SHOREWALL-INTERFACE(5)          [FIXME: manual]         SHOREWALL-INTERFACE(5)



NAME

       interfaces - Shorewall interfaces file

SYNOPSIS

       /etc/shorewall/interfaces

DESCRIPTION

       The interfaces file serves to define the firewall's network interfaces
       to Shorewall. The order of entries in this file is not significant in
       determining zone composition.

       The columns in the file are as follows.

       ZONE - zone-name
           Zone for this interface. Must match the name of a zone declared in
           /etc/shorewall/zones. You may not list the firewall zone in this
           column.

           If the interface serves multiple zones that will be defined in the
           shorewall-hosts[1](5) file, you should place "-" in this column.

           If there are multiple interfaces to the same zone, you must list
           them in separate entries.

           Example:

               #ZONE   INTERFACE       BROADCAST
               loc     eth1            -
               loc     eth2            -

       INTERFACE - interface[:port]
           Logical name of the interface. Each interface may be listed only
           once in this file. You may NOT specify the name of a "virtual"
           interface (e.g., eth0:0) here; see
           http://www.shorewall.net/FAQ.htm#faq18. If the physical option is
           not specified, then the logical name is also the name of the actual
           interface.

           You may use wildcards here by specifying a prefix followed by the
           plus sign ("+"). For example, if you want to make an entry that
           applies to all PPP interfaces, use 'ppp+'; that would match ppp0,
           ppp1, ppp2, ... Please note that the '+' means 'one or more
           additional characters', so an interface named plainly 'ppp' does
           not match 'ppp+'.

           When using Shorewall versions before 4.1.4, care must be exercised
           when using wildcards where there is another zone that uses a
           matching specific interface. See shorewall-nesting[2](5) for a
           discussion of this problem.

           Shorewall allows '+' as an interface name.

           There is no need to define the loopback interface (lo) in this
           file.

           If a port is given, then the interface must have been defined
           previously with the bridge option. The OPTIONS column may not
           contain the following options when a port is given:
               arp_filter
               arp_ignore
               bridge
               log_martians
               mss
               optional
               proxyarp
               required
               routefilter
               sourceroute
               upnp
               wait
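           The constraints stated for the ZONE and INTERFACE columns (the
           firewall zone is never listed, each interface appears once, a
           bridge port may only follow its bridge entry carrying the bridge
           option, a port may not carry the options listed above, and
           optional and required exclude each other) can be checked before a
           restart. The following POSIX sh linter is an added example and is
           not part of Shorewall; the check_interfaces, has_word and
           option_names functions are constructed for illustration, the
           sample file it writes is constructed and deliberately faulty, and
           the firewall zone name and declared zones are passed in by the
           caller because the script does not read /etc/shorewall/zones.

```sh
#!/bin/sh
# Added example (not Shorewall's own code): lint an interfaces file against the
# ZONE/INTERFACE column rules of shorewall-interfaces(5). All helpers here are
# hypothetical; the sample file below is constructed.

# Options the man page says may not appear on a bridge-port entry (bridge:port).
PORT_FORBIDDEN="arp_filter arp_ignore bridge log_martians mss optional proxyarp required routefilter sourceroute upnp wait"

# has_word LIST WORD -> exit 0 if WORD is one of the whitespace-separated LIST
has_word() {
    for w in $1; do [ "$w" = "$2" ] && return 0; done
    return 1
}

# option_names "opt,opt=v,nets=(a,b)" -> bare option names, one per line.
# Parenthesised groups are dropped first so the commas inside nets=(...) do not split.
option_names() {
    printf '%s\n' "$1" | sed 's/([^)]*)//g' | tr ',' '\n' | sed 's/=.*//'
}

# check_interfaces FILE FIREWALL_ZONE "zone zone ..."
# Prints one "ERROR: ..." line per problem; returns the number of problems (0 = clean).
check_interfaces() {
    file=$1 fwzone=$2 zones=$3
    errors=0 seen="" bridges=""
    while read -r zone iface bcast opts _; do
        case $zone in ''|'#'*) continue ;; esac      # skip blank and comment lines
        # ZONE: '-' (multi-zone) or a declared zone, never the firewall zone
        if [ "$zone" = "$fwzone" ]; then
            echo "ERROR: $iface: firewall zone '$zone' may not be listed"; errors=$((errors+1))
        elif [ "$zone" != "-" ] && ! has_word "$zones" "$zone"; then
            echo "ERROR: $iface: zone '$zone' not declared in the zones file"; errors=$((errors+1))
        fi
        # INTERFACE: each interface may be listed only once
        if has_word "$seen" "$iface"; then
            echo "ERROR: $iface: listed more than once"; errors=$((errors+1))
        fi
        seen="$seen $iface"
        names=$(option_names "$opts")
        case $iface in
        *:*)
            # bridge port: the bridge must already have an entry with the bridge option
            bridge=${iface%%:*}
            if ! has_word "$bridges" "$bridge"; then
                echo "ERROR: $iface: bridge '$bridge' not defined earlier with the bridge option"; errors=$((errors+1))
            fi
            for n in $names; do
                if has_word "$PORT_FORBIDDEN" "$n"; then
                    echo "ERROR: $iface: option '$n' is not allowed on a bridge port"; errors=$((errors+1))
                fi
            done ;;
        *)
            has_word "$names" bridge && bridges="$bridges $iface" ;;
        esac
        # optional and required may not be specified together
        if has_word "$names" optional && has_word "$names" required; then
            echo "ERROR: $iface: optional and required may not be combined"; errors=$((errors+1))
        fi
    done < "$file"
    return $errors
}

# Constructed sample file containing five deliberate mistakes.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      dhcp,routefilter
loc     eth1        detect      routefilter,logmartians,nets=(192.168.1.0/24,192.168.3.0/24)
fw      eth2        -           optional
loc     eth1        -
-       br0         -           bridge
loc     br0:eth3    -           routefilter
dmz     br1:eth4    -
net     ppp+        -           optional,required
EOF

check_interfaces "$SAMPLE" fw "net loc dmz"
echo "problems found: $?"
```

           Run against the real file with something like
           check_interfaces /etc/shorewall/interfaces fw "net loc dmz";
           the sample above reports five problems: the fw zone on eth2, eth1
           listed twice, routefilter on the port br0:eth3, the undefined
           bridge br1, and optional combined with required on ppp+.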

       BROADCAST (Optional) - {-|detect|address[,address]...}
           If you use the special value detect, Shorewall will detect the
           broadcast address(es) for you if your iptables and kernel include
           Address Type Match support.

           If your iptables and/or kernel lack Address Type Match support, then
           you may list the broadcast address(es) for the network(s) to which
           the interface belongs. For P-T-P interfaces, this column is left
           blank. If the interface has multiple addresses on multiple subnets,
           then list the broadcast addresses as a comma-separated list.

           If you don't want to give a value for this column but you want to
           enter a value in the OPTIONS column, enter - in this column.

       OPTIONS (Optional) - [option[,option]...]
           A comma-separated list of options from the following list. The
           order in which you list the options is not significant, but the
           list must have no embedded white space.

           arp_filter[={0|1}]
               If specified, this interface will only respond to ARP who-has
               requests for IP addresses configured on the interface. If not
               specified, the interface can respond to ARP who-has requests
               for IP addresses on any of the firewall's interfaces. The
               interface must be up when Shorewall is started.

               Only those interfaces with the arp_filter option will have
               their setting changed; the value assigned to the setting will
               be the value specified (if any) or 1 if no value is given.

                   Note
                   This option does not work with a wild-card interface name
                   (e.g., eth0.+) in the INTERFACE column.

           arp_ignore[=number]
               If specified, this interface will respond to ARP requests based
               on the value of number (defaults to 1):

               1 - reply only if the target IP address is a local address
               configured on the incoming interface

               2 - reply only if the target IP address is a local address
               configured on the incoming interface and the sender's IP
               address is in the same subnet as this interface's address

               3 - do not reply for local addresses configured with scope
               host; only resolve addresses with global and link scope

               4-7 - reserved

               8 - do not reply for any local address

                   Note
                   This option does not work with a wild-card interface name
                   (e.g., eth0.+) in the INTERFACE column.

                   Warning
                   Do not specify arp_ignore for any interface involved in
                   Proxy ARP[3].

           blacklist
               Check packets arriving on this interface against the
               shorewall6-blacklist[4](5) file.

               Beginning with Shorewall 4.4.13:

               ·   If a zone is given in the ZONE column, then the behavior
                   is as if blacklist had been specified in the IN_OPTIONS
                   column of shorewall-zones[5](5).

               ·   Otherwise, the option is ignored with a warning: WARNING:
                   The 'blacklist' option is ignored on mult-zone interfaces

           bridge
               Designates the interface as a bridge. Beginning with Shorewall
               4.4.7, setting this option also sets routeback.

           dhcp
               Specify this option when any of the following are true:

                1. the interface gets its IP address via DHCP

                2. the interface is used by a DHCP server running on the
                   firewall

                3. the interface has a static IP but is on a LAN segment with
                   lots of DHCP clients.

                4. the interface is a simple bridge[6] with a DHCP server on
                   one port and DHCP clients on another port.

                       Note
                       If you use Shorewall-perl for firewall/bridging[7],
                       then you need to include DHCP-specific rules in
                       shorewall-rules[8](5). DHCP uses UDP ports 67 and 68.

               This option allows DHCP datagrams to enter and leave the
               interface.

           logmartians[={0|1}]
               Turn on kernel martian logging (logging of packets with
               impossible source addresses). It is strongly suggested that if
               you set routefilter on an interface, you also set logmartians.
               Even if you do not specify the routefilter option, it is a good
               idea to specify logmartians, because your distribution may have
               enabled route filtering without you knowing it.

               Only those interfaces with the logmartians option will have
               their setting changed; the value assigned to the setting will
               be the value specified (if any) or 1 if no value is given.

               To find out if route filtering is set on a given interface,
               check the contents of
               /proc/sys/net/ipv4/conf/interface/rp_filter - a non-zero value
               indicates that route filtering is enabled.

               Example:

                           teastep@lists:~$ cat /proc/sys/net/ipv4/conf/eth0/rp_filter
                           1
                           teastep@lists:~$

                   Note
                   This option does not work with a wild-card interface name
                   (e.g., eth0.+) in the INTERFACE column.

               This option may also be enabled globally in the
               shorewall.conf[9](5) file.

           maclist
               Connection requests from this interface are compared against
               the contents of shorewall-maclist[10](5). If this option is
               specified, the interface must be an ethernet NIC and must be up
               before Shorewall is started.

           mss=number
               Added in Shorewall 4.0.3. Causes forwarded TCP SYN packets
               entering or leaving on this interface to have their MSS field
               set to the specified number.

           nets=(net[,...])
               Limit the zone named in the ZONE column to only the listed
               networks. The parentheses may be omitted if only a single net
               is given (e.g., nets=192.168.1.0/24). Limited broadcast to the
               zone is supported. Beginning with Shorewall 4.4.1, multicast
               traffic to the zone is also supported.

           nets=dynamic
               Defines the zone as dynamic. Requires ipset match support in
               your iptables and kernel. See
               http://www.shorewall.net/Dynamic.html for further information.

           nosmurfs
               Filter packets for smurfs (packets with a broadcast address as
               the source).

               Smurfs will be optionally logged based on the setting of
               SMURF_LOG_LEVEL in shorewall.conf[9](5). After logging, the
               packets are dropped.

           optional
               When optional is specified for an interface, Shorewall will be
               silent when:

               ·   a /proc/sys/net/ipv4/conf/ entry for the interface cannot
                   be modified (including for proxy ARP).

               ·   the first address of the interface cannot be obtained.

               May not be specified with required.

           physical=name
               Added in Shorewall 4.4.4. When specified, the interface or port
               name in the INTERFACE column is a logical name that refers to
               the name given in this option. It is useful when you want to
               specify the same wildcard port name on two or more bridges. See
               http://www.shorewall.net/bridge-Shorewall-perl.html#Multiple.

               If the interface name is a wildcard name (ends with '+'), then
               the physical name must also end in '+'.

               If physical is not specified, then its value defaults to the
               interface name.

           proxyarp[={0|1}]
               Sets /proc/sys/net/ipv4/conf/interface/proxy_arp. Do NOT use
               this option if you are employing Proxy ARP through entries in
               shorewall-proxyarp[11](5). This option is intended solely for
               use with Proxy ARP sub-networking as described at:
               http://tldp.org/HOWTO/Proxy-ARP-Subnet/index.html.[12]

                   Note
                   This option does not work with a wild-card interface name
                   (e.g., eth0.+) in the INTERFACE column.

               Only those interfaces with the proxyarp option will have their
               setting changed; the value assigned to the setting will be the
               value specified (if any) or 1 if no value is given.

           required
               Added in Shorewall 4.4.10. If this option is set, the firewall
               will fail to start if the interface is not usable. May not be
               specified together with optional.

           routeback
               If specified, indicates that Shorewall should include rules
               that allow traffic arriving on this interface to be routed back
               out that same interface. This option is also required when you
               have used a wildcard in the INTERFACE column if you want to
               allow traffic between the interfaces that match the wildcard.

               Beginning with Shorewall 4.4.20, if you specify this option,
               then you should also specify either sfilter (see below) or
               routefilter on all interfaces (see below).

           routefilter[={0|1|2}]
               Turn on kernel route filtering for this interface
               (anti-spoofing measure).

               Only those interfaces with the routefilter option will have
               their setting changed; the value assigned to the setting will
               be the value specified (if any) or 1 if no value is given.

               The value 2 is only available with Shorewall 4.4.5.1 and later
               when the kernel version is 2.6.31 or later. It specifies a
               loose form of reverse path filtering.

                   Note
                   This option does not work with a wild-card interface name
                   (e.g., eth0.+) in the INTERFACE column.

               This option can also be enabled globally in the
               shorewall.conf[9](5) file.

                   Note
                   There are certain cases where routefilter cannot be used on
                   an interface:

                   ·   If USE_DEFAULT_RT=Yes in shorewall.conf[9](5) and the
                       interface is listed in shorewall-providers[13](5).

                   ·   If there is an entry for the interface in
                       shorewall-providers[13](5) that doesn't specify the
                       balance option.

                   ·   If IPSEC is used to allow a road-warrior to have a
                       local address, then any interface through which the
                       road-warrior might connect cannot specify routefilter.

           sfilter=(net[,...])
               Added in Shorewall 4.4.20. This option provides an
               anti-spoofing alternative to routefilter on interfaces where
               that option cannot be used, but where the routeback option is
               required (on a bridge, for example). On these interfaces,
               sfilter should list those local networks that are connected to
               the firewall through other interfaces.

           sourceroute[={0|1}]
               If this option is not specified for an interface, then
               source-routed packets will not be accepted from that interface.
               Specifying it sets
               /proc/sys/net/ipv4/conf/interface/accept_source_route to 1.
               Only set this option if you know what you are doing. This
               might represent a security risk and is usually unneeded.

               Only those interfaces with the sourceroute option will have
               their setting changed; the value assigned to the setting will
               be the value specified (if any) or 1 if no value is given.

                   Note
                   This option does not work with a wild-card interface name
                   (e.g., eth0.+) in the INTERFACE column.

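           The logmartians, proxyarp, routefilter and sourceroute options
           above each write a per-interface file under
           /proc/sys/net/ipv4/conf/, and the logmartians text shows reading
           one of them with cat. The following POSIX sh script is an added
           example, not Shorewall code: it reads those files for a list of
           interfaces and flags the two situations this page warns about,
           route filtering enabled without martian logging (whether set by
           Shorewall or silently by the distribution) and source routing
           accepted. The sysctl_value and audit_iface functions and the
           CONF_ROOT variable are assumptions; CONF_ROOT is pointed at a
           constructed directory tree so the script runs without a live
           firewall, and is set to /proc/sys/net/ipv4/conf to audit a real
           one.

```sh
#!/bin/sh
# Added example (not from the Shorewall project): audit the per-interface
# kernel settings that the routefilter, logmartians, proxyarp and sourceroute
# options write. CONF_ROOT is a hypothetical override; on a live firewall it
# is /proc/sys/net/ipv4/conf.
CONF_ROOT=${CONF_ROOT:-/proc/sys/net/ipv4/conf}

# sysctl_value IFACE KEY -> prints the file's content, or "?" when the file is
# absent (interface down, or a wildcard name such as eth0.+ that has no entry)
sysctl_value() {
    if [ -r "$CONF_ROOT/$1/$2" ]; then cat "$CONF_ROOT/$1/$2"; else echo "?"; fi
}

# audit_iface IFACE -> prints the settings and any findings; returns the
# number of findings (0 = nothing to report)
audit_iface() {
    iface=$1 n=0
    rp=$(sysctl_value "$iface" rp_filter)
    lm=$(sysctl_value "$iface" log_martians)
    sr=$(sysctl_value "$iface" accept_source_route)
    pa=$(sysctl_value "$iface" proxy_arp)
    printf '%s: rp_filter=%s log_martians=%s accept_source_route=%s proxy_arp=%s\n' \
        "$iface" "$rp" "$lm" "$sr" "$pa"
    # the man page advises logmartians wherever route filtering is on, and
    # notes the distribution may have enabled rp_filter without you knowing
    if [ "$rp" != "0" ] && [ "$rp" != "?" ] && [ "$lm" = "0" ]; then
        echo "  WARN: route filtering enabled but martian logging is off"; n=$((n+1))
    fi
    # accept_source_route=1 is what the sourceroute option sets; usually unneeded
    if [ "$sr" = "1" ]; then
        echo "  WARN: source-routed packets are accepted on this interface"; n=$((n+1))
    fi
    if [ "$rp" = "?" ]; then
        echo "  INFO: no /proc entry (interface down or wildcard name)"; n=$((n+1))
    fi
    return $n
}

# Constructed tree standing in for /proc/sys/net/ipv4/conf (remove these lines
# to audit the live kernel settings instead).
CONF_ROOT=$(mktemp -d)
mkdir -p "$CONF_ROOT/eth0" "$CONF_ROOT/eth1"
echo 1 > "$CONF_ROOT/eth0/rp_filter"; echo 0 > "$CONF_ROOT/eth0/log_martians"
echo 0 > "$CONF_ROOT/eth0/accept_source_route"; echo 0 > "$CONF_ROOT/eth0/proxy_arp"
echo 0 > "$CONF_ROOT/eth1/rp_filter"; echo 1 > "$CONF_ROOT/eth1/log_martians"
echo 1 > "$CONF_ROOT/eth1/accept_source_route"; echo 0 > "$CONF_ROOT/eth1/proxy_arp"

for i in eth0 eth1 eth2; do audit_iface "$i"; done
```

           In the constructed tree eth0 has rp_filter on without
           log_martians, eth1 accepts source-routed packets, and eth2 has no
           entry at all, so each interface produces exactly one finding.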
           tcpflags
               Packets arriving on this interface are checked for certain
               illegal combinations of TCP flags. Packets found to have such a
               combination of flags are handled according to the setting of
               TCP_FLAGS_DISPOSITION after having been logged according to the
               setting of TCP_FLAGS_LOG_LEVEL.

           upnp
               Incoming requests from this interface may be remapped via UPnP
               (upnpd). See http://www.shorewall.net/UPnP.html[14].

           upnpclient
               This option is intended for laptop users who always run
               Shorewall on their system yet need to run UPnP-enabled client
               apps such as Transmission (BitTorrent client). The option
               causes Shorewall to detect the default gateway through the
               interface and to accept UDP packets from that gateway. Note
               that, like all aspects of UPnP, this is a security hole, so use
               this option at your own risk.

           wait=seconds
               Added in Shorewall 4.4.10. Causes the generated script to wait
               up to the given number of seconds for the interface to become
               usable before applying the required or optional options.

EXAMPLE

       Example 1:
           Suppose you have eth0 connected to a DSL modem and eth1 connected
           to your local network, and that your local subnet is
           192.168.1.0/24. eth0 gets its IP address via DHCP from subnet
           206.191.149.192/27. You have a DMZ with subnet 192.168.2.0/24 using
           eth2.

           Your entries for this setup would look like:

               #ZONE   INTERFACE BROADCAST        OPTIONS
               net     eth0      206.191.149.223  dhcp
               loc     eth1      192.168.1.255
               dmz     eth2      192.168.2.255

       Example 2:
           The same configuration without specifying broadcast addresses is:

               #ZONE   INTERFACE BROADCAST        OPTIONS
               net     eth0      detect           dhcp
               loc     eth1      detect
               dmz     eth2      detect

       Example 3:
           You have a simple dial-in system with no ethernet connections.

               #ZONE   INTERFACE BROADCAST        OPTIONS
               net     ppp0      -

       Example 4 (Shorewall 4.4.9 and later):
           You have a bridge with no IP address and you want to allow traffic
           through the bridge.

               #ZONE   INTERFACE BROADCAST        OPTIONS
               -       br0       -                routeback

FILES

       /etc/shorewall/interfaces

SEE ALSO

       shorewall(8), shorewall-accounting(5), shorewall-actions(5),
       shorewall-blacklist(5), shorewall-hosts(5), shorewall-maclist(5),
       shorewall-masq(5), shorewall-nat(5), shorewall-netmap(5),
       shorewall-params(5), shorewall-policy(5), shorewall-providers(5),
       shorewall-proxyarp(5), shorewall-route_rules(5),
       shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
       shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
       shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
       shorewall-zones(5)

NOTES

        1. shorewall-hosts
           http://www.shorewall.net/manpages/shorewall-hosts.html

        2. shorewall-nesting
           http://www.shorewall.net/manpages/shorewall-nesting.html

        3. Proxy ARP
           http://www.shorewall.net/manpages/../ProxyARP.htm

        4. shorewall6-blacklist
           http://www.shorewall.net/manpages/shorewall6-blacklist.html

        5. shorewall-zones
           http://www.shorewall.net/manpages/shorewall-zones.html

        6. simple bridge
           http://www.shorewall.net/manpages/../SimpleBridge.html

        7. Shorewall-perl for firewall/bridging
           http://www.shorewall.net/manpages/../bridge-Shorewall-perl.html

        8. shorewall-rules
           http://www.shorewall.net/manpages/shorewall-rules.html

        9. shorewall.conf
           http://www.shorewall.net/manpages/shorewall.conf.html

       10. shorewall-maclist
           http://www.shorewall.net/manpages/shorewall-maclist.html

       11. shorewall-proxyarp
           http://www.shorewall.net/manpages/shorewall-proxyarp.html

       12. http://tldp.org/HOWTO/Proxy-ARP-Subnet/index.html.
           http://tldp.org/HOWTO/Proxy-ARP-Subnet/index.html

       13. shorewall-providers
           http://www.shorewall.net/manpages/shorewall-providers.html

       14. http://www.shorewall.net/UPnP.html
           http://www.shorewall.net/manpages/../UPnP.html



[FIXME: source]                   09/16/2011            SHOREWALL-INTERFACE(5)