2006-11-15 19:15:40 +01:00
|
|
|
<?xml version="1.0" encoding="UTF-8"?>
|
2008-11-02 20:35:58 +01:00
|
|
|
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
|
|
|
|
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
|
2006-11-15 19:15:40 +01:00
|
|
|
<refentry>
|
|
|
|
<refmeta>
|
|
|
|
<refentrytitle>shorewall-interfaces</refentrytitle>
|
|
|
|
|
|
|
|
<manvolnum>5</manvolnum>
|
|
|
|
</refmeta>
|
|
|
|
|
|
|
|
<refnamediv>
|
|
|
|
<refname>interfaces</refname>
|
|
|
|
|
|
|
|
<refpurpose>Shorewall interfaces file</refpurpose>
|
|
|
|
</refnamediv>
|
|
|
|
|
|
|
|
<refsynopsisdiv>
|
|
|
|
<cmdsynopsis>
|
|
|
|
<command>/etc/shorewall/interfaces</command>
|
|
|
|
</cmdsynopsis>
|
|
|
|
</refsynopsisdiv>
|
|
|
|
|
|
|
|
<refsect1>
|
|
|
|
<title>Description</title>
|
|
|
|
|
|
|
|
<para>The interfaces file serves to define the firewall's network
|
2008-01-09 20:23:10 +01:00
|
|
|
interfaces to Shorewall. The order of entries in this file is not
|
|
|
|
significant in determining zone composition.</para>
|
2006-11-15 19:15:40 +01:00
|
|
|
|
|
|
|
<para>The columns in the file are as follows.</para>
|
|
|
|
|
|
|
|
<variablelist>
|
|
|
|
<varlistentry>
|
2008-07-10 15:33:54 +02:00
|
|
|
<term><emphasis role="bold">ZONE</emphasis> -
|
2006-11-22 19:41:13 +01:00
|
|
|
<emphasis>zone-name</emphasis></term>
|
2006-11-15 19:15:40 +01:00
|
|
|
|
|
|
|
<listitem>
|
2007-01-18 18:26:07 +01:00
|
|
|
<para>Zone for this interface. Must match the name of a zone
|
|
|
|
declared in /etc/shorewall/zones. You may not list the firewall zone
|
|
|
|
in this column.</para>
|
2006-11-15 19:15:40 +01:00
|
|
|
|
|
|
|
<para>If the interface serves multiple zones that will be defined in
|
2007-01-18 18:26:07 +01:00
|
|
|
the <ulink url="shorewall-hosts.html">shorewall-hosts</ulink>(5)
|
|
|
|
file, you should place "-" in this column.</para>
|
2006-11-15 19:15:40 +01:00
|
|
|
|
|
|
|
<para>If there are multiple interfaces to the same zone, you must
|
|
|
|
list them in separate entries.</para>
|
|
|
|
|
|
|
|
<para>Example:</para>
|
|
|
|
|
|
|
|
<blockquote>
|
|
|
|
<programlisting>#ZONE INTERFACE BROADCAST
|
|
|
|
loc eth1 -
|
|
|
|
loc eth2 -</programlisting>
|
|
|
|
</blockquote>
|
|
|
|
</listitem>
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
<varlistentry>
|
2008-07-10 15:33:54 +02:00
|
|
|
<term><emphasis role="bold">INTERFACE</emphasis> -
|
2007-06-07 17:12:39 +02:00
|
|
|
<emphasis>interface</emphasis><emphasis
|
|
|
|
role="bold">[:</emphasis><emphasis>port</emphasis><emphasis
|
|
|
|
role="bold">]</emphasis></term>
|
2006-11-15 19:15:40 +01:00
|
|
|
|
|
|
|
<listitem>
|
2009-11-11 19:45:01 +01:00
|
|
|
<para>Logical name of interface. Each interface may be listed only
|
|
|
|
once in this file. You may NOT specify the name of a "virtual"
|
|
|
|
interface (e.g., eth0:0) here; see <ulink
|
|
|
|
url="http://www.shorewall.net/FAQ.htm#faq18">http://www.shorewall.net/FAQ.htm#faq18</ulink>.
