Name

arprules — Shorewall ARP rules file

Synopsis

/etc/shorewall/arprules

Description

This file was added in Shorewall 4.5.12 and is used to describe low-level rules managed by arptables (8). These rules only affect Address Resolution Protocol (ARP), Reverse Address Resolution Protocol (RARP) and Dynamic Reverse Address Resolution Protocol (DRARP) frames.

The columns in the file are as shown below. MAC addresses are specified normally (6 hexadecimal numbers separated by colons).

ACTION

Describes the action to take when a frame matches the criteria in the other columns. Possible values are:

ACCEPT

This is the default action if no rules matches a frame; it lets the frame go through.

DROP

Causes the frame to be dropped.

SNAT:ip-address

Modifies the source IP address to the specified ip-address.

DNAT:ip-address

Modifies the destination IP address to the specified ip-address.

SMAT:mac-address

Modifies the source MAC address to the specified mac-address.

DMAT:mac-address

Modifies the destination MAC address to the specified mac-address.

SNATC:ip-address

Like SNAT except that the frame is then passed to the next rule.

DNATC:ip-address

Like DNAT except that the frame is then passed to the next rule.

SMATC:mac-address

Like SMAT except that the frame is then passed to the next rule.

DMATC:mac-address

Like DMAT except that the frame is then passed to the next rule.

SOURCE - [interface[:[!]ipaddress[/ipmask][:[!]macaddress[/macmask]]]]

Where

interface

Is an interface defined in shorewall-interfaces(5).

ipaddress

is an IPv4 address. DNS names are not allowed.

ipmask

specifies a mask to be applied to ipaddress.

macaddress

The source MAC address.

macmask

Mask for MAC address; must be specified as 6 hexadecimal numbers separated by colons.

When '!' is specified, the test is inverted.

If not specified, matches only frames originating on the firewall itself.

Caution

Either SOURCE or DEST must be specified.

DEST - [interface[:[!]ipaddress[/ipmask][:[!]macaddress[/macmask]]]]

Where

interface

Is an interface defined in shorewall-interfaces(5).

ipaddress

is an IPv4 address. DNS Names are not allowed.

ipmask

specifies a mask to be applied to frame addresses.

macaddress

The destination MAC address.

macmask

Mask for MAC address; must be specified as 6 hexadecimal numbers separated by colons.

When '!' is specified, the test is inverted and the rule matches frames which do not match the specified address/mask.

If not specified, matches only frames originating on the firewall itself.

If both SOURCE and DEST are specified, then both interfaces must be bridge ports on the same bridge.

Caution

Either SOURCE or DEST must be specified.

ARP OPCODE - [[!]opcode]

Optional. Describes the type of frame. Possible opcode values are:

1

ARP Request

2

ARP Reply

3

RARP Request

4

RARP Reply

5

Dynamic RARP Request

6

Dynamic RARP Reply

7

Dynamic RARP Error

8

InARP Request

9

ARP NAK

When '!' is specified, the test is inverted and the rule matches frames which do not match the specified opcode.

Example

The eth1 interface has both a public IP address and a private address (10.1.10.11/24). When sending ARP requests to 10.1.10.0/24, use the private address as the IP source:

#ACTION                SOURCE                  DEST                ARP OPCODE
SNAT:10.1.10.11        -                       eth1:10.1.10.0/24   1

FILES

/etc/shorewall/arprules

Documentation

Frequently Used Articles

- FAQs - IPv4 Manpages - IPv6 Manpages - Configuration File Basics - Beginner Documentation - Troubleshooting

Shorewall 4.0/4.2 Documentation

Current HOWTOs and Other Articles

- 6to4 and 6in4 Tunnels - Accounting - Actions - Aliased (virtual) Interfaces (e.g., eth0:0) - Anatomy of Shorewall - Anti-Spoofing Measures - AUDIT Target support - Bandwidth Control - Blacklisting/Whitelisting - Bridge/Firewall - Building Shorewall from GIT - Commands - Compiled Programs - Configuration File Basics - DHCP - DNAT - Dynamic Zones - ECN Disabling by host or subnet - Events - Extension Scripts - Fallback/Uninstall - FAQs - Features - Fool's Firewall - Forwarding Traffic on the Same Interface - FTP and Shorewall - Helpers/Helper Modules - Installation/Upgrade - IPP2P - IPSEC - Ipsets - IPv6 Support - ISO 3661 Country Codes - Kazaa Filtering - Kernel Configuration - KVM (Kernel-mode Virtual Machine) - Limiting Connection Rates - Linux Containers (LXC) - Linux-vserver - Logging - Macros - MAC Verification - Manpages (IPv4) (IPv6) - Manual Chains - Masquerading - Multiple Internet Connections from a Single Firewall - Multiple Zones Through One Interface - My Shorewall Configuration - Netfilter Overview - Network Mapping - No firewalling of traffic between bridge port - One-to-one NAT - Operating Shorewall - OpenVPN - OpenVZ - Packet Marking - Packet Processing in a Shorewall-based Firewall - 'Ping' Management - Port Forwarding - Port Information - Port Knocking (deprecated) - Port Knocking, Auto Blacklisting and Other Uses of the 'Recent Match' - PPTP - Proxy ARP - QuickStart Guides - Release Model - Requirements - Routing and Shorewall - Routing on One Interface - Samba - Shorewall Events - Shorewall Init - Shorewall Lite - Shorewall on a Laptop - Shorewall Perl - Shorewall Setup Guide - SMB - SNAT - Split DNS the Easy Way - Squid with Shorewall - Starting/stopping the Firewall - Static (one-to-one) NAT - Support - Tips and Hints - Traffic Shaping/QOS - Simple - Traffic Shaping/QOS - Complex - Transparent Proxy - UPnP - Upgrade Issues - Upgrading to Shorewall 4.4 (Upgrading Debian Lenny to Squeeze) - VPN - VPN Passthrough - White List Creation - Xen - Shorewall in a Bridged Xen DomU - Xen - Shorewall in Routed Xen Dom0

Top of Page