1SHOREWALL-INTERFACE(5)        Configuration Files       SHOREWALL-INTERFACE(5)
2
3
4

NAME

6       interfaces - Shorewall interfaces file
7

SYNOPSIS

9       /etc/shorewall[6]/interfaces
10

DESCRIPTION

12       The interfaces file serves to define the firewall's network interfaces
13       to Shorewall. The order of entries in this file is not significant in
14       determining zone composition.
15
16       Beginning with Shorewall 4.5.3, the interfaces file supports two
17       different formats:
18
19       FORMAT 1 (default - deprecated)
20           There is a BROADCAST column which can be used to specify the
21           broadcast address associated with the interface.
22
23       FORMAT 2
24           The BROADCAST column is omitted.
25
26       The format is specified by a line as follows:
27
28       ?FORMAT {1|2}
29
30       The columns in the file are as follows.
31
32       ZONE - zone-name
33           Zone for this interface. Must match the name of a zone declared in
34           /etc/shorewall/zones. You may not list the firewall zone in this
35           column.
36
37           If the interface serves multiple zones that will be defined in the
38           shorewall-hosts[1](5) file, you should place "-" in this column.
39
40           If there are multiple interfaces to the same zone, you must list
41           them in separate entries.
42
43           Example:
44
45               #ZONE   INTERFACE       BROADCAST
46               loc     eth1            -
47               loc     eth2            -
48
49       INTERFACE - interface[:port]
50           Logical name of interface. Each interface may be listed only once
51           in this file. You may NOT specify the name of a "virtual" interface
52           (e.g., eth0:0) here; see https://shorewall.org/FAQ.htm#faq18[2]. If
53           the physical option is not specified, then the logical name is also
54           the name of the actual interface.
55
56           You may use wildcards here by specifying a prefix followed by the
57           plus sign ("+"). For example, if you want to make an entry that
58           applies to all PPP interfaces, use 'ppp+'; that would match ppp0,
59           ppp1, ppp2, ...
60
61           When using Shorewall versions before 4.1.4, care must be exercised
62           when using wildcards where there is another zone that uses a
63           matching specific interface. See shorewall-nesting[3](5) for a
64           discussion of this problem.
65
66           Shorewall allows '+' as an interface name, but that usage is
67           deprecated. A better approach is to specify 'physical=+' in the
68           OPTIONS column (see below).
69
70           There is no need to define the loopback interface (lo) in this
71           file.
72
73           If a port is given, then the interface must have been defined
74           previously with the bridge option. The OPTIONS column may not
75           contain the following options when a port is given.
76               arp_filter
77               arp_ignore
78               bridge
79               log_martians
80               mss
81               optional
82               proxyarp
83               required
84               routefilter
85               sourceroute
86               upnp
87               wait
88           Beginning with Shorewall 4.5.17, if you specify a zone for the 'lo'
89           interface, then that zone must be defined as type local in
90           shorewall6-zones[4](5).
91
92       BROADCAST (Optional) - {-|detect|address[,address]...}
93           Only available if FORMAT 1.
94
95           If you use the special value detect, Shorewall will detect the
96           broadcast address(es) for you if your iptables and kernel include
97           Address Type Match support.
98
99           If your iptables and/or kernel lack Address Type Match support then
100           you may list the broadcast address(es) for the network(s) to which
101           the interface belongs. For P-T-P interfaces, this column is left
102           blank. If the interface has multiple addresses on multiple subnets
103           then list the broadcast addresses as a comma-separated list.
104
105           If you don't want to give a value for this column but you want to
106           enter a value in the OPTIONS column, enter - in this column.
107
108       OPTIONS (Optional) - [option[,option]...]
109           A comma-separated list of options from the following list. The
110           order in which you list the options is not significant but the list
111           should have no embedded white-space.
112
113           accept_ra[={0|1|2}]
114               IPv6 only; added in Shorewall 4.5.16. Values are:
115
116               0
117                   Do not accept Router Advertisements.
118
119               1
120                   Accept Route Advertisements if forwarding is disabled.
121
122               2
123                   Overrule forwarding behavior. Accept Route Advertisements
124                   even if forwarding is enabled.
125
126               If the option is specified without a value, then the value 1 is
127               assumed.
128
129                   Note
130                   This option does not work with a wild-card physical name
131                   (e.g., eth0.+). Beginning with Shorewall 5.1.10, If this
132                   option is specified, a warning is issued and the option is
133                   ignored.
134
135           arp_filter[={0|1}]
136               IPv4 only. If specified, this interface will only respond to
137               ARP who-has requests for IP addresses configured on the
138               interface. If not specified, the interface can respond to ARP
139               who-has requests for IP addresses on any of the firewall's
140               interface. The interface must be up when Shorewall is started.
