Provided by: shorewall_5.2.8-6_all

NAME

       addresses - Specifying addresses within a Shorewall configuration

DESCRIPTION

       In both Shorewall and Shorewall6, there are two basic types of addresses:

       Host Address
           This address type refers to a single host.

           In IPv4, the format is i.j.k.l where i through l are decimal numbers between 1 and 255.

           In IPv6, the format is a:b:c:d:e:f:g:h where a through h consist of 1 to 4 hexadecimal digits
           (leading zeros may be omitted). A single series of all-zero groups may be omitted. For example
           2001:227:e857:1:0:0:0:1 may be written 2001:227:e857:1::1.

       Network Address
           A network address refers to 1 or more hosts and consists of a host address followed by a slash ("/")
           and a Variable Length Subnet Mask (VLSM). This is known as Classless Inter-Domain Routing (CIDR)
           notation.

           The VLSM is a decimal number. For IPv4, it is in the range 0 through 32. For IPv6, the range is 0
           through 128. The number represents the number of leading bits in the address that represent the
           network address; the remainder of the bits are a host address and are generally given as zero.

           Examples:

           IPv4: 192.168.1.0/24

           IPv6: 2001:227:e857:1:0:0:0:1/64

       In the Shorewall documentation and manpages, we have tried to make it clear which type of address is
       accepted in each specific case.

       Because Shorewall uses a colon (":") as a separator in many contexts, IPv6 addresses are best written
       using the standard convention in which the address itself is enclosed in square brackets:
           [2001:227:e857:1::1]
           [2001:227:e857:1::]/64

SPECIFYING SOURCE AND DEST

       Entries in Shorewall configuration files often deal with the source (SOURCE) and destination (DEST) of
       connections, and Shorewall implements a uniform way of specifying them.

       A SOURCE or DEST consists of one to three parts separated by colons (":"):

        1. ZONE — The name of a zone declared in /etc/shorewall/zones or /etc/shorewall6/zones. This part is
           only available in the rules files (/etc/shorewall/rules, /etc/shorewall/blrules, /etc/shorewall6/rules
           and /etc/shorewall6/blrules).

        2. INTERFACE — The name of an interface that matches an entry in /etc/shorewall/interfaces
           (/etc/shorewall6/interfaces).

           Beginning with Shorewall 5.2.1, the interface may be preceded with '!', which matches all interfaces
           except the one specified.

        3. ADDRESS LIST — A list of one or more addresses (host or network) or address ranges, separated by
           commas. In an IPv6 configuration, this list must be enclosed in square or angle brackets ("[...]" or
           "<...>"). The list may include an exclusion.

       Examples:

        1. All hosts in the net zone — net

        2. Subnet 192.168.1.0/29 in the loc zone — loc:192.168.1.0/29

        3. All hosts in the net zone connecting through ppp0 — net:ppp0

        4. All hosts interfaced by eth3 — eth3

        5. Subnet 10.0.1.0/24 interfacing through eth2 — eth2:10.0.1.0/24

        6. Host 2002:ce7c:92b4:1:a00:27ff:feb1:46a9 in the loc zone — loc:[2002:ce7c:92b4:1:a00:27ff:feb1:46a9]

        7. The primary IP address of eth0 in the $FW zone - $FW:&eth0

        8. All hosts in Vatican City - net:^VA (Requires the GeoIP Match capability).

IP ADDRESS RANGES

       If your kernel and iptables have IP Range match support, you may use IP address ranges in Shorewall
       configuration file entries; IP address ranges have the syntax <low IP address>-<high IP address>.

       Example: 192.168.1.5-192.168.1.12.

SEE ALSO

       For more information about addressing, see the Setup Guide[1].

NOTES

        1. Setup Guide
           https://shorewall.org/manpages/shorewall_setup_guide.htm#Addressing

Configuration Files                                09/24/2020                             SHOREWALL-ADDRESSES(5)