'\" t
.\" Title: shorewall6-interfaces
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.76.1
.\" Date: 10/19/2014
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
.TH "SHOREWALL6\-INTERFAC" "5" "10/19/2014" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el       .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
interfaces \- shorewall6 interfaces file
.SH "SYNOPSIS"
.HP \w'\fB/etc/shorewall6/interfaces\fR\ 'u
\fB/etc/shorewall6/interfaces\fR
.SH "DESCRIPTION"
.PP
The interfaces file serves to define the firewall\*(Aqs network interfaces to shorewall6\&. The order of entries in this file is not significant in determining zone composition\&.
.PP
Beginning with Shorewall 4\&.5\&.3, the interfaces file supports two different formats:
.PP
FORMAT 1 (default \- deprecated)
.RS 4
There is an ANYCAST column which provides compatibility with older versions of Shorewall\&.
.RE
.PP
FORMAT 2
.RS 4
The ANYCAST column is omitted\&.
.RE
.PP
The format is specified by a line as follows:
.PP
\fB[?]FORMAT {1|2}\fR
.PP
The optional \*(Aq?\*(Aq was introduced in Shorewall 4\&.5\&.11 and ?FORMAT is the preferred form; the form without the \*(Aq?\*(Aq is deprecated\&.
.PP
The columns in the file are as follows\&.
.PP
\fBZONE\fR \- \fIzone\-name\fR
.RS 4
Zone for this interface\&. Must match the name of a zone declared in /etc/shorewall6/zones\&. You may not list the firewall zone in this column\&.
.sp
If the interface serves multiple zones that will be defined in the \m[blue]\fBshorewall6\-hosts\fR\m[]\&\s-2\u[1]\d\s+2(5) file, you should place "\-" in this column\&.
.sp
If there are multiple interfaces to the same zone, you must list them in separate entries\&.
.sp
Example:
.sp
.if n \{\
.RS 4
.\}
.nf
#ZONE   INTERFACE   ANYCAST
loc     eth1        \-
loc     eth2        \-
.fi
.if n \{\
.RE
.\}
Beginning with Shorewall 4\&.5\&.17, if you specify a zone for the \*(Aqlo\*(Aq interface, then that zone must be defined as type \fBlocal\fR in \m[blue]\fBshorewall6\-zones\fR\m[]\&\s-2\u[2]\d\s+2(5)\&.
.RE
.PP
\fBINTERFACE\fR \- \fIinterface\fR\fB[:\fR\fIport\fR\fB]\fR
.RS 4
Logical name of interface\&. Each interface may be listed only once in this file\&. You may NOT specify the name of a "virtual" interface (e\&.g\&., eth0:0) here; see \m[blue]\fBhttp://www\&.shorewall\&.net/FAQ\&.htm#faq18\fR\m[]\&\s-2\u[3]\d\s+2\&. If the \fBphysical\fR option is not specified, then the logical name is also the name of the actual interface\&.
.sp
You may use wildcards here by specifying a prefix followed by the plus sign ("+")\&. For example, if you want to make an entry that applies to all PPP interfaces, use \*(Aqppp+\*(Aq; that would match ppp0, ppp1, ppp2, \&.\&.\&. Please note that the \*(Aq+\*(Aq means \*(Aq\fBone\fR or more additional characters\*(Aq, so \*(Aqppp\*(Aq does not match \*(Aqppp+\*(Aq\&.
.sp
Care must be exercised when using wildcards where there is another zone that uses a matching specific interface\&.
See \m[blue]\fBshorewall6\-nesting\fR\m[]\&\s-2\u[4]\d\s+2(5) for a discussion of this problem\&.
.sp
Shorewall6 allows \*(Aq+\*(Aq as an interface name\&.
.sp
There is no need to define the loopback interface (lo) in this file\&.
.sp
If a \fIport\fR is given, then the \fIinterface\fR must have been defined previously with the \fBbridge\fR option\&. The OPTIONS column must be empty when a \fIport\fR is given\&.
.RE
.PP
\fBANYCAST\fR \- \fB\-\fR
.RS 4
Enter \*(Aq\fB\-\fR\*(Aq in this column\&. It is here for compatibility between Shorewall6 and Shorewall and is omitted if FORMAT is 2\&.
.RE
.PP
\fBOPTIONS\fR (Optional) \- [\fIoption\fR[\fB,\fR\fIoption\fR]\&.\&.\&.]
.RS 4
A comma\-separated list of options from the following list\&. The order in which you list the options is not significant, but the list must have no embedded white\-space\&.
.PP
\fBaccept_ra\fR[={0|1|2}]
.RS 4
Added in Shorewall 4\&.5\&.16\&. Values are:
.PP
0
.RS 4
Do not accept Router Advertisements\&.
.RE
.PP
1
.RS 4
Accept Router Advertisements if forwarding is disabled\&.
.RE
.PP
2
.RS 4
Overrule forwarding behavior\&. Accept Router Advertisements even if forwarding is enabled\&.
.RE
.sp
If the option is specified without a value, then the value 1 is assumed\&.
.RE
.PP
\fBblacklist\fR
.RS 4
Check packets arriving on this interface against the \m[blue]\fBshorewall6\-blacklist\fR\m[]\&\s-2\u[5]\d\s+2(5) file\&.
.sp
Beginning with Shorewall 4\&.4\&.13:
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
If a \fIzone\fR is given in the ZONE column, then the behavior is as if \fBblacklist\fR had been specified in the IN_OPTIONS column of \m[blue]\fBshorewall6\-zones\fR\m[]\&\s-2\u[2]\d\s+2(5)\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
Otherwise, the option is ignored with a warning: \fBWARNING: The \*(Aqblacklist\*(Aq option is ignored on multi\-zone interfaces\fR
.RE
.RE
.PP
\fBbridge\fR
.RS 4
Designates the interface as a bridge\&.
Beginning with Shorewall 4\&.4\&.7, setting this option also sets \fBrouteback\fR\&.
.RE
.PP
\fBdestonly\fR
.RS 4
Added in Shorewall 4\&.5\&.17\&. Causes the compiler to omit rules to handle traffic from this interface\&.
.RE
.PP
\fBdhcp\fR
.RS 4
Specify this option when any of the following are true:
.sp
.RS 4
.ie n \{\
\h'-04' 1.\h'+01'\c
.\}
.el \{\
.sp -1
.IP "  1." 4.2
.\}
the interface gets its IP address via DHCP
.RE
.sp
.RS 4
.ie n \{\
\h'-04' 2.\h'+01'\c
.\}
.el \{\
.sp -1
.IP "  2." 4.2
.\}
the interface is used by a DHCP server running on the firewall
.RE
.sp
.RS 4
.ie n \{\
\h'-04' 3.\h'+01'\c
.\}
.el \{\
.sp -1
.IP "  3." 4.2
.\}
the interface has a static IP but is on a LAN segment with lots of DHCP clients\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04' 4.\h'+01'\c
.\}
.el \{\
.sp -1
.IP "  4." 4.2
.\}
the interface is a \m[blue]\fBsimple bridge\fR\m[]\&\s-2\u[6]\d\s+2 with a DHCP server on one port and DHCP clients on another port\&.
.if n \{\
.sp
.\}
.RS 4
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBNote\fR
.ps -1
.br
If you use \m[blue]\fBShorewall\-perl for firewall/bridging\fR\m[]\&\s-2\u[7]\d\s+2, then you need to include DHCP\-specific rules in \m[blue]\fBshorewall\-rules\fR\m[]\&\s-2\u[8]\d\s+2(8)\&. DHCP uses UDP ports 546 and 547\&.
.sp .5v
.RE
.RE
.sp
This option allows DHCP datagrams to enter and leave the interface\&.
.RE
.PP
\fBforward\fR[={0|1}]
.RS 4
Sets the /proc/sys/net/ipv6/conf/\fIinterface\fR/forwarding option to the specified value\&. If no value is supplied, then 1 is assumed\&.
.RE
.PP
\fBignore\fR[=1]
.RS 4
When specified, causes the generated script to ignore up/down events from Shorewall\-init for this device\&. Additionally, the option exempts the interface from hairpin filtering\&. When \*(Aq=1\*(Aq is omitted, the ZONE column must contain \*(Aq\-\*(Aq and \fBignore\fR must be the only OPTION\&.
.sp
Beginning with Shorewall 4\&.5\&.5, may be specified as \*(Aq\fBignore=1\fR\*(Aq, which only causes the generated script to ignore up/down events from Shorewall\-init; hairpin filtering is still applied\&. In this case, the above restrictions on the ZONE and OPTIONS columns are lifted\&.
.RE
.PP
\fBmss\fR=\fInumber\fR
.RS 4
Causes forwarded TCP SYN packets entering or leaving on this interface to have their MSS field set to the specified \fInumber\fR\&.
.RE
.PP
\fBnets=(\fInet\fR\fB[,\&.\&.\&.])\fR
.RS 4
Limit the zone named in the ZONE column to only the listed networks\&. If you specify this option, be sure to include the link\-local network (fe80::/10)\&.
.RE
.PP
\fBnets=dynamic\fR
.RS 4
Added in Shorewall 4\&.4\&.21\&. Defines the zone as dynamic\&. Requires ipset match support in your iptables and kernel\&. See \m[blue]\fBhttp://www\&.shorewall\&.net/Dynamic\&.html\fR\m[]\&\s-2\u[9]\d\s+2 for further information\&.
.RE
.PP
\fBoptional\fR
.RS 4
When \fBoptional\fR is specified for an interface, shorewall6 will be silent when:
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
a /proc/sys/net/ipv6/conf/ entry for the interface cannot be modified\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
the first global IPv6 address of the interface cannot be obtained\&.
.RE
.sp
This option may not be specified together with \fBrequired\fR\&.
.RE
.PP
\fBphysical\fR=\fIname\fR
.RS 4
Added in Shorewall 4\&.4\&.4\&. When specified, the interface or port name in the INTERFACE column is a logical name that refers to the name given in this option\&. It is useful when you want to specify the same wildcard port name on two or more bridges\&. See \m[blue]\fBhttp://www\&.shorewall\&.net/bridge\-Shorewall\-perl\&.html#Multiple\fR\m[]\&\s-2\u[10]\d\s+2\&.
.sp
If the \fIinterface\fR name is a wildcard name (ends with \*(Aq+\*(Aq), then the physical \fIname\fR must also end in \*(Aq+\*(Aq\&.
.sp
If \fBphysical\fR is not specified, then its value defaults to the \fIinterface\fR name\&.
.RE
.PP
\fBrequired\fR
.RS 4
Added in Shorewall 4\&.4\&.10\&. When specified, the firewall will fail to start if the interface named in the INTERFACE column is not usable\&. May not be specified together with \fBoptional\fR\&.
.RE
.PP
\fBrouteback\fR[={0|1}]
.RS 4
If specified, indicates that shorewall6 should include rules that allow traffic arriving on this interface to be routed back out that same interface\&. This option is also required when you have used a wildcard in the INTERFACE column if you want to allow traffic between the interfaces that match the wildcard\&.
.sp
If you specify this option, then you should also specify \fBrpfilter\fR (see below) if you are running Shorewall 4\&.5\&.7 or later; otherwise, you should specify \fBsfilter\fR (see below)\&.
.sp
Beginning with Shorewall 4\&.5\&.18, you may specify this option to explicitly reset it (e\&.g\&., \fBrouteback=0\fR)\&. This can be used to override Shorewall\*(Aqs default setting for bridge devices, which is \fBrouteback=1\fR\&.
.RE
.PP
\fBrpfilter\fR
.RS 4
Added in Shorewall 4\&.5\&.7\&. This is an anti\-spoofing measure that requires the \*(AqRPFilter Match\*(Aq capability in your iptables and kernel\&. It provides a more efficient alternative to the \fBsfilter\fR option below\&.
.RE
.PP
\fBsourceroute\fR[={0|1}]
.RS 4
If this option is not specified for an interface, then source\-routed packets will not be accepted from that interface unless explicitly enabled via sysconf\&. Only set this option to 1 (enable source routing) if you know what you are doing\&. This might represent a security risk and is not usually needed\&.
.sp
Only those interfaces with the \fBsourceroute\fR option will have their setting changed; the value assigned to the setting will be the value specified (if any) or 1 if no value is given\&.
.if n \{\
.sp
.\}
.RS 4
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBNote\fR
.ps -1
.br
This option does not work with a wild\-card \fIinterface\fR name (e\&.g\&., eth0\&.+) in the INTERFACE column\&.
.sp .5v
.RE
.RE
.PP
\fBsfilter=(\fInet\fR\fB[,\&.\&.\&.])\fR
.RS 4
Added in Shorewall 4\&.4\&.20\&. At this writing (spring 2011), Linux does not support reverse path filtering (RFC3704) for IPv6\&. In its absence, \fBsfilter\fR may be used as an anti\-spoofing measure\&.
.sp
This option should be used on bridges or other interfaces with the \fBrouteback\fR option\&. On these interfaces, \fBsfilter\fR should list those local networks that are connected to the firewall through other interfaces\&.
.RE
.PP
\fBtcpflags\fR[={0|1}]
.RS 4
Packets arriving on this interface are checked for certain illegal combinations of TCP flags\&. Packets found to have such a combination of flags are handled according to the setting of TCP_FLAGS_DISPOSITION after having been logged according to the setting of TCP_FLAGS_LOG_LEVEL\&.
.sp
Beginning with Shorewall 4\&.6\&.0, tcpflags=1 is the default\&. To disable this option, specify tcpflags=0\&.
.RE
.PP
\fBproxyndp\fR[={0|1}]
.RS 4
Sets /proc/sys/net/ipv6/conf/\fIinterface\fR/proxy_ndp\&.
.sp
\fBNote\fR: This option does not work with a wild\-card \fIinterface\fR name (e\&.g\&., eth0\&.+) in the INTERFACE column\&.
.sp
Only those interfaces with the \fBproxyndp\fR option will have their setting changed; the value assigned to the setting will be the value specified (if any) or 1 if no value is given\&.
.RE
.PP
\fBunmanaged\fR
.RS 4
Added in Shorewall 4\&.5\&.18\&. Causes all traffic between the firewall and hosts on the interface to be accepted\&. When this option is given:
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
The ZONE column must contain \*(Aq\-\*(Aq\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
Only the following other options are allowed with \fBunmanaged\fR:
.RS 4
\fBaccept_ra\fR
.RE
.RS 4
\fBforward\fR
.RE
.RS 4
\fBignore\fR
.RE
.RS 4
\fBoptional\fR
.RE
.RS 4
\fBphysical\fR
.RE
.RS 4
\fBsourceroute\fR
.RE
.RS 4
\fBproxyndp\fR
.RE
.RE
.RE
.PP
\fBwait\fR=\fIseconds\fR
.RS 4
Added in Shorewall 4\&.4\&.10\&. Causes the generated script to wait up to \fIseconds\fR seconds for the interface to become usable before applying the \fBrequired\fR or \fBoptional\fR options\&.
.RE
.RE
.SH "EXAMPLE"
.PP
Example 1:
.RS 4
Suppose you have eth0 connected to a DSL modem and eth1 connected to your local network\&. You have a DMZ using eth2\&.
.sp
Your entries for this setup would look like:
.sp
.if n \{\
.RS 4
.\}
.nf
FORMAT 2
#ZONE   INTERFACE   OPTIONS
net     eth0        \-
loc     eth1        \-
dmz     eth2        \-
.fi
.if n \{\
.RE
.\}
.RE
.PP
Example 4 (Shorewall 4\&.4\&.9 and later):
.RS 4
You have a bridge with no IP address and you want to allow traffic through the bridge\&.
.sp
.if n \{\
.RS 4
.\}
.nf
FORMAT 2
#ZONE   INTERFACE   OPTIONS
\-       br0         routeback
.fi
.if n \{\
.RE
.\}
.RE
.SH "FILES"
.PP
/etc/shorewall6/interfaces
.SH "SEE ALSO"
.PP
\m[blue]\fBhttp://www\&.shorewall\&.net/configuration_file_basics\&.htm#Pairs\fR\m[]\&\s-2\u[11]\d\s+2
.PP
shorewall6(8), shorewall6\-accounting(5), shorewall6\-actions(5), shorewall6\-blacklist(5), shorewall6\-hosts(5), shorewall6\-maclist(5), shorewall6\-netmap(5), shorewall6\-params(5), shorewall6\-policy(5), shorewall6\-providers(5), shorewall6\-rtrules(5), shorewall6\-routestopped(5), shorewall6\-rules(5), shorewall6\&.conf(5), shorewall6\-secmarks(5), shorewall6\-tcclasses(5), shorewall6\-tcdevices(5), shorewall6\-mangle(5), shorewall6\-tos(5), shorewall6\-tunnels(5), shorewall6\-zones(5)
.SH "NOTES"
.IP " 1." 4
shorewall6-hosts
.RS 4
\%http://www.shorewall.net/manpages6/shorewall6-hosts.html
.RE
.IP " 2." 4
shorewall6-zones
.RS 4
\%http://www.shorewall.net/manpages6/shorewall6-zones.html
.RE
.IP " 3." 4
http://www.shorewall.net/FAQ.htm#faq18
.RS 4
\%http://www.shorewall.net/FAQ.htm#faq18
.RE
.IP " 4." 4
shorewall6-nesting
.RS 4
\%http://www.shorewall.net/manpages6/shorewall6-nesting.html
.RE
.IP " 5." 4
shorewall6-blacklist
.RS 4
\%http://www.shorewall.net/manpages6/shorewall6-blacklist.html
.RE
.IP " 6." 4
simple bridge
.RS 4
\%http://www.shorewall.net/SimpleBridge.html
.RE
.IP " 7." 4
Shorewall-perl for firewall/bridging
.RS 4
\%http://www.shorewall.net/bridge-Shorewall-perl.html
.RE
.IP " 8." 4
shorewall-rules
.RS 4
\%http://www.shorewall.net/manpages/shorewall-rules.html
.RE
.IP " 9." 4
http://www.shorewall.net/Dynamic.html
.RS 4
\%http://www.shorewall.net/Dynamic.html
.RE
.IP "10." 4
http://www.shorewall.net/bridge-Shorewall-perl.html#Multiple
.RS 4
\%http://www.shorewall.net/bridge-Shorewall-perl.html#Multiple
.RE
.IP "11." 4
http://www.shorewall.net/configuration_file_basics.htm#Pairs
.RS 4
\%http://www.shorewall.net/configuration_file_basics.htm#Pairs
.RE
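.SH "ADDED EXAMPLE: CHECKING AN INTERFACES FILE"
.PP
The script below is an added example and is not part of this manual page or of Shorewall itself (whose compiler is written in Perl); it is an editor's illustration of the column and option rules stated in the OPTIONS and EXAMPLE sections above. It reads a FORMAT 1 or FORMAT 2 interfaces file and reports violations of the documented constraints: the ANYCAST column in FORMAT 1, an interface:port entry requiring an earlier bridge entry with empty OPTIONS, ignore without =1 requiring ZONE '\-' as the only option, the unmanaged option set, optional and required being mutually exclusive, wildcard interfaces with physical names, and routeback (or bridge, which implies it) without rpfilter or sfilter. The two embedded files are constructed samples, and the names lint_interfaces and split_options are the example's own, not Shorewall's.
.PP
```python
"""Lint /etc/shorewall6/interfaces against the rules in shorewall6-interfaces(5).

Added example, not Shorewall's own compiler.  It assumes only the rules the
manual states; the firewall zone's name and the zone types from
shorewall6-zones(5) are not known here, so those checks are out of scope.
"""
import re

UNMANAGED_ALLOWED = {"accept_ra", "forward", "ignore", "optional",
                     "physical", "sourceroute", "proxyndp"}
ANTI_SPOOF = {"rpfilter", "sfilter"}        # either one satisfies routeback
BINARY = {"forward", "routeback", "sourceroute", "tcpflags", "proxyndp", "ignore"}


def split_options(field):
    """Parse the OPTIONS column into {name: value}.  Commas inside parentheses
    belong to nets=(...) or sfilter=(...), so only top-level commas split."""
    if field in ("", "-"):
        return {}
    items, depth, cur = [], 0, ""
    for ch in field:
        if ch == "," and depth == 0:
            items.append(cur)
            cur = ""
            continue
        depth += (ch == "(") - (ch == ")")
        cur += ch
    items.append(cur)
    opts = {}
    for item in items:
        name, _, value = item.partition("=")
        opts[name] = value                  # '' when no '=value' was given
    return opts


def lint_interfaces(text):
    """Return [(line_no, message), ...] for every rule violation in `text`."""
    findings = []
    fmt = 1                                 # FORMAT 1 is the (deprecated) default
    seen = {}                               # logical interface -> first line
    bridges = set()                         # interfaces carrying 'bridge'
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^(\??)FORMAT\s+([12])$", line)
        if m:
            fmt = int(m.group(2))
            if not m.group(1):
                findings.append((n, "bare FORMAT is deprecated; use ?FORMAT"))
            continue
        cols = line.split()
        opt_idx = 3 if fmt == 1 else 2      # FORMAT 2 drops the ANYCAST column
        if len(cols) < opt_idx:
            findings.append((n, f"too few columns for FORMAT {fmt}"))
            continue
        zone, iface = cols[0], cols[1]
        if fmt == 1 and cols[2] != "-":
            findings.append((n, "ANYCAST column must be '-'"))
        opts = split_options(cols[opt_idx] if len(cols) > opt_idx else "-")
        if iface in seen:
            findings.append((n, f"{iface} already listed on line {seen[iface]}"))
        seen[iface] = n
        if ":" in iface:                    # interface:port, or a virtual eth0:0
            base = iface.split(":", 1)[0]
            if base not in bridges:
                findings.append((n, f"{base} must be declared earlier with 'bridge' before a port is given"))
            if opts:
                findings.append((n, "OPTIONS must be empty when a port is given"))
        for name, value in opts.items():
            allowed = {"", "0", "1", "2"} if name == "accept_ra" else {"", "0", "1"}
            if (name in BINARY or name == "accept_ra") and value not in allowed:
                findings.append((n, f"invalid value '{value}' for {name}"))
        if "optional" in opts and "required" in opts:
            findings.append((n, "optional and required are mutually exclusive"))
        if "ignore" in opts and opts["ignore"] != "1" and (zone != "-" or len(opts) > 1):
            findings.append((n, "ignore (without =1) needs ZONE '-' and must be the only option"))
        if "unmanaged" in opts:
            extra = set(opts) - UNMANAGED_ALLOWED - {"unmanaged"}
            if zone != "-" or extra:
                findings.append((n, f"unmanaged needs ZONE '-' and forbids {sorted(extra)}"))
        if "physical" in opts and iface.endswith("+") != opts["physical"].endswith("+"):
            findings.append((n, "wildcard interface and physical name must both end in '+'"))
        if "bridge" in opts:
            bridges.add(iface)
        # bridge implies routeback=1 (Shorewall 4.4.7+) unless routeback=0 is given
        routeback = opts.get("routeback", "1" if "bridge" in opts else None)
        if routeback not in (None, "0") and not (ANTI_SPOOF & set(opts)):
            findings.append((n, "routeback without rpfilter (4.5.7+) or sfilter"))
    return findings


# Constructed sample files for this example; they are not from the manual page.
GOOD_EXAMPLE = """\
?FORMAT 2
#ZONE   INTERFACE   OPTIONS
net     eth0        tcpflags,rpfilter
loc     eth1        dhcp,routeback,rpfilter
-       br0         bridge,sfilter=(2001:db8:1::/64,2001:db8:2::/64)
loc     br0:eth2    -
dmz     br0:eth3    -
-       ppp+        ignore
-       eth4        unmanaged,accept_ra=2
"""

BAD_EXAMPLE = """\
FORMAT 1
#ZONE   INTERFACE   ANYCAST   OPTIONS
net     eth0        -         optional,required
loc     eth1        -         routeback
loc     eth0:0      -         -
wifi    wlan+       -         ignore,physical=wlan0
-       eth5        -         unmanaged,tcpflags
"""

if __name__ == "__main__":
    for label, sample in (("good", GOOD_EXAMPLE), ("bad", BAD_EXAMPLE)):
        for line_no, msg in lint_interfaces(sample):
            print(f"{label} line {line_no}: {msg}")
```
.PP
Run as a script it prints nothing for GOOD_EXAMPLE and seven findings for BAD_EXAMPLE (the deprecated bare FORMAT line, optional with required, routeback without an anti\-spoofing option, a port on an interface never declared as a bridge, ignore with a zone and a second option, a wildcard interface with a non\-wildcard physical name, and tcpflags combined with unmanaged). The routeback check treats bridge as implying routeback=1 because the manual says setting bridge also sets routeback, so a bridge without rpfilter or sfilter is reported too.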