|
|
|
|
If the <option>physical</option> option is not specified, then the
|
|
|
|
logical name is also the name of the actual interface.</para>
|
2006-11-15 19:15:40 +01:00
|
|
|
|
2007-01-29 17:55:55 +01:00
|
|
|
<para>You may use wildcards here by specifying a prefix followed by
|
|
|
|
the plus sign ("+"). For example, if you want to make an entry that
|
2008-01-11 00:53:13 +01:00
|
|
|
applies to all PPP interfaces, use 'ppp+'; that would match ppp0,
|
|
|
|
ppp1, ppp2, …</para>
|
|
|
|
|
2008-01-12 02:47:58 +01:00
|
|
|
<para>When using Shorewall versions before 4.1.4, care must be
|
|
|
|
exercised when using wildcards where there is another zone that uses
|
|
|
|
a matching specific interface. See <ulink
|
2008-11-18 23:55:34 +01:00
|
|
|
url="shorewall-nesting.html">shorewall-nesting</ulink>(5) for a
|
2008-01-12 00:14:59 +01:00
|
|
|
discussion of this problem.</para>
|
2006-11-15 19:15:40 +01:00
|
|
|
|
2009-07-16 02:50:55 +02:00
|
|
|
<para>Shorewall allows '+' as an interface name.</para>
|
2008-11-30 19:39:28 +01:00
|
|
|
|
2006-11-15 19:15:40 +01:00
|
|
|
<para>There is no need to define the loopback interface (lo) in this
|
|
|
|
file.</para>
|
2007-06-07 17:12:39 +02:00
|
|
|
|
2009-07-16 02:50:55 +02:00
|
|
|
<para>If a <replaceable>port</replaceable> is given, then the
|
|
|
|
<replaceable>interface</replaceable> must have been defined
|
|
|
|
previously with the <option>bridge</option> option. The OPTIONS
|
|
|
|
column may not contain the following options when a
|
2009-03-07 21:22:20 +01:00
|
|
|
<replaceable>port</replaceable> is given.</para>
|
|
|
|
|
|
|
|
<simplelist>
|
|
|
|
<member>arp_filter</member>
|
|
|
|
|
|
|
|
<member>arp_ignore</member>
|
|
|
|
|
|
|
|
<member>bridge</member>
|
|
|
|
|
|
|
|
<member>log_martians</member>
|
|
|
|
|
|
|
|
<member>mss</member>
|
|
|
|
|
|
|
|
<member>optional</member>
|
|
|
|
|
|
|
|
<member>proxyarp</member>
|
|
|
|
|
|
|
|
<member>routefilter</member>
|
|
|
|
|
|
|
|
<member>sourceroute</member>
|
|
|
|
|
|
|
|
<member>upnp</member>
|
|
|
|
</simplelist>
|
2006-11-15 19:15:40 +01:00
|
|
|
</listitem>
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
<varlistentry>
|
2008-07-10 15:33:54 +02:00
|
|
|
<term><emphasis role="bold">BROADCAST</emphasis> (Optional) -
|
2006-11-22 19:41:13 +01:00
|
|
|
{<emphasis role="bold">-</emphasis>|<emphasis
|
|
|
|
role="bold">detect</emphasis>|<emphasis>address</emphasis>[,<emphasis>address</emphasis>]...}</term>
|
2006-11-15 19:15:40 +01:00
|
|
|
|
|
|
|
<listitem>
|
2006-11-22 19:41:13 +01:00
|
|
|
<para>If you use the special value <emphasis
|
|
|
|
role="bold">detect</emphasis>, Shorewall will detect the broadcast
|
2009-08-28 22:45:00 +02:00
|
|
|
address(es) for you if your iptables and kernel include Address Type
|
2009-11-06 17:07:13 +01:00
|
|
|
Match support.</para>
|
2009-08-28 22:45:00 +02:00
|
|
|
|
|
|
|
<para>If your iptables and/or kernel lack Address Type Match support
|
|
|
|
then you may list the broadcast address(es) for the network(s) to
|
|
|
|
which the interface belongs. For P-T-P interfaces, this column is
|
|
|
|
left blank. If the interface has multiple addresses on multiple
|
|
|
|
subnets then list the broadcast addresses as a comma-separated
|
|
|
|
list.</para>
|
2006-11-15 19:15:40 +01:00
|
|
|
|
|
|
|
<para>If you don't want to give a value for this column but you want
|
2006-11-22 19:41:13 +01:00
|
|
|
to enter a value in the OPTIONS column, enter <emphasis
|
|
|
|
role="bold">-</emphasis> in this column.</para>
|
2006-11-15 19:15:40 +01:00
|
|
|
</listitem>
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
<varlistentry>
|
2008-07-10 15:33:54 +02:00
|
|
|
<term><emphasis role="bold">OPTIONS</emphasis> (Optional) -
|
2006-11-22 19:41:13 +01:00
|
|
|
[<emphasis>option</emphasis>[<emphasis
|
|
|
|
role="bold">,</emphasis><emphasis>option</emphasis>]...]</term>
|
2006-11-15 19:15:40 +01:00
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>A comma-separated list of options from the following list. The
|
|
|
|
order in which you list the options is not significant but the list
|
|
|
|
should have no embedded white space.</para>
|
|
|
|
|
|
|
|
<variablelist>
|
2007-05-08 21:05:25 +02:00
|
|
|
<varlistentry>
|
|
|
|
<term><emphasis role="bold">arp_filter[={0|1}]</emphasis></term>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>If specified, this interface will only respond to ARP
|
|
|
|
who-has requests for IP addresses configured on the interface.
