mirror of
https://gitlab.com/shorewall/code.git
synced 2024-11-25 17:13:11 +01:00
011345f9b6
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4012 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
244 lines
8.5 KiB
Plaintext
244 lines
8.5 KiB
Plaintext
#
|
|
# Shorewall version 3.2 - Sample Interfaces File for two-interface configuration.
|
|
# Copyright (C) 2006 by the Shorewall Team
|
|
#
|
|
# This library is free software; you can redistribute it and/or
|
|
# modify it under the terms of the GNU Lesser General Public
|
|
# License as published by the Free Software Foundation; either
|
|
# version 2.1 of the License, or (at your option) any later version.
|
|
#
|
|
# See the file README.txt for further details.
|
|
#
|
|
#
|
|
# /etc/shorewall/interfaces
|
|
#
|
|
# You must add an entry in this file for each network interface on your
|
|
# firewall system.
|
|
#
|
|
# Columns are:
|
|
#
|
|
# ZONE Zone for this interface. Must match the name of a
|
|
# zone defined in /etc/shorewall/zones. You may not
|
|
# list the firewall zone in this column.
|
|
#
|
|
# If the interface serves multiple zones that will be
|
|
# defined in the /etc/shorewall/hosts file, you should
|
|
# place "-" in this column.
|
|
#
|
|
# If there are multiple interfaces to the same zone,
|
|
# you must list them in separate entries:
|
|
#
|
|
# Example:
|
|
#
|
|
# loc eth1 -
|
|
# loc eth2 -
|
|
#
|
|
# INTERFACE Name of interface. Each interface may be listed only
|
|
# once in this file. You may NOT specify the name of
|
|
# an alias (e.g., eth0:0) here; see
|
|
# http://www.shorewall.net/FAQ.htm#faq18
|
|
#
|
|
# You may specify wildcards here. For example, if you
|
|
# want to make an entry that applies to all PPP
|
|
# interfaces, use 'ppp+'.
|
|
#
|
|
# There is no need to define the loopback interface (lo)
|
|
# in this file.
|
|
#
|
|
# BROADCAST The broadcast address for the subnetwork to which the
|
|
# interface belongs. For P-T-P interfaces, this
|
|
# column is left blank.If the interface has multiple
|
|
# addresses on multiple subnets then list the broadcast
|
|
# addresses as a comma-separated list.
|
|
#
|
|
# If you use the special value "detect", Shorewall
|
|
# will detect the broadcast address(es) for you. If you
|
|
# select this option, the interface must be up before
|
|
# the firewall is started.
|
|
#
|
|
# If you don't want to give a value for this column but
|
|
# you want to enter a value in the OPTIONS column, enter
|
|
# "-" in this column.
|
|
#
|
|
# OPTIONS A comma-separated list of options including the
|
|
# following:
|
|
#
|
|
# dhcp - Specify this option when any of
|
|
# the following are true:
|
|
# 1. the interface gets its IP address
|
|
# via DHCP
|
|
# 2. the interface is used by
|
|
# a DHCP server running on the firewall
|
|
# 3. you have a static IP but are on a LAN
|
|
# segment with lots of Laptop DHCP
|
|
# clients.
|
|
# 4. the interface is a bridge with
|
|
# a DHCP server on one port and DHCP
|
|
# clients on another port.
|
|
#
|
|
# norfc1918 - This interface should not receive
|
|
# any packets whose source is in one
|
|
# of the ranges reserved by RFC 1918
|
|
# (i.e., private or "non-routable"
|
|
# addresses). If packet mangling or
|
|
# connection-tracking match is enabled in
|
|
# your kernel, packets whose destination
|
|
# addresses are reserved by RFC 1918 are
|
|
# also rejected.
|
|
#
|
|
# routefilter - turn on kernel route filtering for this
|
|
# interface (anti-spoofing measure). This
|
|
# option can also be enabled globally in
|
|
# the /etc/shorewall/shorewall.conf file.
|
|
#
|
|
# logmartians - turn on kernel martian logging (logging
|
|
# of packets with impossible source
|
|
# addresses. It is suggested that if you
|
|
# set routefilter on an interface that
|
|
# you also set logmartians. This option
|
|
# may also be enabled globally in the
|
|
# /etc/shorewall/shorewall.conf file.
|
|
#
|
|
# blacklist - Check packets arriving on this interface
|
|
# against the /etc/shorewall/blacklist
|
|
# file.
|
|
#
|
|
# maclist - Connection requests from this interface
|
|
# are compared against the contents of
|
|
# /etc/shorewall/maclist. If this option
|
|
# is specified, the interface must be
|
|
# an ethernet NIC and must be up before
|
|
# Shorewall is started.
|
|
#
|
|
# tcpflags - Packets arriving on this interface are
|
|
