shorewall-interfaces.5

sharewall is very good

.\}
.el \{\
.sp -1
.IP "  2." 4.2
.\}
the interface is used by a DHCP server running on the firewall
.RE
.sp
.RS 4
.ie n \{\
\h'-04' 3.\h'+01'\c
.\}
.el \{\
.sp -1
.IP "  3." 4.2
.\}
the interface has a static IP but is on a LAN segment with lots of DHCP clients\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04' 4.\h'+01'\c
.\}
.el \{\
.sp -1
.IP "  4." 4.2
.\}
the interface is a
\m[blue]\fBsimple bridge\fR\m[]\&\s-2\u[5]\d\s+2
with a DHCP server on one port and DHCP clients on another port\&.
.if n \{\
.sp
.\}
.RS 4
.BM yellow
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBNote\fR
.ps -1
.br
If you use
\m[blue]\fBShorewall\-perl for firewall/bridging\fR\m[]\&\s-2\u[6]\d\s+2, then you need to include DHCP\-specific rules in
\m[blue]\fBshorewall\-rules\fR\m[]\&\s-2\u[7]\d\s+2(8)\&. DHCP uses UDP ports 67 and 68\&.
.sp .5v
.EM yellow
.RE
.RE
.RS 4
This option allows DHCP datagrams to enter and leave the interface\&.
.RE
.PP
\fBlogmartians[={0|1}]\fR
.RS 4
Turn on kernel martian logging (logging of packets with impossible source addresses\&. It is strongly suggested that if you set
\fBroutefilter\fR
on an interface that you also set
\fBlogmartians\fR\&. Even if you do not specify the
\fBroutefilter\fR
option, it is a good idea to specify
\fBlogmartians\fR
because your distribution may be enabling route filtering without you knowing it\&.
.sp
The option value (0 or 1) may only be specified if you are using Shorewall\-perl\&. With Shorewall\-perl, only those interfaces with the
\fBlogmartians\fR
option will have their setting changes; the value assigned to the setting will be the value specified (if any) or 1 if no value is given\&.
.sp
To find out if route filtering is set on a given
\fIinterface\fR, check the contents of
\FC/proc/sys/net/ipv4/conf/\fIinterface\fR/rp_filter\F[]
\- a non\-zero value indicates that route filtering is enabled\&.
.sp
Example:
.sp
.if n \{\
.RS 4
.\}
.fam C
.ps -1
.nf
.BB lightgray
        teastep@lists:~$ \fBcat /proc/sys/net/ipv4/conf/eth0/rp_filter \fR
        1
        teastep@lists:~$ 
.EB lightgray
.fi
.fam
.ps +1
.if n \{\
.RE
.\}
.sp
.if n \{\
.sp
.\}
.RS 4
.BM yellow
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBNote\fR
.ps -1
.br
This option does not work with a wild\-card
\fIinterface\fR
name (e\&.g\&., eth0\&.+) in the INTERFACE column\&.
.sp .5v
.EM yellow
.RE
This option may also be enabled globally in the
\m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[8]\d\s+2(5) file\&.
.RE
.PP
\fBmaclist\fR
.RS 4
Connection requests from this interface are compared against the contents of
\m[blue]\fBshorewall\-maclist\fR\m[]\&\s-2\u[9]\d\s+2(5)\&. If this option is specified, the interface must be an ethernet NIC and must be up before Shorewall is started\&.
.RE
.PP
\fBmss\fR[=\fInumber\fR]
.RS 4
Added in Shorewall 4\&.0\&.3\&. Causes forwarded TCP SYN packets entering or leaving on this interface to have their MSS field set to the specified
\fInumber\fR\&.
.RE
.PP
\fBnorfc1918\fR
.RS 4
This interface should not receive any packets whose source is in one of the ranges reserved by RFC 1918 (i\&.e\&., private or "non\-routable" addresses)\&. If packet mangling or connection\-tracking match is enabled in your kernel, packets whose destination addresses are reserved by RFC 1918 are also rejected\&.
.RE
.PP
\fBnosmurfs\fR
.RS 4
Filter packets for smurfs (packets with a broadcast address as the source)\&.
.sp
Smurfs will be optionally logged based on the setting of SMURF_LOG_LEVEL in
\m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[8]\d\s+2(5)\&. After logging, the packets are dropped\&.
.RE
.PP
\fBoptional\fR
.RS 4
Only supported by Shorewall\-perl\&. When
\fBoptional\fR
is specified for an interface, Shorewall will be silent when:
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
a
\FC/proc/sys/net/ipv4/conf/\F[]
entry for the interface cannot be modified (including for proxy ARP)\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
The first address of the interface cannot be obtained\&.
.RE
.RS 4

I specify
\fBoptional\fR
on interfaces to Xen virtual machines that may or may not be running when Shorewall is [re]started\&.
.sp
.if n \{\
.sp
.\}
.RS 4
.BM yellow
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBCaution\fR
.ps -1
.br
Use
\fBoptional\fR
at your own risk\&. If you [re]start Shorewall when an \'optional\' interface is not available and then do a
\fBshorewall save\fR, subsequent
\fBshorewall restore\fR
and
\fBshorewall \-f start\fR
operations will instantiate a ruleset that does not support that interface, even if it is available at the time of the restore/start\&.
.sp .5v
.EM yellow
.RE
.RE
.PP
\fBproxyarp[={0|1}]\fR
.RS 4
Sets /proc/sys/net/ipv4/conf/\fIinterface\fR/proxy_arp\&. Do NOT use this option if you are employing Proxy ARP through entries in
\m[blue]\fBshorewall\-proxyarp\fR\m[]\&\s-2\u[10]\d\s+2(5)\&. This option is intended solely for use with Proxy ARP sub\-networking as described at:
\m[blue]\fBhttp://tldp\&.org/HOWTO/Proxy\-ARP\-Subnet/index\&.html\&. \fR\m[]\&\s-2\u[11]\d\s+2
.sp
\fBNote\fR: This option does not work with a wild\-card
\fIinterface\fR
name (e\&.g\&., eth0\&.+) in the INTERFACE column\&.
.sp
The option value (0 or 1) may only be specified if you are using Shorewall\-perl\&. With Shorewall\-perl, only those interfaces with the
\fBproxyarp\fR
option will have their setting changed; the value assigned to the setting will be the value specified (if any) or 1 if no value is given\&.
.RE
.PP
\fBrouteback\fR
.RS 4
If specified, indicates that Shorewall should include rules that allow filtering traffic arriving on this interface back out that same interface\&. This option is also required when you have used a wildcard in the INTERFACE column if you want to allow traffic between the interfaces that match the wildcard\&.
.RE
.PP
\fBroutefilter[={0|1}]\fR
.RS 4
Turn on kernel route filtering for this interface (anti\-spoofing measure)\&.
.sp
The option value (0 or 1) may only be specified if you are using Shorewall\-perl\&. With Shorewall\-perl, only those interfaces with the
\fBroutefilter\fR
option will have their setting changes; the value assigned to the setting will be the value specified (if any) or 1 if no value is given\&.
.sp
.if n \{\
.sp
.\}
.RS 4
.BM yellow
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBNote\fR
.ps -1
.br
This option does not work with a wild\-card
\fIinterface\fR
name (e\&.g\&., eth0\&.+) in the INTERFACE column\&.
.sp .5v
.EM yellow
.RE
This option can also be enabled globally in the
\m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[8]\d\s+2(5) file\&.
.RE
.PP
\fBsourceroute[={0|1}]\fR
.RS 4
If this option is not specified for an interface, then source\-routed packets will not be accepted from that interface (sets /proc/sys/net/ipv4/conf/\fIinterface\fR/accept_source_route to 1)\&. Only set this option if you know what you are doing\&. This might represent a security risk and is not usually needed\&.
.sp
The option value (0 or 1) may only be specified if you are using Shorewall\-perl\&. With Shorewall\-perl, only those interfaces with the
\fBsourceroute\fR
option will have their setting changes; the value assigned to the setting will be the value specified (if any) or 1 if no value is given\&.
.sp
.if n \{\
.sp
.\}
.RS 4
.BM yellow
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBNote\fR
.ps -1
.br
This option does not work with a wild\-card
\fIinterface\fR
name (e\&.g\&., eth0\&.+) in the INTERFACE column\&.
.sp .5v
.EM yellow
.RE
.RE
.PP
\fBtcpflags\fR
.RS 4
Packets arriving on this interface are checked for certain illegal combinations of TCP flags\&. Packets found to have such a combination of flags are handled according to the setting of TCP_FLAGS_DISPOSITION after having been logged according to the setting of TCP_FLAGS_LOG_LEVEL\&.
.RE
.PP
\fBupnp\fR
.RS 4
Incoming requests from this interface may be remapped via UPNP (upnpd)\&. See
\m[blue]\fBhttp://www\&.shorewall\&.net/UPnP\&.html\fR\m[]\&\s-2\u[12]\d\s+2\&.