|
|
|
|
If not specified, the interface can respond to ARP who-has
|
|
|
|
requests for IP addresses on any of the firewall's interface.
|
|
|
|
The interface must be up when Shorewall is started.</para>
|
|
|
|
|
2009-07-16 02:50:55 +02:00
|
|
|
<para>Only those interfaces with the
|
|
|
|
<option>arp_filter</option> option will have their setting
|
2009-10-14 00:47:13 +02:00
|
|
|
changed; the value assigned to the setting will be the value
|
2009-07-16 02:50:55 +02:00
|
|
|
specified (if any) or 1 if no value is given.</para>
|
2007-05-08 21:05:25 +02:00
|
|
|
|
2007-09-10 17:38:01 +02:00
|
|
|
<para></para>
|
|
|
|
|
2007-05-08 21:05:25 +02:00
|
|
|
<note>
|
|
|
|
<para>This option does not work with a wild-card
|
|
|
|
<replaceable>interface</replaceable> name (e.g., eth0.+) in
|
|
|
|
the INTERFACE column.</para>
|
|
|
|
</note>
|
|
|
|
</listitem>
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
<varlistentry>
|
|
|
|
<term><emphasis
|
|
|
|
role="bold">arp_ignore</emphasis>[=<emphasis>number</emphasis>]</term>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>If specified, this interface will respond to arp
|
|
|
|
requests based on the value of <emphasis>number</emphasis>
|
|
|
|
(defaults to 1).</para>
|
|
|
|
|
|
|
|
<para>1 - reply only if the target IP address is local address
|
|
|
|
configured on the incoming interface</para>
|
|
|
|
|
|
|
|
<para>2 - reply only if the target IP address is local address
|
|
|
|
configured on the incoming interface and the sender's IP
|
2009-11-06 17:07:13 +01:00
|
|
|
address is part from same subnet on this interface's
|
|
|
|
address</para>
|
2007-05-08 21:05:25 +02:00
|
|
|
|
|
|
|
<para>3 - do not reply for local addresses configured with
|
|
|
|
scope host, only resolutions for global and link</para>
|
|
|
|
|
|
|
|
<para>4-7 - reserved</para>
|
|
|
|
|
|
|
|
<para>8 - do not reply for all local addresses</para>
|
|
|
|
|
2007-09-10 17:38:01 +02:00
|
|
|
<para></para>
|
|
|
|
|
2007-05-08 21:05:25 +02:00
|
|
|
<note>
|
|
|
|
<para>This option does not work with a wild-card
|
|
|
|
<replaceable>interface</replaceable> name (e.g., eth0.+) in
|
|
|
|
the INTERFACE column.</para>
|
|
|
|
</note>
|
|
|
|
|
2007-09-10 17:38:01 +02:00
|
|
|
<para></para>
|
|
|
|
|
2007-05-08 21:05:25 +02:00
|
|
|
<warning>
|
|
|
|
<para>Do not specify <emphasis
|
|
|
|
role="bold">arp_ignore</emphasis> for any interface involved
|
|
|
|
in <ulink url="../ProxyARP.htm">Proxy ARP</ulink>.</para>
|
|
|
|
</warning>
|
|
|
|
</listitem>
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
<varlistentry>
|
|
|
|
<term><emphasis role="bold">blacklist</emphasis></term>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>Check packets arriving on this interface against the
|
|
|
|
<ulink
|
|
|
|
url="shorewall-blacklist.html">shorewall-blacklist</ulink>(5)
|
|
|
|
file.</para>
|
|
|
|
</listitem>
|
|
|
|
</varlistentry>
|
|
|
|
|
2007-06-07 17:12:39 +02:00
|
|
|
<varlistentry>
|
|
|
|
<term><emphasis role="bold">bridge</emphasis></term>
|
|
|
|
|
|
|
|
<listitem>
|
2009-07-16 02:50:55 +02:00
|
|
|
<para>Designates the interface as a bridge.</para>
|
2007-06-07 17:12:39 +02:00
|
|
|
</listitem>
|
|
|
|
</varlistentry>
|
|
|
|
|
2006-11-15 19:15:40 +01:00
|
|
|
<varlistentry>
|
|
|
|
<term><emphasis role="bold">dhcp</emphasis></term>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>Specify this option when any of the following are