141
142               Only those interfaces with the arp_filter option will have
143               their setting changed; the value assigned to the setting will
144               be the value specified (if any) or 1 if no value is given.
145
146                   Note
147                   This option does not work with a wild-card physical name
148                   (e.g., eth0.+). Beginning with Shorewall 5.1.10, If this
149                   option is specified, a warning is issued and the option is
150                   ignored.
151
152           arp_ignore[=number]
153               IPv4 only. If specified, this interface will respond to arp
154               requests based on the value of number (defaults to 1).
155
156               1 - reply only if the target IP address is local address
157               configured on the incoming interface
158
159               2 - reply only if the target IP address is local address
160               configured on the incoming interface and the sender's IP
161               address is part from same subnet on this interface's address
162
163               3 - do not reply for local addresses configured with scope
164               host, only resolutions for global and link
165
166               4-7 - reserved
167
168               8 - do not reply for all local addresses
169
170                   Note
171                   This option does not work with a wild-card physical name
172                   (e.g., eth0.+). Beginning with Shorewall 5.1.10, If this
173                   option is specified, a warning is issued and the option is
174                   ignored.
175
176                   Warning
177                   Do not specify arp_ignore for any interface involved in
178                   Proxy ARP[5].
179
180           blacklist
181               Checks packets arriving on this interface against the
182               shorewall-blacklist[6](5) file.
183
184               Beginning with Shorewall 4.4.13:
185
186               •   If a zone is given in the ZONES column, then the behavior
187                   is as if blacklist had been specified in the IN_OPTIONS
188                   column of shorewall-zones[4](5).
189
190               •   Otherwise, the option is ignored with a warning: WARNING:
191                   The 'blacklist' option is ignored on multi-zone interfaces
192
193           bridge
194               Designates the interface as a bridge. Beginning with Shorewall
195               4.4.7, setting this option also sets routeback.
196
197                   Note
198                   If you have a bridge that you don't intend to define bport
199                   zones on, then it is best to omit this option and simply
200                   specify routeback.
201
202           dbl={none|src|dst|src-dst}
203               Added in Shorewall 5.0.10. This option defined whether or not
204               dynamic blacklisting is applied to packets entering the
205               firewall through this interface and whether the source address
206               and/or destination address is to be compared against the
207               ipset-based dynamic blacklist (DYNAMIC_BLACKLIST=ipset... in
208               shorewall.conf(5)[7]). The default is determine by the setting
209               of DYNAMIC_BLACKLIST:
210
211               DYNAMIC_BLACKLIST=No
212                   Default is none (e.g., no dynamic blacklist checking).
213
214               DYNAMIC_BLACKLIST=Yes
215                   Default is src (e.g., the source IP address is checked).
216
217               DYNAMIC_BLACKLIST=ipset[-only]
218                   Default is src.
219
220               DYNAMIC_BLACKLIST=ipset[-only],src-dst...
221                   Default is src-dst (e.g., the source IP addresses in
222                   checked against the ipset on input and the destination IP
223                   address is checked against the ipset on packets originating
224                   from the firewall and leaving through this interface).
225
226               The normal setting for this option will be dst or none for
227               internal interfaces and src or src-dst for Internet-facing
228               interfaces.
229
230           destonly
231               Added in Shorewall 4.5.17. Causes the compiler to omit rules to
232               handle traffic from this interface.
233
234           dhcp
235               Specify this option when any of the following are true:
236
237                1. the interface gets its IP address via DHCP
238
239                2. the interface is used by a DHCP server running on the
240                   firewall
241
242                3. the interface has a static IP but is on a LAN segment with
243                   lots of DHCP clients.
244
245                4. the interface is a simple bridge[8] with a DHCP server on
246                   one port and DHCP clients on another port.
247
248                       Note
249                       If you use Shorewall-perl for firewall/bridging[9],
250                       then you need to include DHCP-specific rules in
251                       shorewall-rules[10](5). DHCP uses UDP ports 67 and 68.
252
253               This option allows DHCP datagrams to enter and leave the
254               interface.
255
256           forward[={0|1}]
257               IPv6 only Sets the /proc/sys/net/ipv6/conf/interface/forwarding
258               option to the specified value. If no value is supplied, then 1
259               is assumed.
260
261                   Note
262                   This option does not work with a wild-card physical name
263                   (e.g., eth0.+). Beginning with Shorewall 5.1.10, If this
264                   option is specified, a warning is issued and the option is
265                   ignored.
266
267           ignore[=1]
268               When specified, causes the generated script to ignore up/down
269               events from Shorewall-init for this device. Additionally, the
270               option exempts the interface from hairpin filtering. When '=1'
271               is omitted, the ZONE column must contain '-' and ignore must be
272               the only OPTION.
273
274               Beginning with Shorewall 4.5.5, may be specified as 'ignore=1'
275               which only causes the generated script to ignore up/down events
276               from Shorewall-init; hairpin filtering is still applied. In
277               this case, the above restrictions on the ZONE and OPTIONS
278               columns are lifted.
279
280           loopback
281               Added in Shorewall 4.6.6. Designates the interface as the
282               loopback interface. This option is assumed if the interface's
283               physical name is 'lo'. Only one interface man have the loopback
284               option specified.
285
286           logmartians[={0|1}]
287               IPv4 only. Turn on kernel martian logging (logging of packets
288               with impossible source addresses. It is strongly suggested that
289               if you set routefilter on an interface that you also set
290               logmartians. Even if you do not specify the routefilter option,
291               it is a good idea to specify logmartians because your
292               distribution may have enabled route filtering without you
293               knowing it.
294
295               Only those interfaces with the logmartians option will have
296               their setting changed; the value assigned to the setting will
297               be the value specified (if any) or 1 if no value is given.
298
299               To find out if route filtering is set on a given interface,
300               check the contents of
301               /proc/sys/net/ipv4/conf/interface/rp_filter - a non-zero value
302               indicates that route filtering is enabled.
303
304               Example:
305
306                           teastep@lists:~$ cat /proc/sys/net/ipv4/conf/eth0/rp_filter
307                           1
308                           teastep@lists:~$
309
310
311                   Note
312                   This option does not work with a wild-card physical name
313                   (e.g., eth0.+). Beginning with Shorewall 5.1.10, If this
314                   option is specified, a warning is issued and the option is
315                   ignored.
316               This option may also be enabled globally in the
317               shorewall.conf[7](5) file.
318
319           maclist
320               Connection requests from this interface are compared against
321               the contents of shorewall-maclist[11](5). If this option is
322               specified, the interface must be an Ethernet NIC and must be up
323               before Shorewall is started.
324
325           mss=number
326               Added in Shorewall 4.0.3. Causes forwarded TCP SYN packets
327               entering or leaving on this interface to have their MSS field
328               set to the specified number.
329
330           nets=(net[,...])
331               Limit the zone named in the ZONE column to only the listed
332               networks. The parentheses may be omitted if only a single net
333               is given (e.g., nets=192.168.1.0/24). Limited broadcast to the
334               zone is supported. Beginning with Shorewall 4.4.1, multicast
335               traffic to the zone is also supported.
336
337           nets=dynamic
338               Defines the zone as dynamic. Requires ipset match support in
339               your iptables and kernel. See
340               https://shorewall.org/Dynamic.html[12] for further information.
341
342           nodbl
343               Added in Shorewall 5.0.8. When specified, dynamic blacklisting
344               is disabled on the interface. Beginning with Shorewall 5.0.10,
345               nodbl is equivalent to dbl=none.
346
347           nosmurfs
348               IPv4 only. Filter packets for smurfs (packets with a broadcast
349               address as the source).
350
351               Smurfs will be optionally logged based on the setting of
352               SMURF_LOG_LEVEL in shorewall.conf[7](5). After logging, the
353               packets are dropped.
354
355           omitanycast
356               IPv6 only. Added in Shorewall 5.2.8.
357
358               Shorewall6 has traditionally generated rules for IPv6 anycast
359               addresses. These rules include:
360
361                1. Packets with these destination IP addresses are dropped by
362                   REJECT rules.
363
364                2. Packets with these source IP addresses are dropped by the
365                   'nosmurfs' interface option and by the 'dropSmurfs' action.
366
367                3. Packets with these destination IP addresses are not logged
368                   during policy enforcement.
369
370                4. Packets with these destination IP addresses are processes
371                   by the 'Broadcast' action.
372
373               This can be inhibited for individual interfaces by specifying
374               noanycast for those interfaces.
375
376                   Note
377                   RFC 2526 describes IPv6 subnet anycast addresses. The RFC
378                   makes a distinction between subnets with "IPv6 address
379                   types required to have 64-bit interface identifiers in
380                   EUI-64 format" and all other subnets. When generating these
381                   anycast addresses, the Shorewall compiler does not make
382                   this distinction and unconditionally assumes that the last
383                   128 addresses in the subnet are reserved as anycast
384                   addresses.
385
386           optional
387               This option indicates that the firewall should be able to
388               start, even if the interface is not usable for handling
389               traffic. It allows use of the enable and disable commands on
390               the interface.
391
392               When optional is specified for an interface, Shorewall will be
393               silent when:
394
395               •   a /proc/sys/net/ipv[46]/conf/ entry for the interface
396                   cannot be modified (including for proxy ARP or proxy NDP).
397
398               •   The first address of the interface cannot be obtained.
399
400               •   The gateway of the interface can not be obtained (provider
401                   interface).
402
403               •   The interface has been disabled using the disable command.
404
405               May not be specified with required.
406
407           physical=name
408               Added in Shorewall 4.4.4. When specified, the interface or port
409               name in the INTERFACE column is a logical name that refers to
410               the name given in this option. It is useful when you want to
411               specify the same wildcard port name on two or more bridges. See
412               https://shorewall.org/bridge-Shorewall-perl.html#Multiple[13].
413
414               If the interface name is a wildcard name (ends with '+'), then
415               the physical name must also end in '+'. The physical name may
416               end in '+' (or be exactly '+') when the interface name is not a
417               wildcard name.
418
419               If physical is not specified, then it's value defaults to the
420               interface name.
421
422           proxyarp[={0|1}]
423               IPv4 only. Sets /proc/sys/net/ipv4/conf/interface/proxy_arp. Do
424               NOT use this option if you are employing Proxy ARP through
425               entries in shorewall-proxyarp[14](5). This option is intended
426               solely for use with Proxy ARP sub-networking as described at:
427               http://tldp.org/HOWTO/Proxy-ARP-Subnet/index.html.[15]
428
429                   Note
430                   This option does not work with a wild-card physical name
431                   (e.g., eth0.+). Beginning with Shorewall 5.1.10, If this
432                   option is specified, a warning is issued and the option is
433                   ignored.
434               Only those interfaces with the proxyarp option will have their
435               setting changed; the value assigned to the setting will be the
436               value specified (if any) or 1 if no value is given.
437
438           proxyndp[={0|1}]
439               IPv6 only. Sets /proc/sys/net/ipv6/conf/interface/proxy_ndp.
440
441                   Note
442                   This option does not work with a wild-card physical name
443                   (e.g., eth0.+). Beginning with Shorewall 5.1.10, If this
444                   option is specified, a warning is issued and the option is
445                   ignored.
446               Only those interfaces with the proxyndp option will have their
447               setting changed; the value assigned to the setting will be the
448               value specified (if any) or 1 if no value is given.
449
450           required
451               Added in Shorewall 4.4.10. If this option is set, the firewall
452               will fail to start if the interface is not usable. May not be
453               specified together with optional.
454
455           routeback[={0|1}]
456               If specified, indicates that Shorewall should include rules
457               that allow traffic arriving on this interface to be routed back
458               out that same interface. This option is also required when you
459               have used a wildcard in the INTERFACE column if you want to
460               allow traffic between the interfaces that match the wildcard.
461
462               Beginning with Shorewall 4.4.20, if you specify this option,
463               then you should also specify either sfilter (see below) or
464               routefilter on all interfaces (see below).
465
466               Beginning with Shorewall 4.5.18, you may specify this option to
467               explicitly reset (e.g., routeback=0). This can be used to
468               override Shorewall's default setting for bridge devices which
469               is routeback=1.
470
471           routefilter[={0|1|2}]
472               IPv4 only. Turn on kernel route filtering for this interface
473               (anti-spoofing measure).
474
475               Only those interfaces with the routefilter option will have
476               their setting changes; the value assigned to the setting will
477               be the value specified (if any) or 1 if no value is given.
478
479               The value 2 is only available with Shorewall 4.4.5.1 and later
480               when the kernel version is 2.6.31 or later. It specifies a
481               loose form of reverse path filtering.
482
483                   Note
484                   This option does not work with a wild-card physical name
485                   (e.g., eth0.+). Beginning with Shorewall 5.1.10, If this
486                   option is specified, a warning is issued and the option is
487                   ignored.
488               This option can also be enabled globally via the ROUTE_FILTER
489               option in the shorewall.conf[7](5) file.
490
491                   Important
492                   If ROUTE_FILTER=Yes in shorewall.conf[7](5), or if your
493                   distribution sets net.ipv4.conf.all.rp_filter=1 in
