1SHOREWALL-INTERFACE(5) Configuration Files SHOREWALL-INTERFACE(5)
2
3
4
6 interfaces - Shorewall interfaces file
7
9 /etc/shorewall[6]/interfaces
10
12 The interfaces file serves to define the firewall's network interfaces
13 to Shorewall. The order of entries in this file is not significant in
14 determining zone composition.
15
16 Beginning with Shorewall 4.5.3, the interfaces file supports two
17 different formats:
18
19 FORMAT 1 (default - deprecated)
20 There is a BROADCAST column which can be used to specify the
21 broadcast address associated with the interface.
22
23 FORMAT 2
24 The BROADCAST column is omitted.
25
26 The format is specified by a line as follows:
27
28 ?FORMAT {1|2}
29
30 The columns in the file are as follows.
31
32 ZONE - zone-name
33 Zone for this interface. Must match the name of a zone declared in
34 /etc/shorewall/zones. You may not list the firewall zone in this
35 column.
36
37 If the interface serves multiple zones that will be defined in the
38 shorewall-hosts[1](5) file, you should place "-" in this column.
39
40 If there are multiple interfaces to the same zone, you must list
41 them in separate entries.
42
43 Example:
44
45 #ZONE INTERFACE BROADCAST
46 loc eth1 -
47 loc eth2 -
48
49 INTERFACE - interface[:port]
50 Logical name of interface. Each interface may be listed only once
51 in this file. You may NOT specify the name of a "virtual" interface
52 (e.g., eth0:0) here; see http://www.shorewall.net/FAQ.htm#faq18[2].
53 If the physical option is not specified, then the logical name is
54 also the name of the actual interface.
55
56 You may use wildcards here by specifying a prefix followed by the
57 plus sign ("+"). For example, if you want to make an entry that
58 applies to all PPP interfaces, use 'ppp+'; that would match ppp0,
59 ppp1, ppp2, ...
60
61 When using Shorewall versions before 4.1.4, care must be exercised
62 when using wildcards where there is another zone that uses a
63 matching specific interface. See shorewall-nesting[3](5) for a
64 discussion of this problem.
65
66 Shorewall allows '+' as an interface name, but that usage is
67 deprecated. A better approach is to specify 'physical=+' in the
68 OPTIONS column (see below).
69
70 There is no need to define the loopback interface (lo) in this
71 file.
72
73 If a port is given, then the interface must have been defined
74 previously with the bridge option. The OPTIONS column may not
75 contain the following options when a port is given.
76 arp_filter
77 arp_ignore
78 bridge
79 log_martians
80 mss
81 optional
82 proxyarp
83 required
84 routefilter
85 sourceroute
86 upnp
87 wait
88 Beginning with Shorewall 4.5.17, if you specify a zone for the 'lo'
89 interface, then that zone must be defined as type local in
90 shorewall6-zones[4](5).
91
92 BROADCAST (Optional) - {-|detect|address[,address]...}
93 Only available if FORMAT 1.
94
95 If you use the special value detect, Shorewall will detect the
96 broadcast address(es) for you if your iptables and kernel include
97 Address Type Match support.
98
99 If your iptables and/or kernel lack Address Type Match support then
100 you may list the broadcast address(es) for the network(s) to which
101 the interface belongs. For P-T-P interfaces, this column is left
102 blank. If the interface has multiple addresses on multiple subnets
103 then list the broadcast addresses as a comma-separated list.
104
105 If you don't want to give a value for this column but you want to
106 enter a value in the OPTIONS column, enter - in this column.
107
108 OPTIONS (Optional) - [option[,option]...]
109 A comma-separated list of options from the following list. The
110 order in which you list the options is not significant but the list
111 should have no embedded white-space.
112
113 accept_ra[={0|1|2}]
114 IPv6 only; added in Shorewall 4.5.16. Values are:
115
116 0
117 Do not accept Router Advertisements.
118
119 1
120 Accept Route Advertisements if forwarding is disabled.
121
122 2
123 Overrule forwarding behavior. Accept Route Advertisements
124 even if forwarding is enabled.
125
126 If the option is specified without a value, then the value 1 is
127 assumed.