|
|
|
|
true:</para>
|
|
|
|
|
|
|
|
<orderedlist spacing="compact">
|
|
|
|
<listitem>
|
|
|
|
<para>the interface gets its IP address via DHCP</para>
|
|
|
|
</listitem>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>the interface is used by a DHCP server running on
|
|
|
|
the firewall</para>
|
|
|
|
</listitem>
|
|
|
|
|
|
|
|
<listitem>
|
2008-11-02 20:35:58 +01:00
|
|
|
<para>the interface has a static IP but is on a LAN
|
|
|
|
segment with lots of DHCP clients.</para>
|
2006-11-15 19:15:40 +01:00
|
|
|
</listitem>
|
|
|
|
|
|
|
|
<listitem>
|
2008-12-29 19:23:52 +01:00
|
|
|
<para>the interface is a <ulink
|
|
|
|
url="../SimpleBridge.html">simple bridge</ulink> with a
|
|
|
|
DHCP server on one port and DHCP clients on another
|
|
|
|
port.</para>
|
|
|
|
|
|
|
|
<note>
|
|
|
|
<para>If you use <ulink
|
|
|
|
url="../bridge-Shorewall-perl.html">Shorewall-perl for
|
|
|
|
firewall/bridging</ulink>, then you need to include
|
|
|
|
DHCP-specific rules in <ulink
|
|
|
|
url="shorewall-rules.html">shorewall-rules</ulink>(8).
|
|
|
|
DHCP uses UDP ports 67 and 68.</para>
|
|
|
|
</note>
|
2006-11-15 19:15:40 +01:00
|
|
|
</listitem>
|
|
|
|
</orderedlist>
|
2008-11-02 20:35:58 +01:00
|
|
|
|
|
|
|
<para>This option allows DHCP datagrams to enter and leave the
|
|
|
|
interface.</para>
|
2006-11-15 19:15:40 +01:00
|
|
|
</listitem>
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
<varlistentry>
|
2007-05-08 21:05:25 +02:00
|
|
|
<term><emphasis
|
|
|
|
role="bold">logmartians[={0|1}]</emphasis></term>
|
2006-11-15 19:15:40 +01:00
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>Turn on kernel martian logging (logging of packets with
|
2007-02-16 21:56:24 +01:00
|
|
|
impossible source addresses. It is strongly suggested that if
|
|
|
|
you set <emphasis role="bold">routefilter</emphasis> on an
|
|
|
|
interface that you also set <emphasis
|
|
|
|
role="bold">logmartians</emphasis>. Even if you do not specify
|
|
|
|
the <option>routefilter</option> option, it is a good idea to
|
|
|
|
specify <option>logmartians</option> because your distribution
|
2009-11-06 17:07:13 +01:00
|
|
|
may have enabled route filtering without you knowing
|
|
|
|
it.</para>
|
2007-02-16 21:56:24 +01:00
|
|
|
|
2009-07-16 02:50:55 +02:00
|
|
|
<para>Only those interfaces with the
|
|
|
|
<option>logmartians</option> option will have their setting
|
2009-10-14 00:47:13 +02:00
|
|
|
changed; the value assigned to the setting will be the value
|
2009-07-16 02:50:55 +02:00
|
|
|
specified (if any) or 1 if no value is given.</para>
|
2007-05-08 21:05:25 +02:00
|
|
|
|
2007-02-16 21:56:24 +01:00
|
|
|
<para>To find out if route filtering is set on a given
|
|
|
|
<replaceable>interface</replaceable>, check the contents of
|
|
|
|
<filename>/proc/sys/net/ipv4/conf/<replaceable>interface</replaceable>/rp_filter</filename>
|
2008-07-10 15:33:54 +02:00
|
|
|
- a non-zero value indicates that route filtering is
|
2007-02-16 21:56:24 +01:00
|
|
|
enabled.</para>
|
|
|
|
|
|
|
|
<para>Example:</para>
|
|
|
|
|
|
|
|
<programlisting> teastep@lists:~$ <command>cat /proc/sys/net/ipv4/conf/eth0/rp_filter </command>
|
|
|
|
1
|
|
|
|
teastep@lists:~$ </programlisting>
|
|
|
|
|
2007-09-10 17:38:01 +02:00
|
|
|
<para></para>
|
|
|
|
|
2007-04-17 19:06:49 +02:00
|
|
|
<note>
|
|
|
|
<para>This option does not work with a wild-card
|
|
|
|
