Your company here — click to reach over 10,000 unique daily visitors

shorewall-addresses - Man Page

Specifying addresses within a Shorewall configuration


In both Shorewall and Shorewall6, there are two basic types of addresses:

Host Address

This address type refers to a single host.

In IPv4, the format is i.j.k.l where i through l are decimal numbers between 1 and 255.

In IPv6, the format is a:b:c:d:e:f:g:h where a through h consist of 1 to 4 hexadecimal digits (leading zeros may be omitted). a single series of 0 addresses may be omitted. For example 2001:227:e857:1:0:0:0:0:1 may be written 2001:227:e857:1::1.

Network Address

A network address refers to 1 or more hosts and consists of a host address followed by a slash ("/") and a Variable Length Subnet Mask (VLSM). This is known as Classless Internet Domain Routing (CIDR) notation.

The VLSM is a decimal number. For IPv4, it is in the range 0 through 32. For IPv6, the range is 0 through 128. The number represents the number of leading bits in the address that represent the network address; the remainder of the bits are a host address and are generally given as zero.



IPv6: 2001:227:e857:1:0:0:0:0:1/64

In the Shorewall documentation and manpages, we have tried to make it clear which type of address is accepted in each specific case.

Because Shorewall uses a colon (":") as a separator in many contexts, IPv6 addresses are best written using the standard convention in which the address itself is enclosed in square brackets:


Specifying Source and Dest

Entries in Shorewall configuration files often deal with the source (SOURCE) and destination (DEST) of connections and Shorewall implements a uniform way for specifying them.

A SOURCE or DEST consists of one to three parts separated by colons (":"):

  1. ZONE — The name of a zone declared in /etc/shorewall/zones or /etc/shorewall6/zones. This part is only available in the rules file (/etc/shorewall/rules, /etc/shorewall/blrules,/etc/shorewall6/rules and /etc/shorewall6/blrules).
  2. INTERFACE — The name of an interface that matches an entry in /etc/shorewall/interfaces (/etc/shorewall6/interfaces).

    Beginning with Shorweall 5.2.1, the interface may be preceded with '!' which matches all interfaces except the one specified.

  3. ADDRESS LIST — A list of one or more addresses (host or network) or address ranges, separated by commas. In an IPv6 configuration, this list must be included in square or angled brackets ("[...]" or "<...>"). The list may have exclusion.


  1. All hosts in the net zone — net
  2. Subnet in the loc zone — loc:
  3. All hosts in the net zone connecting through ppp0 — net:ppp0
  4. All hosts interfaced by eth3 — eth3
  5. Subnet interfacing through eth2 — eth2:
  6. Host 2002:ce7c:92b4:1:a00:27ff:feb1:46a9 in the loc zone — loc:[2002:ce7c:92b4:1:a00:27ff:feb1:46a9]
  7. The primary IP address of eth0 in the $FW zone - $FW:&eth0
  8. All hosts in Vatican City - net:^VA (Requires the GeoIP Match capability).

IP Address Ranges

If you kernel and iptables have IP Range match support, you may use IP address ranges in Shorewall configuration file entries; IP address ranges have the syntax <low IP address>-<high IP address>.


See Also

For more information about addressing, see theSetup Guide[1].



Setup Guide

Referenced By


09/24/2020 Configuration Files