Help

Associating Zones to Interfaces

Every Ethernet interface the firewall is to handle must be associated with at least one zone. Associating several zones with a single interface is done through "host" zones. This form also lets you configure the options associated with the interface in detail.

Interface ID: This ID number is used wherever the interface must be uniquely identified. It is recommended not to modify the proposed default value.
Zone: Choose the zone you want to associate with the interface in the pull-down list. The special zone "-" means that several "host" zones will be associated with that interface.
Interface: Choose the interface you want to configure in the pull-down list. If the desired interface is not shown, you need to declare it first in the "System setup" section.
Broadcast: The broadcast address of the sub-network attached to the interface. This should be left empty for P-T-P interfaces (ppp*, ippp*); if you need to specify options for such an interface, enter "-" in this column. If you supply the special value "detect" in this column, the firewall will determine the broadcast address automatically.
options: Nine checkable options that tune the interface behavior. See the table below.

Below are details about each of the options available for interfaces. Review them all carefully for each interface: for some particular interfaces, some options are highly recommended.

dhcp: The interface is assigned an IP address via DHCP, or is used by a DHCP server running on the firewall. The firewall will be configured to allow DHCP traffic to and from the interface even when the firewall is stopped.
noping: ICMP echo-request (ping) packets will be ignored on this interface.
routestopped: When the firewall is stopped, traffic to and from this interface will be accepted and routing will occur between this interface and other routestopped interfaces.
norfc1918: Packets arriving on this interface with a source or destination address reserved by RFC 1918 (private network addresses) will be logged and dropped. This option is generally used for Internet interfaces.
routefilter: Invoke the kernel's route filtering facility on this interface. The kernel will reject any packet incoming on this interface whose source address would be routed outbound through another interface of the firewall. Warning: if you specify this option for an interface, then the interface must be up prior to starting the firewall.
multi: The interface has multiple addresses and you want to be able to route between them. Example: you have two addresses on your single local interface eth1, one in each of the subnets 192.168.1.0/24 and 192.168.2.0/24, and you want to route between these subnets. Because you only have one interface in the local zone, Shorewall won't normally create a rule to forward packets from eth1 to eth1. Adding "multi" to the entry for eth1 causes Shorewall to create the loc2loc chain and the appropriate forwarding rule. It is recommended to choose this option for the ppp interfaces.
dropunclean: Packets from this interface that are selected by the 'unclean' match target in iptables will be optionally logged and then dropped.
logunclean: This option works like dropunclean, except that packets selected by the 'unclean' match target in iptables are logged but not dropped.
blacklist: This option causes incoming packets on this interface to be checked against the blacklist. See the "blacklist" sub-section.

Example: continuing the web server farm example, we now state that the zone "www" is assigned the sub-network connected to interface "eth3".

Zone: www
Interface: eth3
Broadcast: detect
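The rules stated above (P-T-P interfaces carry no broadcast address and use "-" as a placeholder when options follow, "multi" is recommended on ppp interfaces, and only the nine documented options are valid) can be checked mechanically before the configuration is applied. The following validator is an added example, not code from this help page or from Shorewall itself; it assumes the classic four-column interfaces file layout (ZONE INTERFACE BROADCAST OPTIONS), and the sample file it checks is constructed here, extending the "www"/"eth3" example with a few invented entries including one deliberately faulty ppp line.

```shell
#!/bin/sh
# Added example (not from the original help page or from Shorewall):
# validate entries of an interfaces file with columns
# ZONE INTERFACE BROADCAST OPTIONS against the rules in the help text.

# The nine options documented above.
KNOWN_OPTS="dhcp noping routestopped norfc1918 routefilter multi dropunclean logunclean blacklist"

# is_known_option NAME -> exit 0 when NAME is one of the documented options.
# Uses a padded pattern match so it works whatever IFS the caller has set.
is_known_option() {
    case " $KNOWN_OPTS " in
        *" $1 "*) return 0 ;;
    esac
    return 1
}

# validate_entry ZONE INTERFACE [BROADCAST] [OPTIONS]
# Prints one diagnostic per problem and nothing for a clean entry.
# Always returns 0 so callers count diagnostics rather than exit codes.
validate_entry() {
    zone=$1 iface=$2 bcast=${3:-} opts=${4:-}
    case "$iface" in
        ppp*|ippp*)
            # P-T-P interfaces have no broadcast address: the column must be
            # empty or the "-" placeholder that is needed when options follow.
            if [ -n "$bcast" ] && [ "$bcast" != "-" ]; then
                echo "ERROR $zone/$iface: P-T-P interface must not have a broadcast address (got $bcast)"
            fi
            # The help text recommends "multi" on ppp interfaces.
            case ",$opts," in
                *,multi,*) ;;
                *) echo "WARN $zone/$iface: option multi is recommended for ppp interfaces" ;;
            esac
            ;;
    esac
    # Every option must be one of the nine documented names.
    old_ifs=$IFS; IFS=,
    for o in $opts; do
        is_known_option "$o" || echo "ERROR $zone/$iface: unknown option '$o'"
    done
    IFS=$old_ifs
    return 0
}

# validate_text TEXT
# Feeds each non-blank, non-comment line of TEXT through validate_entry.
validate_text() {
    printf '%s\n' "$1" | while read -r line; do
        case "$line" in ''|\#*) continue ;; esac
        # Word splitting on whitespace is the column parser here.
        set -- $line
        if [ $# -lt 2 ]; then
            echo "ERROR line '$line': need at least ZONE and INTERFACE"
            continue
        fi
        validate_entry "$@"
    done
    return 0
}

# problem_count TEXT -> number of diagnostic lines produced for TEXT.
problem_count() {
    validate_text "$1" | grep -c '' || true
}

# Constructed sample file: the page's "www"/"eth3" entry plus invented
# net/loc/ppp entries; the last line is deliberately faulty.
SAMPLE='# ZONE  INTERFACE  BROADCAST   OPTIONS
net     eth0       detect      norfc1918,routefilter,blacklist
loc     eth1       detect      dhcp
www     eth3       detect
-       ppp0       -           multi
dmz     ppp1       10.0.0.255  nopping'

# Stand-alone run: print the diagnostics for the sample (three lines,
# all about the ppp1 entry).
validate_text "$SAMPLE"
```

Feed the real interfaces file through validate_text before restarting the firewall; an ERROR line means the entry contradicts one of the rules above, a WARN line only flags a recommendation you may choose to ignore.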