hosts — Shorewall file




This file is used to define zones in terms of subnets and/or individual IP addresses. Most simple setups don't need to (should not) place anything in this file.

The order of entries in this file is not significant in determining zone composition. Rather, the order that the zones are declared in shorewall-zones(5) determines the order in which the records in this file are interpreted.


The only time that you need this file is when you have more than one zone connected through a single interface.


If you have an entry for a zone and interface in shorewall-interfaces(5) then do not include any entries in this file for that same (zone, interface) pair.

The columns in the file are as follows.

ZONE - zone-name

The name of a zone declared in shorewall-zones(5). You may not list the firewall zone in this column.

HOST(S) - interface:{[{address-or-range[,address-or-range]...|+ipset|dynamic}[exclusion]

The name of an interface defined in the shorewall-interfaces(5) file followed by a colon (":") and a comma-separated list whose elements are either:

  1. The IP address of a host.

  2. A network in CIDR format.

  3. An IP address range of the form low.address-high.address. Your kernel and iptables must have iprange match support.

  4. The name of an ipset.

  5. The word dynamic which makes the zone dynamic in that you can use the shorewall add and shorewall delete commands to change to composition of the zone.

You may also exclude certain hosts through use of an exclusion (see shorewall-exclusion(5).

OPTIONS (Optional) - [option[,option]...]

A comma-separated list of options from the following list. The order in which you list the options is not significant but the list must have no embedded white-space.


Check packets arriving on this port against the shorewall-blacklist(5) file.


Used when you want to include limited broadcasts (destination IP address from the firewall to this zone. Only necessary when:

  1. The network specified in the HOST(S) column does not include

  2. The zone does not have an entry for this interface in shorewall-interfaces(5).


Normally used with the Multi-cast IP address range ( Specifies that traffic will be sent to the specified net(s) but that no traffic will be received from the net(s).


The zone is accessed via a kernel 2.6 ipsec SA. Note that if the zone named in the ZONE column is specified as an IPSEC zone in the shorewall-zones(5) file then you do NOT need to specify the 'ipsec' option here.


Connection requests from these hosts are compared against the contents of shorewall-maclist(5). If this option is specified, the interface must be an Ethernet NIC or equivalent and must be up before Shorewall is started.


Added in Shorewall 4.5.2. When present, causes the TCP mss for new connections to/from the hosts given in the HOST(S) column to be clamped at the specified mss.


This option only makes sense for ports on a bridge.

Filter packets for smurfs (packets with a broadcast address as the source).

Smurfs will be optionally logged based on the setting of SMURF_LOG_LEVEL in shorewall.conf(5). After logging, the packets are dropped.


Shorewall should set up the infrastructure to pass packets from this/these address(es) back to themselves. This is necessary if hosts in this group use the services of a transparent proxy that is a member of the group or if DNAT is used to send requests originating from this group to a server in the group.


Packets arriving from these hosts are checked for certain illegal combinations of TCP flags. Packets found to have such a combination of flags are handled according to the setting of TCP_FLAGS_DISPOSITION after having been logged according to the setting of TCP_FLAGS_LOG_LEVEL.


Example 1

The firewall runs a PPTP server which creates a ppp interface for each remote client. The clients are assigned IP addresses in the network and in a zone named 'vpn'.

#ZONE       HOST(S)               OPTIONS
vpn         ppp+:




shorewall(8), shorewall-accounting(5), shorewall-actions(5), shorewall-blacklist(5), shorewall_interfaces(5), shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5), shorewall-nesting(5), shorewall-netmap(5), shorewall-params(5), shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-mangle(5), shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)


Frequently Used Articles

- FAQs - IPv4 Manpages - IPv6 Manpages - Configuration File Basics - Beginner Documentation - Troubleshooting

Shorewall 4.0/4.2 Documentation

Current HOWTOs and Other Articles

- 6to4 and 6in4 Tunnels - Accounting - Actions - Aliased (virtual) Interfaces (e.g., eth0:0) - Anatomy of Shorewall - Anti-Spoofing Measures - AUDIT Target support - Bandwidth Control - Blacklisting/Whitelisting - Bridge/Firewall - Building Shorewall from GIT - Commands - Compiled Programs - Configuration File Basics - DHCP - DNAT - Dynamic Zones - ECN Disabling by host or subnet - Events - Extension Scripts - Fallback/Uninstall - FAQs - Features - Fool's Firewall - Forwarding Traffic on the Same Interface - FTP and Shorewall - Helpers/Helper Modules - Installation/Upgrade - IPP2P - IPSEC - Ipsets - IPv6 Support - ISO 3661 Country Codes - Kazaa Filtering - Kernel Configuration - KVM (Kernel-mode Virtual Machine) - Limiting Connection Rates - Linux Containers (LXC) - Linux-vserver - Logging - Macros - MAC Verification - Manpages (IPv4) (IPv6) - Manual Chains - Masquerading - Multiple Internet Connections from a Single Firewall - Multiple Zones Through One Interface - My Shorewall Configuration - Netfilter Overview - Network Mapping - No firewalling of traffic between bridge port - One-to-one NAT - Operating Shorewall - OpenVPN - OpenVZ - Packet Marking - Packet Processing in a Shorewall-based Firewall - 'Ping' Management - Port Forwarding - Port Information - Port Knocking (deprecated) - Port Knocking, Auto Blacklisting and Other Uses of the 'Recent Match' - PPTP - Proxy ARP - QuickStart Guides - Release Model - Requirements - Routing and Shorewall - Routing on One Interface - Samba - Shorewall Events - Shorewall Init - Shorewall Lite - Shorewall on a Laptop - Shorewall Perl - Shorewall Setup Guide - SMB - SNAT - Split DNS the Easy Way - Squid with Shorewall - Starting/stopping the Firewall - Static (one-to-one) NAT - Support - Tips and Hints - Traffic Shaping/QOS - Simple - Traffic Shaping/QOS - Complex - Transparent Proxy - UPnP - Upgrade Issues - Upgrading to Shorewall 4.4 (Upgrading Debian Lenny to Squeeze) - VPN - VPN Passthrough - White List Creation - Xen - Shorewall in a Bridged Xen DomU - Xen - Shorewall in Routed Xen Dom0

Top of Page