SHOREWALL6-INTERFACES(5)

NAME
       interfaces - shorewall6 interfaces file

SYNOPSIS
       /etc/shorewall6/interfaces

DESCRIPTION
       The interfaces file serves to define the firewall's network
       interfaces to shorewall6. The order of entries in this file is not
       significant in determining zone composition.

       The columns in the file are as follows.

       ZONE - zone-name
              Zone for this interface. Must match the name of a zone
              declared in /etc/shorewall6/zones. You may not list the
              firewall zone in this column.

              If the interface serves multiple zones that will be defined
              in the shorewall6-hosts(5) file, you should place "-" in
              this column.

              If there are multiple interfaces to the same zone, you must
              list them in separate entries.

              Example:

                     #ZONE   INTERFACE   BROADCAST
                     loc     eth1        -
                     loc     eth2        -

       INTERFACE - interface[:port]
              Name of the interface. Each interface may be listed only
              once in this file. You may NOT specify the name of a
              "virtual" interface (e.g., eth0:0) here; see
              http://www.shorewall.net/FAQ.htm#faq18

              You may use wildcards here by specifying a prefix followed
              by the plus sign ("+"). For example, if you want to make an
              entry that applies to all PPP interfaces, use 'ppp+'; that
              would match ppp0, ppp1, ppp2, ...

              Care must be exercised when using wildcards where there is
              another zone that uses a matching specific interface. See
              shorewall6-nesting(5) for a discussion of this problem.

              Shorewall6-perl allows '+' as an interface name.

              There is no need to define the loopback interface (lo) in
              this file.

              If a port is given, then the interface must have been
              defined previously with the option. The OPTIONS column
              must be empty when a port is given.

       UNICAST - -
              Enter '-' in this column. It
              is here for compatibility between Shorewall6 and Shorewall.

       OPTIONS (Optional) - [option[,option]...]
              A comma-separated list of options from the following list.
              The order in which you list the options is not significant,
              but the list must have no embedded white space.

              blacklist
                     Check packets arriving on this interface against the
                     shorewall6-blacklist(5) file.

              bridge (shorewall6-perl only)
                     Designates the interface as a bridge.

              mss[=number]
                     Causes forwarded TCP SYN packets entering or leaving
                     on this interface to have their MSS field set to the
                     specified number.

              optional
                     When optional is specified for an interface,
                     shorewall6 will be silent when:

                     a /proc/sys/net/ipv6/conf/ entry for the interface
                     cannot be modified.

                     The first global IPv6 address of the interface
                     cannot be obtained.

              routeback
                     If specified, indicates that shorewall6 should
                     include rules that allow filtering traffic arriving
                     on this interface back out that same interface. This
                     option is also required when you have used a
                     wildcard in the INTERFACE column if you want to
                     allow traffic between the interfaces that match the
                     wildcard.

              routefilter[={0|1}]
                     Turn on kernel route filtering for this interface
                     (anti-spoofing measure).

                     The option value (0 or 1) may only be specified if
                     you are using shorewall6-perl. With shorewall6-perl,
                     only those interfaces with the routefilter option
                     will have their setting changed; the value assigned
                     to the setting will be the value specified (if any)
                     or 1 if no value is given.

                     This option does not work with a wild-card interface
                     name (e.g., eth0.+) in the INTERFACE column.

                     This option can also be enabled globally in the
                     shorewall6.conf(5) file.
              sourceroute[={0|1}]
                     If this option is not specified for an interface,
                     then source-routed packets will not be accepted from
                     that interface. Specifying it sets
                     /proc/sys/net/ipv6/conf/interface/accept_source_route
                     to 1. Only set this option if you know what you are
                     doing. This might represent a security risk and is
                     not usually needed.

                     Only those interfaces with the sourceroute option
                     will have their setting changed; the value assigned
                     to the setting will be the value specified (if any)
                     or 1 if no value is given.

                     This option does not work with a wild-card interface
                     name (e.g., eth0.+) in the INTERFACE column.

              tcpflags
                     Packets arriving on this interface are checked for
                     certain illegal combinations of TCP flags. Packets
                     found to have such a combination of flags are
                     handled according to the setting of
                     TCP_FLAGS_DISPOSITION after having been logged
                     according to the setting of TCP_FLAGS_LOG_LEVEL.

              upnp
                     Incoming requests from this interface may be
                     remapped via UPnP (upnpd). See
                     http://www.shorewall.net/UPnP.html.

EXAMPLE
       Example 1:

       Suppose you have eth0 connected to a DSL modem and eth1 connected
       to your local network. You have a DMZ using eth2.

       Your entries for this setup would look like:

              #ZONE   INTERFACE   UNICAST   OPTIONS
              net     eth0        -
              loc     eth1        -
              dmz     eth2        -

FILES
       /etc/shorewall6/interfaces

SEE ALSO
       shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-maclist(5),
shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5),
shorewall6-route_rules(5), shorewall6-routestopped(5),
shorewall6-rules(5), shorewall6.conf(5), shorewall6-tcclasses(5),
shorewall6-tcdevices(5), shorewall6-tcrules(5), shorewall6-tos(5),
shorewall6-tunnels(5), shorewall6-zones(5)
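As an added example, not code from the Shorewall project: a small checker that applies the rules this page states for the interfaces file (zone must be declared and must not be the firewall zone, each interface listed once, no eth0:0-style virtual interfaces, OPTIONS empty when a port is given, UNICAST always '-', no white space in the options list, and routefilter/sourceroute not combined with a wildcard interface name) to a constructed sample file before it reaches the compiler. The option set and the "fw" firewall zone name are assumptions taken from this page, not from the installed zones file.

```python
KNOWN_OPTIONS = {"blacklist", "bridge", "mss", "optional", "routeback",
                 "routefilter", "sourceroute", "tcpflags", "upnp"}
NO_WILDCARD = {"routefilter", "sourceroute"}  # page: no wild-card interface name

def check_interfaces(text, zones, fw_zone="fw"):
    """Return "line: problem" strings for an interfaces file body.
    zones: names declared in shorewall6-zones(5); fw_zone: the firewall zone."""
    problems, seen = [], set()
    for n, raw in enumerate(text.splitlines(), 1):
        cols = raw.split("#", 1)[0].split()
        if not cols:
            continue  # blank or comment-only line
        if len(cols) > 4:
            problems.append(f"{n}: OPTIONS list must have no embedded white space")
        cols += [""] * (4 - len(cols))  # pad missing trailing columns
        zone, iface, unicast, opts = cols[:4]
        if zone == fw_zone:
            problems.append(f"{n}: the firewall zone may not be listed in ZONE")
        elif zone != "-" and zone not in zones:
            problems.append(f"{n}: zone {zone!r} is not declared in zones")
        if ":" in iface:  # interface:port form
            base = iface.split(":", 1)[0]
            if base not in seen:  # also rejects eth0:0-style virtual interfaces
                problems.append(f"{n}: {base!r} must be defined before port {iface!r}")
            elif opts:
                problems.append(f"{n}: OPTIONS must be empty when a port is given")
        if iface in seen:
            problems.append(f"{n}: interface {iface!r} listed more than once")
        seen.add(iface)
        if unicast not in ("", "-"):
            problems.append(f"{n}: UNICAST column must be '-'")
        for opt in filter(None, opts.split(",")):
            name = opt.split("=", 1)[0]
            if name not in KNOWN_OPTIONS:
                problems.append(f"{n}: unknown option {name!r}")
            elif name in NO_WILDCARD and iface.endswith("+"):
                problems.append(f"{n}: {name} does not work with wildcard {iface!r}")
    return problems

# Constructed sample file; lines 3, 5 and 6 each break one rule stated on the page.
SAMPLE = """\
#ZONE INTERFACE UNICAST OPTIONS
net   eth0      -       tcpflags,routefilter,blacklist
loc   ppp+      -       routeback,sourceroute
dmz   eth2      -       optional,mss=1400
loc   eth1:0    -
fw    eth3      -
"""
if __name__ == "__main__":
    print("\n".join(check_interfaces(SAMPLE, {"net", "loc", "dmz"})))
```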