shorewall-interfaces(5)                                shorewall-interfaces(5)

NAME
       interfaces - Shorewall interfaces file

SYNOPSIS
       /etc/shorewall/interfaces

DESCRIPTION
       The interfaces file serves to define the firewall's network interfaces
       to Shorewall. The order of entries in this file is not significant in
       determining zone composition.

       The columns in the file are as follows.

       ZONE — zone-name
              Zone for this interface. Must match the name of a zone declared
              in /etc/shorewall/zones. You may not list the firewall zone in
              this column.

              If the interface serves multiple zones that will be defined in
              the shorewall-hosts(5) file, you should place "-" in this
              column.

              If there are multiple interfaces to the same zone, you must list
              them in separate entries.

              Example:

                     #ZONE   INTERFACE   BROADCAST
                     loc     eth1        -
                     loc     eth2        -

       INTERFACE — interface[:port]
              Name of interface. Each interface may be listed only once in
              this file. You may NOT specify the name of a "virtual" interface
              (e.g., eth0:0) here; see http://www.shorewall.net/FAQ.htm#faq18

              You may use wildcards here by specifying a prefix followed by
              the plus sign ("+"). For example, if you want to make an entry
              that applies to all PPP interfaces, use 'ppp+'; that would match
              ppp0, ppp1, ppp2, ...

              Care must be exercised when using wildcards where there is
              another zone that uses a matching specific interface. See
              shorewall-nesting(8) for a discussion of this problem.

              There is no need to define the loopback interface (lo) in this
              file.

              (Shorewall-perl only) If a port is given, then the interface
              must have been defined previously with the bridge option. The
              OPTIONS column must be empty when a port is given.

       BROADCAST (Optional) — {-|detect|address[,address]...}
              The broadcast address(es) for the network(s) to which the
              interface belongs. For P-T-P interfaces, this column is left
              blank. If the interface has multiple addresses on multiple
              subnets then list the broadcast addresses as a comma-separated
              list.

              If you use the special value detect, Shorewall will detect the
              broadcast address(es) for you. If you select this option, the
              interface must be up before the firewall is started.

              If you don't want to give a value for this column but you want
              to enter a value in the OPTIONS column, enter - in this column.

              Note to Shorewall-perl users: Shorewall-perl only supports
              detect or - in this column. If you specify addresses, a
              compilation warning will be issued.

       OPTIONS (Optional) — [option[,option]...]
              A comma-separated list of options from the following list. The
              order in which you list the options is not significant but the
              list should have no embedded white space.

              arp_filter[={0|1}]
                     If specified, this interface will only respond to ARP
                     who-has requests for IP addresses configured on the
                     interface. If not specified, the interface can respond to
                     ARP who-has requests for IP addresses on any of the
                     firewall's interfaces. The interface must be up when
                     Shorewall is started.

                     The option value (0 or 1) may only be specified if you
                     are using Shorewall-perl. With Shorewall-perl, only those
                     interfaces with the arp_filter option will have their
                     setting changed; the value assigned to the setting will
                     be the value specified (if any) or 1 if no value is
                     given.

                     Note

                     This option does not work with a wild-card interface name
                     (e.g., eth0.+) in the INTERFACE column.

              arp_ignore[=number]
                     If specified, this interface will respond to ARP requests
                     based on the value of number (defaults to 1):

                     1 - reply only if the target IP address is a local
                     address configured on the incoming interface

                     2 - reply only if the target IP address is a local
                     address configured on the incoming interface and the
                     sender's IP address is from the same subnet on this
                     interface

                     3 - do not reply for local addresses configured with
                     scope host; only resolve addresses with global and link
                     scope

                     4-7 - reserved

                     8 - do not reply for any local address

                     Note

                     This option does not work with a wild-card interface name
                     (e.g., eth0.+) in the INTERFACE column.

                     Warning

                     Do not specify arp_ignore for any interface involved in
                     Proxy ARP.

              blacklist
                     Check packets arriving on this interface against the
                     shorewall-blacklist(5) file.

              bridge (Shorewall-perl only) Designates the interface as a
                     bridge.

              detectnets (Deprecated)
                     Automatically tailors the zone named in the ZONE column
                     to include only those hosts routed through the interface.

                     Warning

                     Do not set the detectnets option on your internet
                     interface.

                     Support for this option will be removed in a future
                     release of Shorewall-perl. It is better to use the
                     routefilter option together with the logmartians option.

              dhcp   Specify this option when any of the following are true:

                     1. the interface gets its IP address via DHCP

                     2. the interface is used by a DHCP server running on the
                        firewall

                     3. you have a static IP but are on a LAN segment with
                        lots of DHCP clients.

                     4. the interface is a bridge with a DHCP server on one
                        port and DHCP clients on another port.

              logmartians[={0|1}]
                     Turn on kernel martian logging (logging of packets with
                     impossible source addresses). It is strongly suggested
                     that if you set routefilter on an interface you also set
                     logmartians. Even if you do not specify the routefilter
                     option, it is a good idea to specify logmartians because
                     your distribution may be enabling route filtering without
                     you knowing it.

                     The option value (0 or 1) may only be specified if you
                     are using Shorewall-perl. With Shorewall-perl, only those
                     interfaces with the logmartians option will have their
                     setting changed; the value assigned to the setting will
                     be the value specified (if any) or 1 if no value is
                     given.

                     To find out if route filtering is set on a given
                     interface, check the contents of
                     /proc/sys/net/ipv4/conf/interface/rp_filter — a non-zero
                     value indicates that route filtering is enabled.

                     Example:

                            teastep@lists:~$ cat /proc/sys/net/ipv4/conf/eth0/rp_filter
                            1
                            teastep@lists:~$

                     Note

                     This option does not work with a wild-card interface name
                     (e.g., eth0.+) in the INTERFACE column.

                     This option may also be enabled globally in the
                     shorewall.conf(5) file.
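
                     The check above reads one sysctl by hand. As an added
                     example (not part of this man page or of Shorewall), the
                     following Python script audits, per interface, the
                     /proc/sys/net/ipv4/conf/<interface>/ settings that the
                     arp_filter, arp_ignore, logmartians, proxyarp,
                     routefilter and sourceroute options control, and flags
                     the combinations this page warns about: routefilter
                     without logmartians, accept_source_route enabled, and
                     arp_ignore on a Proxy ARP interface. The base directory
                     is a parameter so the demonstration runs against a
                     constructed temporary tree; point it at the real /proc
                     path on a firewall. The findings, the sample values and
                     the interface names are assumptions for illustration.

```python
"""Audit the per-interface IPv4 sysctls behind the interfaces-file options
(added example; not Shorewall code). The kernel exposes each setting as a
file under /proc/sys/net/ipv4/conf/<iface>/."""
import os
import shutil
import tempfile

# /proc file behind each interfaces-file option (assumed mapping per this page).
SYSCTL_FILES = {
    "routefilter": "rp_filter",
    "logmartians": "log_martians",
    "sourceroute": "accept_source_route",
    "proxyarp": "proxy_arp",
    "arp_filter": "arp_filter",
    "arp_ignore": "arp_ignore",
}


def read_iface_sysctls(iface, base="/proc/sys/net/ipv4/conf"):
    """Return {sysctl_name: int} for one interface. A missing or unreadable
    file maps to None; that is the 'interface down or absent' case the
    optional option exists for."""
    values = {}
    for name in SYSCTL_FILES.values():
        try:
            with open(os.path.join(base, iface, name)) as fh:
                values[name] = int(fh.read().strip())
        except (OSError, ValueError):
            values[name] = None
    return values


def audit_iface(iface, base="/proc/sys/net/ipv4/conf"):
    """Return a list of findings for one interface, following the page's advice."""
    v = read_iface_sysctls(iface, base)
    if v["rp_filter"] is None:
        return [f"{iface}: no /proc entries (interface down or absent)"]
    findings = []
    if v["rp_filter"] and not v["log_martians"]:          # rp_filter 1 or 2 both filter
        findings.append(f"{iface}: rp_filter={v['rp_filter']} but log_martians=0; "
                        "add logmartians so spoofed packets are logged, not silently dropped")
    if v["accept_source_route"]:
        findings.append(f"{iface}: accept_source_route=1; source-routed packets are "
                        "accepted (drop the sourceroute option unless you need it)")
    if v["proxy_arp"] and v["arp_ignore"]:
        findings.append(f"{iface}: proxy_arp=1 with arp_ignore={v['arp_ignore']}; "
                        "arp_ignore breaks Proxy ARP")
    return findings


def make_fake_conf_tree(settings):
    """Build a temporary directory shaped like /proc/sys/net/ipv4/conf/ from
    {iface: {sysctl: value}} (constructed test data, not a real kernel tree)."""
    base = tempfile.mkdtemp(prefix="ipv4conf-")
    for iface, vals in settings.items():
        os.makedirs(os.path.join(base, iface))
        for name, value in vals.items():
            with open(os.path.join(base, iface, name), "w") as fh:
                fh.write(f"{value}\n")
    return base


# Constructed sample: eth0 filters routes without logging martians and accepts
# source routes; eth1 does Proxy ARP with arp_ignore set; eth2 is clean.
SAMPLE = {
    "eth0": {"rp_filter": 1, "log_martians": 0, "accept_source_route": 1,
             "proxy_arp": 0, "arp_filter": 0, "arp_ignore": 0},
    "eth1": {"rp_filter": 0, "log_martians": 1, "accept_source_route": 0,
             "proxy_arp": 1, "arp_filter": 0, "arp_ignore": 1},
    "eth2": {"rp_filter": 1, "log_martians": 1, "accept_source_route": 0,
             "proxy_arp": 0, "arp_filter": 1, "arp_ignore": 0},
}


def audit_sample():
    """Run the audit over the constructed tree; returns {iface: [findings]}.
    ppp0 has no directory, which exercises the absent-interface path."""
    base = make_fake_conf_tree(SAMPLE)
    try:
        return {iface: audit_iface(iface, base) for iface in list(SAMPLE) + ["ppp0"]}
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for iface, findings in audit_sample().items():
        for line in findings or [f"{iface}: ok"]:
            print(line)
```

                     On a live firewall call audit_iface("eth0") with the
                     default base path; the per-interface files only exist
                     while the interface is up, which is why this page says
                     the interface must be up before Shorewall is started.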

              maclist
                     Connection requests from this interface are compared
                     against the contents of shorewall-maclist(5). If this
                     option is specified, the interface must be an ethernet
                     NIC and must be up before Shorewall is started.

              mss[=number]
                     Added in Shorewall 4.0.3. Causes forwarded TCP SYN
                     packets entering or leaving on this interface to have
                     their MSS field set to the specified number.

              norfc1918
                     This interface should not receive any packets whose
                     source is in one of the ranges reserved by RFC 1918
                     (i.e., private or "non-routable" addresses). If packet
                     mangling or connection-tracking match is enabled in your
                     kernel, packets whose destination addresses are reserved
                     by RFC 1918 are also rejected.

              nosmurfs
                     Filter packets for smurfs (packets with a broadcast
                     address as the source).

                     Smurfs will be optionally logged based on the setting of
                     SMURF_LOG_LEVEL in shorewall.conf(5). After logging, the
                     packets are dropped.

              optional
                     Only supported by Shorewall-perl. When optional is
                     specified for an interface, Shorewall will be silent
                     when:

                     · a /proc/sys/net/ipv4/conf/ entry for the interface
                       cannot be modified (including for proxy ARP).

                     · the first address of the interface cannot be obtained.

                     I specify optional on interfaces to Xen virtual machines
                     that may or may not be running when Shorewall is
                     [re]started.

                     Caution

                     Use optional at your own risk. If you [re]start Shorewall
                     when an 'optional' interface is not available and then do
                     a shorewall save, subsequent shorewall restore and
                     shorewall -f start operations will instantiate a ruleset
                     that does not support that interface, even if it is
                     available at the time of the restore/start.

              proxyarp[={0|1}]
                     Sets /proc/sys/net/ipv4/conf/interface/proxy_arp. Do NOT
                     use this option if you are employing Proxy ARP through
                     entries in shorewall-proxyarp(5). This option is intended
                     solely for use with Proxy ARP sub-networking as described
                     at http://tldp.org/HOWTO/Proxy-ARP-Subnet/index.html.

                     Note: This option does not work with a wild-card
                     interface name (e.g., eth0.+) in the INTERFACE column.

                     The option value (0 or 1) may only be specified if you
                     are using Shorewall-perl. With Shorewall-perl, only those
                     interfaces with the proxyarp option will have their
                     setting changed; the value assigned to the setting will
                     be the value specified (if any) or 1 if no value is
                     given.

              routeback
                     If specified, indicates that Shorewall should include
                     rules that allow filtering traffic arriving on this
                     interface back out that same interface. This option is
                     also required when you have used a wildcard in the
                     INTERFACE column if you want to allow traffic between the
                     interfaces that match the wildcard.

              routefilter[={0|1}]
                     Turn on kernel route filtering for this interface (anti-
                     spoofing measure).

                     The option value (0 or 1) may only be specified if you
                     are using Shorewall-perl. With Shorewall-perl, only those
                     interfaces with the routefilter option will have their
                     setting changed; the value assigned to the setting will
                     be the value specified (if any) or 1 if no value is
                     given.

                     Note

                     This option does not work with a wild-card interface name
                     (e.g., eth0.+) in the INTERFACE column.

                     This option can also be enabled globally in the
                     shorewall.conf(5) file.

              sourceroute[={0|1}]
                     If this option is not specified for an interface, then
                     source-routed packets will not be accepted from that
                     interface. Specifying it sets
                     /proc/sys/net/ipv4/conf/interface/accept_source_route to
                     1. Only set this option if you know what you are doing:
                     accepting source-routed packets represents a security
                     risk and is not usually needed.

                     The option value (0 or 1) may only be specified if you
                     are using Shorewall-perl. With Shorewall-perl, only those
                     interfaces with the sourceroute option will have their
                     setting changed; the value assigned to the setting will
                     be the value specified (if any) or 1 if no value is
                     given.

                     Note

                     This option does not work with a wild-card interface name
                     (e.g., eth0.+) in the INTERFACE column.

              tcpflags
                     Packets arriving on this interface are checked for
                     certain illegal combinations of TCP flags. Packets found
                     to have such a combination of flags are handled according
                     to the setting of TCP_FLAGS_DISPOSITION after having been
                     logged according to the setting of TCP_FLAGS_LOG_LEVEL.

              upnp   Incoming requests from this interface may be remapped via
                     UPnP (upnpd). See http://www.shorewall.net/UPnP.html.

EXAMPLES
       Example 1:
              Suppose you have eth0 connected to a DSL modem and eth1
              connected to your local network and that your local subnet is
              192.168.1.0/24. eth0 gets its IP address via DHCP from subnet
              206.191.149.192/27. You have a DMZ with subnet 192.168.2.0/24
              using eth2.

              Your entries for this setup would look like:

                     #ZONE   INTERFACE   BROADCAST         OPTIONS
                     net     eth0        206.191.149.223   dhcp
                     loc     eth1        192.168.1.255
                     dmz     eth2        192.168.2.255

       Example 2:
              The same configuration without specifying broadcast addresses
              is:

                     #ZONE   INTERFACE   BROADCAST   OPTIONS
                     net     eth0        detect      dhcp
                     loc     eth1        detect
                     dmz     eth2        detect

       Example 3:
              You have a simple dial-in system with no ethernet connections.

                     #ZONE   INTERFACE   BROADCAST   OPTIONS
                     net     ppp0        -

FILES
       /etc/shorewall/interfaces

SEE ALSO
       shorewall(8), shorewall-accounting(5), shorewall-actions(5),
       shorewall-blacklist(5), shorewall-hosts(5), shorewall-ipsec(5),
       shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
       shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
       shorewall-providers(5), shorewall-proxyarp(5),
       shorewall-route_routes(5), shorewall-routestopped(5),
       shorewall-rules(5), shorewall.conf(5), shorewall-tcclasses(5),
       shorewall-tcdevices(5), shorewall-tcrules(5), shorewall-tos(5),
       shorewall-tunnels(5), shorewall-zones(5)



                                  19 May 2008            shorewall-interfaces(5)