128
129 Note
130 This option does not work with a wild-card physical name
131 (e.g., eth0.+). Beginning with Shorewall 5.1.10, If this
132 option is specified, a warning is issued and the option is
133 ignored.
134
135 arp_filter[={0|1}]
136 IPv4 only. If specified, this interface will only respond to
137 ARP who-has requests for IP addresses configured on the
138 interface. If not specified, the interface can respond to ARP
139 who-has requests for IP addresses on any of the firewall's
140 interface. The interface must be up when Shorewall is started.
141
142 Only those interfaces with the arp_filter option will have
143 their setting changed; the value assigned to the setting will
144 be the value specified (if any) or 1 if no value is given.
145
146 Note
147 This option does not work with a wild-card physical name
148 (e.g., eth0.+). Beginning with Shorewall 5.1.10, If this
149 option is specified, a warning is issued and the option is
150 ignored.
151
152 arp_ignore[=number]
153 IPv4 only. If specified, this interface will respond to arp
154 requests based on the value of number (defaults to 1).
155
156 1 - reply only if the target IP address is local address
157 configured on the incoming interface
158
159 2 - reply only if the target IP address is local address
160 configured on the incoming interface and the sender's IP
161 address is part from same subnet on this interface's address
162
163 3 - do not reply for local addresses configured with scope
164 host, only resolutions for global and link
165
166 4-7 - reserved
167
168 8 - do not reply for all local addresses
169
170 Note
171 This option does not work with a wild-card physical name
172 (e.g., eth0.+). Beginning with Shorewall 5.1.10, If this
173 option is specified, a warning is issued and the option is
174 ignored.
175
176 Warning
177 Do not specify arp_ignore for any interface involved in
178 Proxy ARP[5].
179
180 blacklist
181 Checks packets arriving on this interface against the
182 shorewall-blacklist[6](5) file.
183
184 Beginning with Shorewall 4.4.13:
185
186 · If a zone is given in the ZONES column, then the behavior
187 is as if blacklist had been specified in the IN_OPTIONS
188 column of shorewall-zones[7](5).
189
190 · Otherwise, the option is ignored with a warning: WARNING:
191 The 'blacklist' option is ignored on multi-zone interfaces
192
193 bridge
194 Designates the interface as a bridge. Beginning with Shorewall
195 4.4.7, setting this option also sets routeback.
196
197 Note
198 If you have a bridge that you don't intend to define bport
199 zones on, then it is best to omit this option and simply
200 specify routeback.
201
202 dbl={none|src|dst|src-dst}
203 Added in Shorewall 5.0.10. This option defined whether or not
204 dynamic blacklisting is applied to packets entering the
205 firewall through this interface and whether the source address
206 and/or destination address is to be compared against the
207 ipset-based dynamic blacklist (DYNAMIC_BLACKLIST=ipset... in
208 shorewall.conf(5)[8]). The default is determine by the setting
209 of DYNAMIC_BLACKLIST:
210
211 DYNAMIC_BLACKLIST=No
212 Default is none (e.g., no dynamic blacklist checking).
213
214 DYNAMIC_BLACKLIST=Yes
215 Default is src (e.g., the source IP address is checked).
216
217 DYNAMIC_BLACKLIST=ipset[-only]
218 Default is src.
219
220 DYNAMIC_BLACKLIST=ipset[-only],src-dst...
221 Default is src-dst (e.g., the source IP addresses in
222 checked against the ipset on input and the destination IP
223 address is checked against the ipset on packets originating
224 from the firewall and leaving through this interface).
225
226 The normal setting for this option will be dst or none for
227 internal interfaces and src or src-dst for Internet-facing
228 interfaces.
229
230 destonly
231 Added in Shorewall 4.5.17. Causes the compiler to omit rules to
232 handle traffic from this interface.
233
234 dhcp
235 Specify this option when any of the following are true:
236
237 1. the interface gets its IP address via DHCP
238
239 2. the interface is used by a DHCP server running on the
240 firewall
241
242 3. the interface has a static IP but is on a LAN segment with
243 lots of DHCP clients.
