Name

zones — Shorewall zone declaration file

Synopsis

/etc/shorewall/zones

Description

The /etc/shorewall/zones file declares your network zones. You specify the hosts in each zone through entries in /etc/shorewall/interfaces or /etc/shorewall/hosts.

The columns in the file are as follows (where the column name is followed by a different name in parentheses, the different name is used in the alternate specification syntax).

ZONE - zone[:parent-zone[,parent-zone]...]

Name of the zone. Must start with a letter and consist of letters, digits or '_'. The names "all", "none", "any", "SOURCE" and "DEST" are reserved and may not be used as zone names. The maximum length of a zone name is determined by the setting of the LOGFORMAT option in shorewall.conf(5). With the default LOGFORMAT, zone names can be at most 5 characters long.

The maximum length of an iptables log prefix is 29 bytes. As explained in shorewall.conf (5), the default LOGPREFIX formatting string is “Shorewall:%s:%s:” where the first %s is replaced by the chain name and the second is replaced by the disposition.

  • The default formatting string has 12 fixed characters ("Shorewall" and three colons).

  • The longest of the standard dispositions are ACCEPT and REJECT which have 6 characters each.

  • The canonical name for the chain containing the rules for traffic going from zone 1 to zone 2 is "<zone 1>2<zone 2>" or "<zone 1>-<zone 2>".

  • So if M is the maximum zone name length, such chains can have length 2*M + 1.

    12 + 6 + 2*M + 1 = 29 which reduces to
    2*M = 29 - 12 - 6 - 1 = 10 or
    M = 5

The order in which Shorewall matches addresses from packets to zones is determined by the order of zone declarations. Where a zone is nested in one or more other zones, you may either ensure that the nested zone precedes its parents in this file, or you may follow the (sub)zone name by ":" and a comma-separated list of the parent zones. The parent zones must have been declared in earlier records in this file. See shorewall-nesting(5) for additional information.

Example:

#ZONE     TYPE     OPTIONS         IN OPTIONS        OUT OPTIONS
a         ipv4
b         ipv4
c:a,b     ipv4

Currently, Shorewall uses this information to reorder the zone list so that parent zones appear after their subzones in the list. The IMPLICIT_CONTINUE option in shorewall.conf(5) can also create implicit CONTINUE policies to/from the subzone.

Where an ipsec zone is explicitly included as a child of an ipv4 zone, the ruleset allows CONTINUE policies (explicit or implicit) to work as expected.

In the future, Shorewall may make additional use of nesting information.

TYPE
ipv4

This is the standard Shorewall zone type and is the default if you leave this column empty or if you enter "-" in the column. Communication with some zone hosts may be encrypted. Encrypted hosts are designated using the 'ipsec' option in shorewall-hosts(5).

ipsec (or ipsec4)

Communication with all zone hosts is encrypted. Your kernel and iptables must include policy match support.

firewall

Designates the firewall itself. You must have exactly one 'firewall' zone. No options are permitted with a 'firewall' zone. The name that you enter in the ZONE column will be stored in the shell variable $FW which you may use in other configuration files to designate the firewall zone.

bport (or bport4)

The zone is associated with one or more ports on a single bridge.

vserver

Added in Shorewall 4.4.11 Beta 2 - A zone composed of Linux-vserver guests. The zone contents must be defined in shorewall-hosts (5).

Vserver zones are implicitly handled as subzones of the firewall zone.

loopback

Added in Shorewall 4.5.17.

Normally, Shorewall treats the loopback interface (lo) in the following way:

  • By default, all traffic through the interface is ACCEPTed.

  • If a $FW -> $FW policy is defined or $FW -> $FW rules are defined, they are placed in a chain named ${FW}2${F2} or ${FW}-${FW} (e.g., 'fw2fw' or 'fw-fw' ) depending on the ZONE2ZONE setting in shorewall.conf(5).

  • $FW -> $FW traffic is only filtered in the OUTPUT chain.

By defining a loopback zone and associating it with the loopback interface in shorewall-interfaces(5), you can effect a slightly different model. Suppose that the loopback zone name is 'local'; then:

  • Both $FW -> local and local -> $FW chains are created.

  • The $FW -> local and local -> $FW policies may be different.

  • Both $FW -> local and local -> $FW rules may be specified.

Rules to/from the loopback zone and any zone other than the firewall zone are ignored with a warning.

loopback zones may be nested within other loopback zones.

local

Added in Shorewall 4.5.17. local is the same as ipv4 with the exception that the zone is only accessible from the firewall and vserver zones.

OPTIONS, IN OPTIONS and OUT OPTIONS (options, in_options, out_options) - [option[,option]...]

A comma-separated list of options. With the exception of the mss and blacklist options, these only apply to TYPE ipsec zones.

blacklist

Added in Shorewall 4.4.13. May not be specified for firewall or vserver zones.

