SHOREWALL-ARPRULES(5)         Configuration Files         SHOREWALL-ARPRULES(5)

arprules - Shorewall ARP rules file

/etc/shorewall/arprules

IPv4 only.

This file was added in Shorewall 4.5.12 and is used to describe
low-level rules managed by arptables(8). These rules only affect
Address Resolution Protocol (ARP), Reverse Address Resolution Protocol
(RARP) and Dynamic Reverse Address Resolution Protocol (DRARP) frames.

The columns in the file are as shown below. MAC addresses are specified
normally (6 hexadecimal numbers separated by colons).

ACTION
    Describes the action to take when a frame matches the criteria in
    the other columns. Possible values are:

    ACCEPT
        This is the default action if no rule matches a frame; it lets
        the frame go through.

    DROP
        Causes the frame to be dropped.

    SNAT:ip-address
        Modifies the source IP address to the specified ip-address.

    DNAT:ip-address
        Modifies the destination IP address to the specified
        ip-address.

    SMAT:mac-address
        Modifies the source MAC address to the specified mac-address.

    DMAT:mac-address
        Modifies the destination MAC address to the specified
        mac-address.

    SNATC:ip-address
        Like SNAT except that the frame is then passed to the next
        rule.

    DNATC:ip-address
        Like DNAT except that the frame is then passed to the next
        rule.

    SMATC:mac-address
        Like SMAT except that the frame is then passed to the next
        rule.

    DMATC:mac-address
        Like DMAT except that the frame is then passed to the next
        rule.

SOURCE - [interface[:[!]ipaddress[/ipmask][:[!]macaddress[/macmask]]]]
    Where

    interface
        Is an interface defined in shorewall-interfaces(5).

    ipaddress
        Is an IPv4 address. DNS names are not allowed.

    ipmask
        Specifies a mask to be applied to ipaddress.

    macaddress
        The source MAC address.

    macmask
        Mask for MAC address; must be specified as 6 hexadecimal
        numbers separated by colons.

    When '!' is specified, the test is inverted.

    If not specified, matches only frames originating on the firewall
    itself.

    Caution
        Either SOURCE or DEST must be specified.

DEST - [interface[:[!]ipaddress[/ipmask][:[!]macaddress[/macmask]]]]
    Where

    interface
        Is an interface defined in shorewall-interfaces(5).

    ipaddress
        Is an IPv4 address. DNS names are not allowed.

    ipmask
        Specifies a mask to be applied to frame addresses.

    macaddress
        The destination MAC address.

    macmask
        Mask for MAC address; must be specified as 6 hexadecimal
        numbers separated by colons.

    When '!' is specified, the test is inverted and the rule matches
    frames which do not match the specified address/mask.

    If not specified, matches only frames originating on the firewall
    itself.

    If both SOURCE and DEST are specified, then both interfaces must be
    bridge ports on the same bridge.

    Caution
        Either SOURCE or DEST must be specified.

OPCODE - [[!]opcode]
    Optional. Describes the type of frame. Possible opcode values are:

    1
        ARP Request

    2
        ARP Reply

    3
        RARP Request

    4
        RARP Reply

    5
        Dynamic RARP Request

    6
        Dynamic RARP Reply

    7
        Dynamic RARP Error

    8
        InARP Request

    9
        ARP NAK

    When '!' is specified, the test is inverted and the rule matches
    frames which do not match the specified opcode.

The eth1 interface has both a public IP address and a private address
(10.1.10.11/24). When sending ARP requests to 10.1.10.0/24, use the
private address as the IP source:

    #ACTION             SOURCE      DEST                    ARP OPCODE
    SNAT:10.1.10.11     -           eth1:10.1.10.0/24       1

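The column grammar described above can be checked mechanically before a rule set is compiled. The following Python linter is an added example, not part of Shorewall; the function names, the treatment of "-" as an omitted column (as in the rule above) and the caller-supplied interface set standing in for shorewall-interfaces(5) are assumptions.

```python
import ipaddress
import re

HEX = r"[0-9A-Fa-f]{1,2}"
MAC = rf"{HEX}(?::{HEX}){{5}}"        # 6 hexadecimal numbers separated by colons
# interface[:[!]ipaddress[/ipmask][:[!]macaddress[/macmask]]]
ENDPOINT = re.compile(
    rf"(?P<iface>[^:!/]+)"
    rf"(?::!?(?P<ip>[^:/]+)(?:/(?P<ipmask>[^:]+))?"
    rf"(?::!?(?P<mac>{MAC})(?:/(?P<macmask>{MAC}))?)?)?")
IP_ACTIONS = {"SNAT", "DNAT", "SNATC", "DNATC"}
MAC_ACTIONS = {"SMAT", "DMAT", "SMATC", "DMATC"}

def is_ipv4(addr, mask=None):
    """True for a literal IPv4 address (optionally masked); DNS names fail."""
    try:
        ipaddress.IPv4Network(f"{addr}/{mask or 32}", strict=False)
        return True
    except ValueError:
        return False

def check_rule(line, interfaces):
    """Return the problems found in one arprules line; empty list means OK."""
    cols = line.split("#", 1)[0].split()
    if not cols:
        return []                      # blank or comment-only line
    # Assumption: trailing columns may be omitted and "-" means "not specified".
    action, source, dest, opcode = (cols + ["-"] * 3)[:4]
    errors = []
    verb, _, arg = action.partition(":")
    if verb in IP_ACTIONS and not is_ipv4(arg):
        errors.append(f"ACTION: {verb} needs an IPv4 address, got '{arg}'")
    elif verb in MAC_ACTIONS and not re.fullmatch(MAC, arg):
        errors.append(f"ACTION: {verb} needs a MAC address, got '{arg}'")
    elif verb not in IP_ACTIONS | MAC_ACTIONS and action not in ("ACCEPT", "DROP"):
        errors.append(f"ACTION: unknown action '{action}'")
    if source == "-" and dest == "-":
        errors.append("either SOURCE or DEST must be specified")
    for name, spec in (("SOURCE", source), ("DEST", dest)):
        m = ENDPOINT.fullmatch(spec) if spec != "-" else None
        if spec != "-" and not m:
            errors.append(f"{name}: malformed '{spec}'")
        elif m and m["iface"] not in interfaces:
            errors.append(f"{name}: unknown interface '{m['iface']}'")
        elif m and m["ip"] and not is_ipv4(m["ip"], m["ipmask"]):
            errors.append(f"{name}: '{m['ip']}' is not an IPv4 address/mask")
    if opcode != "-" and not re.fullmatch(r"!?[1-9]", opcode):
        errors.append(f"OPCODE: '{opcode}' is not one of 1-9")
    return errors
```

The check that both SOURCE and DEST interfaces are ports on the same bridge needs the live bridge configuration and is not attempted here.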
/etc/shorewall/arprules

shorewall(8)

Configuration Files              01/15/2020              SHOREWALL-ARPRULES(5)