shorewall-interfaces(5)                                shorewall-interfaces(5)


NAME

       interfaces - Shorewall interfaces file


SYNOPSIS

       /etc/shorewall/interfaces


DESCRIPTION

       The interfaces file serves to define the firewall's network interfaces
       to Shorewall. The order of entries in this file is not significant in
       determining zone composition.

       The columns in the file are as follows.

       ZONE zone-name
              Zone for this interface. Must match the name of a zone declared
              in /etc/shorewall/zones. You may not list the firewall zone in
              this column.

              If the interface serves multiple zones that will be defined in
              the shorewall-hosts ⟨shorewall-hosts.html⟩ (5) file, you should
              place "-" in this column.

              If there are multiple interfaces to the same zone, you must list
              them in separate entries.

              Example:
              #ZONE   INTERFACE       BROADCAST
              loc     eth1            -
              loc     eth2            -

       INTERFACE interface[:port]
              Name of interface. Each interface may be listed only once in
              this file. You may NOT specify the name of a "virtual" interface
              (e.g., eth0:0) here; see ⟨http://www.shorewall.net/FAQ.htm#faq18⟩

              You may use wildcards here by specifying a prefix followed by
              the plus sign ("+"). For example, if you want to make an entry
              that applies to all PPP interfaces, use 'ppp+'; that would match
              ppp0, ppp1, ppp2, ...

              Care must be exercised when using wildcards where there is
              another zone that uses a matching specific interface. See
              shorewall-nesting ⟨shorewall-nesting.html⟩ (8) for a discussion
              of this problem.

              There is no need to define the loopback interface (lo) in this
              file.

              (Shorewall-perl only) If a port is given, then the interface
              must have been defined previously with the bridge option. The
              OPTIONS column must be empty when a port is given.

       BROADCAST (Optional) — {-|detect|address[,address]...}
              The broadcast address(es) for the network(s) to which the
              interface belongs. For P-T-P interfaces, this column is left
              blank. If the interface has multiple addresses on multiple
              subnets then list the broadcast addresses as a comma-separated
              list.

              If you use the special value detect, Shorewall will detect the
              broadcast address(es) for you. If you select this option, the
              interface must be up before the firewall is started.

              If you don't want to give a value for this column but you want
              to enter a value in the OPTIONS column, enter - in this column.

              Note to Shorewall-perl users: Shorewall-perl only supports
              detect or - in this column. If you specify addresses, a
              compilation warning will be issued.

       OPTIONS (Optional) — [option[,option]...]
              A comma-separated list of options from the following list. The
              order in which you list the options is not significant but the
              list should have no embedded white space.

              arp_filter[={0|1}]
                     If specified, this interface will only respond to ARP
                     who-has requests for IP addresses configured on the
                     interface. If not specified, the interface can respond to
                     ARP who-has requests for IP addresses on any of the
                     firewall's interfaces. The interface must be up when
                     Shorewall is started.

                     The option value (0 or 1) may only be specified if you
                     are using Shorewall-perl. With Shorewall-perl, only those
                     interfaces with the arp_filter option will have their
                     setting changed; the value assigned to the setting will
                     be the value specified (if any) or 1 if no value is
                     given.

                     Note

                     This option does not work with a wild-card interface name
                     (e.g., eth0.+) in the INTERFACE column.

              arp_ignore[=number]
                     If specified, this interface will respond to ARP requests
                     based on the value of number (defaults to 1).

                     1 - reply only if the target IP address is a local
                     address configured on the incoming interface

                     2 - reply only if the target IP address is a local address
                     configured on the incoming interface and the sender's IP
                     address is part of the same subnet on this interface

                     3 - do not reply for local addresses configured with
                     scope host, only resolutions for global and link

                     4-7 - reserved

                     8 - do not reply for all local addresses

                     Note

                     This option does not work with a wild-card interface name
                     (e.g., eth0.+) in the INTERFACE column.

                     Warning

                     Do not specify arp_ignore for any interface involved in
                     Proxy ARP ⟨../ProxyARP.htm⟩.

              blacklist
                     Check packets arriving on this interface against the
                     shorewall-blacklist ⟨shorewall-blacklist.html⟩ (5) file.

              bridge (Shorewall-perl only) Designates the interface as a
                     bridge.

              detectnets (Deprecated)
                     Automatically tailors the zone named in the ZONE column
                     to include only those hosts routed through the interface.

                     Warning

                     Do not set the detectnets option on your internet
                     interface.

                     Support for this option will be removed in a future
                     release of Shorewall-perl. It is better to use the
                     routefilter option together with the logmartians option.

              dhcp   Specify this option when any of the following are true:

                     1.  the interface gets its IP address via DHCP

                     2.  the interface is used by a DHCP server running on the
                         firewall

                     3.  you have a static IP but are on a LAN segment with
                         lots of DHCP clients.

                     4.  the interface is a bridge with a DHCP server on one
                         port and DHCP clients on another port.

              logmartians[={0|1}]
                     Turn on kernel martian logging (logging of packets with
                     impossible source addresses). It is strongly suggested
                     that if you set routefilter on an interface that you also
                     set logmartians. Even if you do not specify the
                     routefilter option, it is a good idea to specify
                     logmartians because your distribution may be enabling
                     route filtering without you knowing it.

                     The option value (0 or 1) may only be specified if you
                     are using Shorewall-perl. With Shorewall-perl, only those
                     interfaces with the logmartians option will have their
                     setting changed; the value assigned to the setting will
                     be the value specified (if any) or 1 if no value is
                     given.

                     To find out if route filtering is set on a given
                     interface, check the contents of
                     /proc/sys/net/ipv4/conf/interface/rp_filter — a non-zero
                     value indicates that route filtering is enabled.

                     Example:

                             teastep@lists:~$ cat /proc/sys/net/ipv4/conf/eth0/rp_filter
                             1
                             teastep@lists:~$

                     Note

                     This option does not work with a wild-card interface name
                     (e.g., eth0.+) in the INTERFACE column.
                     This option may also be enabled globally in the
                     shorewall.conf ⟨shorewall.conf.html⟩ (5) file.

              maclist
                     Connection requests from this interface are compared
                     against the contents of shorewall-maclist
                     ⟨shorewall-maclist.html⟩ (5). If this option is
                     specified, the interface must be an ethernet NIC and must
                     be up before Shorewall is started.

              mss[=number]
                     Added in Shorewall 4.0.3. Causes forwarded TCP SYN
                     packets entering or leaving on this interface to have
                     their MSS field set to the specified number.

              norfc1918
                     This interface should not receive any packets whose
                     source is in one of the ranges reserved by RFC 1918
                     (i.e., private or "non-routable" addresses). If packet
                     mangling or connection-tracking match is enabled in your
                     kernel, packets whose destination addresses are reserved
                     by RFC 1918 are also rejected.

              nosmurfs
                     Filter packets for smurfs (packets with a broadcast
                     address as the source).

                     Smurfs will be optionally logged based on the setting of
                     SMURF_LOG_LEVEL in shorewall.conf ⟨shorewall.conf.html⟩
                     (5). After logging, the packets are dropped.

              optional
                     Only supported by Shorewall-perl. When optional is
                     specified for an interface, Shorewall will be silent when:

                     · a /proc/sys/net/ipv4/conf/ entry for the interface
                       cannot be modified (including for proxy ARP).

                     · The first address of the interface cannot be obtained.

                     I specify optional on interfaces to Xen virtual machines
                     that may or may not be running when Shorewall is
                     [re]started.

                            Caution

                            Use optional at your own risk. If you [re]start
                            Shorewall when an 'optional' interface is not
                            available and then do a shorewall save, subsequent
                            shorewall restore and shorewall -f start
                            operations will instantiate a ruleset that does not
                            support that interface, even if it is available at
                            the time of the restore/start.

              proxyarp[={0|1}]
                     Sets /proc/sys/net/ipv4/conf/interface/proxy_arp. Do NOT
                     use this option if you are employing Proxy ARP through
                     entries in shorewall-proxyarp ⟨shorewall-proxyarp.html⟩
                     (5). This option is intended solely for use with Proxy
                     ARP sub-networking as described at
                     ⟨http://tldp.org/HOWTO/Proxy-ARP-Subnet/index.html⟩.

                     Note: This option does not work with a wild-card
                     interface name (e.g., eth0.+) in the INTERFACE column.

                     The option value (0 or 1) may only be specified if you
                     are using Shorewall-perl. With Shorewall-perl, only those
                     interfaces with the proxyarp option will have their
                     setting changed; the value assigned to the setting will be
                     the value specified (if any) or 1 if no value is given.

              routeback
                     If specified, indicates that Shorewall should include
                     rules that allow filtering traffic arriving on this
                     interface back out that same interface. This option is
                     also required when you have used a wildcard in the
                     INTERFACE column if you want to allow traffic between the
                     interfaces that match the wildcard.

              routefilter[={0|1}]
                     Turn on kernel route filtering for this interface (anti-
                     spoofing measure).

                     The option value (0 or 1) may only be specified if you
                     are using Shorewall-perl. With Shorewall-perl, only those
                     interfaces with the routefilter option will have their
                     setting changed; the value assigned to the setting will
                     be the value specified (if any) or 1 if no value is
                     given.

                     Note

                     This option does not work with a wild-card interface name
                     (e.g., eth0.+) in the INTERFACE column.
                     This option can also be enabled globally in the
                     shorewall.conf ⟨shorewall.conf.html⟩ (5) file.

              sourceroute[={0|1}]
                     If this option is not specified for an interface, then
                     source-routed packets will not be accepted from that
                     interface; specifying it sets
                     /proc/sys/net/ipv4/conf/interface/accept_source_route
                     to 1. Only set this option if you know what you are
                     doing. This might represent a security risk and is not
                     usually needed.

                     The option value (0 or 1) may only be specified if you
                     are using Shorewall-perl. With Shorewall-perl, only those
                     interfaces with the sourceroute option will have their
                     setting changed; the value assigned to the setting will
                     be the value specified (if any) or 1 if no value is
                     given.

                     Note

                     This option does not work with a wild-card interface name
                     (e.g., eth0.+) in the INTERFACE column.

              tcpflags
                     Packets arriving on this interface are checked for
                     certain illegal combinations of TCP flags. Packets found
                     to have such a combination of flags are handled according
                     to the setting of TCP_FLAGS_DISPOSITION after having been
                     logged according to the setting of TCP_FLAGS_LOG_LEVEL.

              upnp   Incoming requests from this interface may be remapped via
                     UPNP (upnpd). See http://www.shorewall.net/UPnP.html
                     ⟨../UPnP.html⟩.


EXAMPLE

       Example 1:
              Suppose you have eth0 connected to a DSL modem and eth1
              connected to your local network and that your local subnet is
              192.168.1.0/24. Interface eth0 gets its IP address via DHCP
              from subnet 206.191.149.192/27. You have a DMZ with subnet
              192.168.2.0/24 using eth2.

              Your entries for this setup would look like:

              #ZONE   INTERFACE BROADCAST        OPTIONS
              net     eth0      206.191.149.223  dhcp
              loc     eth1      192.168.1.255
              dmz     eth2      192.168.2.255

       Example 2:
              The same configuration without specifying broadcast addresses
              is:

              #ZONE   INTERFACE BROADCAST        OPTIONS
              net     eth0      detect           dhcp
              loc     eth1      detect
              dmz     eth2      detect

       Example 3:
              You have a simple dial-in system with no ethernet connections.

              #ZONE   INTERFACE BROADCAST        OPTIONS
              net     ppp0      -

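       A checker for this file format, added here as an example and not part
       of the man page or of Shorewall itself: it parses an interfaces file and
       reports violations of the rules described above (column layout and the
       "-" placeholder, one entry per interface, name[={0|1}] option values,
       options that do not work with a wildcard name, bridge ports needing a
       prior bridge entry with empty OPTIONS) plus the cautions the page gives
       (routefilter without logmartians, arp_ignore on a Proxy ARP interface,
       deprecated detectnets). The zone names and the firewall zone name are
       assumed to be supplied from the zones file; SAMPLE is a constructed
       input, not one of the examples above.

```python
BOOL_OPTS = {"arp_filter", "logmartians", "proxyarp", "routefilter", "sourceroute"}
FLAG_OPTS = {"blacklist", "bridge", "detectnets", "dhcp", "maclist", "norfc1918",
             "nosmurfs", "optional", "routeback", "tcpflags", "upnp"}
NO_WILDCARD = BOOL_OPTS | {"arp_ignore"}   # "does not work with a wild-card interface name"

def parse_options(text):
    """'dhcp,routefilter=0' -> ({'dhcp': None, 'routefilter': 0}, []); bad items go in the list."""
    opts, bad = {}, []
    for item in ([] if text in ("", "-") else text.split(",")):
        name, _, val = item.partition("=")
        if name in BOOL_OPTS and val in ("", "0", "1"):
            opts[name] = 1 if val == "" else int(val)      # bare option means 1
        elif name in ("arp_ignore", "mss") and (val.isdigit() or (name == "arp_ignore" and not val)):
            opts[name] = int(val or 1)                     # arp_ignore's number defaults to 1
        elif name in FLAG_OPTS and val == "":
            opts[name] = None
        else:
            bad.append(f"bad option {item!r}")
    return opts, bad

def lint_interfaces(text, zones, fw_zone="fw"):
    """Check interfaces-file text against shorewall-interfaces(5); returns 'line N: message' strings."""
    problems, seen, bridges = [], set(), set()
    for n, raw in enumerate(text.splitlines(), 1):
        cols = raw.split("#", 1)[0].split()
        if not cols:
            continue                                        # blank or comment line
        zone, spec, _, options = (cols + ["-"] * 4)[:4]     # absent columns act as "-"
        iface, _, port = spec.partition(":")
        opts, bad = parse_options(options)
        checks = [(True, msg) for msg in bad] + [
            (len(cols) > 4, "OPTIONS list may not contain embedded white space"),
            (zone == fw_zone or zone not in set(zones) | {"-"}, f"ZONE {zone!r} is not usable here"),
            (spec in seen, f"interface {spec!r} listed more than once"),
            (port and iface not in bridges, f"port on {iface!r}, which was not defined earlier with bridge"),
            (port and opts, "OPTIONS must be empty when a port is given"),
            (opts.get("routefilter") and "logmartians" not in opts, "routefilter without logmartians"),
            ("arp_ignore" in opts and "proxyarp" in opts, "arp_ignore must not be set on a Proxy ARP interface"),
            ("detectnets" in opts, "detectnets is deprecated; use routefilter with logmartians"),
        ] + [(iface.endswith("+"), f"{o} does not work with wildcard {iface!r}")
             for o in sorted(NO_WILDCARD & set(opts))]
        problems += [f"line {n}: {msg}" for hit, msg in checks if hit]
        seen.add(spec)
        if "bridge" in opts:
            bridges.add(iface)
    return problems

SAMPLE = """#ZONE   INTERFACE   BROADCAST   OPTIONS          (constructed sample, not from the page)
net     eth0        detect      dhcp,routefilter
-       br0         -           bridge
loc     br0:eth1    -
dmz     eth0:0      -
loc     ppp+        -           arp_filter,routefilter=0
"""
```

       Running lint_interfaces(SAMPLE, {"net", "loc", "dmz"}) flags line 2
       (routefilter without logmartians), line 5 (eth0:0 is a virtual name, not
       a port on a declared bridge) and line 6 (arp_filter and routefilter on a
       wildcard interface).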

FILES

       /etc/shorewall/interfaces


SEE ALSO

       shorewall(8), shorewall-accounting(5), shorewall-actions(5),
       shorewall-blacklist(5), shorewall-hosts(5), shorewall-ipsec(5),
       shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
       shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
       shorewall-providers(5), shorewall-proxyarp(5),
       shorewall-route_routes(5), shorewall-routestopped(5),
       shorewall-rules(5), shorewall.conf(5), shorewall-tcclasses(5),
       shorewall-tcdevices(5), shorewall-tcrules(5), shorewall-tos(5),
       shorewall-tunnels(5), shorewall-zones(5)



                                 19 May 2008          shorewall-interfaces(5)