.RE
.RE
.SH "Example"
.PP
Example 1:
.RS 4
Suppose you have eth0 connected to a DSL modem and eth1 connected to your local network and that your local subnet is 192\&.168\&.1\&.0/24\&. The interface gets it\'s IP address via DHCP from subnet 206\&.191\&.149\&.192/27\&. You have a DMZ with subnet 192\&.168\&.2\&.0/24 using eth2\&.
.sp
Your entries for this setup would look like:
.sp
.if n \{\
.RS 4
.\}
.fam C
.ps -1
.nf
.BB lightgray
#ZONE   INTERFACE BROADCAST        OPTIONS
net     eth0      206\&.191\&.149\&.223  dhcp
loc     eth1      192\&.168\&.1\&.255
dmz     eth2      192\&.168\&.2\&.255
.EB lightgray
.fi
.fam
.ps +1
.if n \{\
.RE
.\}
.RE
.PP
Example 2:
.RS 4
The same configuration without specifying broadcast addresses is:
.sp
.if n \{\
.RS 4
.\}
.fam C
.ps -1
.nf
.BB lightgray
#ZONE   INTERFACE BROADCAST        OPTIONS
net     eth0      detect           dhcp
loc     eth1      detect
dmz     eth2      detect
.EB lightgray
.fi
.fam
.ps +1
.if n \{\
.RE
.\}
.RE
.PP
Example 3:
.RS 4
You have a simple dial\-in system with no ethernet connections\&.
.sp
.if n \{\
.RS 4
.\}
.fam C
.ps -1
.nf
.BB lightgray
#ZONE   INTERFACE BROADCAST        OPTIONS
net     ppp0      \-
.EB lightgray
.fi
.fam
.ps +1
.if n \{\
.RE
.\}
.RE
.SH "FILES"
.PP
/etc/shorewall/interfaces
.SH "See ALSO"
.PP
shorewall(8), shorewall\-accounting(5), shorewall\-actions(5), shorewall\-blacklist(5), shorewall\-hosts(5), shorewall\-ipsec(5), shorewall\-maclist(5), shorewall\-masq(5), shorewall\-nat(5), shorewall\-netmap(5), shorewall\-params(5), shorewall\-policy(5), shorewall\-providers(5), shorewall\-proxyarp(5), shorewall\-route_rules(5), shorewall\-routestopped(5), shorewall\-rules(5), shorewall\&.conf(5), shorewall\-tcclasses(5), shorewall\-tcdevices(5), shorewall\-tcrules(5), shorewall\-tos(5), shorewall\-tunnels(5), shorewall\-zones(5)
.SH "Notes"
.IP " 1." 4
shorewall-hosts
.RS 4
\%http://www.shorewall.net/manpages/shorewall-hosts.html
.RE
.IP " 2." 4
shorewall-nesting
.RS 4
\%http://www.shorewall.net/manpages/shorewall-nesting.html
.RE
.IP " 3." 4
Proxy ARP
.RS 4
\%http://www.shorewall.net/ProxyARP.htm
.RE
.IP " 4." 4
shorewall-blacklist
.RS 4
\%http://www.shorewall.net/manpages/shorewall-blacklist.html
.RE
.IP " 5." 4
simple bridge
.RS 4
\%http://www.shorewall.net/SimpleBridge.html
.RE
.IP " 6." 4
Shorewall-perl for firewall/bridging
.RS 4
\%http://www.shorewall.net/bridge-Shorewall-perl.html
.RE
.IP " 7." 4
shorewall-rules
.RS 4
\%http://www.shorewall.net/manpages/shorewall-rules.html
.RE
.IP " 8." 4
shorewall.conf
.RS 4
\%http://www.shorewall.net/manpages/shorewall.conf.html
.RE
.IP " 9." 4
shorewall-maclist
.RS 4
\%http://www.shorewall.net/manpages/shorewall-maclist.html
.RE
.IP "10." 4
shorewall-proxyarp
.RS 4
\%http://www.shorewall.net/manpages/shorewall-proxyarp.html
.RE
.IP "11." 4
http://tldp.org/HOWTO/Proxy-ARP-Subnet/index.html.
.RS 4
\%http://tldp.org/HOWTO/Proxy-ARP-Subnet/index.html
.RE
.IP "12." 4
http://www.shorewall.net/UPnP.html
.RS 4
\%http://www.shorewall.net/UPnP.html
.RE