shorewall_code/Samples/three-interfaces/interfaces

192 lines
6.5 KiB
Plaintext
Raw Normal View History

#
# Shorewall 2.0 -- Sample Interface File For Three Interfaces
#
# /etc/shorewall/interfaces
#
# You must add an entry in this file for each network interface on your
# firewall system.
#
# Columns are:
#
# ZONE
# Zone for this interface. Must match the short name
# of a zone defined in /etc/shorewall/zones.
#
# If the interface serves multiple zones that will be
# defined in the /etc/shorewall/hosts file, you should
# place "-" in this column.
#
# INTERFACE
# Name of interface. Each interface may be listed only
# once in this file. You may NOT specify the name of
# an alias (e.g., eth0:0) here; see
# http://www.shorewall.net/FAQ.htm#faq18
#
# There is no need to define the loopback interface (lo)
# in this file.
#
# BROADCAST
# The broadcast address for the subnetwork to which the
# interface belongs. For P-T-P interfaces, this
# column is left blank.If the interface has multiple
# addresses on multiple subnets then list the broadcast
# addresses as a comma-separated list.
#
# If you use the special value "detect", the firewall
# will detect the broadcast address for you. If you
# select this option, the interface must be up before
# the firewall is started, you must have iproute
# installed and the interface must only be associated
# with a single subnet.
#
# If you don't want to give a value for this column but
# you want to enter a value in the OPTIONS column, enter
# "-" in this column.
#
# OPTIONS
# A comma-separated list of options including the
# following:
#
# dhcp
# Interface is managed by DHCP or used by
# a DHCP server running on the firewall or
# you have a static IP but are on a LAN
# segment with lots of Laptop DHCP clients.
# norfc1918
# This interface should not receive
# any packets whose source is in one
# of the ranges reserved by RFC 1918
# (i.e., private or "non-routable"
# addresses. If packet mangling is
# enabled in shorewall.conf, packets
# whose destination addresses are
# reserved by RFC 1918 are also rejected.
# nobogons
# This interface should not receive
# any packets whose source is in one
# of the ranges reserved by IANA (this
# option does not cover those ranges
# reserved by RFC 1918 -- see above).
#
# I PERSONALLY RECOMMEND AGAINST USING
# THE 'nobogons' OPTION.
# routefilter
# Turn on kernel route filtering for this
# interface (anti-spoofing measure). This
# option can also be enabled globally in
# the /etc/shorewall/shorewall.conf file.
# blacklist
# Check packets arriving on this interface
# against the /etc/shorewall/blacklist
# file.
# logmartians
# Turn on kernel martian logging (logging
# of packets with impossible source
# addresses. It is suggested that if you
# set routefilter on an interface that
# you also set logmartians. This option
# may also be enabled globally in the
# /etc/shorewall/shorewall.conf file.
# maclist
# Connection requests from this interface
# are compared against the contents of
# /etc/shorewall/maclist. If this option
# is specified, the interface must be
# an ethernet NIC and must be up before
# Shorewall is started.
# tcpflags
# Packets arriving on this interface are
# checked for certain illegal combinations
# of TCP flags. Packets found to have
# such a combination of flags are handled
# according to the setting of
# TCP_FLAGS_DISPOSITION after having been
# logged according to the setting of
# TCP_FLAGS_LOG_LEVEL.
# proxyarp
# Sets /proc/sys/net/ipv4/conf/<interface>/proxy_arp.
# Do NOT use this option if you are
# employing Proxy ARP through entries in
# /etc/shorewall/proxyarp. This option is
# intended soley for use with Proxy ARP
# sub-networking as described at:
# http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet
# netnotsyn
# TCP packets that don't have the SYN flag set and
# which are not part of an established connection
# will be accepted from this interface, even if
# NEWNOTSYN=No has been specified in
# /etc/shorewall/shorewall.conf. In other
# words, packets coming in on this interface
# are processed as if NEWNOTSYN=Yes had been
# specified in /etc/shorewall/shorewall.conf.
#
# This option has no effect if NEWNOTSYN=Yes.
#
# It is the opinion of the author that
# NEWNOTSYN=No creates more problems than
# it solves and I recommend against using
# that setting in shorewall.conf (hence
# making the use of the 'newnotsyn'
# interface option unnecessary).
# routeback
# If specified, indicates that Shorewall
# should include rules that allow filtering
# traffic arriving on this interface back
# out that same interface.
# arp_filter
# If specified, this interface will only respond
# to ARP who-has requests for IP addresses
# configured on the interface. If not specified,
# the interface can respond to ARP who-has requests
# for IP addresses on any of the firewall's interface.
# The interface must be up when shorewall is started.
# nosmurfs
# Filter packets for smurfs (packets with a broadcast
# address as the source).
#
# Smurfs will be optionally logged based on the setting
# of SMURF_LOG_LEVEL in shorewall.conf. After logging,
# the packets are dropped.
# detectnets
# Automatically taylors the zone named in the ZONE column
# to include only those hosts routed through the interface.
#
# WARNING: DO NOT SET THE detectnets OPTION ON YOUR INTERNET INTERFACE!
#
# The order in which you list the options is not
# significant but the list should have no embedded white
# space.
#
# Example 1:
# Suppose you have eth0 connected to a DSL modem,
# eth1 connected to your local network and eth2
# connected to your dmz. Assuming that your local
# subnet is 192.168.1.0/24 and your dmz subnet is
# 192.168.2.0/24 . The eth0 interface gets
# it's IP address via DHCP from subnet
# 206.191.149.192/27.
#
# Your entries for this setup would look like:
#
# #ZONE INTERFACE BROADCAST OPTIONS
# net eth0 206.191.149.223 dhcp
# local eth1 192.168.1.255
# dmz eth2 192.168.2.255
#
# Example 2:
# The same configuration without specifying broadcast
# addresses is:
#
# #ZONE INTERFACE BROADCAST OPTIONS
# net eth0 detect dhcp
# loc eth1 detect
# dmz eth2 detect
#
##############################################################################
#ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect dhcp,routefilter,norfc1918
loc eth1 detect
dmz eth2 detect
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE