Member "shorewall6-5.2.8/Samples6/Universal/interfaces.annotated" (24 Sep 2020, 26744 Bytes) of package /linux/misc/shorewall/shorewall6-5.2.8.tar.bz2:

#
# Shorewall version 4 - Interfaces File
#
# For information about entries in this file, type "man shorewall-interfaces"
#
# The manpage is also online at
# https://shorewall.org/manpages/shorewall-interfaces.html
#
###############################################################################
#
# The interfaces file serves to define the firewall's network interfaces to
# Shorewall. The order of entries in this file is not significant in determining
# zone composition.
#
# Beginning with Shorewall 4.5.3, the interfaces file supports two different
# formats:
#
# FORMAT 1 (default - deprecated)
#
#     There is a BROADCAST column which can be used to specify the broadcast
#     address associated with the interface.
#
# FORMAT 2
#
#     The BROADCAST column is omitted.
#
# The format is specified by a line as follows:
#
#     ?FORMAT {1|2}
#
# The columns in the file are as follows.
#
# ZONE - zone-name
#
#     Zone for this interface. Must match the name of a zone declared in
#     /etc/shorewall/zones. You may not list the firewall zone in this column.
#
#     If the interface serves multiple zones that will be defined in the
#     shorewall-hosts(5) file, you should place "-" in this column.
#
#     If there are multiple interfaces to the same zone, you must list them in
#     separate entries.
#
#     Example:
#
#         #ZONE   INTERFACE       BROADCAST
#         loc     eth1            -
#         loc     eth2            -
#
# INTERFACE - interface[:port]
#
#     Logical name of interface. Each interface may be listed only once in this
#     file. You may NOT specify the name of a "virtual" interface (e.g., eth0:0)
#     here; see https://shorewall.org/FAQ.htm#faq18. If the physical option is
#     not specified, then the logical name is also the name of the actual
#     interface.
#
#     You may use wildcards here by specifying a prefix followed by the plus sign
#     ("+"). For example, if you want to make an entry that applies to all PPP
#     interfaces, use 'ppp+'; that would match ppp0, ppp1, ppp2, …
#
#     When using Shorewall versions before 4.1.4, care must be exercised when
#     using wildcards where there is another zone that uses a matching specific
#     interface. See shorewall-nesting(5) for a discussion of this problem.
#
#     Shorewall allows '+' as an interface name, but that usage is deprecated. A
#     better approach is to specify 'physical=+' in the OPTIONS column (see
#     below).
#
#     There is no need to define the loopback interface (lo) in this file.
#
#     If a port is given, then the interface must have been defined previously
#     with the bridge option. The OPTIONS column may not contain the following
#     options when a port is given.
#
#     arp_filter
#     arp_ignore
#     bridge
#     log_martians
#     mss
#     optional
#     proxyarp
#     required
#     routefilter
#     sourceroute
#     upnp
#     wait
#
#     Beginning with Shorewall 4.5.17, if you specify a zone for the 'lo'
#     interface, then that zone must be defined as type local in
#     shorewall6-zones(5).
#
# BROADCAST (Optional) - {-|detect|address[,address]...}
#
#     Only available if FORMAT 1.
#
#     If you use the special value detect, Shorewall will detect the broadcast
#     address(es) for you if your iptables and kernel include Address Type Match
#     support.
#
#     If your iptables and/or kernel lack Address Type Match support then you may
#     list the broadcast address(es) for the network(s) to which the interface
#     belongs. For P-T-P interfaces, this column is left blank. If the interface
#     has multiple addresses on multiple subnets then list the broadcast
#     addresses as a comma-separated list.
#
#     If you don't want to give a value for this column but you want to enter a
#     value in the OPTIONS column, enter - in this column.
#
# OPTIONS (Optional) - [option[,option]...]
#
#     A comma-separated list of options from the following list. The order in
#     which you list the options is not significant but the list should have no
#     embedded white-space.
#
#     accept_ra[={0|1|2}]
#
#         IPv6 only; added in Shorewall 4.5.16. Values are:
#
#         0
#
#             Do not accept Router Advertisements.
#
#         1
#
#             Accept Router Advertisements if forwarding is disabled.
#
#         2
#
#             Overrule forwarding behavior. Accept Router Advertisements even if
#             forwarding is enabled.
#
#         If the option is specified without a value, then the value 1 is
#         assumed.
#
#         Note
#
#         This option does not work with a wild-card physical name (e.g.,
#         eth0.+). Beginning with Shorewall 5.1.10, if this option is specified
#         with such a name, a warning is issued and the option is ignored.
#
#     arp_filter[={0|1}]
#
#         IPv4 only. If specified, this interface will only respond to ARP
#         who-has requests for IP addresses configured on the interface. If not
#         specified, the interface can respond to ARP who-has requests for IP
#         addresses on any of the firewall's interfaces. The interface must be up
#         when Shorewall is started.
#
#         Only those interfaces with the arp_filter option will have their
#         setting changed; the value assigned to the setting will be the value
#         specified (if any) or 1 if no value is given.
#
#         Note
#
#         This option does not work with a wild-card physical name (e.g.,
#         eth0.+). Beginning with Shorewall 5.1.10, if this option is specified
#         with such a name, a warning is issued and the option is ignored.
#
#     arp_ignore[=number]
#
#         IPv4 only. If specified, this interface will respond to ARP requests
#         based on the value of number (defaults to 1).
#
#         1 - reply only if the target IP address is a local address configured
#         on the incoming interface
#
#         2 - reply only if the target IP address is a local address configured
#         on the incoming interface and the sender's IP address is part of the
#         same subnet as this interface's address
#
#         3 - do not reply for local addresses configured with scope host, only
#         resolutions for global and link
#
#         4-7 - reserved
#
#         8 - do not reply for all local addresses
#
#         Note
#
#         This option does not work with a wild-card physical name (e.g.,
#         eth0.+). Beginning with Shorewall 5.1.10, if this option is specified
#         with such a name, a warning is issued and the option is ignored.
#
#         Warning
#
#         Do not specify arp_ignore for any interface involved in Proxy ARP.
#
#     blacklist
#
#         Checks packets arriving on this interface against the
#         shorewall-blacklist(5) file.
#
#         Beginning with Shorewall 4.4.13:
#
#           ☆ If a zone is given in the ZONE column, then the behavior is as if
#             blacklist had been specified in the IN_OPTIONS column of
#             shorewall-zones(5).
#
#           ☆ Otherwise, the option is ignored with a warning:
#
#                 WARNING: The 'blacklist' option is ignored on multi-zone
#                 interfaces
#
#     bridge
#
#         Designates the interface as a bridge. Beginning with Shorewall 4.4.7,
#         setting this option also sets routeback.
#
#         Note
#
#         If you have a bridge that you don't intend to define bport zones on,
#         then it is best to omit this option and simply specify routeback.
#
#     dbl={none|src|dst|src-dst}
#
#         Added in Shorewall 5.0.10. This option defines whether or not dynamic
#         blacklisting is applied to packets entering the firewall through this
#         interface and whether the source address and/or destination address is
#         to be compared against the ipset-based dynamic blacklist
#         (DYNAMIC_BLACKLIST=ipset... in shorewall.conf(5)). The default is
#         determined by the setting of DYNAMIC_BLACKLIST:
#
#         DYNAMIC_BLACKLIST=No
#
#             Default is none (i.e., no dynamic blacklist checking).
#
#         DYNAMIC_BLACKLIST=Yes
#
#             Default is src (i.e., the source IP address is checked).
#
#         DYNAMIC_BLACKLIST=ipset[-only]
#
#             Default is src.
#
#         DYNAMIC_BLACKLIST=ipset[-only],src-dst...
#
#             Default is src-dst (i.e., the source IP address is checked
#             against the ipset on input and the destination IP address is
#             checked against the ipset on packets originating from the firewall
#             and leaving through this interface).
#
#         The normal setting for this option will be dst or none for internal
#         interfaces and src or src-dst for Internet-facing interfaces.
#
#     destonly
#
#         Added in Shorewall 4.5.17. Causes the compiler to omit rules to handle
#         traffic from this interface.
#
#     dhcp
#
#         Specify this option when any of the following are true:
#
#          1. the interface gets its IP address via DHCP
#
#          2. the interface is used by a DHCP server running on the firewall
#
#          3. the interface has a static IP but is on a LAN segment with lots of
#             DHCP clients.
#
#          4. the interface is a simple bridge with a DHCP server on one port and
#             DHCP clients on another port.
#
#             Note
#
#             If you use Shorewall-perl for firewall/bridging, then you need to
#             include DHCP-specific rules in shorewall-rules(5). DHCP uses UDP
#             ports 67 and 68.
#
#         This option allows DHCP datagrams to enter and leave the interface.
#
#     forward[={0|1}]
#
#         IPv6 only. Sets the /proc/sys/net/ipv6/conf/interface/forwarding option
#         to the specified value. If no value is supplied, then 1 is assumed.
#
#         Note
#
#         This option does not work with a wild-card physical name (e.g.,
#         eth0.+). Beginning with Shorewall 5.1.10, if this option is specified
#         with such a name, a warning is issued and the option is ignored.
#
#     ignore[=1]
#
#         When specified, causes the generated script to ignore up/down events
#         from Shorewall-init for this device. Additionally, the option exempts
#         the interface from hairpin filtering. When '=1' is omitted, the ZONE
#         column must contain '-' and ignore must be the only OPTION.
#
#         Beginning with Shorewall 4.5.5, may be specified as 'ignore=1' which
#         only causes the generated script to ignore up/down events from
#         Shorewall-init; hairpin filtering is still applied. In this case, the
#         above restrictions on the ZONE and OPTIONS columns are lifted.
#
#     loopback
#
#         Added in Shorewall 4.6.6. Designates the interface as the loopback
#         interface. This option is assumed if the interface's physical name is
#         'lo'. Only one interface may have the loopback option specified.
#
#     logmartians[={0|1}]
#
#         IPv4 only. Turn on kernel martian logging (logging of packets with
#         impossible source addresses). It is strongly suggested that if you set
#         routefilter on an interface that you also set logmartians. Even if you
#         do not specify the routefilter option, it is a good idea to specify
#         logmartians because your distribution may have enabled route filtering
#         without you knowing it.
#
#         Only those interfaces with the logmartians option will have their
#         setting changed; the value assigned to the setting will be the value
#         specified (if any) or 1 if no value is given.
#
#         To find out if route filtering is set on a given interface, check the
#         contents of /proc/sys/net/ipv4/conf/interface/rp_filter - a non-zero
#         value indicates that route filtering is enabled.
#
#         Example:
#
#                 teastep@lists:~$ cat /proc/sys/net/ipv4/conf/eth0/rp_filter 
#                 1
#                 teastep@lists:~$
#
#         Note
#
#         This option does not work with a wild-card physical name (e.g.,
#         eth0.+). Beginning with Shorewall 5.1.10, if this option is specified
#         with such a name, a warning is issued and the option is ignored.
#
#         This option may also be enabled globally in the shorewall.conf(5)
#         file.
#
#     maclist
#
#         Connection requests from this interface are compared against the
#         contents of shorewall-maclist(5). If this option is specified, the
#         interface must be an Ethernet NIC and must be up before Shorewall is
#         started.
#
#     mss=number
#
#         Added in Shorewall 4.0.3. Causes forwarded TCP SYN packets entering or
#         leaving on this interface to have their MSS field set to the specified
#         number.
#
#     nets=(net[,...])
#
#         Limit the zone named in the ZONE column to only the listed networks.
#         The parentheses may be omitted if only a single net is given (e.g.,
#         nets=192.168.1.0/24). Limited broadcast to the zone is supported.
#         Beginning with Shorewall 4.4.1, multicast traffic to the zone is also
#         supported.
#
#     nets=dynamic
#
#         Defines the zone as dynamic. Requires ipset match support in your
#         iptables and kernel. See https://shorewall.org/Dynamic.html for further
#         information.
#
#     nodbl
#
#         Added in Shorewall 5.0.8. When specified, dynamic blacklisting is
#         disabled on the interface. Beginning with Shorewall 5.0.10, nodbl is
#         equivalent to dbl=none.
#
#     nosmurfs
#
#         IPv4 only. Filter packets for smurfs (packets with a broadcast address
#         as the source).
#
#         Smurfs will be optionally logged based on the setting of
#         SMURF_LOG_LEVEL in shorewall.conf(5). After logging, the packets are
#         dropped.
#
#     omitanycast
#
#         IPv6 only. Added in Shorewall 5.2.8.
#
#         Shorewall6 has traditionally generated rules for IPv6 anycast
#         addresses. These rules include:
#
#          a. Packets with these destination IP addresses are dropped by REJECT
#             rules.
#
#          b. Packets with these source IP addresses are dropped by the
#             'nosmurfs' interface option and by the 'dropSmurfs' action.
#
#          c. Packets with these destination IP addresses are not logged during
#             policy enforcement.
#
#          d. Packets with these destination IP addresses are processed by the
#             'Broadcast' action.
#
#         This can be inhibited for individual interfaces by specifying
#         omitanycast for those interfaces.
#
#         Note
#
#         RFC 2526 describes IPv6 subnet anycast addresses. The RFC makes a
#         distinction between subnets with "IPv6 address types required to have
#         64-bit interface identifiers in EUI-64 format" and all other subnets.
#         When generating these anycast addresses, the Shorewall compiler does
#         not make this distinction and unconditionally assumes that the last 128
#         addresses in the subnet are reserved as anycast addresses.
#
#     optional
#
#         This option indicates that the firewall should be able to start, even
#         if the interface is not usable for handling traffic. It allows use of
#         the enable and disable commands on the interface.
#
#         When optional is specified for an interface, Shorewall will be silent
#         when:
#
#           ☆ a /proc/sys/net/ipv[46]/conf/ entry for the interface cannot be
#             modified (including for proxy ARP or proxy NDP).
#
#           ☆ The first address of the interface cannot be obtained.
#
#           ☆ The gateway of the interface can not be obtained (provider
#             interface).
#
#           ☆ The interface has been disabled using the disable command.
#
#         May not be specified with required.
#
#     physical=name
#
#         Added in Shorewall 4.4.4. When specified, the interface or port name in
#         the INTERFACE column is a logical name that refers to the name given in
#         this option. It is useful when you want to specify the same wildcard
#         port name on two or more bridges. See
#         https://shorewall.org/bridge-Shorewall-perl.html#Multiple.
#
#         If the interface name is a wildcard name (ends with '+'), then the
#         physical name must also end in '+'. The physical name may end in '+'
#         (or be exactly '+') when the interface name is not a wildcard name.
#
#         If physical is not specified, then its value defaults to the interface
#         name.
#
#     proxyarp[={0|1}]
#
#         IPv4 only. Sets /proc/sys/net/ipv4/conf/interface/proxy_arp. Do NOT use
#         this option if you are employing Proxy ARP through entries in
#         shorewall-proxyarp(5). This option is intended solely for use with
#         Proxy ARP sub-networking as described at:
#         http://tldp.org/HOWTO/Proxy-ARP-Subnet/index.html.
#
#         Note
#
#         This option does not work with a wild-card physical name (e.g.,
#         eth0.+). Beginning with Shorewall 5.1.10, if this option is specified
#         with such a name, a warning is issued and the option is ignored.
#
#         Only those interfaces with the proxyarp option will have their setting
#         changed; the value assigned to the setting will be the value specified
#         (if any) or 1 if no value is given.
#
#     proxyndp[={0|1}]
#
#         IPv6 only. Sets /proc/sys/net/ipv6/conf/interface/proxy_ndp.
#
#         Note
#
#         This option does not work with a wild-card physical name (e.g.,
#         eth0.+). Beginning with Shorewall 5.1.10, if this option is specified
#         with such a name, a warning is issued and the option is ignored.
#
#         Only those interfaces with the proxyndp option will have their setting
#         changed; the value assigned to the setting will be the value specified
#         (if any) or 1 if no value is given.
#
#     required
#
#         Added in Shorewall 4.4.10. If this option is set, the firewall will
#         fail to start if the interface is not usable. May not be specified
#         together with optional.
#
#     routeback[={0|1}]
#
#         If specified, indicates that Shorewall should include rules that allow
#         traffic arriving on this interface to be routed back out that same
#         interface. This option is also required when you have used a wildcard
#         in the INTERFACE column if you want to allow traffic between the
#         interfaces that match the wildcard.
#
#         Beginning with Shorewall 4.4.20, if you specify this option, then you
#         should also specify either sfilter (see below) or routefilter on all
#         interfaces (see below).
#
#         Beginning with Shorewall 4.5.18, you may specify this option to
#         explicitly reset (e.g., routeback=0). This can be used to override
#         Shorewall's default setting for bridge devices which is routeback=1.
#
#     routefilter[={0|1|2}]
#
#         IPv4 only. Turn on kernel route filtering for this interface
#         (anti-spoofing measure).
#
#         Only those interfaces with the routefilter option will have their
#         setting changed; the value assigned to the setting will be the value
#         specified (if any) or 1 if no value is given.
#
#         The value 2 is only available with Shorewall 4.4.5.1 and later when the
#         kernel version is 2.6.31 or later. It specifies a loose form of reverse
#         path filtering.
#
#         Note
#
#         This option does not work with a wild-card physical name (e.g.,
#         eth0.+). Beginning with Shorewall 5.1.10, if this option is specified
#         with such a name, a warning is issued and the option is ignored.
#
#         This option can also be enabled globally via the ROUTE_FILTER option in
#         the shorewall.conf(5) file.
#
#         Important
#
#         If ROUTE_FILTER=Yes in shorewall.conf(5), or if your distribution sets
#         net.ipv4.conf.all.rp_filter=1 in /etc/sysctl.conf, then setting
#         routefilter=0 in an interface entry will not disable route filtering on
#         that interface! The effective setting for an interface is the maximum
#         of the contents of /proc/sys/net/ipv4/conf/all/rp_filter and the
#         routefilter setting specified in this file
#         (/proc/sys/net/ipv4/conf/interface/rp_filter).
#
#         Note
#
#         There are certain cases where routefilter cannot be used on an
#         interface:
#
#           ☆ If USE_DEFAULT_RT=Yes in shorewall.conf(5) and the interface is
#             listed in shorewall-providers(5).
#
#           ☆ If there is an entry for the interface in shorewall-providers(5)
#             that doesn't specify the balance option.
#
#           ☆ If IPSEC is used to allow a road-warrior to have a local address,
#             then any interface through which the road-warrior might connect
#             cannot specify routefilter.
#
#         Beginning with Shorewall 5.1.1, when routefilter is set to a non-zero
#         value, the logmartians option is also implicitly set. If you actually
#         want route filtering without logging, then you must also specify
#         logmartians=0 after routefilter.
#
#     rpfilter
#
#         Added in Shorewall 4.5.7. This is an anti-spoofing measure that
#         requires the 'RPFilter Match' capability in your iptables and kernel.
#         It provides a more efficient alternative to the sfilter option below.
#         It performs a function similar to routefilter (see above) but works
#         with Multi-ISP configurations that do not use balanced routes.
#
#     sfilter=(net[,...])
#
#         Added in Shorewall 4.4.20. This option provides an anti-spoofing
#         alternative to routefilter on interfaces where that option cannot be
#         used, but where the routeback option is required (on a bridge, for
#         example). On these interfaces, sfilter should list those local networks
#         that are connected to the firewall through other interfaces.
#
#     sourceroute[={0|1}]
#
#         If this option is not specified for an interface, then source-routed
#         packets will not be accepted from that interface unless it has been
#         explicitly enabled via sysconf. Only set this option to 1 (enable
#         source routing) if you know what you are doing. This might represent a
#         security risk and is usually unneeded.
#
#         Only those interfaces with the sourceroute option will have their
#         setting changed; the value assigned to the setting will be the value
#         specified (if any) or 1 if no value is given.
#
#         Note
#
#         This option does not work with a wild-card physical name (e.g.,
#         eth0.+). Beginning with Shorewall 5.1.10, if this option is specified
#         with such a name, a warning is issued and the option is ignored.
#
#     tcpflags[={0|1}]
#
#         Packets arriving on this interface are checked for certain illegal
#         combinations of TCP flags. Packets found to have such a combination of
#         flags are handled according to the setting of TCP_FLAGS_DISPOSITION
#         after having been logged according to the setting of
#         TCP_FLAGS_LOG_LEVEL.
#
#         Beginning with Shorewall 4.6.0, tcpflags=1 is the default. To disable
#         this option, specify tcpflags=0.
#
#     unmanaged
#
#         Added in Shorewall 4.5.18. Causes all traffic between the firewall and
#         hosts on the interface to be accepted. When this option is given:
#
#           ☆ The ZONE column must contain '-'.
#
#           ☆ Only the following other options are allowed with unmanaged:
#
#             arp_filter
#             arp_ignore
#             ignore
#             routefilter
#             optional
#             physical
#             proxyarp
#             proxyndp
#             sourceroute
#
#     upnp
#
#         Incoming requests from this interface may be remapped via UPNP (upnpd).
#         See https://shorewall.org/UPnP.html. Supported in IPv4 and in IPv6 in
#         Shorewall 5.1.4 and later.
#
#     upnpclient
#
#         This option is intended for laptop users who always run Shorewall on
#         their system yet need to run UPnP-enabled client apps such as
#         Transmission (BitTorrent client). The option causes Shorewall to detect
#         the default gateway through the interface and to accept UDP packets
#         from that gateway. Note that, like all aspects of UPnP, this is a
#         security hole so use this option at your own risk. Supported in IPv4
#         and in IPv6 in Shorewall 5.1.4 and later.
#
#     wait=seconds
#
#         Added in Shorewall 4.4.10. Causes the generated script to wait up to
#         the given number of seconds for the interface to become usable before
#         applying the required or optional options.
#
# Example
#
# IPv4 Example 1:
#
#     Suppose you have eth0 connected to a DSL modem and eth1 connected to your
#     local network and that your local subnet is 192.168.1.0/24. The interface
#     gets its IP address via DHCP from subnet 206.191.149.192/27. You have a DMZ
#     with subnet 192.168.2.0/24 using eth2. Your iptables and/or kernel do not
#     support "Address Type Match" and you prefer to specify broadcast addresses
#     explicitly rather than having Shorewall detect them.
#
#     Your entries for this setup would look like:
#
#     ?FORMAT 1
#     #ZONE   INTERFACE BROADCAST        OPTIONS
#     net     eth0      206.191.149.223  dhcp
#     loc     eth1      192.168.1.255
#     dmz     eth2      192.168.2.255
#
# Example 2:
#
#     The same configuration without specifying broadcast addresses is:
#
#     ?FORMAT 2
#     #ZONE   INTERFACE OPTIONS
#     net     eth0      dhcp
#     loc     eth1
#     dmz     eth2
#
# Example 3:
#
#     You have a simple dial-in system with no Ethernet connections.
#
#     ?FORMAT 2
#     #ZONE   INTERFACE OPTIONS
#     net     ppp0      -
#
# Example 4 (Shorewall 4.4.9 and later):
#
#     You have a bridge with no IP address and you want to allow traffic through
#     the bridge.
#
#     ?FORMAT 2
#     #ZONE   INTERFACE OPTIONS
#     -       br0       bridge
#
###############################################################################
?FORMAT 2
###############################################################################
#ZONE	INTERFACE	OPTIONS
-	lo		ignore
net	all		dhcp,physical=+,routeback
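As an added example (not Shorewall's own compiler, nor code shipped with this package), the following Python validator applies the rules the annotations above state to a constructed interfaces file: the ?FORMAT 1/2 column layout, the options forbidden on a bridge port, optional versus required, the bare 'ignore' restriction, the 'unmanaged' restrictions, wildcard/physical agreement, and the routefilter/logmartians interaction from the Important note. All function names and the SAMPLE file are this example's own.

```python
"""Validator for Shorewall interfaces-file entries (added example, not Shorewall's own
compiler). Parses ?FORMAT 1/2 entries, checks constraints the annotations above state,
and models the routefilter/logmartians rule. SAMPLE at the bottom is constructed."""
import re

# Options the annotations forbid on a bridge port (INTERFACE written as bridge:port).
PORT_FORBIDDEN = {"arp_filter", "arp_ignore", "bridge", "log_martians", "mss", "optional",
                  "proxyarp", "required", "routefilter", "sourceroute", "upnp", "wait"}
# The only options the annotations allow alongside 'unmanaged'.
UNMANAGED_ALLOWED = {"unmanaged", "arp_filter", "arp_ignore", "ignore", "routefilter",
                     "optional", "physical", "proxyarp", "proxyndp", "sourceroute"}

def parse_options(field):
    """'dhcp,physical=+,routeback' -> ordered {name: value or None}; '-' means none."""
    items = [] if field in ("", "-") else field.split(",")
    return {name: (value or None) for name, _, value in (i.partition("=") for i in items)}

def parse_interfaces(text):
    """Return [(lineno, zone, interface, options)], honoring ?FORMAT (default 1)."""
    fmt, entries = 1, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        m = re.fullmatch(r"\?FORMAT\s+([12])", line)
        if m:
            fmt = int(m.group(1))
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"line {lineno}: ZONE and INTERFACE are required")
        opt_index = 3 if fmt == 1 else 2             # FORMAT 1 carries a BROADCAST column
        opts = parse_options(fields[opt_index]) if len(fields) > opt_index else {}
        entries.append((lineno, fields[0], fields[1], opts))
    return entries

def check_entry(zone, iface, opts, bridges):
    """Violations for one entry; 'bridges' = interfaces already given the bridge option."""
    problems = []
    if "optional" in opts and "required" in opts:
        problems.append("optional and required may not be specified together")
    if "ignore" in opts and opts["ignore"] is None and (zone != "-" or len(opts) != 1):
        problems.append("bare 'ignore' requires ZONE '-' and no other option")
    if "unmanaged" in opts:
        if zone != "-":
            problems.append("unmanaged requires ZONE '-'")
        extra = sorted(set(opts) - UNMANAGED_ALLOWED)
        if extra:
            problems.append("not allowed with unmanaged: " + ",".join(extra))
    bridge, sep, _port = iface.partition(":")
    if sep:
        if bridge not in bridges:
            problems.append(f"{bridge} was not defined earlier with the bridge option")
        bad = sorted(set(opts) & PORT_FORBIDDEN)
        if bad:
            problems.append("not allowed on a bridge port: " + ",".join(bad))
    physical = opts.get("physical")
    if iface.endswith("+") and physical is not None and not physical.endswith("+"):
        problems.append("wildcard INTERFACE requires a physical name ending in '+'")
    return problems

def validate(text):
    """Map line number -> list of violations for every entry in an interfaces file."""
    report, bridges = {}, set()
    for lineno, zone, iface, opts in parse_interfaces(text):
        problems = check_entry(zone, iface, opts, bridges)
        if problems:
            report[lineno] = problems
        if "bridge" in opts:
            bridges.add(iface)
    return report

def effective_rp_filter(opts, all_rp_filter):
    """(rp_filter, log_martians) for an entry: max of conf/all/rp_filter and routefilter,
    and since 5.1.1 routefilter implies logmartians unless logmartians=0 follows it."""
    rp_filter = log_martians = 0
    for name, value in opts.items():             # dict order = order written in OPTIONS
        if name == "routefilter":
            rp_filter = 1 if value is None else int(value)
            log_martians = 1 if rp_filter else log_martians
        elif name == "logmartians":
            log_martians = 1 if value is None else int(value)
    return max(all_rp_filter, rp_filter), log_martians

# Constructed sample: the first four entries are valid, the last four each break a rule.
SAMPLE = """\
?FORMAT 2
#ZONE   INTERFACE   OPTIONS
-       lo          ignore
net     eth0        dhcp,routefilter,logmartians=0
loc     br0         bridge
loc     br0:eth1    dhcp
bad1    eth2        optional,required
bad2    eth3        ignore,dhcp
-       eth4        unmanaged,dhcp
loc     br9:eth5    mss=1400
"""
```

Running validate(SAMPLE) reports lines 7 to 10 only; the page's own two-line configuration at the end of this file passes with no findings.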