<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<refentry>
  <refmeta>
    <refentrytitle>shorewall6-interfaces</refentrytitle>

    <manvolnum>5</manvolnum>
  </refmeta>

  <refnamediv>
    <refname>interfaces</refname>

    <refpurpose>shorewall6 interfaces file</refpurpose>
  </refnamediv>

  <refsynopsisdiv>
    <cmdsynopsis>
      <command>/etc/shorewall6/interfaces</command>
    </cmdsynopsis>
  </refsynopsisdiv>

  <refsect1>
    <title>Description</title>

    <para>The interfaces file serves to define the firewall's network
    interfaces to shorewall6. The order of entries in this file is not
    significant in determining zone composition.</para>

    <para>The columns in the file are as follows.</para>

    <variablelist>
      <varlistentry>
        <term><emphasis role="bold">ZONE</emphasis> -
        <emphasis>zone-name</emphasis></term>

        <listitem>
          <para>Zone for this interface. Must match the name of a zone
          declared in /etc/shorewall6/zones. You may not list the firewall
          zone in this column.</para>

          <para>If the interface serves multiple zones that will be defined in
          the <ulink url="shorewall6-hosts.html">shorewall6-hosts</ulink>(5)
          file, you should place "-" in this column.</para>

          <para>If there are multiple interfaces to the same zone, you must
          list them in separate entries.</para>

          <para>Example:</para>

          <blockquote>
<programlisting>#ZONE   INTERFACE       UNICAST
loc     eth1            -
loc     eth2            -</programlisting>
          </blockquote>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><emphasis role="bold">INTERFACE</emphasis> -
        <emphasis>interface</emphasis><emphasis
        role="bold">[:</emphasis><emphasis>port</emphasis><emphasis
        role="bold">]</emphasis></term>

        <listitem>
          <para>Logical name of interface. Each interface may be listed only
          once in this file. You may NOT specify the name of a "virtual"
          interface (e.g., eth0:0) here; see <ulink
          url="http://www.shorewall.net/FAQ.htm#faq18">http://www.shorewall.net/FAQ.htm#faq18</ulink>.
          If the <option>physical</option> option is not specified, then the
          logical name is also the name of the actual interface.</para>

          <para>You may use wildcards here by specifying a prefix followed by
          the plus sign ("+"). For example, if you want to make an entry that
          applies to all PPP interfaces, use 'ppp+'; that would match ppp0,
          ppp1, ppp2, …</para>

          <para>Care must be exercised when using wildcards where there is
          another zone that uses a matching specific interface. See <ulink
          url="shorewall6-nesting.html">shorewall6-nesting</ulink>(5) for a
          discussion of this problem.</para>

          <para>Shorewall6 allows '+' as an interface name.</para>

          <para>There is no need to define the loopback interface (lo) in this
          file.</para>

          <para>If a <replaceable>port</replaceable> is given, then the
          <replaceable>interface</replaceable> must have been defined
          previously with the <option>bridge</option> option. The OPTIONS
          column must be empty when a <replaceable>port</replaceable> is
          given.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><emphasis role="bold">UNICAST</emphasis> - <emphasis
        role="bold">-</emphasis></term>

        <listitem>
          <para>Enter '<emphasis role="bold">-</emphasis>' in this column. It
          is here for compatibility between Shorewall6 and Shorewall.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><emphasis role="bold">OPTIONS</emphasis> (Optional) -
        [<emphasis>option</emphasis>[<emphasis
        role="bold">,</emphasis><emphasis>option</emphasis>]...]</term>

        <listitem>
          <para>A comma-separated list of options from the following list. The
          order in which you list the options is not significant but the list
          should have no embedded white space.</para>

          <variablelist>
            <varlistentry>
              <term><emphasis role="bold">blacklist</emphasis></term>

              <listitem>
                <para>Check packets arriving on this interface against the
                <ulink
                url="shorewall6-blacklist.html">shorewall6-blacklist</ulink>(5)
                file.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term><emphasis role="bold">bridge</emphasis></term>

              <listitem>
                <para>Designates the interface as a bridge.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term><emphasis
              role="bold">mss</emphasis>=<emphasis>number</emphasis></term>

              <listitem>
                <para>Causes forwarded TCP SYN packets entering or leaving on
                this interface to have their MSS field set to the specified
                <replaceable>number</replaceable>.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term><emphasis
              role="bold">nets=(<emphasis>net</emphasis>[,...])</emphasis></term>

              <listitem>
                <para>Limit the zone named in the ZONE column to only the
                listed networks. The parentheses may be omitted if only a
                single <replaceable>net</replaceable> is given.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term><emphasis role="bold">optional</emphasis></term>

              <listitem>
                <para>When <option>optional</option> is specified for an
                interface, shorewall6 will be silent when:</para>

                <itemizedlist>
                  <listitem>
                    <para>a <filename
                    class="directory">/proc/sys/net/ipv6/conf/</filename>
                    entry for the interface cannot be modified.</para>
                  </listitem>

                  <listitem>
                    <para>The first global IPv6 address of the interface
                    cannot be obtained.</para>
                  </listitem>
                </itemizedlist>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term><emphasis
              role="bold">physical</emphasis>=<emphasis>name</emphasis></term>

              <listitem>
                <para>Added in Shorewall 4.4.4. When specified, the interface
                or port name in the INTERFACE column is a logical name that
                refers to the name given in this option. It is useful when you
                want to specify the same wildcard port name on two or more
                bridges. See <ulink
                url="http://www.shorewall.net/bridge-Shorewall-perl.html#Multiple">http://www.shorewall.net/bridge-Shorewall-perl.html#Multiple</ulink>.</para>

                <para>If the <emphasis>interface</emphasis> name is a wildcard
                name (ends with '+'), then the physical
                <emphasis>name</emphasis> must also end in '+'.</para>

                <para>If <option>physical</option> is not specified, then its
                value defaults to the <emphasis>interface</emphasis>
                name.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term><emphasis role="bold">routeback</emphasis></term>

              <listitem>
                <para>If specified, indicates that shorewall6 should include
                rules that allow traffic arriving on this interface to be
                routed back out that same interface. This option is also
                required when you have used a wildcard in the INTERFACE column
                if you want to allow traffic between the interfaces that match
                the wildcard.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term><emphasis
              role="bold">sourceroute[={0|1}]</emphasis></term>

              <listitem>
                <para>If this option is not specified for an interface, then
                source-routed packets will not be accepted from that interface
                (sets
                /proc/sys/net/ipv6/conf/<emphasis>interface</emphasis>/accept_source_route
                to 1). Only set this option if you know what you are doing.
                This might represent a security risk and is not usually
                needed.</para>

                <para>Only those interfaces with the
                <option>sourceroute</option> option will have their setting
                changed; the value assigned to the setting will be the value
                specified (if any) or 1 if no value is given.</para>

                <note>
                  <para>This option does not work with a wild-card
                  <replaceable>interface</replaceable> name (e.g., eth0.+) in
                  the INTERFACE column.</para>
                </note>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term><emphasis role="bold">tcpflags</emphasis></term>

              <listitem>
                <para>Packets arriving on this interface are checked for
                certain illegal combinations of TCP flags. Packets found to
                have such a combination of flags are handled according to the
                setting of TCP_FLAGS_DISPOSITION after having been logged
                according to the setting of TCP_FLAGS_LOG_LEVEL.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term><emphasis role="bold">proxyndp[={0|1}]</emphasis></term>

              <listitem>
                <para>Sets
                /proc/sys/net/ipv6/conf/<emphasis>interface</emphasis>/proxy_ndp.</para>

                <para><emphasis role="bold">Note</emphasis>: This option does
                not work with a wild-card <replaceable>interface</replaceable>
                name (e.g., eth0.+) in the INTERFACE column.</para>

                <para>Only those interfaces with the <option>proxyndp</option>
                option will have their setting changed; the value assigned to
                the setting will be the value specified (if any) or 1 if no
                value is given.</para>
              </listitem>
            </varlistentry>
          </variablelist>
        </listitem>
      </varlistentry>
    </variablelist>
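    <para>The column rules above, as an added example that is not part of
    Shorewall itself: a small Python checker that parses an interfaces file
    and reports the constraints this page states (the firewall zone may not
    appear in ZONE, each interface is listed once, UNICAST must be '-', a
    port requires an earlier bridge entry and an empty OPTIONS column,
    sourceroute and proxyndp are rejected on wildcard names, and physical
    must end in '+' when the interface name does). The two sample files, the
    zone set {net, loc, dmz} and the firewall zone name fw are constructed
    for this example; the option set is limited to what this page
    documents.</para>

```python
"""Checks an /etc/shorewall6/interfaces file against the column rules in
shorewall6-interfaces(5). Added example; not part of Shorewall itself."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Option names documented on this page (assumption: the complete set for
# the release the page describes).
KNOWN_OPTIONS = {"blacklist", "bridge", "mss", "nets", "optional", "physical",
                 "routeback", "sourceroute", "tcpflags", "proxyndp"}
# Documented as not working with a wildcard (trailing '+') INTERFACE name.
NO_WILDCARD = {"sourceroute", "proxyndp"}

# Constructed sample files for this example (not taken from a real host).
CLEAN = """\
#ZONE   INTERFACE UNICAST OPTIONS
net     eth0      -       tcpflags,blacklist,sourceroute=0
loc     eth1      -       routeback,mss=1400
-       br0       -       bridge
dmz     br0:eth2  -
loc     ppp+      -       routeback,nets=(2001:db8:1::/64,2001:db8:2::/64)
"""
BROKEN = """\
#ZONE   INTERFACE UNICAST OPTIONS
fw      eth0      -
loc     eth0      -       sourceroute
loc     ppp+      -       proxyndp,physical=pppx
dmz     br1:eth3  -       blacklist
net     eth4      x       mss=big,foo
"""


@dataclass
class Entry:
    lineno: int
    zone: str
    interface: str
    port: Optional[str]
    unicast: str
    options: Dict[str, Optional[str]]   # option name to value, or None


def split_options(text: str) -> List[str]:
    """Split the OPTIONS column on commas, keeping the commas inside the
    parentheses of nets=(net1,net2) together."""
    parts, depth, cur = [], 0, ""
    for ch in text:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        if ch == "," and depth == 0:
            parts.append(cur)
            cur = ""
        else:
            cur += ch
    if cur:
        parts.append(cur)
    return parts


def parse(text: str) -> List[Entry]:
    """Turn file text into Entry records; comments and blank lines are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) == 1 or len(fields) > 4:
            raise ValueError(f"line {lineno}: expected 2 to 4 columns")
        zone, ifname, unicast, opts = (fields + ["-", "-", "-"])[:4]
        iface, _, port = ifname.partition(":")
        options: Dict[str, Optional[str]] = {}
        if opts != "-":
            for item in split_options(opts):
                name, _, value = item.partition("=")
                options[name] = value or None
        entries.append(Entry(lineno, zone, iface, port or None, unicast, options))
    return entries


def validate(text: str, zones, fw_zone: str = "fw") -> List[str]:
    """Return the rule violations found (an empty list means the file is clean).
    zones: names declared in shorewall6-zones(5); fw_zone: the firewall zone."""
    problems: List[str] = []
    seen: Dict[str, int] = {}   # INTERFACE column value to first line number
    bridges = set()             # interfaces already given the bridge option
    for e in parse(text):
        where = f"line {e.lineno}"
        key = e.interface if e.port is None else f"{e.interface}:{e.port}"
        if key in seen:
            problems.append(f"{where}: {key} already listed on line {seen[key]}")
        seen.setdefault(key, e.lineno)
        if e.zone == fw_zone:
            problems.append(f"{where}: the firewall zone may not be used in ZONE")
        elif e.zone != "-" and e.zone not in zones:
            problems.append(f"{where}: zone {e.zone} is not declared")
        if e.unicast != "-":
            problems.append(f"{where}: UNICAST must be '-'")
        wildcard = e.interface.endswith("+")
        if e.port is not None:
            if e.interface not in bridges:
                problems.append(f"{where}: {e.interface} must be defined earlier with bridge")
            if e.options:
                problems.append(f"{where}: OPTIONS must be empty when a port is given")
        for name, value in e.options.items():
            if name not in KNOWN_OPTIONS:
                problems.append(f"{where}: unknown option {name}")
            elif name in NO_WILDCARD and wildcard:
                problems.append(f"{where}: {name} does not work with wildcard {e.interface}")
            elif name in NO_WILDCARD and value not in (None, "0", "1"):
                problems.append(f"{where}: {name} takes 0 or 1, not {value}")
            elif name == "mss" and not (value or "").isdigit():
                problems.append(f"{where}: mss needs a number")
            elif name == "physical" and wildcard and not (value or "").endswith("+"):
                problems.append(f"{where}: physical name must end in '+' for wildcard {e.interface}")
        if "bridge" in e.options:
            bridges.add(e.interface)
    return problems


if __name__ == "__main__":
    for label, text in (("clean", CLEAN), ("broken", BROKEN)):
        print(label, validate(text, {"net", "loc", "dmz"}) or "OK")
```

    <para>Run as a script it reports nothing for the clean sample and nine
    findings for the broken one. Because the bridge check only looks at
    entries that came earlier in the file, the order of bridge and port lines
    matters to this checker exactly as the page says it matters to
    shorewall6, even though order never affects zone composition.</para>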
  </refsect1>

  <refsect1>
    <title>Example</title>

    <variablelist>
      <varlistentry>
        <term>Example 1:</term>

        <listitem>
          <para>Suppose you have eth0 connected to a DSL modem and eth1
          connected to your local network. You have a DMZ using eth2.</para>

          <para>Your entries for this setup would look like:</para>

          <programlisting>#ZONE   INTERFACE UNICAST        OPTIONS
net     eth0      -
loc     eth1      -
dmz     eth2      -</programlisting>
        </listitem>
      </varlistentry>
    </variablelist>
  </refsect1>

  <refsect1>
    <title>FILES</title>

    <para>/etc/shorewall6/interfaces</para>
  </refsect1>

  <refsect1>
    <title>SEE ALSO</title>

    <para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
    shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-maclist(5),
    shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5),
    shorewall6-route_rules(5), shorewall6-routestopped(5),
    shorewall6-rules(5), shorewall6.conf(5), shorewall6-tcclasses(5),
    shorewall6-tcdevices(5), shorewall6-tcrules(5), shorewall6-tos(5),
    shorewall6-tunnels(5), shorewall6-zones(5)</para>
  </refsect1>
</refentry>