1SHOREWALL-INTERFACE(5) [FIXME: manual] SHOREWALL-INTERFACE(5)
2
6 interfaces - Shorewall interfaces file
7
9 /etc/shorewall/interfaces
10
12 The interfaces file serves to define the firewall's network interfaces
13 to Shorewall. The order of entries in this file is not significant in
14 determining zone composition.
15 The columns in the file are as follows.
17 ZONE - zone-name
19 Zone for this interface. Must match the name of a zone declared in
20 /etc/shorewall/zones. You may not list the firewall zone in this
21 column.
22 If the interface serves multiple zones that will be defined in the
24 shorewall-hosts[1](5) file, you should place "-" in this column.
25 If there are multiple interfaces to the same zone, you must list
27 them in separate entries.
28 Example:
30 #ZONE INTERFACE BROADCAST
32 loc eth1 -
33 loc eth2 -
34 INTERFACE - interface[:port]
36 Logical name of interface. Each interface may be listed only once
37 in this file. You may NOT specify the name of a "virtual" interface
38 (e.g., eth0:0) here; see http://www.shorewall.net/FAQ.htm#faq18. If
39 the physical option is not specified, then the logical name is also
40 the name of the actual interface.
41 You may use wildcards here by specifying a prefix followed by the
43 plus sign ("+"). For example, if you want to make an entry that
44 applies to all PPP interfaces, use 'ppp+'; that would match ppp0,
45 ppp1, ppp2, ... Please note that the '+' means 'one or more
46 additional characters' so 'ppp' does not match 'ppp+'.
47 When using Shorewall versions before 4.1.4, care must be exercised
49 when using wildcards where there is another zone that uses a
50 matching specific interface. See shorewall-nesting[2](5) for a
51 discussion of this problem.
52 Shorewall allows '+' as an interface name.
54 There is no need to define the loopback interface (lo) in this
56 file.
57 If a port is given, then the interface must have been defined
59 previously with the bridge option. The OPTIONS column may not
60 contain the following options when a port is given.
61 arp_filter
62 arp_ignore
63 bridge
64 log_martians
65 mss
66 optional
67 proxyarp
68 required
69 routefilter
70 sourceroute
71 upnp
72 wait
73 BROADCAST (Optional) - {-|detect|address[,address]...}
75 If you use the special value detect, Shorewall will detect the
76 broadcast address(es) for you if your iptables and kernel include
77 Address Type Match support.
78 If your iptables and/or kernel lack Address Type Match support then
80 you may list the broadcast address(es) for the network(s) to which
81 the interface belongs. For P-T-P interfaces, this column is left
82 blank. If the interface has multiple addresses on multiple subnets
83 then list the broadcast addresses as a comma-separated list.
84 If you don't want to give a value for this column but you want to
86 enter a value in the OPTIONS column, enter - in this column.
87 OPTIONS (Optional) - [option[,option]...]
89 A comma-separated list of options from the following list. The
90 order in which you list the options is not significant but the list
91 should have no embedded white space.
92 arp_filter[={0|1}]
94 If specified, this interface will only respond to ARP who-has
95 requests for IP addresses configured on the interface. If not
96 specified, the interface can respond to ARP who-has requests
97 for IP addresses on any of the firewall's interface. The
98 interface must be up when Shorewall is started.
99 Only those interfaces with the arp_filter option will have
101 their setting changed; the value assigned to the setting will
102 be the value specified (if any) or 1 if no value is given.
103 Note
106 This option does not work with a wild-card interface name
107 (e.g., eth0.+) in the INTERFACE column.
108 arp_ignore[=number]
110 If specified, this interface will respond to arp requests based
111 on the value of number (defaults to 1).
112 1 - reply only if the target IP address is local address
114 configured on the incoming interface
115 2 - reply only if the target IP address is local address
117 configured on the incoming interface and the sender's IP
118 address is part from same subnet on this interface's address
119 3 - do not reply for local addresses configured with scope
121 host, only resolutions for global and link
122 4-7 - reserved
124 8 - do not reply for all local addresses
126 Note
129 This option does not work with a wild-card interface name
130 (e.g., eth0.+) in the INTERFACE column.
