<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>shorewall-interfaces</title><link rel="stylesheet" href="html.css" type="text/css" /><meta name="generator" content="DocBook XSL Stylesheets V1.73.2" /></head><body><div class="refentry" lang="en" xml:lang="en"><a id="id257171"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>interfaces — Shorewall interfaces file</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">/etc/shorewall/interfaces</code> </p></div></div><div class="refsect1" lang="en" xml:lang="en"><a id="id257202"></a><h2>Description</h2><p>The interfaces file serves to define the firewall's network interfaces to Shorewall. The order of entries in this file is not significant in determining zone composition.</p><p>The columns in the file are as follows.</p><div class="variablelist"><dl><dt><span class="term"><span class="bold"><strong>ZONE</strong></span> - <span class="emphasis"><em>zone-name</em></span></span></dt><dd><p>Zone for this interface. Must match the name of a zone declared in /etc/shorewall/zones. 
You may not list the firewall zone in this column.</p><p>If the interface serves multiple zones that will be defined in the <a class="ulink" href="shorewall-hosts.html" target="_self">shorewall-hosts</a>(5) file, you should place "-" in this column.</p><p>If there are multiple interfaces to the same zone, you must list them in separate entries.</p><p>Example:</p><div class="blockquote"><blockquote class="blockquote"><pre class="programlisting">#ZONE   INTERFACE   BROADCAST
loc     eth1        -
loc     eth2        -</pre></blockquote></div></dd><dt><span class="term"><span class="bold"><strong>INTERFACE</strong></span> - <span class="emphasis"><em>interface</em></span><span class="bold"><strong>[:</strong></span><span class="emphasis"><em>port</em></span><span class="bold"><strong>]</strong></span></span></dt><dd><p>Name of interface. Each interface may be listed only once in this file. You may NOT specify the name of a "virtual" interface (e.g., eth0:0) here; see <a class="ulink" href="http://www.shorewall.net/FAQ.htm#faq18" target="_self">http://www.shorewall.net/FAQ.htm#faq18</a>.</p><p>You may use wildcards here by specifying a prefix followed by the plus sign ("+"). For example, if you want to make an entry that applies to all PPP interfaces, use 'ppp+'; that would match ppp0, ppp1, ppp2, …</p><p>Care must be exercised when using wildcards where there is another zone that uses a matching specific interface. See <a class="ulink" href="shorewall-nesting.html" target="_self">shorewall-nesting</a>(5) for a discussion of this problem.</p><p>There is no need to define the loopback interface (lo) in this file.</p><p>(Shorewall-perl only) If a <em class="replaceable"><code>port</code></em> is given, then the <em class="replaceable"><code>interface</code></em> must have been defined previously with the <code class="option">bridge</code> option. 
The OPTIONS column must be empty when a <em class="replaceable"><code>port</code></em> is given.</p></dd><dt><span class="term"><span class="bold"><strong>BROADCAST</strong></span> (Optional) - {<span class="bold"><strong>-</strong></span>|<span class="bold"><strong>detect</strong></span>|<span class="emphasis"><em>address</em></span>[,<span class="emphasis"><em>address</em></span>]...}</span></dt><dd><p>The broadcast address(es) for the network(s) to which the interface belongs. For P-T-P interfaces, this column is left blank. If the interface has multiple addresses on multiple subnets then list the broadcast addresses as a comma-separated list.</p><p>If you use the special value <span class="bold"><strong>detect</strong></span>, Shorewall will detect the broadcast address(es) for you. If you select this option, the interface must be up before the firewall is started.</p><p>If you don't want to give a value for this column but you want to enter a value in the OPTIONS column, enter <span class="bold"><strong>-</strong></span> in this column.</p><p><span class="bold"><strong>Note to Shorewall-perl users:</strong></span> Shorewall-perl only supports <code class="option">detect</code> or <span class="bold"><strong>-</strong></span> in this column. If you specify <em class="replaceable"><code>address</code></em>es, a compilation warning will be issued.</p></dd><dt><span class="term"><span class="bold"><strong>OPTIONS</strong></span> (Optional) - [<span class="emphasis"><em>option</em></span>[<span class="bold"><strong>,</strong></span><span class="emphasis"><em>option</em></span>]...]</span></dt><dd><p>A comma-separated list of options from the following list. 
The order in which you list the options is not significant but the list should have no embedded white space.</p><div class="variablelist"><dl><dt><span class="term"><span class="bold"><strong>arp_filter[={0|1}]</strong></span></span></dt><dd><p>If specified, this interface will only respond to ARP who-has requests for IP addresses configured on the interface. If not specified, the interface can respond to ARP who-has requests for IP addresses on any of the firewall's interfaces. The interface must be up when Shorewall is started.</p><p>The option value (0 or 1) may only be specified if you are using Shorewall-perl. With Shorewall-perl, only those interfaces with the <code class="option">arp_filter</code> option will have their setting changed; the value assigned to the setting will be the value specified (if any) or 1 if no value is given.</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>This option does not work with a wild-card <em class="replaceable"><code>interface</code></em> name (e.g., eth0.+) in the INTERFACE column.</p></div></dd><dt><span class="term"><span class="bold"><strong>arp_ignore</strong></span>[=<span class="emphasis"><em>number</em></span>]</span></dt><dd><p>If specified, this interface will respond to ARP requests based on the value of <span class="emphasis"><em>number</em></span> (defaults to 1).</p><p>1 - reply only if the target IP address is a local address configured on the incoming interface</p><p>2 - reply only if the target IP address is a local address configured on the incoming interface and the sender's IP address is part of the same subnet on this interface</p><p>3 - do not reply for local addresses configured with scope host, only resolutions for global and link</p><p>4-7 - reserved</p><p>8 - do not reply for all local addresses</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>This option does not work with a wild-card <em 
class="replaceable"><code>interface</code></em> name (e.g., eth0.+) in the INTERFACE column.</p></div><p></p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>Do not specify <span class="bold"><strong>arp_ignore</strong></span> for any interface involved in <a class="ulink" href="../ProxyARP.htm" target="_self">Proxy ARP</a>.</p></div></dd><dt><span class="term"><span class="bold"><strong>blacklist</strong></span></span></dt><dd><p>Check packets arriving on this interface against the <a class="ulink" href="shorewall-blacklist.html" target="_self">shorewall-blacklist</a>(5) file.</p></dd><dt><span class="term"><span class="bold"><strong>bridge</strong></span></span></dt><dd><p>(Shorewall-perl only) Designates the interface as a bridge.</p></dd><dt><span class="term"><span class="bold"><strong>detectnets</strong></span> (Deprecated)</span></dt><dd><p>Automatically tailors the zone named in the ZONE column to include only those hosts routed through the interface.</p><p></p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>Do not set the <span class="bold"><strong>detectnets</strong></span> option on your internet interface.</p><p>Support for this option will be removed in a future release of Shorewall-perl. 
It is better to use the <span class="bold"><strong>routefilter</strong></span> option together with the <span class="bold"><strong>logmartians</strong></span> option.</p></div></dd><dt><span class="term"><span class="bold"><strong>dhcp</strong></span></span></dt><dd><p>Specify this option when any of the following are true:</p><div class="orderedlist"><ol type="1" compact="compact"><li><p>the interface gets its IP address via DHCP</p></li><li><p>the interface is used by a DHCP server running on the firewall</p></li><li><p>you have a static IP but are on a LAN segment with lots of DHCP clients</p></li><li><p>the interface is a bridge with a DHCP server on one port and DHCP clients on another port</p></li></ol></div></dd><dt><span class="term"><span class="bold"><strong>logmartians[={0|1}]</strong></span></span></dt><dd><p>Turn on kernel martian logging (logging of packets with impossible source addresses). It is strongly suggested that if you set <span class="bold"><strong>routefilter</strong></span> on an interface, you also set <span class="bold"><strong>logmartians</strong></span>. Even if you do not specify the <code class="option">routefilter</code> option, it is a good idea to specify <code class="option">logmartians</code> because your distribution may be enabling route filtering without you knowing it.</p><p>The option value (0 or 1) may only be specified if you are using Shorewall-perl. 
With Shorewall-perl, only those interfaces with the <code class="option">logmartians</code> option will have their setting changed; the value assigned to the setting will be the value specified (if any) or 1 if no value is given.</p><p>To find out if route filtering is set on a given <em class="replaceable"><code>interface</code></em>, check the contents of <code class="filename">/proc/sys/net/ipv4/conf/<em class="replaceable"><code>interface</code></em>/rp_filter</code> - a non-zero value indicates that route filtering is enabled.</p><p>Example:</p><pre class="programlisting">teastep@lists:~$ <span class="command"><strong>cat /proc/sys/net/ipv4/conf/eth0/rp_filter</strong></span>
1
teastep@lists:~$ </pre><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>This option does not work with a wild-card <em class="replaceable"><code>interface</code></em> name (e.g., eth0.+) in the INTERFACE column.</p></div><div class="blockquote"><blockquote class="blockquote"><p>This option may also be enabled globally in the <a class="ulink" href="shorewall.conf.html" target="_self">shorewall.conf</a>(5) file.</p></blockquote></div></dd><dt><span class="term"><span class="bold"><strong>maclist</strong></span></span></dt><dd><p>Connection requests from this interface are compared against the contents of <a class="ulink" href="shorewall-maclist.html" target="_self">shorewall-maclist</a>(5). If this option is specified, the interface must be an Ethernet NIC and must be up before Shorewall is started.</p></dd><dt><span class="term"><span class="bold"><strong>mss</strong></span>[=<span class="emphasis"><em>number</em></span>]</span></dt><dd><p>Added in Shorewall 4.0.3. 
Causes forwarded TCP SYN packets entering or leaving on this interface to have their MSS field set to the specified <em class="replaceable"><code>number</code></em>.</p></dd><dt><span class="term"><span class="bold"><strong>norfc1918</strong></span></span></dt><dd><p>This interface should not receive any packets whose source is in one of the ranges reserved by RFC 1918 (i.e., private or "non-routable" addresses). If packet mangling or connection-tracking match is enabled in your kernel, packets whose destination addresses are reserved by RFC 1918 are also rejected.</p></dd><dt><span class="term"><span class="bold"><strong>nosmurfs</strong></span></span></dt><dd><p>Filter packets for smurfs (packets with a broadcast address as the source).</p><p>Smurfs will be optionally logged based on the setting of SMURF_LOG_LEVEL in <a class="ulink" href="shorewall.conf.html" target="_self">shorewall.conf</a>(5). After logging, the packets are dropped.</p></dd><dt><span class="term"><span class="bold"><strong>optional</strong></span></span></dt><dd><p>Only supported by Shorewall-perl. When <code class="option">optional</code> is specified for an interface, Shorewall will be silent when:</p><div class="itemizedlist"><ul type="disc"><li><p>a <code class="filename">/proc/sys/net/ipv4/conf/</code> entry for the interface cannot be modified (including for proxy ARP).</p></li><li><p>The first address of the interface cannot be obtained.</p></li></ul></div><p></p><div class="blockquote"><blockquote class="blockquote"><p>I specify <code class="option">optional</code> on interfaces to Xen virtual machines that may or may not be running when Shorewall is [re]started.</p><p></p><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p>Use <code class="option">optional</code> at your own risk. 
If you [re]start Shorewall when an 'optional' interface is not available and then do a <span class="command"><strong>shorewall save</strong></span>, subsequent <span class="command"><strong>shorewall restore</strong></span> and <span class="command"><strong>shorewall -f start</strong></span> operations will instantiate a ruleset that does not support that interface, even if it is available at the time of the restore/start.</p></div></blockquote></div></dd><dt><span class="term"><span class="bold"><strong>proxyarp[={0|1}]</strong></span></span></dt><dd><p>Sets /proc/sys/net/ipv4/conf/<span class="emphasis"><em>interface</em></span>/proxy_arp. Do NOT use this option if you are employing Proxy ARP through entries in <a class="ulink" href="shorewall-proxyarp.html" target="_self">shorewall-proxyarp</a>(5). This option is intended solely for use with Proxy ARP sub-networking as described at <a class="ulink" href="http://tldp.org/HOWTO/Proxy-ARP-Subnet/index.html" target="_self">http://tldp.org/HOWTO/Proxy-ARP-Subnet/index.html</a>.</p><p><span class="bold"><strong>Note</strong></span>: This option does not work with a wild-card <em class="replaceable"><code>interface</code></em> name (e.g., eth0.+) in the INTERFACE column.</p><p>The option value (0 or 1) may only be specified if you are using Shorewall-perl. With Shorewall-perl, only those interfaces with the <code class="option">proxyarp</code> option will have their setting changed; the value assigned to the setting will be the value specified (if any) or 1 if no value is given.</p></dd><dt><span class="term"><span class="bold"><strong>routeback</strong></span></span></dt><dd><p>If specified, indicates that Shorewall should include rules that allow filtering traffic arriving on this interface back out that same interface. 
This option is also required when you have used a wildcard in the INTERFACE column if you want to allow traffic between the interfaces that match the wildcard.</p></dd><dt><span class="term"><span class="bold"><strong>routefilter[={0|1}]</strong></span></span></dt><dd><p>Turn on kernel route filtering for this interface (anti-spoofing measure).</p><p>The option value (0 or 1) may only be specified if you are using Shorewall-perl. With Shorewall-perl, only those interfaces with the <code class="option">routefilter</code> option will have their setting changed; the value assigned to the setting will be the value specified (if any) or 1 if no value is given.</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>This option does not work with a wild-card <em class="replaceable"><code>interface</code></em> name (e.g., eth0.+) in the INTERFACE column.</p></div><div class="blockquote"><blockquote class="blockquote"><p>This option can also be enabled globally in the <a class="ulink" href="shorewall.conf.html" target="_self">shorewall.conf</a>(5) file.</p></blockquote></div></dd><dt><span class="term"><span class="bold"><strong>sourceroute[={0|1}]</strong></span></span></dt><dd><p>If this option is not specified for an interface, then source-routed packets will not be accepted from that interface (sets /proc/sys/net/ipv4/conf/<span class="emphasis"><em>interface</em></span>/accept_source_route to 1). Only set this option if you know what you are doing. This might represent a security risk and is not usually needed.</p><p>The option value (0 or 1) may only be specified if you are using Shorewall-perl. 
With Shorewall-perl, only those interfaces with the <code class="option">sourceroute</code> option will have their setting changed; the value assigned to the setting will be the value specified (if any) or 1 if no value is given.</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>This option does not work with a wild-card <em class="replaceable"><code>interface</code></em> name (e.g., eth0.+) in the INTERFACE column.</p></div></dd><dt><span class="term"><span class="bold"><strong>tcpflags</strong></span></span></dt><dd><p>Packets arriving on this interface are checked for certain illegal combinations of TCP flags. Packets found to have such a combination of flags are handled according to the setting of TCP_FLAGS_DISPOSITION after having been logged according to the setting of TCP_FLAGS_LOG_LEVEL.</p></dd><dt><span class="term"><span class="bold"><strong>upnp</strong></span></span></dt><dd><p>Incoming requests from this interface may be remapped via UPNP (upnpd). See <a class="ulink" href="../UPnP.html" target="_self">http://www.shorewall.net/UPnP.html</a>.</p></dd></dl></div></dd></dl></div></div><div class="refsect1" lang="en" xml:lang="en"><a id="id258369"></a><h2>Example</h2><div class="variablelist"><dl><dt><span class="term">Example 1:</span></dt><dd><p>Suppose you have eth0 connected to a DSL modem and eth1 connected to your local network and that your local subnet is 192.168.1.0/24. eth0 gets its IP address via DHCP from subnet 206.191.149.192/27. 
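</p><p>As an added check that is not part of this manual page, the Python linter below applies the column rules described above to an interfaces file: interfaces listed more than once, virtual-interface names, bridge port entries and their empty OPTIONS, BROADCAST values, option values, options that have no effect on a wildcard interface, routefilter without logmartians, and sourceroute. The sample file it runs on is constructed for the example.</p>

```python
import re

# Added example, not Shorewall's own code: a linter for /etc/shorewall/interfaces
# that applies the column rules described on this page.
BOOL_OPTS = {"arp_filter", "logmartians", "proxyarp", "routefilter", "sourceroute"}  # accept =0|1
SYSCTL_OPTS = BOOL_OPTS | {"arp_ignore"}  # set /proc/sys entries, so no effect on wildcard names
KNOWN_OPTS = SYSCTL_OPTS | {"blacklist", "bridge", "detectnets", "dhcp", "maclist", "mss",
                            "norfc1918", "nosmurfs", "optional", "routeback", "tcpflags", "upnp"}
IPV4 = re.compile(r"^(\d{1,3}\.){3}\d{1,3}$")

def lint_interfaces(text):
    """Return a list of (line_no, message) findings for the contents of an interfaces file."""
    out, seen, bridges = [], set(), set()
    for n, raw in enumerate(text.splitlines(), 1):
        cols = raw.split("#", 1)[0].split()  # strip comments, split columns on white space
        if not cols:
            continue
        if len(cols) < 2:
            out.append((n, "ZONE and INTERFACE columns are required"))
            continue
        iface, bcast = cols[1], cols[2] if len(cols) > 2 else "-"
        opts = dict(o.partition("=")[::2] for o in (cols[3] if len(cols) > 3 else "").split(",") if o)
        if iface in seen:
            out.append((n, f"interface {iface} listed more than once"))
        seen.add(iface)
        base, _, port = iface.partition(":")
        if port.isdigit():  # eth0:0-style virtual interface, not allowed here
            out.append((n, f"{iface} is a virtual interface; list {base} instead"))
        elif port:  # bridge port entry (Shorewall-perl only)
            if base not in bridges:
                out.append((n, f"{iface}: {base} must appear earlier with the bridge option"))
            if opts:
                out.append((n, f"{iface}: OPTIONS must be empty for a port entry"))
        if bcast not in ("-", "detect") and not all(IPV4.match(a) for a in bcast.split(",")):
            out.append((n, f"BROADCAST must be -, detect or addresses, not {bcast!r}"))
        for name, val in opts.items():
            if name not in KNOWN_OPTS:
                out.append((n, f"unknown option {name!r}"))
            elif name in BOOL_OPTS and val not in ("", "0", "1"):
                out.append((n, f"{name} accepts only 0 or 1"))
            if name in SYSCTL_OPTS and iface.endswith("+"):
                out.append((n, f"{name} has no effect on wildcard interface {iface}"))
        if "bridge" in opts:
            bridges.add(iface)
        if opts.get("routefilter", "0") != "0" and "logmartians" not in opts:
            out.append((n, "routefilter set without logmartians (strongly suggested together)"))
        if opts.get("sourceroute", "0") != "0":
            out.append((n, "sourceroute accepts source-routed packets; rarely needed, a security risk"))
    return out

# Constructed sample in the style of Example 2, plus three deliberately faulty lines.
SAMPLE = """\
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      dhcp,routefilter,logmartians,tcpflags,nosmurfs
loc     eth1        detect
vpn     ppp+        -           routefilter
loc     eth1        detect      sourceroute
dmz     br0:eth3    -           dhcp
"""
```

Running `lint_interfaces(SAMPLE)` reports two findings each for the ppp+, duplicate eth1 and br0:eth3 lines and none for the first two entries.
<p>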
You have a DMZ with subnet 192.168.2.0/24 using eth2.</p><p>Your entries for this setup would look like:</p><pre class="programlisting">#ZONE   INTERFACE   BROADCAST         OPTIONS
net     eth0        206.191.149.223   dhcp
loc     eth1        192.168.1.255
dmz     eth2        192.168.2.255</pre></dd><dt><span class="term">Example 2:</span></dt><dd><p>The same configuration without specifying broadcast addresses is:</p><pre class="programlisting">#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      dhcp
loc     eth1        detect
dmz     eth2        detect</pre></dd><dt><span class="term">Example 3:</span></dt><dd><p>You have a simple dial-in system with no Ethernet connections.</p><pre class="programlisting">#ZONE   INTERFACE   BROADCAST   OPTIONS
net     ppp0        -</pre></dd></dl></div></div><div class="refsect1" lang="en" xml:lang="en"><a id="id258437"></a><h2>FILES</h2><p>/etc/shorewall/interfaces</p></div><div class="refsect1" lang="en" xml:lang="en"><a id="id258447"></a><h2>See ALSO</h2><p>shorewall(8), shorewall-accounting(5), shorewall-actions(5), shorewall-blacklist(5), shorewall-hosts(5), shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5), shorewall-netmap(5), shorewall-params(5), shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_routes(5), shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</p></div></div></body></html>