Chapter 11 – Configuring The Firewall
This menu allows you to add, delete and configure network interfaces. Add a new
interface by selecting the “Add a new network interface” link or by clicking on the
add-above or add-below images in the Add field. Reorder the interfaces by clicking
on the arrows under the Move field.
Clicking on a link under the Interface field will allow you to edit or delete the
interface. Note that if you delete an interface you should remove any rules that
reference it.
You may also make changes by manually editing the interfaces file.
Note: If you use a WAN interface in the firewall, the interface will be referred to by its
name. Some WAN changes (such as changing the number of channels used by a T1/E1
logical interface) will change the name. Ensure that the entries in this menu reflect the
correct interface names.
Figure 93: Editing a Firewall Network Interfaces
The dhcp option should be selected if the interface is assigned an IP address via DHCP or
is used by a DHCP server running on the firewall. The firewall will be configured to
allow DHCP traffic to and from the interface even when the firewall is stopped. You
may also wish to use this option if you have a static IP but you are on a LAN segment
that has a lot of laptops that use DHCP and you select the norfc1918 option (see
below).
The arp_filter option causes this interface to only answer ARP “who-has” requests
from hosts that are routed out of that interface. Setting this option facilitates testing
of your firewall where multiple firewall interfaces are connected to the same
hub/switch (all interfaces connected to the single hub/switch should have this
option specified). Note that using such a configuration in production is strongly
discouraged.
The routeback option causes Shorewall to set up handling for routing packets that
arrive on this interface back out the same interface.
The tcpflags option causes Shorewall to make sanity checks on the header flags in
TCP packets arriving on this interface. Checks include Null flags, SYN+FIN, SYN
+RST and FIN+URG+PSH; these flag combinations are typically used for “silent”
port scans. Packets failing these checks are logged according to the
TCP_FLAGS_LOG_LEVEL option in /etc/shorewall/shorewall.conf and are disposed
of according to the TCP_FLAGS_DISPOSITION option.
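The following is an added example, not RuggedCom or Shorewall code, showing what the tcpflags sanity checks described above amount to at the packet level: it extracts the flag bits from a raw TCP header and rejects the four combinations the manual names (Null, SYN+FIN, SYN+RST, FIN+URG+PSH), logging each failure with a disposition in the spirit of TCP_FLAGS_LOG_LEVEL and TCP_FLAGS_DISPOSITION. The header builder, the interface names and the log-line format are constructed for the example and are not the firewall's own.

```python
"""Sanity-check TCP header flags as the tcpflags interface option describes.
Added example (not RuggedCom/Shorewall code); packet data is constructed."""
import struct

# TCP flag bits as they appear in byte 13 of the TCP header
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
ALL_FLAGS = FIN | SYN | RST | PSH | ACK | URG

# Invalid combinations named in the manual, checked in this order
INVALID_COMBINATIONS = [
    ("syn+fin", SYN | FIN),
    ("syn+rst", SYN | RST),
    ("fin+urg+psh", FIN | URG | PSH),
]


def check_tcp_flags(flags):
    """Return the name of the failed check, or None if the flags look sane."""
    masked = flags & ALL_FLAGS
    if masked == 0:
        return "null"          # no flags at all: "Null" scan
    for name, combo in INVALID_COMBINATIONS:
        if (masked & combo) == combo:
            return name
    return None


def tcp_flags_from_header(tcp_header):
    """Extract the flag bits from a raw TCP header (low 6 bits of byte 13)."""
    if len(tcp_header) < 20:
        raise ValueError("TCP header too short")
    return tcp_header[13] & ALL_FLAGS


def build_tcp_header(sport, dport, flags):
    """Construct a minimal 20-byte TCP header with no options (test data only)."""
    data_offset = 5 << 4   # header length in 32-bit words, upper nibble
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0,
                       data_offset, flags, 65535, 0, 0)


def filter_packets(packets, log_level="info", disposition="DROP"):
    """Apply the checks to (interface, tcp_header) pairs.

    Returns a list of (verdict, log_line) tuples. log_level and disposition
    stand in for TCP_FLAGS_LOG_LEVEL and TCP_FLAGS_DISPOSITION; the log-line
    format is an assumption made for this example.
    """
    results = []
    for iface, header in packets:
        flags = tcp_flags_from_header(header)
        failed = check_tcp_flags(flags)
        if failed is None:
            results.append(("ACCEPT", None))
            continue
        line = "%s: tcpflags %s on %s flags=0x%02x" % (
            log_level, failed, iface, flags)
        results.append((disposition, line))
    return results


# Constructed sample traffic on a hypothetical interface "eth1"
SAMPLE_PACKETS = [
    ("eth1", build_tcp_header(40000, 80, SYN)),             # normal connect
    ("eth1", build_tcp_header(40001, 80, SYN | FIN)),       # SYN+FIN
    ("eth1", build_tcp_header(40002, 80, 0)),               # Null scan
    ("eth1", build_tcp_header(40003, 80, FIN | URG | PSH)), # Xmas-style
    ("eth1", build_tcp_header(40004, 80, ACK | PSH)),       # normal data
]

if __name__ == "__main__":
    for verdict, line in filter_packets(SAMPLE_PACKETS):
        print(verdict, line or "")
```

The checks operate on the flag bits only, so a packet carrying ACK alongside SYN+FIN still fails the SYN+FIN check; that matches the purpose of the option, which is to reject combinations no legitimate TCP stack emits rather than to validate connection state.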
RuggedCom 115