{"id":4738,"date":"2022-12-20T18:36:50","date_gmt":"2022-12-20T21:36:50","guid":{"rendered":"http:\/\/lode.uno\/linux-man\/index.php\/2022\/12\/20\/shorewallhosts-man5\/"},"modified":"2022-12-20T18:36:50","modified_gmt":"2022-12-20T21:36:50","slug":"shorewallhosts-man5","status":"publish","type":"post","link":"https:\/\/lode.uno\/linux-man\/2022\/12\/20\/shorewallhosts-man5\/","title":{"rendered":"SHOREWALL−HOSTS (man5)"},"content":{"rendered":"

SHOREWALL\u2212HOSTS<\/h1>\n

NAME<\/a>
SYNOPSIS<\/a>
DESCRIPTION<\/a>
EXAMPLES<\/a>
FILES<\/a>
SEE ALSO<\/a>
NOTES<\/a> <\/p>\n

\n

NAME <\/a> <\/h2>\n

hosts \u2212 Shorewall file<\/p>\n

SYNOPSIS <\/a> <\/h2>\n\n\n
<\/td>\n\n

\/etc\/shorewall[6]\/hosts<\/b><\/p>\n<\/td>\n

 <\/td>\n<\/tr>\n<\/table>\n

DESCRIPTION <\/a> <\/h2>\n

This file is used to define zones in terms of subnets and\/or individual IP addresses. Most simple setups don’t need to (should not) place anything in this file.<\/p>\n

The order of entries in this file is not significant in determining zone composition. Rather, the order that the zones are declared in shorewall\u2212zones<\/font><\/b> [1]<\/font><\/small> (5) determines the order in which the records in this file are interpreted.<\/font><\/p>\n

Warning<\/big><\/b>
The only time that you need this file is when you have more than one zone connected through a single interface.<\/font><\/p>\n

Warning<\/big><\/b>
If you have an entry for a zone and interface in<\/font> shorewall\u2212interfaces<\/font><\/b> [2]<\/font><\/small> (5) then do not include any entries in this file for that same (zone, interface) pair.<\/font><\/p>\n

The columns in the file are as follows.<\/font><\/p>\n

ZONE<\/b> \u2212 zone\u2212name<\/i><\/font><\/p>\n

The name of a zone declared in<\/font> shorewall\u2212zones<\/font><\/b> [1]<\/font><\/small> (5). You may not list the firewall zone in this column.<\/font><\/p>\n

HOST(S)<\/b> \u2212 interface<\/i>:{[{address\u2212or\u2212range<\/i>[,<\/b>address\u2212or\u2212range<\/i>]…|+<\/b>ipset<\/i>|dynamic<\/b>}[exclusion<\/i>]<\/font><\/p>\n

The name of an interface defined in the<\/font> shorewall\u2212interfaces<\/font><\/b> [2]<\/font><\/small> (5) file followed by a colon (“:”) and a comma\u2212separated list whose elements are either:<\/font><\/p>\n

1. The IP address<\/i> of a host.<\/font><\/p>\n

2. A network in CIDR format.<\/font><\/p>\n

3. An IP address range of the form low.address<\/i>\u2212high.address<\/i>. Your kernel and iptables must have iprange match support.<\/font><\/p>\n

4. The name of an ipset<\/i>.<\/font><\/p>\n

5. The word dynamic<\/b> which makes the zone dynamic in that you can use the shorewall add<\/b> and shorewall delete<\/b> commands to change to composition of the zone.<\/font><\/p>\n

You may also exclude certain hosts through use of an exclusion<\/i> (see<\/font> shorewall\u2212exclusion<\/font><\/b> [3]<\/font><\/small> (5).<\/font><\/p>\n

OPTIONS<\/b> (Optional) \u2212 [option<\/i>[,<\/b>option<\/i>]…]<\/font><\/p>\n

A comma\u2212separated list of options from the following list. The order in which you list the options is not significant but the list must have no embedded white\u2212space.<\/font><\/p>\n

blacklist<\/b><\/font><\/p>\n

Check packets arriving on this port against the<\/font> shorewall\u2212blacklist<\/font><\/b> [4]<\/font><\/small> (5) file.<\/font><\/p>\n

broadcast<\/b><\/font><\/p>\n

Used when you want to include limited broadcasts (destination IP address 255.255.255.255) from the firewall to this zone. Only necessary when:<\/font><\/p>\n

1. The network specified in the HOST(S) column does not include 255.255.255.255.<\/font><\/p>\n

2. The zone does not have an entry for this interface in<\/font> shorewall\u2212interfaces<\/font><\/b> [2]<\/font><\/small> (5).<\/font><\/p>\n

destonly<\/b><\/font><\/p>\n

Normally used with the Multi\u2212cast IP address range (224.0.0.0\/4). Specifies that traffic will be sent to the specified net(s) but that no traffic will be received from the net(s).<\/font><\/p>\n

ipsec<\/b><\/font><\/p>\n

The zone is accessed via a kernel 2.6 ipsec SA. Note that if the zone named in the ZONE column is specified as an IPSEC zone in the<\/font> shorewall\u2212zones<\/font><\/b> [1]<\/font><\/small> (5) file then you do NOT need to specify the ‘ipsec’ option here.<\/font><\/p>\n

maclist<\/b><\/font><\/p>\n

Connection requests from these hosts are compared against the contents of<\/font> shorewall\u2212maclist<\/font><\/b> [5]<\/font><\/small> (5). If this option is specified, the interface must be an Ethernet NIC or equivalent and must be up before Shorewall is started.<\/font><\/p>\n

mss<\/b>=mss<\/i><\/font><\/p>\n

Added in Shorewall 4.5.2. When present, causes the TCP mss for new connections to\/from the hosts given in the HOST(S) column to be clamped at the specified mss<\/i>.<\/font><\/p>\n

nosmurfs<\/b><\/font><\/p>\n

This option only makes sense for ports on a bridge.<\/font><\/p>\n

Filter packets for smurfs (packets with a broadcast address as the source).<\/font><\/p>\n

Smurfs will be optionally logged based on the setting of SMURF_LOG_LEVEL in<\/font> shorewall.conf<\/font><\/b> [6]<\/font><\/small> (5). After logging, the packets are dropped.<\/font><\/p>\n

routeback<\/b><\/font><\/p>\n

Shorewall should set up the infrastructure to pass packets from this\/these address(es) back to themselves. This is necessary if hosts in this group use the services of a transparent proxy that is a member of the group or if DNAT is used to send requests originating from this group to a server in the group.<\/font><\/p>\n

tcpflags<\/b><\/font><\/p>\n

Packets arriving from these hosts are checked for certain illegal combinations of TCP flags. Packets found to have such a combination of flags are handled according to the setting of TCP_FLAGS_DISPOSITION after having been logged according to the setting of TCP_FLAGS_LOG_LEVEL.<\/font><\/p>\n

EXAMPLES <\/a> <\/h2>\n

Example 1<\/font><\/p>\n

The firewall runs a PPTP server which creates a ppp interface for each remote client. The clients are assigned IP addresses in the network 192.168.3.0\/24 and in a zone named ‘vpn’.<\/font><\/p>\n

#ZONE HOST(S) OPTIONS
vpn ppp+:192.168.3.0\/24<\/font><\/p>\n

FILES <\/a> <\/h2>\n

\/etc\/shorewall\/hosts<\/font><\/p>\n

\/etc\/shorewall6\/hosts<\/font><\/p>\n

SEE ALSO <\/a> <\/h2>\n

https:\/\/shorewall.org\/configuration_file_basics.htm#Pairs<\/font><\/b> [7]<\/font><\/small><\/p>\n

shorewall(8)<\/font><\/p>\n

NOTES <\/a> <\/h2>\n\n\n
<\/td>\n\n

1.<\/font><\/p>\n<\/td>\n

<\/td>\n\n

shorewall-zones<\/font><\/p>\n<\/td>\n

 <\/td>\n<\/tr>\n<\/table>\n

https:\/\/shorewall.org\/manpages\/shorewall-zones.html<\/font><\/p>\n\n\n
<\/td>\n\n

2.<\/font><\/p>\n<\/td>\n

<\/td>\n\n

shorewall-interfaces<\/font><\/p>\n<\/td>\n

 <\/td>\n<\/tr>\n<\/table>\n

https:\/\/shorewall.org\/manpages\/shorewall-interfaces.html<\/font><\/p>\n\n\n
<\/td>\n\n

3.<\/font><\/p>\n<\/td>\n

<\/td>\n\n

shorewall-exclusion<\/font><\/p>\n<\/td>\n

 <\/td>\n<\/tr>\n<\/table>\n

https:\/\/shorewall.org\/manpages\/shorewall-exclusion.html<\/font><\/p>\n\n\n
<\/td>\n\n

4.<\/font><\/p>\n<\/td>\n

<\/td>\n\n

shorewall-blacklist<\/font><\/p>\n<\/td>\n

 <\/td>\n<\/tr>\n<\/table>\n

https:\/\/shorewall.org\/manpages\/shorewall-blacklist.html<\/font><\/p>\n\n\n
<\/td>\n\n

5.<\/font><\/p>\n<\/td>\n

<\/td>\n\n

shorewall-maclist<\/font><\/p>\n<\/td>\n

 <\/td>\n<\/tr>\n<\/table>\n

https:\/\/shorewall.org\/manpages\/shorewall-maclist.html<\/font><\/p>\n\n\n
<\/td>\n\n

6.<\/font><\/p>\n<\/td>\n

<\/td>\n\n

shorewall.conf<\/font><\/p>\n<\/td>\n

 <\/td>\n<\/tr>\n<\/table>\n

https:\/\/shorewall.org\/manpages\/shorewall.conf.html<\/font><\/p>\n\n\n
<\/td>\n\n

7.<\/font><\/p>\n<\/td>\n

<\/td>\n\n

https:\/\/shorewall.org\/configuration_file_basics.htm#Pairs<\/font><\/p>\n<\/td>\n<\/tr>\n<\/table>\n

https:\/\/shorewall.org\/configuration_file_basics.htm#Pairs<\/font><\/p>\n

\n","protected":false},"excerpt":{"rendered":"

hosts \u2212 Shorewall file <\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[959],"tags":[961,1291,1658],"class_list":["post-4738","post","type-post","status-publish","format-standard","hentry","category-5-formatos-de-ficheros","tag-961","tag-man5","tag-shorewall-hosts"],"gutentor_comment":0,"_links":{"self":[{"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/posts\/4738","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/comments?post=4738"}],"version-history":[{"count":0,"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/posts\/4738\/revisions"}],"wp:attachment":[{"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/media?parent=4738"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/categories?post=4738"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/tags?post=4738"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}