<replaceable>interface</replaceable> name (e.g., eth0.+) in
|
|
|
|
the INTERFACE column.</para>
|
|
|
|
</note>
|
|
|
|
|
2007-05-08 21:05:25 +02:00
|
|
|
<blockquote>
|
|
|
|
<para>This option may also be enabled globally in the <ulink
|
|
|
|
url="shorewall.conf.html">shorewall.conf</ulink>(5)
|
|
|
|
file.</para>
|
|
|
|
</blockquote>
|
2006-11-15 19:15:40 +01:00
|
|
|
</listitem>
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
<varlistentry>
|
|
|
|
<term><emphasis role="bold">maclist</emphasis></term>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>Connection requests from this interface are compared
|
2007-01-14 23:34:51 +01:00
|
|
|
against the contents of <ulink
|
|
|
|
url="shorewall-maclist.html">shorewall-maclist</ulink>(5). If
|
|
|
|
this option is specified, the interface must be an ethernet
|
|
|
|
NIC and must be up before Shorewall is started.</para>
|
2006-11-15 19:15:40 +01:00
|
|
|
</listitem>
|
|
|
|
</varlistentry>
|
|
|
|
|
2007-08-16 18:08:53 +02:00
|
|
|
<varlistentry>
|
|
|
|
<term><emphasis
|
2009-04-15 01:25:19 +02:00
|
|
|
role="bold">mss</emphasis>=<emphasis>number</emphasis></term>
|
2007-08-16 18:08:53 +02:00
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>Added in Shorewall 4.0.3. Causes forwarded TCP SYN
|
|
|
|
packets entering or leaving on this interface to have their
|
|
|
|
MSS field set to the specified
|
|
|
|
<replaceable>number</replaceable>.</para>
|
|
|
|
</listitem>
|
|
|
|
</varlistentry>
|
2007-05-08 21:05:25 +02:00
|
|
|
|
2009-08-28 22:45:00 +02:00
|
|
|
<varlistentry>
|
|
|
|
<term><emphasis
|
|
|
|
role="bold">nets=(<emphasis>net</emphasis>[,...])</emphasis></term>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>Limit the zone named in the ZONE column to only the
|
|
|
|
listed networks. The parentheses may be omitted if only a
|
|
|
|
single <replaceable>net</replaceable> is given (e.g.,
|
2009-08-29 00:17:10 +02:00
|
|
|
nets=192.168.1.0/24). Limited broadcast to the zone is
|
|
|
|
supported. Beginning with Shorewall 4.4.1, multicast traffic
|
|
|
|
to the zone is also supported.</para>
|
|
|
|
</listitem>
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
<varlistentry>
|
|
|
|
<term><emphasis role="bold">nets=dynamic</emphasis></term>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>Defines the zone as <firstterm>dynamic</firstterm>.
|
|
|
|
Requires ipset match support in your iptables and kernel. See
|
|
|
|
<ulink
|
|
|
|
url="http://www.shorewall.net/Dynamic.html">http://www.shorewall.net/Dynamic.html</ulink>
|
|
|
|
for further information.</para>
|
2009-08-28 22:45:00 +02:00
|
|
|
</listitem>
|
|
|
|
</varlistentry>
|
|
|
|
|
2007-05-08 21:05:25 +02:00
|
|
|
<varlistentry>
|
|
|
|
<term><emphasis role="bold">nosmurfs</emphasis></term>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>Filter packets for smurfs (packets with a broadcast
|
|
|
|
address as the source).</para>
|
|
|
|
|
|
|
|
<para>Smurfs will be optionally logged based on the setting of
|
|
|
|
SMURF_LOG_LEVEL in <ulink
|
|
|
|
url="shorewall.conf.html">shorewall.conf</ulink>(5). After
|
|
|
|
logging, the packets are dropped.</para>
|
2006-11-15 19:15:40 +01:00
|
|
|
</listitem>
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
<varlistentry>
|
2007-05-08 21:05:25 +02:00
|
|
|
<term><emphasis role="bold">optional</emphasis></term>
|
|
|
|
|
|
|
|
<listitem>
|
2009-07-16 02:50:55 +02:00
