RuggedCom RuggedRouter RX1100 User Manual


14. Configuring The Firewall

Revision 1.14.3


RX1000/RX1100™

The arp_filter option causes this interface to answer ARP "who-has" requests only from hosts that are
routed out of that interface. Setting this option facilitates testing of your firewall where multiple firewall
interfaces are connected to the same hub/switch (all interfaces connected to the single hub/switch
should have this option specified). Note that using such a configuration is strongly discouraged.

The routeback option causes Shorewall to set up handling for routing packets that arrive on this
interface back out the same interface.

The tcpflags option causes Shorewall to make sanity checks on the header flags in TCP packets
arriving on this interface. Checks include Null flags, SYN+FIN, SYN+RST and FIN+URG+PSH; these
flag combinations are typically used for "silent" port scans. Packets failing these checks are logged
according to the TCP_FLAGS_LOG_LEVEL option in /etc/shorewall/shorewall.conf and are disposed
of according to the TCP_FLAGS_DISPOSITION option.

The norfc1918 option causes packets arriving on this interface that have a source or destination
address reserved by RFC 1918 to be dropped after being optionally logged.

The nobogons option causes packets arriving on this interface that have a source address reserved
by the IANA or by other RFCs (other than 1918) to be dropped after being optionally logged.

The routefilter option invokes the Kernel's route filtering (anti-spoofing) facility on this interface. The
kernel will reject any packets incoming on this interface that have a source address that would be
routed outbound through another interface on the firewall.

Note

The routefilter option should not be enabled on interfaces that are part of a multipath routing
configuration.

The proxyarp option causes Shorewall to set up proxy ARP for the interface. Do not set this option if
implementing Proxy ARP through entries in /etc/shorewall/proxyarp.

The maclist option causes all connection requests received on this interface to be subject to MAC
address verification. This option may only be specified for Ethernet interfaces.

The nosmurfs option causes incoming connection requests to be checked to ensure that they do not
have a broadcast or multicast address as their source. Any such packets will be dropped after being
optionally logged according to the setting of SMURF_LOG_LEVEL in /etc/shorewall/shorewall.conf.

The logmartians option causes the martian logging facility to be enabled on this interface. See also
the LOG_MARTIANS option in /etc/shorewall/shorewall.conf.
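The tcpflags, norfc1918 and nosmurfs checks described above, modelled as a small packet classifier. This is an added illustration, not Shorewall's own code or the RX1100 firmware: it assumes a packet is a dict with src, dst, proto and flags keys, uses constructed sample traffic on documentation (TEST-NET) addresses, and omits logging and the nobogons/routefilter checks, so the real iptables rules Shorewall generates differ in detail.

```python
"""Model of the Shorewall tcpflags, norfc1918 and nosmurfs interface checks.
Added illustration, not Shorewall's own code; packet records are constructed inline."""
import ipaddress

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20   # TCP header flag bits
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LIMITED_BCAST = ipaddress.ip_address("255.255.255.255")


def tcpflags_check(flags):
    """Return the name of the failed check for the combinations the text lists, else None."""
    if flags & 0x3F == 0:                      # Null scan: no flags set at all
        return "NULL"
    for name, combo in (("SYN+FIN", SYN | FIN), ("SYN+RST", SYN | RST),
                        ("FIN+URG+PSH", FIN | URG | PSH)):
        if flags & combo == combo:             # every bit of the combination is present
            return name
    return None


def inspect(packet, options, iface_net):
    """Apply the enabled options to one packet dict {"src","dst","proto","flags"};
    iface_net is the interface's ipaddress network (supplies its broadcast address)."""
    src, dst = ipaddress.ip_address(packet["src"]), ipaddress.ip_address(packet["dst"])
    if "nosmurfs" in options and (src.is_multicast or src == LIMITED_BCAST
                                  or src == iface_net.broadcast_address):
        return ("DROP", "nosmurfs: broadcast/multicast source")
    if "norfc1918" in options and any(a in n for a in (src, dst) for n in RFC1918):
        return ("DROP", "norfc1918: RFC 1918 address")
    if "tcpflags" in options and packet["proto"] == "tcp":
        failed = tcpflags_check(packet["flags"])
        if failed:
            return ("DROP", "tcpflags: " + failed)
    return ("ACCEPT", None)


# Constructed sample traffic arriving on an external interface numbered from TEST-NET-2
IFACE_NET = ipaddress.ip_network("198.51.100.0/24")
OPTIONS = {"tcpflags", "norfc1918", "nosmurfs"}
SAMPLE = [
    {"src": "203.0.113.7", "dst": "198.51.100.1", "proto": "tcp", "flags": SYN},
    {"src": "203.0.113.7", "dst": "198.51.100.1", "proto": "tcp", "flags": 0},
    {"src": "203.0.113.7", "dst": "198.51.100.1", "proto": "tcp", "flags": SYN | FIN},
    {"src": "203.0.113.7", "dst": "198.51.100.1", "proto": "tcp", "flags": FIN | URG | PSH},
    {"src": "10.1.2.3", "dst": "198.51.100.1", "proto": "udp", "flags": 0},
    {"src": "198.51.100.255", "dst": "198.51.100.1", "proto": "tcp", "flags": SYN},
]


def run(sample=SAMPLE):
    """Evaluate every sample packet; returns the list of (verdict, reason) pairs."""
    return [inspect(p, OPTIONS, IFACE_NET) for p in sample]
```

Calling run() yields one verdict per sample packet: the plain SYN is accepted, the Null, SYN+FIN and FIN+URG+PSH packets fail tcpflags, the 10.0.0.0/8 source fails norfc1918, and the directed-broadcast source fails nosmurfs.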