244
245 4. the interface is a simple bridge[9] with a DHCP server on
246 one port and DHCP clients on another port.
247
248 Note
249 If you use Shorewall-perl for firewall/bridging[10],
250 then you need to include DHCP-specific rules in
251 shorewall-rules[11](5). DHCP uses UDP ports 67 and 68.
252
253 This option allows DHCP datagrams to enter and leave the
254 interface.
255
256 forward[={0|1}]
257 IPv6 only Sets the /proc/sys/net/ipv6/conf/interface/forwarding
258 option to the specified value. If no value is supplied, then 1
259 is assumed.
260
261 Note
262 This option does not work with a wild-card physical name
263 (e.g., eth0.+). Beginning with Shorewall 5.1.10, If this
264 option is specified, a warning is issued and the option is
265 ignored.
266
267 ignore[=1]
268 When specified, causes the generated script to ignore up/down
269 events from Shorewall-init for this device. Additionally, the
270 option exempts the interface from hairpin filtering. When '=1'
271 is omitted, the ZONE column must contain '-' and ignore must be
272 the only OPTION.
273
274 Beginning with Shorewall 4.5.5, may be specified as 'ignore=1'
275 which only causes the generated script to ignore up/down events
276 from Shorewall-init; hairpin filtering is still applied. In
277 this case, the above restrictions on the ZONE and OPTIONS
278 columns are lifted.
279
280 loopback
281 Added in Shorewall 4.6.6. Designates the interface as the
282 loopback interface. This option is assumed if the interface's
283 physical name is 'lo'. Only one interface man have the loopback
284 option specified.
285
286 logmartians[={0|1}]
287 IPv4 only. Turn on kernel martian logging (logging of packets
288 with impossible source addresses. It is strongly suggested that
289 if you set routefilter on an interface that you also set
290 logmartians. Even if you do not specify the routefilter option,
291 it is a good idea to specify logmartians because your
292 distribution may have enabled route filtering without you
293 knowing it.
294
295 Only those interfaces with the logmartians option will have
296 their setting changed; the value assigned to the setting will
297 be the value specified (if any) or 1 if no value is given.
298
299 To find out if route filtering is set on a given interface,
300 check the contents of
301 /proc/sys/net/ipv4/conf/interface/rp_filter - a non-zero value
302 indicates that route filtering is enabled.
303
304 Example:
305
306 teastep@lists:~$ cat /proc/sys/net/ipv4/conf/eth0/rp_filter
307 1
308 teastep@lists:~$
309
310
311 Note
312 This option does not work with a wild-card physical name
313 (e.g., eth0.+). Beginning with Shorewall 5.1.10, If this
314 option is specified, a warning is issued and the option is
315 ignored.
316 This option may also be enabled globally in the
317 shorewall.conf[8](5) file.
318
319 maclist
320 Connection requests from this interface are compared against
321 the contents of shorewall-maclist[12](5). If this option is
322 specified, the interface must be an Ethernet NIC and must be up
323 before Shorewall is started.
324
325 mss=number
326 Added in Shorewall 4.0.3. Causes forwarded TCP SYN packets
327 entering or leaving on this interface to have their MSS field
328 set to the specified number.
329
330 nets=(net[,...])
331 Limit the zone named in the ZONE column to only the listed
332 networks. The parentheses may be omitted if only a single net
333 is given (e.g., nets=192.168.1.0/24). Limited broadcast to the
334 zone is supported. Beginning with Shorewall 4.4.1, multicast
335 traffic to the zone is also supported.
336
337 nets=dynamic
338 Defines the zone as dynamic. Requires ipset match support in
339 your iptables and kernel. See
340 http://www.shorewall.net/Dynamic.html[13] for further
341 information.
342
343 nodbl
344 Added in Shorewall 5.0.8. When specified, dynamic blacklisting
345 is disabled on the interface. Beginning with Shorewall 5.0.10,
346 nodbl is equivalent to dbl=none.
347
348 nosmurfs
349 IPv4 only. Filter packets for smurfs (packets with a broadcast
350 address as the source).
351
352 Smurfs will be optionally logged based on the setting of
353 SMURF_LOG_LEVEL in shorewall.conf[8](5). After logging, the
354 packets are dropped.
355
356 optional
357 When optional is specified for an interface, Shorewall will be
358 silent when:
359
360 · a /proc/sys/net/ipv[46]/conf/ entry for the interface
361 cannot be modified (including for proxy ARP or proxy NDP).
362
363 · The first address of the interface cannot be obtained.
364
365 May not be specified with required.
366
367 physical=name
368 Added in Shorewall 4.4.4. When specified, the interface or port
369 name in the INTERFACE column is a logical name that refers to
370 the name given in this option. It is useful when you want to
371 specify the same wildcard port name on two or more bridges. See
372 http://www.shorewall.net/bridge-Shorewall-perl.html#Multiple[14].
373
374 If the interface name is a wildcard name (ends with '+'), then
375 the physical name must also end in '+'. The physical name may
376 end in '+' (or be exactly '+') when the interface name is not a
377 wildcard name.
378
379 If physical is not specified, then it's value defaults to the
380 interface name.
381
382 proxyarp[={0|1}]
383 IPv4 only. Sets /proc/sys/net/ipv4/conf/interface/proxy_arp. Do
384 NOT use this option if you are employing Proxy ARP through
385 entries in shorewall-proxyarp[15](5). This option is intended
386 solely for use with Proxy ARP sub-networking as described at:
387 http://tldp.org/HOWTO/Proxy-ARP-Subnet/index.html.[16]
388
389 Note
390 This option does not work with a wild-card physical name
391 (e.g., eth0.+). Beginning with Shorewall 5.1.10, If this
392 option is specified, a warning is issued and the option is
393 ignored.
394 Only those interfaces with the proxyarp option will have their
395 setting changed; the value assigned to the setting will be the
396 value specified (if any) or 1 if no value is given.
397
398 proxyndp[={0|1}]
399 IPv6 only. Sets /proc/sys/net/ipv6/conf/interface/proxy_ndp.
400
401 Note
402 This option does not work with a wild-card physical name
403 (e.g., eth0.+). Beginning with Shorewall 5.1.10, If this
404 option is specified, a warning is issued and the option is
405 ignored.
406 Only those interfaces with the proxyndp option will have their
407 setting changed; the value assigned to the setting will be the
408 value specified (if any) or 1 if no value is given.
409
410 required
411 Added in Shorewall 4.4.10. If this option is set, the firewall
412 will fail to start if the interface is not usable. May not be
413 specified together with optional.
414
415 routeback[={0|1}]
416 If specified, indicates that Shorewall should include rules
417 that allow traffic arriving on this interface to be routed back
418 out that same interface. This option is also required when you
419 have used a wildcard in the INTERFACE column if you want to
420 allow traffic between the interfaces that match the wildcard.
421
422 Beginning with Shorewall 4.4.20, if you specify this option,
423 then you should also specify either sfilter (see below) or
424 routefilter on all interfaces (see below).
425
426 Beginning with Shorewall 4.5.18, you may specify this option to
427 explicitly reset (e.g., routeback=0). This can be used to
428 override Shorewall's default setting for bridge devices which
429 is routeback=1.
430
431 routefilter[={0|1|2}]
432 IPv4 only. Turn on kernel route filtering for this interface
433 (anti-spoofing measure).
434
435 Only those interfaces with the routefilter option will have
436 their setting changes; the value assigned to the setting will
437 be the value specified (if any) or 1 if no value is given.
438
439 The value 2 is only available with Shorewall 4.4.5.1 and later
440 when the kernel version is 2.6.31 or later. It specifies a
441 loose form of reverse path filtering.
442
443 Note
444 This option does not work with a wild-card physical name
445 (e.g., eth0.+). Beginning with Shorewall 5.1.10, If this
446 option is specified, a warning is issued and the option is
447 ignored.
448 This option can also be enabled globally via the ROUTE_FILTER
449 option in the shorewall.conf[8](5) file.
