shorewall6-interfaces 5 interfaces shorewall6 interfaces file /etc/shorewall6/interfaces Description The interfaces file serves to define the firewall's network interfaces to shorewall6. The order of entries in this file is not significant in determining zone composition. The columns in the file are as follows. ZONE - zone-name Zone for this interface. Must match the name of a zone declared in /etc/shorewall6/zones. You may not list the firewall zone in this column. If the interface serves multiple zones that will be defined in the shorewall6-hosts(5) file, you should place "-" in this column. If there are multiple interfaces to the same zone, you must list them in separate entries. Example:
#ZONE INTERFACE BROADCAST loc eth1 - loc eth2 -
INTERFACE - interface[:port] Name of interface. Each interface may be listed only once in this file. You may NOT specify the name of a "virtual" interface (e.g., eth0:0) here; see http://www.shorewall.net/FAQ.htm#faq18 You may use wildcards here by specifying a prefix followed by the plus sign ("+"). For example, if you want to make an entry that applies to all PPP interfaces, use 'ppp+'; that would match ppp0, ppp1, ppp2, … Care must be exercised when using wildcards where there is another zone that uses a matching specific interface. See shorewall6-nesting(5) for a discussion of this problem. Shorewall6-perl allows '+' as an interface name. There is no need to define the loopback interface (lo) in this file. If a port is given, then the interface must have been defined previously with the option. The OPTIONS column must be empty when a port is given. UNICAST - - Enter '-' in this column. It is here for compatibility between Shorewall6 and Shorewall. OPTIONS (Optional) - [option[,option]...] A comma-separated list of options from the following list. The order in which you list the options is not significant but the list should have no embedded white space. blacklist Check packets arriving on this interface against the shorewall6-blacklist(5) file. bridge (shorewall6-perl only) Designates the interface as a bridge. mss[=number] Causes forwarded TCP SYN packets entering or leaving on this interface to have their MSS field set to the specified number. optional When is specified for an interface, shorewall6 will be silent when: a /proc/sys/net/ipv5/conf/ entry for the interface cannot be modified. The first global IPv6 address of the interface cannot be obtained. routeback If specified, indicates that shorewall6 should include rules that allow filtering traffic arriving on this interface back out that same interface. This option is also required when you have used a wildcard in the INTERFACE column if you want to allow traffic between the interfaces that match the wildcard. routefilter[={0|1}] Turn on kernel route filtering for this interface (anti-spoofing measure). The option value (0 or 1) may only be specified if you are using shorewall6-perl. With shorewall6-perl, only those interfaces with the option will have their setting changes; the value assigned to the setting will be the value specified (if any) or 1 if no value is given. This option does not work with a wild-card interface name (e.g., eth0.+) in the INTERFACE column.
This option can also be enabled globally in the shorewall6.conf(5) file.
sourceroute[={0|1}] If this option is not specified for an interface, then source-routed packets will not be accepted from that interface (sets /proc/sys/net/ipv6/conf/interface/accept_source_route to 1). Only set this option if you know what you are doing. This might represent a security risk and is not usually needed. Only those interfaces with the option will have their setting changes; the value assigned to the setting will be the value specified (if any) or 1 if no value is given. This option does not work with a wild-card interface name (e.g., eth0.+) in the INTERFACE column. tcpflags Packets arriving on this interface are checked for certain illegal combinations of TCP flags. Packets found to have such a combination of flags are handled according to the setting of TCP_FLAGS_DISPOSITION after having been logged according to the setting of TCP_FLAGS_LOG_LEVEL. upnp Incoming requests from this interface may be remapped via UPNP (upnpd). See http://www.shorewall.net/UPnP.html.
Example Example 1: Suppose you have eth0 connected to a DSL modem and eth1 connected to your local network You have a DMZ using eth2. Your entries for this setup would look like: #ZONE INTERFACE UNICAST OPTIONS net eth0 - loc eth1 - dmz eth2 - FILES /etc/shorewall6/interfaces See ALSO shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5), shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-maclist(5), shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5), shorewall6-route_rules(5), shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5), shorewall6-tos(5), shorewall6-tunnels(5), shorewall6-zones(5)