#
# Shorewall version 3.3 - Interfaces File
#
# /etc/shorewall/interfaces
#
#	You must add an entry in this file for each network interface on your
#	firewall system.
#
# Columns are:
#
#	ZONE		Zone for this interface. Must match the name of a
#			zone defined in /etc/shorewall/zones. You may not
#			list the firewall zone in this column.
#
#			If the interface serves multiple zones that will be
#			defined in the /etc/shorewall/hosts file, you should
#			place "-" in this column.
#
#			If there are multiple interfaces to the same zone,
#			you must list them in separate entries:
#
#			Example:
#
#				loc	eth1	-
#				loc	eth2	-
#
#	INTERFACE	Name of interface. Each interface may be listed only
#			once in this file. You may NOT specify the name of
#			an alias (e.g., eth0:0) here; see
#			http://www.shorewall.net/FAQ.htm#faq18
#
#			You may specify wildcards here. For example, if you
#			want to make an entry that applies to all PPP
#			interfaces, use 'ppp+'.
#
#			There is no need to define the loopback	interface (lo)
#			in this file.
#
#	BROADCAST	The broadcast address for the subnetwork to which the
#			interface belongs. For P-T-P interfaces, this
#			column is left blank.If the interface has multiple
#			addresses on multiple subnets then list the broadcast
#			addresses as a comma-separated list.
#
#			If you use the special value "detect", Shorewall
#			will detect the broadcast address(es) for you. If you
#			select this option, the interface must be up before
#			the firewall is started.
#
#			If you don't want to give a value for this column but
#			you want to enter a value in the OPTIONS column, enter
#			"-" in this column.
#
#	OPTIONS		A comma-separated list of options including the
#			following:
#
#			dhcp	     - Specify this option when any of
#				       the following are true:
#				       1. the interface gets its IP address
#					  via DHCP
#				       2. the interface is used by
#					  a DHCP server running on the firewall
#				       3. you have a static IP but are on a LAN
#					  segment with lots of Laptop DHCP
#					  clients.
#				       4. the interface is a bridge with
#					  a DHCP server on one port and DHCP
#					  clients on another port.
#
#			norfc1918    - This interface should not receive
#				       any packets whose source is in one
#				       of the ranges reserved by RFC 1918
#				       (i.e., private or "non-routable"
#				       addresses). If packet mangling or
#				       connection-tracking match is enabled in
#				       your kernel, packets whose destination
#				       addresses are reserved by RFC 1918 are
#				       also rejected.
#
#			routefilter  - turn on kernel route filtering for this
#				       interface (anti-spoofing measure). This
#				       option can also be enabled globally in
#				       the /etc/shorewall/shorewall.conf file.
#
#			logmartians  - turn on kernel martian logging (logging
#				       of packets with impossible source
#				       addresses. It is suggested that if you
#				       set routefilter on an interface that
#				       you also set logmartians. This option
#				       may also be enabled globally in the
#				       /etc/shorewall/shorewall.conf file.
#
#			blacklist    - Check packets arriving on this interface
#				       against the /etc/shorewall/blacklist
#				       file.
#
#			maclist	     - Connection requests from this interface
#				       are compared against the contents of
#				       /etc/shorewall/maclist. If this option
#				       is specified, the interface must be
#				       an ethernet NIC and must be up before
#				       Shorewall is started.
#
#			tcpflags     - Packets arriving on this interface are
#				       checked for certain illegal combinations
#				       of TCP flags. Packets found to have
#				       such a combination of flags are handled
#				       according to the setting of
#				       TCP_FLAGS_DISPOSITION after having been
#				       logged according to the setting of
#				       TCP_FLAGS_LOG_LEVEL.
#
#			proxyarp     -
#				Sets
#				/proc/sys/net/ipv4/conf/<interface>/proxy_arp.
#				Do NOT use this option if you are
#				employing Proxy ARP through entries in
#				/etc/shorewall/proxyarp. This option is
#				intended soley for use with Proxy ARP
#				sub-networking as described at:
#				http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet
#
#			routeback    - If specified, indicates that Shorewall
#				       should include rules that allow
#				       filtering traffic arriving on this
#				       interface back out that same interface.
#
#			arp_filter   - If specified, this interface will only
#				       respond to ARP who-has requests for IP
#				       addresses configured on the interface.
#				       If not specified, the interface can
#				       respond to ARP who-has requests for
#				       IP addresses on any of the firewall's
#				       interface. The interface must be up
#				       when Shorewall is started.
#
#			arp_ignore[=<number>]
#				     - If specified, this interface will
#				       respond to arp requests based on the
#				       value of <number>.
#
#				       1 - reply only if the target IP address
#				       is local address configured on the
#				       incoming interface
#
#				       2 - reply only if the target IP address
#				       is local address configured on the
#				       incoming interface and both with the
#				       sender's IP address are part from same
#				       subnet on this interface
#
#				       3 - do not reply for local addresses
#				       configured with scope host, only
#				       resolutions for global and link
#				       addresses are replied
#
#				       4-7 - reserved
#
#				       8 - do not reply for all local
#				       addresses
#
#				       If no <number> is given then the value
#				       1 is assumed
#
#				       WARNING -- DO NOT SPECIFY arp_ignore
#				       FOR ANY INTERFACE INVOLVED IN PROXY ARP.
#
#			nosmurfs     - Filter packets for smurfs
#				       (packets with a broadcast
#				       address as the source).
#
#				       Smurfs will be optionally logged based
#				       on the setting of SMURF_LOG_LEVEL in
#				       shorewall.conf. After logging, the
#				       packets are dropped.
#
#			detectnets   - Automatically taylors the zone named
#				       in the ZONE column to include only those
#				       hosts routed through the interface.
#
#			sourceroute  - If this option is not specified for an
#				       interface, then source-routed packets
#				       will not be accepted from that
#				       interface (sets /proc/sys/net/ipv4/
#				       conf/<interface>/
#				       accept_source_route to 1).
#				       Only set this option if you know what
#				       you are you doing. This might represent
#				       a security risk and is not usually
#				       needed.
#
#			upnp	     - Incoming requests from this interface
#				       may be remapped via UPNP (upnpd).
#
#			WARNING: DO NOT SET THE detectnets OPTION ON YOUR
#				 INTERNET INTERFACE.
#
#			The order in which you list the options is not
#			significant but the list should have no embedded white
#			space.
#
#	Example 1:	Suppose you have eth0 connected to a DSL modem and
#			eth1 connected to your local network and that your
#			local subnet is 192.168.1.0/24. The interface gets
#			it's IP address via DHCP from subnet
#			206.191.149.192/27. You have a DMZ with subnet
#			192.168.2.0/24 using eth2.
#
#			Your entries for this setup would look like:
#
#			net	eth0	206.191.149.223	dhcp
#			local	eth1	192.168.1.255
#			dmz	eth2	192.168.2.255
#
#	Example 2:	The same configuration without specifying broadcast
#			addresses is:
#
#			net	eth0	detect		dhcp
#			loc	eth1	detect
#			dmz	eth2	detect
#
#	Example 3:	You have a simple dial-in system with no ethernet
#			connections.
#
#			net	ppp0	-
#
# For additional information, see
# http://shorewall.net/Documentation.htm#Interfaces
#
###############################################################################
#ZONE	INTERFACE	BROADCAST	OPTIONS
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE