Member "shorewall-docs-xml-5.2.8/manpages/shorewall-interfaces.xml" (24 Sep 2020, 48952 Bytes) of package /linux/misc/shorewall/shorewall-docs-xml-5.2.8.tar.bz2:


<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<refentry>
  <refmeta>
    <refentrytitle>shorewall-interfaces</refentrytitle>

    <manvolnum>5</manvolnum>

    <refmiscinfo>Configuration Files</refmiscinfo>
  </refmeta>

  <refnamediv>
    <refname>interfaces</refname>

    <refpurpose>Shorewall interfaces file</refpurpose>
  </refnamediv>

  <refsynopsisdiv>
    <cmdsynopsis>
      <command>/etc/shorewall[6]/interfaces</command>
    </cmdsynopsis>
  </refsynopsisdiv>

  <refsect1>
    <title>Description</title>

    <para>The interfaces file serves to define the firewall's network
    interfaces to Shorewall. The order of entries in this file is not
    significant in determining zone composition.</para>

    <para>Beginning with Shorewall 4.5.3, the interfaces file supports two
    different formats:</para>

    <variablelist>
      <varlistentry>
        <term>FORMAT 1 (default - deprecated)</term>

        <listitem>
          <para>There is a BROADCAST column which can be used to specify the
          broadcast address associated with the interface.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>FORMAT 2</term>

        <listitem>
          <para>The BROADCAST column is omitted.</para>
        </listitem>
      </varlistentry>
    </variablelist>

    <para>The format is specified by a line as follows:</para>

    <blockquote>
      <para><emphasis role="bold">?FORMAT {1|2}</emphasis></para>
    </blockquote>

    <para>The columns in the file are as follows.</para>

    <variablelist>
      <varlistentry>
        <term><emphasis role="bold">ZONE</emphasis> -
        <emphasis>zone-name</emphasis></term>

        <listitem>
          <para>Zone for this interface. Must match the name of a zone
          declared in /etc/shorewall/zones. You may not list the firewall zone
          in this column.</para>

          <para>If the interface serves multiple zones that will be defined in
          the <ulink url="shorewall-hosts.html">shorewall-hosts</ulink>(5)
          file, you should place "-" in this column.</para>

          <para>If there are multiple interfaces to the same zone, you must
          list them in separate entries.</para>

          <para>Example:</para>

          <blockquote>
            <programlisting>#ZONE   INTERFACE       BROADCAST
loc     eth1            -
loc     eth2            -</programlisting>
          </blockquote>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><emphasis role="bold">INTERFACE</emphasis> -
        <emphasis>interface</emphasis><emphasis
        role="bold">[:</emphasis><emphasis>port</emphasis><emphasis
        role="bold">]</emphasis></term>

        <listitem>
          <para>Logical name of interface. Each interface may be listed only
          once in this file. You may NOT specify the name of a "virtual"
          interface (e.g., eth0:0) here; see <ulink
          url="../FAQ.htm#faq18">https://shorewall.org/FAQ.htm#faq18</ulink>.
          If the <option>physical</option> option is not specified, then the
          logical name is also the name of the actual interface.</para>

          <para>You may use wildcards here by specifying a prefix followed by
          the plus sign ("+"). For example, if you want to make an entry that
          applies to all PPP interfaces, use 'ppp+'; that would match ppp0,
          ppp1, ppp2, …</para>

          <para>When using Shorewall versions before 4.1.4, care must be
          exercised when using wildcards where there is another zone that uses
          a matching specific interface. See <ulink
          url="shorewall-nesting.html">shorewall-nesting</ulink>(5) for a
          discussion of this problem.</para>

          <para>Shorewall allows '+' as an interface name, but that usage is
          deprecated. A better approach is to specify
          '<option>physical</option>=+' in the OPTIONS column (see
          below).</para>

          <para>There is no need to define the loopback interface (lo) in this
          file.</para>

          <para>If a <replaceable>port</replaceable> is given, then the
          <replaceable>interface</replaceable> must have been defined
          previously with the <option>bridge</option> option. The OPTIONS
          column may not contain the following options when a
          <replaceable>port</replaceable> is given.</para>

          <simplelist>
            <member>arp_filter</member>

            <member>arp_ignore</member>

            <member>bridge</member>

            <member>log_martians</member>

            <member>mss</member>

            <member>optional</member>

            <member>proxyarp</member>

            <member>required</member>

            <member>routefilter</member>

            <member>sourceroute</member>

            <member>upnp</member>

            <member>wait</member>
          </simplelist>

          <para>Beginning with Shorewall 4.5.17, if you specify a zone for the
          'lo' interface, then that zone must be defined as type
          <option>local</option> in <ulink
          url="shorewall-zones.html">shorewall6-zones</ulink>(5).</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><emphasis role="bold">BROADCAST</emphasis> (Optional) -
        {<emphasis role="bold">-</emphasis>|<emphasis
        role="bold">detect</emphasis>|<emphasis>address</emphasis>[,<emphasis>address</emphasis>]...}</term>

        <listitem>
          <para>Only available if FORMAT 1.</para>

          <para>If you use the special value <emphasis
          role="bold">detect</emphasis>, Shorewall will detect the broadcast
          address(es) for you if your iptables and kernel include Address Type
          Match support.</para>

          <para>If your iptables and/or kernel lack Address Type Match support
          then you may list the broadcast address(es) for the network(s) to
          which the interface belongs. For P-T-P interfaces, this column is
          left blank. If the interface has multiple addresses on multiple
          subnets then list the broadcast addresses as a comma-separated
          list.</para>

          <para>If you don't want to give a value for this column but you want
          to enter a value in the OPTIONS column, enter <emphasis
          role="bold">-</emphasis> in this column.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><emphasis role="bold">OPTIONS</emphasis> (Optional) -
        [<emphasis>option</emphasis>[<emphasis
        role="bold">,</emphasis><emphasis>option</emphasis>]...]</term>

        <listitem>
          <para>A comma-separated list of options from the following list. The
          order in which you list the options is not significant but the list
          should have no embedded white-space.</para>

          <variablelist>
            <varlistentry>
              <term><emphasis
              role="bold">accept_ra</emphasis>[={0|1|2}]</term>

              <listitem>
                <para>IPv6 only; added in Shorewall 4.5.16. Values are:</para>

                <variablelist>
                  <varlistentry>
                    <term>0</term>

                    <listitem>
                      <para>Do not accept Router Advertisements.</para>
                    </listitem>
                  </varlistentry>

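The ZONE and INTERFACE rules above (the ?FORMAT directive, one entry per interface, interface:port entries that need an earlier bridge entry, and the options that are not permitted on a port) are all checkable before the file is ever compiled. The validator below is an added example written for this page, not Shorewall's own code: it implements only the rules this man page states, including the ZONE/OPTIONS constraints of the ignore and loopback options described under OPTIONS, and the sample file at the bottom is constructed with three deliberate mistakes.

```python
"""Validator for a Shorewall /etc/shorewall/interfaces file (added example,
not Shorewall code). Implements only the rules stated in
shorewall-interfaces(5)."""
import re

# Options the man page lists as not permitted when a port is given.
PORT_FORBIDDEN_OPTIONS = {
    "arp_filter", "arp_ignore", "bridge", "log_martians", "mss", "optional",
    "proxyarp", "required", "routefilter", "sourceroute", "upnp", "wait",
}

FORMAT_RE = re.compile(r"^\?FORMAT\s+([12])$", re.IGNORECASE)


def parse_options(field):
    """Turn 'dhcp,arp_ignore=2' into {'dhcp': None, 'arp_ignore': '2'}."""
    if field in ("", "-"):
        return {}
    opts = {}
    for item in field.split(","):
        name, _, value = item.partition("=")
        opts[name] = value or None
    return opts


def parse_interfaces(text):
    """Parse the file text; return (entries, errors) in file order."""
    fmt = 1                 # FORMAT 1 is the (deprecated) default
    entries, errors = [], []
    seen = {}               # INTERFACE column value -> line number
    bridges = set()         # interfaces already declared with 'bridge'
    loopback = None         # INTERFACE value that claimed 'loopback'

    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()     # drop comments and blanks
        if not line:
            continue
        m = FORMAT_RE.match(line)
        if m:
            fmt = int(m.group(1))
            continue
        fields = line.split()
        if len(fields) < 2:
            errors.append(f"line {lineno}: ZONE and INTERFACE are required")
            continue
        zone, iface_field = fields[0], fields[1]
        if fmt == 1:        # ZONE INTERFACE BROADCAST OPTIONS
            broadcast = fields[2] if len(fields) > 2 else "-"
            opt_field = fields[3] if len(fields) > 3 else "-"
        else:               # ZONE INTERFACE OPTIONS
            broadcast = None
            opt_field = fields[2] if len(fields) > 2 else "-"
        iface, _, port = iface_field.partition(":")
        options = parse_options(opt_field)

        # Each interface may be listed only once.
        if iface_field in seen:
            errors.append(f"line {lineno}: {iface_field} already listed on "
                          f"line {seen[iface_field]}")
        seen[iface_field] = lineno

        if port:
            # A port requires the bridge to have been defined earlier.
            if iface not in bridges:
                errors.append(f"line {lineno}: {iface_field} names a port but "
                              f"{iface} was not defined earlier with 'bridge'")
            bad = sorted(PORT_FORBIDDEN_OPTIONS & set(options))
            if bad:
                errors.append(f"line {lineno}: option(s) {','.join(bad)} not "
                              f"allowed on bridge port {iface_field}")
        elif "bridge" in options:
            bridges.add(iface)

        # Bare 'ignore' (no '=1') requires ZONE '-' and no other option.
        if "ignore" in options and options["ignore"] is None:
            if zone != "-" or len(options) != 1:
                errors.append(f"line {lineno}: 'ignore' without =1 requires "
                              f"ZONE '-' and no other options")

        # Only one interface may carry 'loopback' (implied by physical 'lo').
        if "loopback" in options or options.get("physical", iface) == "lo":
            if loopback is not None:
                errors.append(f"line {lineno}: loopback already claimed by "
                              f"{loopback}")
            loopback = iface_field

        entries.append({"zone": zone, "interface": iface, "port": port or None,
                        "broadcast": broadcast, "options": options})
    return entries, errors


# Constructed sample (not from the page): lines 6, 9 and 10 are wrong.
SAMPLE_INTERFACES = """\
?FORMAT 2
#ZONE   INTERFACE       OPTIONS
net     eth0            dhcp,routefilter,logmartians,nosmurfs
loc     br0             bridge
loc     br0:eth1        -
-       br0:eth2        routefilter
dmz     ppp+            -
-       eth3            ignore
loc     eth3            dhcp
loc     eth4            ignore
"""

if __name__ == "__main__":
    for err in parse_interfaces(SAMPLE_INTERFACES)[1]:
        print("ERROR", err)
```

Run against the sample it reports the routefilter option on port br0:eth2, the duplicate eth3 entry, and the bare ignore on eth4 whose ZONE is not '-'. Ordering matters: a port line placed before its bridge line is rejected, exactly as the text requires the bridge to be "defined previously".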
                  <varlistentry>
                    <term>1</term>

                    <listitem>
                      <para>Accept Router Advertisements if forwarding is
                      disabled.</para>
                    </listitem>
                  </varlistentry>

                  <varlistentry>
                    <term>2</term>

                    <listitem>
                      <para>Overrule forwarding behavior. Accept Router
                      Advertisements even if forwarding is enabled.</para>
                    </listitem>
                  </varlistentry>
                </variablelist>

                <para>If the option is specified without a value, then the
                value 1 is assumed.</para>

                <note>
                  <para>This option does not work with a wild-card <emphasis
                  role="bold">physical</emphasis> name (e.g., eth0.+).
                  Beginning with Shorewall 5.1.10, if this option is
                  specified for such an interface, a warning is issued and the
                  option is ignored.</para>
                </note>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term><emphasis role="bold">arp_filter[={0|1}]</emphasis></term>

              <listitem>
                <para>IPv4 only. If specified, this interface will only
                respond to ARP who-has requests for IP addresses configured on
                the interface. If not specified, the interface can respond to
                ARP who-has requests for IP addresses on any of the firewall's
                interfaces. The interface must be up when Shorewall is
                started.</para>

                <para>Only those interfaces with the
                <option>arp_filter</option> option will have their setting
                changed; the value assigned to the setting will be the value
                specified (if any) or 1 if no value is given.</para>

                <note>
                  <para>This option does not work with a wild-card <emphasis
                  role="bold">physical</emphasis> name (e.g., eth0.+).
                  Beginning with Shorewall 5.1.10, if this option is
                  specified for such an interface, a warning is issued and the
                  option is ignored.</para>
                </note>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term><emphasis
              role="bold">arp_ignore</emphasis>[=<emphasis>number</emphasis>]</term>

              <listitem>
                <para>IPv4 only. If specified, this interface will respond to
                ARP requests based on the value of <emphasis>number</emphasis>
                (defaults to 1).</para>

                <para>1 - reply only if the target IP address is a local
                address configured on the incoming interface</para>

                <para>2 - reply only if the target IP address is a local
                address configured on the incoming interface and the sender's
                IP address is part of the same subnet as this interface's
                address</para>

                <para>3 - do not reply for local addresses configured with
                scope host, only resolutions for global and link</para>

                <para>4-7 - reserved</para>

                <para>8 - do not reply for all local addresses</para>
                <note>
                  <para>This option does not work with a wild-card <emphasis
                  role="bold">physical</emphasis> name (e.g., eth0.+).
                  Beginning with Shorewall 5.1.10, if this option is
                  specified for such an interface, a warning is issued and the
                  option is ignored.</para>
                </note>

                <warning>
                  <para>Do not specify <emphasis
                  role="bold">arp_ignore</emphasis> for any interface involved
                  in <ulink url="../ProxyARP.htm">Proxy ARP</ulink>.</para>
                </warning>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term><emphasis role="bold">blacklist</emphasis></term>

              <listitem>
                <para>Checks packets arriving on this interface against the
                <ulink
                url="shorewall-blacklist.html">shorewall-blacklist</ulink>(5)
                file.</para>

                <para>Beginning with Shorewall 4.4.13:</para>

                <itemizedlist>
                  <listitem>
                    <para>If a <replaceable>zone</replaceable> is given in the
                    ZONE column, then the behavior is as if <emphasis
                    role="bold">blacklist</emphasis> had been specified in the
                    IN_OPTIONS column of <ulink
                    url="shorewall-zones.html">shorewall-zones</ulink>(5).</para>
                  </listitem>

                  <listitem>
                    <para>Otherwise, the option is ignored with a
                    warning:</para>

                    <blockquote>
                      <para><emphasis role="bold">WARNING: The 'blacklist'
                      option is ignored on multi-zone
                      interfaces</emphasis></para>
                    </blockquote>
                  </listitem>
                </itemizedlist>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term><emphasis role="bold">bridge</emphasis></term>

              <listitem>
                <para>Designates the interface as a bridge. Beginning with
                Shorewall 4.4.7, setting this option also sets
                <option>routeback</option>.</para>

                <note>
                  <para>If you have a bridge that you don't intend to define
                  bport zones on, then it is best to omit this option and
                  simply specify <option>routeback</option>.</para>
                </note>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term><emphasis
              role="bold">dbl={none|src|dst|src-dst}</emphasis></term>

              <listitem>
                <para>Added in Shorewall 5.0.10. This option defines whether
                or not dynamic blacklisting is applied to packets entering the
                firewall through this interface and whether the source address
                and/or destination address is to be compared against the
                ipset-based dynamic blacklist (DYNAMIC_BLACKLIST=ipset... in
                <ulink url="shorewall.conf.html">shorewall.conf(5)</ulink>).
                The default is determined by the setting of
                DYNAMIC_BLACKLIST:</para>

                <variablelist>
                  <varlistentry>
                    <term>DYNAMIC_BLACKLIST=No</term>

                    <listitem>
                      <para>Default is <emphasis role="bold">none</emphasis>
                      (i.e., no dynamic blacklist checking).</para>
                    </listitem>
                  </varlistentry>

                  <varlistentry>
                    <term>DYNAMIC_BLACKLIST=Yes</term>

                    <listitem>
                      <para>Default is <emphasis role="bold">src</emphasis>
                      (i.e., the source IP address is checked).</para>
                    </listitem>
                  </varlistentry>

                  <varlistentry>
                    <term>DYNAMIC_BLACKLIST=ipset[-only]</term>

                    <listitem>
                      <para>Default is <emphasis
                      role="bold">src</emphasis>.</para>
                    </listitem>
                  </varlistentry>

                  <varlistentry>
                    <term>DYNAMIC_BLACKLIST=ipset[-only],src-dst...</term>

                    <listitem>
                      <para>Default is <emphasis
                      role="bold">src-dst</emphasis> (i.e., the source IP
                      address is checked against the ipset on input and the
                      destination IP address is checked against the ipset on
                      packets originating from the firewall and leaving
                      through this interface).</para>
                    </listitem>
                  </varlistentry>
                </variablelist>

                <para>The normal setting for this option will be <emphasis
                role="bold">dst</emphasis> or <emphasis
                role="bold">none</emphasis> for internal interfaces and
                <emphasis role="bold">src</emphasis> or <emphasis
                role="bold">src-dst</emphasis> for Internet-facing
                interfaces.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term><emphasis role="bold">destonly</emphasis></term>

              <listitem>
                <para>Added in Shorewall 4.5.17. Causes the compiler to omit
                rules to handle traffic from this interface.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term><emphasis role="bold">dhcp</emphasis></term>

              <listitem>
                <para>Specify this option when any of the following are
                true:</para>

                <orderedlist spacing="compact">
                  <listitem>
                    <para>the interface gets its IP address via DHCP</para>
                  </listitem>

                  <listitem>
                    <para>the interface is used by a DHCP server running on
                    the firewall</para>
                  </listitem>

                  <listitem>
                    <para>the interface has a static IP but is on a LAN
                    segment with lots of DHCP clients.</para>
                  </listitem>

                  <listitem>
                    <para>the interface is a <ulink
                    url="../SimpleBridge.html">simple bridge</ulink> with a
                    DHCP server on one port and DHCP clients on another
                    port.</para>

                    <note>
                      <para>If you use <ulink
                      url="../bridge-Shorewall-perl.html">Shorewall-perl for
                      firewall/bridging</ulink>, then you need to include
                      DHCP-specific rules in <ulink
                      url="shorewall-rules.html">shorewall-rules</ulink>(5).
                      DHCP uses UDP ports 67 and 68.</para>
                    </note>
                  </listitem>
                </orderedlist>

                <para>This option allows DHCP datagrams to enter and leave the
                interface.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term><emphasis role="bold">forward</emphasis>[={0|1}]</term>

              <listitem>
                <para>IPv6 only. Sets the
                /proc/sys/net/ipv6/conf/interface/forwarding option to the
                specified value. If no value is supplied, then 1 is
                assumed.</para>

                <note>
                  <para>This option does not work with a wild-card <emphasis
                  role="bold">physical</emphasis> name (e.g., eth0.+).
                  Beginning with Shorewall 5.1.10, if this option is
                  specified for such an interface, a warning is issued and the
                  option is ignored.</para>
                </note>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term><emphasis role="bold">ignore[=1]</emphasis></term>

              <listitem>
                <para>When specified, causes the generated script to ignore
                up/down events from Shorewall-init for this device.
                Additionally, the option exempts the interface from hairpin
                filtering. When '=1' is omitted, the ZONE column must contain
                '-' and <option>ignore</option> must be the only
                OPTION.</para>

                <para>Beginning with Shorewall 4.5.5, may be specified as
                '<option>ignore=1</option>' which only causes the generated
                script to ignore up/down events from Shorewall-init; hairpin
                filtering is still applied. In this case, the above
                restrictions on the ZONE and OPTIONS columns are
                lifted.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term><emphasis role="bold">loopback</emphasis></term>

              <listitem>
                <para>Added in Shorewall 4.6.6. Designates the interface as
                the loopback interface. This option is assumed if the
                interface's physical name is 'lo'. Only one interface may have
                the <option>loopback</option> option specified.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term><emphasis
              role="bold">logmartians[={0|1}]</emphasis></term>

              <listitem>
                <para>IPv4 only. Turn on kernel martian logging (logging of
                packets with impossible source addresses). It is strongly
                suggested that if you set <emphasis
                role="bold">routefilter</emphasis> on an interface, you
                also set <emphasis role="bold">logmartians</emphasis>. Even if
                you do not specify the <option>routefilter</option> option, it
                is a good idea to specify <option>logmartians</option> because
                your distribution may have enabled route filtering without you
                knowing it.</para>

                <para>Only those interfaces with the
                <option>logmartians</option> option will have their setting
                changed; the value assigned to the setting will be the value
                specified (if any) or 1 if no value is given.</para>

                <para>To find out if route filtering is set on a given
                <replaceable>interface</replaceable>, check the contents of
                <filename>/proc/sys/net/ipv4/conf/<replaceable>interface</replaceable>/rp_filter</filename>
                - a non-zero value indicates that route filtering is
                enabled.</para>

                <para>Example:</para>

                <programlisting>        teastep@lists:~$ <command>cat /proc/sys/net/ipv4/conf/eth0/rp_filter </command>
        1
        teastep@lists:~$ </programlisting>

                <note>
                  <para>This option does not work with a wild-card <emphasis
                  role="bold">physical</emphasis> name (e.g., eth0.+).
                  Beginning with Shorewall 5.1.10, if this option is
                  specified for such an interface, a warning is issued and the
                  option is ignored.</para>
                </note>

                <blockquote>
                  <para>This option may also be enabled globally in the <ulink
                  url="shorewall.conf.html">shorewall.conf</ulink>(5)
                  file.</para>
                </blockquote>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term><emphasis role="bold">maclist</emphasis></term>

              <listitem>
                <para>Connection requests from this interface are compared
                against the contents of <ulink
                url="shorewall-maclist.html">shorewall-maclist</ulink>(5). If
                this option is specified, the interface must be an Ethernet
                NIC and must be up before Shorewall is started.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term><emphasis
              role="bold">mss=</emphasis><emphasis>number</emphasis></term>

              <listitem>
                <para>Added in Shorewall 4.0.3. Causes forwarded TCP SYN
                packets entering or leaving on this interface to have their
                MSS field set to the specified
                <replaceable>number</replaceable>.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term><emphasis
              role="bold">nets=(<emphasis>net</emphasis>[,...])</emphasis></term>

              <listitem>
                <para>Limit the zone named in the ZONE column to only the
                listed networks. The parentheses may be omitted if only a
                single <replaceable>net</replaceable> is given (e.g.,
                nets=192.168.1.0/24). Limited broadcast to the zone is
                supported. Beginning with Shorewall 4.4.1, multicast traffic
                to the zone is also supported.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term><emphasis role="bold">nets=dynamic</emphasis></term>

              <listitem>
                <para>Defines the zone as <firstterm>dynamic</firstterm>.
                Requires ipset match support in your iptables and kernel. See
                <ulink
                url="../Dynamic.html">https://shorewall.org/Dynamic.html</ulink>
                for further information.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term><emphasis role="bold">nodbl</emphasis></term>

              <listitem>
                <para>Added in Shorewall 5.0.8. When specified, dynamic
                blacklisting is disabled on the interface. Beginning with
                Shorewall 5.0.10, <emphasis role="bold">nodbl</emphasis> is
                equivalent to <emphasis
                role="bold">dbl=none</emphasis>.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term><emphasis role="bold">nosmurfs</emphasis></term>

              <listitem>
                <para>IPv4 only. Filter packets for smurfs (packets with a
                broadcast address as the source).</para>

                <para>Smurfs will be optionally logged based on the setting of
                SMURF_LOG_LEVEL in <ulink
                url="shorewall.conf.html">shorewall.conf</ulink>(5). After
                logging, the packets are dropped.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term><emphasis role="bold">omitanycast</emphasis></term>
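The advice above is to enable logmartians wherever route filtering is active, including where the distribution turned it on without the administrator knowing. A quick way to find such interfaces is to compare rp_filter and log_martians for every interface in sysctl output. The check below is an added example for this page, not Shorewall code; it parses the text that `sysctl net.ipv4.conf` prints (a constructed sample is embedded) and applies the kernel's combination rule, which is assumed here as a fact about Linux rather than taken from the page: the effective rp_filter for an interface is the maximum of conf.all and conf.&lt;interface&gt;, and log_martians is the logical OR of the two.

```python
"""Find interfaces whose rp_filter is on but martian logging is off
(added example for this page, not Shorewall code)."""
import re

# One 'net.ipv4.conf.<iface>.<key> = <value>' line per match.
SYSCTL_RE = re.compile(
    r"^net\.ipv4\.conf\.([^.\s]+)\.(rp_filter|log_martians)\s*=\s*(\d+)$")


def parse_sysctl(lines):
    """Return {iface: {'rp_filter': int, 'log_martians': int}}."""
    conf = {}
    for line in lines:
        m = SYSCTL_RE.match(line.strip())
        if m:
            iface, key, value = m.groups()
            conf.setdefault(iface, {})[key] = int(value)
    return conf


def effective(conf, iface, key):
    """Value the kernel actually applies to iface: conf.all is combined with
    the per-interface entry (max for rp_filter, logical OR for log_martians),
    so 'all' can switch a setting on for an interface whose own entry is 0."""
    all_val = conf.get("all", {}).get(key, 0)
    own_val = conf.get(iface, {}).get(key, 0)
    if key == "rp_filter":
        return max(all_val, own_val)
    return 1 if (all_val or own_val) else 0


def unlogged_route_filtering(lines):
    """Interfaces where route filtering drops packets without logging them;
    these are the candidates for adding 'logmartians' to OPTIONS."""
    conf = parse_sysctl(lines)
    found = []
    for iface in sorted(conf):
        if iface in ("all", "default"):      # templates, not real interfaces
            continue
        if (effective(conf, iface, "rp_filter")
                and not effective(conf, iface, "log_martians")):
            found.append(iface)
    return found


# Constructed sample in the format 'sysctl net.ipv4.conf' prints.
SAMPLE_SYSCTL = """\
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.log_martians = 0
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.eth0.log_martians = 0
net.ipv4.conf.eth1.rp_filter = 2
net.ipv4.conf.eth1.log_martians = 1
net.ipv4.conf.lo.rp_filter = 0
net.ipv4.conf.lo.log_martians = 0
""".splitlines()

if __name__ == "__main__":
    for iface in unlogged_route_filtering(SAMPLE_SYSCTL):
        print(f"{iface}: rp_filter on, log_martians off - add logmartians")
```

On the sample only eth0 is reported: eth1 filters and logs, lo does neither. If conf.all.rp_filter were 1, lo would be reported too even though its own rp_filter entry is 0, which is exactly the silently-enabled case the text describes.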

              <listitem>
                <para>IPv6 only. Added in Shorewall 5.2.8.</para>

                <para>Shorewall6 has traditionally generated rules for IPv6
                <emphasis>anycast</emphasis> addresses. These rules
                include:</para>

                <orderedlist numeration="loweralpha">
                  <listitem>
                    <para>Packets with these destination IP addresses are
                    dropped by REJECT rules.</para>
                  </listitem>

                  <listitem>
                    <para>Packets with these source IP addresses are dropped
                    by the 'nosmurfs' interface option and by the 'dropSmurfs'
                    action.</para>
                  </listitem>

                  <listitem>
                    <para>Packets with these destination IP addresses are not
                    logged during policy enforcement.</para>
                  </listitem>

                  <listitem>
                    <para>Packets with these destination IP addresses are
                    processed by the 'Broadcast' action.</para>
                  </listitem>
                </orderedlist>

                <para>This can be inhibited for individual interfaces by
                specifying <emphasis role="bold">omitanycast</emphasis> for
                those interfaces.</para>
  692 
  693                 <note>
  694                   <para>RFC 2526 describes IPv6 subnet anycast addresses. The
  695                   RFC makes a distinction between subnets with "IPv6 address
  696                   types required to have 64-bit interface identifiers in
  697                   EUI-64 format" and all other subnets. When generating these
  698                   anycast addresses, the Shorewall compiler does not make this
  699                   distinction and unconditionally assumes that the last 128
  700                   addresses in the subnet are reserved as anycast
  701                   addresses.</para>
  702                 </note>
  703               </listitem>
  704             </varlistentry>
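                <para>As an added worked example (not part of the Shorewall
                documentation or compiler), the following Python derives the
                reserved subnet-anycast block both as the note above says the
                compiler does (unconditionally the last 128 addresses of the
                subnet) and as RFC 2526 defines it for subnets with EUI-64
                interface identifiers, so the two can be compared on a /64. The
                prefix and host addresses are constructed for illustration and
                the function names are this example's own.</para>

```python
import ipaddress

# Interface identifier of the first RFC 2526 reserved anycast address on an
# EUI-64 subnet: 1111110111...111 followed by a 7-bit anycast ID of zero.
EUI64_ANYCAST_IID = 0xFDFF_FFFF_FFFF_FF80


def compiler_subnet_anycast(prefix):
    """Reserved anycast block as shorewall-interfaces(5) says the compiler
    derives it: unconditionally the last 128 addresses of the subnet."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen >= 122:
        raise ValueError("subnet has fewer than 128 addresses")
    highest = int(net.broadcast_address)      # all host bits set
    return ipaddress.IPv6Network((highest - 127, 121))


def eui64_subnet_anycast(prefix):
    """Reserved block per RFC 2526 for a /64 whose interface identifiers are
    in EUI-64 format (universal/local bit cleared)."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 interface identifiers imply a /64")
    return ipaddress.IPv6Network((int(net.network_address) + EUI64_ANYCAST_IID, 121))


def classify(addr, prefix, eui64=False):
    """Return (treated_as_anycast_by_compiler, reserved_per_rfc2526)."""
    a = ipaddress.IPv6Address(addr)
    by_compiler = a in compiler_subnet_anycast(prefix)
    rfc_block = eui64_subnet_anycast(prefix) if eui64 else compiler_subnet_anycast(prefix)
    return by_compiler, a in rfc_block


if __name__ == "__main__":
    prefix = "2001:db8:1::/64"                # constructed example prefix
    print("compiler :", compiler_subnet_anycast(prefix))
    print("RFC 2526 :", eui64_subnet_anycast(prefix))
    for host in ("2001:db8:1:0:ffff:ffff:ffff:ff90",   # compiler: anycast, RFC: ordinary host
                 "2001:db8:1:0:fdff:ffff:ffff:ff80",   # compiler: host, RFC: anycast
                 "2001:db8:1::1"):
        print(host, classify(host, prefix, eui64=True))
```

                <para>On an EUI-64 subnet the two blocks do not overlap: a
                host address in ffff:ffff:ffff:ff80/121 of the prefix is
                treated as anycast (for instance dropped as a smurf source by
                <option>nosmurfs</option>) even though RFC 2526 does not
                reserve it there, while the block RFC 2526 does reserve gets no
                anycast handling. That mismatch is the situation in which
                <option>omitanycast</option> is the remedy.</para>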
  705 
  706             <varlistentry>
  707               <term><emphasis role="bold">optional</emphasis></term>
  708 
  709               <listitem>
  710                 <para>This option indicates that the firewall should be able
  711                 to start, even if the interface is not usable for handling
  712                 traffic. It allows use of the <command>enable</command> and
  713                 <command>disable</command> commands on the interface.</para>
  714 
  715                 <para>When <option>optional</option> is specified for an
  716                 interface, Shorewall will be silent when:</para>
  717 
  718                 <itemizedlist>
  719                   <listitem>
  720                     <para>a <filename
  721                     class="directory">/proc/sys/net/ipv[46]/conf/</filename>
  722                     entry for the interface cannot be modified (including for
  723                     proxy ARP or proxy NDP).</para>
  724                   </listitem>
  725 
  726                   <listitem>
  727                     <para>The first address of the interface cannot be
  728                     obtained.</para>
  729                   </listitem>
  730 
  731                   <listitem>
  732                     <para>The gateway of the interface can not be obtained
  733                     (provider interface).</para>
  734                   </listitem>
  735 
  736                   <listitem>
  737                     <para>The interface has been disabled using the
  738                     <command>disable</command> command.</para>
  739                   </listitem>
  740                 </itemizedlist>
  741 
  742                 <para>May not be specified with <emphasis
  743                 role="bold">required</emphasis>.</para>
  744               </listitem>
  745             </varlistentry>
  746 
  747             <varlistentry>
  748               <term><emphasis role="bold">physical</emphasis>=<emphasis
  749               role="bold"><emphasis>name</emphasis></emphasis></term>
  750 
  751               <listitem>
  752                 <para>Added in Shorewall 4.4.4. When specified, the interface
  753                 or port name in the INTERFACE column is a logical name that
  754                 refers to the name given in this option. It is useful when you
  755                 want to specify the same wildcard port name on two or more
  756                 bridges. See <ulink
  757                 url="../bridge-Shorewall-perl.html#Multiple">https://shorewall.org/bridge-Shorewall-perl.html#Multiple</ulink>.</para>
  758 
  759                 <para>If the <emphasis>interface</emphasis> name is a wildcard
  760                 name (ends with '+'), then the physical
  761                 <emphasis>name</emphasis> must also end in '+'. The physical
  762                 <replaceable>name</replaceable> may end in '+' (or be exactly
  763                 '+') when the <replaceable>interface</replaceable> name is not
  764                 a wildcard name.</para>
  765 
  766                 <para>If <option>physical</option> is not specified, then its
  767                 value defaults to the <emphasis>interface</emphasis>
  768                 name.</para>
  769               </listitem>
  770             </varlistentry>
  771 
  772             <varlistentry>
  773               <term><emphasis role="bold">proxyarp[={0|1}]</emphasis></term>
  774 
  775               <listitem>
  776                 <para>IPv4 only. Sets
  777                 /proc/sys/net/ipv4/conf/<emphasis>interface</emphasis>/proxy_arp.
  778                 Do NOT use this option if you are employing Proxy ARP through
  779                 entries in <ulink
  780                 url="shorewall-proxyarp.html">shorewall-proxyarp</ulink>(5).
  781                 This option is intended solely for use with Proxy ARP
  782                 sub-networking as described at: <ulink
  783                 url="http://tldp.org/HOWTO/Proxy-ARP-Subnet/index.html">http://tldp.org/HOWTO/Proxy-ARP-Subnet/index.html</ulink>.
  784                 </para>
  785 
  786                 <note>
  787                   <para>This option does not work with a wild-card <emphasis
  788                   role="bold">physical</emphasis> name (e.g., eth0.+).
  789                   Beginning with Shorewall 5.1.10, if this option is
  790                   specified with such a name, a warning is issued and the
  791                   option is ignored.</para>
  792                 </note>
  793 
  794                 <para>Only those interfaces with the <option>proxyarp</option>
  795                 option will have their setting changed; the value assigned to
  796                 the setting will be the value specified (if any) or 1 if no
  797                 value is given.</para>
  798               </listitem>
  799             </varlistentry>
  800 
  801             <varlistentry>
  802               <term><emphasis role="bold">proxyndp</emphasis>[={0|1}]</term>
  803 
  804               <listitem>
  805                 <para>IPv6 only. Sets
  806                 /proc/sys/net/ipv6/conf/<emphasis>interface</emphasis>/proxy_ndp.</para>
  807 
  808                 <note>
  809                   <para>This option does not work with a wild-card <emphasis
  810                   role="bold">physical</emphasis> name (e.g., eth0.+).
  811                   Beginning with Shorewall 5.1.10, if this option is
  812                   specified with such a name, a warning is issued and the
  813                   option is ignored.</para>
  814                 </note>
  815 
  816                 <para>Only those interfaces with the <option>proxyndp</option>
  817                 option will have their setting changed; the value assigned to
  818                 the setting will be the value specified (if any) or 1 if no
  819                 value is given.</para>
  820               </listitem>
  821             </varlistentry>
  822 
  823             <varlistentry>
  824               <term><emphasis role="bold">required</emphasis></term>
  825 
  826               <listitem>
  827                 <para>Added in Shorewall 4.4.10. If this option is set, the
  828                 firewall will fail to start if the interface is not usable.
  829                 May not be specified together with <emphasis
  830                 role="bold">optional</emphasis>.</para>
  831               </listitem>
  832             </varlistentry>
  833 
  834             <varlistentry>
  835               <term><emphasis role="bold">routeback[={0|1}]</emphasis></term>
  836 
  837               <listitem>
  838                 <para>If specified, indicates that Shorewall should include
  839                 rules that allow traffic arriving on this interface to be
  840                 routed back out that same interface. This option is also
  841                 required when you have used a wildcard in the INTERFACE column
  842                 if you want to allow traffic between the interfaces that match
  843                 the wildcard.</para>
  844 
  845                 <para>Beginning with Shorewall 4.4.20, if you specify this
  846                 option, then you should also specify either
  847                 <option>sfilter</option> (see below) or
  848                 <option>routefilter</option> on all interfaces (see
  849                 below).</para>
  850 
  851                 <para>Beginning with Shorewall 4.5.18, you may specify this
  852                 option to explicitly reset (e.g., <emphasis
  853                 role="bold">routeback=0</emphasis>). This can be used to
  854                 override Shorewall's default setting for bridge devices which
  855                 is <emphasis role="bold">routeback=1</emphasis>.</para>
  856               </listitem>
  857             </varlistentry>
  858 
  859             <varlistentry>
  860               <term><emphasis
  861               role="bold">routefilter[={0|1|2}]</emphasis></term>
  862 
  863               <listitem>
  864                 <para>IPv4 only. Turn on kernel route filtering for this
  865                 interface (anti-spoofing measure).</para>
  866 
  867                 <para>Only those interfaces with the
  868                 <option>routefilter</option> option will have their setting
  869                 changed; the value assigned to the setting will be the value
  870                 specified (if any) or 1 if no value is given.</para>
  871 
  872                 <para>The value 2 is only available with Shorewall 4.4.5.1 and
  873                 later when the kernel version is 2.6.31 or later. It specifies
  874                 a <firstterm>loose</firstterm> form of reverse path
  875                 filtering.</para>
  876 
  877                 <note>
  878                   <para>This option does not work with a wild-card <emphasis
  879                   role="bold">physical</emphasis> name (e.g., eth0.+).
  880                   Beginning with Shorewall 5.1.10, if this option is
  881                   specified with such a name, a warning is issued and the
  882                   option is ignored.</para>
  883                 </note>
  884 
  885                 <para>This option can also be enabled globally via the
  886                 ROUTE_FILTER option in the <ulink
  887                 url="shorewall.conf.html">shorewall.conf</ulink>(5)
  888                 file.</para>
  889 
  890                 <important>
  891                   <para>If ROUTE_FILTER=Yes in <ulink
  892                   url="shorewall.conf.html">shorewall.conf</ulink>(5), or if
  893                   your distribution sets net.ipv4.conf.all.rp_filter=1 in
  894                   <filename>/etc/sysctl.conf</filename>, then setting
  895                   <emphasis role="bold">routefilter</emphasis>=0 in an
  896                   <replaceable>interface</replaceable> entry will not disable
  897                   route filtering on that
  898                   <replaceable>interface</replaceable>! The effective setting
  899                   for an <replaceable>interface</replaceable> is the maximum
  900                   of the contents of
  901                   <filename>/proc/sys/net/ipv4/conf/all/rp_filter</filename>
  902                   and the routefilter setting specified in this file
  903                   (/proc/sys/net/ipv4/conf/<replaceable>interface</replaceable>/rp_filter).</para>
  904                 </important>
  905 
  906                 <note>
  907                   <para>There are certain cases where
  908                   <option>routefilter</option> cannot be used on an
  909                   interface:</para>
  910 
  911                   <itemizedlist>
  912                     <listitem>
  913                       <para>If USE_DEFAULT_RT=Yes in <ulink
  914                       url="shorewall.conf.html">shorewall.conf</ulink>(5) and
  915                       the interface is listed in <ulink
  916                       url="shorewall-providers.html">shorewall-providers</ulink>(5).</para>
  917                     </listitem>
  918 
  919                     <listitem>
  920                       <para>If there is an entry for the interface in <ulink
  921                       url="shorewall-providers.html">shorewall-providers</ulink>(5)
  922                       that doesn't specify the <option>balance</option>
  923                       option.</para>
  924                     </listitem>
  925 
  926                     <listitem>
  927                       <para>If IPSEC is used to allow a road-warrior to have a
  928                       local address, then any interface through which the
  929                       road-warrior might connect cannot specify
  930                       <option>routefilter</option>.</para>
  931                     </listitem>
  932                   </itemizedlist>
  933                 </note>
  934 
  935                 <para>Beginning with Shorewall 5.1.1, when
  936                 <option>routefilter</option> is set to a non-zero value, the
  937                 <option>logmartians</option> option is also implicitly set. If
  938                 you actually want route filtering without logging, then you
  939                 must also specify <option>logmartians=0</option> after
  940                 <option>routefilter</option>.</para>
  941               </listitem>
  942             </varlistentry>
  943 
  944             <varlistentry>
  945               <term><emphasis role="bold">rpfilter</emphasis></term>
  946 
  947               <listitem>
  948                 <para>Added in Shorewall 4.5.7. This is an anti-spoofing
  949                 measure that requires the 'RPFilter Match' capability in your
  950                 iptables and kernel. It provides a more efficient alternative
  951                 to the <option>sfilter</option> option below. It performs a
  952                 function similar to <option>routefilter</option> (see above)
  953                 but works with Multi-ISP configurations that do not use
  954                 balanced routes.</para>
  955               </listitem>
  956             </varlistentry>
  957 
  958             <varlistentry>
  959               <term><emphasis
  960               role="bold">sfilter=(<emphasis>net</emphasis>[,...])</emphasis></term>
  961 
  962               <listitem>
  963                 <para>Added in Shorewall 4.4.20. This option provides an
  964                 anti-spoofing alternative to <option>routefilter</option> on
  965                 interfaces where that option cannot be used, but where the
  966                 <option>routeback</option> option is required (on a bridge,
  967                 for example). On these interfaces, <option>sfilter</option>
  968                 should list those local networks that are connected to the
  969                 firewall through other interfaces.</para>
  970               </listitem>
  971             </varlistentry>
  972 
  973             <varlistentry>
  974               <term><emphasis
  975               role="bold">sourceroute[={0|1}]</emphasis></term>
  976 
  977               <listitem>
  978                 <para>If this option is not specified for an interface, then
  979                 source-routed packets will not be accepted from that interface
  980                 unless that has been explicitly enabled via sysctl
  981                 (accept_source_route). Only set this option to 1 (accept
  982                 source-routed packets) if you know what you are doing; source routing lets
  983                 the sender choose a packet's path and is usually unneeded.</para>
  984 
  985                 <para>Only those interfaces with the
  986                 <option>sourceroute</option> option will have their setting
  987                 changed; the value assigned to the setting will be the value
  988                 specified (if any) or 1 if no value is given.</para>
  989 
  990                 <note>
  991                   <para>This option does not work with a wild-card <emphasis
  992                   role="bold">physical</emphasis> name (e.g., eth0.+).
  993                   Beginning with Shorewall 5.1.10, if this option is
  994                   specified with such a name, a warning is issued and the
  995                   option is ignored.</para>
  996                 </note>
  997               </listitem>
  998             </varlistentry>
  999 
 1000             <varlistentry>
 1001               <term><emphasis role="bold">tcpflags[={0|1}]</emphasis></term>
 1002 
 1003               <listitem>
 1004                 <para>Packets arriving on this interface are checked for
 1005                 certain illegal combinations of TCP flags. Packets found to
 1006                 have such a combination of flags are handled according to the
 1007                 setting of TCP_FLAGS_DISPOSITION after having been logged
 1008                 according to the setting of TCP_FLAGS_LOG_LEVEL.</para>
 1009 
 1010                 <para>Beginning with Shorewall 4.6.0, tcpflags=1 is the
 1011                 default. To disable this option, specify tcpflags=0.</para>
 1012               </listitem>
 1013             </varlistentry>
 1014 
 1015             <varlistentry>
 1016               <term><emphasis role="bold">unmanaged</emphasis></term>
 1017 
 1018               <listitem>
 1019                 <para>Added in Shorewall 4.5.18. Causes all traffic between
 1020                 the firewall and hosts on the interface to be accepted. When
 1021                 this option is given:</para>
 1022 
 1023                 <itemizedlist>
 1024                   <listitem>
 1025                     <para>The ZONE column must contain '-'.</para>
 1026                   </listitem>
 1027 
 1028                   <listitem>
 1029                     <para>Only the following other options are allowed with
 1030                     <emphasis role="bold">unmanaged</emphasis>:</para>
 1031 
  1032                     <simplelist>
  1033                       <member><emphasis
  1034                       role="bold">arp_filter</emphasis></member>
  1035 
  1036                       <member><emphasis
  1037                       role="bold">arp_ignore</emphasis></member>
  1038 
  1039                       <member><emphasis role="bold">ignore</emphasis></member>
  1040 
  1041                       <member><emphasis
  1042                       role="bold">routefilter</emphasis></member>
  1043 
  1044                       <member><emphasis
  1045                       role="bold">optional</emphasis></member>
  1046 
  1047                       <member><emphasis
  1048                       role="bold">physical</emphasis></member>
  1049 
  1050                       <member><emphasis
  1051                       role="bold">proxyarp</emphasis></member>
  1052 
  1053                       <member><emphasis
  1054                       role="bold">proxyndp</emphasis></member>
  1055 
  1056                       <member><emphasis
  1057                       role="bold">sourceroute</emphasis></member>
  1058                     </simplelist>
 1062                   </listitem>
 1063                 </itemizedlist>
 1064               </listitem>
 1065             </varlistentry>
 1066 
 1067             <varlistentry>
 1068               <term><emphasis role="bold">upnp</emphasis></term>
 1069 
 1070               <listitem>
 1071                 <para>Incoming requests from this interface may be remapped
 1072                 via UPNP (upnpd). See <ulink
 1073                 url="../UPnP.html">https://shorewall.org/UPnP.html</ulink>.
 1074                 Supported in IPv4 and in IPv6 in Shorewall 5.1.4 and
 1075                 later.</para>
 1076               </listitem>
 1077             </varlistentry>
 1078 
 1079             <varlistentry>
 1080               <term><emphasis role="bold">upnpclient</emphasis></term>
 1081 
 1082               <listitem>
 1083                 <para>This option is intended for laptop users who always run
 1084                 Shorewall on their system yet need to run UPnP-enabled client
 1085                 apps such as Transmission (BitTorrent client). The option
 1086                 causes Shorewall to detect the default gateway through the
 1087                 interface and to accept UDP packets from that gateway. Note
 1088                 that, like all aspects of UPnP, this is a security hole so use
 1089                 this option at your own risk. Supported in IPv4 and in IPv6 in
 1090                 Shorewall 5.1.4 and later.</para>
 1091               </listitem>
 1092             </varlistentry>
 1093 
 1094             <varlistentry>
 1095               <term><emphasis
 1096               role="bold">wait</emphasis>=<emphasis>seconds</emphasis></term>
 1097 
 1098               <listitem>
 1099                 <para>Added in Shorewall 4.4.10. Causes the generated script
 1100                 to wait up to <emphasis>seconds</emphasis> seconds for the
 1101                 interface to become usable before applying the <emphasis
 1102                 role="bold">required</emphasis> or <emphasis
 1103                 role="bold">optional</emphasis> options.</para>
 1104               </listitem>
 1105             </varlistentry>
 1106           </variablelist>
 1107         </listitem>
 1108       </varlistentry>
 1109     </variablelist>
 1110   </refsect1>
 1111 
 1112   <refsect1>
 1113     <title>Example</title>
 1114 
 1115     <variablelist>
 1116       <varlistentry>
 1117         <term>IPv4 Example 1:</term>
 1118 
 1119         <listitem>
  1120           <para>Suppose you have eth0 connected to a DSL modem and eth1
  1121           connected to your local network and that your local subnet is
  1122           192.168.1.0/24. eth0 gets its IP address via DHCP from
  1123           subnet 206.191.149.192/27. You have a DMZ with subnet 192.168.2.0/24
  1124           using eth2. Your iptables and/or kernel do not support "Address Type
  1125           Match" and you prefer to specify broadcast addresses explicitly
  1126           rather than having Shorewall detect them.</para>
 1127 
 1128           <para>Your entries for this setup would look like:</para>
 1129 
 1130           <programlisting>?FORMAT 1
 1131 #ZONE   INTERFACE BROADCAST        OPTIONS
 1132 net     eth0      206.191.149.223  dhcp
 1133 loc     eth1      192.168.1.255
 1134 dmz     eth2      192.168.2.255</programlisting>
 1135         </listitem>
 1136       </varlistentry>
 1137 
 1138       <varlistentry>
 1139         <term>Example 2:</term>
 1140 
 1141         <listitem>
 1142           <para>The same configuration without specifying broadcast addresses
 1143           is:</para>
 1144 
 1145           <programlisting>?FORMAT 2
 1146 #ZONE   INTERFACE OPTIONS
 1147 net     eth0      dhcp
 1148 loc     eth1      
 1149 dmz     eth2</programlisting>
 1150         </listitem>
 1151       </varlistentry>
 1152 
 1153       <varlistentry>
 1154         <term>Example 3:</term>
 1155 
 1156         <listitem>
 1157           <para>You have a simple dial-in system with no Ethernet
 1158           connections.</para>
 1159 
 1160           <programlisting>?FORMAT 2
 1161 #ZONE   INTERFACE OPTIONS
 1162 net     ppp0      -</programlisting>
 1163         </listitem>
 1164       </varlistentry>
 1165 
 1166       <varlistentry>
 1167         <term>Example 4 (Shorewall 4.4.9 and later):</term>
 1168 
 1169         <listitem>
 1170           <para>You have a bridge with no IP address and you want to allow
 1171           traffic through the bridge.</para>
 1172 
 1173           <programlisting>?FORMAT 2
 1174 #ZONE   INTERFACE OPTIONS
 1175 -       br0       bridge</programlisting>
 1176         </listitem>
 1177       </varlistentry>
 1178     </variablelist>
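    <para>As an added example (not code from the Shorewall project), the
    following Python parses an interfaces file in the formats shown above and
    checks each entry against constraints stated earlier on this page:
    <option>optional</option> together with <option>required</option>, the
    options permitted with <option>unmanaged</option>, options that are
    ignored on a wildcard <option>physical</option> name,
    <option>routeback</option> without an anti-spoofing option,
    <option>routefilter</option>=0 being overridden by
    net.ipv4.conf.all.rp_filter, and the implicit
    <option>logmartians</option>. The sample file, the all.rp_filter value and
    the function names are constructed for the example; it is a sanity check,
    not a substitute for <command>shorewall check</command>.</para>

```python
import re

# Constructed FORMAT 2 interfaces file with deliberate mistakes, one per entry.
SAMPLE = """\
?FORMAT 2
#ZONE   INTERFACE OPTIONS
net     eth0      dhcp,optional,required
loc     eth1      routefilter=0,logmartians=0
-       br0       bridge,routeback
dmz     eth2.+    physical=vlan+,proxyarp,sfilter=(10.0.0.0/8,192.168.1.0/24)
-       eth3      unmanaged,routeback
"""

# Options the man page allows together with 'unmanaged'.
UNMANAGED_OK = {"arp_filter", "arp_ignore", "ignore", "routefilter", "optional",
                "physical", "proxyarp", "proxyndp", "sourceroute"}
# Options that are ignored (with a warning) on a wildcard physical name.
NO_WILDCARD = {"proxyarp", "proxyndp", "routefilter", "sourceroute"}
# Anti-spoofing options that should accompany 'routeback'.
ANTISPOOF = {"sfilter", "routefilter", "rpfilter"}

# One option per match; a parenthesised list such as sfilter=(a,b) stays whole.
OPTION_RE = re.compile(r"[^,()]+(?:\([^)]*\))?")


def parse_options(field):
    """Split the OPTIONS column into {name: value}; value is None when bare."""
    opts = {}
    if field in ("", "-"):
        return opts
    for item in OPTION_RE.findall(field):
        name, _, value = item.partition("=")
        opts[name.strip()] = value or None
    return opts


def parse_interfaces(text):
    """Yield (line_no, zone, interface, options) for each entry."""
    fmt = 1                                   # FORMAT 1 is the default
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = re.match(r"\?FORMAT\s+([12])", line)
        if m:
            fmt = int(m.group(1))
            continue
        cols = line.split()
        opt_col = 3 if fmt == 1 else 2        # FORMAT 1 has a BROADCAST column
        options = cols[opt_col] if len(cols) >= opt_col + 1 else ""
        yield n, cols[0], cols[1], parse_options(options)


def check_interfaces(text, all_rp_filter=0):
    """Return findings as 'line N (iface): message'.  all_rp_filter is the
    host's net.ipv4.conf.all.rp_filter value (constructed here, not read)."""
    findings = []
    for n, zone, iface, opts in parse_interfaces(text):
        present = set(opts)
        physical = opts.get("physical") or iface   # physical defaults to the interface name
        problems = []
        if {"optional", "required"} <= present:
            problems.append("'optional' and 'required' are mutually exclusive")
        if iface.endswith("+") and not physical.endswith("+"):
            problems.append("wildcard interface needs a wildcard 'physical' name")
        if physical.endswith("+"):
            for o in sorted(NO_WILDCARD & present):
                problems.append(f"'{o}' is ignored on wildcard physical name {physical}")
        if "unmanaged" in present:
            if zone != "-":
                problems.append("'unmanaged' requires ZONE '-'")
            for o in sorted(present - UNMANAGED_OK - {"unmanaged"}):
                problems.append(f"'{o}' is not allowed with 'unmanaged'")
        if "routeback" in present and opts["routeback"] != "0" and not ANTISPOOF & present:
            problems.append("'routeback' without sfilter/routefilter/rpfilter leaves spoofing unchecked")
        if "routefilter" in present:
            value = opts["routefilter"] or "1"     # bare option means 1
            if value == "0" and all_rp_filter:
                problems.append(f"routefilter=0 is ineffective: all.rp_filter={all_rp_filter} wins")
            elif value != "0" and "logmartians" not in present:
                problems.append("routefilter implicitly enables logmartians; add logmartians=0 to silence")
        findings.extend(f"line {n} ({iface}): {p}" for p in problems)
    return findings


if __name__ == "__main__":
    for finding in check_interfaces(SAMPLE, all_rp_filter=1):
        print(finding)
```

    <para>The kernel takes the larger of all/rp_filter and the per-interface
    rp_filter, which is why the check needs the host's all.rp_filter value
    to decide whether <option>routefilter</option>=0 can take effect. The
    bridge entry shows the common omission: <option>routeback</option> on
    br0 with no <option>sfilter</option> list of the networks reachable
    through other interfaces.</para>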
 1179   </refsect1>
 1180 
 1181   <refsect1>
 1182     <title>FILES</title>
 1183 
 1184     <para>/etc/shorewall/interfaces</para>
 1185 
 1186     <para>/etc/shorewall6/interfaces</para>
 1187   </refsect1>
 1188 
 1189   <refsect1>
  1190     <title>SEE ALSO</title>
 1191 
 1192     <para><ulink
 1193     url="../configuration_file_basics.htm#Pairs">https://shorewall.org/configuration_file_basics.htm#Pairs</ulink></para>
 1194 
 1195     <para>shorewall(8)</para>
 1196   </refsect1>
 1197 </refentry>