SHOREWALL\-ADDRESSES

Section: Configuration Files (5)
Updated: 04/11/2019
Page Index

NAME

addresses - Specifying addresses within a Shorewall configuration

DESCRIPTION

In both Shorewall and Shorewall6, there are two basic types of addresses:

Host Address

This address type refers to a single host.

In IPv4, the format is i.j.k.l where i through l are decimal numbers between 1 and 255.

In IPv6, the format is a:b:c:d:e:f:g:h where a through h consist of 1 to 4 hexadecimal digits (leading zeros may be omitted). a single series of 0 addresses may be omitted. For example 2001:227:e857:1:0:0:0:0:1 may be written 2001:227:e857:1::1.

Network Address

A network address refers to 1 or more hosts and consists of a host address followed by a slash ("/") and a Variable Length Subnet Mask (VLSM). This is known as Classless Internet Domain Routing (CIDR) notation.

The VLSM is a decimal number. For IPv4, it is in the range 0 through 32. For IPv6, the range is 0 through 128. The number represents the number of leading bits in the address that represent the network address; the remainder of the bits are a host address and are generally given as zero.

Examples:

IPv4: 192.168.1.0/24

IPv6: 2001:227:e857:1:0:0:0:0:1/64

In the Shorewall documentation and manpages, we have tried to make it clear which type of address is accepted in each specific case.

Because Shorewall uses a colon (":") as a separator in many contexts, IPv6 addresses are best written using the standard convention in which the address itself is enclosed in square brackets:

: [2001:227:e857:1::1]

: [2001:227:e857:1::]/64

SPECIFYING SOURCE AND DEST

Entries in Shorewall configuration files often deal with the source (SOURCE) and destination (DEST) of connections and Shorewall implements a uniform way for specifying them.

A SOURCE or DEST consists of one to three parts separated by colons (":"):

: 1. ZONE --- The name of a zone declared in /etc/shorewall/zones or /etc/shorewall6/zones. This part is only available in the rules file (/etc/shorewall/rules, /etc/shorewall/blrules,/etc/shorewall6/rules and /etc/shorewall6/blrules).

: 2. INTERFACE --- The name of an interface that matches an entry in /etc/shorewall/interfaces (/etc/shorewall6/interfaces).
Beginning with Shorweall 5.2.1, the interface may be preceded with '!' which matches all interfaces except the one specified.

: 3. ADDRESS LIST --- A list of one or more addresses (host or network) or address ranges, separated by commas. In an IPv6 configuration, this list must be included in square or angled brackets ("[...]" or "<...>"). The list may have exclusion.

Examples.

: 1. All hosts in the net zone --- net

: 2. Subnet 192.168.1.0/29 in the loc zone --- loc:192.168.1.0/29

: 3. All hosts in the net zone connecting through ppp0 --- net:ppp0

: 4. All hosts interfaced by eth3 --- eth3

: 5. Subnet 10.0.1.0/24 interfacing through eth2 --- eth2:10.0.1.0/24

: 6. Host 2002:ce7c:92b4:1:a00:27ff:feb1:46a9 in the loc zone --- loc:[2002:ce7c:92b4:1:a00:27ff:feb1:46a9]

: 7. The primary IP address of eth0 in the $FW zone - $FW:&eth0

: 8. All hosts in Vatican City - net:^VA (Requires the GeoIP Match capability).

IP ADDRESS RANGES

If you kernel and iptables have IP Range match support, you may use IP address ranges in Shorewall configuration file entries; IP address ranges have the syntax <low IP address>-<high IP address>.

Example: 192.168.1.5-192.168.1.12.

NOTES

1.

Setup Guide

: http://www.shorewall.orgshorewall_setup_guide.htm#Addressing