"Fossies" - the Fresh Open Source Software Archive

Member "shorewall6-5.2.8/Samples6/one-interface/interfaces.annotated" (24 Sep 2020, 27114 Bytes) of package /linux/misc/shorewall/shorewall6-5.2.8.tar.bz2:


#
# Shorewall6 - Sample Interfaces File for one-interface configuration.
# Copyright (C) 2006-2017 by the Shorewall Team
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# See the file README.txt for further details.
#------------------------------------------------------------------------------
# For information about entries in this file, type "man shorewall6-interfaces"
###############################################################################
#
# The interfaces file serves to define the firewall's network interfaces to
# Shorewall. The order of entries in this file is not significant in determining
# zone composition.
#
# Beginning with Shorewall 4.5.3, the interfaces file supports two different
# formats:
#
# FORMAT 1 (default - deprecated)
#
#     There is a BROADCAST column which can be used to specify the broadcast
#     address associated with the interface.
#
# FORMAT 2
#
#     The BROADCAST column is omitted.
#
# The format is specified by a line as follows:
#
#     ?FORMAT {1|2}
#
# The columns in the file are as follows.
#
# ZONE - zone-name
#
#     Zone for this interface. Must match the name of a zone declared in
#     /etc/shorewall/zones. You may not list the firewall zone in this column.
#
#     If the interface serves multiple zones that will be defined in the
#     shorewall-hosts(5) file, you should place "-" in this column.
#
#     If there are multiple interfaces to the same zone, you must list them in
#     separate entries.
#
#     Example:
#
#         #ZONE   INTERFACE       BROADCAST
#         loc     eth1            -
#         loc     eth2            -
#
# INTERFACE - interface[:port]
#
#     Logical name of interface. Each interface may be listed only once in this
#     file. You may NOT specify the name of a "virtual" interface (e.g., eth0:0)
#     here; see https://shorewall.org/FAQ.htm#faq18. If the physical option is
#     not specified, then the logical name is also the name of the actual
#     interface.
#
#     You may use wildcards here by specifying a prefix followed by the plus sign
#     ("+"). For example, if you want to make an entry that applies to all PPP
#     interfaces, use 'ppp+'; that would match ppp0, ppp1, ppp2, …
#
#     When using Shorewall versions before 4.1.4, care must be exercised when
#     using wildcards where there is another zone that uses a matching specific
#     interface. See shorewall-nesting(5) for a discussion of this problem.
#
#     Shorewall allows '+' as an interface name, but that usage is deprecated. A
#     better approach is to specify 'physical=+' in the OPTIONS column (see
#     below).
#
#     There is no need to define the loopback interface (lo) in this file.
#
#     If a port is given, then the interface must have been defined previously
#     with the bridge option. The OPTIONS column may not contain the following
#     options when a port is given:
#
#     arp_filter
#     arp_ignore
#     bridge
#     logmartians
#     mss
#     optional
#     proxyarp
#     required
#     routefilter
#     sourceroute
#     upnp
#     wait
#
#     Beginning with Shorewall 4.5.17, if you specify a zone for the 'lo'
#     interface, then that zone must be defined as type local in
#     shorewall6-zones(5).
#
# BROADCAST (Optional) - {-|detect|address[,address]...}
#
#     Only available if FORMAT 1.
#
#     If you use the special value detect, Shorewall will detect the broadcast
#     address(es) for you if your iptables and kernel include Address Type Match
#     support.
#
#     If your iptables and/or kernel lack Address Type Match support then you may
#     list the broadcast address(es) for the network(s) to which the interface
#     belongs. For P-T-P interfaces, this column is left blank. If the interface
#     has multiple addresses on multiple subnets then list the broadcast
#     addresses as a comma-separated list.
#
#     If you don't want to give a value for this column but you want to enter a
#     value in the OPTIONS column, enter - in this column.
#
# OPTIONS (Optional) - [option[,option]...]
#
#     A comma-separated list of options from the following list. The order in
#     which you list the options is not significant but the list should have no
#     embedded white-space.
#
#     accept_ra[={0|1|2}]
#
#         IPv6 only; added in Shorewall 4.5.16. Values are:
#
#         0
#
#             Do not accept Router Advertisements.
#
#         1
#
#             Accept Router Advertisements if forwarding is disabled.
#
#         2
#
#             Overrule forwarding behavior. Accept Router Advertisements even if
#             forwarding is enabled.
#
#         If the option is specified without a value, then the value 1 is
#         assumed.
#
#         Note
#
#         This option does not work with a wild-card physical name (e.g.,
#         eth0.+). Beginning with Shorewall 5.1.10, if this option is specified
#         with such a name, a warning is issued and the option is ignored.
#
#     arp_filter[={0|1}]
#
#         IPv4 only. If specified, this interface will only respond to ARP
#         who-has requests for IP addresses configured on the interface. If not
#         specified, the interface can respond to ARP who-has requests for IP
#         addresses on any of the firewall's interfaces. The interface must be up
#         when Shorewall is started.
#
#         Only those interfaces with the arp_filter option will have their
#         setting changed; the value assigned to the setting will be the value
#         specified (if any) or 1 if no value is given.
#
#         Note
#
#         This option does not work with a wild-card physical name (e.g.,
#         eth0.+). Beginning with Shorewall 5.1.10, if this option is specified
#         with such a name, a warning is issued and the option is ignored.
#
#     arp_ignore[=number]
#
#         IPv4 only. If specified, this interface will respond to arp requests
#         based on the value of number (defaults to 1).
#
#         1 - reply only if the target IP address is a local address configured
#         on the incoming interface
#
#         2 - reply only if the target IP address is a local address configured
#         on the incoming interface and the sender's IP address is part of the
#         same subnet as this interface's address
#
#         3 - do not reply for local addresses configured with scope host, only
#         resolutions for global and link
#
#         4-7 - reserved
#
#         8 - do not reply for all local addresses
#
#         Note
#
#         This option does not work with a wild-card physical name (e.g.,
#         eth0.+). Beginning with Shorewall 5.1.10, if this option is specified
#         with such a name, a warning is issued and the option is ignored.
#
#         Warning
#
#         Do not specify arp_ignore for any interface involved in Proxy ARP.
#
#     blacklist
#
#         Checks packets arriving on this interface against the
#         shorewall-blacklist(5) file.
#
#         Beginning with Shorewall 4.4.13:
#
#           ☆ If a zone is given in the ZONE column, then the behavior is as if
#             blacklist had been specified in the IN_OPTIONS column of
#             shorewall-zones(5).
#
#           ☆ Otherwise, the option is ignored with a warning:
#
#                 WARNING: The 'blacklist' option is ignored on multi-zone
#                 interfaces
#
#     bridge
#
#         Designates the interface as a bridge. Beginning with Shorewall 4.4.7,
#         setting this option also sets routeback.
#
#         Note
#
#         If you have a bridge that you don't intend to define bport zones on,
#         then it is best to omit this option and simply specify routeback.
#
#     dbl={none|src|dst|src-dst}
#
#         Added in Shorewall 5.0.10. This option defines whether or not dynamic
#         blacklisting is applied to packets entering the firewall through this
#         interface and whether the source address and/or destination address is
#         to be compared against the ipset-based dynamic blacklist
#         (DYNAMIC_BLACKLIST=ipset... in shorewall.conf(5)). The default is
#         determined by the setting of DYNAMIC_BLACKLIST:
#
#         DYNAMIC_BLACKLIST=No
#
#             Default is none (i.e., no dynamic blacklist checking).
#
#         DYNAMIC_BLACKLIST=Yes
#
#             Default is src (i.e., the source IP address is checked).
#
#         DYNAMIC_BLACKLIST=ipset[-only]
#
#             Default is src.
#
#         DYNAMIC_BLACKLIST=ipset[-only],src-dst...
#
#             Default is src-dst (i.e., the source IP address is checked
#             against the ipset on input and the destination IP address is
#             checked against the ipset on packets originating from the firewall
#             and leaving through this interface).
#
#         The normal setting for this option will be dst or none for internal
#         interfaces and src or src-dst for Internet-facing interfaces.
#
#     destonly
#
#         Added in Shorewall 4.5.17. Causes the compiler to omit rules to handle
#         traffic from this interface.
#
#     dhcp
#
#         Specify this option when any of the following are true:
#
#          1. the interface gets its IP address via DHCP
#
#          2. the interface is used by a DHCP server running on the firewall
#
#          3. the interface has a static IP but is on a LAN segment with lots of
#             DHCP clients.
#
#          4. the interface is a simple bridge with a DHCP server on one port and
#             DHCP clients on another port.
#
#             Note
#
#             If you use Shorewall-perl for firewall/bridging, then you need to
#             include DHCP-specific rules in shorewall-rules(5). DHCP uses UDP
#             ports 67 and 68.
#
#         This option allows DHCP datagrams to enter and leave the interface.
#
#     forward[={0|1}]
#
#         IPv6 only. Sets the /proc/sys/net/ipv6/conf/interface/forwarding option
#         to the specified value. If no value is supplied, then 1 is assumed.
#
#         Note
#
#         This option does not work with a wild-card physical name (e.g.,
#         eth0.+). Beginning with Shorewall 5.1.10, if this option is specified
#         with such a name, a warning is issued and the option is ignored.
#
#     ignore[=1]
#
#         When specified, causes the generated script to ignore up/down events
#         from Shorewall-init for this device. Additionally, the option exempts
#         the interface from hairpin filtering. When '=1' is omitted, the ZONE
#         column must contain '-' and ignore must be the only OPTION.
#
#         Beginning with Shorewall 4.5.5, may be specified as 'ignore=1' which
#         only causes the generated script to ignore up/down events from
#         Shorewall-init; hairpin filtering is still applied. In this case, the
#         above restrictions on the ZONE and OPTIONS columns are lifted.
#
#     loopback
#
#         Added in Shorewall 4.6.6. Designates the interface as the loopback
#         interface. This option is assumed if the interface's physical name is
#         'lo'. Only one interface may have the loopback option specified.
#
#     logmartians[={0|1}]
#
#         IPv4 only. Turn on kernel martian logging (logging of packets with
#         impossible source addresses). It is strongly suggested that if you set
#         routefilter on an interface that you also set logmartians. Even if you
#         do not specify the routefilter option, it is a good idea to specify
#         logmartians because your distribution may have enabled route filtering
#         without you knowing it.
#
#         Only those interfaces with the logmartians option will have their
#         setting changed; the value assigned to the setting will be the value
#         specified (if any) or 1 if no value is given.
#
#         To find out if route filtering is set on a given interface, check the
#         contents of /proc/sys/net/ipv4/conf/interface/rp_filter - a non-zero
#         value indicates that route filtering is enabled.
#
#         Example:
#
#                 teastep@lists:~$ cat /proc/sys/net/ipv4/conf/eth0/rp_filter
#                 1
#                 teastep@lists:~$
#
#         Note
#
#         This option does not work with a wild-card physical name (e.g.,
#         eth0.+). Beginning with Shorewall 5.1.10, if this option is specified
#         with such a name, a warning is issued and the option is ignored.
#
#         This option may also be enabled globally in the shorewall.conf(5)
#         file.
#
#     maclist
#
#         Connection requests from this interface are compared against the
#         contents of shorewall-maclist(5). If this option is specified, the
#         interface must be an Ethernet NIC and must be up before Shorewall is
#         started.
#
#     mss=number
#
#         Added in Shorewall 4.0.3. Causes forwarded TCP SYN packets entering or
#         leaving on this interface to have their MSS field set to the specified
#         number.
#
#     nets=(net[,...])
#
#         Limit the zone named in the ZONE column to only the listed networks.
#         The parentheses may be omitted if only a single net is given (e.g.,
#         nets=192.168.1.0/24). Limited broadcast to the zone is supported.
#         Beginning with Shorewall 4.4.1, multicast traffic to the zone is also
#         supported.
#
#     nets=dynamic
#
#         Defines the zone as dynamic. Requires ipset match support in your
#         iptables and kernel. See https://shorewall.org/Dynamic.html for further
#         information.
#
#     nodbl
#
#         Added in Shorewall 5.0.8. When specified, dynamic blacklisting is
#         disabled on the interface. Beginning with Shorewall 5.0.10, nodbl is
#         equivalent to dbl=none.
#
#     nosmurfs
#
#         IPv4 only. Filter packets for smurfs (packets with a broadcast address
#         as the source).
#
#         Smurfs will be optionally logged based on the setting of
#         SMURF_LOG_LEVEL in shorewall.conf(5). After logging, the packets are
#         dropped.
#
#     omitanycast
#
#         IPv6 only. Added in Shorewall 5.2.8.
#
#         Shorewall6 has traditionally generated rules for IPv6 anycast
#         addresses. These rules include:
#
#          a. Packets with these destination IP addresses are dropped by REJECT
#             rules.
#
#          b. Packets with these source IP addresses are dropped by the
#             'nosmurfs' interface option and by the 'dropSmurfs' action.
#
#          c. Packets with these destination IP addresses are not logged during
#             policy enforcement.
#
#          d. Packets with these destination IP addresses are processed by the
#             'Broadcast' action.
#
#         This can be inhibited for individual interfaces by specifying
#         omitanycast for those interfaces.
#
#         Note
#
#         RFC 2526 describes IPv6 subnet anycast addresses. The RFC makes a
#         distinction between subnets with "IPv6 address types required to have
#         64-bit interface identifiers in EUI-64 format" and all other subnets.
#         When generating these anycast addresses, the Shorewall compiler does
#         not make this distinction and unconditionally assumes that the last 128
#         addresses in the subnet are reserved as anycast addresses.
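
The omitanycast note above says the compiler always reserves the last 128 addresses of a subnet. The following Python is an added example (not Shorewall code): it computes that block, labels packets with the dispositions listed in items a to c (the label strings are this example's own, not Shorewall chain or action names), and goes beyond the page by also computing the RFC 2526 range for EUI-64 subnets, which shows which reserved addresses the unconditional assumption does not cover. The subnet and packet addresses are constructed sample input.

```python
import ipaddress

# Per the note above, Shorewall6 treats the last 128 addresses of every
# subnet as anycast addresses, i.e. a /121 block at the top of the subnet.
ANYCAST_IDS = 128


def shorewall_anycast_block(subnet):
    """The /121 block the Shorewall compiler treats as subnet-anycast."""
    net = ipaddress.IPv6Network(subnet)
    if net.prefixlen > 121:
        raise ValueError(f"{net} cannot hold {ANYCAST_IDS} reserved addresses")
    first = int(net.broadcast_address) - (ANYCAST_IDS - 1)
    return ipaddress.IPv6Network((first, 121))


def rfc2526_eui64_anycast_block(subnet):
    """RFC 2526 reserved range for a /64 whose interface identifiers are in
    EUI-64 format: the IID is 1111110111...1 followed by the 7-bit anycast ID
    (the u/g bit is 0), so the block starts at prefix::fdff:ffff:ffff:ff80.
    Added to show the distinction the page says Shorewall does not make."""
    net = ipaddress.IPv6Network(subnet)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 interface identifiers imply a /64 subnet")
    return ipaddress.IPv6Network((int(net.network_address) + 0xFDFFFFFFFFFFFF80, 121))


def anycast_disposition(src, dst, subnet):
    """Label a packet with the anycast-related treatment listed under
    'omitanycast' (labels are this example's own): an anycast source is
    dropped as a smurf (item b); an anycast destination is REJECTed without
    policy logging (items a and c); anything else gets ordinary processing."""
    block = shorewall_anycast_block(subnet)
    if ipaddress.IPv6Address(src) in block:
        return "smurf-drop"
    if ipaddress.IPv6Address(dst) in block:
        return "reject-unlogged"
    return "normal"


def rfc_addresses_missed(subnet):
    """EUI-64 subnet-anycast addresses (per RFC 2526) lying outside the block
    Shorewall assumes; these receive none of the treatment above."""
    assumed = shorewall_anycast_block(subnet)
    return [a for a in rfc2526_eui64_anycast_block(subnet) if a not in assumed]


if __name__ == "__main__":
    # Constructed sample subnet and packets (documentation prefix 2001:db8::/32).
    net = "2001:db8:0:1::/64"
    print("Shorewall anycast block:", shorewall_anycast_block(net))
    print("RFC 2526 EUI-64 block:  ", rfc2526_eui64_anycast_block(net))
    for src, dst in [("2001:db8:0:1:ffff:ffff:ffff:ffff", "2001:db8:0:1::10"),
                     ("2001:db8:0:1::10", "2001:db8:0:1:ffff:ffff:ffff:ff80"),
                     ("2001:db8:0:1:fdff:ffff:ffff:ff80", "2001:db8:0:1::10")]:
        print(src, "->", dst, ":", anycast_disposition(src, dst, net))
    print(len(rfc_addresses_missed(net)), "RFC 2526 EUI-64 anycast addresses not covered")
```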
#
#     optional
#
#         This option indicates that the firewall should be able to start, even
#         if the interface is not usable for handling traffic. It allows use of
#         the enable and disable commands on the interface.
#
#         When optional is specified for an interface, Shorewall will be silent
#         when:
#
#           ☆ a /proc/sys/net/ipv[46]/conf/ entry for the interface cannot be
#             modified (including for proxy ARP or proxy NDP).
#
#           ☆ The first address of the interface cannot be obtained.
#
#           ☆ The gateway of the interface cannot be obtained (provider
#             interface).
#
#           ☆ The interface has been disabled using the disable command.
#
#         May not be specified with required.
#
#     physical=name
#
#         Added in Shorewall 4.4.4. When specified, the interface or port name in
#         the INTERFACE column is a logical name that refers to the name given in
#         this option. It is useful when you want to specify the same wildcard
#         port name on two or more bridges. See
#         https://shorewall.org/bridge-Shorewall-perl.html#Multiple.
#
#         If the interface name is a wildcard name (ends with '+'), then the
#         physical name must also end in '+'. The physical name may end in '+'
#         (or be exactly '+') when the interface name is not a wildcard name.
#
#         If physical is not specified, then its value defaults to the interface
#         name.
#
#     proxyarp[={0|1}]
#
#         IPv4 only. Sets /proc/sys/net/ipv4/conf/interface/proxy_arp. Do NOT use
#         this option if you are employing Proxy ARP through entries in
#         shorewall-proxyarp(5). This option is intended solely for use with
#         Proxy ARP sub-networking as described at:
#         http://tldp.org/HOWTO/Proxy-ARP-Subnet/index.html.
#
#         Note
#
#         This option does not work with a wild-card physical name (e.g.,
#         eth0.+). Beginning with Shorewall 5.1.10, if this option is specified
#         with such a name, a warning is issued and the option is ignored.
#
#         Only those interfaces with the proxyarp option will have their setting
#         changed; the value assigned to the setting will be the value specified
#         (if any) or 1 if no value is given.
#
#     proxyndp[={0|1}]
#
#         IPv6 only. Sets /proc/sys/net/ipv6/conf/interface/proxy_ndp.
#
#         Note
#
#         This option does not work with a wild-card physical name (e.g.,
#         eth0.+). Beginning with Shorewall 5.1.10, if this option is specified
#         with such a name, a warning is issued and the option is ignored.
#
#         Only those interfaces with the proxyndp option will have their setting
#         changed; the value assigned to the setting will be the value specified
#         (if any) or 1 if no value is given.
#
#     required
#
#         Added in Shorewall 4.4.10. If this option is set, the firewall will
#         fail to start if the interface is not usable. May not be specified
#         together with optional.
#
#     routeback[={0|1}]
#
#         If specified, indicates that Shorewall should include rules that allow
#         traffic arriving on this interface to be routed back out that same
#         interface. This option is also required when you have used a wildcard
#         in the INTERFACE column if you want to allow traffic between the
#         interfaces that match the wildcard.
#
#         Beginning with Shorewall 4.4.20, if you specify this option, then you
#         should also specify either sfilter (see below) or routefilter on all
#         interfaces (see below).
#
#         Beginning with Shorewall 4.5.18, you may specify this option to
#         explicitly reset (e.g., routeback=0). This can be used to override
#         Shorewall's default setting for bridge devices, which is routeback=1.
#
#     routefilter[={0|1|2}]
#
#         IPv4 only. Turn on kernel route filtering for this interface
#         (anti-spoofing measure).
#
#         Only those interfaces with the routefilter option will have their
#         setting changed; the value assigned to the setting will be the value
#         specified (if any) or 1 if no value is given.
#
#         The value 2 is only available with Shorewall 4.4.5.1 and later when the
#         kernel version is 2.6.31 or later. It specifies a loose form of reverse
#         path filtering.
#
#         Note
#
#         This option does not work with a wild-card physical name (e.g.,
#         eth0.+). Beginning with Shorewall 5.1.10, if this option is specified
#         with such a name, a warning is issued and the option is ignored.
#
#         This option can also be enabled globally via the ROUTE_FILTER option in
#         the shorewall.conf(5) file.
#
#         Important
#
#         If ROUTE_FILTER=Yes in shorewall.conf(5), or if your distribution sets
#         net.ipv4.conf.all.rp_filter=1 in /etc/sysctl.conf, then setting
#         routefilter=0 in an interface entry will not disable route filtering on
#         that interface! The effective setting for an interface is the maximum
#         of the contents of /proc/sys/net/ipv4/conf/all/rp_filter and the
#         routefilter setting specified in this file
#         (/proc/sys/net/ipv4/conf/interface/rp_filter).
#
#         Note
#
#         There are certain cases where routefilter cannot be used on an
#         interface:
#
#           ☆ If USE_DEFAULT_RT=Yes in shorewall.conf(5) and the interface is
#             listed in shorewall-providers(5).
#
#           ☆ If there is an entry for the interface in shorewall-providers(5)
#             that doesn't specify the balance option.
#
#           ☆ If IPSEC is used to allow a road-warrior to have a local address,
#             then any interface through which the road-warrior might connect
#             cannot specify routefilter.
#
#         Beginning with Shorewall 5.1.1, when routefilter is set to a non-zero
#         value, the logmartians option is also implicitly set. If you actually
#         want route filtering without logging, then you must also specify
#         logmartians=0 after routefilter.
#
#     rpfilter
#
#         Added in Shorewall 4.5.7. This is an anti-spoofing measure that
#         requires the 'RPFilter Match' capability in your iptables and kernel.
#         It provides a more efficient alternative to the sfilter option below.
#         It performs a function similar to routefilter (see above) but works
#         with Multi-ISP configurations that do not use balanced routes.
#
#     sfilter=(net[,...])
#
#         Added in Shorewall 4.4.20. This option provides an anti-spoofing
#         alternative to routefilter on interfaces where that option cannot be
#         used, but where the routeback option is required (on a bridge, for
#         example). On these interfaces, sfilter should list those local networks
#         that are connected to the firewall through other interfaces.
#
#     sourceroute[={0|1}]
#
#         If this option is not specified for an interface, then source-routed
#         packets will not be accepted from that interface unless it has been
#         explicitly enabled via sysconf. Only set this option to 1 (enable
#         source routing) if you know what you are doing. This might represent a
#         security risk and is usually unneeded.
#
#         Only those interfaces with the sourceroute option will have their
#         setting changed; the value assigned to the setting will be the value
#         specified (if any) or 1 if no value is given.
#
#         Note
#
#         This option does not work with a wild-card physical name (e.g.,
#         eth0.+). Beginning with Shorewall 5.1.10, if this option is specified
#         with such a name, a warning is issued and the option is ignored.
#
#     tcpflags[={0|1}]
#
#         Packets arriving on this interface are checked for certain illegal
#         combinations of TCP flags. Packets found to have such a combination of
#         flags are handled according to the setting of TCP_FLAGS_DISPOSITION
#         after having been logged according to the setting of
#         TCP_FLAGS_LOG_LEVEL.
#
#         Beginning with Shorewall 4.6.0, tcpflags=1 is the default. To disable
#         this option, specify tcpflags=0.
#
#     unmanaged
#
#         Added in Shorewall 4.5.18. Causes all traffic between the firewall and
#         hosts on the interface to be accepted. When this option is given:
#
#           ☆ The ZONE column must contain '-'.
#
#           ☆ Only the following other options are allowed with unmanaged:
#
#             arp_filter
#             arp_ignore
#             ignore
#             optional
#             physical
#             routefilter
#             proxyarp
#             proxyndp
#             sourceroute
#
#     upnp
#
#         Incoming requests from this interface may be remapped via UPNP (upnpd).
#         See https://shorewall.org/UPnP.html. Supported in IPv4 and in IPv6 in
#         Shorewall 5.1.4 and later.
#
#     upnpclient
#
#         This option is intended for laptop users who always run Shorewall on
#         their system yet need to run UPnP-enabled client apps such as
#         Transmission (BitTorrent client). The option causes Shorewall to detect
#         the default gateway through the interface and to accept UDP packets
#         from that gateway. Note that, like all aspects of UPnP, this is a
#         security hole so use this option at your own risk. Supported in IPv4
#         and in IPv6 in Shorewall 5.1.4 and later.
#
#     wait=seconds
#
#         Added in Shorewall 4.4.10. Causes the generated script to wait up to
#         the given number of seconds for the interface to become usable before
#         applying the required or optional options.
#
# Example
#
# IPv4 Example 1:
#
#     Suppose you have eth0 connected to a DSL modem and eth1 connected to your
#     local network and that your local subnet is 192.168.1.0/24. eth0 gets its
#     IP address via DHCP from subnet 206.191.149.192/27. You have a DMZ with
#     subnet 192.168.2.0/24 using eth2. Your iptables and/or kernel do not
#     support "Address Type Match" and you prefer to specify broadcast addresses
#     explicitly rather than having Shorewall detect them.
#
#     Your entries for this setup would look like:
#
#     ?FORMAT 1
#     #ZONE   INTERFACE BROADCAST        OPTIONS
#     net     eth0      206.191.149.223  dhcp
#     loc     eth1      192.168.1.255
#     dmz     eth2      192.168.2.255
#
# Example 2:
#
#     The same configuration without specifying broadcast addresses is:
#
#     ?FORMAT 2
#     #ZONE   INTERFACE OPTIONS
#     net     eth0      dhcp
#     loc     eth1
#     dmz     eth2
#
# Example 3:
#
#     You have a simple dial-in system with no Ethernet connections.
#
#     ?FORMAT 2
#     #ZONE   INTERFACE OPTIONS
#     net     ppp0      -
#
# Example 4 (Shorewall 4.4.9 and later):
#
#     You have a bridge with no IP address and you want to allow traffic through
#     the bridge.
#
#     ?FORMAT 2
#     #ZONE   INTERFACE OPTIONS
#     -       br0       bridge
#
###############################################################################
?FORMAT 2
###############################################################################
#ZONE	INTERFACE	OPTIONS
net     NET_IF          tcpflags,physical=eth0
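
As an added example (not part of the Shorewall distribution), the Python below parses interfaces entries in both layouts described above and checks the constraints the column and OPTIONS text documents: optional and required are mutually exclusive, ignore without =1 and unmanaged restrict the ZONE and OPTIONS columns, a wildcard logical name needs a wildcard physical name, a bridge port must follow a bridge entry and may not carry the listed options, and routefilter=0 is ineffective when all/rp_filter is non-zero because the kernel takes the maximum. The all_rp_filter argument and the SAMPLE entries are constructed inputs; the active entry of this file is included unchanged.

```python
from collections import namedtuple

# Options the 'unmanaged' text lists as the only ones permitted alongside it.
UNMANAGED_ALLOWED = {"arp_filter", "arp_ignore", "ignore", "optional", "physical",
                     "routefilter", "proxyarp", "proxyndp", "sourceroute"}
# Options the INTERFACE text forbids when a bridge port (bridge:port) is given.
PORT_FORBIDDEN = {"arp_filter", "arp_ignore", "bridge", "logmartians", "mss", "optional",
                  "proxyarp", "required", "routefilter", "sourceroute", "upnp", "wait"}

Entry = namedtuple("Entry", "line zone interface options")  # options: name -> value or None


def parse_interfaces(text):
    """Parse interfaces entries. FORMAT 1 (the default) has a BROADCAST column
    before OPTIONS; a '?FORMAT 2' line switches to the three-column layout."""
    entries, fmt = [], 1
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        if line.startswith("?FORMAT"):
            fmt = int(line.split()[1])
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        opt_index = 3 if fmt == 1 else 2
        options = {}
        if len(fields) > opt_index and fields[opt_index] != "-":
            for opt in fields[opt_index].split(","):
                name, _, value = opt.partition("=")
                options[name] = value or None     # None: given without '=value'
        entries.append(Entry(lineno, fields[0], fields[1], options))
    return entries


def lint(text, all_rp_filter=0):
    """Return (line, message) findings. all_rp_filter stands in for the content of
    /proc/sys/net/ipv4/conf/all/rp_filter (supplied here, not read from the kernel)."""
    findings, bridges = [], set()

    def warn(e, msg):
        findings.append((e.line, f"{e.interface}: {msg}"))

    for e in parse_interfaces(text):
        o = e.options
        if "optional" in o and "required" in o:
            warn(e, "optional and required may not be specified together")
        # ignore without '=1' demands ZONE '-' and no other option
        if "ignore" in o and o["ignore"] is None and (e.zone != "-" or len(o) != 1):
            warn(e, "ignore (without =1) requires ZONE '-' and must be the only option")
        if "unmanaged" in o:
            if e.zone != "-":
                warn(e, "unmanaged requires ZONE '-'")
            extra = set(o) - UNMANAGED_ALLOWED - {"unmanaged"}
            if extra:
                warn(e, f"options not allowed with unmanaged: {sorted(extra)}")
        # a wildcard logical name (ending in '+') needs a wildcard physical name
        physical = o.get("physical") or e.interface
        if e.interface.endswith("+") and not physical.endswith("+"):
            warn(e, "wildcard interface name requires a physical name ending in '+'")
        if ":" in e.interface:
            parent = e.interface.split(":", 1)[0]
            if parent not in bridges:
                warn(e, f"port given, but {parent} was not defined earlier with bridge")
            bad = set(o) & PORT_FORBIDDEN
            if bad:
                warn(e, f"options not allowed on a bridge port: {sorted(bad)}")
        if "bridge" in o:
            bridges.add(e.interface)
        if "routefilter" in o:
            requested = int(o["routefilter"] or 1)
            # the kernel applies max(all/rp_filter, interface/rp_filter)
            effective = max(requested, all_rp_filter)
            if requested == 0 and effective != 0:
                warn(e, f"routefilter=0 is ineffective: all/rp_filter={all_rp_filter} "
                        f"gives an effective setting of {effective}")
    return findings


# Constructed sample: this file's active entry plus entries that break the documented rules.
SAMPLE = """\
?FORMAT 2
#ZONE   INTERFACE   OPTIONS
net     NET_IF      tcpflags,physical=eth0
loc     eth1        routefilter=0,optional,required
-       br0         bridge
loc     br0:eth2    optional
-       eth3        ignore,dhcp
-       ppp+        unmanaged,physical=eth9,dhcp
"""

if __name__ == "__main__":
    for line, msg in lint(SAMPLE, all_rp_filter=1):
        print(f"line {line}: {msg}")
```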