494                   /etc/sysctl.conf, then setting routefilter=0 in an
495                   interface entry will not disable route filtering on that
496                   interface! The effective setting for an interface is the
497                   maximum of the contents of
498                   /proc/sys/net/ipv4/conf/all/rp_filter and the routefilter
499                   setting specified in this file
500                   (/proc/sys/net/ipv4/conf/interface/rp_filter).
501
502                   Note
503                   There are certain cases where routefilter cannot be used on
504                   an interface:
505
506                   •   If USE_DEFAULT_RT=Yes in shorewall.conf[7](5) and the
507                       interface is listed in shorewall-providers[16](5).
508
509                   •   If there is an entry for the interface in
510                       shorewall-providers[16](5) that doesn't specify the
511                       balance option.
512
513                   •   If IPSEC is used to allow a road-warrior to have a
514                       local address, then any interface through which the
515                       road-warrior might connect cannot specify routefilter.
516               Beginning with Shorewall 5.1.1, when routefilter is set to a
517               non-zero value, the logmartians option is also implicitly set.
518               If you actually want route filtering without logging, then you
519               must also specify logmartians=0 after routefilter.
520
521           rpfilter
522               Added in Shorewall 4.5.7. This is an anti-spoofing measure that
523               requires the 'RPFilter Match' capability in your iptables and
524               kernel. It provides a more efficient alternative to the sfilter
525               option below. It performs a function similar to routefilter
526               (see above) but works with Multi-ISP configurations that do not
527               use balanced routes.
528
529           sfilter=(net[,...])
530               Added in Shorewall 4.4.20. This option provides an
531               anti-spoofing alternative to routefilter on interfaces where
532               that option cannot be used, but where the routeback option is
533               required (on a bridge, for example). On these interfaces,
534               sfilter should list those local networks that are connected to
535               the firewall through other interfaces.
536
537           sourceroute[={0|1}]
538               If this option is not specified for an interface, then
539               source-routed packets will not be accepted from that interface
540               unless it has been explicitly enabled via sysconf. Only set
541               this option to 1 (enable source routing) if you know what you
542               are doing. This might represent a security risk and is usually
543               unneeded.
544
545               Only those interfaces with the sourceroute option will have
546               their setting changed; the value assigned to the setting will
547               be the value specified (if any) or 1 if no value is given.
548
549                   Note
550                   This option does not work with a wild-card physical name
551                   (e.g., eth0.+). Beginning with Shorewall 5.1.10, If this
552                   option is specified, a warning is issued and the option is
553                   ignored.
554
555           tcpflags[={0|1}]
556               Packets arriving on this interface are checked for certain
557               illegal combinations of TCP flags. Packets found to have such a
558               combination of flags are handled according to the setting of
559               TCP_FLAGS_DISPOSITION after having been logged according to the
560               setting of TCP_FLAGS_LOG_LEVEL.
561
562               Beginning with Shorewall 4.6.0, tcpflags=1 is the default. To
563               disable this option, specify tcpflags=0.
564
565           unmanaged
566               Added in Shorewall 4.5.18. Causes all traffic between the
567               firewall and hosts on the interface to be accepted. When this
568               option is given:
569
570               •   The ZONE column must contain '-'.
571
572               •   Only the following other options are allowed with
573                   unmanaged:
574                       arp_filter
575                       arp_ignore
576                       ignore
577                       routefilter
578                       optional
579                       physical
580                       routefilter
581                       proxyarp
582                       proxyudp
583                       sourceroute
584
585           upnp
586               Incoming requests from this interface may be remapped via UPNP
587               (upnpd). See https://shorewall.org/UPnP.html[17]. Supported in
588               IPv4 and in IPv6 in Shorewall 5.1.4 and later.
589
590           upnpclient
591               This option is intended for laptop users who always run
592               Shorewall on their system yet need to run UPnP-enabled client
593               apps such as Transmission (BitTorrent client). The option
594               causes Shorewall to detect the default gateway through the
595               interface and to accept UDP packets from that gateway. Note
596               that, like all aspects of UPnP, this is a security hole so use
597               this option at your own risk. Supported in IPv4 and in IPv6 in
598               Shorewall 5.1.4 and later.
599
600           wait=seconds
601               Added in Shorewall 4.4.10. Causes the generated script to wait
602               up to seconds seconds for the interface to become usable before
603               applying the required or optional options.
604

