Provided by: shorewall-common_4.0.6-1_all

NAME

       interfaces - Shorewall interfaces file

SYNOPSIS

       /etc/shorewall/interfaces

DESCRIPTION

       The  interfaces file serves to define the firewall’s network interfaces
       to Shorewall.

       The columns in the file are as follows.

       ZONE - zone-name
              Zone for this interface. Must match the name of a zone  declared
              in  /etc/shorewall/zones.  You may not list the firewall zone in
              this column.

              If the interface serves multiple zones that will be  defined  in
              the  shorewall-hosts 〈shorewall-hosts.html〉 (5) file, you should
              place "-" in this column.

              If there are multiple interfaces to the same zone, you must list
              them in separate entries.

              Example:
              #ZONE   INTERFACE       BROADCAST
              loc     eth1            -
              loc     eth2            -

       INTERFACE - interface[:port]
              Name of interface. Each interface may be listed only once in
              this file. You may NOT specify the name of a "virtual" interface
              (e.g., eth0:0) here; see 〈http://www.shorewall.net/FAQ.htm#faq18〉

              You may use wildcards here by specifying a  prefix  followed  by
              the  plus  sign ("+"). For example, if you want to make an entry
              that applies to all PPP interfaces, use ’ppp+’; that would match
              ppp1, ppp2, ...

              There  is  no need to define the loopback interface (lo) in this
              file.

              (Shorewall-perl only) If a port is  given,  then  the  interface
              must  have  been  defined previously with the bridge option. The
              OPTIONS column must be empty when a port is given.

       BROADCAST (Optional) - {-|detect|address[,address]...}
              The broadcast address(es) for the network(s) to which the
              interface belongs. For P-T-P interfaces, this column is left
              blank. If the interface has multiple addresses on multiple
              subnets then list the broadcast addresses as a comma-separated
              list.

              If you use the special value detect, Shorewall will  detect  the
              broadcast  address(es)  for  you. If you select this option, the
              interface must be up before the firewall is started.

              If you don’t want to give a value for this column but  you  want
              to  enter a value in the OPTIONS column, enter - in this column.

              Note  to  Shorewall-perl  users:  Shorewall-perl  only  supports
              detect  or  -  in  this  column.  If  you  specify  addresses, a
              compilation warning will be issued.

       OPTIONS (Optional) - [option[,option]...]
              A comma-separated list of options from the following  list.  The
              order  in  which you list the options is not significant but the
              list should have no embedded white space.

              arp_filter[={0|1}]
                     If specified, this interface will  only  respond  to  ARP
                     who-has  requests  for  IP  addresses  configured  on the
                     interface.  If not specified, the interface  can  respond
                     to  ARP  who-has  requests for IP addresses on any of the
                     firewall’s interface.  The  interface  must  be  up  when
                     Shorewall is started.

                      The option value (0 or 1) may only be specified if you
                      are using Shorewall-perl. With Shorewall-perl, only those
                      interfaces with the arp_filter option will have their
                      setting changed; the value assigned to the setting will
                      be the value specified (if any) or 1 if no value is
                      given.

                     Note

                     This option does not work with a wild-card interface name
                     (e.g., eth0.+) in the INTERFACE column.

              arp_ignore[=number]
                     If specified, this interface will respond to arp requests
                     based on the value of number (defaults to 1).

                      1 - reply only if the target IP address is a local address
                      configured on the incoming interface

                      2 - reply only if the target IP address is a local address
                      configured on the incoming interface and the sender’s IP
                      address is part of the same subnet on this interface

                     3  -  do  not  reply  for local addresses configured with
                     scope host, only resolutions for global and link

                     4-7 - reserved

                     8 - do not reply for all local addresses

                     Note

                     This option does not work with a wild-card interface name
                     (e.g., eth0.+) in the INTERFACE column.

                     Warning

                      Do not specify arp_ignore for any interface involved in
                      Proxy ARP 〈../ProxyARP.htm〉.

              blacklist
                     Check packets arriving  on  this  interface  against  the
                     shorewall-blacklist  〈shorewall-blacklist.html〉 (5) file.

              bridge (Shorewall-perl  only)  Designates  the  interface  as  a
                     bridge.

              detectnets (Deprecated)
                     Automatically  tailors  the zone named in the ZONE column
                     to include only those hosts routed through the interface.

                     Warning

                     Do  not  set  the  detectnets  option  on  your  internet
                     interface.

                     Support for this option  will  be  removed  in  a  future
                     release  of Shorewall-perl. Better to use the routefilter
                     option together with the logmartians option.

              dhcp   Specify this option when any of the following are true:

                     1.  the interface gets its IP address via DHCP

                     2.  the interface is used by a DHCP server running on the
                         firewall

                     3.  you  have  a  static IP but are on a LAN segment with
                         lots of DHCP clients.

                     4.  the interface is a bridge with a DHCP server  on  one
                         port and DHCP clients on another port.

              logmartians[={0|1}]
                      Turn on kernel martian logging (logging of packets with
                      impossible source addresses). It is strongly suggested
                      that if you set routefilter on an interface you also
                      set logmartians. Even if you do not specify the
                      routefilter option, it is a good idea to specify
                      logmartians because your distribution may be enabling
                      route filtering without you knowing it.

                      The option value (0 or 1) may only be specified if you
                      are using Shorewall-perl. With Shorewall-perl, only those
                      interfaces with the logmartians option will have their
                      setting changed; the value assigned to the setting will
                      be the value specified (if any) or 1 if no value is
                      given.

                      To find out if route filtering is set on a given
                      interface, check the contents of
                      /proc/sys/net/ipv4/conf/interface/rp_filter; a non-zero
                      value indicates that route filtering is enabled.

                     Example:

                             teastep@lists:~$ cat /proc/sys/net/ipv4/conf/eth0/rp_filter
                             1
                             teastep@lists:~$

                     Note

                     This option does not work with a wild-card interface name
                     (e.g., eth0.+) in the INTERFACE column.
                     This  option  may  also  be  enabled  globally   in   the
                     shorewall.conf 〈shorewall.conf.html〉 (5) file.

              maclist
                      Connection requests from this interface are compared
                      against the contents of shorewall-maclist
                      〈shorewall-maclist.html〉 (5). If this option is
                      specified, the interface must be an ethernet NIC and must
                      be up before Shorewall is started.

              mss[=number]
                     Added  in  Shorewall  4.0.3.  Causes  forwarded  TCP  SYN
                     packets entering or leaving on  this  interface  to  have
                     their MSS field set to the specified number.

              norfc1918
                     This  interface  should  not  receive  any  packets whose
                     source is in one of  the  ranges  reserved  by  RFC  1918
                     (i.e.,  private  or  "non-routable" addresses). If packet
                     mangling or connection-tracking match is enabled in  your
                     kernel,  packets whose destination addresses are reserved
                     by RFC 1918 are also rejected.

              nosmurfs
                     Filter packets  for  smurfs  (packets  with  a  broadcast
                     address as the source).

                     Smurfs  will be optionally logged based on the setting of
                     SMURF_LOG_LEVEL in  shorewall.conf  〈shorewall.conf.html〉
                     (5). After logging, the packets are dropped.

              optional
                     Only   supported  by  Shorewall-perl.  When  optional  is
                     specified for an  interface,  Shorewall  will  be  silent
                     when:

                     · a  /proc/sys/net/ipv4/conf/  entry  for  the  interface
                       cannot be modified (including for proxy ARP).

                     · The first address of the interface cannot be  obtained.

                     I  specify optional on interfaces to Xen virtual machines
                     that  may  or  may  not  be  running  when  Shorewall  is
                     [re]started.

                             Caution

                             Use  optional  at your own risk. If you [re]start
                             Shorewall when an  ’optional’  interface  is  not
                             available   and   then   do   a  shorewall  save,
                             subsequent shorewall  restore  and  shorewall  -f
                             start  operations will instantiate a ruleset that
                             does not support that interface, even  if  it  is
                             available at the time of the restore/start.

              proxyarp[={0|1}]
                      Sets /proc/sys/net/ipv4/conf/interface/proxy_arp. Do NOT
                      use this option if you are employing Proxy ARP through
                      entries in shorewall-proxyarp 〈shorewall-proxyarp.html〉
                      (5). This option is intended solely for use with Proxy
                      ARP sub-networking as described at:
                      〈http://tldp.org/HOWTO/Proxy-ARP-Subnet/index.html〉

                      Note

                      This option does not work with a wild-card interface name
                      (e.g., eth0.+) in the INTERFACE column.

                      The option value (0 or 1) may only be specified if you
                      are using Shorewall-perl. With Shorewall-perl, only those
                      interfaces with the proxyarp option will have their
                      setting changed; the value assigned to the setting will
                      be the value specified (if any) or 1 if no value is
                      given.

              routeback
                     If  specified,  indicates  that  Shorewall should include
                     rules that  allow  filtering  traffic  arriving  on  this
                     interface  back  out  that same interface. This option is
                     also required when  you  have  used  a  wildcard  in  the
                     INTERFACE column if you want to allow traffic between the
                     interfaces that match the wildcard.

              routefilter[={0|1}]
                     Turn on kernel route filtering for this interface  (anti-
                     spoofing measure).

                      The option value (0 or 1) may only be specified if you
                      are using Shorewall-perl. With Shorewall-perl, only those
                      interfaces with the routefilter option will have their
                      setting changed; the value assigned to the setting will
                      be the value specified (if any) or 1 if no value is
                      given.

                     Note

                     This option does not work with a wild-card interface name
                     (e.g., eth0.+) in the INTERFACE column.
                     This   option   can  also  be  enabled  globally  in  the
                     shorewall.conf 〈shorewall.conf.html〉 (5) file.

              sourceroute[={0|1}]
                      If this option is not specified for an interface, then
                      source-routed packets will not be accepted from that
                      interface; specifying it sets
                      /proc/sys/net/ipv4/conf/interface/accept_source_route to
                      1. Only set this option if you know what you are doing.
                      This might represent a security risk and is not usually
                      needed.

                      The option value (0 or 1) may only be specified if you
                      are using Shorewall-perl. With Shorewall-perl, only those
                      interfaces with the sourceroute option will have their
                      setting changed; the value assigned to the setting will
                      be the value specified (if any) or 1 if no value is
                      given.

                     Note

                     This option does not work with a wild-card interface name
                     (e.g., eth0.+) in the INTERFACE column.

              tcpflags
                     Packets  arriving  on  this  interface  are  checked  for
                     certain  illegal combinations of TCP flags. Packets found
                     to have such a combination of flags are handled according
                     to the setting of TCP_FLAGS_DISPOSITION after having been
                     logged according to the setting of TCP_FLAGS_LOG_LEVEL.

               upnp   Incoming requests from this interface may be remapped via
                      UPNP (upnpd). See http://www.shorewall.net/UPnP.html
                      〈../UPnP.html〉.

EXAMPLE

       Example 1:
               Suppose you have eth0 connected to a DSL modem and eth1
               connected to your local network and that your local subnet is
               192.168.1.0/24. The interface gets its IP address via DHCP from
               subnet 206.191.149.192/27. You have a DMZ with subnet
               192.168.2.0/24 using eth2.

              Your entries for this setup would look like:

              #ZONE   INTERFACE BROADCAST        OPTIONS
              net     eth0      206.191.149.223  dhcp
              loc     eth1      192.168.1.255
              dmz     eth2      192.168.2.255

       Example 2:
              The same configuration without  specifying  broadcast  addresses
              is:

              #ZONE   INTERFACE BROADCAST        OPTIONS
              net     eth0      detect           dhcp
              loc     eth1      detect
              dmz     eth2      detect

       Example 3:
              You have a simple dial-in system with no ethernet connections.

              #ZONE   INTERFACE BROADCAST        OPTIONS
              net     ppp0      -
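       As an added example (not part of Shorewall or this man page), a small
       Python linter that applies the column rules above to an interfaces
       file: the ZONE, INTERFACE[:port] and OPTIONS constraints, the Notes
       about wild-card names, and the routefilter/logmartians advice. The
       declared zone names, the firewall zone name "fw" and the sample file
       are assumptions constructed here.

```python
import re

# Options that set a per-interface /proc/sys/net/ipv4/conf value; accept ={0|1}.
SYSCTL_OPTS = {"arp_filter", "logmartians", "proxyarp", "routefilter", "sourceroute"}
FLAG_OPTS = {"blacklist", "bridge", "detectnets", "dhcp", "maclist", "norfc1918",
             "nosmurfs", "optional", "routeback", "tcpflags", "upnp"}
# Permitted value forms for the options that take one; a flag option takes none.
VALUE_RE = {"arp_ignore": r"[1-8]?", "mss": r"[0-9]+", **{o: r"[01]?" for o in SYSCTL_OPTS}}
NO_WILDCARD = SYSCTL_OPTS | {"arp_ignore"}   # the Notes: not usable with a "+" name

def lint_interfaces(text, zones, fw="fw"):
    """Check an interfaces file; zones = names in /etc/shorewall/zones, fw = firewall zone."""
    findings, seen, bridges = [], set(), set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        zone, iface, _bcast, opts = (line.split() + ["-", "-", "-"])[:4]
        add = lambda sev, msg: findings.append((lineno, sev, msg))
        if zone == fw:
            add("E", "the firewall zone may not be listed in the ZONE column")
        elif zone != "-" and zone not in zones:
            add("E", f"zone {zone} is not declared in /etc/shorewall/zones")
        dev, _, port = iface.partition(":")
        if port and dev not in bridges:   # also rejects aliases such as eth0:0
            add("E", f"{iface}: ':port' needs {dev} declared earlier with 'bridge'")
        if port and opts != "-":
            add("E", "OPTIONS must be empty when a port is given")
        if iface in seen:
            add("E", f"interface {iface} listed more than once")
        seen.add(iface)
        names = set()
        for opt in ([] if opts == "-" else opts.split(",")):
            name, _, value = opt.partition("=")
            if name not in FLAG_OPTS and name not in VALUE_RE:
                add("E", f"unknown option {name}")
            elif not re.fullmatch(VALUE_RE.get(name, ""), value):
                add("E", f"bad value in {opt}")
            if "+" in iface and name in NO_WILDCARD:
                add("E", f"{name} does not work with wildcard interface {iface}")
            names.add(name)
        if "bridge" in names:
            bridges.add(iface)
        if "routefilter" in names and "logmartians" not in names:
            add("W", "routefilter without logmartians: filtered packets go unlogged")
    return findings

# Constructed sample: the first entries of Example 2 plus deliberately faulty ones.
SAMPLE = """#ZONE   INTERFACE BROADCAST  OPTIONS
net     eth0      detect     dhcp,routefilter
loc     eth1      detect
loc     ppp+      -          arp_filter
fw      eth0:0    -
"""
```

       Running lint_interfaces(SAMPLE, {"net", "loc", "dmz"}) reports one
       warning for line 2 and errors for the wild-card and eth0:0 entries.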

FILES

       /etc/shorewall/interfaces

SEE ALSO

       shorewall(8), shorewall-accounting(5), shorewall-actions(5),
       shorewall-blacklist(5), shorewall-hosts(5), shorewall-ipsec(5),
       shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
       shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
       shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_routes(5),
       shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
       shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
       shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)

                               23 November 2007        shorewall-interfaces(5)