shorewall_code/Samples/two-interfaces/interfaces
2002-06-25 19:27:55 +00:00

107 lines
3.9 KiB
Plaintext
Executable File

#
# Shorewall 1.3 -- Interfaces File
#
# /etc/shorewall/interfaces
#
# You must add an entry in this file for each network interface on your
# firewall system.
#
# Columns are:
#
# ZONE Zone for this interface. Must match the short name
# of a zone defined in /etc/shorewall/zones.
#
# If the interface serves multiple zones that will be
# defined in the /etc/shorewall/hosts file, you may
# place "-" in this column.
#
# INTERFACE Name of interface
#
# BROADCAST The broadcast address for the subnetwork to which the
# interface belongs. For P-T-P interfaces, this
# column is left black.
#
# If you use the special value "detect", the firewall
# will detect the broadcast address for you. If you
# select this option, the interface must be up before
# the firewall is started and you must have iproute
# installed.
#
# If you don't want to give a value for this column but
# you want to enter a value in the OPTIONS column, enter
# "-" in this column.
#
# OPTIONS A comma-separated list of options including the
# following:
#
# dhcp - interface is managed by DHCP or used by
# a DHCP server running on the firewall.
# noping - icmp echo-request (ping) packets
# addressed to the firewall should
# be ignored on this interface
# filterping - icmp echo-request (ping) packets
# addressed to the firewall should
# be controlled by the rules file and
# applicable policy. If neither 'noping'
# nor 'filterping' are specified then
# the firewall will respond to 'ping'
# requests. 'filterping' takes
# precedence over 'noping' if both are
# given.
# routestopped - When the firewall is stopped, allow
# and route traffic to and from this
# interface.
# norfc1918 - This interface should not receive
# any packets whose source is in one
# of the ranges reserved by RFC 1918
# (i.e., private or "non-routable"
# addresses. If packet mangling is
# enabled in shorewall.conf, packets
# whose destination addresses are
# reserved by RFC 1918 are also rejected.
# multi - This interface has multiple IP
# addresses and you want to be able to
# route between them.
# routefilter - turn on kernel route filtering for this
# interface (anti-spoofing measure).
# dropunclean - Logs and drops mangled/invalid packets
#
# logunclean - Logs mangled/invalid packets but does
# not drop them.
# . . blacklist - Check packets arriving on this interface
# against the /etc/shorewall/blacklist
# file.
#
# Example 1: Suppose you have eth0 connected to a DSL modem and
# eth1 connected to your local network and that your
# local subnet is 192.168.1.0/24. The interface gets
# it's IP address via DHCP from subnet
# 206.191.149.192/27 and you want pings from the internet
# to be ignored. You interface a DMZ with subnet
# 192.168.2.0/24 using eth2. You want to be able to
# access the firewall from the local network when the
# firewall is stopped.
#
# Your entries for this setup would look like:
#
# net eth0 206.191.149.223 noping,dhcp
# local eth1 192.168.1.255 routestopped
# dmz eth2 192.168.2.255
#
# Example 2: The same configuration without specifying broadcast
# addresses is:
#
# net eth0 detect noping,dhcp
# loc eth1 detect routestopped
# dmz eth2 detect
#
# Example 3: You have a simple dial-in system with no ethernet
# connections and you want to ignore ping requests.
#
# net ppp0 - noping
##############################################################################
#ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect dhcp,routefilter,norfc1918
loc eth1 detect routestopped
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE