shorewall-doc-4.0.15-0.2mdvmes5.noarch.rpm

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>shorewall-interfaces</title><link rel="stylesheet" href="html.css" type="text/css" /><meta name="generator" content="DocBook XSL Stylesheets V1.73.2" /></head><body><div class="refentry" lang="en" xml:lang="en"><a id="id257171"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>interfaces — Shorewall interfaces file</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">/etc/shorewall/interfaces</code> </p></div></div><div class="refsect1" lang="en" xml:lang="en"><a id="id257202"></a><h2>Description</h2><p>The interfaces file serves to define the firewall's network
    interfaces to Shorewall. The order of entries in this file is not
    significant in determining zone composition.</p><p>The columns in the file are as follows.</p><div class="variablelist"><dl><dt><span class="term"><span class="bold"><strong>ZONE</strong></span> -
        <span class="emphasis"><em>zone-name</em></span></span></dt><dd><p>Zone for this interface. Must match the name of a zone
          declared in /etc/shorewall/zones. You may not list the firewall zone
          in this column.</p><p>If the interface serves multiple zones that will be defined in
          the <a class="ulink" href="shorewall-hosts.html" target="_self">shorewall-hosts</a>(5)
          file, you should place "-" in this column.</p><p>If there are multiple interfaces to the same zone, you must
          list them in separate entries.</p><p>Example:</p><div class="blockquote"><blockquote class="blockquote"><pre class="programlisting">#ZONE   INTERFACE       BROADCAST
loc     eth1            -
loc     eth2            -</pre></blockquote></div></dd><dt><span class="term"><span class="bold"><strong>INTERFACE</strong></span> -
        <span class="emphasis"><em>interface</em></span><span class="bold"><strong>[:</strong></span><span class="emphasis"><em>port</em></span><span class="bold"><strong>]</strong></span></span></dt><dd><p>Name of interface. Each interface may be listed only once in
          this file. You may NOT specify the name of a "virtual" interface
          (e.g., eth0:0) here; see <a class="ulink" href="http://www.shorewall.net/FAQ.htm#faq18" target="_self">http://www.shorewall.net/FAQ.htm#faq18</a></p><p>You may use wildcards here by specifying a prefix followed by
          the plus sign ("+"). For example, if you want to make an entry that
          applies to all PPP interfaces, use 'ppp+'; that would match ppp0,
          ppp1, ppp2, …</p><p>Care must be exercised when using wildcards where there is
          another zone that uses a matching specific interface. See <a class="ulink" href="shorewall-nesting.html" target="_self">shorewall-nesting</a>(5) for a
          discussion of this problem.</p><p>There is no need to define the loopback interface (lo) in this
          file.</p><p>(Shorewall-perl only) If a <em class="replaceable"><code>port</code></em> is
          given, then the <em class="replaceable"><code>interface</code></em> must have been
          defined previously with the <code class="option">bridge</code> option. The
          OPTIONS column must be empty when a <em class="replaceable"><code>port</code></em>
          is given.</p></dd><dt><span class="term"><span class="bold"><strong>BROADCAST</strong></span> (Optional) -
        {<span class="bold"><strong>-</strong></span>|<span class="bold"><strong>detect</strong></span>|<span class="emphasis"><em>address</em></span>[,<span class="emphasis"><em>address</em></span>]...}</span></dt><dd><p>The broadcast address(es) for the network(s) to which the
          interface belongs. For P-T-P interfaces, this column is left
          blank. If the interface has multiple addresses on multiple subnets
          then list the broadcast addresses as a comma-separated list.</p><p>If you use the special value <span class="bold"><strong>detect</strong></span>, Shorewall will detect the broadcast
          address(es) for you. If you select this option, the interface must
          be up before the firewall is started.</p><p>If you don't want to give a value for this column but you want
          to enter a value in the OPTIONS column, enter <span class="bold"><strong>-</strong></span> in this column.</p><p><span class="bold"><strong>Note to Shorewall-perl users:</strong></span>
          Shorewall-perl only supports <code class="option">detect</code> or <span class="bold"><strong>-</strong></span> in this column. If you specify
          <em class="replaceable"><code>address</code></em>es, a compilation warning will be
          issued.</p></dd><dt><span class="term"><span class="bold"><strong>OPTIONS</strong></span> (Optional) -
        [<span class="emphasis"><em>option</em></span>[<span class="bold"><strong>,</strong></span><span class="emphasis"><em>option</em></span>]...]</span></dt><dd><p>A comma-separated list of options from the following list. The
          order in which you list the options is not significant but the list
          should have no embedded white space.</p><div class="variablelist"><dl><dt><span class="term"><span class="bold"><strong>arp_filter[={0|1}]</strong></span></span></dt><dd><p>If specified, this interface will only respond to ARP
                who-has requests for IP addresses configured on the interface.
                If not specified, the interface can respond to ARP who-has
                 requests for IP addresses on any of the firewall's interfaces.
                The interface must be up when Shorewall is started.</p><p>The option value (0 or 1) may only be specified if you
                are using Shorewall-perl. With Shorewall-perl, only those
                interfaces with the <code class="option">arp_filter</code> option will
                 have their setting changed; the value assigned to the setting
                will be the value specified (if any) or 1 if no value is
                given.</p><p></p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>This option does not work with a wild-card
                  <em class="replaceable"><code>interface</code></em> name (e.g., eth0.+) in
                  the INTERFACE column.</p></div></dd><dt><span class="term"><span class="bold"><strong>arp_ignore</strong></span>[=<span class="emphasis"><em>number</em></span>]</span></dt><dd><p>If specified, this interface will respond to arp
                requests based on the value of <span class="emphasis"><em>number</em></span>
                 (defaults to 1).</p><p>1 - reply only if the target IP address is a local address
                 configured on the incoming interface</p><p>2 - reply only if the target IP address is a local address
                 configured on the incoming interface and the sender's IP
                 address is part of the same subnet on this interface</p><p>3 - do not reply for local addresses configured with
                scope host, only resolutions for global and link</p><p>4-7 - reserved</p><p>8 - do not reply for all local addresses</p><p></p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>This option does not work with a wild-card
                  <em class="replaceable"><code>interface</code></em> name (e.g., eth0.+) in
                  the INTERFACE column.</p></div><p></p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>Do not specify <span class="bold"><strong>arp_ignore</strong></span> for any interface involved
                  in <a class="ulink" href="../ProxyARP.htm" target="_self">Proxy ARP</a>.</p></div></dd><dt><span class="term"><span class="bold"><strong>blacklist</strong></span></span></dt><dd><p>Check packets arriving on this interface against the
                <a class="ulink" href="shorewall-blacklist.html" target="_self">shorewall-blacklist</a>(5)
                file.</p></dd><dt><span class="term"><span class="bold"><strong>bridge</strong></span></span></dt><dd><p>(Shorewall-perl only) Designates the interface as a
                bridge.</p></dd><dt><span class="term"><span class="bold"><strong>detectnets</strong></span>
              (Deprecated)</span></dt><dd><p>Automatically tailors the zone named in the ZONE column
                to include only those hosts routed through the
                interface.</p><p></p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>Do not set the <span class="bold"><strong>detectnets</strong></span> option on your internet
                  interface.</p><p>Support for this option will be removed in a future
                  release of Shorewall-perl. Better to use the <span class="bold"><strong>routefilter</strong></span> option together with the
                  <span class="bold"><strong>logmartians</strong></span> option.</p></div></dd><dt><span class="term"><span class="bold"><strong>dhcp</strong></span></span></dt><dd><p>Specify this option when any of the following are
                true:</p><div class="orderedlist"><ol type="1" compact="compact"><li><p>the interface gets its IP address via DHCP</p></li><li><p>the interface is used by a DHCP server running on
                    the firewall</p></li><li><p>you have a static IP but are on a LAN segment with
                    lots of DHCP clients.</p></li><li><p>the interface is a bridge with a DHCP server on one
                    port and DHCP clients on another port.</p></li></ol></div></dd><dt><span class="term"><span class="bold"><strong>logmartians[={0|1}]</strong></span></span></dt><dd><p>Turn on kernel martian logging (logging of packets with
                 impossible source addresses). It is strongly suggested that if
                you set <span class="bold"><strong>routefilter</strong></span> on an
                interface that you also set <span class="bold"><strong>logmartians</strong></span>. Even if you do not specify
                the <code class="option">routefilter</code> option, it is a good idea to
                specify <code class="option">logmartians</code> because your distribution
                may be enabling route filtering without you knowing it.</p><p>The option value (0 or 1) may only be specified if you
                are using Shorewall-perl. With Shorewall-perl, only those
                interfaces with the <code class="option">logmartians</code> option will
                 have their setting changed; the value assigned to the setting
                will be the value specified (if any) or 1 if no value is
                given.</p><p>To find out if route filtering is set on a given
                <em class="replaceable"><code>interface</code></em>, check the contents of
                <code class="filename">/proc/sys/net/ipv4/conf/<em class="replaceable"><code>interface</code></em>/rp_filter</code>
                - a non-zero value indicates that route filtering is
                enabled.</p><p>Example:</p><pre class="programlisting">        teastep@lists:~$ <span class="command"><strong>cat /proc/sys/net/ipv4/conf/eth0/rp_filter </strong></span>
        1
        teastep@lists:~$ </pre><p></p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>This option does not work with a wild-card
                  <em class="replaceable"><code>interface</code></em> name (e.g., eth0.+) in
                  the INTERFACE column.</p></div><div class="blockquote"><blockquote class="blockquote"><p>This option may also be enabled globally in the <a class="ulink" href="shorewall.conf.html" target="_self">shorewall.conf</a>(5)
                  file.</p></blockquote></div></dd><dt><span class="term"><span class="bold"><strong>maclist</strong></span></span></dt><dd><p>Connection requests from this interface are compared
                against the contents of <a class="ulink" href="shorewall-maclist.html" target="_self">shorewall-maclist</a>(5). If
                this option is specified, the interface must be an ethernet
                NIC and must be up before Shorewall is started.</p></dd><dt><span class="term"><span class="bold"><strong>mss</strong></span>[=<span class="emphasis"><em>number</em></span>]</span></dt><dd><p>Added in Shorewall 4.0.3. Causes forwarded TCP SYN
                packets entering or leaving on this interface to have their
                MSS field set to the specified
                <em class="replaceable"><code>number</code></em>.</p></dd><dt><span class="term"><span class="bold"><strong>norfc1918</strong></span></span></dt><dd><p>This interface should not receive any packets whose
                source is in one of the ranges reserved by RFC 1918 (i.e.,
                private or "non-routable" addresses). If packet mangling or
                connection-tracking match is enabled in your kernel, packets
                whose destination addresses are reserved by RFC 1918 are also
                rejected.</p></dd><dt><span class="term"><span class="bold"><strong>nosmurfs</strong></span></span></dt><dd><p>Filter packets for smurfs (packets with a broadcast
                address as the source).</p><p>Smurfs will be optionally logged based on the setting of
                SMURF_LOG_LEVEL in <a class="ulink" href="shorewall.conf.html" target="_self">shorewall.conf</a>(5). After
                logging, the packets are dropped.</p></dd><dt><span class="term"><span class="bold"><strong>optional</strong></span></span></dt><dd><p>Only supported by Shorewall-perl. When
                <code class="option">optional</code> is specified for an interface,
                Shorewall will be silent when:</p><div class="itemizedlist"><ul type="disc"><li><p>a <code class="filename">/proc/sys/net/ipv4/conf/</code>
                    entry for the interface cannot be modified (including for
                    proxy ARP).</p></li><li><p>The first address of the interface cannot be
                    obtained.</p></li></ul></div><p></p><div class="blockquote"><blockquote class="blockquote"><p>I specify <code class="option">optional</code> on interfaces to
                  Xen virtual machines that may or may not be running when
                  Shorewall is [re]started.</p><p></p><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p>Use <code class="option">optional</code> at your own risk. If
                    you [re]start Shorewall when an 'optional' interface is
                    not available and then do a <span class="command"><strong>shorewall
                    save</strong></span>, subsequent <span class="command"><strong>shorewall
                    restore</strong></span> and <span class="command"><strong>shorewall -f
                    start</strong></span> operations will instantiate a ruleset that
                    does not support that interface, even if it is available
                    at the time of the restore/start.</p></div></blockquote></div></dd><dt><span class="term"><span class="bold"><strong>proxyarp[={0|1}]</strong></span></span></dt><dd><p>Sets
                /proc/sys/net/ipv4/conf/<span class="emphasis"><em>interface</em></span>/proxy_arp.
                Do NOT use this option if you are employing Proxy ARP through
                entries in <a class="ulink" href="shorewall-proxyarp.html" target="_self">shorewall-proxyarp</a>(5).
                This option is intended solely for use with Proxy ARP
                 sub-networking as described at: <a class="ulink" href="http://tldp.org/HOWTO/Proxy-ARP-Subnet/index.html" target="_self">http://tldp.org/HOWTO/Proxy-ARP-Subnet/index.html</a>.</p><p><span class="bold"><strong>Note</strong></span>: This option does
                not work with a wild-card <em class="replaceable"><code>interface</code></em>
                name (e.g., eth0.+) in the INTERFACE column.</p><p>The option value (0 or 1) may only be specified if you
                are using Shorewall-perl. With Shorewall-perl, only those
                interfaces with the <code class="option">proxyarp</code> option will have
                 their setting changed; the value assigned to the setting will
                be the value specified (if any) or 1 if no value is
                given.</p></dd><dt><span class="term"><span class="bold"><strong>routeback</strong></span></span></dt><dd><p>If specified, indicates that Shorewall should include
                rules that allow filtering traffic arriving on this interface
                back out that same interface. This option is also required
                when you have used a wildcard in the INTERFACE column if you
                want to allow traffic between the interfaces that match the
                wildcard.</p></dd><dt><span class="term"><span class="bold"><strong>routefilter[={0|1}]</strong></span></span></dt><dd><p>Turn on kernel route filtering for this interface
                (anti-spoofing measure).</p><p>The option value (0 or 1) may only be specified if you
                are using Shorewall-perl. With Shorewall-perl, only those
                interfaces with the <code class="option">routefilter</code> option will
                 have their setting changed; the value assigned to the setting
                will be the value specified (if any) or 1 if no value is
                given.</p><p></p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>This option does not work with a wild-card
                  <em class="replaceable"><code>interface</code></em> name (e.g., eth0.+) in
                  the INTERFACE column.</p></div><div class="blockquote"><blockquote class="blockquote"><p>This option can also be enabled globally in the <a class="ulink" href="shorewall.conf.html" target="_self">shorewall.conf</a>(5)
                  file.</p></blockquote></div></dd><dt><span class="term"><span class="bold"><strong>sourceroute[={0|1}]</strong></span></span></dt><dd><p>If this option is not specified for an interface, then
                source-routed packets will not be accepted from that interface
                (sets
                /proc/sys/net/ipv4/conf/<span class="emphasis"><em>interface</em></span>/accept_source_route
                to 1). Only set this option if you know what you are doing.
                This might represent a security risk and is not usually
                needed.</p><p>The option value (0 or 1) may only be specified if you
                are using Shorewall-perl. With Shorewall-perl, only those
                interfaces with the <code class="option">sourceroute</code> option will
                 have their setting changed; the value assigned to the setting
                will be the value specified (if any) or 1 if no value is
                given.</p><p></p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>This option does not work with a wild-card
                  <em class="replaceable"><code>interface</code></em> name (e.g., eth0.+) in
                  the INTERFACE column.</p></div></dd><dt><span class="term"><span class="bold"><strong>tcpflags</strong></span></span></dt><dd><p>Packets arriving on this interface are checked for
                certain illegal combinations of TCP flags. Packets found to
                have such a combination of flags are handled according to the
                setting of TCP_FLAGS_DISPOSITION after having been logged
                according to the setting of TCP_FLAGS_LOG_LEVEL.</p></dd><dt><span class="term"><span class="bold"><strong>upnp</strong></span></span></dt><dd><p>Incoming requests from this interface may be remapped
                via UPNP (upnpd). See <a class="ulink" href="../UPnP.html" target="_self">http://www.shorewall.net/UPnP.html</a>.</p></dd></dl></div></dd></dl></div></div><div class="refsect1" lang="en" xml:lang="en"><a id="id258369"></a><h2>Example</h2><div class="variablelist"><dl><dt><span class="term">Example 1:</span></dt><dd><p>Suppose you have eth0 connected to a DSL modem and eth1
          connected to your local network and that your local subnet is
           192.168.1.0/24. eth0 gets its IP address via DHCP from
          subnet 206.191.149.192/27. You have a DMZ with subnet 192.168.2.0/24
          using eth2.</p><p>Your entries for this setup would look like:</p><pre class="programlisting">#ZONE   INTERFACE BROADCAST        OPTIONS
net     eth0      206.191.149.223  dhcp
loc     eth1      192.168.1.255
dmz     eth2      192.168.2.255</pre></dd><dt><span class="term">Example 2:</span></dt><dd><p>The same configuration without specifying broadcast addresses
          is:</p><pre class="programlisting">#ZONE   INTERFACE BROADCAST        OPTIONS
net     eth0      detect           dhcp
loc     eth1      detect
dmz     eth2      detect</pre></dd><dt><span class="term">Example 3:</span></dt><dd><p>You have a simple dial-in system with no ethernet
          connections.</p><pre class="programlisting">#ZONE   INTERFACE BROADCAST        OPTIONS
net     ppp0      -</pre></dd></dl></div></div><div class="refsect1" lang="en" xml:lang="en"><a id="id258437"></a><h2>FILES</h2><p>/etc/shorewall/interfaces</p></div><div class="refsect1" lang="en" xml:lang="en"><a id="id258447"></a><h2>See ALSO</h2><p>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
    shorewall-blacklist(5), shorewall-hosts(5), shorewall-ipsec(5),
    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
    shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_routes(5),
    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
    shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
    shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</p></div></div></body></html>
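As an added example (not the Shorewall project's own code), a small Python linter for the interfaces file format described above: it applies the column rules this page states, the wildcard-interface caveat repeated under the sysctl-style options, and the routefilter/logmartians recommendation. The sample file is constructed, and the checks assume the bridge option appears on an earlier line than any interface:port entry; ZONE names are not checked against shorewall-zones(5).

```python
import ipaddress

# Options the page says do not work with a wildcard (eth0.+) interface name.
WILDCARD_UNSAFE = {"arp_filter", "arp_ignore", "logmartians", "proxyarp",
                   "routefilter", "sourceroute"}
# Every option name documented in the OPTIONS column above.
KNOWN_OPTIONS = WILDCARD_UNSAFE | {"blacklist", "bridge", "detectnets", "dhcp",
                                  "maclist", "mss", "norfc1918", "nosmurfs",
                                  "optional", "routeback", "tcpflags", "upnp"}

def parse_options(field):
    """Split 'opt1,opt2=1' into {name: value or None}; '' and '-' mean none."""
    if field in ("", "-"):
        return {}
    opts = {}
    for item in field.split(","):
        name, _, value = item.partition("=")
        opts[name] = value or None
    return opts

def lint_interfaces(text):
    """Return (line_number, message) pairs for rule violations in an interfaces file."""
    problems, seen, bridges = [], set(), set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        cols = raw.split("#", 1)[0].split()  # drop comments, split whitespace columns
        if not cols:
            continue
        if len(cols) < 2:
            problems.append((lineno, "missing INTERFACE column"))
            continue
        iface, bcast = cols[1], cols[2] if len(cols) > 2 else "-"
        opts = parse_options(cols[3] if len(cols) > 3 else "")
        name, _, port = iface.partition(":")
        if port:  # bridge port form, or a forbidden virtual interface such as eth0:0
            if name not in bridges:
                problems.append((lineno, f"{iface}: {name} not defined earlier with the bridge option"))
            if opts:
                problems.append((lineno, f"{iface}: OPTIONS must be empty when a port is given"))
        if iface in seen:
            problems.append((lineno, f"{iface}: interface listed more than once"))
        seen.add(iface)
        if "bridge" in opts:
            bridges.add(name)
        if bcast not in ("-", "detect"):  # otherwise a comma-separated address list
            for addr in bcast.split(","):
                try:
                    ipaddress.IPv4Address(addr)
                except ValueError:
                    problems.append((lineno, f"BROADCAST {addr!r}: not -, detect or an address"))
        for opt in sorted(set(opts) - KNOWN_OPTIONS):
            problems.append((lineno, f"unknown option {opt}"))
        if name.endswith("+"):  # wildcard: the sysctl-style options cannot be applied
            for opt in sorted(WILDCARD_UNSAFE & set(opts)):
                problems.append((lineno, f"{opt} has no effect on wildcard interface {name}"))
        if "routefilter" in opts and "logmartians" not in opts:
            problems.append((lineno, f"{name}: routefilter without logmartians (page recommends both)"))
        if "sourceroute" in opts and opts["sourceroute"] != "0":
            problems.append((lineno, f"{name}: sourceroute accepts source-routed packets; rarely needed"))
    return problems

# Constructed sample file (not from the page) mixing valid and faulty entries.
SAMPLE = """\
#ZONE   INTERFACE BROADCAST        OPTIONS
net     eth0      detect           dhcp,routefilter,logmartians
loc     eth1      192.168.1.255    routefilter
loc     ppp+      -                arp_filter,routeback
net     eth0      -                sourceroute
"""
```

Running `lint_interfaces(SAMPLE)` reports the missing logmartians on eth1, the ineffective arp_filter on ppp+, and both the duplicate listing and the sourceroute option on the second eth0 line.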