<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<refentry>
  <refmeta>
    <refentrytitle>shorewall-interfaces</refentrytitle>

    <manvolnum>5</manvolnum>
  </refmeta>

  <refnamediv>
    <refname>interfaces</refname>

    <refpurpose>Shorewall interfaces file</refpurpose>
  </refnamediv>

  <refsynopsisdiv>
    <cmdsynopsis>
      <command>/etc/shorewall/interfaces</command>
    </cmdsynopsis>
  </refsynopsisdiv>

  <refsect1>
    <title>Description</title>

    <para>The interfaces file serves to define the firewall's network
    interfaces to Shorewall. The order of entries in this file is not
    significant in determining zone composition.</para>

    <para>The columns in the file are as follows.</para>

    <variablelist>
      <varlistentry>
        <term><emphasis role="bold">ZONE</emphasis> -
        <emphasis>zone-name</emphasis></term>

        <listitem>
          <para>Zone for this interface. Must match the name of a zone
          declared in /etc/shorewall/zones. You may not list the firewall zone
          in this column.</para>

          <para>If the interface serves multiple zones that will be defined in
          the <ulink url="shorewall-hosts.html">shorewall-hosts</ulink>(5)
          file, you should place "-" in this column.</para>

          <para>If there are multiple interfaces to the same zone, you must
          list them in separate entries.</para>

          <para>Example:</para>

          <blockquote>
            <programlisting>#ZONE   INTERFACE       BROADCAST
loc     eth1            -
loc     eth2            -</programlisting>
          </blockquote>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><emphasis role="bold">INTERFACE</emphasis> -
        <emphasis>interface</emphasis><emphasis
        role="bold">[:</emphasis><emphasis>port</emphasis><emphasis
        role="bold">]</emphasis></term>

        <listitem>
          <para>Name of interface. Each interface may be listed only once in
          this file. You may NOT specify the name of a "virtual" interface
          (e.g., eth0:0) here; see <ulink
          url="http://www.shorewall.net/FAQ.htm#faq18">http://www.shorewall.net/FAQ.htm#faq18</ulink></para>

          <para>You may use wildcards here by specifying a prefix followed by
          the plus sign ("+"). For example, if you want to make an entry that
          applies to all PPP interfaces, use 'ppp+'; that would match ppp0,
          ppp1, ppp2, …</para>

          <para>When using Shorewall versions before 4.1.4, care must be
          exercised when using wildcards where there is another zone that uses
          a matching specific interface. See <ulink
          url="shorewall-nesting.html">shorewall-nesting</ulink>(5) for a
          discussion of this problem.</para>

          <para>Beginning with Shorewall 4.2.3, Shorewall-perl allows '+' as
          an interface name.</para>

          <para>There is no need to define the loopback interface (lo) in this
          file.</para>

          <para>(Shorewall-perl only) If a <replaceable>port</replaceable> is
          given, then the <replaceable>interface</replaceable> must have been
          defined previously with the <option>bridge</option> option. The
          OPTIONS column may not contain the following options when a
          <replaceable>port</replaceable> is given.</para>

          <simplelist>
            <member>arp_filter</member>

            <member>arp_ignore</member>

            <member>bridge</member>

            <member>log_martians</member>

            <member>mss</member>

            <member>optional</member>

            <member>proxyarp</member>

            <member>routefilter</member>

            <member>sourceroute</member>

            <member>upnp</member>
          </simplelist>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><emphasis role="bold">BROADCAST</emphasis> (Optional) -
        {<emphasis role="bold">-</emphasis>|<emphasis
        role="bold">detect</emphasis>|<emphasis>address</emphasis>[,<emphasis>address</emphasis>]...}</term>

        <listitem>
          <para>The broadcast address(es) for the network(s) to which the
          interface belongs. For P-T-P interfaces, this column is left blank.
          If the interface has multiple addresses on multiple subnets then
          list the broadcast addresses as a comma-separated list.</para>

          <para>If you use the special value <emphasis
          role="bold">detect</emphasis>, Shorewall will detect the broadcast
          address(es) for you. If you select this option, the interface must
          be up before the firewall is started.</para>

          <para>If you don't want to give a value for this column but you want
          to enter a value in the OPTIONS column, enter <emphasis
          role="bold">-</emphasis> in this column.</para>

          <para><emphasis role="bold">Note to Shorewall-perl users:</emphasis>
          Shorewall-perl only supports <option>detect</option> or <emphasis
          role="bold">-</emphasis> in this column. If you specify
          <replaceable>address</replaceable>es, a compilation warning will be
          issued.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><emphasis role="bold">OPTIONS</emphasis> (Optional) -
        [<emphasis>option</emphasis>[<emphasis
        role="bold">,</emphasis><emphasis>option</emphasis>]...]</term>

        <listitem>
          <para>A comma-separated list of options from the following list. The
          order in which you list the options is not significant but the list
          should have no embedded white space.</para>

          <variablelist>
            <varlistentry>
              <term><emphasis role="bold">arp_filter[={0|1}]</emphasis></term>

              <listitem>
                <para>If specified, this interface will only respond to ARP
                who-has requests for IP addresses configured on the interface.
                If not specified, the interface can respond to ARP who-has
                requests for IP addresses on any of the firewall's interface.
                The interface must be up when Shorewall is started.</para>

                <para>The option value (0 or 1) may only be specified if you
                are using Shorewall-perl. With Shorewall-perl, only those
                interfaces with the <option>arp_filter</option> option will
                have their setting changes; the value assigned to the setting
                will be the value specified (if any) or 1 if no value is
                given.</para>

                <para></para>

                <note>
                  <para>This option does not work with a wild-card
                  <replaceable>interface</replaceable> name (e.g., eth0.+) in
                  the INTERFACE column.</para>
                </note>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term><emphasis
              role="bold">arp_ignore</emphasis>[=<emphasis>number</emphasis>]</term>

              <listitem>
                <para>If specified, this interface will respond to arp
                requests based on the value of <emphasis>number</emphasis>
                (defaults to 1).</para>

                <para>1 - reply only if the target IP address is local address
                configured on the incoming interface</para>

                <para>2 - reply only if the target IP address is local address
                configured on the incoming interface and the sender's IP
                address is part from same subnet on this interface</para>

                <para>3 - do not reply for local addresses configured with
                scope host, only resolutions for global and link</para>

                <para>4-7 - reserved</para>

                <para>8 - do not reply for all local addresses</para>

                <para></para>

                <note>
                  <para>This option does not work with a wild-card
                  <replaceable>interface</replaceable> name (e.g., eth0.+) in
                  the INTERFACE column.</para>
                </note>

                <para></para>

                <warning>
                  <para>Do not specify <emphasis
                  role="bold">arp_ignore</emphasis> for any interface involved
                  in <ulink url="../ProxyARP.htm">Proxy ARP</ulink>.</para>
                </warning>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term><emphasis role="bold">blacklist</emphasis></term>

              <listitem>
                <para>Check packets arriving on this interface against the
                <ulink
                url="shorewall-blacklist.html">shorewall-blacklist</ulink>(5)
                file.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term><emphasis role="bold">bridge</emphasis></term>

              <listitem>
                <para>(Shorewall-perl only) Designates the interface as a
                bridge.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term><emphasis role="bold">dhcp</emphasis></term>

              <listitem>
                <para>Specify this option when any of the following are
                true:</para>

                <orderedlist spacing="compact">
                  <listitem>
                    <para>the interface gets its IP address via DHCP</para>
                  </listitem>

                  <listitem>
                    <para>the interface is used by a DHCP server running on
                    the firewall</para>
                  </listitem>

                  <listitem>
                    <para>the interface has a static IP but is on a LAN
                    segment with lots of DHCP clients.</para>
                  </listitem>

                  <listitem>
                    <para>the interface is a <ulink
                    url="../SimpleBridge.html">simple bridge</ulink> with a
                    DHCP server on one port and DHCP clients on another
                    port.</para>

                    <note>
                      <para>If you use <ulink
                      url="../bridge-Shorewall-perl.html">Shorewall-perl for
                      firewall/bridging</ulink>, then you need to include
                      DHCP-specific rules in <ulink
                      url="shorewall-rules.html">shorewall-rules</ulink>(8).
                      DHCP uses UDP ports 67 and 68.</para>
                    </note>
                  </listitem>
                </orderedlist>

                <para>This option allows DHCP datagrams to enter and leave the
                interface.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term><emphasis
              role="bold">logmartians[={0|1}]</emphasis></term>

              <listitem>
                <para>Turn on kernel martian logging (logging of packets with
                impossible source addresses. It is strongly suggested that if
                you set <emphasis role="bold">routefilter</emphasis> on an
                interface that you also set <emphasis
                role="bold">logmartians</emphasis>. Even if you do not specify
                the <option>routefilter</option> option, it is a good idea to
                specify <option>logmartians</option> because your distribution
                may be enabling route filtering without you knowing it.</para>

                <para>The option value (0 or 1) may only be specified if you
                are using Shorewall-perl. With Shorewall-perl, only those
                interfaces with the <option>logmartians</option> option will
                have their setting changes; the value assigned to the setting
                will be the value specified (if any) or 1 if no value is
                given.</para>