When specified in the IN_OPTIONS column, causes all traffic from this zone to be passed against the src entries in shorewall-blacklist(5).

When specified in the OUT_OPTIONS column, causes all traffic to this zone to be passed against the dst entries in shorewall-blacklist(5).

Specifying this option in the OPTIONS column is equivalent to entering it in both of the IN_OPTIONS and OUT_OPTIONS column.

dynamic_shared

Added in Shorewall 4.5.9. May only be specified in the OPTIONS column and indicates that only a single ipset should be created for this zone if it has multiple dynamic entries in shorewall-hosts(5). Without this option, a separate ipset is created for each interface.

reqid=number

where number is specified using setkey(8) using the 'unique:number option for the SPD level.

spi=<number>

where number is the SPI of the SA used to encrypt/decrypt packets.

proto=ah|esp|ipcomp

IPSEC Encapsulation Protocol

mss=number

sets the MSS field in TCP packets. If you supply this option, you should also set FASTACCEPT=No in shorewall.conf(5) to insure that both the SYN and SYN,ACK packets have their MSS field adjusted.

mode=transport|tunnel

IPSEC mode

tunnel-src=address[/mask]

only available with mode=tunnel

tunnel-dst=address[/mask]

only available with mode=tunnel

strict

Means that packets must match all rules.

next

Separates rules; can only be used with strict

The options in the OPTIONS column are applied to both incoming and outgoing traffic. The IN OPTIONS are applied to incoming traffic (in addition to OPTIONS) and the OUT OPTIONS are applied to outgoing traffic.

If you wish to leave a column empty but need to make an entry in a following column, use "-".

FILES

/etc/shorewall/zones

See ALSO

http://www.shorewall.net/Multiple_Zones.html.

http://www.shorewall.net/configuration_file_basics.htm#Pairs

shorewall(8), shorewall-accounting(5), shorewall-actions(5), shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5), shorewall-nesting(8), shorewall-netmap(5), shorewall-params(5), shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-mangle(5), shorewall-tos(5), shorewall-tunnels(5)

Documentation


Frequently Used Articles

- FAQs - IPv4 Manpages - IPv6 Manpages - Configuration File Basics - Beginner Documentation - Troubleshooting

Shorewall 4.0/4.2 Documentation


Current HOWTOs and Other Articles

- 6to4 and 6in4 Tunnels - Accounting - Actions - Aliased (virtual) Interfaces (e.g., eth0:0) - Anatomy of Shorewall - Anti-Spoofing Measures - AUDIT Target support - Bandwidth Control - Blacklisting/Whitelisting - Bridge/Firewall - Building Shorewall from GIT - Commands - Compiled Programs - Configuration File Basics - DHCP - DNAT - Dynamic Zones - ECN Disabling by host or subnet - Events - Extension Scripts - Fallback/Uninstall - FAQs - Features - Fool's Firewall - Forwarding Traffic on the Same Interface - FTP and Shorewall - Helpers/Helper Modules - Installation/Upgrade - IPP2P - IPSEC - Ipsets - IPv6 Support - ISO 3661 Country Codes - Kazaa Filtering - Kernel Configuration - KVM (Kernel-mode Virtual Machine) - Limiting Connection Rates - Linux Containers (LXC) - Linux-vserver - Logging - Macros - MAC Verification - Manpages (IPv4) (IPv6) - Manual Chains - Masquerading - Multiple Internet Connections from a Single Firewall - Multiple Zones Through One Interface - My Shorewall Configuration - Netfilter Overview - Network Mapping - No firewalling of traffic between bridge port - One-to-one NAT - Operating Shorewall - OpenVPN - OpenVZ - Packet Marking - Packet Processing in a Shorewall-based Firewall - 'Ping' Management - Port Forwarding - Port Information - Port Knocking (deprecated) - Port Knocking, Auto Blacklisting and Other Uses of the 'Recent Match' - PPTP - Proxy ARP - QuickStart Guides - Release Model - Requirements - Routing and Shorewall - Routing on One Interface - Samba - Shorewall Events - Shorewall Init - Shorewall Lite - Shorewall on a Laptop - Shorewall Perl - Shorewall Setup Guide - SMB - SNAT - Split DNS the Easy Way - Squid with Shorewall - Starting/stopping the Firewall - Static (one-to-one) NAT - Support - Tips and Hints - Traffic Shaping/QOS - Simple - Traffic Shaping/QOS - Complex - Transparent Proxy - UPnP - Upgrade Issues - Upgrading to Shorewall 4.4 (Upgrading Debian Lenny to Squeeze) - VPN - VPN Passthrough - White List Creation - Xen - Shorewall in a Bridged Xen DomU - Xen - Shorewall in Routed Xen Dom0

Top of Page