mirror of
https://gitlab.com/shorewall/code.git
synced 2024-12-04 05:23:14 +01:00
71e7eb26f6
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8994 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
307 lines
11 KiB
XML
307 lines
11 KiB
XML
<?xml version="1.0" encoding="UTF-8"?>
|
|
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
|
|
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
|
|
<refentry>
|
|
<refmeta>
|
|
<refentrytitle>shorewall6-interfaces</refentrytitle>
|
|
|
|
<manvolnum>5</manvolnum>
|
|
</refmeta>
|
|
|
|
<refnamediv>
|
|
<refname>interfaces</refname>
|
|
|
|
<refpurpose>shorewall6 interfaces file</refpurpose>
|
|
</refnamediv>
|
|
|
|
<refsynopsisdiv>
|
|
<cmdsynopsis>
|
|
<command>/etc/shorewall6/interfaces</command>
|
|
</cmdsynopsis>
|
|
</refsynopsisdiv>
|
|
|
|
<refsect1>
|
|
<title>Description</title>
|
|
|
|
<para>The interfaces file serves to define the firewall's network
|
|
interfaces to shorewall6. The order of entries in this file is not
|
|
significant in determining zone composition.</para>
|
|
|
|
<para>The columns in the file are as follows.</para>
|
|
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term><emphasis role="bold">ZONE</emphasis> -
|
|
<emphasis>zone-name</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Zone for this interface. Must match the name of a zone
|
|
declared in /etc/shorewall6/zones. You may not list the firewall
|
|
zone in this column.</para>
|
|
|
|
<para>If the interface serves multiple zones that will be defined in
|
|
the <ulink url="shorewall6-hosts.html">shorewall6-hosts</ulink>(5)
|
|
file, you should place "-" in this column.</para>
|
|
|
|
<para>If there are multiple interfaces to the same zone, you must
|
|
list them in separate entries.</para>
|
|
|
|
<para>Example:</para>
|
|
|
|
<blockquote>
|
|
<programlisting>#ZONE INTERFACE BROADCAST
|
|
loc eth1 -
|
|
loc eth2 -</programlisting>
|
|
</blockquote>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">INTERFACE</emphasis> -
|
|
<emphasis>interface</emphasis><emphasis
|
|
role="bold">[:</emphasis><emphasis>port</emphasis><emphasis
|
|
role="bold">]</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Name of interface. Each interface may be listed only once in
|
|
this file. You may NOT specify the name of a "virtual" interface
|
|
(e.g., eth0:0) here; see <ulink
|
|
url="http://www.shorewall.net/FAQ.htm#faq18">http://www.shorewall.net/FAQ.htm#faq18</ulink></para>
|
|
|
|
<para>You may use wildcards here by specifying a prefix followed by
|
|
the plus sign ("+"). For example, if you want to make an entry that
|
|
applies to all PPP interfaces, use 'ppp+'; that would match ppp0,
|
|
ppp1, ppp2, …</para>
|
|
|
|
<para>Care must be exercised when using wildcards where there is
|
|
another zone that uses a matching specific interface. See <ulink
|
|
url="shorewall6-nesting.html">shorewall6-nesting</ulink>(5) for a
|
|
discussion of this problem.</para>
|
|
|
|
<para>Shorewall6-perl allows '+' as an interface name.</para>
|
|
|
|
<para>There is no need to define the loopback interface (lo) in this
|
|
file.</para>
|
|
|
|
<para>If a <replaceable>port</replaceable> is given, then the
|
|
<replaceable>interface</replaceable> must have been defined
|
|
previously with the <option>bridge</option> option. The OPTIONS
|
|
column must be empty when a <replaceable>port</replaceable> is
|
|
given.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">UNICAST</emphasis> - <emphasis
|
|
role="bold">-</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Enter '<emphasis role="bold">-'</emphasis> in this column. It
|
|
is here for compatibility between Shorewall6 and Shorewall.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">OPTIONS</emphasis> (Optional) -
|
|
[<emphasis>option</emphasis>[<emphasis
|
|
role="bold">,</emphasis><emphasis>option</emphasis>]...]</term>
|
|
|
|
<listitem>
|
|
<para>A comma-separated list of options from the following list. The
|
|
order in which you list the options is not significant but the list
|
|
should have no embedded white space.</para>
|
|
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term><emphasis role="bold">blacklist</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Check packets arriving on this interface against the
|
|
<ulink
|
|
url="shorewall6-blacklist.html">shorewall6-blacklist</ulink>(5)
|
|
file.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">bridge</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>(shorewall6-perl only) Designates the interface as a
|
|
bridge.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis
|
|
role="bold">mss</emphasis>[=<emphasis>number</emphasis>]</term>
|
|
|
|
<listitem>
|
|
<para>Causes forwarded TCP SYN packets entering or leaving on
|
|
this interface to have their MSS field set to the specified
|
|
