SHOREWALL-INTERFACE(5) Configuration Files SHOREWALL-INTERFACE(5)

NAME
   interfaces - Shorewall interfaces file

SYNOPSIS
   /etc/shorewall[6]/interfaces

DESCRIPTION
   The interfaces file serves to define the firewall's network interfaces
   to Shorewall. The order of entries in this file is not significant in
   determining zone composition.

   Beginning with Shorewall 4.5.3, the interfaces file supports two
   different formats:

   FORMAT 1 (default - deprecated)
       There is a BROADCAST column which can be used to specify the
       broadcast address associated with the interface.

   FORMAT 2
       The BROADCAST column is omitted.

   The format is specified by a line as follows:

       ?FORMAT {1|2}

   The columns in the file are as follows.

   ZONE - zone-name
       Zone for this interface. Must match the name of a zone declared in
       /etc/shorewall/zones. You may not list the firewall zone in this
       column.

       If the interface serves multiple zones that will be defined in the
       shorewall-hosts[1](5) file, you should place "-" in this column.

       If there are multiple interfaces to the same zone, you must list
       them in separate entries.

       Example:

           #ZONE   INTERFACE   BROADCAST
           loc     eth1        -
           loc     eth2        -

   INTERFACE - interface[:port]
       Logical name of interface. Each interface may be listed only once
       in this file. You may NOT specify the name of a "virtual" interface
       (e.g., eth0:0) here; see https://shorewall.org/FAQ.htm#faq18[2]. If
       the physical option is not specified, then the logical name is also
       the name of the actual interface.

       You may use wildcards here by specifying a prefix followed by the
       plus sign ("+"). For example, if you want to make an entry that
       applies to all PPP interfaces, use 'ppp+'; that would match ppp0,
       ppp1, ppp2, ...

       When using Shorewall versions before 4.1.4, care must be exercised
       when using wildcards where there is another zone that uses a
       matching specific interface. See shorewall-nesting[3](5) for a
       discussion of this problem.

       Shorewall allows '+' as an interface name, but that usage is
       deprecated. A better approach is to specify 'physical=+' in the
       OPTIONS column (see below).

       There is no need to define the loopback interface (lo) in this
       file.

       If a port is given, then the interface must have been defined
       previously with the bridge option. The OPTIONS column may not
       contain the following options when a port is given:

           arp_filter
           arp_ignore
           bridge
           log_martians
           mss
           optional
           proxyarp
           required
           routefilter
           sourceroute
           upnp
           wait

       Beginning with Shorewall 4.5.17, if you specify a zone for the 'lo'
       interface, then that zone must be defined as type local in
       shorewall6-zones[4](5).

   BROADCAST (Optional) - {-|detect|address[,address]...}
       Only available if FORMAT 1.

       If you use the special value detect, Shorewall will detect the
       broadcast address(es) for you if your iptables and kernel include
       Address Type Match support.

       If your iptables and/or kernel lack Address Type Match support then
       you may list the broadcast address(es) for the network(s) to which
       the interface belongs. For P-T-P interfaces, this column is left
       blank. If the interface has multiple addresses on multiple subnets
       then list the broadcast addresses as a comma-separated list.

       If you don't want to give a value for this column but you want to
       enter a value in the OPTIONS column, enter - in this column.

   OPTIONS (Optional) - [option[,option]...]
       A comma-separated list of options from the following list. The
       order in which you list the options is not significant but the list
       should have no embedded white-space.

       accept_ra[={0|1|2}]
           IPv6 only; added in Shorewall 4.5.16. Values are:

           0
               Do not accept Router Advertisements.

           1
               Accept Router Advertisements if forwarding is disabled.

           2
               Overrule forwarding behavior. Accept Router Advertisements
               even if forwarding is enabled.

           If the option is specified without a value, then the value 1 is
           assumed.

           Note
               This option does not work with a wild-card physical name
               (e.g., eth0.+). Beginning with Shorewall 5.1.10, if this
               option is specified for such an interface, a warning is
               issued and the option is ignored.

       arp_filter[={0|1}]
           IPv4 only. If specified, this interface will only respond to
           ARP who-has requests for IP addresses configured on the
           interface. If not specified, the interface can respond to ARP
           who-has requests for IP addresses on any of the firewall's
           interfaces. The interface must be up when Shorewall is started.

           Only those interfaces with the arp_filter option will have
           their setting changed; the value assigned to the setting will
           be the value specified (if any) or 1 if no value is given.

           Note
               This option does not work with a wild-card physical name
               (e.g., eth0.+). Beginning with Shorewall 5.1.10, if this
               option is specified for such an interface, a warning is
               issued and the option is ignored.

       arp_ignore[=number]
           IPv4 only. If specified, this interface will respond to ARP
           requests based on the value of number (defaults to 1).

           1 - reply only if the target IP address is a local address
           configured on the incoming interface

           2 - reply only if the target IP address is a local address
           configured on the incoming interface and the sender's IP
           address is part of the same subnet as this interface's address

           3 - do not reply for local addresses configured with scope
           host, only resolutions for global and link

           4-7 - reserved

           8 - do not reply for all local addresses

           Note
               This option does not work with a wild-card physical name
               (e.g., eth0.+). Beginning with Shorewall 5.1.10, if this
               option is specified for such an interface, a warning is
               issued and the option is ignored.

           Warning
               Do not specify arp_ignore for any interface involved in
               Proxy ARP[5].

       blacklist
           Checks packets arriving on this interface against the
           shorewall-blacklist[6](5) file.

           Beginning with Shorewall 4.4.13:

           •   If a zone is given in the ZONE column, then the behavior
               is as if blacklist had been specified in the IN_OPTIONS
               column of shorewall-zones[4](5).

           •   Otherwise, the option is ignored with a warning: WARNING:
               The 'blacklist' option is ignored on multi-zone interfaces

       bridge
           Designates the interface as a bridge. Beginning with Shorewall
           4.4.7, setting this option also sets routeback.

           Note
               If you have a bridge that you don't intend to define bport
               zones on, then it is best to omit this option and simply
               specify routeback.

       dbl={none|src|dst|src-dst}
           Added in Shorewall 5.0.10. This option defines whether or not
           dynamic blacklisting is applied to packets entering the
           firewall through this interface and whether the source address
           and/or destination address is to be compared against the
           ipset-based dynamic blacklist (DYNAMIC_BLACKLIST=ipset... in
           shorewall.conf(5)[7]). The default is determined by the setting
           of DYNAMIC_BLACKLIST:

           DYNAMIC_BLACKLIST=No
               Default is none (i.e., no dynamic blacklist checking).

           DYNAMIC_BLACKLIST=Yes
               Default is src (i.e., the source IP address is checked).

           DYNAMIC_BLACKLIST=ipset[-only]
               Default is src.

           DYNAMIC_BLACKLIST=ipset[-only],src-dst...
               Default is src-dst (i.e., the source IP address is
               checked against the ipset on input and the destination IP
               address is checked against the ipset on packets originating
               from the firewall and leaving through this interface).

           The normal setting for this option will be dst or none for
           internal interfaces and src or src-dst for Internet-facing
           interfaces.

       destonly
           Added in Shorewall 4.5.17. Causes the compiler to omit rules to
           handle traffic from this interface.

       dhcp
           Specify this option when any of the following are true:

           1. the interface gets its IP address via DHCP

           2. the interface is used by a DHCP server running on the
              firewall

           3. the interface has a static IP but is on a LAN segment with
              lots of DHCP clients.

           4. the interface is a simple bridge[8] with a DHCP server on
              one port and DHCP clients on another port.

              Note
                  If you use Shorewall-perl for firewall/bridging[9],
                  then you need to include DHCP-specific rules in
                  shorewall-rules[10](5). DHCP uses UDP ports 67 and 68.

           This option allows DHCP datagrams to enter and leave the
           interface.

       forward[={0|1}]
           IPv6 only. Sets the /proc/sys/net/ipv6/conf/interface/forwarding
           option to the specified value. If no value is supplied, then 1
           is assumed.

           Note
               This option does not work with a wild-card physical name
               (e.g., eth0.+). Beginning with Shorewall 5.1.10, if this
               option is specified for such an interface, a warning is
               issued and the option is ignored.

       ignore[=1]
           When specified, causes the generated script to ignore up/down
           events from Shorewall-init for this device. Additionally, the
           option exempts the interface from hairpin filtering. When '=1'
           is omitted, the ZONE column must contain '-' and ignore must be
           the only OPTION.

           Beginning with Shorewall 4.5.5, may be specified as 'ignore=1',
           which only causes the generated script to ignore up/down events
           from Shorewall-init; hairpin filtering is still applied. In
           this case, the above restrictions on the ZONE and OPTIONS
           columns are lifted.

       loopback
           Added in Shorewall 4.6.6. Designates the interface as the
           loopback interface. This option is assumed if the interface's
           physical name is 'lo'. Only one interface may have the loopback
           option specified.

       logmartians[={0|1}]
           IPv4 only. Turn on kernel martian logging (logging of packets
           with impossible source addresses). It is strongly suggested
           that if you set routefilter on an interface you also set
           logmartians. Even if you do not specify the routefilter option,
           it is a good idea to specify logmartians because your
           distribution may have enabled route filtering without you
           knowing it.

           Only those interfaces with the logmartians option will have
           their setting changed; the value assigned to the setting will
           be the value specified (if any) or 1 if no value is given.

           To find out if route filtering is set on a given interface,
           check the contents of
           /proc/sys/net/ipv4/conf/interface/rp_filter - a non-zero value
           indicates that route filtering is enabled.

           Example:

               teastep@lists:~$ cat /proc/sys/net/ipv4/conf/eth0/rp_filter
               1
               teastep@lists:~$

           Note
               This option does not work with a wild-card physical name
               (e.g., eth0.+). Beginning with Shorewall 5.1.10, if this
               option is specified for such an interface, a warning is
               issued and the option is ignored.

           This option may also be enabled globally in the
           shorewall.conf[7](5) file.

       maclist
           Connection requests from this interface are compared against
           the contents of shorewall-maclist[11](5). If this option is
           specified, the interface must be an Ethernet NIC and must be up
           before Shorewall is started.

       mss=number
           Added in Shorewall 4.0.3. Causes forwarded TCP SYN packets
           entering or leaving on this interface to have their MSS field
           set to the specified number.

       nets=(net[,...])
           Limit the zone named in the ZONE column to only the listed
           networks. The parentheses may be omitted if only a single net
           is given (e.g., nets=192.168.1.0/24). Limited broadcast to the
           zone is supported. Beginning with Shorewall 4.4.1, multicast
           traffic to the zone is also supported.

       nets=dynamic
           Defines the zone as dynamic. Requires ipset match support in
           your iptables and kernel. See
           https://shorewall.org/Dynamic.html[12] for further information.

       nodbl
           Added in Shorewall 5.0.8. When specified, dynamic blacklisting
           is disabled on the interface. Beginning with Shorewall 5.0.10,
           nodbl is equivalent to dbl=none.

       nosmurfs
           IPv4 only. Filter packets for smurfs (packets with a broadcast
           address as the source).

           Smurfs will be optionally logged based on the setting of
           SMURF_LOG_LEVEL in shorewall.conf[7](5). After logging, the
           packets are dropped.

       omitanycast
           IPv6 only. Added in Shorewall 5.2.8.

           Shorewall6 has traditionally generated rules for IPv6 anycast
           addresses. These rules include:

           1. Packets with these destination IP addresses are dropped by
              REJECT rules.

           2. Packets with these source IP addresses are dropped by the
              'nosmurfs' interface option and by the 'dropSmurfs' action.

           3. Packets with these destination IP addresses are not logged
              during policy enforcement.

           4. Packets with these destination IP addresses are processed
              by the 'Broadcast' action.

           This can be inhibited for individual interfaces by specifying
           omitanycast for those interfaces.

           Note
               RFC 2526 describes IPv6 subnet anycast addresses. The RFC
               makes a distinction between subnets with "IPv6 address
               types required to have 64-bit interface identifiers in
               EUI-64 format" and all other subnets. When generating these
               anycast addresses, the Shorewall compiler does not make
               this distinction and unconditionally assumes that the last
               128 addresses in the subnet are reserved as anycast
               addresses.

       optional
           This option indicates that the firewall should be able to
           start, even if the interface is not usable for handling
           traffic. It allows use of the enable and disable commands on
           the interface.

           When optional is specified for an interface, Shorewall will be
           silent when:

           •   a /proc/sys/net/ipv[46]/conf/ entry for the interface
               cannot be modified (including for proxy ARP or proxy NDP).

           •   the first address of the interface cannot be obtained.

           •   the gateway of the interface cannot be obtained (provider
               interface).

           •   the interface has been disabled using the disable command.

           May not be specified with required.

       physical=name
           Added in Shorewall 4.4.4. When specified, the interface or port
           name in the INTERFACE column is a logical name that refers to
           the name given in this option. It is useful when you want to
           specify the same wildcard port name on two or more bridges. See
           https://shorewall.org/bridge-Shorewall-perl.html#Multiple[13].

           If the interface name is a wildcard name (ends with '+'), then
           the physical name must also end in '+'. The physical name may
           end in '+' (or be exactly '+') when the interface name is not a
           wildcard name.

           If physical is not specified, then its value defaults to the
           interface name.

       proxyarp[={0|1}]
           IPv4 only. Sets /proc/sys/net/ipv4/conf/interface/proxy_arp. Do
           NOT use this option if you are employing Proxy ARP through
           entries in shorewall-proxyarp[14](5). This option is intended
           solely for use with Proxy ARP sub-networking as described at:
           http://tldp.org/HOWTO/Proxy-ARP-Subnet/index.html.[15]

           Note
               This option does not work with a wild-card physical name
               (e.g., eth0.+). Beginning with Shorewall 5.1.10, if this
               option is specified for such an interface, a warning is
               issued and the option is ignored.

           Only those interfaces with the proxyarp option will have their
           setting changed; the value assigned to the setting will be the
           value specified (if any) or 1 if no value is given.

       proxyndp[={0|1}]
           IPv6 only. Sets /proc/sys/net/ipv6/conf/interface/proxy_ndp.

           Note
               This option does not work with a wild-card physical name
               (e.g., eth0.+). Beginning with Shorewall 5.1.10, if this
               option is specified for such an interface, a warning is
               issued and the option is ignored.

           Only those interfaces with the proxyndp option will have their
           setting changed; the value assigned to the setting will be the
           value specified (if any) or 1 if no value is given.

       required
           Added in Shorewall 4.4.10. If this option is set, the firewall
           will fail to start if the interface is not usable. May not be
           specified together with optional.

       routeback[={0|1}]
           If specified, indicates that Shorewall should include rules
           that allow traffic arriving on this interface to be routed back
           out that same interface. This option is also required when you
           have used a wildcard in the INTERFACE column if you want to
           allow traffic between the interfaces that match the wildcard.

           Beginning with Shorewall 4.4.20, if you specify this option,
           then you should also specify either sfilter (see below) or
           routefilter on all interfaces (see below).

           Beginning with Shorewall 4.5.18, you may specify this option to
           explicitly reset (e.g., routeback=0). This can be used to
           override Shorewall's default setting for bridge devices, which
           is routeback=1.

       routefilter[={0|1|2}]
           IPv4 only. Turn on kernel route filtering for this interface
           (anti-spoofing measure).

           Only those interfaces with the routefilter option will have
           their setting changed; the value assigned to the setting will
           be the value specified (if any) or 1 if no value is given.

           The value 2 is only available with Shorewall 4.4.5.1 and later
           when the kernel version is 2.6.31 or later. It specifies a
           loose form of reverse path filtering.

           Note
               This option does not work with a wild-card physical name
               (e.g., eth0.+). Beginning with Shorewall 5.1.10, if this
               option is specified for such an interface, a warning is
               issued and the option is ignored.

           This option can also be enabled globally via the ROUTE_FILTER
           option in the shorewall.conf[7](5) file.

           Important
               If ROUTE_FILTER=Yes in shorewall.conf[7](5), or if your
               distribution sets net.ipv4.conf.all.rp_filter=1 in
               /etc/sysctl.conf, then setting routefilter=0 in an
               interface entry will not disable route filtering on that
               interface! The effective setting for an interface is the
               maximum of the contents of
               /proc/sys/net/ipv4/conf/all/rp_filter and the routefilter
               setting specified in this file
               (/proc/sys/net/ipv4/conf/interface/rp_filter).

           Note
               There are certain cases where routefilter cannot be used on
               an interface:

               •   If USE_DEFAULT_RT=Yes in shorewall.conf[7](5) and the
                   interface is listed in shorewall-providers[16](5).

               •   If there is an entry for the interface in
                   shorewall-providers[16](5) that doesn't specify the
                   balance option.

               •   If IPSEC is used to allow a road-warrior to have a
                   local address, then any interface through which the
                   road-warrior might connect cannot specify routefilter.

           Beginning with Shorewall 5.1.1, when routefilter is set to a
           non-zero value, the logmartians option is also implicitly set.
           If you actually want route filtering without logging, then you
           must also specify logmartians=0 after routefilter.
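
           The check a practitioner wants for the Important note above, as an
           added example that is not Shorewall code: it reads a sysctl-style
           tree, computes the effective rp_filter as the maximum of the all/
           and per-interface values, and flags interfaces where routefilter=0
           cannot take effect or where filtering runs without log_martians.
           The sample tree is constructed in a temporary directory; on a real
           host the root would be /proc/sys/net/ipv4/conf.

```python
"""Check the rp_filter value the kernel actually applies per interface.
Added example, not Shorewall code.  Per the Important note above, the
effective setting is max(conf/all/rp_filter, conf/<iface>/rp_filter), so
routefilter=0 in the interfaces file is silently overridden when the global
value is non-zero; the page also advises logmartians wherever filtering is on."""
import os
import tempfile
from pathlib import Path


def read_knob(conf_root: str, iface: str, knob: str) -> int:
    """Integer value of <conf_root>/<iface>/<knob>; a missing file counts as 0."""
    try:
        return int(Path(conf_root, iface, knob).read_text().strip())
    except FileNotFoundError:
        return 0


def effective_rp_filter(conf_root: str, iface: str) -> int:
    """The kernel applies the maximum of all/rp_filter and <iface>/rp_filter."""
    return max(read_knob(conf_root, "all", "rp_filter"),
               read_knob(conf_root, iface, "rp_filter"))


def audit(conf_root: str, routefilter: dict) -> list:
    """Compare the interfaces-file intent ({iface: routefilter value}) with the
    live sysctl tree and return one finding string per mismatch."""
    findings = []
    glob = read_knob(conf_root, "all", "rp_filter")
    for iface, wanted in routefilter.items():
        have = effective_rp_filter(conf_root, iface)
        if wanted == 0 and have != 0:
            findings.append(f"{iface}: routefilter=0 requested but effective rp_filter is "
                            f"{have} (all/rp_filter={glob}); only all/rp_filter=0 can lift it")
        if have != 0 and read_knob(conf_root, iface, "log_martians") == 0:
            findings.append(f"{iface}: filtering with rp_filter={have} but log_martians=0; "
                            "add logmartians so dropped packets are visible")
    return findings


def build_sample_tree() -> str:
    """Constructed stand-in for /proc/sys/net/ipv4/conf (sample values, not a real host)."""
    root = tempfile.mkdtemp(prefix="rpf-")
    values = {
        "all":  {"rp_filter": 1, "log_martians": 0},
        "eth0": {"rp_filter": 0, "log_martians": 0},   # routefilter=0 cannot take effect
        "eth1": {"rp_filter": 1, "log_martians": 1},   # filtering plus logging: fine
        "br0":  {"rp_filter": 0, "log_martians": 0},
    }
    for iface, knobs in values.items():
        os.makedirs(os.path.join(root, iface))
        for knob, val in knobs.items():
            Path(root, iface, knob).write_text(f"{val}\n")
    return root


if __name__ == "__main__":
    # On a real firewall pass "/proc/sys/net/ipv4/conf" instead of the sample tree.
    for finding in audit(build_sample_tree(), {"eth0": 0, "eth1": 1, "br0": 0}):
        print("WARNING:", finding)
```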

       rpfilter
           Added in Shorewall 4.5.7. This is an anti-spoofing measure that
           requires the 'RPFilter Match' capability in your iptables and
           kernel. It provides a more efficient alternative to the sfilter
           option below. It performs a function similar to routefilter
           (see above) but works with Multi-ISP configurations that do not
           use balanced routes.

       sfilter=(net[,...])
           Added in Shorewall 4.4.20. This option provides an
           anti-spoofing alternative to routefilter on interfaces where
           that option cannot be used, but where the routeback option is
           required (on a bridge, for example). On these interfaces,
           sfilter should list those local networks that are connected to
           the firewall through other interfaces.

       sourceroute[={0|1}]
           If this option is not specified for an interface, then
           source-routed packets will not be accepted from that interface
           unless it has been explicitly enabled via sysconf. Only set
           this option to 1 (enable source routing) if you know what you
           are doing. This might represent a security risk and is usually
           unneeded.

           Only those interfaces with the sourceroute option will have
           their setting changed; the value assigned to the setting will
           be the value specified (if any) or 1 if no value is given.

           Note
               This option does not work with a wild-card physical name
               (e.g., eth0.+). Beginning with Shorewall 5.1.10, if this
               option is specified for such an interface, a warning is
               issued and the option is ignored.

       tcpflags[={0|1}]
           Packets arriving on this interface are checked for certain
           illegal combinations of TCP flags. Packets found to have such a
           combination of flags are handled according to the setting of
           TCP_FLAGS_DISPOSITION after having been logged according to the
           setting of TCP_FLAGS_LOG_LEVEL.

           Beginning with Shorewall 4.6.0, tcpflags=1 is the default. To
           disable this option, specify tcpflags=0.

       unmanaged
           Added in Shorewall 4.5.18. Causes all traffic between the
           firewall and hosts on the interface to be accepted. When this
           option is given:

           •   The ZONE column must contain '-'.

           •   Only the following other options are allowed with
               unmanaged:

                   arp_filter
                   arp_ignore
                   ignore
                   routefilter
                   optional
                   physical
                   proxyarp
                   proxyndp
                   sourceroute

       upnp
           Incoming requests from this interface may be remapped via UPNP
           (upnpd). See https://shorewall.org/UPnP.html[17]. Supported in
           IPv4 and in IPv6 in Shorewall 5.1.4 and later.

       upnpclient
           This option is intended for laptop users who always run
           Shorewall on their system yet need to run UPnP-enabled client
           apps such as Transmission (BitTorrent client). The option
           causes Shorewall to detect the default gateway through the
           interface and to accept UDP packets from that gateway. Note
           that, like all aspects of UPnP, this is a security hole, so use
           this option at your own risk. Supported in IPv4 and in IPv6 in
           Shorewall 5.1.4 and later.

       wait=seconds
           Added in Shorewall 4.4.10. Causes the generated script to wait
           up to seconds seconds for the interface to become usable before
           applying the required or optional options.
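
       The column and option constraints above, applied by a small linter
       (added example, not Shorewall's own compiler; it covers only the
       rules stated on this page and accepts both spellings, log_martians
       and logmartians, in the bridge-port list):

```python
"""Lint a Shorewall interfaces file against the OPTIONS rules above.  Added
example, not Shorewall code: it checks only constraints this page states."""
import re

# Forbidden on a bridge port (the page spells logmartians as log_martians).
PORT_FORBIDDEN = {"arp_filter", "arp_ignore", "bridge", "log_martians", "logmartians", "mss",
                  "optional", "proxyarp", "required", "routefilter", "sourceroute", "upnp", "wait"}
UNMANAGED_ALLOWED = {"arp_filter", "arp_ignore", "ignore", "routefilter", "optional",
                     "physical", "proxyarp", "proxyndp", "sourceroute"}
DBL_VALUES = {"none", "src", "dst", "src-dst"}


def parse_options(field: str) -> dict:
    """'routefilter,dbl=src,nets=(a,b)' -> {'routefilter': None, 'dbl': 'src', 'nets': '(a,b)'}."""
    opts, depth, cur = {}, 0, ""
    for ch in field + ",":
        if ch == "," and depth == 0:              # commas inside (...) do not split
            if cur and cur != "-":                # a lone '-' means no options
                name, _, val = cur.partition("=")
                opts[name] = val or None
            cur = ""
            continue
        depth += (ch == "(") - (ch == ")")
        cur += ch
    return opts


def lint(text: str) -> list:
    """Return 'line N: message' strings, one per violated rule; [] means clean."""
    problems, fmt, bridges = [], 1, set()
    bad = lambda n, msg: problems.append(f"line {n}: {msg}")
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"\?FORMAT\s+([12])$", line)
        if m:
            fmt = int(m.group(1))
            continue
        cols = line.split()
        zone, ifname = cols[0], cols[1] if len(cols) > 1 else ""
        opt_col = 3 if fmt == 1 else 2            # FORMAT 1 carries a BROADCAST column
        opts = parse_options(cols[opt_col]) if len(cols) > opt_col else {}
        names = set(opts)
        if ":" in ifname:                         # interface:port form
            bridge = ifname.split(":", 1)[0]
            if bridge not in bridges:
                bad(n, f"{bridge} must be defined earlier with the bridge option")
            for o in sorted(PORT_FORBIDDEN & names):
                bad(n, f"{o} is not permitted on a bridge port")
        if "bridge" in names:
            bridges.add(ifname)
        if {"optional", "required"} <= names:
            bad(n, "optional and required are mutually exclusive")
        if "unmanaged" in names:
            if zone != "-":
                bad(n, "unmanaged requires '-' in the ZONE column")
            for o in sorted(names - UNMANAGED_ALLOWED - {"unmanaged"}):
                bad(n, f"{o} is not allowed together with unmanaged")
        if "ignore" in names and opts["ignore"] is None and (zone != "-" or len(names) > 1):
            bad(n, "bare ignore needs ZONE '-' and no other option (ignore=1 lifts this)")
        if "dbl" in names and opts["dbl"] not in DBL_VALUES:
            bad(n, f"dbl must be none, src, dst or src-dst (got {opts['dbl']})")
    return problems


# Constructed FORMAT 2 file: three valid entries, then four that each break one rule.
SAMPLE = """\
?FORMAT 2
net     eth0        dhcp,routefilter,nosmurfs,dbl=src
loc     eth1        routefilter,logmartians,nets=(192.168.1.0/24,192.168.5.0/24)
-       br0         bridge,sfilter=(192.168.1.0/24)
loc     br0:eth2    routefilter
dmz     eth3        optional,required
-       eth4        unmanaged,dhcp
loc     eth5        ignore,dhcp
"""

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)))
```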

EXAMPLE
   IPv4 Example 1:
       Suppose you have eth0 connected to a DSL modem and eth1 connected
       to your local network and that your local subnet is 192.168.1.0/24.
       The eth0 interface gets its IP address via DHCP from subnet
       206.191.149.192/27. You have a DMZ with subnet 192.168.2.0/24 using
       eth2. Your iptables and/or kernel do not support "Address Type
       Match" and you prefer to specify broadcast addresses explicitly
       rather than having Shorewall detect them.

       Your entries for this setup would look like:

           ?FORMAT 1
           #ZONE   INTERFACE   BROADCAST         OPTIONS
           net     eth0        206.191.149.223   dhcp
           loc     eth1        192.168.1.255
           dmz     eth2        192.168.2.255

   Example 2:
       The same configuration without specifying broadcast addresses is:

           ?FORMAT 2
           #ZONE   INTERFACE   OPTIONS
           net     eth0        dhcp
           loc     eth1
           dmz     eth2

   Example 3:
       You have a simple dial-in system with no Ethernet connections.

           ?FORMAT 2
           #ZONE   INTERFACE   OPTIONS
           net     ppp0        -

   Example 4 (Shorewall 4.4.9 and later):
       You have a bridge with no IP address and you want to allow traffic
       through the bridge.

           ?FORMAT 2
           #ZONE   INTERFACE   OPTIONS
           -       br0         bridge

FILES
   /etc/shorewall/interfaces

   /etc/shorewall6/interfaces

SEE ALSO
   https://shorewall.org/configuration_file_basics.htm#Pairs[18]

   shorewall(8)

NOTES
    1. shorewall-hosts
       https://shorewall.org/manpages/shorewall-hosts.html

    2. https://shorewall.org/FAQ.htm#faq18
       https://shorewall.org/FAQ.htm#faq18

    3. shorewall-nesting
       https://shorewall.org/manpages/shorewall-nesting.html

    4. shorewall6-zones
       https://shorewall.org/manpages/shorewall-zones.html

    5. Proxy ARP
       https://shorewall.org/ProxyARP.htm

    6. shorewall-blacklist
       https://shorewall.org/manpages/shorewall-blacklist.html

    7. shorewall.conf(5)
       https://shorewall.org/manpages/shorewall.conf.html

    8. simple bridge
       https://shorewall.org/SimpleBridge.html

    9. Shorewall-perl for firewall/bridging
       https://shorewall.org/bridge-Shorewall-perl.html

   10. shorewall-rules
       https://shorewall.org/manpages/shorewall-rules.html

   11. shorewall-maclist
       https://shorewall.org/manpages/shorewall-maclist.html

   12. https://shorewall.org/Dynamic.html
       https://shorewall.org/Dynamic.html

   13. https://shorewall.org/bridge-Shorewall-perl.html#Multiple
       https://shorewall.org/bridge-Shorewall-perl.html#Multiple

   14. shorewall-proxyarp
       https://shorewall.org/manpages/shorewall-proxyarp.html

   15. http://tldp.org/HOWTO/Proxy-ARP-Subnet/index.html.
       http://tldp.org/HOWTO/Proxy-ARP-Subnet/index.html

   16. shorewall-providers
       https://shorewall.org/manpages/shorewall-providers.html

   17. https://shorewall.org/UPnP.html
       https://shorewall.org/UPnP.html

   18. https://shorewall.org/configuration_file_basics.htm#Pairs
       https://shorewall.org/configuration_file_basics.htm#Pairs

Configuration Files 09/24/2020 SHOREWALL-INTERFACE(5)