arprules — Shorewall ARP rules file
/etc/shorewall/arprules 
IPv4 only.
This file was added in Shorewall 4.5.12 and is used to describe low-level rules managed by arptables(8). These rules only affect Address Resolution Protocol (ARP), Reverse Address Resolution Protocol (RARP) and Dynamic Reverse Address Resolution Protocol (DRARP) frames.
The columns in the file are as shown below. MAC addresses are specified normally (6 hexadecimal numbers separated by colons).
Describes the action to take when a frame matches the criteria in the other columns. Possible values are:
This is the default action if no rule matches a frame; it lets the frame go through.
Causes the frame to be dropped.
ip-address: Modifies the source IP address to the specified ip-address.
ip-address: Modifies the destination IP address to the specified ip-address.
mac-address: Modifies the source MAC address to the specified mac-address.
mac-address: Modifies the destination MAC address to the specified mac-address.
ip-address: Like SNAT except that the frame is then passed to the next rule.
ip-address: Like DNAT except that the frame is then passed to the next rule.
mac-address: Like SMAT except that the frame is then passed to the next rule.
mac-address: Like DMAT except that the frame is then passed to the next rule.
[interface[:[!]ipaddress[/ipmask][:[!]macaddress[/macmask]]]] where:
interface is an interface defined in shorewall-interfaces(5).
ipaddress is an IPv4 address. DNS names are not allowed.
ipmask specifies a mask to be applied to ipaddress.
macaddress is the source MAC address.
macmask is the mask for the MAC address; it must be specified as 6 hexadecimal numbers separated by colons.
When '!' is specified, the test is inverted.
If not specified, matches only frames originating on the firewall itself.
Either SOURCE or DEST must be specified.
[interface[:[!]ipaddress[/ipmask][:[!]macaddress[/macmask]]]] where:
interface is an interface defined in shorewall-interfaces(5).
ipaddress is an IPv4 address. DNS names are not allowed.
ipmask specifies a mask to be applied to frame addresses.
macaddress is the destination MAC address.
macmask is the mask for the MAC address; it must be specified as 6 hexadecimal numbers separated by colons.
When '!' is specified, the test is inverted and the rule matches frames which do not match the specified address/mask.
If not specified, matches only frames originating on the firewall itself.
If both SOURCE and DEST are specified, then both interfaces must be bridge ports on the same bridge.
Either SOURCE or DEST must be specified.
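The SOURCE and DEST syntax above is awkward to check by eye because the MAC address itself contains colons. The following linter is an added example, not part of Shorewall; the function names, the use of None for an unspecified column, and the assumptions listed in its comments are hypothetical.

```python
import ipaddress
import re

# Added example (not Shorewall code). Syntax taken from the SOURCE/DEST columns:
#   interface[:[!]ipaddress[/ipmask][:[!]macaddress[/macmask]]]
# Assumptions: interface names contain no ':', '!' or '/'; each MAC octet is
# one or two hex digits; ipmask may be a prefix length or a dotted mask.
MAC = r"[0-9A-Fa-f]{1,2}(?::[0-9A-Fa-f]{1,2}){5}"
SPEC = re.compile(
    r"(?P<iface>[^:!/\s]+)"
    r"(?::(?P<ip_neg>!)?(?P<ip>[^:!/\s]+)(?:/(?P<ipmask>[^:!/\s]+))?"
    rf"(?::(?P<mac_neg>!)?(?P<mac>{MAC})(?:/(?P<macmask>{MAC}))?)?)?"
)


def parse_endpoint(text):
    """Parse one SOURCE or DEST value; raise ValueError if it is invalid."""
    m = SPEC.fullmatch(text)
    if m is None:
        raise ValueError(f"malformed SOURCE/DEST value: {text!r}")
    f = m.groupdict()
    net = None
    if f["ip"] is not None:
        # IPv4Address rejects DNS names and IPv6 literals (the file is IPv4 only).
        ipaddress.IPv4Address(f["ip"])
        mask = f["ipmask"] if f["ipmask"] is not None else "32"
        net = ipaddress.IPv4Network(f"{f['ip']}/{mask}", strict=False)
    return {
        "interface": f["iface"],
        "ip": net,
        "ip_negated": f["ip_neg"] is not None,
        "mac": f["mac"].lower() if f["mac"] else None,
        "macmask": f["macmask"].lower() if f["macmask"] else None,
        "mac_negated": f["mac_neg"] is not None,
    }


def check_rule(source, dest):
    """Enforce 'Either SOURCE or DEST must be specified'.

    None stands for an unspecified column in this sketch.
    """
    if source is None and dest is None:
        raise ValueError("either SOURCE or DEST must be specified")
    return tuple(parse_endpoint(c) if c is not None else None
                 for c in (source, dest))
```

The bridge-port requirement that applies when both columns are given cannot be checked from the rule text alone; it needs the interface and bridge configuration.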
[opcode] Optional. Describes the type of frame. Possible opcode values are:
ARP Request
ARP Reply
RARP Request
RARP Reply
Dynamic RARP Request
Dynamic RARP Reply
Dynamic RARP Error
InARP Request
ARP NAK
When '!' is specified, the test is inverted and the rule matches frames which do not match the specified opcode.