SHOREWALL-ARPRULES(5) [FIXME: manual] SHOREWALL-ARPRULES(5)NAME
arprules - Shorewall ARP rules file
SYNOPSIS
/etc/shorewall/arprules
DESCRIPTION
This file was added in Shorewall 4.5.12 and is used to describe
low-level rules managed by arptables (8). These rules only affect
Address Resolution Protocol (ARP), Reverse Address Resolution Protocol
(RARP) and Dynamic Reverse Address Resolution Protocol (DRARP) frames.
The columns in the file are as shown below. MAC addresses are specified
normally (6 hexadecimal numbers separated by colons).
ACTION
Describes the action to take when a frame matches the criteria in
the other columns. Possible values are:
ACCEPT
This is the default action if no rules matches a frame; it lets
the frame go through.
DROP
Causes the frame to be dropped.
SNAT:ip-address
Modifies the source IP address to the specified ip-address.
DNAT:ip-address
Modifies the destination IP address to the specified
ip-address.
SMAT:mac-address
Modifies the source MAC address to the specified mac-address.
DMAT:mac-address
Modifies the destination MAC address to the specified
mac-address.
SNATC:ip-address
Like SNAT except that the frame is then passed to the next
rule.
DNATC:ip-address
Like DNAT except that the frame is then passed to the next
rule.
SMATC:mac-address
Like SMAT except that the frame is then passed to the next
rule.
DMATC:mac-address
Like DMAT except that the frame is then passed to the next
rule.
SOURCE - [interface[:[!]ipaddress[/ipmask][:[!]macaddress[/macmask]]]]
Where
interface
Is an interface defined in shorewall-interfaces(5).
ipaddress
is an IPv4 address. DNS names are not allowed.
ipmask
specifies a mask to be applied to ipaddress.
macaddress
The source MAC address.
macmask
Mask for MAC address; must be specified as 6 hexadecimal
numbers separated by colons.
When '!' is specified, the test is inverted.
If not specified, matches only frames originating on the firewall
itself.
Caution
Either SOURCE or DEST must be specified.
DEST - [interface[:[!]ipaddress[/ipmask][:[!]macaddress[/macmask]]]]
Where
interface
Is an interface defined in shorewall-interfaces(5).
ipaddress
is an IPv4 address. DNS Names are not allowed.
ipmask
specifies a mask to be applied to frame addresses.
macaddress
The destination MAC address.
macmask
Mask for MAC address; must be specified as 6 hexadecimal
numbers separated by colons.
When '!' is specified, the test is inverted and the rule matches
frames which do not match the specified address/mask.
If not specified, matches only frames originating on the firewall
itself.
If both SOURCE and DEST are specified, then both interfaces must be
bridge ports on the same bridge.
Caution
Either SOURCE or DEST must be specified.
ARP OPCODE - [[!]opcode]
Optional. Describes the type of frame. Possible opcode values are:
1
ARP Request
2
ARP Reply
3
RARP Request
4
RARP Reply
5
Dynamic RARP Request
6
Dynamic RARP Reply
7
Dynamic RARP Error
8
InARP Request
9
ARP NAK
When '!' is specified, the test is inverted and the rule matches
frames which do not match the specified opcode.
EXAMPLE
The eth1 interface has both a public IP address and a private address
(10.1.10.11/24). When sending ARP requests to 10.1.10.0/24, use the
private address as the IP source:
#ACTION SOURCE DEST ARP OPCODE
SNAT:10.1.10.11 - eth1:10.1.10.0/24 1
FILES
/etc/shorewall/arprules
[FIXME: source] 12/19/2013 SHOREWALL-ARPRULES(5)