131 Warning
133 Do not specify arp_ignore for any interface involved in
134 Proxy ARP[3].
135 blacklist
137 Check packets arriving on this interface against the
138 shorewall6-blacklist[4](5) file.
139 Beginning with Shorewall 4.4.13:
141 · If a zone is given in the ZONES column, then the behavior
143 is as if blacklist had been specified in the IN_OPTIONS
144 column of shorewall-zones[5](5).
145 · Otherwise, the option is ignored with a warning: WARNING:
147 The 'blacklist' option is ignored on mult-zone interfaces
148 bridge
150 Designates the interface as a bridge. Beginning with Shorewall
151 4.4.7, setting this option also sets routeback.
152 dhcp
154 Specify this option when any of the following are true:
155 1. the interface gets its IP address via DHCP
157 2. the interface is used by a DHCP server running on the
159 firewall
160 3. the interface has a static IP but is on a LAN segment with
162 lots of DHCP clients.
163 4. the interface is a simple bridge[6] with a DHCP server on
165 one port and DHCP clients on another port.
166 Note
168 If you use Shorewall-perl for firewall/bridging[7],
169 then you need to include DHCP-specific rules in
170 shorewall-rules[8](8). DHCP uses UDP ports 67 and 68.
171 This option allows DHCP datagrams to enter and leave the
173 interface.
174 logmartians[={0|1}]
176 Turn on kernel martian logging (logging of packets with
177 impossible source addresses. It is strongly suggested that if
178 you set routefilter on an interface that you also set
179 logmartians. Even if you do not specify the routefilter option,
180 it is a good idea to specify logmartians because your
181 distribution may have enabled route filtering without you
182 knowing it.
183 Only those interfaces with the logmartians option will have
185 their setting changed; the value assigned to the setting will
186 be the value specified (if any) or 1 if no value is given.
187 To find out if route filtering is set on a given interface,
189 check the contents of
190 /proc/sys/net/ipv4/conf/interface/rp_filter - a non-zero value
191 indicates that route filtering is enabled.
192 Example:
194 teastep@lists:~$ cat /proc/sys/net/ipv4/conf/eth0/rp_filter
196 1
197 teastep@lists:~$
198 Note
201 This option does not work with a wild-card interface name
202 (e.g., eth0.+) in the INTERFACE column.
203 This option may also be enabled globally in the
204 shorewall.conf[9](5) file.
205 maclist
207 Connection requests from this interface are compared against
208 the contents of shorewall-maclist[10](5). If this option is
209 specified, the interface must be an ethernet NIC and must be up
210 before Shorewall is started.
211 mss=number
213 Added in Shorewall 4.0.3. Causes forwarded TCP SYN packets
214 entering or leaving on this interface to have their MSS field
215 set to the specified number.
216 nets=(net[,...])
218 Limit the zone named in the ZONE column to only the listed
219 networks. The parentheses may be omitted if only a single net
220 is given (e.g., nets=192.168.1.0/24). Limited broadcast to the
221 zone is supported. Beginning with Shorewall 4.4.1, multicast
222 traffic to the zone is also supported.
223 nets=dynamic
225 Defines the zone as dynamic. Requires ipset match support in
226 your iptables and kernel. See
227 http://www.shorewall.net/Dynamic.html for further information.
228 nosmurfs
230 Filter packets for smurfs (packets with a broadcast address as
231 the source).
232 Smurfs will be optionally logged based on the setting of
234 SMURF_LOG_LEVEL in shorewall.conf[9](5). After logging, the
235 packets are dropped.
236 optional
238 When optional is specified for an interface, Shorewall will be
239 silent when:
240 · a /proc/sys/net/ipv4/conf/ entry for the interface cannot
242 be modified (including for proxy ARP).
243 · The first address of the interface cannot be obtained.
