SHOREWALL-ARPRULES(5)         Configuration Files        SHOREWALL-ARPRULES(5)

NAME

       arprules - Shorewall ARP rules file

SYNOPSIS

       /etc/shorewall/arprules

DESCRIPTION

       IPv4 only.

       This file was added in Shorewall 4.5.12 and is used to describe
       low-level rules managed by arptables(8). These rules only affect
       Address Resolution Protocol (ARP), Reverse Address Resolution Protocol
       (RARP) and Dynamic Reverse Address Resolution Protocol (DRARP) frames.

       The columns in the file are as shown below. MAC addresses are specified
       normally (6 hexadecimal numbers separated by colons).

       ACTION
           Describes the action to take when a frame matches the criteria in
           the other columns. Possible values are:

           ACCEPT
               This is the default action if no rule matches a frame; it lets
               the frame go through.

           DROP
               Causes the frame to be dropped.

           SNAT:ip-address
               Modifies the source IP address to the specified ip-address.

           DNAT:ip-address
               Modifies the destination IP address to the specified
               ip-address.

           SMAT:mac-address
               Modifies the source MAC address to the specified mac-address.

           DMAT:mac-address
               Modifies the destination MAC address to the specified
               mac-address.

           SNATC:ip-address
               Like SNAT except that the frame is then passed to the next
               rule.

           DNATC:ip-address
               Like DNAT except that the frame is then passed to the next
               rule.

           SMATC:mac-address
               Like SMAT except that the frame is then passed to the next
               rule.

           DMATC:mac-address
               Like DMAT except that the frame is then passed to the next
               rule.

       SOURCE - [interface[:[!]ipaddress[/ipmask][:[!]macaddress[/macmask]]]]
           Where

           interface
               Is an interface defined in shorewall-interfaces(5).

           ipaddress
               Is an IPv4 address. DNS names are not allowed.

           ipmask
               Specifies a mask to be applied to ipaddress.

           macaddress
               The source MAC address.

           macmask
               Mask for MAC address; must be specified as 6 hexadecimal
               numbers separated by colons.

           When '!' is specified, the test is inverted.

           If not specified, matches only frames originating on the firewall
           itself.

               Caution
               Either SOURCE or DEST must be specified.

       DEST - [interface[:[!]ipaddress[/ipmask][:[!]macaddress[/macmask]]]]
           Where

           interface
               Is an interface defined in shorewall-interfaces(5).

           ipaddress
               Is an IPv4 address. DNS names are not allowed.

           ipmask
               Specifies a mask to be applied to frame addresses.

           macaddress
               The destination MAC address.

           macmask
               Mask for MAC address; must be specified as 6 hexadecimal
               numbers separated by colons.

           When '!' is specified, the test is inverted and the rule matches
           frames which do not match the specified address/mask.

           If not specified, matches only frames originating on the firewall
           itself.

           If both SOURCE and DEST are specified, then both interfaces must be
           bridge ports on the same bridge.

               Caution
               Either SOURCE or DEST must be specified.

       OPCODE - [[!]opcode]
           Optional. Describes the type of frame. Possible opcode values are:

           1
               ARP Request

           2
               ARP Reply

           3
               RARP Request

           4
               RARP Reply

           5
               Dynamic RARP Request

           6
               Dynamic RARP Reply

           7
               Dynamic RARP Error

           8
               InARP Request

           9
               ARP NAK

           When '!' is specified, the test is inverted and the rule matches
           frames which do not match the specified opcode.

EXAMPLE

       The eth1 interface has both a public IP address and a private address
       (10.1.10.11/24). When sending ARP requests to 10.1.10.0/24, use the
       private address as the IP source:

           #ACTION                SOURCE                  DEST                ARP OPCODE
           SNAT:10.1.10.11        -                       eth1:10.1.10.0/24   1

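An added example, not part of Shorewall or of this manual page: a small Python linter that checks arprules lines against the ACTION, SOURCE/DEST and OPCODE descriptions above before the file is deployed. The function names, the MAC address 02:00:00:00:00:01 and every sample rule except the SNAT line are constructed for illustration; the two-hex-digit MAC form is an assumption.

```python
import ipaddress
import re

MAC = r"[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5}"  # assumption: two hex digits per group
ACTION = re.compile(  # the ACTION values listed on this page
    rf"ACCEPT|DROP|[SD]NATC?:(?P<ip>[0-9.]+)|[SD]MATC?:{MAC}")
ENDPOINT = re.compile(  # interface[:[!]ipaddress[/ipmask][:[!]macaddress[/macmask]]]
    rf"(?P<iface>[^:\s]+)(?::(?P<ipneg>!)?(?P<ip>[0-9.]+(?:/[0-9.]+)?)"
    rf"(?::(?P<macneg>!)?(?P<mac>{MAC})(?:/(?P<macmask>{MAC}))?)?)?")

def parse_endpoint(col):
    if col == "-":  # column not specified
        return None
    m = ENDPOINT.fullmatch(col)
    if not m:  # also catches DNS names, which the page disallows
        raise ValueError(f"bad SOURCE/DEST {col!r}")
    ipaddress.IPv4Interface(m["ip"] or "0.0.0.0")  # rejects 10.1.10.300, /33, ...
    return m.groupdict()

def parse_rule(line):  # None for blank/comment lines, ValueError if invalid
    fields = line.split("#", 1)[0].split()
    if not fields:
        return None
    # Missing trailing columns default to "-"; a fifth column fails the unpack.
    action, source, dest, opcode = fields + ["-"] * (4 - len(fields))
    m = ACTION.fullmatch(action)
    if not m:
        raise ValueError(f"bad ACTION {action!r}")
    ipaddress.IPv4Address(m["ip"] or "0.0.0.0")  # validate the SNAT/DNAT argument
    src, dst = parse_endpoint(source), parse_endpoint(dest)
    if src is None and dst is None:
        raise ValueError("either SOURCE or DEST must be specified")
    if opcode != "-" and not re.fullmatch(r"!?[1-9]", opcode):
        raise ValueError(f"bad OPCODE {opcode!r}")
    return {"action": action, "source": src, "dest": dst, "opcode": opcode}

def lint(text):
    problems = []
    for n, line in enumerate(text.splitlines(), 1):
        try:
            parse_rule(line)
        except ValueError as exc:
            problems.append((n, str(exc)))
    return problems

SAMPLE = """# Constructed sample; only the SNAT rule is from this page.
SNAT:10.1.10.11  -                                  eth1:10.1.10.0/24  1
DROP             eth1:10.1.10.1:!02:00:00:00:00:01  -                  2
DROP             -                                  -                  2
ACCEPT           eth1:gateway.example               -                  1
"""
```

Calling `lint(SAMPLE)` flags line 4 (neither SOURCE nor DEST given) and line 5 (a DNS name where an IPv4 address is required); the other rules pass.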

FILES

       /etc/shorewall/arprules

SEE ALSO

       shorewall(8)

Configuration Files               01/15/2020             SHOREWALL-ARPRULES(5)