                <para>To find out if route filtering is set on a given
                <replaceable>interface</replaceable>, check the contents of
                <filename>/proc/sys/net/ipv4/conf/<replaceable>interface</replaceable>/rp_filter</filename>
                - a non-zero value indicates that route filtering is
                enabled.</para>

                <para>Example:</para>

                <programlisting>        teastep@lists:~$ <command>cat /proc/sys/net/ipv4/conf/eth0/rp_filter </command>
        1
        teastep@lists:~$ </programlisting>

                <para></para>

                <note>
                  <para>This option does not work with a wild-card
                  <replaceable>interface</replaceable> name (e.g., eth0.+) in
                  the INTERFACE column.</para>
                </note>

                <blockquote>
                  <para>This option may also be enabled globally in the <ulink
                  url="shorewall.conf.html">shorewall.conf</ulink>(5)
                  file.</para>
                </blockquote>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term><emphasis role="bold">maclist</emphasis></term>

              <listitem>
                <para>Connection requests from this interface are compared
                against the contents of <ulink
                url="shorewall-maclist.html">shorewall-maclist</ulink>(5). If
                this option is specified, the interface must be an ethernet
                NIC and must be up before Shorewall is started.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term><emphasis
              role="bold">mss</emphasis>=<emphasis>number</emphasis></term>

              <listitem>
                <para>Added in Shorewall 4.0.3. Causes forwarded TCP SYN
                packets entering or leaving on this interface to have their
                MSS field set to the specified
                <replaceable>number</replaceable>.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term><emphasis role="bold">norfc1918</emphasis></term>

              <listitem>
                <para>This interface should not receive any packets whose
                source is in one of the ranges reserved by RFC 1918 (i.e.,
                private or "non-routable" addresses). If packet mangling or
                connection-tracking match is enabled in your kernel, packets
                whose destination addresses are reserved by RFC 1918 are also
                rejected.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term><emphasis role="bold">nosmurfs</emphasis></term>

              <listitem>
                <para>Filter packets for smurfs (packets with a broadcast
                address as the source).</para>

                <para>Smurfs will be optionally logged based on the setting of
                SMURF_LOG_LEVEL in <ulink
                url="shorewall.conf.html">shorewall.conf</ulink>(5). After
                logging, the packets are dropped.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term><emphasis role="bold">optional</emphasis></term>

              <listitem>
                <para>Only supported by Shorewall-perl. When
                <option>optional</option> is specified for an interface,
                Shorewall will be silent when:</para>

                <itemizedlist>
                  <listitem>
                    <para>a <filename
                    class="directory">/proc/sys/net/ipv4/conf/</filename>
                    entry for the interface cannot be modified (including for
                    proxy ARP).</para>
                  </listitem>

                  <listitem>
                    <para>The first address of the interface cannot be
                    obtained.</para>
                  </listitem>
                </itemizedlist>

                <para></para>

                <blockquote>
                  <para>I specify <option>optional</option> on interfaces to
                  Xen virtual machines that may or may not be running when
                  Shorewall is [re]started.</para>

                  <para></para>

                  <caution>
                    <para>Use <option>optional</option> at your own risk. If
                    you [re]start Shorewall when an 'optional' interface is
                    not available and then do a <command>shorewall
                    save</command>, subsequent <command>shorewall
                    restore</command> and <command>shorewall -f
                    start</command> operations will instantiate a ruleset that
                    does not support that interface, even if it is available
                    at the time of the restore/start.</para>
                  </caution>
                </blockquote>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term><emphasis role="bold">proxyarp[={0|1}]</emphasis></term>

              <listitem>
                <para>Sets
                /proc/sys/net/ipv4/conf/<emphasis>interface</emphasis>/proxy_arp.
                Do NOT use this option if you are employing Proxy ARP through
                entries in <ulink
                url="shorewall-proxyarp.html">shorewall-proxyarp</ulink>(5).
                This option is intended solely for use with Proxy ARP
                sub-networking as described at: <ulink
                url="http://tldp.org/HOWTO/Proxy-ARP-Subnet/index.html">http://tldp.org/HOWTO/Proxy-ARP-Subnet/index.html.
                </ulink></para>

                <para><emphasis role="bold">Note</emphasis>: This option does
                not work with a wild-card <replaceable>interface</replaceable>
                name (e.g., eth0.+) in the INTERFACE column.</para>

                <para>The option value (0 or 1) may only be specified if you
                are using Shorewall-perl. With Shorewall-perl, only those
                interfaces with the <option>proxyarp</option> option will have
                their setting changed; the value assigned to the setting will
                be the value specified (if any) or 1 if no value is
                given.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term><emphasis role="bold">routeback</emphasis></term>