EXAMPLE

606       IPv4 Example 1:
607           Suppose you have eth0 connected to a DSL modem and eth1 connected
608           to your local network and that your local subnet is 192.168.1.0/24.
609           The interface gets its IP address via DHCP from subnet
610           206.191.149.192/27. You have a DMZ with subnet 192.168.2.0/24 using
611           eth2. Your iptables and/or kernel do not support "Address Type
612           Match" and you prefer to specify broadcast addresses explicitly
613           rather than having Shorewall detect them.
614
615           Your entries for this setup would look like:
616
617               ?FORMAT 1
618               #ZONE   INTERFACE BROADCAST        OPTIONS
619               net     eth0      206.191.149.223  dhcp
620               loc     eth1      192.168.1.255
621               dmz     eth2      192.168.2.255
622
623       Example 2:
624           The same configuration without specifying broadcast addresses is:
625
626               ?FORMAT 2
627               #ZONE   INTERFACE OPTIONS
628               net     eth0      dhcp
629               loc     eth1
630               dmz     eth2
631
632       Example 3:
633           You have a simple dial-in system with no Ethernet connections.
634
635               ?FORMAT 2
636               #ZONE   INTERFACE OPTIONS
637               net     ppp0      -
638
639       Example 4 (Shorewall 4.4.9 and later):
640           You have a bridge with no IP address and you want to allow traffic
641           through the bridge.
642
643               ?FORMAT 2
644               #ZONE   INTERFACE OPTIONS
645               -       br0       bridge
646

FILES

648       /etc/shorewall/interfaces
649
650       /etc/shorewall6/interfaces
651

SEE ALSO

653       https://shorewall.org/configuration_file_basics.htm#Pairs[18]
654
655       shorewall(8)
656

NOTES

658        1. shorewall-hosts
659           https://shorewall.org/manpages/shorewall-hosts.html
660
661        2. https://shorewall.org/FAQ.htm#faq18
662           https://shorewall.org/FAQ.htm#faq18
663
664        3. shorewall-nesting
665           https://shorewall.org/manpages/shorewall-nesting.html
666
667        4. shorewall6-zones
668           https://shorewall.org/manpages/shorewall-zones.html
669
670        5. Proxy ARP
671           https://shorewall.org/ProxyARP.htm
672
673        6. shorewall-blacklist
674           https://shorewall.org/manpages/shorewall-blacklist.html
675
676        7. shorewall.conf(5)
677           https://shorewall.org/manpages/shorewall.conf.html
678
679        8. simple bridge
680           https://shorewall.org/SimpleBridge.html
681
682        9. Shorewall-perl for firewall/bridging
683           https://shorewall.org/bridge-Shorewall-perl.html
684
685       10. shorewall-rules
686           https://shorewall.org/manpages/shorewall-rules.html
687
688       11. shorewall-maclist
689           https://shorewall.org/manpages/shorewall-maclist.html
690
691       12. https://shorewall.org/Dynamic.html
692           https://shorewall.org/Dynamic.html
693
694       13. https://shorewall.org/bridge-Shorewall-perl.html#Multiple
695           https://shorewall.org/bridge-Shorewall-perl.html#Multiple
696
697       14. shorewall-proxyarp
698           https://shorewall.org/manpages/shorewall-proxyarp.html
699
700       15. http://tldp.org/HOWTO/Proxy-ARP-Subnet/index.html.
701           http://tldp.org/HOWTO/Proxy-ARP-Subnet/index.html
702
703       16. shorewall-providers
704           https://shorewall.org/manpages/shorewall-providers.html
705
706       17. https://shorewall.org/UPnP.html
707           https://shorewall.org/UPnP.html
708
709       18. https://shorewall.org/configuration_file_basics.htm#Pairs
710           https://shorewall.org/configuration_file_basics.htm#Pairs
711
712
713
714Configuration Files               09/24/2020            SHOREWALL-INTERFACE(5)
Impressum