SHOREWALL-INTERFACE(5)                                  SHOREWALL-INTERFACE(5)

NAME
       interfaces - Shorewall interfaces file

SYNOPSIS
       /etc/shorewall/interfaces

DESCRIPTION
       The interfaces file serves to define the firewall's network interfaces
       to Shorewall. The order of entries in this file is not significant in
       determining zone composition.

       The columns in the file are as follows.

       ZONE - zone-name
           Zone for this interface. Must match the name of a zone declared in
           /etc/shorewall/zones. You may not list the firewall zone in this
           column.

           If the interface serves multiple zones that will be defined in the
           shorewall-hosts[1](5) file, you should place "-" in this column.

           If there are multiple interfaces to the same zone, you must list
           them in separate entries.

           Example:

               #ZONE   INTERFACE   BROADCAST
               loc     eth1        -
               loc     eth2        -

       INTERFACE - interface[:port]
           Logical name of interface. Each interface may be listed only once
           in this file. You may NOT specify the name of a "virtual" interface
           (e.g., eth0:0) here; see http://www.shorewall.net/FAQ.htm#faq18. If
           the physical option is not specified, then the logical name is also
           the name of the actual interface.

           You may use wildcards here by specifying a prefix followed by the
           plus sign ("+"). For example, if you want to make an entry that
           applies to all PPP interfaces, use 'ppp+'; that would match ppp0,
           ppp1, ppp2, ... Please note that the '+' means 'one or more
           additional characters', so 'ppp+' does not match an interface
           named just 'ppp'.

           When using Shorewall versions before 4.1.4, care must be exercised
           when using wildcards where there is another zone that uses a
           matching specific interface. See shorewall-nesting[2](5) for a
           discussion of this problem.

           Shorewall allows '+' as an interface name.

           There is no need to define the loopback interface (lo) in this
           file.

           If a port is given, then the interface must have been defined
           previously with the bridge option. The OPTIONS column may not
           contain the following options when a port is given:

               arp_filter
               arp_ignore
               bridge
               log_martians
               mss
               optional
               proxyarp
               required
               routefilter
               sourceroute
               upnp
               wait

       BROADCAST (Optional) - {-|detect|address[,address]...}
           If you use the special value detect, Shorewall will detect the
           broadcast address(es) for you if your iptables and kernel include
           Address Type Match support.

           If your iptables and/or kernel lack Address Type Match support, then
           you may list the broadcast address(es) for the network(s) to which
           the interface belongs. For P-T-P interfaces, this column is left
           blank. If the interface has multiple addresses on multiple subnets,
           then list the broadcast addresses as a comma-separated list.

           If you don't want to give a value for this column but you want to
           enter a value in the OPTIONS column, enter - in this column.

       OPTIONS (Optional) - [option[,option]...]
           A comma-separated list of options from the following list. The
           order in which you list the options is not significant, but the
           list should have no embedded white space.

           arp_filter[={0|1}]
               If specified, this interface will only respond to ARP who-has
               requests for IP addresses configured on the interface. If not
               specified, the interface can respond to ARP who-has requests
               for IP addresses on any of the firewall's interfaces. The
               interface must be up when Shorewall is started.

               Only those interfaces with the arp_filter option will have
               their setting changed; the value assigned to the setting will
               be the value specified (if any) or 1 if no value is given.

               Note
                   This option does not work with a wild-card interface name
                   (e.g., eth0.+) in the INTERFACE column.

           arp_ignore[=number]
               If specified, this interface will respond to ARP requests based
               on the value of number (defaults to 1).

               1 - reply only if the target IP address is a local address
                   configured on the incoming interface

               2 - reply only if the target IP address is a local address
                   configured on the incoming interface and the sender's IP
                   address is part of the same subnet as this interface's
                   address

               3 - do not reply for local addresses configured with scope
                   host, only resolutions for global and link

               4-7 - reserved

               8 - do not reply for all local addresses

               Note
                   This option does not work with a wild-card interface name
                   (e.g., eth0.+) in the INTERFACE column.

               Warning
                   Do not specify arp_ignore for any interface involved in
                   Proxy ARP[3].

           blacklist
               Check packets arriving on this interface against the
               shorewall6-blacklist[4](5) file.

               Beginning with Shorewall 4.4.13:

               ·   If a zone is given in the ZONE column, then the behavior
                   is as if blacklist had been specified in the IN_OPTIONS
                   column of shorewall-zones[5](5).

               ·   Otherwise, the option is ignored with a warning: WARNING:
                   The 'blacklist' option is ignored on mult-zone interfaces

           bridge
               Designates the interface as a bridge. Beginning with Shorewall
               4.4.7, setting this option also sets routeback.

           dhcp
               Specify this option when any of the following are true:

               1.  the interface gets its IP address via DHCP

               2.  the interface is used by a DHCP server running on the
                   firewall

               3.  the interface has a static IP but is on a LAN segment with
                   lots of DHCP clients.

               4.  the interface is a simple bridge[6] with a DHCP server on
                   one port and DHCP clients on another port.

               Note
                   If you use Shorewall-perl for firewall/bridging[7],
                   then you need to include DHCP-specific rules in
                   shorewall-rules[8](5). DHCP uses UDP ports 67 and 68.

               This option allows DHCP datagrams to enter and leave the
               interface.

           logmartians[={0|1}]
               Turn on kernel martian logging (logging of packets with
               impossible source addresses). It is strongly suggested that if
               you set routefilter on an interface, you also set logmartians.
               Even if you do not specify the routefilter option, it is a good
               idea to specify logmartians because your distribution may have
               enabled route filtering without you knowing it.

               Only those interfaces with the logmartians option will have
               their setting changed; the value assigned to the setting will
               be the value specified (if any) or 1 if no value is given.

               To find out if route filtering is set on a given interface,
               check the contents of
               /proc/sys/net/ipv4/conf/interface/rp_filter - a non-zero value
               indicates that route filtering is enabled.

               Example:

                   teastep@lists:~$ cat /proc/sys/net/ipv4/conf/eth0/rp_filter
                   1
                   teastep@lists:~$

               Note
                   This option does not work with a wild-card interface name
                   (e.g., eth0.+) in the INTERFACE column.

                   This option may also be enabled globally in the
                   shorewall.conf[9](5) file.

           maclist
               Connection requests from this interface are compared against
               the contents of shorewall-maclist[10](5). If this option is
               specified, the interface must be an ethernet NIC and must be up
               before Shorewall is started.

           mss=number
               Added in Shorewall 4.0.3. Causes forwarded TCP SYN packets
               entering or leaving on this interface to have their MSS field
               set to the specified number.

           nets=(net[,...])
               Limit the zone named in the ZONE column to only the listed
               networks. The parentheses may be omitted if only a single net
               is given (e.g., nets=192.168.1.0/24). Limited broadcast to the
               zone is supported. Beginning with Shorewall 4.4.1, multicast
               traffic to the zone is also supported.

           nets=dynamic
               Defines the zone as dynamic. Requires ipset match support in
               your iptables and kernel. See
               http://www.shorewall.net/Dynamic.html for further information.

           nosmurfs
               Filter packets for smurfs (packets with a broadcast address as
               the source).

               Smurfs will be optionally logged based on the setting of
               SMURF_LOG_LEVEL in shorewall.conf[9](5). After logging, the
               packets are dropped.

           optional
               When optional is specified for an interface, Shorewall will be
               silent when:

               ·   a /proc/sys/net/ipv4/conf/ entry for the interface cannot
                   be modified (including for proxy ARP).

               ·   the first address of the interface cannot be obtained.

               May not be specified with required.

           physical=name
               Added in Shorewall 4.4.4. When specified, the interface or port
               name in the INTERFACE column is a logical name that refers to
               the name given in this option. It is useful when you want to
               specify the same wildcard port name on two or more bridges. See
               http://www.shorewall.net/bridge-Shorewall-perl.html#Multiple.

               If the interface name is a wildcard name (ends with '+'), then
               the physical name must also end in '+'.

               If physical is not specified, then its value defaults to the
               interface name.

           proxyarp[={0|1}]
               Sets /proc/sys/net/ipv4/conf/interface/proxy_arp. Do NOT use
               this option if you are employing Proxy ARP through entries in
               shorewall-proxyarp[11](5). This option is intended solely for
               use with Proxy ARP sub-networking as described at
               http://tldp.org/HOWTO/Proxy-ARP-Subnet/index.html[12].

               Note
                   This option does not work with a wild-card interface name
                   (e.g., eth0.+) in the INTERFACE column.

               Only those interfaces with the proxyarp option will have their
               setting changed; the value assigned to the setting will be the
               value specified (if any) or 1 if no value is given.

           required
               Added in Shorewall 4.4.10. If this option is set, the firewall
               will fail to start if the interface is not usable. May not be
               specified together with optional.

           routeback
               If specified, indicates that Shorewall should include rules
               that allow traffic arriving on this interface to be routed back
               out that same interface. This option is also required when you
               have used a wildcard in the INTERFACE column if you want to
               allow traffic between the interfaces that match the wildcard.

               Beginning with Shorewall 4.4.20, if you specify this option,
               then you should also specify either sfilter (see below) or
               routefilter on all interfaces (see below).

           routefilter[={0|1|2}]
               Turn on kernel route filtering for this interface
               (anti-spoofing measure).

               Only those interfaces with the routefilter option will have
               their setting changed; the value assigned to the setting will
               be the value specified (if any) or 1 if no value is given.

               The value 2 is only available with Shorewall 4.4.5.1 and later
               when the kernel version is 2.6.31 or later. It specifies a
               loose form of reverse path filtering.

               Note
                   This option does not work with a wild-card interface name
                   (e.g., eth0.+) in the INTERFACE column.

                   This option can also be enabled globally in the
                   shorewall.conf[9](5) file.

               Note
                   There are certain cases where routefilter cannot be used on
                   an interface:

                   ·   If USE_DEFAULT_RT=Yes in shorewall.conf[9](5) and the
                       interface is listed in shorewall-providers[13](5).

                   ·   If there is an entry for the interface in
                       shorewall-providers[13](5) that doesn't specify the
                       balance option.

                   ·   If IPSEC is used to allow a road-warrior to have a
                       local address, then any interface through which the
                       road-warrior might connect cannot specify routefilter.

           sfilter=(net[,...])
               Added in Shorewall 4.4.20. This option provides an
               anti-spoofing alternative to routefilter on interfaces where
               that option cannot be used, but where the routeback option is
               required (on a bridge, for example). On these interfaces,
               sfilter should list those local networks that are connected to
               the firewall through other interfaces.

           sourceroute[={0|1}]
               If this option is not specified for an interface, then
               source-routed packets will not be accepted from that interface
               (sets /proc/sys/net/ipv4/conf/interface/accept_source_route to
               1). Only set this option if you know what you are doing. This
               might represent a security risk and is usually unneeded.

               Only those interfaces with the sourceroute option will have
               their setting changed; the value assigned to the setting will
               be the value specified (if any) or 1 if no value is given.

               Note
                   This option does not work with a wild-card interface name
                   (e.g., eth0.+) in the INTERFACE column.
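
           The following is an added example written for this page, not
           Shorewall code. It audits the /proc/sys/net/ipv4/conf/<interface>/
           values behind the arp_filter, arp_ignore, logmartians, proxyarp,
           routefilter and sourceroute options using the rule each of them
           states above: the value assigned is the one given, or 1 when none
           is given, and only interfaces that carry the option have their
           setting changed. It also flags the case the logmartians text warns
           about, rp_filter already non-zero on an interface whose entry does
           not set logmartians. The proc tree is read below a caller-supplied
           root so that the demo runs against a constructed copy in a
           temporary directory; the interface name eth1 and the values written
           there are constructed.

```python
"""Audit of the /proc/sys/net/ipv4/conf/<interface>/ settings behind the
arp_filter, arp_ignore, logmartians, proxyarp, routefilter and sourceroute
options.  Added example, not Shorewall code; the proc tree is read below a
caller-supplied root so the demo can run against a constructed copy.
On a live host: audit('/', 'eth0', 'routefilter,logmartians')."""

import os
import tempfile

# Option -> proc file.  Each option assigns the value given, or 1 when no
# value is given; interfaces without the option are left alone, so only the
# options present in an entry are checked.
OPTION_TO_SYSCTL = {
    "arp_filter": "arp_filter",
    "arp_ignore": "arp_ignore",
    "logmartians": "log_martians",
    "proxyarp": "proxy_arp",
    "routefilter": "rp_filter",
    "sourceroute": "accept_source_route",
}


def expected_sysctls(options):
    """Map an OPTIONS string to {proc_file: value Shorewall would assign}."""
    expected = {}
    for item in options.split(","):
        name, _, value = item.partition("=")
        if name in OPTION_TO_SYSCTL:
            expected[OPTION_TO_SYSCTL[name]] = int(value) if value else 1
    return expected


def read_sysctl(root, iface, key):
    """Read one integer from <root>/proc/sys/net/ipv4/conf/<iface>/<key>."""
    path = os.path.join(root, "proc/sys/net/ipv4/conf", iface, key)
    with open(path) as fh:
        return int(fh.read().strip())


def audit(root, iface, options):
    """Return {proc_file: (expected, actual)} for every setting that does
    not hold the value the entry's options call for."""
    mismatches = {}
    for key, want in expected_sysctls(options).items():
        got = read_sysctl(root, iface, key)
        if got != want:
            mismatches[key] = (want, got)
    return mismatches


def route_filtering_unlogged(root, iface, options):
    """True when rp_filter is non-zero (perhaps enabled by the distribution)
    but the entry does not set logmartians, the pairing the page advises."""
    return (read_sysctl(root, iface, "rp_filter") != 0
            and "log_martians" not in expected_sysctls(options))


def write_fake_proc(root, iface, values):
    """Build a constructed proc tree for offline demonstration."""
    conf = os.path.join(root, "proc/sys/net/ipv4/conf", iface)
    os.makedirs(conf, exist_ok=True)
    for key, val in values.items():
        with open(os.path.join(conf, key), "w") as fh:
            fh.write(f"{val}\n")


def demo():
    """Constructed state: eth1 has strict rp_filter already on and arp_filter
    off, while its entry asks for routefilter=2 (loose mode) and arp_filter
    but not logmartians.  Returns (mismatches, route_filtering_unlogged)."""
    root = tempfile.mkdtemp()
    write_fake_proc(root, "eth1", {"rp_filter": 1, "log_martians": 0,
                                   "arp_filter": 0, "accept_source_route": 0})
    entry_options = "routefilter=2,arp_filter,dhcp"
    return (audit(root, "eth1", entry_options),
            route_filtering_unlogged(root, "eth1", entry_options))
```

           Options that map onto no proc file (dhcp above, for instance) are
           ignored by the audit, and an interface that does not carry one of
           the six options is never reported for that setting, which matches
           the "only those interfaces with the ... option" wording of each
           entry.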

           tcpflags
               Packets arriving on this interface are checked for certain
               illegal combinations of TCP flags. Packets found to have such a
               combination of flags are handled according to the setting of
               TCP_FLAGS_DISPOSITION after having been logged according to the
               setting of TCP_FLAGS_LOG_LEVEL.

           upnp
               Incoming requests from this interface may be remapped via UPnP
               (upnpd). See http://www.shorewall.net/UPnP.html[14].

           upnpclient
               This option is intended for laptop users who always run
               Shorewall on their system yet need to run UPnP-enabled client
               apps such as Transmission (BitTorrent client). The option
               causes Shorewall to detect the default gateway through the
               interface and to accept UDP packets from that gateway. Note
               that, like all aspects of UPnP, this is a security hole, so use
               this option at your own risk.

           wait=seconds
               Added in Shorewall 4.4.10. Causes the generated script to wait
               up to seconds seconds for the interface to become usable before
               applying the required or optional options.

EXAMPLE
       Example 1:
           Suppose you have eth0 connected to a DSL modem and eth1 connected
           to your local network and that your local subnet is 192.168.1.0/24.
           The interface gets its IP address via DHCP from subnet
           206.191.149.192/27. You have a DMZ with subnet 192.168.2.0/24 using
           eth2.

           Your entries for this setup would look like:

               #ZONE   INTERFACE   BROADCAST        OPTIONS
               net     eth0        206.191.149.223  dhcp
               loc     eth1        192.168.1.255
               dmz     eth2        192.168.2.255

       Example 2:
           The same configuration without specifying broadcast addresses is:

               #ZONE   INTERFACE   BROADCAST        OPTIONS
               net     eth0        detect           dhcp
               loc     eth1        detect
               dmz     eth2        detect

       Example 3:
           You have a simple dial-in system with no ethernet connections.

               #ZONE   INTERFACE   BROADCAST        OPTIONS
               net     ppp0        -

       Example 4 (Shorewall 4.4.9 and later):
           You have a bridge with no IP address and you want to allow traffic
           through the bridge.

               #ZONE   INTERFACE   BROADCAST        OPTIONS
               -       br0         -                routeback
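
           The following is an added example, not Shorewall's own parser. It
           reads entries in the layout of the examples above and checks them
           against the rules this page states: the firewall zone may not be
           used in ZONE, each interface is listed once, a port entry needs an
           earlier entry for the bridge with the bridge option and may not
           carry the options listed under INTERFACE, optional and required
           exclude each other, a wildcard logical name needs a physical name
           ending in '+', and the options whose Note says so do not work on a
           wildcard interface. It also implements the '+' matching rule
           ('ppp+' matches ppp0 but not a bare 'ppp') and splits OPTIONS
           without breaking a parenthesised nets=(...) list. The firewall zone
           name 'fw' is an assumption (the page only says the firewall zone
           may not be listed; its name is declared in /etc/shorewall/zones),
           and the two sample files are constructed.

```python
"""Checks for /etc/shorewall/interfaces entries against the rules stated on
this page.  Added example, not Shorewall's parser; the firewall zone name
'fw' is an assumption and the sample files below are constructed."""

# Options the page says may not accompany a port (interface:port) entry.
PORT_FORBIDDEN = {"arp_filter", "arp_ignore", "bridge", "log_martians", "mss",
                  "optional", "proxyarp", "required", "routefilter",
                  "sourceroute", "upnp", "wait"}
# Options whose Note says they do not work with a wild-card interface name.
NO_WILDCARD = {"arp_filter", "arp_ignore", "logmartians", "proxyarp",
               "routefilter", "sourceroute"}

def wildcard_match(pattern, name):
    """'ppp+' matches ppp0, ppp1, ... but not 'ppp' itself: '+' stands for
    one or more additional characters.  A bare '+' matches any name."""
    if pattern.endswith("+"):
        prefix = pattern[:-1]
        return name.startswith(prefix) and len(name) > len(prefix)
    return pattern == name

def split_options(field):
    """Split the OPTIONS column on commas, except commas that sit inside the
    parentheses of nets=(net,net,...)."""
    items, depth, cur = [], 0, ""
    for ch in field:
        depth += (ch == "(") - (ch == ")")
        if ch == "," and depth == 0:
            items.append(cur)
            cur = ""
        else:
            cur += ch
    return items + [cur] if cur else items

def parse_options(field):
    """Return {option: value}; value is None when no '=value' part is given."""
    if field in ("", "-"):
        return {}
    parsed = {}
    for item in split_options(field):
        name, sep, value = item.partition("=")
        parsed[name] = value if sep else None
    return parsed

def parse_interfaces(text):
    """Return (zone, interface, port, broadcast, options, lineno) tuples.
    Blank lines and '#' comments are skipped; BROADCAST and OPTIONS may be
    absent, as in Example 1 above."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        cols = raw.split("#", 1)[0].split()
        if not cols:
            continue
        if len(cols) < 2:
            raise ValueError(f"line {lineno}: ZONE and INTERFACE are required")
        iface, _, port = cols[1].partition(":")
        broadcast = cols[2] if len(cols) > 2 else "-"
        options = parse_options(cols[3] if len(cols) > 3 else "-")
        entries.append((cols[0], iface, port, broadcast, options, lineno))
    return entries

def validate(text, firewall_zone="fw"):
    """Return 'line N: problem' strings; an empty list means the file passes."""
    problems, seen, bridges = [], set(), set()
    for zone, iface, port, _bcast, opts, n in parse_interfaces(text):
        name = f"{iface}:{port}" if port else iface
        if (iface, port) in seen:
            problems.append(f"line {n}: {name} is listed more than once")
        seen.add((iface, port))
        if zone == firewall_zone:
            problems.append(f"line {n}: the firewall zone {zone!r} may not be used in ZONE")
        if port:
            if iface not in bridges:
                problems.append(f"line {n}: port {name} needs an earlier {iface} entry with the bridge option")
            for o in sorted(PORT_FORBIDDEN & set(opts)):
                problems.append(f"line {n}: option {o} is not allowed on a port")
        elif "bridge" in opts:
            bridges.add(iface)
        if "optional" in opts and "required" in opts:
            problems.append(f"line {n}: optional and required may not be specified together")
        if iface.endswith("+"):
            physical = opts.get("physical")
            if physical is not None and not physical.endswith("+"):
                problems.append(f"line {n}: wildcard {iface} needs a physical name ending in '+'")
            for o in sorted(NO_WILDCARD & set(opts)):
                problems.append(f"line {n}: {o} does not work with wildcard interface {iface}")
    return problems

# Constructed sample: Example 1 above plus a bridge with one port.
GOOD = """\
#ZONE   INTERFACE   BROADCAST        OPTIONS
net     eth0        206.191.149.223  dhcp
loc     eth1        192.168.1.255
dmz     eth2        192.168.2.255
-       br0         -                bridge
loc     br0:eth3    -                maclist
"""

# Constructed sample breaking five of the rules above.
BAD = """\
fw      eth0        detect
loc     eth0        detect           optional,required
dmz     br1:eth4    -                routefilter
"""
```

           validate(GOOD) returns an empty list; validate(BAD) reports the
           firewall zone on line 1, the duplicate eth0 and the optional/required
           clash on line 2, and on line 3 both the port whose bridge was never
           defined and the routefilter option that a port may not carry.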

FILES
       /etc/shorewall/interfaces

SEE ALSO
       shorewall(8), shorewall-accounting(5), shorewall-actions(5),
       shorewall-blacklist(5), shorewall-hosts(5), shorewall-maclist(5),
       shorewall-masq(5), shorewall-nat(5), shorewall-netmap(5),
       shorewall-params(5), shorewall-policy(5), shorewall-providers(5),
       shorewall-proxyarp(5), shorewall-route_rules(5),
       shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
       shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
       shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
       shorewall-zones(5)

NOTES
        1. shorewall-hosts
           http://www.shorewall.net/manpages/shorewall-hosts.html

        2. shorewall-nesting
           http://www.shorewall.net/manpages/shorewall-nesting.html

        3. Proxy ARP
           http://www.shorewall.net/manpages/../ProxyARP.htm

        4. shorewall6-blacklist
           http://www.shorewall.net/manpages/shorewall6-blacklist.html

        5. shorewall-zones
           http://www.shorewall.net/manpages/shorewall-zones.html

        6. simple bridge
           http://www.shorewall.net/manpages/../SimpleBridge.html

        7. Shorewall-perl for firewall/bridging
           http://www.shorewall.net/manpages/../bridge-Shorewall-perl.html

        8. shorewall-rules
           http://www.shorewall.net/manpages/shorewall-rules.html

        9. shorewall.conf
           http://www.shorewall.net/manpages/shorewall.conf.html

       10. shorewall-maclist
           http://www.shorewall.net/manpages/shorewall-maclist.html

       11. shorewall-proxyarp
           http://www.shorewall.net/manpages/shorewall-proxyarp.html

       12. http://tldp.org/HOWTO/Proxy-ARP-Subnet/index.html
           http://tldp.org/HOWTO/Proxy-ARP-Subnet/index.html

       13. shorewall-providers
           http://www.shorewall.net/manpages/shorewall-providers.html

       14. http://www.shorewall.net/UPnP.html
           http://www.shorewall.net/manpages/../UPnP.html

                                  09/16/2011             SHOREWALL-INTERFACE(5)