shorewall-arprules (5) - Linux Manuals
shorewall-arprules: Shorewall ARP rules file
NAME
arprules - Shorewall ARP rules file
SYNOPSIS
- /etc/shorewall/arprules
DESCRIPTION
The columns in the file are as shown below. MAC addresses are specified normally (6 hexadecimal numbers separated by colons).
ACTION
-
Describes the action to take when a frame matches the criteria in the other columns. Possible values are:
ACCEPT
- This is the default action if no rules matches a frame; it lets the frame go through.
DROP
- Causes the frame to be dropped.
SNAT:ip-address
- Modifies the source IP address to the specified ip-address.
DNAT:ip-address
- Modifies the destination IP address to the specified ip-address.
SMAT:mac-address
- Modifies the source MAC address to the specified mac-address.
DMAT:mac-address
- Modifies the destination MAC address to the specified mac-address.
SNATC:ip-address
- Like SNAT except that the frame is then passed to the next rule.
DNATC:ip-address
- Like DNAT except that the frame is then passed to the next rule.
SMATC:mac-address
- Like SMAT except that the frame is then passed to the next rule.
DMATC:mac-address
- Like DMAT except that the frame is then passed to the next rule.
SOURCE - [interface[:[!]ipaddress[/ipmask][:[!]macaddress[/macmask]]]]
-
Where
interface
- Is an interface defined in shorewall-interfaces(5).
ipaddress
- is an IPv4 address. DNS names are not allowed.
ipmask
- specifies a mask to be applied to ipaddress.
macaddress
- The source MAC address.
macmask
- Mask for MAC address; must be specified as 6 hexadecimal numbers separated by colons.
When '!' is specified, the test is inverted.
If not specified, matches only frames originating on the firewall itself.
-
Caution
Either SOURCE or DEST must be specified.
DEST - [interface[:[!]ipaddress[/ipmask][:[!]macaddress[/macmask]]]]
-
Where
interface
- Is an interface defined in shorewall-interfaces(5).
ipaddress
- is an IPv4 address. DNS Names are not allowed.
ipmask
- specifies a mask to be applied to frame addresses.
macaddress
- The destination MAC address.
macmask
- Mask for MAC address; must be specified as 6 hexadecimal numbers separated by colons.
When '!' is specified, the test is inverted and the rule matches frames which do not match the specified address/mask.
If not specified, matches only frames originating on the firewall itself.
If both SOURCE and DEST are specified, then both interfaces must be bridge ports on the same bridge.
-
Caution
Either SOURCE or DEST must be specified.
OPCODE - [[!]opcode]
-
Optional. Describes the type of frame. Possible
opcode
values are:
1
- ARP Request
2
- ARP Reply
3
- RARP Request
4
- RARP Reply
5
- Dynamic RARP Request
6
- Dynamic RARP Reply
7
- Dynamic RARP Error
8
- InARP Request
9
- ARP NAK
When '!' is specified, the test is inverted and the rule matches frames which do not match the specified opcode.
EXAMPLE
The eth1 interface has both a public IP address and a private address (10.1.10.11/24). When sending ARP requests to 10.1.10.0/24, use the private address as the IP source:
-
#ACTION SOURCE DEST ARP OPCODE SNAT:10.1.10.11 - eth1:10.1.10.0/24 1
FILES
/etc/shorewall/arprules