Member "shorewall6-5.2.8/configfiles/interfaces.annotated" (24 Sep 2020, 26622 Bytes) of package /linux/misc/shorewall/shorewall6-5.2.8.tar.bz2:


#
# Shorewall6 -- /etc/shorewall6/interfaces
#
# For information about entries in this file, type "man shorewall6-interfaces"
#
# The manpage is also online at
# https://shorewall.org/manpages/shorewall-interfaces.html
#
?FORMAT 2
###############################################################################
#
# The interfaces file serves to define the firewall's network interfaces to
# Shorewall. The order of entries in this file is not significant in determining
# zone composition.
#
# Beginning with Shorewall 4.5.3, the interfaces file supports two different
# formats:
#
# FORMAT 1 (default - deprecated)
#
#     There is a BROADCAST column which can be used to specify the broadcast
#     address associated with the interface.
#
# FORMAT 2
#
#     The BROADCAST column is omitted.
#
# The format is specified by a line as follows:
#
#     ?FORMAT {1|2}
#
# The columns in the file are as follows.
#
# ZONE - zone-name
#
#     Zone for this interface. Must match the name of a zone declared in
#     /etc/shorewall/zones. You may not list the firewall zone in this column.
#
#     If the interface serves multiple zones that will be defined in the
#     shorewall-hosts(5) file, you should place "-" in this column.
#
#     If there are multiple interfaces to the same zone, you must list them in
#     separate entries.
#
#     Example:
#
#         #ZONE   INTERFACE       BROADCAST
#         loc     eth1            -
#         loc     eth2            -
#
# INTERFACE - interface[:port]
#
#     Logical name of interface. Each interface may be listed only once in this
#     file. You may NOT specify the name of a "virtual" interface (e.g., eth0:0)
#     here; see https://shorewall.org/FAQ.htm#faq18. If the physical option is
#     not specified, then the logical name is also the name of the actual
#     interface.
#
#     You may use wildcards here by specifying a prefix followed by the plus sign
#     ("+"). For example, if you want to make an entry that applies to all PPP
#     interfaces, use 'ppp+'; that would match ppp0, ppp1, ppp2, …
#
#     When using Shorewall versions before 4.1.4, care must be exercised when
#     using wildcards where there is another zone that uses a matching specific
#     interface. See shorewall-nesting(5) for a discussion of this problem.
#
#     Shorewall allows '+' as an interface name, but that usage is deprecated. A
#     better approach is to specify 'physical=+' in the OPTIONS column (see
#     below).
#
#     There is no need to define the loopback interface (lo) in this file.
#
#     If a port is given, then the interface must have been defined previously
#     with the bridge option. The OPTIONS column may not contain the following
#     options when a port is given.
#
#     arp_filter
#     arp_ignore
#     bridge
#     log_martians
#     mss
#     optional
#     proxyarp
#     required
#     routefilter
#     sourceroute
#     upnp
#     wait
#
#     Beginning with Shorewall 4.5.17, if you specify a zone for the 'lo'
#     interface, then that zone must be defined as type local in
#     shorewall6-zones(5).
#
# BROADCAST (Optional) - {-|detect|address[,address]...}
#
#     Only available if FORMAT 1.
#
#     If you use the special value detect, Shorewall will detect the broadcast
#     address(es) for you if your iptables and kernel include Address Type Match
#     support.
#
#     If your iptables and/or kernel lack Address Type Match support then you may
#     list the broadcast address(es) for the network(s) to which the interface
#     belongs. For P-T-P interfaces, this column is left blank. If the interface
#     has multiple addresses on multiple subnets then list the broadcast
#     addresses as a comma-separated list.
#
#     If you don't want to give a value for this column but you want to enter a
#     value in the OPTIONS column, enter - in this column.
#
# OPTIONS (Optional) - [option[,option]...]
#
#     A comma-separated list of options from the following list. The order in
#     which you list the options is not significant but the list should have no
#     embedded white-space.
#
#     accept_ra[={0|1|2}]
#
#         IPv6 only; added in Shorewall 4.5.16. Values are:
#
#         0
#
#             Do not accept Router Advertisements.
#
#         1
#
#             Accept Router Advertisements if forwarding is disabled.
#
#         2
#
#             Overrule forwarding behavior. Accept Router Advertisements even if
#             forwarding is enabled.
#
#         If the option is specified without a value, then the value 1 is
#         assumed.
#
#         Note
#
#         This option does not work with a wild-card physical name (e.g.,
#         eth0.+). Beginning with Shorewall 5.1.10, if this option is specified
#         on such an interface, a warning is issued and the option is ignored.
#
#     arp_filter[={0|1}]
#
#         IPv4 only. If specified, this interface will only respond to ARP
#         who-has requests for IP addresses configured on the interface. If not
#         specified, the interface can respond to ARP who-has requests for IP
#         addresses on any of the firewall's interfaces. The interface must be up
#         when Shorewall is started.
#
#         Only those interfaces with the arp_filter option will have their
#         setting changed; the value assigned to the setting will be the value
#         specified (if any) or 1 if no value is given.
#
#         Note
#
#         This option does not work with a wild-card physical name (e.g.,
#         eth0.+). Beginning with Shorewall 5.1.10, if this option is specified
#         on such an interface, a warning is issued and the option is ignored.
#
#     arp_ignore[=number]
#
#         IPv4 only. If specified, this interface will respond to ARP requests
#         based on the value of number (defaults to 1).
#
#         1 - reply only if the target IP address is a local address configured
#         on the incoming interface
#
#         2 - reply only if the target IP address is a local address configured
#         on the incoming interface and the sender's IP address is in the same
#         subnet as this interface's address
#
#         3 - do not reply for local addresses configured with scope host, only
#         resolutions for global and link
#
#         4-7 - reserved
#
#         8 - do not reply for all local addresses
#
#         Note
#
#         This option does not work with a wild-card physical name (e.g.,
#         eth0.+). Beginning with Shorewall 5.1.10, if this option is specified
#         on such an interface, a warning is issued and the option is ignored.
#
#         Warning
#
#         Do not specify arp_ignore for any interface involved in Proxy ARP.
#
#     blacklist
#
#         Checks packets arriving on this interface against the
#         shorewall-blacklist(5) file.
#
#         Beginning with Shorewall 4.4.13:
#
#           ☆ If a zone is given in the ZONE column, then the behavior is as if
#             blacklist had been specified in the IN_OPTIONS column of
#             shorewall-zones(5).
#
#           ☆ Otherwise, the option is ignored with a warning:
#
#                 WARNING: The 'blacklist' option is ignored on multi-zone
#                 interfaces
#
#     bridge
#
#         Designates the interface as a bridge. Beginning with Shorewall 4.4.7,
#         setting this option also sets routeback.
#
#         Note
#
#         If you have a bridge that you don't intend to define bport zones on,
#         then it is best to omit this option and simply specify routeback.
#
#     dbl={none|src|dst|src-dst}
#
#         Added in Shorewall 5.0.10. This option defines whether or not dynamic
#         blacklisting is applied to packets entering the firewall through this
#         interface and whether the source address and/or destination address is
#         to be compared against the ipset-based dynamic blacklist
#         (DYNAMIC_BLACKLIST=ipset... in shorewall.conf(5)). The default is
#         determined by the setting of DYNAMIC_BLACKLIST:
#
#         DYNAMIC_BLACKLIST=No
#
#             Default is none (i.e., no dynamic blacklist checking).
#
#         DYNAMIC_BLACKLIST=Yes
#
#             Default is src (i.e., the source IP address is checked).
#
#         DYNAMIC_BLACKLIST=ipset[-only]
#
#             Default is src.
#
#         DYNAMIC_BLACKLIST=ipset[-only],src-dst...
#
#             Default is src-dst (i.e., the source IP address is checked
#             against the ipset on input and the destination IP address is
#             checked against the ipset on packets originating from the firewall
#             and leaving through this interface).
#
#         The normal setting for this option will be dst or none for internal
#         interfaces and src or src-dst for Internet-facing interfaces.
#
#     destonly
#
#         Added in Shorewall 4.5.17. Causes the compiler to omit rules to handle
#         traffic from this interface.
#
#     dhcp
#
#         Specify this option when any of the following are true:
#
#          1. the interface gets its IP address via DHCP
#
#          2. the interface is used by a DHCP server running on the firewall
#
#          3. the interface has a static IP but is on a LAN segment with lots of
#             DHCP clients.
#
#          4. the interface is a simple bridge with a DHCP server on one port and
#             DHCP clients on another port.
#
#             Note
#
#             If you use Shorewall-perl for firewall/bridging, then you need to
#             include DHCP-specific rules in shorewall-rules(5). DHCP uses UDP
#             ports 67 and 68.
#
#         This option allows DHCP datagrams to enter and leave the interface.
#
#     forward[={0|1}]
#
#         IPv6 only. Sets the /proc/sys/net/ipv6/conf/interface/forwarding option
#         to the specified value. If no value is supplied, then 1 is assumed.
#
#         Note
#
#         This option does not work with a wild-card physical name (e.g.,
#         eth0.+). Beginning with Shorewall 5.1.10, if this option is specified
#         on such an interface, a warning is issued and the option is ignored.
#
#     ignore[=1]
#
#         When specified, causes the generated script to ignore up/down events
#         from Shorewall-init for this device. Additionally, the option exempts
#         the interface from hairpin filtering. When '=1' is omitted, the ZONE
#         column must contain '-' and ignore must be the only OPTION.
#
#         Beginning with Shorewall 4.5.5, may be specified as 'ignore=1' which
#         only causes the generated script to ignore up/down events from
#         Shorewall-init; hairpin filtering is still applied. In this case, the
#         above restrictions on the ZONE and OPTIONS columns are lifted.
#
#     loopback
#
#         Added in Shorewall 4.6.6. Designates the interface as the loopback
#         interface. This option is assumed if the interface's physical name is
#         'lo'. Only one interface may have the loopback option specified.
#
#     logmartians[={0|1}]
#
#         IPv4 only. Turn on kernel martian logging (logging of packets with
#         impossible source addresses). It is strongly suggested that if you set
#         routefilter on an interface that you also set logmartians. Even if you
#         do not specify the routefilter option, it is a good idea to specify
#         logmartians because your distribution may have enabled route filtering
#         without you knowing it.
#
#         Only those interfaces with the logmartians option will have their
#         setting changed; the value assigned to the setting will be the value
#         specified (if any) or 1 if no value is given.
#
#         To find out if route filtering is set on a given interface, check the
#         contents of /proc/sys/net/ipv4/conf/interface/rp_filter - a non-zero
#         value indicates that route filtering is enabled.
#
#         Example:
#
#                 teastep@lists:~$ cat /proc/sys/net/ipv4/conf/eth0/rp_filter
#                 1
#                 teastep@lists:~$
#
#         Note
#
#         This option does not work with a wild-card physical name (e.g.,
#         eth0.+). Beginning with Shorewall 5.1.10, if this option is specified
#         on such an interface, a warning is issued and the option is ignored.
#
#         This option may also be enabled globally in the shorewall.conf(5)
#         file.
#
#     maclist
#
#         Connection requests from this interface are compared against the
#         contents of shorewall-maclist(5). If this option is specified, the
#         interface must be an Ethernet NIC and must be up before Shorewall is
#         started.
#
#     mss=number
#
#         Added in Shorewall 4.0.3. Causes forwarded TCP SYN packets entering or
#         leaving on this interface to have their MSS field set to the specified
#         number.
#
#     nets=(net[,...])
#
#         Limit the zone named in the ZONE column to only the listed networks.
#         The parentheses may be omitted if only a single net is given (e.g.,
#         nets=192.168.1.0/24). Limited broadcast to the zone is supported.
#         Beginning with Shorewall 4.4.1, multicast traffic to the zone is also
#         supported.
#
#     nets=dynamic
#
#         Defines the zone as dynamic. Requires ipset match support in your
#         iptables and kernel. See https://shorewall.org/Dynamic.html for further
#         information.
#
#     nodbl
#
#         Added in Shorewall 5.0.8. When specified, dynamic blacklisting is
#         disabled on the interface. Beginning with Shorewall 5.0.10, nodbl is
#         equivalent to dbl=none.
#
#     nosmurfs
#
#         IPv4 only. Filter packets for smurfs (packets with a broadcast address
#         as the source).
#
#         Smurfs will be optionally logged based on the setting of
#         SMURF_LOG_LEVEL in shorewall.conf(5). After logging, the packets are
#         dropped.
#
#     omitanycast
#
#         IPv6 only. Added in Shorewall 5.2.8.
#
#         Shorewall6 has traditionally generated rules for IPv6 anycast
#         addresses. These rules include:
#
#          a. Packets with these destination IP addresses are dropped by REJECT
#             rules.
#
#          b. Packets with these source IP addresses are dropped by the
#             'nosmurfs' interface option and by the 'dropSmurfs' action.
#
#          c. Packets with these destination IP addresses are not logged during
#             policy enforcement.
#
#          d. Packets with these destination IP addresses are processed by the
#             'Broadcast' action.
#
#         This can be inhibited for individual interfaces by specifying
#         omitanycast for those interfaces.
#
#         Note
#
#         RFC 2526 describes IPv6 subnet anycast addresses. The RFC makes a
#         distinction between subnets with "IPv6 address types required to have
#         64-bit interface identifiers in EUI-64 format" and all other subnets.
#         When generating these anycast addresses, the Shorewall compiler does
#         not make this distinction and unconditionally assumes that the last 128
#         addresses in the subnet are reserved as anycast addresses.
#
#     optional
#
#         This option indicates that the firewall should be able to start, even
#         if the interface is not usable for handling traffic. It allows use of
#         the enable and disable commands on the interface.
#
#         When optional is specified for an interface, Shorewall will be silent
#         when:
#
#           ☆ a /proc/sys/net/ipv[46]/conf/ entry for the interface cannot be
#             modified (including for proxy ARP or proxy NDP).
#
#           ☆ The first address of the interface cannot be obtained.
#
#           ☆ The gateway of the interface cannot be obtained (provider
#             interface).
#
#           ☆ The interface has been disabled using the disable command.
#
#         May not be specified with required.
#
#     physical=name
#
#         Added in Shorewall 4.4.4. When specified, the interface or port name in
#         the INTERFACE column is a logical name that refers to the name given in
#         this option. It is useful when you want to specify the same wildcard
#         port name on two or more bridges. See
#         https://shorewall.org/bridge-Shorewall-perl.html#Multiple.
#
#         If the interface name is a wildcard name (ends with '+'), then the
#         physical name must also end in '+'. The physical name may end in '+'
#         (or be exactly '+') when the interface name is not a wildcard name.
#
#         If physical is not specified, then its value defaults to the interface
#         name.
#
#     proxyarp[={0|1}]
#
#         IPv4 only. Sets /proc/sys/net/ipv4/conf/interface/proxy_arp. Do NOT use
#         this option if you are employing Proxy ARP through entries in
#         shorewall-proxyarp(5). This option is intended solely for use with
#         Proxy ARP sub-networking as described at:
#         http://tldp.org/HOWTO/Proxy-ARP-Subnet/index.html.
#
#         Note
#
#         This option does not work with a wild-card physical name (e.g.,
#         eth0.+). Beginning with Shorewall 5.1.10, if this option is specified
#         on such an interface, a warning is issued and the option is ignored.
#
#         Only those interfaces with the proxyarp option will have their setting
#         changed; the value assigned to the setting will be the value specified
#         (if any) or 1 if no value is given.
#
#     proxyndp[={0|1}]
#
#         IPv6 only. Sets /proc/sys/net/ipv6/conf/interface/proxy_ndp.
#
#         Note
#
#         This option does not work with a wild-card physical name (e.g.,
#         eth0.+). Beginning with Shorewall 5.1.10, if this option is specified
#         on such an interface, a warning is issued and the option is ignored.
#
#         Only those interfaces with the proxyndp option will have their setting
#         changed; the value assigned to the setting will be the value specified
#         (if any) or 1 if no value is given.
#
#     required
#
#         Added in Shorewall 4.4.10. If this option is set, the firewall will
#         fail to start if the interface is not usable. May not be specified
#         together with optional.
#
#     routeback[={0|1}]
#
#         If specified, indicates that Shorewall should include rules that allow
#         traffic arriving on this interface to be routed back out that same
#         interface. This option is also required when you have used a wildcard
#         in the INTERFACE column if you want to allow traffic between the
#         interfaces that match the wildcard.
#
#         Beginning with Shorewall 4.4.20, if you specify this option, then you
#         should also specify either sfilter (see below) or routefilter on all
#         interfaces (see below).
#
#         Beginning with Shorewall 4.5.18, you may specify this option to
#         explicitly reset (e.g., routeback=0). This can be used to override
#         Shorewall's default setting for bridge devices which is routeback=1.
#
#     routefilter[={0|1|2}]
#
#         IPv4 only. Turn on kernel route filtering for this interface
#         (anti-spoofing measure).
#
#         Only those interfaces with the routefilter option will have their
#         setting changed; the value assigned to the setting will be the value
#         specified (if any) or 1 if no value is given.
#
#         The value 2 is only available with Shorewall 4.4.5.1 and later when the
#         kernel version is 2.6.31 or later. It specifies a loose form of reverse
#         path filtering.
#
#         Note
#
#         This option does not work with a wild-card physical name (e.g.,
#         eth0.+). Beginning with Shorewall 5.1.10, if this option is specified
#         on such an interface, a warning is issued and the option is ignored.
#
#         This option can also be enabled globally via the ROUTE_FILTER option in
#         the shorewall.conf(5) file.
#
#         Important
#
#         If ROUTE_FILTER=Yes in shorewall.conf(5), or if your distribution sets
#         net.ipv4.conf.all.rp_filter=1 in /etc/sysctl.conf, then setting
#         routefilter=0 in an interface entry will not disable route filtering on
#         that interface! The effective setting for an interface is the maximum
#         of the contents of /proc/sys/net/ipv4/conf/all/rp_filter and the
#         routefilter setting specified in this file
#         (/proc/sys/net/ipv4/conf/interface/rp_filter).
#
#         Note
#
#         There are certain cases where routefilter cannot be used on an
#         interface:
#
#           ☆ If USE_DEFAULT_RT=Yes in shorewall.conf(5) and the interface is
#             listed in shorewall-providers(5).
#
#           ☆ If there is an entry for the interface in shorewall-providers(5)
#             that doesn't specify the balance option.
#
#           ☆ If IPSEC is used to allow a road-warrior to have a local address,
#             then any interface through which the road-warrior might connect
#             cannot specify routefilter.
#
#         Beginning with Shorewall 5.1.1, when routefilter is set to a non-zero
#         value, the logmartians option is also implicitly set. If you actually
#         want route filtering without logging, then you must also specify
#         logmartians=0 after routefilter.
#
#     rpfilter
#
#         Added in Shorewall 4.5.7. This is an anti-spoofing measure that
#         requires the 'RPFilter Match' capability in your iptables and kernel.
#         It provides a more efficient alternative to the sfilter option below.
#         It performs a function similar to routefilter (see above) but works
#         with Multi-ISP configurations that do not use balanced routes.
#
#     sfilter=(net[,...])
#
#         Added in Shorewall 4.4.20. This option provides an anti-spoofing
#         alternative to routefilter on interfaces where that option cannot be
#         used, but where the routeback option is required (on a bridge, for
#         example). On these interfaces, sfilter should list those local networks
#         that are connected to the firewall through other interfaces.
#
#     sourceroute[={0|1}]
#
#         If this option is not specified for an interface, then source-routed
#         packets will not be accepted from that interface unless it has been
#         explicitly enabled via sysconf. Only set this option to 1 (enable
#         source routing) if you know what you are doing. This might represent a
#         security risk and is usually unneeded.
#
#         Only those interfaces with the sourceroute option will have their
#         setting changed; the value assigned to the setting will be the value
#         specified (if any) or 1 if no value is given.
#
#         Note
#
#         This option does not work with a wild-card physical name (e.g.,
#         eth0.+). Beginning with Shorewall 5.1.10, if this option is specified
#         on such an interface, a warning is issued and the option is ignored.
#
#     tcpflags[={0|1}]
#
#         Packets arriving on this interface are checked for certain illegal
#         combinations of TCP flags. Packets found to have such a combination of
#         flags are handled according to the setting of TCP_FLAGS_DISPOSITION
#         after having been logged according to the setting of
#         TCP_FLAGS_LOG_LEVEL.
#
#         Beginning with Shorewall 4.6.0, tcpflags=1 is the default. To disable
#         this option, specify tcpflags=0.
#
#     unmanaged
#
#         Added in Shorewall 4.5.18. Causes all traffic between the firewall and
#         hosts on the interface to be accepted. When this option is given:
#
#           ☆ The ZONE column must contain '-'.
#
#           ☆ Only the following other options are allowed with unmanaged:
#
#             arp_filter
#             arp_ignore
#             ignore
#             routefilter
#             optional
#             physical
#             proxyarp
#             proxyndp
#             sourceroute
#
#     upnp
#
#         Incoming requests from this interface may be remapped via UPnP (upnpd).
#         See https://shorewall.org/UPnP.html. Supported in IPv4 and in IPv6 in
#         Shorewall 5.1.4 and later.
#
#     upnpclient
#
#         This option is intended for laptop users who always run Shorewall on
#         their system yet need to run UPnP-enabled client apps such as
#         Transmission (BitTorrent client). The option causes Shorewall to detect
#         the default gateway through the interface and to accept UDP packets
#         from that gateway. Note that, like all aspects of UPnP, this is a
#         security hole so use this option at your own risk. Supported in IPv4
#         and in IPv6 in Shorewall 5.1.4 and later.
#
#     wait=seconds
#
#         Added in Shorewall 4.4.10. Causes the generated script to wait up to
#         seconds seconds for the interface to become usable before applying the
#         required or optional options.
#
# Example
#
# IPv4 Example 1:
#
#     Suppose you have eth0 connected to a DSL modem and eth1 connected to your
#     local network and that your local subnet is 192.168.1.0/24. eth0 gets its
#     IP address via DHCP from subnet 206.191.149.192/27. You have a DMZ with
#     subnet 192.168.2.0/24 using eth2. Your iptables and/or kernel do not
#     support "Address Type Match" and you prefer to specify broadcast addresses
#     explicitly rather than having Shorewall detect them.
#
#     Your entries for this setup would look like:
#
#     ?FORMAT 1
#     #ZONE   INTERFACE BROADCAST        OPTIONS
#     net     eth0      206.191.149.223  dhcp
#     loc     eth1      192.168.1.255
#     dmz     eth2      192.168.2.255
#
# Example 2:
#
#     The same configuration without specifying broadcast addresses is:
#
#     ?FORMAT 2
#     #ZONE   INTERFACE OPTIONS
#     net     eth0      dhcp
#     loc     eth1
#     dmz     eth2
#
# Example 3:
#
#     You have a simple dial-in system with no Ethernet connections.
#
#     ?FORMAT 2
#     #ZONE   INTERFACE OPTIONS
#     net     ppp0      -
#
# Example 4 (Shorewall 4.4.9 and later):
#
#     You have a bridge with no IP address and you want to allow traffic through
#     the bridge.
#
#     ?FORMAT 2
#     #ZONE   INTERFACE OPTIONS
#     -       br0       bridge
#
###############################################################################
#ZONE		INTERFACE		OPTIONS
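The following Python is an added example, not part of Shorewall or of this file: it parses an interfaces file in either ?FORMAT and checks each entry against the rules the annotation above states (one entry per interface, ports only on a previously declared bridge and without the options forbidden on ports, optional versus required, bare ignore, the unmanaged allow-list, wildcard physical names, and ARP/rp_filter options that are IPv4 only). The SAMPLE file at the end and the optional zones parameter are constructed for illustration.

```python
"""Parse a Shorewall6 interfaces file and check it against the constraints that
the annotated file above documents. Added example; this is not Shorewall code."""
import re
from typing import Dict, List, NamedTuple, Optional

# Option sets taken from the annotation above.
PORT_FORBIDDEN = {"arp_filter", "arp_ignore", "bridge", "log_martians", "mss", "optional",
                  "proxyarp", "required", "routefilter", "sourceroute", "upnp", "wait"}
WILDCARD_IGNORED = {"accept_ra", "arp_filter", "arp_ignore", "forward", "logmartians",
                    "proxyarp", "proxyndp", "routefilter", "sourceroute"}
UNMANAGED_ALLOWED = {"arp_filter", "arp_ignore", "ignore", "routefilter", "optional",
                     "physical", "proxyarp", "proxyndp", "sourceroute"}
# ARP and rp_filter options marked "IPv4 only" above; they do nothing in shorewall6.
IPV4_ONLY = {"arp_filter", "arp_ignore", "logmartians", "proxyarp", "routefilter"}


class Entry(NamedTuple):
    zone: str
    interface: str                      # logical name, possibly "bridge:port"
    broadcast: Optional[str]            # present only under ?FORMAT 1
    options: Dict[str, Optional[str]]   # option name -> value (None for bare flags)


def parse_interfaces(text: str):
    """Return (format, entries). '?FORMAT n' selects the column layout, comment
    lines and other '?' directives are skipped, missing trailing columns mean '-'."""
    fmt, entries = 1, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("?"):
            m = re.fullmatch(r"\?FORMAT\s+([12])", line)
            fmt = int(m.group(1)) if m else fmt
            continue
        cols = line.split() + ["-"] * 4
        zone, iface, bcast, opts = cols[:4] if fmt == 1 else (cols[0], cols[1], None, cols[2])
        options = {} if opts == "-" else {k: v or None for k, _, v in
                                           (item.partition("=") for item in opts.split(","))}
        entries.append(Entry(zone, iface, bcast, options))
    return fmt, entries


def check_interfaces(text: str, zones=()) -> List[str]:
    """Apply the documented constraints and return 'ERROR:'/'WARNING:' lines;
    'zones' optionally lists the zone names declared in shorewall6-zones(5)."""
    problems: List[str] = []
    seen, bridges = set(), set()
    for e in parse_interfaces(text)[1]:
        o = e.options
        err = lambda msg: problems.append(f"ERROR: {e.interface}: {msg}")
        warn = lambda msg: problems.append(f"WARNING: {e.interface}: {msg}")
        if e.interface in seen:
            err("interface listed more than once")
        seen.add(e.interface)
        if zones and e.zone != "-" and e.zone not in zones:
            err(f"zone {e.zone!r} is not declared in shorewall6-zones")
        base, _, port = e.interface.partition(":")
        if port and base not in bridges:
            err(f"port given but {base} was not defined earlier with 'bridge'")
        if port and PORT_FORBIDDEN & set(o):
            err("options not allowed on a port: " + ",".join(sorted(PORT_FORBIDDEN & set(o))))
        if "bridge" in o:
            bridges.add(e.interface)
        if "optional" in o and "required" in o:
            err("optional and required are mutually exclusive")
        if "ignore" in o and o["ignore"] is None and (e.zone != "-" or len(o) > 1):
            err("bare 'ignore' needs ZONE '-' and no other options (use ignore=1)")
        if "unmanaged" in o:
            if e.zone != "-":
                err("unmanaged requires ZONE '-'")
            extra = sorted(set(o) - UNMANAGED_ALLOWED - {"unmanaged"})
            if extra:
                err("options not allowed with unmanaged: " + ",".join(extra))
        physical = o.get("physical") or e.interface
        if e.interface.endswith("+") and not physical.endswith("+"):
            err("a wildcard interface name needs a wildcard physical name")
        elif physical.endswith("+"):
            for name in sorted(WILDCARD_IGNORED & set(o)):
                warn(f"{name} is ignored on wildcard physical name {physical}")
        for name in sorted(IPV4_ONLY & set(o)):
            warn(f"{name} is IPv4 only and has no effect in shorewall6")
    return problems


# Constructed sample (not from the page) that trips several of the checks.
SAMPLE = """\
?FORMAT 2
#ZONE   INTERFACE  OPTIONS
net     eth0       dhcp,dbl=src-dst,routefilter
loc     br0        bridge
loc     br0:eth1   mss=1400
-       ppp+       unmanaged,physical=ppp+,forward
dmz     eth0       accept_ra=2
"""
```

Running `check_interfaces(SAMPLE)` reports the IPv4-only routefilter, the mss option on the bridge port, the forward option under unmanaged (and its wildcard-physical warning), and the duplicate eth0 entry.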