<replaceable>number</replaceable>.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">optional</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>When <option>optional</option> is specified for an
|
|
interface, shorewall6 will be silent when:</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>a <filename
|
|
class="directory">/proc/sys/net/ipv5/conf/</filename>
|
|
entry for the interface cannot be modified.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>The first global IPv6 address of the interface
|
|
cannot be obtained.</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
|
|
<para></para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">routeback</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>If specified, indicates that shorewall6 should include
|
|
rules that allow filtering traffic arriving on this interface
|
|
back out that same interface. This option is also required
|
|
when you have used a wildcard in the INTERFACE column if you
|
|
want to allow traffic between the interfaces that match the
|
|
wildcard.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis
|
|
role="bold">routefilter[={0|1}]</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Turn on kernel route filtering for this interface
|
|
(anti-spoofing measure).</para>
|
|
|
|
<para>The option value (0 or 1) may only be specified if you
|
|
are using shorewall6-perl. With shorewall6-perl, only those
|
|
interfaces with the <option>routefilter</option> option will
|
|
have their setting changes; the value assigned to the setting
|
|
will be the value specified (if any) or 1 if no value is
|
|
given.</para>
|
|
|
|
<para></para>
|
|
|
|
<note>
|
|
<para>This option does not work with a wild-card
|
|
<replaceable>interface</replaceable> name (e.g., eth0.+) in
|
|
the INTERFACE column.</para>
|
|
</note>
|
|
|
|
<blockquote>
|
|
<para>This option can also be enabled globally in the <ulink
|
|
url="shorewall6.conf.html">shorewall6.conf</ulink>(5)
|
|
file.</para>
|
|
</blockquote>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis
|
|
role="bold">sourceroute[={0|1}]</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>If this option is not specified for an interface, then
|
|
source-routed packets will not be accepted from that interface
|
|
(sets
|
|
/proc/sys/net/ipv6/conf/<emphasis>interface</emphasis>/accept_source_route
|
|
to 1). Only set this option if you know what you are doing.
|
|
This might represent a security risk and is not usually
|
|
needed.</para>
|
|
|
|
<para>Only those interfaces with the
|
|
<option>sourceroute</option> option will have their setting
|
|
changes; the value assigned to the setting will be the value
|
|
specified (if any) or 1 if no value is given.</para>
|
|
|
|
<note>
|
|
<para>This option does not work with a wild-card
|
|
<replaceable>interface</replaceable> name (e.g., eth0.+) in
|
|
the INTERFACE column.</para>
|
|
</note>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">tcpflags</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Packets arriving on this interface are checked for
|
|
certain illegal combinations of TCP flags. Packets found to
|
|
have such a combination of flags are handled according to the
|
|
setting of TCP_FLAGS_DISPOSITION after having been logged
|
|
according to the setting of TCP_FLAGS_LOG_LEVEL.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">upnp</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Incoming requests from this interface may be remapped
|
|
via UPNP (upnpd). See <ulink
|
|
url="../UPnP.html">http://www.shorewall.net/UPnP.html</ulink>.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
</listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>Example</title>
|
|
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term>Example 1:</term>
|
|
|
|
<listitem>
|
|
<para>Suppose you have eth0 connected to a DSL modem and eth1
|
|
connected to your local network You have a DMZ using eth2.</para>
|
|
|
|
<para>Your entries for this setup would look like:</para>
|
|
|
|
<programlisting>#ZONE INTERFACE UNICAST OPTIONS
|
|
net eth0 -
|
|
loc eth1 -
|
|
dmz eth2 -</programlisting>
|
|
</listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>FILES</title>
|
|
|
|
<para>/etc/shorewall6/interfaces</para>
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>See ALSO</title>
|
|
|
|
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
|
|
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-maclist(5),
|
|
shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5),
|
|
shorewall6-route_rules(5), shorewall6-routestopped(5),
|
|
shorewall6-rules(5), shorewall6.conf(5), shorewall6-tcclasses(5),
|
|
shorewall6-tcdevices(5), shorewall6-tcrules(5), shorewall6-tos(5),
|
|
shorewall6-tunnels(5), shorewall6-zones(5)</para>
|
|
</refsect1>
|
|
</refentry>
|