# Shorewall6 version 4 - Interfaces File
#
# For information about entries in this file, type "man shorewall6-interfaces"
#
# The manpage is also online at
# http://www.shorewall.net/manpages6/shorewall6-interfaces.html
#
###############################################################################
# The interfaces file serves to define the firewall's network
# interfaces to shorewall6. The order of entries in this file is
# not significant in determining zone composition.
#
# The columns in the file are as follows.
#
# Zone for this interface. Must match the name of a zone
# declared in /etc/shorewall6/zones. You may not list the
# firewall zone in this column.
#
# If the interface serves multiple zones that will be
# defined in the shorewall6-hosts(5) file, you should
# place "-" in this column.
#
# If there are multiple interfaces to the same zone, you
# must list them in separate entries.
#
# #ZONE INTERFACE BROADCAST
#
# INTERFACE - interface[:port]
# Logical name of interface. Each interface may be listed
# only once in this file. You may NOT specify the name of
# a "virtual" interface (e.g., eth0:0) here; see
# http://www.shorewall.net/FAQ.htm#faq18. If the physical
# option is not specified, then the logical name is also
# the name of the actual interface.
#
# You may use wildcards here by specifying a prefix
# followed by the plus sign ("+"). For example, if you
# want to make an entry that applies to all PPP
# interfaces, use 'ppp+'; that would match ppp0, ppp1,
# ppp2, ... Please note that the '+' means 'one or more
# additional characters' so 'ppp' does not match 'ppp+'.
#
# Care must be exercised when using wildcards where there
# is another zone that uses a matching specific interface.
# See shorewall6-nesting(5) for a discussion of this
#
# Shorewall6 allows '+' as an interface name.
#
# There is no need to define the loopback interface (lo)
#
# If a port is given, then the interface must have been
# defined previously with the bridge option. The OPTIONS
# column must be empty when a port is given.
#
# Enter '-' in this column. It is here for compatibility
# between Shorewall6 and Shorewall.
#
# OPTIONS (Optional) - [option[,option]...]
# A comma-separated list of options from the following
# list. The order in which you list the options is not
# significant but the list should have no embedded white
#
# Check packets arriving on this interface against
# the shorewall6-blacklist(5) file.
#
# Beginning with Shorewall 4.4.13:
#
# o If a zone is given in the ZONES column, then the
# behavior is as if blacklist had been specified in
# the IN_OPTIONS column of shorewall6-zones(5).
# o Otherwise, the option is ignored with a warning:
#
# WARNING: The 'blacklist' option is ignored on multi-zone
#
# Designates the interface as a bridge. Beginning
# with Shorewall 4.4.7, setting this option also
#
# Specify this option when any of the following are
#
# 1. the interface gets its IP address via DHCP
# 2. the interface is used by a DHCP server running on
# 3. the interface has a static IP but is on a LAN
# segment with lots of DHCP clients.
# 4. the interface is a simple bridge with a DHCP
# server on one port and DHCP clients on another
#
# If you use Shorewall-perl for firewall/bridging,
# then you need to include DHCP-specific rules in
# shorewall-rules(8). DHCP uses UDP ports 546 and
#
# This option allows DHCP datagrams to enter and
# leave the interface.
#
# Added in Shorewall 4.4.20. This option should be
# used on bridges or other interfaces with the
# routeback option. On these interfaces, it should
# list those local networks that are not routed out
# of the bridge or interface.
#
# /proc/sys/net/ipv6/conf/interface/forwarding
# option to the specified value. If no value is
# supplied, then 1 is assumed.
#
# Causes forwarded TCP SYN packets entering or
# leaving on this interface to have their MSS field
# set to the specified number.
#
# Limit the zone named in the ZONE column to only
# the listed networks. If you specify this option,
# be sure to include the link-local network
#
# When optional is specified for an interface,
# shorewall6 will be silent when:
#
# o a /proc/sys/net/ipv6/conf/ entry for the
# interface cannot be modified.
# o The first global IPv6 address of the interface
# cannot be obtained.
#
# This option may not be specified together with
#
# Added in Shorewall 4.4.4. When specified, the
# interface or port name in the INTERFACE column is
# a logical name that refers to the name given in
# this option. It is useful when you want to specify
# the same wildcard port name on two or more
# http://www.shorewall.net/bridge-Shorewall-perl.htm
#
# If the interface name is a wildcard name (ends
# with '+'), then the physical name must also end in
#
# If physical is not specified, then its value
# defaults to the interface name.
#
# Added in Shorewall 4.4.10. When specified, the
# firewall will fail to start if the interface named
# in the INTERFACE column is not usable. May not be
# specified together with optional.
#
# If specified, indicates that shorewall6 should
# include rules that allow traffic arriving on this
# interface to be routed back out that same
# interface. This option is also required when you
# have used a wildcard in the INTERFACE column if
# you want to allow traffic between the interfaces
# that match the wildcard.
#
# Beginning with Shorewall 4.4.20, if you specify
# this option, then you should also specify filter;
#
# sourceroute[={0|1}]
# If this option is not specified for an interface,
# then source-routed packets will not be accepted
# from that interface (sets
# /proc/sys/net/ipv6/conf/interface/accept_source_route
# to 1). Only set this option if you know what
# you are doing. This might represent a security
# risk and is not usually needed.
#
# Only those interfaces with the sourceroute option
# will have their setting changed; the value
# assigned to the setting will be the value
# specified (if any) or 1 if no value is given.
#
# This option does not work with a wild-card
# interface name (e.g., eth0.+) in the INTERFACE
#
# Packets arriving on this interface are checked for
# certain illegal combinations of TCP flags. Packets
# found to have such a combination of flags are
# handled according to the setting of
# TCP_FLAGS_DISPOSITION after having been logged
# according to the setting of TCP_FLAGS_LOG_LEVEL.
#
# Sets /proc/sys/net/ipv6/conf/interface/proxy_ndp.
#
# Note: This option does not work with a wild-card
# interface name (e.g., eth0.+) in the INTERFACE
#
# Only those interfaces with the proxyndp option
# will have their setting changed; the value
# assigned to the setting will be the value
# specified (if any) or 1 if no value is given.
#
# Added in Shorewall 4.4.10. Causes the generated
# script to wait up to seconds seconds for the
# interface to become usable before applying the
# required or optional options.
#
# Suppose you have eth0 connected to a DSL modem and eth1
# connected to your local network. You have a DMZ using
#
# Your entries for this setup would look like:
#
# #ZONE INTERFACE UNICAST OPTIONS
#
# Example 4 (Shorewall 4.4.9 and later):
# You have a bridge with no IP address and you want to
# allow traffic through the bridge.
#
# #ZONE INTERFACE BROADCAST OPTIONS
#
###############################################################################
#ZONE INTERFACE ANYCAST OPTIONS
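An added example, not part of Shorewall itself: a small Python linter that encodes the rules this file documents (no firewall zone in ZONE, each interface once, no virtual interfaces, empty OPTIONS when a port is given, a port's bridge defined earlier with the bridge option, optional/required mutually exclusive, blacklist ignored on "-" zones, sourceroute/proxyndp not usable on wildcard names). It assumes the firewall zone is named "fw" (the shorewall6 default), and the sample entries are constructed here to exercise each rule.

```python
# Added example (not Shorewall code): lint a shorewall6 interfaces file
# against the rules documented above. Assumes the firewall zone is "fw".
SAMPLE = """\
#ZONE INTERFACE ANYCAST OPTIONS
net eth0 - dhcp,tcpflags,optional,required
loc eth1 - routeback
fw eth2 -
- eth0 - blacklist
dmz br0 - bridge
dmz br0:eth3 - tcpflags
dmz br1:eth4 -
loc ppp+ - sourceroute,proxyndp
loc eth5:0 -
"""

def lint(text, fw_zone="fw"):
    # Returns [(line_no, message)] for every documented rule that is violated.
    issues, seen, bridges = [], set(), set()
    for n, raw in enumerate(text.splitlines(), 1):
        cols = raw.split("#", 1)[0].split()      # strip comments, split columns
        if len(cols) < 2:
            continue                              # blank or comment-only line
        zone, iface = cols[0], cols[1]
        opts = {o.split("=")[0] for o in cols[3].split(",")} if len(cols) > 3 else set()
        bad = lambda msg: issues.append((n, msg))
        if zone == fw_zone:
            bad("firewall zone may not be listed in ZONE")
        if iface in seen:
            bad(f"interface {iface} listed more than once")
        seen.add(iface)
        if len(cols) > 2 and cols[2] != "-":
            bad("third column must be '-'")
        if ":" in iface:                          # interface[:port] form
            name, port = iface.split(":", 1)
            if port.isdigit():
                bad(f"{iface} is a virtual interface; not allowed")
            elif name not in bridges:
                bad(f"{name} was not defined earlier with the bridge option")
            if opts:
                bad("OPTIONS must be empty when a port is given")
        if "bridge" in opts:
            bridges.add(iface)
        if {"optional", "required"} <= opts:
            bad("optional and required are mutually exclusive")
        if zone == "-" and "blacklist" in opts:
            bad("blacklist is ignored with a warning on a multi-zone interface")
        for o in ("sourceroute", "proxyndp"):
            if o in opts and iface.endswith("+"):
                bad(f"{o} does not work with wildcard interface {iface}")
    return issues
```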