|
|
|
<para>When <option>optional</option> is specified for an
|
|
|
|
interface, Shorewall will be silent when:</para>
|
2007-05-08 21:05:25 +02:00
|
|
|
|
|
|
|
<itemizedlist>
|
|
|
|
<listitem>
|
|
|
|
<para>a <filename
|
|
|
|
class="directory">/proc/sys/net/ipv4/conf/</filename>
|
|
|
|
entry for the interface cannot be modified (including for
|
|
|
|
proxy ARP).</para>
|
|
|
|
</listitem>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>The first address of the interface cannot be
|
|
|
|
obtained.</para>
|
|
|
|
</listitem>
|
|
|
|
</itemizedlist>
|
|
|
|
|
2007-09-10 17:38:01 +02:00
|
|
|
<para></para>
|
|
|
|
|
|
|
|
<blockquote>
|
|
|
|
<para>I specify <option>optional</option> on interfaces to
|
|
|
|
Xen virtual machines that may or may not be running when
|
|
|
|
Shorewall is [re]started.</para>
|
|
|
|
|
|
|
|
<para></para>
|
|
|
|
|
|
|
|
<caution>
|
|
|
|
<para>Use <option>optional</option> at your own risk. If
|
|
|
|
you [re]start Shorewall when an 'optional' interface is
|
|
|
|
not available and then do a <command>shorewall
|
|
|
|
save</command>, subsequent <command>shorewall
|
|
|
|
restore</command> and <command>shorewall -f
|
|
|
|
start</command> operations will instantiate a ruleset that
|
|
|
|
does not support that interface, even if it is available
|
|
|
|
at the time of the restore/start.</para>
|
|
|
|
</caution>
|
|
|
|
</blockquote>
|
2007-05-08 21:05:25 +02:00
|
|
|
</listitem>
|
|
|
|
</varlistentry>
|
|
|
|
|
2009-11-06 17:07:13 +01:00
|
|
|
<varlistentry>
|
|
|
|
<term>physical=<emphasis
|
|
|
|
role="bold"><emphasis>name</emphasis></emphasis></term>
|
|
|
|
|
|
|
|
<listitem>
|
2009-11-11 19:45:01 +01:00
|
|
|
<para>Added in Shorewall 4.4.4. When specified, the interface
|
|
|
|
or port name in the INTERFACE column is a logical name that
|
|
|
|
refers to the name given in this option. It is useful when you
|
|
|
|
want to specify the same wildcard port name on two or more
|
|
|
|
bridges. See <ulink
|
2009-11-06 17:07:13 +01:00
|
|
|
url="http://www.shorewall.net/bridge-Shorewall-perl.html#Multiple">http://www.shorewall.net/bridge-Shorewall-perl.html#Multiple</ulink>.</para>
|
2009-11-11 00:48:49 +01:00
|
|
|
|
|
|
|
<para>If the <emphasis>interface</emphasis> name is a wildcard
|
|
|
|
name (ends with '+'), then the physical
|
|
|
|
<emphasis>name</emphasis> must also end in '+'.</para>
|
|
|
|
|
|
|
|
<para>If <option>physical</option> is not specified, then it's
|
|
|
|
value defaults to the <emphasis>interface</emphasis>
|
|
|
|
name.</para>
|
2009-11-06 17:07:13 +01:00
|
|
|
</listitem>
|
|
|
|
</varlistentry>
|
|
|
|
|
2007-05-08 21:05:25 +02:00
|
|
|
<varlistentry>
|
|
|
|
<term><emphasis role="bold">proxyarp[={0|1}]</emphasis></term>
|
2006-11-15 19:15:40 +01:00
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>Sets
|
2006-11-15 21:04:33 +01:00
|
|
|
/proc/sys/net/ipv4/conf/<emphasis>interface</emphasis>/proxy_arp.
|
|
|
|
Do NOT use this option if you are employing Proxy ARP through
|
2007-01-14 23:34:51 +01:00
|
|
|
entries in <ulink
|
|
|
|
url="shorewall-proxyarp.html">shorewall-proxyarp</ulink>(5).
|
|
|
|
This option is intended solely for use with Proxy ARP
|
2007-01-18 18:26:07 +01:00
|
|
|
sub-networking as described at: <ulink
|
2007-05-08 21:05:25 +02:00
|
|
|
url="http://tldp.org/HOWTO/Proxy-ARP-Subnet/index.html">http://tldp.org/HOWTO/Proxy-ARP-Subnet/index.html.
|
2007-09-10 17:38:01 +02:00
|
|
|
</ulink></para>
|
|
|
|
|
|
|
|
<para><emphasis role="bold">Note</emphasis>: This option does
|
|
|
|
not work with a wild-card <replaceable>interface</replaceable>
|
|
|
|
name (e.g., eth0.+) in the INTERFACE column.</para>
|
|
|
|
|
2009-07-16 02:50:55 +02:00
|
|
|
<para>Only those interfaces with the <option>proxyarp</option>
|
|
|
|
option will have their setting changed; the value assigned to
|
|
|
|
the setting will be the value specified (if any) or 1 if no
|
|
|
|
value is given.</para>
|
2006-11-15 19:15:40 +01:00
|
|
|
</listitem>
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
<varlistentry>
|
|
|
|
<term><emphasis role="bold">routeback</emphasis></term>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>If specified, indicates that Shorewall should include
|
2009-03-24 17:11:22 +01:00
|
|
|
rules that allow traffic arriving on this interface to be
|
|
|
|
routed back out that same interface. This option is also
|
|
|
|
required when you have used a wildcard in the INTERFACE column
|
|
|
|
if you want to allow traffic between the interfaces that match
|
|
|
|
the wildcard.</para>
|
2006-11-15 19:15:40 +01:00
|
|
|
</listitem>
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
<varlistentry>
|
|
|
|
<term><emphasis
|
2009-12-20 01:02:28 +01:00
|
|
|
role="bold">routefilter[={0|1|2}]</emphasis></term>
|
2006-11-15 19:15:40 +01:00
|
|
|
|
|
|
|
<listitem>
|
2007-05-08 21:05:25 +02:00
|
|
|
<para>Turn on kernel route filtering for this interface
|
|
|
|
(anti-spoofing measure).</para>
|
2006-11-15 19:15:40 +01:00
|
|
|
|
2009-07-16 02:50:55 +02:00
|
|
|
<para>Only those interfaces with the
|
|
|
|
<option>routefilter</option> option will have their setting
|
|
|
|
changes; the value assigned to the setting will be the value
|
|
|
|
specified (if any) or 1 if no value is given.</para>
|
2006-11-15 19:15:40 +01:00
|
|
|
|
2009-12-20 01:02:28 +01:00
|
|
|
<para>The value 2 is only available with Shorewall 4.4.5.1 and
|
|
|
|
later when the kernel version is 2.6.31 or later. It specifies
|
|
|
|
a <firstterm>loose</firstterm> form of reverse path
|
|
|
|
filtering.</para>
|
2007-09-10 17:38:01 +02:00
|
|
|
|
2007-04-17 19:06:49 +02:00
|
|
|
<note>
|
|
|
|
<para>This option does not work with a wild-card
|
|
|
|
<replaceable>interface</replaceable> name (e.g., eth0.+) in
|
|
|
|
the INTERFACE column.</para>
|
|
|
|
</note>
|
|
|
|
|
2007-05-08 21:05:25 +02:00
|
|
|
<blockquote>
|
|
|
|
<para>This option can also be enabled globally in the <ulink
|
|
|
|
url="shorewall.conf.html">shorewall.conf</ulink>(5)
|
|
|
|
file.</para>
|
|
|
|
</blockquote>
|
2006-11-15 19:15:40 +01:00
|
|
|
</listitem>
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
<varlistentry>
|
2007-05-08 21:05:25 +02:00
|
|
|
<term><emphasis
|
|
|
|
role="bold">sourceroute[={0|1}]</emphasis></term>
|
2006-11-15 19:15:40 +01:00
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>If this option is not specified for an interface, then
|
|
|
|
source-routed packets will not be accepted from that interface
|
|
|
|
(sets
|
2006-11-15 21:04:33 +01:00
|
|
|
/proc/sys/net/ipv4/conf/<emphasis>interface</emphasis>/accept_source_route
|
2006-11-20 18:52:52 +01:00
|
|
|
to 1). Only set this option if you know what you are doing.
|
2009-10-14 00:47:13 +02:00
|
|
|
This might represent a security risk and is usually
|
|
|
|
unneeded.</para>
|
2007-04-17 19:06:49 +02:00
|
|
|
|
2009-07-16 02:50:55 +02:00
|
|
|
<para>Only those interfaces with the
|
|
|
|
<option>sourceroute</option> option will have their setting
|
2009-10-14 00:47:13 +02:00
|
|
|
changed; the value assigned to the setting will be the value
|
2009-07-16 02:50:55 +02:00
|
|
|
specified (if any) or 1 if no value is given.</para>
|
2007-05-08 21:05:25 +02:00
|
|
|
|
2007-09-10 17:38:01 +02:00
|
|
|
<para></para>
|
|
|
|
|
2007-04-17 19:06:49 +02:00
|
|
|
<note>
|
|
|
|
<para>This option does not work with a wild-card
|
|
|
|
<replaceable>interface</replaceable> name (e.g., eth0.+) in
|
|
|
|
the INTERFACE column.</para>
|
|
|
|
</note>
|
2006-11-15 19:15:40 +01:00
|
|
|
</listitem>
|
|
|
|
</varlistentry>
|
|
|
|
|
2007-05-08 21:05:25 +02:00
|
|
|
<varlistentry>
|
|
|
|