245 May not be specified with required.
247 physical=name
249 Added in Shorewall 4.4.4. When specified, the interface or port
250 name in the INTERFACE column is a logical name that refers to
251 the name given in this option. It is useful when you want to
252 specify the same wildcard port name on two or more bridges. See
253 http://www.shorewall.net/bridge-Shorewall-perl.html#Multiple.
254 If the interface name is a wildcard name (ends with '+'), then
256 the physical name must also end in '+'.
257 If physical is not specified, then it's value defaults to the
259 interface name.
260 proxyarp[={0|1}]
262 Sets /proc/sys/net/ipv4/conf/interface/proxy_arp. Do NOT use
263 this option if you are employing Proxy ARP through entries in
264 shorewall-proxyarp[11](5). This option is intended solely for
265 use with Proxy ARP sub-networking as described at:
266 http://tldp.org/HOWTO/Proxy-ARP-Subnet/index.html.[12]
267 Note: This option does not work with a wild-card interface name
269 (e.g., eth0.+) in the INTERFACE column.
270 Only those interfaces with the proxyarp option will have their
272 setting changed; the value assigned to the setting will be the
273 value specified (if any) or 1 if no value is given.
274 required
276 Added in Shorewall 4.4.10. If this option is set, the firewall
277 will fail to start if the interface is not usable. May not be
278 specified together with optional.
279 routeback
281 If specified, indicates that Shorewall should include rules
282 that allow traffic arriving on this interface to be routed back
283 out that same interface. This option is also required when you
284 have used a wildcard in the INTERFACE column if you want to
285 allow traffic between the interfaces that match the wildcard.
286 Beginning with Shorewall 4.4.20, if you specify this option,
288 then you should also specify either sfilter (see below) or
289 routefilter on all interfaces (see below).
290 routefilter[={0|1|2}]
292 Turn on kernel route filtering for this interface
293 (anti-spoofing measure).
294 Only those interfaces with the routefilter option will have
296 their setting changes; the value assigned to the setting will
297 be the value specified (if any) or 1 if no value is given.
298 The value 2 is only available with Shorewall 4.4.5.1 and later
300 when the kernel version is 2.6.31 or later. It specifies a
301 loose form of reverse path filtering.
302 Note
304 This option does not work with a wild-card interface name
305 (e.g., eth0.+) in the INTERFACE column.
306 This option can also be enabled globally in the
307 shorewall.conf[9](5) file.
308 Note
310 There are certain cases where routefilter cannot be used on
311 an interface:
312 · If USE_DEFAULT_RT=Yes in shorewall.conf[9](5) and the
314 interface is listed in shorewall-providers[13](5).
315 · If there is an entry for the interface in
317 shorewall-providers[13](5) that doesn't specify the
318 balance option.
319 · If IPSEC is used to allow a road-warrior to have a
321 local address, then any interface through which the
322 road-warrior might connect cannot specify routefilter.
323 sfilter=(net[,...])
325 Added in Shorewall 4.4.20. This option provides an
326 anti-spoofing alternative to routefilter on interfaces where
327 that option cannot be used, but where the routeback option is
328 required (on a bridge, for example). On these interfaces,
329 sfilter should list those local networks that are connected to
330 the firewall through other interfaces.
331 sourceroute[={0|1}]
333 If this option is not specified for an interface, then
334 source-routed packets will not be accepted from that interface
335 (sets /proc/sys/net/ipv4/conf/interface/accept_source_route to
336 1). Only set this option if you know what you are doing. This
337 might represent a security risk and is usually unneeded.
338 Only those interfaces with the sourceroute option will have
340 their setting changed; the value assigned to the setting will
341 be the value specified (if any) or 1 if no value is given.
342 Note
345 This option does not work with a wild-card interface name
346 (e.g., eth0.+) in the INTERFACE column.
347 tcpflags
349 Packets arriving on this interface are checked for certain
350 illegal combinations of TCP flags. Packets found to have such a
351 combination of flags are handled according to the setting of
352 TCP_FLAGS_DISPOSITION after having been logged according to the
353 setting of TCP_FLAGS_LOG_LEVEL.
