SHOREWALL-INTERFACE(5)        Configuration Files        SHOREWALL-INTERFACE(5)

NAME
   interfaces - Shorewall interfaces file

SYNOPSIS
   /etc/shorewall[6]/interfaces

DESCRIPTION
   The interfaces file serves to define the firewall's network interfaces
   to Shorewall. The order of entries in this file is not significant in
   determining zone composition.

   Beginning with Shorewall 4.5.3, the interfaces file supports two
   different formats:

   FORMAT 1 (default - deprecated)
       There is a BROADCAST column which can be used to specify the
       broadcast address associated with the interface.

   FORMAT 2
       The BROADCAST column is omitted.

   The format is specified by a line as follows:

       ?FORMAT {1|2}

   The columns in the file are as follows.
   ZONE - zone-name
       Zone for this interface. Must match the name of a zone declared in
       /etc/shorewall/zones. You may not list the firewall zone in this
       column.

       If the interface serves multiple zones that will be defined in the
       shorewall-hosts[1](5) file, you should place "-" in this column.

       If there are multiple interfaces to the same zone, you must list
       them in separate entries.

       Example:

           #ZONE   INTERFACE   BROADCAST
           loc     eth1        -
           loc     eth2        -

   INTERFACE - interface[:port]
       Logical name of interface. Each interface may be listed only once
       in this file. You may NOT specify the name of a "virtual" interface
       (e.g., eth0:0) here; see https://shorewall.org/FAQ.htm#faq18[2]. If
       the physical option is not specified, then the logical name is also
       the name of the actual interface.

       You may use wildcards here by specifying a prefix followed by the
       plus sign ("+"). For example, if you want to make an entry that
       applies to all PPP interfaces, use 'ppp+'; that would match ppp0,
       ppp1, ppp2, ...

       When using Shorewall versions before 4.1.4, care must be exercised
       when using wildcards where there is another zone that uses a
       matching specific interface. See shorewall-nesting[3](5) for a
       discussion of this problem.

       Shorewall allows '+' as an interface name, but that usage is
       deprecated. A better approach is to specify 'physical=+' in the
       OPTIONS column (see below).

       There is no need to define the loopback interface (lo) in this
       file.

       If a port is given, then the interface must have been defined
       previously with the bridge option. The OPTIONS column may not
       contain the following options when a port is given:

           arp_filter
           arp_ignore
           bridge
           logmartians
           mss
           optional
           proxyarp
           required
           routefilter
           sourceroute
           upnp
           wait

       Beginning with Shorewall 4.5.17, if you specify a zone for the 'lo'
       interface, then that zone must be defined as type local in
       shorewall6-zones[4](5).

   BROADCAST (Optional) - {-|detect|address[,address]...}
       Only available if FORMAT 1.

       If you use the special value detect, Shorewall will detect the
       broadcast address(es) for you if your iptables and kernel include
       Address Type Match support.

       If your iptables and/or kernel lack Address Type Match support then
       you may list the broadcast address(es) for the network(s) to which
       the interface belongs. For P-T-P interfaces, this column is left
       blank. If the interface has multiple addresses on multiple subnets
       then list the broadcast addresses as a comma-separated list.

       If you don't want to give a value for this column but you want to
       enter a value in the OPTIONS column, enter - in this column.

   OPTIONS (Optional) - [option[,option]...]
       A comma-separated list of options from the following list. The
       order in which you list the options is not significant but the list
       should have no embedded white-space.

       accept_ra[={0|1|2}]
           IPv6 only; added in Shorewall 4.5.16. Values are:

           0
               Do not accept Router Advertisements.

           1
               Accept Router Advertisements if forwarding is disabled.

           2
               Overrule forwarding behavior. Accept Router Advertisements
               even if forwarding is enabled.

           If the option is specified without a value, then the value 1 is
           assumed.

           Note
               This option does not work with a wild-card physical name
               (e.g., eth0.+). Beginning with Shorewall 5.1.10, if this
               option is specified for such an interface, a warning is
               issued and the option is ignored.

       arp_filter[={0|1}]
           IPv4 only. If specified, this interface will only respond to
           ARP who-has requests for IP addresses configured on the
           interface. If not specified, the interface can respond to ARP
           who-has requests for IP addresses on any of the firewall's
           interfaces. The interface must be up when Shorewall is started.

           Only those interfaces with the arp_filter option will have
           their setting changed; the value assigned to the setting will
           be the value specified (if any) or 1 if no value is given.

           Note
               This option does not work with a wild-card physical name
               (e.g., eth0.+). Beginning with Shorewall 5.1.10, if this
               option is specified for such an interface, a warning is
               issued and the option is ignored.

       arp_ignore[=number]
           IPv4 only. If specified, this interface will respond to ARP
           requests based on the value of number (defaults to 1).

           1 - reply only if the target IP address is a local address
           configured on the incoming interface

           2 - reply only if the target IP address is a local address
           configured on the incoming interface and the sender's IP
           address is in the same subnet as this interface's address

           3 - do not reply for local addresses configured with scope
           host, only resolutions for global and link

           4-7 - reserved

           8 - do not reply for all local addresses

           Note
               This option does not work with a wild-card physical name
               (e.g., eth0.+). Beginning with Shorewall 5.1.10, if this
               option is specified for such an interface, a warning is
               issued and the option is ignored.

           Warning
               Do not specify arp_ignore for any interface involved in
               Proxy ARP[5].

       blacklist
           Checks packets arriving on this interface against the
           shorewall-blacklist[6](5) file.

           Beginning with Shorewall 4.4.13:

           · If a zone is given in the ZONE column, then the behavior
             is as if blacklist had been specified in the IN_OPTIONS
             column of shorewall-zones[4](5).

           · Otherwise, the option is ignored with a warning: WARNING:
             The 'blacklist' option is ignored on multi-zone interfaces

       bridge
           Designates the interface as a bridge. Beginning with Shorewall
           4.4.7, setting this option also sets routeback.

           Note
               If you have a bridge that you don't intend to define bport
               zones on, then it is best to omit this option and simply
               specify routeback.

       dbl={none|src|dst|src-dst}
           Added in Shorewall 5.0.10. This option defines whether or not
           dynamic blacklisting is applied to packets entering the
           firewall through this interface and whether the source address
           and/or destination address is to be compared against the
           ipset-based dynamic blacklist (DYNAMIC_BLACKLIST=ipset... in
           shorewall.conf(5)[7]). The default is determined by the setting
           of DYNAMIC_BLACKLIST:

           DYNAMIC_BLACKLIST=No
               Default is none (i.e., no dynamic blacklist checking).

           DYNAMIC_BLACKLIST=Yes
               Default is src (i.e., the source IP address is checked).

           DYNAMIC_BLACKLIST=ipset[-only]
               Default is src.

           DYNAMIC_BLACKLIST=ipset[-only],src-dst...
               Default is src-dst (i.e., the source IP address is
               checked against the ipset on input and the destination IP
               address is checked against the ipset on packets originating
               from the firewall and leaving through this interface).

           The normal setting for this option will be dst or none for
           internal interfaces and src or src-dst for Internet-facing
           interfaces.

       destonly
           Added in Shorewall 4.5.17. Causes the compiler to omit rules to
           handle traffic from this interface.

       dhcp
           Specify this option when any of the following are true:

           1. the interface gets its IP address via DHCP

           2. the interface is used by a DHCP server running on the
              firewall

           3. the interface has a static IP but is on a LAN segment with
              lots of DHCP clients.

           4. the interface is a simple bridge[8] with a DHCP server on
              one port and DHCP clients on another port.

              Note
                  If you use Shorewall-perl for firewall/bridging[9],
                  then you need to include DHCP-specific rules in
                  shorewall-rules[10](5). DHCP uses UDP ports 67 and 68.

           This option allows DHCP datagrams to enter and leave the
           interface.

       forward[={0|1}]
           IPv6 only. Sets the /proc/sys/net/ipv6/conf/interface/forwarding
           option to the specified value. If no value is supplied, then 1
           is assumed.

           Note
               This option does not work with a wild-card physical name
               (e.g., eth0.+). Beginning with Shorewall 5.1.10, if this
               option is specified for such an interface, a warning is
               issued and the option is ignored.

       ignore[=1]
           When specified, causes the generated script to ignore up/down
           events from Shorewall-init for this device. Additionally, the
           option exempts the interface from hairpin filtering. When '=1'
           is omitted, the ZONE column must contain '-' and ignore must be
           the only OPTION.

           Beginning with Shorewall 4.5.5, the option may be specified as
           'ignore=1', which only causes the generated script to ignore
           up/down events from Shorewall-init; hairpin filtering is still
           applied. In this case, the above restrictions on the ZONE and
           OPTIONS columns are lifted.

       loopback
           Added in Shorewall 4.6.6. Designates the interface as the
           loopback interface. This option is assumed if the interface's
           physical name is 'lo'. Only one interface may have the loopback
           option specified.

       logmartians[={0|1}]
           IPv4 only. Turn on kernel martian logging (logging of packets
           with impossible source addresses). It is strongly suggested that
           if you set routefilter on an interface that you also set
           logmartians. Even if you do not specify the routefilter option,
           it is a good idea to specify logmartians because your
           distribution may have enabled route filtering without you
           knowing it.

           Only those interfaces with the logmartians option will have
           their setting changed; the value assigned to the setting will
           be the value specified (if any) or 1 if no value is given.

           To find out if route filtering is set on a given interface,
           check the contents of
           /proc/sys/net/ipv4/conf/interface/rp_filter - a non-zero value
           indicates that route filtering is enabled.

           Example:

               teastep@lists:~$ cat /proc/sys/net/ipv4/conf/eth0/rp_filter
               1
               teastep@lists:~$

           Note
               This option does not work with a wild-card physical name
               (e.g., eth0.+). Beginning with Shorewall 5.1.10, if this
               option is specified for such an interface, a warning is
               issued and the option is ignored.

           This option may also be enabled globally in the
           shorewall.conf[7](5) file.

       maclist
           Connection requests from this interface are compared against
           the contents of shorewall-maclist[11](5). If this option is
           specified, the interface must be an Ethernet NIC and must be up
           before Shorewall is started.

       mss=number
           Added in Shorewall 4.0.3. Causes forwarded TCP SYN packets
           entering or leaving on this interface to have their MSS field
           set to the specified number.

       nets=(net[,...])
           Limit the zone named in the ZONE column to only the listed
           networks. The parentheses may be omitted if only a single net
           is given (e.g., nets=192.168.1.0/24). Limited broadcast to the
           zone is supported. Beginning with Shorewall 4.4.1, multicast
           traffic to the zone is also supported.

       nets=dynamic
           Defines the zone as dynamic. Requires ipset match support in
           your iptables and kernel. See
           https://shorewall.org/Dynamic.html[12] for further information.

       nodbl
           Added in Shorewall 5.0.8. When specified, dynamic blacklisting
           is disabled on the interface. Beginning with Shorewall 5.0.10,
           nodbl is equivalent to dbl=none.

       nosmurfs
           IPv4 only. Filter packets for smurfs (packets with a broadcast
           address as the source).

           Smurfs will be optionally logged based on the setting of
           SMURF_LOG_LEVEL in shorewall.conf[7](5). After logging, the
           packets are dropped.

       optional
           This option indicates that the firewall should be able to
           start, even if the interface is not usable for handling
           traffic. It allows use of the enable and disable commands on
           the interface.

           When optional is specified for an interface, Shorewall will be
           silent when:

           · a /proc/sys/net/ipv[46]/conf/ entry for the interface
             cannot be modified (including for proxy ARP or proxy NDP).

           · The first address of the interface cannot be obtained.

           · The gateway of the interface cannot be obtained (provider
             interface).

           · The interface has been disabled using the disable command.

           May not be specified with required.

       physical=name
           Added in Shorewall 4.4.4. When specified, the interface or port
           name in the INTERFACE column is a logical name that refers to
           the name given in this option. It is useful when you want to
           specify the same wildcard port name on two or more bridges. See
           https://shorewall.org/bridge-Shorewall-perl.html#Multiple[13].

           If the interface name is a wildcard name (ends with '+'), then
           the physical name must also end in '+'. The physical name may
           end in '+' (or be exactly '+') when the interface name is not a
           wildcard name.

           If physical is not specified, then its value defaults to the
           interface name.

       proxyarp[={0|1}]
           IPv4 only. Sets /proc/sys/net/ipv4/conf/interface/proxy_arp. Do
           NOT use this option if you are employing Proxy ARP through
           entries in shorewall-proxyarp[14](5). This option is intended
           solely for use with Proxy ARP sub-networking as described at:
           http://tldp.org/HOWTO/Proxy-ARP-Subnet/index.html.[15]

           Note
               This option does not work with a wild-card physical name
               (e.g., eth0.+). Beginning with Shorewall 5.1.10, if this
               option is specified for such an interface, a warning is
               issued and the option is ignored.

           Only those interfaces with the proxyarp option will have their
           setting changed; the value assigned to the setting will be the
           value specified (if any) or 1 if no value is given.

       proxyndp[={0|1}]
           IPv6 only. Sets /proc/sys/net/ipv6/conf/interface/proxy_ndp.

           Note
               This option does not work with a wild-card physical name
               (e.g., eth0.+). Beginning with Shorewall 5.1.10, if this
               option is specified for such an interface, a warning is
               issued and the option is ignored.

           Only those interfaces with the proxyndp option will have their
           setting changed; the value assigned to the setting will be the
           value specified (if any) or 1 if no value is given.

       required
           Added in Shorewall 4.4.10. If this option is set, the firewall
           will fail to start if the interface is not usable. May not be
           specified together with optional.

       routeback[={0|1}]
           If specified, indicates that Shorewall should include rules
           that allow traffic arriving on this interface to be routed back
           out that same interface. This option is also required when you
           have used a wildcard in the INTERFACE column if you want to
           allow traffic between the interfaces that match the wildcard.

           Beginning with Shorewall 4.4.20, if you specify this option,
           then you should also specify either sfilter (see below) or
           routefilter on all interfaces (see below).

           Beginning with Shorewall 4.5.18, you may specify this option to
           explicitly reset it (e.g., routeback=0). This can be used to
           override Shorewall's default setting for bridge devices, which
           is routeback=1.

       routefilter[={0|1|2}]
           IPv4 only. Turn on kernel route filtering for this interface
           (anti-spoofing measure).

           Only those interfaces with the routefilter option will have
           their setting changed; the value assigned to the setting will
           be the value specified (if any) or 1 if no value is given.

           The value 2 is only available with Shorewall 4.4.5.1 and later
           when the kernel version is 2.6.31 or later. It specifies a
           loose form of reverse path filtering.

           Note
               This option does not work with a wild-card physical name
               (e.g., eth0.+). Beginning with Shorewall 5.1.10, if this
               option is specified for such an interface, a warning is
               issued and the option is ignored.

           This option can also be enabled globally via the ROUTE_FILTER
           option in the shorewall.conf[7](5) file.

           Important
               If ROUTE_FILTER=Yes in shorewall.conf[7](5), or if your
               distribution sets net.ipv4.conf.all.rp_filter=1 in
               /etc/sysctl.conf, then setting routefilter=0 in an
               interface entry will not disable route filtering on that
               interface! The effective setting for an interface is the
               maximum of the contents of
               /proc/sys/net/ipv4/conf/all/rp_filter and the routefilter
               setting specified in this file
               (/proc/sys/net/ipv4/conf/interface/rp_filter).

           Note
               There are certain cases where routefilter cannot be used on
               an interface:

               · If USE_DEFAULT_RT=Yes in shorewall.conf[7](5) and the
                 interface is listed in shorewall-providers[16](5).

               · If there is an entry for the interface in
                 shorewall-providers[16](5) that doesn't specify the
                 balance option.

               · If IPSEC is used to allow a road-warrior to have a
                 local address, then any interface through which the
                 road-warrior might connect cannot specify routefilter.

           Beginning with Shorewall 5.1.1, when routefilter is set to a
           non-zero value, the logmartians option is also implicitly set.
           If you actually want route filtering without logging, then you
           must also specify logmartians=0 after routefilter.

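           The "effective setting is the maximum" rule from the Important
           note above, worked through as an added example (not part of
           Shorewall): it reads both rp_filter knobs for an interface and
           reports which one decides the result. /proc/sys/net/ipv4/conf is
           the real path; the temporary directory is a constructed stand-in
           so the script also runs where that tree is not available.

```python
"""Added example (not part of Shorewall): reports the reverse-path-filter
setting that is actually in force for an interface, using the rule from the
routefilter note: effective = max(conf/all/rp_filter, conf/<iface>/rp_filter)."""
import os
import tempfile

PROC_IPV4_CONF = "/proc/sys/net/ipv4/conf"  # the real location on Linux


def read_rp_filter(name, procdir=PROC_IPV4_CONF):
    """Return the integer rp_filter value (0, 1 or 2) under conf/<name>."""
    with open(os.path.join(procdir, name, "rp_filter")) as fh:
        return int(fh.read().strip())


def effective_rp_filter(iface, procdir=PROC_IPV4_CONF):
    """The kernel applies the maximum of the 'all' knob and the per-interface knob."""
    return max(read_rp_filter("all", procdir), read_rp_filter(iface, procdir))


def explain(iface, procdir=PROC_IPV4_CONF):
    """One-line summary naming the knob that decides the effective setting."""
    all_value = read_rp_filter("all", procdir)
    iface_value = read_rp_filter(iface, procdir)
    effective = max(all_value, iface_value)
    mode = {0: "disabled", 1: "strict", 2: "loose"}.get(effective, "unknown")
    decided_by = "conf/all/rp_filter" if all_value > iface_value else f"conf/{iface}/rp_filter"
    return f"{iface}: rp_filter effective={effective} ({mode}), decided by {decided_by}"


def make_fake_procdir(values):
    """Constructed stand-in for /proc/sys/net/ipv4/conf so the example runs offline;
    values maps 'all' and interface names to the rp_filter contents to write."""
    root = tempfile.mkdtemp(prefix="rp_filter_demo_")
    for name, value in values.items():
        os.makedirs(os.path.join(root, name))
        with open(os.path.join(root, name, "rp_filter"), "w") as fh:
            fh.write(f"{value}\n")
    return root


if __name__ == "__main__":
    # The distribution set net.ipv4.conf.all.rp_filter=1; the interfaces file
    # gave eth0 routefilter=2 and eth1 routefilter=0.
    demo = make_fake_procdir({"all": 1, "eth0": 2, "eth1": 0})
    print(explain("eth0", demo))  # loose: the per-interface 2 exceeds all=1
    print(explain("eth1", demo))  # still strict: all=1 overrides routefilter=0
```

           Run it against the live tree with explain("eth0") to confirm
           what a routefilter=0 entry actually achieved on a given host.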
       rpfilter
           Added in Shorewall 4.5.7. This is an anti-spoofing measure that
           requires the 'RPFilter Match' capability in your iptables and
           kernel. It provides a more efficient alternative to the sfilter
           option below. It performs a function similar to routefilter
           (see above) but works with Multi-ISP configurations that do not
           use balanced routes.

       sfilter=(net[,...])
           Added in Shorewall 4.4.20. This option provides an
           anti-spoofing alternative to routefilter on interfaces where
           that option cannot be used, but where the routeback option is
           required (on a bridge, for example). On these interfaces,
           sfilter should list those local networks that are connected to
           the firewall through other interfaces.

       sourceroute[={0|1}]
           If this option is not specified for an interface, then
           source-routed packets will not be accepted from that interface
           unless it has been explicitly enabled via sysconf. Only set
           this option to 1 (enable source routing) if you know what you
           are doing. This might represent a security risk and is usually
           unneeded.

           Only those interfaces with the sourceroute option will have
           their setting changed; the value assigned to the setting will
           be the value specified (if any) or 1 if no value is given.

           Note
               This option does not work with a wild-card physical name
               (e.g., eth0.+). Beginning with Shorewall 5.1.10, if this
               option is specified for such an interface, a warning is
               issued and the option is ignored.

       tcpflags[={0|1}]
           Packets arriving on this interface are checked for certain
           illegal combinations of TCP flags. Packets found to have such a
           combination of flags are handled according to the setting of
           TCP_FLAGS_DISPOSITION after having been logged according to the
           setting of TCP_FLAGS_LOG_LEVEL.

           Beginning with Shorewall 4.6.0, tcpflags=1 is the default. To
           disable this option, specify tcpflags=0.

       unmanaged
           Added in Shorewall 4.5.18. Causes all traffic between the
           firewall and hosts on the interface to be accepted. When this
           option is given:

           · The ZONE column must contain '-'.

           · Only the following other options are allowed with
             unmanaged:

                 arp_filter
                 arp_ignore
                 ignore
                 routefilter
                 optional
                 physical
                 proxyarp
                 proxyndp
                 sourceroute

       upnp
           Incoming requests from this interface may be remapped via UPnP
           (upnpd). See https://shorewall.org/UPnP.html[17]. Supported in
           IPv4 and in IPv6 in Shorewall 5.1.4 and later.

       upnpclient
           This option is intended for laptop users who always run
           Shorewall on their system yet need to run UPnP-enabled client
           apps such as Transmission (BitTorrent client). The option
           causes Shorewall to detect the default gateway through the
           interface and to accept UDP packets from that gateway. Note
           that, like all aspects of UPnP, this is a security hole so use
           this option at your own risk. Supported in IPv4 and in IPv6 in
           Shorewall 5.1.4 and later.

       wait=seconds
           Added in Shorewall 4.4.10. Causes the generated script to wait
           up to seconds seconds for the interface to become usable before
           applying the required or optional options.

EXAMPLE
   IPv4 Example 1:
       Suppose you have eth0 connected to a DSL modem and eth1 connected
       to your local network and that your local subnet is 192.168.1.0/24.
       The eth0 interface gets its IP address via DHCP from subnet
       206.191.149.192/27. You have a DMZ with subnet 192.168.2.0/24 using
       eth2. Your iptables and/or kernel do not support "Address Type
       Match" and you prefer to specify broadcast addresses explicitly
       rather than having Shorewall detect them.

       Your entries for this setup would look like:

           ?FORMAT 1
           #ZONE   INTERFACE   BROADCAST         OPTIONS
           net     eth0        206.191.149.223   dhcp
           loc     eth1        192.168.1.255
           dmz     eth2        192.168.2.255

   Example 2:
       The same configuration without specifying broadcast addresses is:

           ?FORMAT 2
           #ZONE   INTERFACE   OPTIONS
           net     eth0        dhcp
           loc     eth1
           dmz     eth2

   Example 3:
       You have a simple dial-in system with no Ethernet connections.

           ?FORMAT 2
           #ZONE   INTERFACE   OPTIONS
           net     ppp0        -

   Example 4 (Shorewall 4.4.9 and later):
       You have a bridge with no IP address and you want to allow traffic
       through the bridge.

           ?FORMAT 2
           #ZONE   INTERFACE   OPTIONS
           -       br0         bridge

FILES
   /etc/shorewall/interfaces

   /etc/shorewall6/interfaces

SEE ALSO
   https://shorewall.org/configuration_file_basics.htm#Pairs[18]

   shorewall(8)

NOTES
    1. shorewall-hosts
       https://shorewall.org/manpages/shorewall-hosts.html

    2. https://shorewall.org/FAQ.htm#faq18
       https://shorewall.org/FAQ.htm#faq18

    3. shorewall-nesting
       https://shorewall.org/manpages/shorewall-nesting.html

    4. shorewall6-zones
       https://shorewall.org/manpages/shorewall-zones.html

    5. Proxy ARP
       https://shorewall.org/ProxyARP.htm

    6. shorewall-blacklist
       https://shorewall.org/manpages/shorewall-blacklist.html

    7. shorewall.conf(5)
       https://shorewall.org/manpages/shorewall.conf.html

    8. simple bridge
       https://shorewall.org/SimpleBridge.html

    9. Shorewall-perl for firewall/bridging
       https://shorewall.org/bridge-Shorewall-perl.html

   10. shorewall-rules
       https://shorewall.org/manpages/shorewall-rules.html

   11. shorewall-maclist
       https://shorewall.org/manpages/shorewall-maclist.html

   12. https://shorewall.org/Dynamic.html
       https://shorewall.org/Dynamic.html

   13. https://shorewall.org/bridge-Shorewall-perl.html#Multiple
       https://shorewall.org/bridge-Shorewall-perl.html#Multiple

   14. shorewall-proxyarp
       https://shorewall.org/manpages/shorewall-proxyarp.html

   15. http://tldp.org/HOWTO/Proxy-ARP-Subnet/index.html.
       http://tldp.org/HOWTO/Proxy-ARP-Subnet/index.html

   16. shorewall-providers
       https://shorewall.org/manpages/shorewall-providers.html

   17. https://shorewall.org/UPnP.html
       https://shorewall.org/UPnP.html

   18. https://shorewall.org/configuration_file_basics.htm#Pairs
       https://shorewall.org/configuration_file_basics.htm#Pairs

Configuration Files               07/29/2020             SHOREWALL-INTERFACE(5)