450
451 Important
452 If ROUTE_FILTER=Yes in shorewall.conf[8](5), or if your
453 distribution sets net.ipv4.conf.all.rp_filter=1 in
454 /etc/sysctl.conf, then setting routefilter=0 in an
455 interface entry will not disable route filtering on that
456 interface! The effective setting for an interface is the
457 maximum of the contents of
458 /proc/sys/net/ipv4/conf/all/rp_filter and the routefilter
459 setting specified in this file
460 (/proc/sys/net/ipv4/conf/interface/rp_filter).
461
462 Note
463 There are certain cases where routefilter cannot be used on
464 an interface:
465
466 · If USE_DEFAULT_RT=Yes in shorewall.conf[8](5) and the
467 interface is listed in shorewall-providers[17](5).
468
469 · If there is an entry for the interface in
470 shorewall-providers[17](5) that doesn't specify the
471 balance option.
472
473 · If IPSEC is used to allow a road-warrior to have a
474 local address, then any interface through which the
475 road-warrior might connect cannot specify routefilter.
476 Beginning with Shorewall 5.1.1, when routefilter is set to a
477 non-zero value, the logmartians option is also implicitly set.
478 If you actually want route filtering without logging, then you
479 must also specify logmartians=0 after routefilter.
480
481 rpfilter
482 Added in Shorewall 4.5.7. This is an anti-spoofing measure that
483 requires the 'RPFilter Match' capability in your iptables and
484 kernel. It provides a more efficient alternative to the sfilter
485 option below. It performs a function similar to routefilter
486 (see above) but works with Multi-ISP configurations that do not
487 use balanced routes.
488
489 sfilter=(net[,...])
490 Added in Shorewall 4.4.20. This option provides an
491 anti-spoofing alternative to routefilter on interfaces where
492 that option cannot be used, but where the routeback option is
493 required (on a bridge, for example). On these interfaces,
494 sfilter should list those local networks that are connected to
495 the firewall through other interfaces.
496
497 sourceroute[={0|1}]
498 If this option is not specified for an interface, then
499 source-routed packets will not be accepted from that interface
500 unless it has been explicitly enabled via sysconf. Only set
501 this option to 1 (enable source routing) if you know what you
502 are doing. This might represent a security risk and is usually
503 unneeded.
504
505 Only those interfaces with the sourceroute option will have
506 their setting changed; the value assigned to the setting will
507 be the value specified (if any) or 1 if no value is given.
508
509 Note
510 This option does not work with a wild-card physical name
511 (e.g., eth0.+). Beginning with Shorewall 5.1.10, If this
512 option is specified, a warning is issued and the option is
513 ignored.
514
515 tcpflags[={0|1}]
516 Packets arriving on this interface are checked for certain
517 illegal combinations of TCP flags. Packets found to have such a
518 combination of flags are handled according to the setting of
519 TCP_FLAGS_DISPOSITION after having been logged according to the
520 setting of TCP_FLAGS_LOG_LEVEL.
521
522 Beginning with Shorewall 4.6.0, tcpflags=1 is the default. To
523 disable this option, specify tcpflags=0.
524
525 unmanaged
526 Added in Shorewall 4.5.18. Causes all traffic between the
527 firewall and hosts on the interface to be accepted. When this
528 option is given:
529
530 · The ZONE column must contain '-'.
531
532 · Only the following other options are allowed with
533 unmanaged:
534 arp_filter
535 arp_ignore
536 ignore
537 routefilter
538 optional
539 physical
540 routefilter
541 proxyarp
542 proxyudp
543 sourceroute
544
545 upnp
546 Incoming requests from this interface may be remapped via UPNP
547 (upnpd). See http://www.shorewall.net/UPnP.html[18]. Supported
548 in IPv4 and in IPv6 in Shorewall 5.1.4 and later.
549
550 upnpclient
551 This option is intended for laptop users who always run
552 Shorewall on their system yet need to run UPnP-enabled client
553 apps such as Transmission (BitTorrent client). The option
554 causes Shorewall to detect the default gateway through the
555 interface and to accept UDP packets from that gateway. Note
556 that, like all aspects of UPnP, this is a security hole so use
557 this option at your own risk. Supported in IPv4 and in IPv6 in
558 Shorewall 5.1.4 and later.
559
560 wait=seconds
561 Added in Shorewall 4.4.10. Causes the generated script to wait
562 up to seconds seconds for the interface to become usable before
563 applying the required or optional options.