354 upnp
356 Incoming requests from this interface may be remapped via UPNP
357 (upnpd). See http://www.shorewall.net/UPnP.html[14].
358 upnpclient
360 This option is intended for laptop users who always run
361 Shorewall on their system yet need to run UPnP-enabled client
362 apps such as Transmission (BitTorrent client). The option
363 causes Shorewall to detect the default gateway through the
364 interface and to accept UDP packets from that gateway. Note
365 that, like all aspects of UPnP, this is a security hole so use
366 this option at your own risk.
367 wait=seconds
369 Added in Shorewall 4.4.10. Causes the generated script to wait
370 up to seconds seconds for the interface to become usable before
371 applying the required or optional options.
372
374 Example 1:
375 Suppose you have eth0 connected to a DSL modem and eth1 connected
376 to your local network and that your local subnet is 192.168.1.0/24.
377 The interface gets its IP address via DHCP from subnet
378 206.191.149.192/27. You have a DMZ with subnet 192.168.2.0/24 using
379 eth2.
380 Your entries for this setup would look like:
382 #ZONE INTERFACE BROADCAST OPTIONS
384 net eth0 206.191.149.223 dhcp
385 loc eth1 192.168.1.255
386 dmz eth2 192.168.2.255
387 Example 2:
389 The same configuration without specifying broadcast addresses is:
390 #ZONE INTERFACE BROADCAST OPTIONS
392 net eth0 detect dhcp
393 loc eth1 detect
394 dmz eth2 detect
395 Example 3:
397 You have a simple dial-in system with no ethernet connections.
398 #ZONE INTERFACE BROADCAST OPTIONS
400 net ppp0 -
401 Example 4 (Shorewall 4.4.9 and later):
403 You have a bridge with no IP address and you want to allow traffic
404 through the bridge.
405 #ZONE INTERFACE BROADCAST OPTIONS
407 - br0 - routeback
408
410 /etc/shorewall/interfaces
411
413 shorewall(8), shorewall-accounting(5), shorewall-actions(5),
414 shorewall-blacklist(5), shorewall-hosts(5), shorewall-maclist(5),
415 shorewall-masq(5), shorewall-nat(5), shorewall-netmap(5),
416 shorewall-params(5), shorewall-policy(5), shorewall-providers(5),
417 shorewall-proxyarp(5), shorewall-route_rules(5),
418 shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
419 shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
420 shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
421 shorewall-zones(5)
422
424 1. shorewall-hosts
425 http://www.shorewall.net/manpages/shorewall-hosts.html
426 2. shorewall-nesting
428 http://www.shorewall.net/manpages/shorewall-nesting.html
429 3. Proxy ARP
431 http://www.shorewall.net/manpages/../ProxyARP.htm
432 4. shorewall6-blacklist
434 http://www.shorewall.net/manpages/shorewall6-blacklist.html
435 5. shorewall-zones
437 http://www.shorewall.net/manpages/shorewall-zones.html
438 6. simple bridge
440 http://www.shorewall.net/manpages/../SimpleBridge.html
441 7. Shorewall-perl for firewall/bridging
443 http://www.shorewall.net/manpages/../bridge-Shorewall-perl.html
444 8. shorewall-rules
446 http://www.shorewall.net/manpages/shorewall-rules.html
447 9. shorewall.conf
449 http://www.shorewall.net/manpages/shorewall.conf.html
450 10. shorewall-maclist
452 http://www.shorewall.net/manpages/shorewall-maclist.html
453 11. shorewall-proxyarp
455 http://www.shorewall.net/manpages/shorewall-proxyarp.html
456 12. http://tldp.org/HOWTO/Proxy-ARP-Subnet/index.html.
458 http://tldp.org/HOWTO/Proxy-ARP-Subnet/index.html
459 13. shorewall-providers
461 http://www.shorewall.net/manpages/shorewall-providers.html
462 14. http://www.shorewall.net/UPnP.html
464 http://www.shorewall.net/manpages/../UPnP.html
465[FIXME: source] 09/16/2011 SHOREWALL-INTERFACE(5)