# Shorewall6 version 4 - Sample Interfaces File for three-interface configuration.
#
# Copyright (C) 2006,2008 by the Shorewall Team
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# See the file README.txt for further details.
#------------------------------------------------------------------------------
# For information about entries in this file, type "man shorewall6-interfaces"
###############################################################################
#
# The interfaces file serves to define the firewall's network
# interfaces to shorewall6. The order of entries in this file is
# not significant in determining zone composition.
#
# The columns in the file are as follows.
#
# ZONE
#
# Zone for this interface. Must match the name of a zone
# declared in /etc/shorewall6/zones. You may not list the
# firewall zone in this column.
#
# If the interface serves multiple zones that will be
# defined in the shorewall6-hosts(5) file, you should
# place "-" in this column.
#
# If there are multiple interfaces to the same zone, you
# must list them in separate entries.
#
# INTERFACE - interface[:port]
#
# Logical name of interface. Each interface may be listed
# only once in this file. You may NOT specify the name of
# a "virtual" interface (e.g., eth0:0) here; see
# http://www.shorewall.net/FAQ.htm#faq18. If the physical
# option is not specified, then the logical name is also
# the name of the actual interface.
#
# You may use wildcards here by specifying a prefix
# followed by the plus sign ("+"). For example, if you
# want to make an entry that applies to all PPP
# interfaces, use 'ppp+'; that would match ppp0, ppp1,
# ppp2, ... Please note that the '+' means 'one or more
# additional characters' so 'ppp' does not match 'ppp+'.
#
# Care must be exercised when using wildcards where there
# is another zone that uses a matching specific interface.
# See shorewall6-nesting(5) for a discussion of this
#
# Shorewall6 allows '+' as an interface name.
#
# There is no need to define the loopback interface (lo)
#
# If a port is given, then the interface must have been
# defined previously with the bridge option. The OPTIONS
# column must be empty when a port is given.
#
# BROADCAST
#
# Enter '-' in this column. It is here for compatibility
# between Shorewall6 and Shorewall.
#
# OPTIONS (Optional) - [option[,option]...]
#
# A comma-separated list of options from the following
# list. The order in which you list the options is not
# significant but the list should have no embedded white
# space.
#
# blacklist
#
# Check packets arriving on this interface against
# the shorewall6-blacklist(5) file.
#
# Beginning with Shorewall 4.4.13:
#
# o If a zone is given in the ZONE column, then the
#   behavior is as if blacklist had been specified in
#   the IN_OPTIONS column of shorewall6-zones(5).
# o Otherwise, the option is ignored with a warning:
#
#   WARNING: The 'blacklist' option is ignored on multi-zone
# Designates the interface as a bridge. Beginning
94
# with Shorewall 4.4.7, setting this option also
98
# Specify this option when any of the following are
101
# 1. the interface gets its IP address via DHCP
102
# 2. the interface is used by a DHCP server running on
104
# 3. the interface has a static IP but is on a LAN
105
# segment with lots of DHCP clients.
106
# 4. the interface is a simple bridge with a DHCP
107
# server on one port and DHCP clients on another
111
# If you use Shorewall-perl for firewall/bridging,
112
# then you need to include DHCP-specific rules in
113
# shorewall-rules(8). DHCP uses UDP ports 546 and
116
# This option allows DHCP datagrams to enter and
117
# leave the interface.
#
# Added in Shorewall 4.4.20. This option should be
# used on bridges or other interfaces with the
# routeback option. On these interfaces, it should
# list those local networks that are not routed out
# of the bridge or interface.
#
# forward[={0|1}]
#
# Sets the /proc/sys/net/ipv6/conf/interface/forwarding
# option to the specified value. If no value is
# supplied, then 1 is assumed.
#
# mss=number
#
# Causes forwarded TCP SYN packets entering or
# leaving on this interface to have their MSS field
# set to the specified number.
#
# nets=(net[,...])
#
# Limit the zone named in the ZONE column to only
# the listed networks. If you specify this option,
# be sure to include the link-local network
#
# optional
#
# When optional is specified for an interface,
# shorewall6 will be silent when:
#
# o a /proc/sys/net/ipv6/conf/ entry for the
#   interface cannot be modified.
# o The first global IPv6 address of the interface
#   cannot be obtained.
#
# This option may not be specified together with
# required.
#
# physical=name
#
# Added in Shorewall 4.4.4. When specified, the
# interface or port name in the INTERFACE column is
# a logical name that refers to the name given in
# this option. It is useful when you want to specify
# the same wildcard port name on two or more
# http://www.shorewall.net/bridge-Shorewall-perl.htm
#
# If the interface name is a wildcard name (ends
# with '+'), then the physical name must also end in
#
# If physical is not specified, then its value
# defaults to the interface name.
#
# required
#
# Added in Shorewall 4.4.10. When specified, the
# firewall will fail to start if the interface named
# in the INTERFACE column is not usable. May not be
# specified together with optional.
#
# routeback
#
# If specified, indicates that shorewall6 should
# include rules that allow traffic arriving on this
# interface to be routed back out that same
# interface. This option is also required when you
# have used a wildcard in the INTERFACE column if
# you want to allow traffic between the interfaces
# that match the wildcard.
#
# Beginning with Shorewall 4.4.20, if you specify
# this option, then you should also specify sfilter
#
# sourceroute[={0|1}]
#
# If this option is not specified for an interface,
# then source-routed packets will not be accepted
# from that interface (sets
# /proc/sys/net/ipv6/conf/interface/accept_source_route
# to 0). Only set this option if you know what
# you are doing. This might represent a security
# risk and is not usually needed.
#
# Only those interfaces with the sourceroute option
# will have their setting changed; the value
# assigned to the setting will be the value
# specified (if any) or 1 if no value is given.
#
# This option does not work with a wild-card
# interface name (e.g., eth0.+) in the INTERFACE
# column.
#
# tcpflags
#
# Packets arriving on this interface are checked for
# certain illegal combinations of TCP flags. Packets
# found to have such a combination of flags are
# handled according to the setting of
# TCP_FLAGS_DISPOSITION after having been logged
# according to the setting of TCP_FLAGS_LOG_LEVEL.
#
# proxyndp[={0|1}]
#
# Sets /proc/sys/net/ipv6/conf/interface/proxy_ndp.
#
# Note: This option does not work with a wild-card
# interface name (e.g., eth0.+) in the INTERFACE
# column.
#
# Only those interfaces with the proxyndp option
# will have their setting changed; the value
# assigned to the setting will be the value
# specified (if any) or 1 if no value is given.
#
# wait=seconds
#
# Added in Shorewall 4.4.10. Causes the generated
# script to wait up to seconds seconds for the
# interface to become usable before applying the
# required or optional options.
#
# Suppose you have eth0 connected to a DSL modem and eth1
# connected to your local network. You have a DMZ using
#
# Your entries for this setup would look like:
#
# #ZONE INTERFACE BROADCAST OPTIONS
#
# Example 4 (Shorewall 4.4.9 and later):
#
# You have a bridge with no IP address and you want to
# allow traffic through the bridge.
#
# #ZONE INTERFACE BROADCAST OPTIONS
#
###############################################################################
#ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect tcpflags,forward=1
loc eth1 detect tcpflags,forward=1
dmz eth2 detect tcpflags,forward=1