#
# Shorewall 2.0 -- Sample Interface File For Three Interfaces
#
# /etc/shorewall/interfaces
#
# You must add an entry in this file for each network interface on your
# firewall system.
#
# Columns are:
#
#	ZONE		Zone for this interface. Must match the short name
#			of a zone defined in /etc/shorewall/zones.
#
#			If the interface serves multiple zones that will be
#			defined in the /etc/shorewall/hosts file, you should
#			place "-" in this column.
#
#	INTERFACE	Name of interface. Each interface may be listed only
#			once in this file. You may NOT specify the name of
#			an alias (e.g., eth0:0) here; see
#			http://www.shorewall.net/FAQ.htm#faq18
#
#			There is no need to define the loopback interface (lo)
#			in this file.
#
#	BROADCAST	The broadcast address for the subnetwork to which the
#			interface belongs. For P-T-P interfaces, this
#			column is left blank. If the interface has multiple
#			addresses on multiple subnets then list the broadcast
#			addresses as a comma-separated list.
#
#			If you use the special value "detect", the firewall
#			will detect the broadcast address for you. If you
#			select this option, the interface must be up before
#			the firewall is started, you must have iproute
#			installed and the interface must only be associated
#			with a single subnet.
#
#			If you don't want to give a value for this column but
#			you want to enter a value in the OPTIONS column, enter
#			"-" in this column.
#
#	OPTIONS		A comma-separated list of options including the
#			following:
#
#			dhcp		Interface is managed by DHCP or used by
#					a DHCP server running on the firewall or
#					you have a static IP but are on a LAN
#					segment with lots of laptop DHCP clients.
#			norfc1918	This interface should not receive
#					any packets whose source is in one
#					of the ranges reserved by RFC 1918
#					(i.e., private or "non-routable"
#					addresses). If packet mangling is
#					enabled in shorewall.conf, packets
#					whose destination addresses are
#					reserved by RFC 1918 are also rejected.
#			nobogons	This interface should not receive
#					any packets whose source is in one
#					of the ranges reserved by IANA (this
#					option does not cover those ranges
#					reserved by RFC 1918 -- see above).
#
#					I PERSONALLY RECOMMEND AGAINST USING
#					THE 'nobogons' OPTION.
#			routefilter	Turn on kernel route filtering for this
#					interface (anti-spoofing measure). This
#					option can also be enabled globally in
#					the /etc/shorewall/shorewall.conf file.
#			blacklist	Check packets arriving on this interface
#					against the /etc/shorewall/blacklist
#					file.
#			logmartians	Turn on kernel martian logging (logging
#					of packets with impossible source
#					addresses). It is suggested that if you
#					set routefilter on an interface that
#					you also set logmartians. This option
#					may also be enabled globally in the
#					/etc/shorewall/shorewall.conf file.
#			maclist		Connection requests from this interface
#					are compared against the contents of
#					/etc/shorewall/maclist. If this option
#					is specified, the interface must be
#					an ethernet NIC and must be up before
#					Shorewall is started.
#			tcpflags	Packets arriving on this interface are
#					checked for certain illegal combinations
#					of TCP flags. Packets found to have
#					such a combination of flags are handled
#					according to the setting of
#					TCP_FLAGS_DISPOSITION after having been
#					logged according to the setting of
#					TCP_FLAGS_LOG_LEVEL.
#			proxyarp	Sets /proc/sys/net/ipv4/conf/<interface>/proxy_arp.
#					Do NOT use this option if you are
#					employing Proxy ARP through entries in
#					/etc/shorewall/proxyarp. This option is
#					intended solely for use with Proxy ARP
#					sub-networking as described at:
#					http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet
#			newnotsyn	TCP packets that don't have the SYN flag set and
#					which are not part of an established connection
#					will be accepted from this interface, even if
#					NEWNOTSYN=No has been specified in
#					/etc/shorewall/shorewall.conf. In other
#					words, packets coming in on this interface
#					are processed as if NEWNOTSYN=Yes had been
#					specified in /etc/shorewall/shorewall.conf.
#
#					This option has no effect if NEWNOTSYN=Yes.
#
#					It is the opinion of the author that
#					NEWNOTSYN=No creates more problems than
#					it solves and I recommend against using
#					that setting in shorewall.conf (hence
#					making the use of the 'newnotsyn'
#					interface option unnecessary).
#			routeback	If specified, indicates that Shorewall
#					should include rules that allow filtering
#					traffic arriving on this interface back
#					out that same interface.
#			arp_filter	If specified, this interface will only respond
#					to ARP who-has requests for IP addresses
#					configured on the interface. If not specified,
#					the interface can respond to ARP who-has requests
#					for IP addresses on any of the firewall's interfaces.
#					The interface must be up when shorewall is started.
#			nosmurfs	Filter packets for smurfs (packets with a broadcast
#					address as the source).
#
#					Smurfs will be optionally logged based on the setting
#					of SMURF_LOG_LEVEL in shorewall.conf. After logging,
#					the packets are dropped.
#			detectnets	Automatically tailors the zone named in the ZONE column
#					to include only those hosts routed through the interface.
#
#					WARNING: DO NOT SET THE detectnets OPTION ON YOUR INTERNET INTERFACE!
#
#			The order in which you list the options is not
#			significant but the list should have no embedded white
#			space.
#
# Example 1:	Suppose you have eth0 connected to a DSL modem,
#		eth1 connected to your local network and eth2
#		connected to your dmz. Assuming that your local
#		subnet is 192.168.1.0/24 and your dmz subnet is
#		192.168.2.0/24. The eth0 interface gets
#		its IP address via DHCP from subnet
#		206.191.149.192/27.
#
#		Your entries for this setup would look like:
#
#		#ZONE	INTERFACE	BROADCAST	OPTIONS
#		net	eth0		206.191.149.223	dhcp
#		local	eth1		192.168.1.255
#		dmz	eth2		192.168.2.255
#
# Example 2:	The same configuration without specifying broadcast
#		addresses is:
#
#		#ZONE	INTERFACE	BROADCAST	OPTIONS
#		net	eth0		detect		dhcp
#		loc	eth1		detect
#		dmz	eth2		detect
#
##############################################################################
#ZONE	INTERFACE	BROADCAST	OPTIONS
net	eth0		detect		dhcp,routefilter,norfc1918
loc	eth1		detect
dmz	eth2		detect
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE