shorewall_code/manpages6/shorewall6-interfaces.xml

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<refentry>
<refmeta>
<refentrytitle>shorewall6-interfaces</refentrytitle>
<manvolnum>5</manvolnum>
</refmeta>
<refnamediv>
<refname>interfaces</refname>
<refpurpose>shorewall6 interfaces file</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>/etc/shorewall6/interfaces</command>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>Description</title>
<para>The interfaces file serves to define the firewall's network
interfaces to shorewall6. The order of entries in this file is not
significant in determining zone composition.</para>
<para>The columns in the file are as follows.</para>
<variablelist>
<varlistentry>
<term><emphasis role="bold">ZONE</emphasis> -
<emphasis>zone-name</emphasis></term>
<listitem>
<para>Zone for this interface. Must match the name of a zone
declared in /etc/shorewall6/zones. You may not list the firewall
zone in this column.</para>
<para>If the interface serves multiple zones that will be defined in
the <ulink url="shorewall6-hosts.html">shorewall6-hosts</ulink>(5)
file, you should place "-" in this column.</para>
<para>If there are multiple interfaces to the same zone, you must
list them in separate entries.</para>
<para>Example:</para>
<blockquote>
<programlisting>#ZONE INTERFACE UNICAST
loc eth1 -
loc eth2 -</programlisting>
</blockquote>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">INTERFACE</emphasis> -
<emphasis>interface</emphasis><emphasis
role="bold">[:</emphasis><emphasis>port</emphasis><emphasis
role="bold">]</emphasis></term>
<listitem>
<para>Logical name of interface. Each interface may be listed only
once in this file. You may NOT specify the name of a "virtual"
interface (e.g., eth0:0) here; see <ulink
url="http://www.shorewall.net/FAQ.htm#faq18">http://www.shorewall.net/FAQ.htm#faq18</ulink>.
If the <option>physical</option> option is not specified, then the
logical name is also the name of the actual interface.</para>
<para>You may use wildcards here by specifying a prefix followed by
the plus sign ("+"). For example, if you want to make an entry that
applies to all PPP interfaces, use 'ppp+'; that would match ppp0,
ppp1, ppp2, …</para>
<para>Care must be exercised when using wildcards where there is
another zone that uses a matching specific interface. See <ulink
url="shorewall6-nesting.html">shorewall6-nesting</ulink>(5) for a
discussion of this problem.</para>
<para>Shorewall6 allows '+' as an interface name.</para>
<para>There is no need to define the loopback interface (lo) in this
file.</para>
<para>If a <replaceable>port</replaceable> is given, then the
<replaceable>interface</replaceable> must have been defined
previously with the <option>bridge</option> option. The OPTIONS
column must be empty when a <replaceable>port</replaceable> is
given.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">UNICAST</emphasis> - <emphasis
role="bold">-</emphasis></term>
<listitem>
<para>Enter '<emphasis role="bold">-'</emphasis> in this column. It
is here for compatibility between Shorewall6 and Shorewall.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">OPTIONS</emphasis> (Optional) -
[<emphasis>option</emphasis>[<emphasis
role="bold">,</emphasis><emphasis>option</emphasis>]...]</term>
<listitem>
<para>A comma-separated list of options from the following list. The
order in which you list the options is not significant but the list
should have no embedded white space.</para>
<variablelist>
<varlistentry>
<term><emphasis
role="bold">blacklist[=<replaceable>value</replaceable>]</emphasis></term>
<listitem>
<para>A value may be specified when running Shorewall 4.4.13
or later and must be 1 or 2. Specifying no
value is equivalent to blacklist=1.</para>
<orderedlist>
<listitem>
<para>Input blacklisting (default if no value given). This
setting is intended for Internet-facing interfaces.</para>
<para>Traffic entering this interface is passed against
the entries in <ulink
url="shorewall6-blacklist.html">shorewall6-blacklist</ulink>(5)
that have the <emphasis role="bold">from</emphasis> option
(specified or defaulted). Traffic originating on the
firewall and leaving by this interface is passed against
the entries in <ulink
url="shorewall6-blacklist.html">shorewall6-blacklist</ulink>(5)
that have the <emphasis role="bold">to</emphasis>
option.</para>
</listitem>
<listitem>
<para>Output blacklisting. This setting is intended for
internal interfaces.</para>
<para>Traffic entering on this interface is passed against
the entries in <ulink
url="shorewall6-blacklist.html">shorewall6-blacklist</ulink>(5)
that have the <emphasis role="bold">to</emphasis>
option.</para>
</listitem>
</orderedlist>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">bridge</emphasis></term>
<listitem>
<para>Designates the interface as a bridge. Beginning with
Shorewall 4.4.7, setting this option also sets
<option>routeback</option>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">forward</emphasis>[={0|1}]</term>
<listitem>
<para>Sets the /proc/sys/net/ipv6/conf/interface/forwarding
option to the specified value. If no value is supplied, then 1
is assumed.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">mss</emphasis>=<emphasis>number</emphasis></term>
<listitem>
<para>Causes forwarded TCP SYN packets entering or leaving on
this interface to have their MSS field set to the specified
<replaceable>number</replaceable>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">nets=(<emphasis>net</emphasis>[,...])</emphasis></term>
<listitem>
<para>Limit the zone named in the ZONE column to only the
listed networks. If you specify this option, be sure to
include the link-local network (fe80::/10), or neighbor
discovery traffic on the interface will fall outside the zone.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">optional</emphasis></term>
<listitem>
<para>When <option>optional</option> is specified for an
interface, shorewall6 will be silent when:</para>
<itemizedlist>
<listitem>
<para>a <filename
class="directory">/proc/sys/net/ipv6/conf/</filename>
entry for the interface cannot be modified.</para>
</listitem>
<listitem>
<para>The first global IPv6 address of the interface
cannot be obtained.</para>
</listitem>
</itemizedlist>
<para>This option may not be specified together with <emphasis
role="bold">required</emphasis>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">physical</emphasis>=<emphasis
role="bold"><emphasis>name</emphasis></emphasis></term>
<listitem>
<para>Added in Shorewall 4.4.4. When specified, the interface
or port name in the INTERFACE column is a logical name that
refers to the name given in this option. It is useful when you
want to specify the same wildcard port name on two or more
bridges. See <ulink
url="http://www.shorewall.net/bridge-Shorewall-perl.html#Multiple">http://www.shorewall.net/bridge-Shorewall-perl.html#Multiple</ulink>.</para>
<para>If the <emphasis>interface</emphasis> name is a wildcard
name (ends with '+'), then the physical
<emphasis>name</emphasis> must also end in '+'.</para>
<para>If <option>physical</option> is not specified, then its
value defaults to the <emphasis>interface</emphasis>
name.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">required</emphasis></term>
<listitem>
<para>Added in Shorewall 4.4.10. When specified, the firewall
will fail to start if the interface named in the INTERFACE
column is not usable. May not be specified together with
<emphasis role="bold">optional</emphasis>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">routeback</emphasis></term>
<listitem>
<para>If specified, indicates that shorewall6 should include
rules that allow traffic arriving on this interface to be
routed back out that same interface. This option is also
required when you have used a wildcard in the INTERFACE column
if you want to allow traffic between the interfaces that match
the wildcard.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">sourceroute[={0|1}]</emphasis></term>
<listitem>
<para>If this option is not specified for an interface, then
source-routed packets will not be accepted from that interface.
Specifying it sets
/proc/sys/net/ipv6/conf/<emphasis>interface</emphasis>/accept_source_route
to 1 (or to the value given), which allows source-routed packets
in. Only set this option if you know what you are doing: accepting
source-routed packets might represent a security risk and is not
usually needed.</para>
<para>Only those interfaces with the
<option>sourceroute</option> option will have their setting
changed; the value assigned to the setting will be the value
specified (if any) or 1 if no value is given.</para>
<note>
<para>This option does not work with a wild-card
<replaceable>interface</replaceable> name (e.g., eth0.+) in
the INTERFACE column.</para>
</note>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">tcpflags</emphasis></term>
<listitem>
<para>Packets arriving on this interface are checked for
certain illegal combinations of TCP flags. Packets found to
have such a combination of flags are handled according to the
setting of TCP_FLAGS_DISPOSITION after having been logged
according to the setting of TCP_FLAGS_LOG_LEVEL.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">proxyndp</emphasis>[={0|1}]</term>
<listitem>
<para>Sets
/proc/sys/net/ipv6/conf/<emphasis>interface</emphasis>/proxy_ndp.</para>
<para><emphasis role="bold">Note</emphasis>: This option does
not work with a wild-card <replaceable>interface</replaceable>
name (e.g., eth0.+) in the INTERFACE column.</para>
<para>Only those interfaces with the <option>proxyndp</option>
option will have their setting changed; the value assigned to
the setting will be the value specified (if any) or 1 if no
value is given.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">wait</emphasis>=<emphasis>seconds</emphasis></term>
<listitem>
<para>Added in Shorewall 4.4.10. Causes the generated script
to wait up to <emphasis>seconds</emphasis> seconds for the
interface to become usable before applying the <emphasis
role="bold">required</emphasis> or <emphasis
role="bold">optional</emphasis> options.</para>
</listitem>
</varlistentry>
</variablelist>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>Example</title>
<variablelist>
<varlistentry>
<term>Example 1:</term>
<listitem>
<para>Suppose you have eth0 connected to a DSL modem and eth1
connected to your local network. You have a DMZ using eth2.</para>
<para>Your entries for this setup would look like:</para>
<programlisting>#ZONE INTERFACE UNICAST OPTIONS
net eth0 -
loc eth1 -
dmz eth2 -</programlisting>
</listitem>
</varlistentry>
<varlistentry>
<term>Example 4 (Shorewall 4.4.9 and later):</term>
<listitem>
<para>You have a bridge with no IP address and you want to allow
traffic through the bridge.</para>
<programlisting>#ZONE INTERFACE UNICAST OPTIONS
- br0 - routeback</programlisting>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
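The column and option constraints described above can be checked before a file is deployed. The following validator is an added example, not Shorewall's own code; the sample interfaces file, the zone list and the firewall zone name are constructed.

```python
# Checks /etc/shorewall6/interfaces entries against the rules this man page
# states. Added example, not Shorewall's own code; sample data is constructed.
import re

SAMPLE = """\
#ZONE   INTERFACE   UNICAST   OPTIONS
net     eth0        -         blacklist,tcpflags,sourceroute
loc     eth1        -         optional,required
-       br0         -         bridge
loc     br0:eth2    -         mss=1400
dmz     eth1        -
loc     ppp+        -         proxyndp,physical=ppp
dmz     eth3        yes       nets=(2001:db8::/32)
"""
ZONES = {"net", "loc", "dmz"}   # constructed: zones declared in shorewall6-zones(5)
FW_ZONE = "fw"                  # the firewall zone may never appear in ZONE
LINK_LOCAL = "fe80::/10"        # nets=(...) should always include this

def parse_options(field):
    """Split the OPTIONS column on commas, keeping nets=(a,b) together."""
    return re.findall(r"[^,(]+(?:\([^)]*\))?", field)

def validate(text, zones=ZONES, fw_zone=FW_ZONE):
    """Return (line_number, message) for every rule an entry violates."""
    problems, seen, bridges = [], set(), set()
    for num, raw in enumerate(text.splitlines(), 1):
        cols = raw.split("#", 1)[0].split()              # drop comments
        if not cols: continue                            # blank / comment line
        zone, iface, unicast = (cols + ["-", "-"])[:3]   # pad short lines
        opts = parse_options(cols[3]) if len(cols) > 3 else []
        names = {o.split("=", 1)[0] for o in opts}       # option keywords
        wild, port = iface.endswith("+"), ":" in iface
        rules = [
            (zone == fw_zone, "firewall zone may not be listed"),
            (zone not in zones | {"-", fw_zone}, f"zone {zone} not declared"),
            (unicast != "-", "UNICAST column must be '-'"),
            (iface in seen, f"{iface} listed more than once"),
            (port and iface.split(":")[0] not in bridges, "port on undefined bridge"),
            (port and bool(opts), "OPTIONS must be empty for a port"),
            ("optional" in names and "required" in names, "optional excludes required"),
            (wild and not names.isdisjoint({"sourceroute", "proxyndp"}),
             "sourceroute/proxyndp do not work with a wildcard"),
            (wild and any(o.startswith("physical=") and not o.endswith("+")
                          for o in opts), "physical name must also end in '+'"),
            (any(o.startswith("nets=") and LINK_LOCAL not in o for o in opts),
             f"nets= should include {LINK_LOCAL}"),
        ]
        problems += [(num, msg) for cond, msg in rules if cond]
        seen.add(iface)
        if "bridge" in names: bridges.add(iface)        # later port entries may use it
    return problems
```

Running validate(SAMPLE) reports one tuple per violated rule, keyed by the line number in the file, so a clean file returns an empty list.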
<refsect1>
<title>FILES</title>
<para>/etc/shorewall6/interfaces</para>
</refsect1>
<refsect1>
<title>SEE ALSO</title>
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-maclist(5),
shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5),
shorewall6-route_rules(5), shorewall6-routestopped(5),
shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5),
shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5),
shorewall6-tos(5), shorewall6-tunnels(5), shorewall6-zones(5)</para>
</refsect1>
</refentry>