# # Shorewall version 3.2 - Sample Interfaces File for three-interface configuration. # Copyright (C) 2006 by the Shorewall Team # # This library is free software; you can redistribute it and/or # modify it under the terms of the GNU Lesser General Public # License as published by the Free Software Foundation; either # version 2.1 of the License, or (at your option) any later version. # # See the file README.txt for further details. # # # /etc/shorewall/interfaces # # You must add an entry in this file for each network interface on your # firewall system. # # Columns are: # # ZONE Zone for this interface. Must match the name of a # zone defined in /etc/shorewall/zones. You may not # list the firewall zone in this column. # # If the interface serves multiple zones that will be # defined in the /etc/shorewall/hosts file, you should # place "-" in this column. # # If there are multiple interfaces to the same zone, # you must list them in separate entries: # # Example: # # loc eth1 - # loc eth2 - # # INTERFACE Name of interface. Each interface may be listed only # once in this file. You may NOT specify the name of # an alias (e.g., eth0:0) here; see # http://www.shorewall.net/FAQ.htm#faq18 # # You may specify wildcards here. For example, if you # want to make an entry that applies to all PPP # interfaces, use 'ppp+'. # # There is no need to define the loopback interface (lo) # in this file. # # BROADCAST The broadcast address for the subnetwork to which the # interface belongs. For P-T-P interfaces, this # column is left blank.If the interface has multiple # addresses on multiple subnets then list the broadcast # addresses as a comma-separated list. # # If you use the special value "detect", Shorewall # will detect the broadcast address(es) for you. If you # select this option, the interface must be up before # the firewall is started. # # If you don't want to give a value for this column but # you want to enter a value in the OPTIONS column, enter # "-" in this column. # # OPTIONS A comma-separated list of options including the # following: # # dhcp - Specify this option when any of # the following are true: # 1. the interface gets its IP address # via DHCP # 2. the interface is used by # a DHCP server running on the firewall # 3. you have a static IP but are on a LAN # segment with lots of Laptop DHCP # clients. # 4. the interface is a bridge with # a DHCP server on one port and DHCP # clients on another port. # # norfc1918 - This interface should not receive # any packets whose source is in one # of the ranges reserved by RFC 1918 # (i.e., private or "non-routable" # addresses). If packet mangling or # connection-tracking match is enabled in # your kernel, packets whose destination # addresses are reserved by RFC 1918 are # also rejected. # # routefilter - turn on kernel route filtering for this # interface (anti-spoofing measure). This # option can also be enabled globally in # the /etc/shorewall/shorewall.conf file. # # logmartians - turn on kernel martian logging (logging # of packets with impossible source # addresses. It is suggested that if you # set routefilter on an interface that # you also set logmartians. This option # may also be enabled globally in the # /etc/shorewall/shorewall.conf file. # # blacklist - Check packets arriving on this interface # against the /etc/shorewall/blacklist # file. # # maclist - Connection requests from this interface # are compared against the contents of # /etc/shorewall/maclist. If this option # is specified, the interface must be # an ethernet NIC and must be up before # Shorewall is started. # # tcpflags - Packets arriving on this interface are # checked for certain illegal combinations # of TCP flags. Packets found to have # such a combination of flags are handled # according to the setting of # TCP_FLAGS_DISPOSITION after having been # logged according to the setting of # TCP_FLAGS_LOG_LEVEL. # # proxyarp - # Sets # /proc/sys/net/ipv4/conf//proxy_arp. # Do NOT use this option if you are # employing Proxy ARP through entries in # /etc/shorewall/proxyarp. This option is # intended soley for use with Proxy ARP # sub-networking as described at: # http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet # # routeback - If specified, indicates that Shorewall # should include rules that allow # filtering traffic arriving on this # interface back out that same interface. # # arp_filter - If specified, this interface will only # respond to ARP who-has requests for IP # addresses configured on the interface. # If not specified, the interface can # respond to ARP who-has requests for # IP addresses on any of the firewall's # interface. The interface must be up # when Shorewall is started. # # arp_ignore[=] # - If specified, this interface will # respond to arp requests based on the # value of . # # 1 - reply only if the target IP address # is local address configured on the # incoming interface # # 2 - reply only if the target IP address # is local address configured on the # incoming interface and both with the # sender's IP address are part from same # subnet on this interface # # 3 - do not reply for local addresses # configured with scope host, only # resolutions for global and link # addresses are replied # # 4-7 - reserved # # 8 - do not reply for all local # addresses # # If no is given then the value # 1 is assumed # # WARNING -- DO NOT SPECIFY arp_ignore # FOR ANY INTERFACE INVOLVED IN PROXY ARP. # # nosmurfs - Filter packets for smurfs # (packets with a broadcast # address as the source). # # Smurfs will be optionally logged based # on the setting of SMURF_LOG_LEVEL in # shorewall.conf. After logging, the # packets are dropped. # # detectnets - Automatically taylors the zone named # in the ZONE column to include only those # hosts routed through the interface. # # sourceroute - If this option is not specified for an # interface, then source-routed packets # will not be accepted from that # interface (sets /proc/sys/net/ipv4/ # conf// # accept_source_route to 1). # Only set this option if you know what # you are you doing. This might represent # a security risk and is not usually # needed. # # upnp - Incoming requests from this interface # may be remapped via UPNP (upnpd). # # WARNING: DO NOT SET THE detectnets OPTION ON YOUR # INTERNET INTERFACE. # # The order in which you list the options is not # significant but the list should have no embedded white # space. # # Example 1: Suppose you have eth0 connected to a DSL modem and # eth1 connected to your local network and that your # local subnet is 192.168.1.0/24. The interface gets # it's IP address via DHCP from subnet # 206.191.149.192/27. You have a DMZ with subnet # 192.168.2.0/24 using eth2. # # Your entries for this setup would look like: # # net eth0 206.191.149.223 dhcp # local eth1 192.168.1.255 # dmz eth2 192.168.2.255 # # Example 2: The same configuration without specifying broadcast # addresses is: # # net eth0 detect dhcp # loc eth1 detect # dmz eth2 detect # # Example 3: You have a simple dial-in system with no ethernet # connections. # # net ppp0 - # # For additional information, see # http://shorewall.net/Documentation.htm#Interfaces # ############################################################################### #ZONE INTERFACE BROADCAST OPTIONS net eth0 detect tcpflags,dhcp,routefilter,norfc1918,nosmurfs,logmartians loc eth1 detect tcpflags,detectnets,nosmurfs dmz eth2 detect #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE