# # Shorewall 1.3 -- Interfaces File # # /etc/shorewall/interfaces # # You must add an entry in this file for each network interface on your # firewall system. # # Columns are: # # ZONE Zone for this interface. Must match the short name # of a zone defined in /etc/shorewall/zones. # # If the interface serves multiple zones that will be # defined in the /etc/shorewall/hosts file, you may # place "-" in this column. # # INTERFACE Name of interface # # BROADCAST The broadcast address for the subnetwork to which the # interface belongs. For P-T-P interfaces, this # column is left black. # # If you use the special value "detect", the firewall # will detect the broadcast address for you. If you # select this option, the interface must be up before # the firewall is started and you must have iproute # installed. # # If you don't want to give a value for this column but # you want to enter a value in the OPTIONS column, enter # "-" in this column. # # OPTIONS A comma-separated list of options including the # following: # # dhcp - interface is managed by DHCP or used by # a DHCP server running on the firewall. # noping - icmp echo-request (ping) packets should # be ignored on this interface # routestopped - When the firewall is stopped, allow # and route traffic to and from this # interface. # norfc1918 - This interface should not receive # any packets whose source is in one # of the ranges reserved by RFC 1918 # (i.e., private or "non-routable" # addresses. If packet mangling is # enabled in shorewall.conf, packets # whose destination addresses are # reserved by RFC 1918 are also rejected. # multi - This interface has multiple IP # addresses and you want to be able to # route between them. # routefilter - turn on kernel route filtering for this # interface (anti-spoofing measure). # dropunclean - Logs and drops mangled/invalid packets # # logunclean - Logs mangled/invalid packets but does # not drop them. # . . blacklist - Check packets arriving on this interface # against the /etc/shorewall/blacklist # file. # # Example 1: Suppose you have eth0 connected to a DSL modem and # eth1 connected to your local network and that your # local subnet is 192.168.1.0/24. The interface gets # it's IP address via DHCP from subnet # 206.191.149.192/27 and you want pings from the internet # to be ignored. You interface a DMZ with subnet # 192.168.2.0/24 using eth2. You want to be able to # access the firewall from the local network when the # firewall is stopped. # # Your entries for this setup would look like: # # net eth0 206.191.149.223 noping,dhcp # local eth1 192.168.1.255 routestopped # dmz eth2 192.168.2.255 # # Example 2: The same configuration without specifying broadcast # addresses is: # # net eth0 detect noping,dhcp # loc eth1 detect routestopped # dmz eth2 detect # # Example 3: You have a simple dial-in system with no ethernet # connections and you want to ignore ping requests. # # net ppp0 - noping ############################################################################## #ZONE INTERFACE BROADCAST OPTIONS net eth0 detect dhcp,norfc1918,dhcp loc eth1 detect routestopped dmz eth2 detect routestopped #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE