shorewall-interfaces.5

sharewall is very good

.\"     Title: shorewall-interfaces
.\"    Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.74.0 <http://docbook.sf.net/>
.\"      Date: 03/19/2009
.\"    Manual: [FIXME: manual]
.\"    Source: [FIXME: source]
.\"  Language: English
.\"
.TH "SHOREWALL\-INTERFACE" "5" "03/19/2009" "[FIXME: source]" "[FIXME: manual]"
.\" -----------------------------------------------------------------
.\" * (re)Define some macros
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" toupper - uppercase a string (locale-aware)
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.de toupper
.tr aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ
\\$*
.tr aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz
..
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" SH-xref - format a cross-reference to an SH section
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.de SH-xref
.ie n \{\
.\}
.toupper \\$*
.el \{\
\\$*
.\}
..
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" SH - level-one heading that works better for non-TTY output
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.de1 SH
.\" put an extra blank line of space above the head in non-TTY output
.if t \{\
.sp 1
.\}
.sp \\n[PD]u
.nr an-level 1
.set-an-margin
.nr an-prevailing-indent \\n[IN]
.fi
.in \\n[an-margin]u
.ti 0
.HTML-TAG ".NH \\n[an-level]"
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
\." make the size of the head bigger
.ps +3
.ft B
.ne (2v + 1u)
.ie n \{\
.\" if n (TTY output), use uppercase
.toupper \\$*
.\}
.el \{\
.nr an-break-flag 0
.\" if not n (not TTY), use normal case (not uppercase)
\\$1
.in \\n[an-margin]u
.ti 0
.\" if not n (not TTY), put a border/line under subheading
.sp -.6
\l'\n(.lu'
.\}
..
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" SS - level-two heading that works better for non-TTY output
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.de1 SS
.sp \\n[PD]u
.nr an-level 1
.set-an-margin
.nr an-prevailing-indent \\n[IN]
.fi
.in \\n[IN]u
.ti \\n[SN]u
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.ps \\n[PS-SS]u
\." make the size of the head bigger
.ps +2
.ft B
.ne (2v + 1u)
.if \\n[.$] \&\\$*
..
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" BB/BE - put background/screen (filled box) around block of text
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.de BB
.if t \{\
.sp -.5
.br
.in +2n
.ll -2n
.gcolor red
.di BX
.\}
..
.de EB
.if t \{\
.if "\\$2"adjust-for-leading-newline" \{\
.sp -1
.\}
.br
.di
.in
.ll
.gcolor
.nr BW \\n(.lu-\\n(.i
.nr BH \\n(dn+.5v
.ne \\n(BHu+.5v
.ie "\\$2"adjust-for-leading-newline" \{\
\M[\\$1]\h'1n'\v'+.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[]
.\}
.el \{\
\M[\\$1]\h'1n'\v'-.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[]
.\}
.in 0
.sp -.5v
.nf
.BX
.in
.sp .5v
.fi
.\}
..
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" BM/EM - put colored marker in margin next to block of text
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.de BM
.if t \{\
.br
.ll -2n
.gcolor red
.di BX
.\}
..
.de EM
.if t \{\
.br
.di
.ll
.gcolor
.nr BH \\n(dn
.ne \\n(BHu
\M[\\$1]\D'P -.75n 0 0 \\n(BHu -(\\n[.i]u - \\n(INu - .75n) 0 0 -\\n(BHu'\M[]
.in 0
.nf
.BX
.in
.fi
.\}
..
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "Name"
interfaces \- Shorewall interfaces file
.SH "Synopsis"
.fam C
.HP \w'\fB/etc/shorewall/interfaces\fR\ 'u
\fB/etc/shorewall/interfaces\fR
.fam
.SH "Description"
.PP
The interfaces file serves to define the firewall\'s network interfaces to Shorewall\&. The order of entries in this file is not significant in determining zone composition\&.
.PP
The columns in the file are as follows\&.
.PP
\fBZONE\fR \- \fIzone\-name\fR
.RS 4
Zone for this interface\&. Must match the name of a zone declared in /etc/shorewall/zones\&. You may not list the firewall zone in this column\&.
.sp
If the interface serves multiple zones that will be defined in the
\m[blue]\fBshorewall\-hosts\fR\m[]\&\s-2\u[1]\d\s+2(5) file, you should place "\-" in this column\&.
.sp
If there are multiple interfaces to the same zone, you must list them in separate entries\&.
.sp
Example:
.sp
.if n \{\
.RS 4
.\}
.fam C
.ps -1
.nf
.BB lightgray
#ZONE   INTERFACE       BROADCAST
loc     eth1            \-
loc     eth2            \-
.EB lightgray
.fi
.fam
.ps +1
.if n \{\
.RE
.\}
.RE
.PP
\fBINTERFACE\fR \- \fIinterface\fR\fB[:\fR\fIport\fR\fB]\fR
.RS 4
Name of interface\&. Each interface may be listed only once in this file\&. You may NOT specify the name of a "virtual" interface (e\&.g\&., eth0:0) here; see
\m[blue]\fBhttp://www\&.shorewall\&.net/FAQ\&.htm#faq18\fR\m[]
.sp
You may use wildcards here by specifying a prefix followed by the plus sign ("+")\&. For example, if you want to make an entry that applies to all PPP interfaces, use \'ppp+\'; that would match ppp0, ppp1, ppp2, \&...
.sp
When using Shorewall versions before 4\&.1\&.4, care must be exercised when using wildcards where there is another zone that uses a matching specific interface\&. See
\m[blue]\fBshorewall\-nesting\fR\m[]\&\s-2\u[2]\d\s+2(5) for a discussion of this problem\&.
