SHOREWALL-INTERFACE(5)        Configuration Files       SHOREWALL-INTERFACE(5)


NAME

       interfaces - Shorewall interfaces file


SYNOPSIS

       /etc/shorewall[6]/interfaces


DESCRIPTION

       The interfaces file serves to define the firewall's network interfaces
       to Shorewall. The order of entries in this file is not significant in
       determining zone composition.

       Beginning with Shorewall 4.5.3, the interfaces file supports two
       different formats:

       FORMAT 1 (default - deprecated)
           There is a BROADCAST column which can be used to specify the
           broadcast address associated with the interface.

       FORMAT 2
           The BROADCAST column is omitted.

       The format is specified by a line as follows:

       ?FORMAT {1|2}

       The columns in the file are as follows.

       ZONE - zone-name
           Zone for this interface. Must match the name of a zone declared in
           /etc/shorewall/zones. You may not list the firewall zone in this
           column.

           If the interface serves multiple zones that will be defined in the
           shorewall-hosts[1](5) file, you should place "-" in this column.

           If there are multiple interfaces to the same zone, you must list
           them in separate entries.

           Example:

               #ZONE   INTERFACE       BROADCAST
               loc     eth1            -
               loc     eth2            -

       INTERFACE - interface[:port]
           Logical name of interface. Each interface may be listed only once
           in this file. You may NOT specify the name of a "virtual" interface
           (e.g., eth0:0) here; see http://www.shorewall.net/FAQ.htm#faq18[2].
           If the physical option is not specified, then the logical name is
           also the name of the actual interface.

           You may use wildcards here by specifying a prefix followed by the
           plus sign ("+"). For example, if you want to make an entry that
           applies to all PPP interfaces, use 'ppp+'; that would match ppp0,
           ppp1, ppp2, ...

           When using Shorewall versions before 4.1.4, care must be exercised
           when using wildcards where there is another zone that uses a
           matching specific interface. See shorewall-nesting[3](5) for a
           discussion of this problem.

           Shorewall allows '+' as an interface name, but that usage is
           deprecated. A better approach is to specify 'physical=+' in the
           OPTIONS column (see below).

           There is no need to define the loopback interface (lo) in this
           file.

           If a port is given, then the interface must have been defined
           previously with the bridge option. The OPTIONS column may not
           contain the following options when a port is given.
               arp_filter
               arp_ignore
               bridge
               log_martians
               mss
               optional
               proxyarp
               required
               routefilter
               sourceroute
               upnp
               wait
           Beginning with Shorewall 4.5.17, if you specify a zone for the 'lo'
           interface, then that zone must be defined as type local in
           shorewall6-zones[4](5).

       BROADCAST (Optional) - {-|detect|address[,address]...}
           Only available if FORMAT 1.

           If you use the special value detect, Shorewall will detect the
           broadcast address(es) for you if your iptables and kernel include
           Address Type Match support.

           If your iptables and/or kernel lack Address Type Match support then
           you may list the broadcast address(es) for the network(s) to which
           the interface belongs. For P-T-P interfaces, this column is left
           blank. If the interface has multiple addresses on multiple subnets
           then list the broadcast addresses as a comma-separated list.

           If you don't want to give a value for this column but you want to
           enter a value in the OPTIONS column, enter - in this column.

       OPTIONS (Optional) - [option[,option]...]
           A comma-separated list of options from the following list. The
           order in which you list the options is not significant but the list
           should have no embedded white-space.

112
           accept_ra[={0|1|2}]
               IPv6 only; added in Shorewall 4.5.16. Values are:

               0
                   Do not accept Router Advertisements.

               1
                   Accept Router Advertisements if forwarding is disabled.

               2
                   Overrule forwarding behavior. Accept Router Advertisements
                   even if forwarding is enabled.

               If the option is specified without a value, then the value 1 is
               assumed.

                   Note
                   This option does not work with a wild-card physical name
                   (e.g., eth0.+). Beginning with Shorewall 5.1.10, if this
                   option is specified, a warning is issued and the option is
                   ignored.
134
           arp_filter[={0|1}]
               IPv4 only. If specified, this interface will only respond to
               ARP who-has requests for IP addresses configured on the
               interface. If not specified, the interface can respond to ARP
               who-has requests for IP addresses on any of the firewall's
               interfaces. The interface must be up when Shorewall is started.

               Only those interfaces with the arp_filter option will have
               their setting changed; the value assigned to the setting will
               be the value specified (if any) or 1 if no value is given.

                   Note
                   This option does not work with a wild-card physical name
                   (e.g., eth0.+). Beginning with Shorewall 5.1.10, if this
                   option is specified, a warning is issued and the option is
                   ignored.
151
           arp_ignore[=number]
               IPv4 only. If specified, this interface will respond to ARP
               requests based on the value of number (defaults to 1).

               1 - reply only if the target IP address is a local address
               configured on the incoming interface

               2 - reply only if the target IP address is a local address
               configured on the incoming interface and the sender's IP
               address is in the same subnet as this interface's address

               3 - do not reply for local addresses configured with scope
               host, only resolutions for global and link

               4-7 - reserved

               8 - do not reply for all local addresses

                   Note
                   This option does not work with a wild-card physical name
                   (e.g., eth0.+). Beginning with Shorewall 5.1.10, if this
                   option is specified, a warning is issued and the option is
                   ignored.

                   Warning
                   Do not specify arp_ignore for any interface involved in
                   Proxy ARP[5].
179
           blacklist
               Checks packets arriving on this interface against the
               shorewall-blacklist[6](5) file.

               Beginning with Shorewall 4.4.13:

               ·   If a zone is given in the ZONES column, then the behavior
                   is as if blacklist had been specified in the IN_OPTIONS
                   column of shorewall-zones[7](5).

               ·   Otherwise, the option is ignored with a warning: WARNING:
                   The 'blacklist' option is ignored on multi-zone interfaces

           bridge
               Designates the interface as a bridge. Beginning with Shorewall
               4.4.7, setting this option also sets routeback.

                   Note
                   If you have a bridge that you don't intend to define bport
                   zones on, then it is best to omit this option and simply
                   specify routeback.
201
           dbl={none|src|dst|src-dst}
               Added in Shorewall 5.0.10. This option defines whether or not
               dynamic blacklisting is applied to packets entering the
               firewall through this interface and whether the source address
               and/or destination address is to be compared against the
               ipset-based dynamic blacklist (DYNAMIC_BLACKLIST=ipset... in
               shorewall.conf(5)[8]). The default is determined by the setting
               of DYNAMIC_BLACKLIST:

               DYNAMIC_BLACKLIST=No
                   Default is none (i.e., no dynamic blacklist checking).

               DYNAMIC_BLACKLIST=Yes
                   Default is src (i.e., the source IP address is checked).

               DYNAMIC_BLACKLIST=ipset[-only]
                   Default is src.

               DYNAMIC_BLACKLIST=ipset[-only],src-dst...
                   Default is src-dst (i.e., the source IP address is
                   checked against the ipset on input and the destination IP
                   address is checked against the ipset on packets originating
                   from the firewall and leaving through this interface).

               The normal setting for this option will be dst or none for
               internal interfaces and src or src-dst for Internet-facing
               interfaces.
229
           destonly
               Added in Shorewall 4.5.17. Causes the compiler to omit rules to
               handle traffic from this interface.

           dhcp
               Specify this option when any of the following are true:

                1. the interface gets its IP address via DHCP

                2. the interface is used by a DHCP server running on the
                   firewall

                3. the interface has a static IP but is on a LAN segment with
                   lots of DHCP clients.

                4. the interface is a simple bridge[9] with a DHCP server on
                   one port and DHCP clients on another port.

                       Note
                       If you use Shorewall-perl for firewall/bridging[10],
                       then you need to include DHCP-specific rules in
                       shorewall-rules[11](5). DHCP uses UDP ports 67 and 68.

               This option allows DHCP datagrams to enter and leave the
               interface.
255
           forward[={0|1}]
               IPv6 only. Sets the /proc/sys/net/ipv6/conf/interface/forwarding
               option to the specified value. If no value is supplied, then 1
               is assumed.

                   Note
                   This option does not work with a wild-card physical name
                   (e.g., eth0.+). Beginning with Shorewall 5.1.10, if this
                   option is specified, a warning is issued and the option is
                   ignored.
266
           ignore[=1]
               When specified, causes the generated script to ignore up/down
               events from Shorewall-init for this device. Additionally, the
               option exempts the interface from hairpin filtering. When '=1'
               is omitted, the ZONE column must contain '-' and ignore must be
               the only OPTION.

               Beginning with Shorewall 4.5.5, may be specified as 'ignore=1'
               which only causes the generated script to ignore up/down events
               from Shorewall-init; hairpin filtering is still applied. In
               this case, the above restrictions on the ZONE and OPTIONS
               columns are lifted.
279
           loopback
               Added in Shorewall 4.6.6. Designates the interface as the
               loopback interface. This option is assumed if the interface's
               physical name is 'lo'. Only one interface may have the loopback
               option specified.
285
           logmartians[={0|1}]
               IPv4 only. Turn on kernel martian logging (logging of packets
               with impossible source addresses). It is strongly suggested that
               if you set routefilter on an interface that you also set
               logmartians. Even if you do not specify the routefilter option,
               it is a good idea to specify logmartians because your
               distribution may have enabled route filtering without you
               knowing it.

               Only those interfaces with the logmartians option will have
               their setting changed; the value assigned to the setting will
               be the value specified (if any) or 1 if no value is given.

               To find out if route filtering is set on a given interface,
               check the contents of
               /proc/sys/net/ipv4/conf/interface/rp_filter - a non-zero value
               indicates that route filtering is enabled.

               Example:

                           teastep@lists:~$ cat /proc/sys/net/ipv4/conf/eth0/rp_filter
                           1
                           teastep@lists:~$

                   Note
                   This option does not work with a wild-card physical name
                   (e.g., eth0.+). Beginning with Shorewall 5.1.10, if this
                   option is specified, a warning is issued and the option is
                   ignored.
               This option may also be enabled globally in the
               shorewall.conf[8](5) file.
318
           maclist
               Connection requests from this interface are compared against
               the contents of shorewall-maclist[12](5). If this option is
               specified, the interface must be an Ethernet NIC and must be up
               before Shorewall is started.

           mss=number
               Added in Shorewall 4.0.3. Causes forwarded TCP SYN packets
               entering or leaving on this interface to have their MSS field
               set to the specified number.

           nets=(net[,...])
               Limit the zone named in the ZONE column to only the listed
               networks. The parentheses may be omitted if only a single net
               is given (e.g., nets=192.168.1.0/24). Limited broadcast to the
               zone is supported. Beginning with Shorewall 4.4.1, multicast
               traffic to the zone is also supported.

           nets=dynamic
               Defines the zone as dynamic. Requires ipset match support in
               your iptables and kernel. See
               http://www.shorewall.net/Dynamic.html[13] for further
               information.
342
           nodbl
               Added in Shorewall 5.0.8. When specified, dynamic blacklisting
               is disabled on the interface. Beginning with Shorewall 5.0.10,
               nodbl is equivalent to dbl=none.

           nosmurfs
               IPv4 only. Filter packets for smurfs (packets with a broadcast
               address as the source).

               Smurfs will be optionally logged based on the setting of
               SMURF_LOG_LEVEL in shorewall.conf[8](5). After logging, the
               packets are dropped.

           optional
               When optional is specified for an interface, Shorewall will be
               silent when:

               ·   a /proc/sys/net/ipv[46]/conf/ entry for the interface
                   cannot be modified (including for proxy ARP or proxy NDP).

               ·   The first address of the interface cannot be obtained.

               May not be specified with required.
366
           physical=name
               Added in Shorewall 4.4.4. When specified, the interface or port
               name in the INTERFACE column is a logical name that refers to
               the name given in this option. It is useful when you want to
               specify the same wildcard port name on two or more bridges. See
               http://www.shorewall.net/bridge-Shorewall-perl.html#Multiple[14].

               If the interface name is a wildcard name (ends with '+'), then
               the physical name must also end in '+'. The physical name may
               end in '+' (or be exactly '+') when the interface name is not a
               wildcard name.

               If physical is not specified, then its value defaults to the
               interface name.
381
           proxyarp[={0|1}]
               IPv4 only. Sets /proc/sys/net/ipv4/conf/interface/proxy_arp. Do
               NOT use this option if you are employing Proxy ARP through
               entries in shorewall-proxyarp[15](5). This option is intended
               solely for use with Proxy ARP sub-networking as described at:
               http://tldp.org/HOWTO/Proxy-ARP-Subnet/index.html.[16]

                   Note
                   This option does not work with a wild-card physical name
                   (e.g., eth0.+). Beginning with Shorewall 5.1.10, if this
                   option is specified, a warning is issued and the option is
                   ignored.
               Only those interfaces with the proxyarp option will have their
               setting changed; the value assigned to the setting will be the
               value specified (if any) or 1 if no value is given.

           proxyndp[={0|1}]
               IPv6 only. Sets /proc/sys/net/ipv6/conf/interface/proxy_ndp.

                   Note
                   This option does not work with a wild-card physical name
                   (e.g., eth0.+). Beginning with Shorewall 5.1.10, if this
                   option is specified, a warning is issued and the option is
                   ignored.
               Only those interfaces with the proxyndp option will have their
               setting changed; the value assigned to the setting will be the
               value specified (if any) or 1 if no value is given.
409
           required
               Added in Shorewall 4.4.10. If this option is set, the firewall
               will fail to start if the interface is not usable. May not be
               specified together with optional.

           routeback[={0|1}]
               If specified, indicates that Shorewall should include rules
               that allow traffic arriving on this interface to be routed back
               out that same interface. This option is also required when you
               have used a wildcard in the INTERFACE column if you want to
               allow traffic between the interfaces that match the wildcard.

               Beginning with Shorewall 4.4.20, if you specify this option,
               then you should also specify either sfilter (see below) or
               routefilter on all interfaces (see below).

               Beginning with Shorewall 4.5.18, you may specify this option to
               explicitly reset (e.g., routeback=0). This can be used to
               override Shorewall's default setting for bridge devices which
               is routeback=1.
430
           routefilter[={0|1|2}]
               IPv4 only. Turn on kernel route filtering for this interface
               (anti-spoofing measure).

               Only those interfaces with the routefilter option will have
               their setting changed; the value assigned to the setting will
               be the value specified (if any) or 1 if no value is given.

               The value 2 is only available with Shorewall 4.4.5.1 and later
               when the kernel version is 2.6.31 or later. It specifies a
               loose form of reverse path filtering.

                   Note
                   This option does not work with a wild-card physical name
                   (e.g., eth0.+). Beginning with Shorewall 5.1.10, if this
                   option is specified, a warning is issued and the option is
                   ignored.
               This option can also be enabled globally via the ROUTE_FILTER
               option in the shorewall.conf[8](5) file.

                   Important
                   If ROUTE_FILTER=Yes in shorewall.conf[8](5), or if your
                   distribution sets net.ipv4.conf.all.rp_filter=1 in
                   /etc/sysctl.conf, then setting routefilter=0 in an
                   interface entry will not disable route filtering on that
                   interface! The effective setting for an interface is the
                   maximum of the contents of
                   /proc/sys/net/ipv4/conf/all/rp_filter and the routefilter
                   setting specified in this file
                   (/proc/sys/net/ipv4/conf/interface/rp_filter).

                   Note
                   There are certain cases where routefilter cannot be used on
                   an interface:

                   ·   If USE_DEFAULT_RT=Yes in shorewall.conf[8](5) and the
                       interface is listed in shorewall-providers[17](5).

                   ·   If there is an entry for the interface in
                       shorewall-providers[17](5) that doesn't specify the
                       balance option.

                   ·   If IPSEC is used to allow a road-warrior to have a
                       local address, then any interface through which the
                       road-warrior might connect cannot specify routefilter.
               Beginning with Shorewall 5.1.1, when routefilter is set to a
               non-zero value, the logmartians option is also implicitly set.
               If you actually want route filtering without logging, then you
               must also specify logmartians=0 after routefilter.
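               The following is an added example, not code from Shorewall or
               its documentation. It models two rules stated above for
               routefilter and logmartians: the effective rp_filter for an
               interface is the maximum of conf/all/rp_filter and the
               interface's own entry (so routefilter=0 cannot switch filtering
               off when the distribution sets the global value), and, from
               Shorewall 5.1.1, a non-zero routefilter implicitly sets
               logmartians unless logmartians=0 follows it in the OPTIONS list.
               The OPTIONS strings and the global rp_filter value are
               constructed inputs; interfaces that do not specify routefilter
               are assumed to have 0 in their own /proc entry.

```python
# Added example (not Shorewall's code): a model of the routefilter /
# logmartians semantics from shorewall-interfaces(5), run on constructed values.
from typing import Dict, Optional, Tuple


def parse_options(options: Optional[str]) -> Dict[str, Optional[str]]:
    """Parse an OPTIONS column such as 'routefilter,logmartians=0'.
    Insertion order is kept because a later option can override an earlier one."""
    parsed: Dict[str, Optional[str]] = {}
    if options in (None, "", "-"):
        return parsed
    for item in options.split(","):
        name, _, value = item.partition("=")
        parsed[name] = value if value else None
    return parsed


def flag_value(opts: Dict[str, Optional[str]], name: str) -> Optional[int]:
    """Value of a [={0|1}]-style option: None if absent, 1 if given bare."""
    if name not in opts:
        return None
    return 1 if opts[name] is None else int(opts[name])


def requested_settings(options: str,
                       version: Tuple[int, ...] = (5, 1, 1)) -> Tuple[Optional[int], Optional[int]]:
    """Return (routefilter, logmartians) as Shorewall would write them to the
    interface's /proc entries; None means the entry is left untouched.

    From 5.1.1 a non-zero routefilter implicitly sets logmartians, and only a
    logmartians=0 that comes after routefilter in the list turns that off."""
    opts = parse_options(options)
    rf = flag_value(opts, "routefilter")
    lm = flag_value(opts, "logmartians")
    if version >= (5, 1, 1) and rf not in (None, 0):
        names = list(opts)
        explicit_after = ("logmartians" in opts
                          and names.index("logmartians") > names.index("routefilter"))
        if not explicit_after:
            lm = 1
    return rf, lm


def effective_rp_filter(all_rp_filter: int, interface_rp_filter: int) -> int:
    """The kernel applies the larger of conf/all/rp_filter and the interface's own."""
    return max(all_rp_filter, interface_rp_filter)


def audit(interfaces: Dict[str, str], all_rp_filter: int) -> Dict[str, dict]:
    """For each interface (name -> OPTIONS column) report the requested values,
    the effective rp_filter, and a warning when routefilter=0 cannot take effect."""
    report: Dict[str, dict] = {}
    for name, options in interfaces.items():
        rf, lm = requested_settings(options)
        own = rf if rf is not None else 0          # assumed baseline when untouched
        effective = effective_rp_filter(all_rp_filter, own)
        warning = None
        if rf == 0 and effective != 0:
            warning = (f"routefilter=0 on {name} is overridden by "
                       f"net.ipv4.conf.all.rp_filter={all_rp_filter}")
        report[name] = {"routefilter": rf, "logmartians": lm,
                        "effective_rp_filter": effective, "warning": warning}
    return report


# Constructed sample: a distribution that ships net.ipv4.conf.all.rp_filter=1.
SAMPLE_INTERFACES = {
    "eth0": "dhcp,routefilter=0",         # wants no filtering; will not get it
    "eth1": "routefilter,logmartians=0",  # filtering without martian logging
    "eth2": "logmartians=0,routefilter",  # logmartians=0 precedes: logging stays on
    "eth3": "routefilter=2",              # loose reverse-path filtering
}

if __name__ == "__main__":
    for iface, row in audit(SAMPLE_INTERFACES, all_rp_filter=1).items():
        print(iface, row)
```

               Running the audit on the sample prints a warning for eth0 only;
               eth1 ends up with route filtering and no martian logging, while
               eth2 keeps logging because its logmartians=0 precedes
               routefilter.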
480
           rpfilter
               Added in Shorewall 4.5.7. This is an anti-spoofing measure that
               requires the 'RPFilter Match' capability in your iptables and
               kernel. It provides a more efficient alternative to the sfilter
               option below. It performs a function similar to routefilter
               (see above) but works with Multi-ISP configurations that do not
               use balanced routes.

           sfilter=(net[,...])
               Added in Shorewall 4.4.20. This option provides an
               anti-spoofing alternative to routefilter on interfaces where
               that option cannot be used, but where the routeback option is
               required (on a bridge, for example). On these interfaces,
               sfilter should list those local networks that are connected to
               the firewall through other interfaces.

           sourceroute[={0|1}]
               If this option is not specified for an interface, then
               source-routed packets will not be accepted from that interface
               unless it has been explicitly enabled via sysconf. Only set
               this option to 1 (enable source routing) if you know what you
               are doing. This might represent a security risk and is usually
               unneeded.

               Only those interfaces with the sourceroute option will have
               their setting changed; the value assigned to the setting will
               be the value specified (if any) or 1 if no value is given.

                   Note
                   This option does not work with a wild-card physical name
                   (e.g., eth0.+). Beginning with Shorewall 5.1.10, if this
                   option is specified, a warning is issued and the option is
                   ignored.
514
           tcpflags[={0|1}]
               Packets arriving on this interface are checked for certain
               illegal combinations of TCP flags. Packets found to have such a
               combination of flags are handled according to the setting of
               TCP_FLAGS_DISPOSITION after having been logged according to the
               setting of TCP_FLAGS_LOG_LEVEL.

               Beginning with Shorewall 4.6.0, tcpflags=1 is the default. To
               disable this option, specify tcpflags=0.

           unmanaged
               Added in Shorewall 4.5.18. Causes all traffic between the
               firewall and hosts on the interface to be accepted. When this
               option is given:

               ·   The ZONE column must contain '-'.

               ·   Only the following other options are allowed with
                   unmanaged:
                       arp_filter
                       arp_ignore
                       ignore
                       routefilter
                       optional
                       physical
                       routefilter
                       proxyarp
                       proxyudp
                       sourceroute

           upnp
               Incoming requests from this interface may be remapped via UPNP
               (upnpd). See http://www.shorewall.net/UPnP.html[18]. Supported
               in IPv4 and in IPv6 in Shorewall 5.1.4 and later.

           upnpclient
               This option is intended for laptop users who always run
               Shorewall on their system yet need to run UPnP-enabled client
               apps such as Transmission (BitTorrent client). The option
               causes Shorewall to detect the default gateway through the
               interface and to accept UDP packets from that gateway. Note
               that, like all aspects of UPnP, this is a security hole so use
               this option at your own risk. Supported in IPv4 and in IPv6 in
               Shorewall 5.1.4 and later.

           wait=seconds
               Added in Shorewall 4.4.10. Causes the generated script to wait
               up to seconds seconds for the interface to become usable before
               applying the required or optional options.
564

EXAMPLE

       IPv4 Example 1:
           Suppose you have eth0 connected to a DSL modem and eth1 connected
           to your local network and that your local subnet is 192.168.1.0/24.
           The interface gets its IP address via DHCP from subnet
           206.191.149.192/27. You have a DMZ with subnet 192.168.2.0/24 using
           eth2. Your iptables and/or kernel do not support "Address Type
           Match" and you prefer to specify broadcast addresses explicitly
           rather than having Shorewall detect them.

           Your entries for this setup would look like:

               ?FORMAT 1
               #ZONE   INTERFACE BROADCAST        OPTIONS
               net     eth0      206.191.149.223  dhcp
               loc     eth1      192.168.1.255
               dmz     eth2      192.168.2.255

       Example 2:
           The same configuration without specifying broadcast addresses is:

               ?FORMAT 2
               #ZONE   INTERFACE OPTIONS
               net     eth0      dhcp
               loc     eth1
               dmz     eth2

       Example 3:
           You have a simple dial-in system with no Ethernet connections.

               ?FORMAT 2
               #ZONE   INTERFACE OPTIONS
               net     ppp0      -

       Example 4 (Shorewall 4.4.9 and later):
           You have a bridge with no IP address and you want to allow traffic
           through the bridge.

               ?FORMAT 2
               #ZONE   INTERFACE OPTIONS
               -       br0       bridge

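       The following is an added example, not Shorewall's own code: a small
       parser and linter for the file format described on this page. It
       handles the ?FORMAT 1/2 directive and the BROADCAST column, the
       INTERFACE rules (each interface once, a :port only on an interface
       already defined with bridge, and the options forbidden on a port), and
       the OPTIONS rules (optional versus required, the unmanaged and bare
       ignore restrictions, the blacklist warning on multi-zone interfaces,
       nodbl as dbl=none, and the dbl default derived from DYNAMIC_BLACKLIST).
       The sample file, the zone list, the firewall zone name "fw" and the
       DYNAMIC_BLACKLIST value are constructed inputs rather than values read
       from /etc/shorewall; the allowed and forbidden option lists are copied
       as printed above.

```python
# Added example, not Shorewall's own code: parser/linter for the interfaces
# file rules stated in shorewall-interfaces(5). All inputs below are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Options that may not appear when INTERFACE carries a :port (list from the page).
PORT_FORBIDDEN = {"arp_filter", "arp_ignore", "bridge", "log_martians", "mss",
                  "optional", "proxyarp", "required", "routefilter",
                  "sourceroute", "upnp", "wait"}
# Options allowed alongside 'unmanaged' (list copied as printed on the page).
UNMANAGED_ALLOWED = {"arp_filter", "arp_ignore", "ignore", "routefilter", "optional",
                     "physical", "proxyarp", "proxyudp", "sourceroute"}


@dataclass
class Entry:
    zone: str
    interface: str
    port: Optional[str]
    broadcast: Optional[str]
    options: Dict[str, Optional[str]] = field(default_factory=dict)


def parse_options(text: Optional[str]) -> Dict[str, Optional[str]]:
    """'a,b=1' -> {'a': None, 'b': '1'}; '-' or empty means no options."""
    opts: Dict[str, Optional[str]] = {}
    if text in (None, "", "-"):
        return opts
    for item in text.split(","):
        name, _, value = item.partition("=")
        opts[name] = value if value else None
    return opts


def default_dbl(dynamic_blacklist: str) -> str:
    """Default dbl= value derived from DYNAMIC_BLACKLIST, as the page describes."""
    setting = dynamic_blacklist.lower()
    if setting == "no":
        return "none"
    return "src-dst" if "src-dst" in setting else "src"


def lint(text: str, zones: Set[str], fw_zone: str = "fw",
         dynamic_blacklist: str = "No") -> Tuple[List[Entry], List[str]]:
    """Parse an interfaces file; return its entries and a list of rule violations."""
    fmt = 1                                  # FORMAT 1 is the default
    entries: List[Entry] = []
    problems: List[str] = []
    seen: Dict[str, Entry] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("?FORMAT"):
            parts = line.split()
            if len(parts) != 2 or parts[1] not in ("1", "2"):
                problems.append(f"line {lineno}: ?FORMAT takes 1 or 2")
            else:
                fmt = int(parts[1])
            continue
        cols = line.split()
        if len(cols) < 2:
            problems.append(f"line {lineno}: ZONE and INTERFACE are required")
            continue
        zone, spec, rest = cols[0], cols[1], cols[2:]
        broadcast = rest.pop(0) if fmt == 1 and rest else None   # FORMAT 1 only
        iface, _, port = spec.partition(":")
        e = Entry(zone, iface, port or None, broadcast,
                  parse_options(rest[0] if rest else None))
        o = e.options
        if zone == fw_zone:
            problems.append(f"line {lineno}: the firewall zone may not be listed in ZONE")
        elif zone != "-" and zone not in zones:
            problems.append(f"line {lineno}: zone {zone!r} is not declared in zones")
        if spec in seen:
            problems.append(f"line {lineno}: {spec} is listed more than once")
        seen[spec] = e
        if port:                             # bridge port: parent must already be a bridge
            parent = seen.get(iface)
            if parent is None or "bridge" not in parent.options:
                problems.append(f"line {lineno}: {iface} must be defined earlier with the bridge option")
            for bad in sorted(PORT_FORBIDDEN & set(o)):
                problems.append(f"line {lineno}: option {bad} is not allowed on a bridge port")
        if "optional" in o and "required" in o:
            problems.append(f"line {lineno}: optional and required are mutually exclusive")
        if "unmanaged" in o:
            extra = sorted(set(o) - UNMANAGED_ALLOWED - {"unmanaged"})
            if zone != "-" or extra:
                problems.append(f"line {lineno}: unmanaged requires ZONE '-' and forbids {extra}")
        if "ignore" in o and o["ignore"] is None and (zone != "-" or len(o) != 1):
            problems.append(f"line {lineno}: bare ignore requires ZONE '-' and must be the only option")
        if "blacklist" in o and zone == "-":
            problems.append(f"line {lineno}: WARNING: The 'blacklist' option is ignored on multi-zone interfaces")
        if "nodbl" in o:                     # nodbl is equivalent to dbl=none (5.0.10+)
            o["dbl"] = "none"
        o.setdefault("dbl", default_dbl(dynamic_blacklist))
        entries.append(e)
    return entries, problems


# Constructed sample: a bridge with two ports plus three deliberately wrong lines.
SAMPLE = """\
?FORMAT 2
#ZONE   INTERFACE OPTIONS
net     eth0      dhcp,routefilter,optional
loc     eth1      nets=192.168.1.0/24
-       br0       bridge
loc     br0:eth2  -
dmz     br0:eth3  routefilter
fw      eth4      -
-       eth5      ignore,dhcp
"""

if __name__ == "__main__":
    found, issues = lint(SAMPLE, zones={"net", "loc", "dmz"})
    print(f"{len(found)} entries, {len(issues)} problems")
    for issue in issues:
        print(issue)
```

       On the sample the linter reports three problems: routefilter on the
       bridge port br0:eth3, the firewall zone on eth4, and a bare ignore
       combined with dhcp on eth5. The first three examples above parse
       cleanly, including the FORMAT 1 file with its BROADCAST column.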

FILES

       /etc/shorewall/interfaces

       /etc/shorewall6/interfaces


SEE ALSO

       http://www.shorewall.net/configuration_file_basics.htm#Pairs[19]

       shorewall(8)


NOTES

        1. shorewall-hosts
           http://www.shorewall.net/manpages/shorewall-hosts.html

        2. http://www.shorewall.net/FAQ.htm#faq18
           http://www.shorewall.net/FAQ.htm#faq18

        3. shorewall-nesting
           http://www.shorewall.net/manpages/shorewall-nesting.html

        4. shorewall6-zones
           http://www.shorewall.net/manpages6/shorewall6-zones.html

        5. Proxy ARP
           http://www.shorewall.net/ProxyARP.htm

        6. shorewall-blacklist
           http://www.shorewall.net/manpages/shorewall-blacklist.html

        7. shorewall-zones
           http://www.shorewall.net/manpages/shorewall-zones.html

        8. shorewall.conf(5)
           http://www.shorewall.net/manpages/shorewall.conf.html

        9. simple bridge
           http://www.shorewall.net/SimpleBridge.html

       10. Shorewall-perl for firewall/bridging
           http://www.shorewall.net/bridge-Shorewall-perl.html

       11. shorewall-rules
           http://www.shorewall.net/manpages/shorewall-rules.html

       12. shorewall-maclist
           http://www.shorewall.net/manpages/shorewall-maclist.html

       13. http://www.shorewall.net/Dynamic.html
           http://www.shorewall.net/Dynamic.html

       14. http://www.shorewall.net/bridge-Shorewall-perl.html#Multiple
           http://www.shorewall.net/bridge-Shorewall-perl.html#Multiple

       15. shorewall-proxyarp
           http://www.shorewall.net/manpages/shorewall-proxyarp.html

       16. http://tldp.org/HOWTO/Proxy-ARP-Subnet/index.html.
           http://tldp.org/HOWTO/Proxy-ARP-Subnet/index.html

       17. shorewall-providers
           http://www.shorewall.net/manpages/shorewall-providers.html

       18. http://www.shorewall.net/UPnP.html
           http://www.shorewall.net/UPnP.html

       19. http://www.shorewall.net/configuration_file_basics.htm#Pairs
           http://www.shorewall.net/configuration_file_basics.htm#Pairs



Configuration Files               01/17/2019            SHOREWALL-INTERFACE(5)