File: //usr/share/shorewall/configfiles/zones.annotated
#
# Shorewall -- /etc/shorewall/zones
#
# For information about this file, type "man shorewall-zones"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-zones.html
#
###############################################################################
#
# The /etc/shorewall/zones file declares your network zones. You specify the
# hosts in each zone through entries in /etc/shorewall/interfaces or /etc/
# shorewall/hosts.
#
# The columns in the file are as follows (where the column name is followed by a
# different name in parentheses, the different name is used in the alternate
# specification syntax).
#
# ZONE - zone[:parent-zone[,parent-zone]...]
#
# Name of the zone. Must start with a letter and consist of letters, digits
# or '_'. The names "all", "none", "any", "SOURCE" and "DEST" are reserved
# and may not be used as zone names. The maximum length of a zone name is
# determined by the setting of the LOGFORMAT option in shorewall.conf(5).
# With the default LOGFORMAT, zone names can be at most 5 characters long.
#
# The maximum length of an iptables log prefix is 29 bytes. As explained
# in shorewall.conf (5), the legacy default LOGPREFIX formatting string
# is “Shorewall:%s:%s:” where the first %s is replaced by the chain name
# and the second is replaced by the disposition.
#
# ☆ The "Shorewall:%s:%s:" formatting string has 12 fixed characters
# ("Shorewall" and three colons).
#
# ☆ The longest of the standard dispositions are ACCEPT and REJECT
# which have 6 characters each.
#
# ☆ The canonical name for the chain containing the rules for traffic
# going from zone 1 to zone 2 is "<zone 1>2<zone 2>" or "<zone 1>-
# <zone 2>".
#
# ☆ So if M is the maximum zone name length, such chains can have
# length 2*M + 1.
#
# 12 + 6 + 2*M + 1 = 29 which reduces to
# 2*M = 29 - 12 - 6 - 1 = 10 or
# M = 5
#
# In Shorewall 5.1.0, the LOGFORMAT in the default and sample
# shorewall.conf files was changed to "%s:%s ".
#
# ☆ That formatting string has 2 fixed characters (":" and a space).
#
# ☆ So the maximum zone name length M is calculated as:
#
# 2 + 6 + 2*M + 1 = 29
# 2M = 29 - 2 - 6 - 1 = 20
# M = 10
#
# The order in which Shorewall matches addresses from packets to zones is
# determined by the order of zone declarations. Where a zone is nested in one
# or more other zones, you may either ensure that the nested zone precedes
# its parents in this file, or you may follow the (sub)zone name by ":" and a
# comma-separated list of the parent zones. The parent zones must have been
# declared in earlier records in this file. See shorewall-nesting(5) for
# additional information.
#
# Example:
#
# #ZONE TYPE OPTIONS IN OPTIONS OUT OPTIONS
# a ip
# b ip
# c:a,b ip
#
# Currently, Shorewall uses this information to reorder the zone list so that
# parent zones appear after their subzones in the list. The IMPLICIT_CONTINUE
# option in shorewall.conf(5) can also create implicit CONTINUE policies to/
# from the subzone.
#
# Where an ipsec zone is explicitly included as a child of an ip zone, the
# ruleset allows CONTINUE policies (explicit or implicit) to work as
# expected.
#
# In the future, Shorewall may make additional use of nesting information.
#
# TYPE
#
# ip
#
# This is the standard Shorewall zone type and is the default if you
# leave this column empty or if you enter "-" in the column.
# Communication with some zone hosts may be encrypted. Encrypted hosts
# are designated using the 'ipsec' option in shorewall-hosts(5). For
# clarity, this zone type may be specified as ipv4 in IPv4 configurations
# and ipv6 in IPv6 configurations.
#
# ipsec
#
# Communication with all zone hosts is encrypted. Your kernel and
# iptables must include policy match support. For clarity, this zone type
# may be specified as ipsec4 in IPv4 configurations and ipsec6 in IPv6
# configurations.
#
# firewall
#
# Designates the firewall itself. You must have exactly one 'firewall'
# zone. No options are permitted with a 'firewall' zone. The name that
# you enter in the ZONE column will be stored in the shell variable $FW
# which you may use in other configuration files to designate the
# firewall zone.
#
# bport
#
# The zone is associated with one or more ports on a single bridge. For
# clarity, this zone type may be specified as bport4 in IPv4
# configurations and bport6 in IPv6 configurations.
#
# vserver
#
# Added in Shorewall 4.4.11 Beta 2 - A zone composed of Linux-vserver
# guests. The zone contents must be defined in shorewall-hosts (5).
#
# Vserver zones are implicitly handled as subzones of the firewall zone.
#
# loopback
#
# Added in Shorewall 4.5.17.
#
# Normally, Shorewall treats the loopback interface (lo) in the following
# way:
#
# ☆ By default, all traffic through the interface is ACCEPTed.
#
# ☆ If a $FW -> $FW policy is defined or $FW -> $FW rules are defined,
# they are placed in a chain named ${FW}2${F2} or ${FW}-${FW} (e.g.,
# 'fw2fw' or 'fw-fw' ) depending on the ZONE2ZONE setting in
# shorewall.conf(5).
#
# ☆ $FW -> $FW traffic is only filtered in the OUTPUT chain.
#
# By defining a loopback zone and associating it with the loopback
# interface in shorewall-interfaces(5), you can effect a slightly
# different model. Suppose that the loopback zone name is 'local'; then:
#
# ☆ Both $FW -> local and local -> $FW chains are created.
#
# ☆ The $FW -> local and local -> $FW policies may be different.
#
# ☆ Both $FW -> local and local -> $FW rules may be specified.
#
# Rules to/from the loopback zone and any zone other than the firewall
# zone are ignored with a warning.
#
# loopback zones may be nested within other loopback zones.
#
# local
#
# Added in Shorewall 4.5.17. local is the same as ipv4 with the exception
# that the zone is only accessible from the firewall and vserver zones.
#
# OPTIONS, IN OPTIONS and OUT OPTIONS (options, in_options, out_options) - [
# option[,option]...]
#
# A comma-separated list of options. With the exception of the mss and
# blacklist options, these only apply to TYPE ipsec zones.
#
# dynamic_shared
#
# Added in Shorewall 4.5.9. May only be specified in the OPTIONS column
# and indicates that only a single ipset should be created for this zone
# if it has multiple dynamic entries in shorewall-hosts(5). Without this
# option, a separate ipset is created for each interface.
#
# reqid=number
#
# where number is specified using setkey(8) using the 'unique:number
# option for the SPD level.
#
# spi=<number>
#
# where number is the SPI of the SA used to encrypt/decrypt packets.
#
# proto=ah|esp|ipcomp
#
# IPSEC Encapsulation Protocol
#
# mss=number
#
# sets the MSS field in TCP packets. If you supply this option, you
# should also set FASTACCEPT=No in shorewall.conf(5) to insure that both
# the SYN and SYN,ACK packets have their MSS field adjusted.
#
# mode=transport|tunnel
#
# IPSEC mode
#
# tunnel-src=address[/mask]
#
# only available with mode=tunnel
#
# tunnel-dst=address[/mask]
#
# only available with mode=tunnel
#
# strict
#
# Means that packets must match all rules.
#
# next
#
# Separates rules; can only be used with strict
#
# The options in the OPTIONS column are applied to both incoming and outgoing
# traffic. The IN OPTIONS are applied to incoming traffic (in addition to
# OPTIONS) and the OUT OPTIONS are applied to outgoing traffic.
#
# If you wish to leave a column empty but need to make an entry in a
# following column, use "-".
#
###############################################################################
#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
fw firewall