.sp
Beginning with Shorewall 4\&.2\&.3, Shorewall\-perl allows \'+\' as an interface name\&.
.sp
There is no need to define the loopback interface (lo) in this file\&.
.sp
(Shorewall\-perl only) If a
\fIport\fR
is given, then the
\fIinterface\fR
must have been defined previously with the
\fBbridge\fR
option\&. The OPTIONS column may not contain the following options when a
\fIport\fR
is given\&.
.RS 4
arp_filter
.RE
.RS 4
arp_ignore
.RE
.RS 4
bridge
.RE
.RS 4
log_martians
.RE
.RS 4
mss
.RE
.RS 4
optional
.RE
.RS 4
proxyarp
.RE
.RS 4
routefilter
.RE
.RS 4
sourceroute
.RE
.RS 4
upnp
.RE
.RE
.PP
\fBBROADCAST\fR (Optional) \- {\fB\-\fR|\fBdetect\fR|\fIaddress\fR[,\fIaddress\fR]\&.\&.\&.}
.RS 4
The broadcast address(es) for the network(s) to which the interface belongs\&. For P\-T\-P interfaces, this column is left blank\&. If the interface has multiple addresses on multiple subnets then list the broadcast addresses as a comma\-separated list\&.
.sp
If you use the special value
\fBdetect\fR, Shorewall will detect the broadcast address(es) for you\&. If you select this option, the interface must be up before the firewall is started\&.
.sp
If you don\'t want to give a value for this column but you want to enter a value in the OPTIONS column, enter
\fB\-\fR
in this column\&.
.sp
\fBNote to Shorewall\-perl users:\fR
Shorewall\-perl only supports
\fBdetect\fR
or
\fB\-\fR
in this column\&. If you specify
\fIaddress\fRes, a compilation warning will be issued\&.
.RE
.PP
\fBOPTIONS\fR (Optional) \- [\fIoption\fR[\fB,\fR\fIoption\fR]\&.\&.\&.]
.RS 4
A comma\-separated list of options from the following list\&. The order in which you list the options is not significant but the list should have no embedded white space\&.
.PP
\fBarp_filter[={0|1}]\fR
.RS 4
If specified, this interface will only respond to ARP who\-has requests for IP addresses configured on the interface\&. If not specified, the interface can respond to ARP who\-has requests for IP addresses on any of the firewall\'s interface\&. The interface must be up when Shorewall is started\&.
.sp
The option value (0 or 1) may only be specified if you are using Shorewall\-perl\&. With Shorewall\-perl, only those interfaces with the
\fBarp_filter\fR
option will have their setting changes; the value assigned to the setting will be the value specified (if any) or 1 if no value is given\&.
.sp
.if n \{\
.sp
.\}
.RS 4
.BM yellow
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBNote\fR
.ps -1
.br
This option does not work with a wild\-card
\fIinterface\fR
name (e\&.g\&., eth0\&.+) in the INTERFACE column\&.
.sp .5v
.EM yellow
.RE
.RE
.PP
\fBarp_ignore\fR[=\fInumber\fR]
.RS 4
If specified, this interface will respond to arp requests based on the value of
\fInumber\fR
(defaults to 1)\&.
.sp
1 \- reply only if the target IP address is local address configured on the incoming interface
.sp
2 \- reply only if the target IP address is local address configured on the incoming interface and the sender\'s IP address is part from same subnet on this interface
.sp
3 \- do not reply for local addresses configured with scope host, only resolutions for global and link
.sp
4\-7 \- reserved
.sp
8 \- do not reply for all local addresses
.sp
.if n \{\
.sp
.\}
.RS 4
.BM yellow
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBNote\fR
.ps -1
.br
This option does not work with a wild\-card
\fIinterface\fR
name (e\&.g\&., eth0\&.+) in the INTERFACE column\&.
.sp .5v
.EM yellow
.RE
.if n \{\
.sp
.\}
.RS 4
.BM yellow
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBWarning\fR
.ps -1
.br
Do not specify
\fBarp_ignore\fR
for any interface involved in
\m[blue]\fBProxy ARP\fR\m[]\&\s-2\u[3]\d\s+2\&.
.sp .5v
.EM yellow
.RE
.RE
.PP
\fBblacklist\fR
.RS 4
Check packets arriving on this interface against the
\m[blue]\fBshorewall\-blacklist\fR\m[]\&\s-2\u[4]\d\s+2(5) file\&.
.RE
.PP
\fBbridge\fR
.RS 4
(Shorewall\-perl only) Designates the interface as a bridge\&.
.RE
.PP
\fBdetectnets\fR (Deprecated and not supported by Shorewall\-perl)
.RS 4
Automatically tailors the zone named in the ZONE column to include only those hosts routed through the interface\&.
.sp
.if n \{\
.sp
.\}
.RS 4
.BM yellow
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBWarning\fR
.ps -1
.br
Do not set the
\fBdetectnets\fR
option on your internet interface\&.
.sp
Support for this option will be removed in a future release of Shorewall\-perl\&. Better to use the
\fBroutefilter\fR
option together with the
\fBlogmartians\fR
option\&.
.sp .5v
.EM yellow
.RE
.RE
.PP
\fBdhcp\fR
.RS 4
Specify this option when any of the following are true:
.sp
.RS 4
.ie n \{\
\h'-04' 1.\h'+01'\c
.\}
.el \{\
.sp -1
.IP "  1." 4.2
.\}
the interface gets its IP address via DHCP
.RE
.sp
.RS 4
.ie n \{\
\h'-04' 2.\h'+01'\c