564
566 IPv4 Example 1:
567 Suppose you have eth0 connected to a DSL modem and eth1 connected
568 to your local network and that your local subnet is 192.168.1.0/24.
569 The interface gets its IP address via DHCP from subnet
570 206.191.149.192/27. You have a DMZ with subnet 192.168.2.0/24 using
571 eth2. Your iptables and/or kernel do not support "Address Type
572 Match" and you prefer to specify broadcast addresses explicitly
573 rather than having Shorewall detect them.
574
575 Your entries for this setup would look like:
576
577 ?FORMAT 1
578 #ZONE INTERFACE BROADCAST OPTIONS
579 net eth0 206.191.149.223 dhcp
580 loc eth1 192.168.1.255
581 dmz eth2 192.168.2.255
582
583 Example 2:
584 The same configuration without specifying broadcast addresses is:
585
586 ?FORMAT 2
587 #ZONE INTERFACE OPTIONS
588 net eth0 dhcp
589 loc eth1
590 dmz eth2
591
592 Example 3:
593 You have a simple dial-in system with no Ethernet connections.
594
595 ?FORMAT 2
596 #ZONE INTERFACE OPTIONS
597 net ppp0 -
598
599 Example 4 (Shorewall 4.4.9 and later):
600 You have a bridge with no IP address and you want to allow traffic
601 through the bridge.
602
603 ?FORMAT 2
604 #ZONE INTERFACE OPTIONS
605 - br0 bridge
606
608 /etc/shorewall/interfaces
609
610 /etc/shorewall6/interfaces
611
613 http://www.shorewall.net/configuration_file_basics.htm#Pairs[19]
614
615 shorewall(8)
616
618 1. shorewall-hosts
619 http://www.shorewall.net/manpages/shorewall-hosts.html
620
621 2. http://www.shorewall.net/FAQ.htm#faq18
622 http://www.shorewall.net/FAQ.htm#faq18
623
624 3. shorewall-nesting
625 http://www.shorewall.net/manpages/shorewall-nesting.html
626
627 4. shorewall6-zones
628 http://www.shorewall.net/manpages6/shorewall6-zones.html
629
630 5. Proxy ARP
631 http://www.shorewall.net/ProxyARP.htm
632
633 6. shorewall-blacklist
634 http://www.shorewall.net/manpages/shorewall-blacklist.html
635
636 7. shorewall-zones
637 http://www.shorewall.net/manpages/shorewall-zones.html
638
639 8. shorewall.conf(5)
640 http://www.shorewall.net/manpages/shorewall.conf.html
641
642 9. simple bridge
643 http://www.shorewall.net/SimpleBridge.html
644
645 10. Shorewall-perl for firewall/bridging
646 http://www.shorewall.net/bridge-Shorewall-perl.html
647
648 11. shorewall-rules
649 http://www.shorewall.net/manpages/shorewall-rules.html
650
651 12. shorewall-maclist
652 http://www.shorewall.net/manpages/shorewall-maclist.html
653
654 13. http://www.shorewall.net/Dynamic.html
655 http://www.shorewall.net/Dynamic.html
656
657 14. http://www.shorewall.net/bridge-Shorewall-perl.html#Multiple
658 http://www.shorewall.net/bridge-Shorewall-perl.html#Multiple
659
660 15. shorewall-proxyarp
661 http://www.shorewall.net/manpages/shorewall-proxyarp.html
662
663 16. http://tldp.org/HOWTO/Proxy-ARP-Subnet/index.html.
664 http://tldp.org/HOWTO/Proxy-ARP-Subnet/index.html
665
666 17. shorewall-providers
667 http://www.shorewall.net/manpages/shorewall-providers.html
668
669 18. http://www.shorewall.net/UPnP.html
670 http://www.shorewall.net/UPnP.html
671
672 19. http://www.shorewall.net/configuration_file_basics.htm#Pairs
673 http://www.shorewall.net/configuration_file_basics.htm#Pairs
674
675
676
677Configuration Files 01/17/2019 SHOREWALL-INTERFACE(5)