              <listitem>
                <para>If specified, indicates that Shorewall should include
                rules that allow traffic arriving on this interface to be
                routed back out that same interface. This option is also
                required when you have used a wildcard in the INTERFACE column
                if you want to allow traffic between the interfaces that match
                the wildcard.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term><emphasis
              role="bold">routefilter[={0|1}]</emphasis></term>

              <listitem>
                <para>Turn on kernel route filtering for this interface
                (anti-spoofing measure).</para>

                <para>The option value (0 or 1) may only be specified if you
                are using Shorewall-perl. With Shorewall-perl, only those
                interfaces with the <option>routefilter</option> option will
                have their setting changes; the value assigned to the setting
                will be the value specified (if any) or 1 if no value is
                given.</para>

                <para></para>

                <note>
                  <para>This option does not work with a wild-card
                  <replaceable>interface</replaceable> name (e.g., eth0.+) in
                  the INTERFACE column.</para>
                </note>

                <blockquote>
                  <para>This option can also be enabled globally in the <ulink
                  url="shorewall.conf.html">shorewall.conf</ulink>(5)
                  file.</para>
                </blockquote>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term><emphasis
              role="bold">sourceroute[={0|1}]</emphasis></term>

              <listitem>
                <para>If this option is not specified for an interface, then
                source-routed packets will not be accepted from that interface
                (sets
                /proc/sys/net/ipv4/conf/<emphasis>interface</emphasis>/accept_source_route
                to 1). Only set this option if you know what you are doing.
                This might represent a security risk and is not usually
                needed.</para>

                <para>The option value (0 or 1) may only be specified if you
                are using Shorewall-perl. With Shorewall-perl, only those
                interfaces with the <option>sourceroute</option> option will
                have their setting changes; the value assigned to the setting
                will be the value specified (if any) or 1 if no value is
                given.</para>

                <para></para>

                <note>
                  <para>This option does not work with a wild-card
                  <replaceable>interface</replaceable> name (e.g., eth0.+) in
                  the INTERFACE column.</para>
                </note>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term><emphasis role="bold">tcpflags</emphasis></term>

              <listitem>
                <para>Packets arriving on this interface are checked for
                certain illegal combinations of TCP flags. Packets found to
                have such a combination of flags are handled according to the
                setting of TCP_FLAGS_DISPOSITION after having been logged
                according to the setting of TCP_FLAGS_LOG_LEVEL.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term><emphasis role="bold">upnp</emphasis></term>

              <listitem>
                <para>Incoming requests from this interface may be remapped
                via UPNP (upnpd). See <ulink
                url="../UPnP.html">http://www.shorewall.net/UPnP.html</ulink>.</para>
              </listitem>
            </varlistentry>
          </variablelist>
        </listitem>
      </varlistentry>
    </variablelist>
  </refsect1>

  <refsect1>
    <title>Example</title>

    <variablelist>
      <varlistentry>
        <term>Example 1:</term>

        <listitem>
          <para>Suppose you have eth0 connected to a DSL modem and eth1
          connected to your local network and that your local subnet is
          192.168.1.0/24. The interface gets it's IP address via DHCP from
          subnet 206.191.149.192/27. You have a DMZ with subnet 192.168.2.0/24
          using eth2.</para>

          <para>Your entries for this setup would look like:</para>

          <programlisting>#ZONE   INTERFACE BROADCAST        OPTIONS
net     eth0      206.191.149.223  dhcp
loc     eth1      192.168.1.255
dmz     eth2      192.168.2.255</programlisting>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>Example 2:</term>

        <listitem>
          <para>The same configuration without specifying broadcast addresses
          is:</para>

          <programlisting>#ZONE   INTERFACE BROADCAST        OPTIONS
net     eth0      detect           dhcp
loc     eth1      detect
dmz     eth2      detect</programlisting>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>Example 3:</term>

        <listitem>
          <para>You have a simple dial-in system with no ethernet
          connections.</para>

          <programlisting>#ZONE   INTERFACE BROADCAST        OPTIONS
net     ppp0      -</programlisting>
        </listitem>
      </varlistentry>
    </variablelist>
  </refsect1>

  <refsect1>
    <title>FILES</title>

    <para>/etc/shorewall/interfaces</para>
  </refsect1>

  <refsect1>
    <title>See ALSO</title>

    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
    shorewall-blacklist(5), shorewall-hosts(5), shorewall-ipsec(5),
    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
    shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
    shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
    shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
  </refsect1>
</refentry>