interfaces
# vi /etc/shorewall/interfaces
#[proxy]
#ZONE INTERFACE OPTIONS
net eth0 dhcp,tcpflags,nosmurfs,routefilter,logmartians
loc eth1 tcpflags,nosmurfs,routefilter,logmartians
-----------------------------------------------------------------------------------
Or, for a host that is only a mail server:
# [mail]
#ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect dhcp,tcpflags,routefilter,nosmurfs,logmartians
loc eth1 detect tcpflags,nosmurfs
----------------------------------------------------------------------
# [BlackList]
#ZONE INTERFACE BROADCAST OPTIONS
net eth2 detect routefilter,blacklist,tcpflags,nosmurfs
loc eth1 detect dhcp,blacklist,tcpflags,nosmurfs
----------------------------------------------------------------------------------------------------------------------------
Example
http://shorewall.net/manpages/shorewall-interfaces.html
Example 1:
Suppose you have eth0 connected to a DSL modem and eth1 connected to your local network and that your local subnet is 192.168.1.0/24. The interface gets its IP address via DHCP from subnet 206.191.149.192/27. You have a DMZ with subnet 192.168.2.0/24 using eth2. Your iptables and/or kernel do not support "Address Type Match" and you prefer to specify broadcast addresses explicitly rather than having Shorewall detect them.
Your entries for this setup would look like:
FORMAT 1
#ZONE   INTERFACE   BROADCAST         OPTIONS
net     eth0        206.191.149.223   dhcp
loc     eth1        192.168.1.255
dmz     eth2        192.168.2.255
Example 2:
The same configuration without specifying broadcast addresses is:
FORMAT 2
#ZONE   INTERFACE   OPTIONS
net     eth0        dhcp
loc     eth1
dmz     eth2
Example 3:
You have a simple dial-in system with no Ethernet connections.
FORMAT 2
#ZONE   INTERFACE   OPTIONS
net     ppp0        -
Example 4 (Shorewall 4.4.9 and later):
You have a bridge with no IP address and you want to allow traffic through the bridge.
FORMAT 2
#ZONE   INTERFACE   OPTIONS
-       br0         bridge
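Added example (not part of the original notes or of Shorewall itself): a small Python check that parses an interfaces file in either format and reports which of the hardening options used in the [proxy] block above (tcpflags, nosmurfs, routefilter, logmartians) each interface lacks. The function names, the default_format parameter and the sample input are assumptions made for this example.

```python
# Added example: parse a Shorewall interfaces file and list missing hardening options.
HARDENING = ("tcpflags", "nosmurfs", "routefilter", "logmartians")

def parse_interfaces(text, default_format=2):
    """Return one dict per entry; default_format applies when no FORMAT line
    is present (a choice made by this example, not read from Shorewall)."""
    fmt, entries = default_format, []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop comments and header rows
        if not fields:
            continue
        if fields[0].lstrip("?").upper() == "FORMAT":
            fmt = int(fields[1])
            continue
        if len(fields) < 2:
            raise ValueError("entry needs ZONE and INTERFACE: %r" % raw)
        zone, iface, rest = fields[0], fields[1], fields[2:]
        broadcast = None
        if fmt == 1:  # format 1 has a BROADCAST column before OPTIONS
            broadcast = rest[0] if rest else "-"
            rest = rest[1:]
        opts = set() if not rest or rest[0] == "-" else set(rest[0].split(","))
        entries.append({"zone": zone, "interface": iface,
                        "broadcast": broadcast, "options": opts})
    return entries

def missing_hardening(entries, required=HARDENING):
    """Map interface name -> required options it lacks (in HARDENING order)."""
    report = {}
    for e in entries:
        names = {o.split("=", 1)[0] for o in e["options"]}  # routefilter=2 counts
        gaps = [r for r in required if r not in names]
        if gaps:
            report[e["interface"]] = gaps
    return report

# Constructed sample input, modelled on the [mail] block above.
SAMPLE_V1 = """FORMAT 1
#ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect dhcp,tcpflags,routefilter,nosmurfs,logmartians
loc eth1 detect tcpflags,nosmurfs
"""

if __name__ == "__main__":
    for iface, gaps in missing_hardening(parse_interfaces(SAMPLE_V1)).items():
        print(iface, "is missing:", ",".join(gaps))
```

The FORMAT line decides whether the third column is read as BROADCAST or as OPTIONS, so a format 1 file parsed as format 2 would have "detect" taken for an option and the real options ignored.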
FILES
/etc/shorewall/interfaces