#
# Shorewall 2.2 -- Sample Interface File For One Interface
#
# /etc/shorewall/interfaces
#
# You must add an entry in this file for each network interface on your
# firewall system.
#
# Columns are:
#
#       ZONE            Zone for this interface. Must match the short name
#                       of a zone defined in /etc/shorewall/zones.
#
#                       If the interface serves multiple zones that will be
#                       defined in the /etc/shorewall/hosts file, you should
#                       place "-" in this column.
#
#       INTERFACE       Name of interface. Each interface may be listed only
#                       once in this file. You may NOT specify the name of
#                       an alias (e.g., eth0:0) here; see
#                       http://www.shorewall.net/FAQ.htm#faq18
#
#                       You may specify wildcards here. For example, if you
#                       want to make an entry that applies to all PPP
#                       interfaces, use 'ppp+'
#
#                       There is no need to define the loopback interface (lo)
#                       in this file.
#
#       BROADCAST       The broadcast address for the subnetwork to which the
#                       interface belongs. For P-T-P interfaces, this
#                       column is left blank. If the interface has multiple
#                       addresses on multiple subnets then list the broadcast
#                       addresses as a comma-separated list.
#
#                       If you use the special value "detect", the firewall
#                       will detect the broadcast address for you. If you
#                       select this option, the interface must be up before
#                       the firewall is started, you must have iproute
#                       installed and the interface must only be associated
#                       with a single subnet.
#
#                       If you don't want to give a value for this column but
#                       you want to enter a value in the OPTIONS column, enter
#                       "-" in this column.
#
#       OPTIONS         A comma-separated list of options including the
#                       following:
#
#                       dhcp
#                               Interface is managed by DHCP or used by
#                               a DHCP server running on the firewall or
#                               you have a static IP but are on a LAN
#                               segment with lots of Laptop DHCP clients.
#                       norfc1918
#                               This interface should not receive
#                               any packets whose source is in one
#                               of the ranges reserved by RFC 1918
#                               (i.e., private or "non-routable"
#                               addresses). If packet mangling is
#                               enabled in shorewall.conf, packets
#                               whose destination addresses are
#                               reserved by RFC 1918 are also rejected.
#                       nobogons
#                               This interface should not receive
#                               any packets whose source is in one
#                               of the ranges reserved by IANA (this
#                               option does not cover those ranges
#                               reserved by RFC 1918 -- see above).
#
#                               I PERSONALLY RECOMMEND AGAINST USING
#                               THE 'nobogons' OPTION.
#                       routefilter
#                               Turn on kernel route filtering for this
#                               interface (anti-spoofing measure). This
#                               option can also be enabled globally in
#                               the /etc/shorewall/shorewall.conf file.
#                       blacklist
#                               Check packets arriving on this interface
#                               against the /etc/shorewall/blacklist
#                               file.
#                       logmartians
#                               Turn on kernel martian logging (logging
#                               of packets with impossible source
#                               addresses). It is suggested that if you
#                               set routefilter on an interface that
#                               you also set logmartians. This option
#                               may also be enabled globally in the
#                               /etc/shorewall/shorewall.conf file.
#                       maclist
#                               Connection requests from this interface
#                               are compared against the contents of
#                               /etc/shorewall/maclist. If this option
#                               is specified, the interface must be
#                               an ethernet NIC and must be up before
#                               Shorewall is started.
#                       tcpflags
#                               Packets arriving on this interface are
#                               checked for certain illegal combinations
#                               of TCP flags. Packets found to have
#                               such a combination of flags are handled
#                               according to the setting of
#                               TCP_FLAGS_DISPOSITION after having been
#                               logged according to the setting of
#                               TCP_FLAGS_LOG_LEVEL.
#                       proxyarp
#                               Sets /proc/sys/net/ipv4/conf/<interface>/proxy_arp.
#                               Do NOT use this option if you are
#                               employing Proxy ARP through entries in
#                               /etc/shorewall/proxyarp. This option is
#                               intended solely for use with Proxy ARP
#                               sub-networking as described at:
#                               http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet
#                       newnotsyn
#                               TCP packets that don't have the SYN flag set and
#                               which are not part of an established connection
#                               will be accepted from this interface, even if
#                               NEWNOTSYN=No has been specified in
#                               /etc/shorewall/shorewall.conf. In other
#                               words, packets coming in on this interface
#                               are processed as if NEWNOTSYN=Yes had been
#                               specified in /etc/shorewall/shorewall.conf.
#
#                               This option has no effect if NEWNOTSYN=Yes
#
#                               It is the opinion of the author that
#                               NEWNOTSYN=No creates more problems than
#                               it solves and I recommend against using
#                               that setting in shorewall.conf (hence
#                               making the use of the 'newnotsyn'
#                               interface option unnecessary).
#                       routeback
#                               If specified, indicates that Shorewall
#                               should include rules that allow filtering
#                               traffic arriving on this interface back
#                               out that same interface.
#                       arp_filter
#                               If specified, this interface will only respond
#                               to ARP who-has requests for IP addresses
#                               configured on the interface. If not specified,
#                               the interface can respond to ARP who-has requests
#                               for IP addresses on any of the firewall's interfaces.
#                               The interface must be up when shorewall is started.
#                       nosmurfs
#                               Filter packets for smurfs (packets with a broadcast
#                               address as the source).
#                       detectnets
#                               Automatically tailors the zone named in the ZONE
#                               column to include only those hosts routed through
#                               the interface.
#
#               WARNING: DO NOT SET THE detectnets OPTION ON YOUR INTERNET INTERFACE!
#
#                       The order in which you list the options is not
#                       significant but the list should have no embedded white
#                       space.
#
# Example 1:
#               Suppose you have eth0 connected to a DSL modem
#               that gets its IP address via DHCP from subnet
#               206.191.149.192/27.
#
#               Your entries for this setup would look like:
#
#               #ZONE   INTERFACE       BROADCAST               OPTIONS
#               net     eth0            206.191.149.223         dhcp
#
# Example 2:
#               The same configuration without specifying broadcast
#               addresses is:
#
#               #ZONE   INTERFACE       BROADCAST       OPTIONS
#               net     eth0            detect          dhcp
#
# Example 3:
#               You have a simple dial-in system with no ethernet
#               connections.
#
#               #ZONE   INTERFACE       BROADCAST       OPTIONS
#               net     ppp0            -
##############################################################################
#ZONE   INTERFACE       BROADCAST       OPTIONS
net     eth0            detect          norfc1918,routefilter,dhcp,tcpflags
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
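The following is an added example, not part of Shorewall or of this sample file: a small Python checker that parses the ZONE, INTERFACE, BROADCAST and OPTIONS columns of an interfaces file and flags the constraints the comments above describe (no interface aliases, each interface listed once, no loopback entry, no whitespace inside OPTIONS, valid broadcast values, only documented option names, no detectnets on the Internet interface, and a warning when routefilter is set without logmartians). The zone list, the assumption that the Internet-facing zone is named "net", and the SAMPLE text are constructed for the example.

```python
"""Checker for a Shorewall 2.2 /etc/shorewall/interfaces file.

Added example, not Shorewall code. It validates entries against the rules
documented in the sample file's comments. Zone names, the Internet-zone
name and the SAMPLE text below are constructed assumptions.
"""
import re
from dataclasses import dataclass, field

# Options documented in the Shorewall 2.2 sample interfaces file.
KNOWN_OPTIONS = {
    "dhcp", "norfc1918", "nobogons", "routefilter", "blacklist",
    "logmartians", "maclist", "tcpflags", "proxyarp", "newnotsyn",
    "routeback", "arp_filter", "nosmurfs", "detectnets",
}

# Zones assumed to be defined in /etc/shorewall/zones (constructed).
KNOWN_ZONES = {"net", "loc", "dmz"}

# Assumed name of the Internet-facing zone, as in the file's own examples.
INTERNET_ZONE = "net"

IPV4_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")


@dataclass
class Entry:
    zone: str
    interface: str
    broadcast: str
    options: list = field(default_factory=list)


def is_ipv4(text):
    """True for a dotted-quad address with every octet in 0..255."""
    m = IPV4_RE.match(text)
    return bool(m) and all(0 <= int(g) <= 255 for g in m.groups())


def check_entry(lineno, entry, seen):
    """Return 'error: ...' / 'warning: ...' messages for one parsed entry."""
    msgs = []
    where = f"line {lineno}"
    if entry.zone != "-" and entry.zone not in KNOWN_ZONES:
        msgs.append(f"error: {where}: zone '{entry.zone}' is not defined in zones")
    if ":" in entry.interface:
        msgs.append(f"error: {where}: alias '{entry.interface}' not allowed; "
                    "list the base interface instead")
    if entry.interface == "lo":
        msgs.append(f"error: {where}: the loopback interface must not be listed")
    if entry.interface in seen:
        msgs.append(f"error: {where}: interface '{entry.interface}' listed more than once")
    if entry.broadcast not in ("-", "detect"):
        bad = [b for b in entry.broadcast.split(",") if not is_ipv4(b)]
        if bad:
            msgs.append(f"error: {where}: invalid broadcast address(es) {bad}")
    unknown = [o for o in entry.options if o not in KNOWN_OPTIONS]
    if unknown:
        msgs.append(f"error: {where}: unknown option(s) {unknown}")
    if "detectnets" in entry.options and entry.zone == INTERNET_ZONE:
        msgs.append(f"error: {where}: detectnets must not be set on the Internet interface")
    if "routefilter" in entry.options and "logmartians" not in entry.options:
        msgs.append(f"warning: {where}: routefilter set without logmartians")
    return msgs


def parse_interfaces(text):
    """Parse the file text; return (entries, messages). Comments are ignored."""
    entries, msgs, seen = [], [], set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        cols = line.split()
        # A fifth column means whitespace crept into OPTIONS.
        if len(cols) < 2 or len(cols) > 4:
            msgs.append(f"error: line {lineno}: expected 2 to 4 columns "
                        f"(OPTIONS must contain no embedded whitespace), got {len(cols)}")
            continue
        entry = Entry(cols[0], cols[1],
                      cols[2] if len(cols) > 2 else "-",
                      cols[3].split(",") if len(cols) > 3 else [])
        msgs.extend(check_entry(lineno, entry, seen))
        seen.add(entry.interface)
        entries.append(entry)
    return entries, msgs


# Constructed sample: one clean line, one alias, one detectnets on net,
# and one OPTIONS list with embedded whitespace.
SAMPLE = """\
#ZONE   INTERFACE   BROADCAST       OPTIONS
net     eth0        detect          norfc1918,routefilter,dhcp,tcpflags
loc     eth1        192.168.1.255   routefilter,logmartians
dmz     eth0:1      -               nosmurfs
net     ppp+        -               detectnets
-       eth2        -               routefilter, dhcp
"""

if __name__ == "__main__":
    for message in parse_interfaces(SAMPLE)[1]:
        print(message)
```

Run it against a real file with `parse_interfaces(open("/etc/shorewall/interfaces").read())`; errors correspond to rules the comments state as hard requirements, warnings to their suggestions.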