Every Ethernet interface the firewall is to handle must be associated with at least one zone. A single interface can be associated with several zones by means of "host" zones. This form also lets you configure the options attached to each interface in detail.
Interface ID: | This number is used wherever the interface must be uniquely identified. It is recommended that you keep the proposed default value. |
Zone: | Choose the zone to associate with the interface from the pull-down list. The special zone "-" means that "host" zones will be associated with this interface instead. |
Interface: | Choose the interface you want to configure from the pull-down list. If the desired interface is not shown, declare it first in the "System setup" section. |
Broadcast: | The broadcast address of the sub-network attached to the interface. Leave it empty for point-to-point interfaces (ppp*, ippp*); if you need to specify options for such an interface, enter "-" in this column. The special value "detect" makes the firewall determine the broadcast address automatically. |
Options: | Checkable options that specialize the interface's behavior. Each is described in the table below. |
The options available for interfaces are detailed below. Review them carefully for each interface: for some interfaces (the external one in particular), certain options are strongly recommended.
arp_filter | (Added in version 1.4.7) This option sets /proc/sys/net/ipv4/conf/(interface)/arp_filter, with the result that the interface only answers ARP 'who-has' requests from hosts that are routed out of that interface. It makes it easier to test a firewall whose several interfaces are connected to the same hub/switch (all interfaces connected to that hub/switch should have this option). Using such a configuration in production is strongly discouraged. |
newnotsyn | (Added in version 1.4.6) This option overrides NEWNOTSYN=No for packets arriving on this interface. In other words, packets coming in on this interface are processed as if NEWNOTSYN=Yes had been specified in /etc/shorewall/shorewall.conf. |
routeback | (Added in version 1.4.2) This option causes Shorewall to set up handling for routing packets that arrive on this interface back out the same interface. If this option is specified, the ZONE column may not contain "-". |
tcpflags | (added in version 1.3.11) This option causes Shorewall to make sanity checks on the header flags in TCP packets arriving on this interface. Checks include Null flags, SYN+FIN, SYN+RST and FIN+URG+PSH; these flag combinations are typically used for "silent" port scans. Packets failing these checks are logged according to the TCP_FLAGS_LOG_LEVEL option in /etc/shorewall/shorewall.conf and are disposed of according to the TCP_FLAGS_DISPOSITION option. |
blacklist | This option causes incoming packets on this interface to be checked against the blacklist. See the "blacklist" sub-section. |
dhcp | The interface is assigned an IP address via DHCP or is used by a DHCP server running on the firewall. The firewall will be configured to allow DHCP traffic to and from the interface even when the firewall is stopped. |
norfc1918 | Packets arriving on this interface with a source or destination address reserved by RFC 1918 (private network addresses) are logged and dropped. This option is generally used for Internet interfaces. |
routefilter | Invokes the kernel's route filtering facility on this interface. The kernel rejects any packet arriving on this interface whose source address would be routed outbound through another interface of the firewall. Warning: if you specify this option for an interface, that interface must be up before the firewall is started. |
dropunclean | Packets from this interface that are selected by the 'unclean' match target in iptables will be optionally logged and then dropped. |
logunclean | This option works like dropunclean with the exception that packets selected by the 'unclean' match target in iptables are logged but not dropped. |
proxyarp | (Added in version 1.3.5) This option causes Shorewall to set /proc/sys/net/ipv4/conf/(interface)/proxy_arp and is used when implementing Proxy ARP Sub-netting as described at http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet/. Do not set this option if you are implementing Proxy ARP through entries in /etc/shorewall/proxyarp. |
maclist | (Added in version 1.3.10) If this option is specified, all connection requests arriving on this interface are subject to MAC verification. May only be specified for Ethernet interfaces. |
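Three of the options above (arp_filter, routefilter, proxyarp) work by flipping a per-interface kernel knob under /proc/sys/net/ipv4/conf/(interface)/. After starting the firewall it is worth confirming that the knob really is set, especially for routefilter, whose warning about the interface needing to be up is exactly the case where the setting silently fails. The following script is an added example and not code from this page, Webmin or Shorewall: it reads the knob files the table names (arp_filter, rp_filter for routefilter, proxy_arp for proxyarp) and reports each as ok, unset or missing. The directory is a parameter so it can be pointed at a copy or a constructed fixture; the value "1" it expects for rp_filter is the strict reverse-path mode the routefilter description implies, and that assumption, along with the helper names, is mine.

```python
"""Audit the kernel knobs behind arp_filter, routefilter and proxyarp.

Added example; not part of the original page, Webmin or Shorewall.
"""
import os

# Interface option -> kernel knob file it is supposed to turn on (assumed
# mapping, based on the option descriptions above).
KNOB_FOR_OPTION = {
    "arp_filter": "arp_filter",
    "routefilter": "rp_filter",
    "proxyarp": "proxy_arp",
}


def read_knob(confdir, knob):
    """Return the knob value as a string, or None if the file is absent
    (typically because the interface is down, so its conf/ directory
    does not exist yet)."""
    try:
        with open(os.path.join(confdir, knob)) as f:
            return f.read().strip()
    except OSError:
        return None


def audit_values(options, values):
    """Pure comparison: 'values' maps knob name -> string value or None.

    Returns {knob: "ok" | "unset" | "missing"} for every option that maps to
    a knob; options without a kernel knob (tcpflags, maclist, ...) are ignored.
    """
    result = {}
    for opt in options:
        knob = KNOB_FOR_OPTION.get(opt)
        if knob is None:
            continue
        value = values.get(knob)
        if value is None:
            result[knob] = "missing"
        elif value == "1":          # assumption: "1" is the on/strict value
            result[knob] = "ok"
        else:
            result[knob] = "unset"
    return result


def audit(options, confdir):
    """Read the knobs for one interface directory and compare them."""
    needed = {KNOB_FOR_OPTION[o] for o in options if o in KNOB_FOR_OPTION}
    return audit_values(options, {k: read_knob(confdir, k) for k in needed})


def audit_interface(iface, options, sysroot="/proc/sys/net/ipv4/conf"):
    """Audit a live interface, e.g. audit_interface("eth0", ["routefilter"])."""
    return audit(options, os.path.join(sysroot, iface))


if __name__ == "__main__":
    import sys
    # Usage: python audit_knobs.py eth0 routefilter arp_filter
    iface, opts = sys.argv[1], sys.argv[2:]
    for knob, state in sorted(audit_interface(iface, opts).items()):
        print(f"{iface}: {knob} {state}")
```

A result of "missing" for rp_filter on an interface that was given routefilter is the symptom described in the warning: the interface came up after the firewall was started, so the knob was never written.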
Recommendations concerning options:
External Interface -- tcpflags,blacklist,norfc1918,routefilter
Wireless Interface -- maclist,routefilter,tcpflags
Don't use dropunclean -- it's broken in my opinion
Use logunclean only when you are trying to debug a problem
Use dhcp and proxyarp when needed
Example: continuing the web server farm example, we now declare that the zone "www" is the sub-network connected to interface "eth3".
Zone: | www |
Interface: | eth3 |
Broadcast: | detect |
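The form fields above map onto one line of /etc/shorewall/interfaces (ZONE, INTERFACE, BROADCAST, OPTIONS). The script below is an added example, not code from this page, Webmin or Shorewall: it renders such a line from the form values and checks the constraints stated in the option table (routeback needs a real zone, maclist is Ethernet-only, point-to-point interfaces take no broadcast and need "-" when they carry options, dropunclean/logunclean are alternatives), then reports which of the page's recommended options an external or wireless interface is missing. The "external"/"wireless" role labels, the regular expressions deciding which names are Ethernet or point-to-point, and the helper names are my assumptions; the www/eth3 entry is the page's own example.

```python
"""Render and sanity-check /etc/shorewall/interfaces entries.

Added example; not part of the original page, Webmin or Shorewall.
"""
import re

KNOWN_OPTIONS = {
    "arp_filter", "newnotsyn", "routeback", "tcpflags", "blacklist", "dhcp",
    "norfc1918", "routefilter", "dropunclean", "logunclean", "proxyarp", "maclist",
}

# Recommended option sets from the page; the role labels are ours.
RECOMMENDED = {
    "external": {"tcpflags", "blacklist", "norfc1918", "routefilter"},
    "wireless": {"maclist", "routefilter", "tcpflags"},
}

PTP_RE = re.compile(r"^(ppp|ippp)\d+$")        # point-to-point names (page)
ETHER_RE = re.compile(r"^(eth|wlan)\d+$")      # assumption: Ethernet-like names


def validate(zone, iface, broadcast, options):
    """Return a list of problems for one entry; an empty list means OK."""
    problems = []
    opts = set(options)
    unknown = opts - KNOWN_OPTIONS
    if unknown:
        problems.append("unknown option(s): " + ", ".join(sorted(unknown)))
    if "routeback" in opts and zone == "-":
        problems.append("routeback requires a real zone; the ZONE column may not be '-'")
    if "maclist" in opts and not ETHER_RE.match(iface):
        problems.append("maclist may only be specified for Ethernet interfaces")
    if PTP_RE.match(iface):
        if broadcast not in ("", "-"):
            problems.append("point-to-point interface: leave the broadcast empty")
        if opts and broadcast != "-":
            problems.append("point-to-point interface with options needs '-' as broadcast")
    if {"dropunclean", "logunclean"} <= opts:
        problems.append("dropunclean and logunclean are alternatives; choose one")
    return problems


def missing_recommended(role, options):
    """Recommended options for the given role that this entry lacks."""
    return sorted(RECOMMENDED.get(role, set()) - set(options))


def render(zone, iface, broadcast, options):
    """Emit the whitespace-separated interfaces line.

    The BROADCAST column must hold '-' when it is empty but OPTIONS follow;
    with no options an empty broadcast is simply omitted.
    """
    fields = [zone, iface]
    if options:
        fields += [broadcast or "-", ",".join(options)]
    elif broadcast:
        fields.append(broadcast)
    return " ".join(fields)


if __name__ == "__main__":
    # Constructed form input: the page's www/eth3 entry plus two deliberately
    # faulty ones, to show what the checks catch.
    entries = [
        ("www", "eth3", "detect", [], None),
        ("net", "eth0", "detect", ["tcpflags", "norfc1918"], "external"),
        ("-", "ppp0", "detect", ["routeback", "maclist"], None),
    ]
    for zone, iface, bcast, opts, role in entries:
        print(render(zone, iface, bcast, opts))
        for p in validate(zone, iface, bcast, opts):
            print("  problem:", p)
        if role:
            print("  missing recommended:", missing_recommended(role, opts))
```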