# checked for certain illegal combinations
|
|
# of TCP flags. Packets found to have
|
|
# such a combination of flags are handled
|
|
# according to the setting of
|
|
# TCP_FLAGS_DISPOSITION after having been
|
|
# logged according to the setting of
|
|
# TCP_FLAGS_LOG_LEVEL.
|
|
#
|
|
# proxyarp -
|
|
# Sets
|
|
# /proc/sys/net/ipv4/conf/<interface>/proxy_arp.
|
|
# Do NOT use this option if you are
|
|
# employing Proxy ARP through entries in
|
|
# /etc/shorewall/proxyarp. This option is
|
|
# intended soley for use with Proxy ARP
|
|
# sub-networking as described at:
|
|
# http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet
|
|
#
|
|
# routeback - If specified, indicates that Shorewall
|
|
# should include rules that allow
|
|
# filtering traffic arriving on this
|
|
# interface back out that same interface.
|
|
#
|
|
# arp_filter - If specified, this interface will only
|
|
# respond to ARP who-has requests for IP
|
|
# addresses configured on the interface.
|
|
# If not specified, the interface can
|
|
# respond to ARP who-has requests for
|
|
# IP addresses on any of the firewall's
|
|
# interface. The interface must be up
|
|
# when Shorewall is started.
|
|
#
|
|
# arp_ignore[=<number>]
|
|
# - If specified, this interface will
|
|
# respond to arp requests based on the
|
|
# value of <number>.
|
|
#
|
|
# 1 - reply only if the target IP address
|
|
# is local address configured on the
|
|
# incoming interface
|
|
#
|
|
# 2 - reply only if the target IP address
|
|
# is local address configured on the
|
|
# incoming interface and both with the
|
|
# sender's IP address are part from same
|
|
# subnet on this interface
|
|
#
|
|
# 3 - do not reply for local addresses
|
|
# configured with scope host, only
|
|
# resolutions for global and link
|
|
# addresses are replied
|
|
#
|
|
# 4-7 - reserved
|
|
#
|
|
# 8 - do not reply for all local
|
|
# addresses
|
|
#
|
|
# If no <number> is given then the value
|
|
# 1 is assumed
|
|
#
|
|
# WARNING -- DO NOT SPECIFY arp_ignore
|
|
# FOR ANY INTERFACE INVOLVED IN PROXY ARP.
|
|
#
|
|
# nosmurfs - Filter packets for smurfs
|
|
# (packets with a broadcast
|
|
# address as the source).
|
|
#
|
|
# Smurfs will be optionally logged based
|
|
# on the setting of SMURF_LOG_LEVEL in
|
|
# shorewall.conf. After logging, the
|
|
# packets are dropped.
|
|
#
|
|
# detectnets - Automatically taylors the zone named
|
|
# in the ZONE column to include only those
|
|
# hosts routed through the interface.
|
|
#
|
|
# sourceroute - If this option is not specified for an
|
|
# interface, then source-routed packets
|
|
# will not be accepted from that
|
|
# interface (sets /proc/sys/net/ipv4/
|
|
# conf/<interface>/
|
|
# accept_source_route to 1).
|
|
# Only set this option if you know what
|
|
# you are you doing. This might represent
|
|
# a security risk and is not usually
|
|
# needed.
|
|
#
|
|
# upnp - Incoming requests from this interface
|
|
# may be remapped via UPNP (upnpd).
|
|
#
|
|
# WARNING: DO NOT SET THE detectnets OPTION ON YOUR
|
|
# INTERNET INTERFACE.
|
|
#
|
|
# The order in which you list the options is not
|
|
# significant but the list should have no embedded white
|
|
# space.
|
|
#
|
|
# Example 1: Suppose you have eth0 connected to a DSL modem and
|
|
# eth1 connected to your local network and that your
|
|
# local subnet is 192.168.1.0/24. The interface gets
|
|
# it's IP address via DHCP from subnet
|
|
# 206.191.149.192/27. You have a DMZ with subnet
|
|
# 192.168.2.0/24 using eth2.
|
|
#
|
|
# Your entries for this setup would look like:
|
|
#
|
|
# net eth0 206.191.149.223 dhcp
|
|
# local eth1 192.168.1.255
|
|
# dmz eth2 192.168.2.255
|
|
#
|
|
# Example 2: The same configuration without specifying broadcast
|
|
# addresses is:
|
|
#
|
|
# net eth0 detect dhcp
|
|
# loc eth1 detect
|
|
# dmz eth2 detect
|
|
#
|
|
# Example 3: You have a simple dial-in system with no ethernet
|
|
# connections.
|
|
#
|
|
# net ppp0 -
|
|
#
|
|
# For additional information, see
|
|
# http://shorewall.net/Documentation.htm#Interfaces
|
|
#
|
|
###############################################################################
|
|
#ZONE INTERFACE BROADCAST OPTIONS
|
|
net eth0 detect dhcp,tcpflags,norfc1918,routefilter,nosmurfs,logmartians
|
|
loc eth1 detect tcpflags,detectnets,nosmurfs
|
|
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|