<term><emphasis role="bold">tcpflags</emphasis></term>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>Packets arriving on this interface are checked for
|
|
|
|
certain illegal combinations of TCP flags. Packets found to
|
|
|
|
have such a combination of flags are handled according to the
|
|
|
|
setting of TCP_FLAGS_DISPOSITION after having been logged
|
|
|
|
according to the setting of TCP_FLAGS_LOG_LEVEL.</para>
|
|
|
|
</listitem>
|
|
|
|
</varlistentry>
|
|
|
|
|
2006-11-15 19:15:40 +01:00
|
|
|
<varlistentry>
|
|
|
|
<term><emphasis role="bold">upnp</emphasis></term>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>Incoming requests from this interface may be remapped
|
2007-01-27 19:53:50 +01:00
|
|
|
via UPNP (upnpd). See <ulink
|
|
|
|
url="../UPnP.html">http://www.shorewall.net/UPnP.html</ulink>.</para>
|
2006-11-15 19:15:40 +01:00
|
|
|
</listitem>
|
|
|
|
</varlistentry>
|
2009-06-15 22:34:35 +02:00
|
|
|
|
|
|
|
<varlistentry>
|
|
|
|
<term><emphasis role="bold">upnpclient</emphasis></term>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>This option is intended for laptop users who always run
|
|
|
|
Shorewall on their system yet need to run UPnP-enabled client
|
|
|
|
apps such as Transmission (BitTorrent client). The option
|
|
|
|
causes Shorewall to detect the default gateway through the
|
|
|
|
interface and to accept UDP packets from that gateway. Note
|
|
|
|
that, like all aspects of UPnP, this is a security hole so use
|
2009-07-16 02:50:55 +02:00
|
|
|
this option at your own risk.</para>
|
2009-06-15 22:34:35 +02:00
|
|
|
</listitem>
|
|
|
|
</varlistentry>
|
2006-11-15 19:15:40 +01:00
|
|
|
</variablelist>
|
|
|
|
</listitem>
|
|
|
|
</varlistentry>
|
|
|
|
</variablelist>
|
|
|
|
</refsect1>
|
|
|
|
|
|
|
|
<refsect1>
|
|
|
|
<title>Example</title>
|
|
|
|
|
|
|
|
<variablelist>
|
|
|
|
<varlistentry>
|
|
|
|
<term>Example 1:</term>
|
|
|
|
|
|
|
|
<listitem>
|
2006-11-20 18:52:52 +01:00
|
|
|
<para>Suppose you have eth0 connected to a DSL modem and eth1
|
2006-11-15 19:15:40 +01:00
|
|
|
connected to your local network and that your local subnet is
|
2009-10-14 00:47:13 +02:00
|
|
|
192.168.1.0/24. The interface gets its IP address via DHCP from
|
2006-11-15 19:15:40 +01:00
|
|
|
subnet 206.191.149.192/27. You have a DMZ with subnet 192.168.2.0/24
|
|
|
|
using eth2.</para>
|
|
|
|
|
|
|
|
<para>Your entries for this setup would look like:</para>
|
|
|
|
|
|
|
|
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
|
|
|
net eth0 206.191.149.223 dhcp
|
|
|
|
loc eth1 192.168.1.255
|
|
|
|
dmz eth2 192.168.2.255</programlisting>
|
|
|
|
</listitem>
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
<varlistentry>
|
|
|
|
<term>Example 2:</term>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>The same configuration without specifying broadcast addresses
|
|
|
|
is:</para>
|
|
|
|
|
|
|
|
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
|
|
|
net eth0 detect dhcp
|
|
|
|
loc eth1 detect
|
|
|
|
dmz eth2 detect</programlisting>
|
|
|
|
</listitem>
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
<varlistentry>
|
|
|
|
<term>Example 3:</term>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>You have a simple dial-in system with no ethernet
|
|
|
|
connections.</para>
|
|
|
|
|
|
|
|
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
|
|
|
net ppp0 -</programlisting>
|
|
|
|
</listitem>
|
|
|
|
</varlistentry>
|
|
|
|
</variablelist>
|
|
|
|
</refsect1>
|
|
|
|
|
|
|
|
<refsect1>
|
|
|
|
<title>FILES</title>
|
|
|
|
|
|
|
|
<para>/etc/shorewall/interfaces</para>
|
|
|
|
</refsect1>
|
|
|
|
|
|
|
|
<refsect1>
|
|
|
|
<title>See ALSO</title>
|
|
|
|
|
|
|
|
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
|
|
|
|
shorewall-blacklist(5), shorewall-hosts(5), shorewall-ipsec(5),
|
|
|
|
shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
|
|
|
|
shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
|
2008-07-10 16:00:00 +02:00
|
|
|
shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
|
2006-11-15 19:15:40 +01:00
|
|
|
shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
|
|
|
|
shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
|
|
|
|
shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
|
|
|
|
</refsect1>
|
2008-08-03 04:33:35 +02:00
|
|
|
</refentry>
|