Shorewall configuration
Sunday, 21. December 2008, 14:33:11How to install and configure shorewall in Ubuntu / Debian
What is Shorewall?
The Shoreline Firewall, more commonly known as "Shorewall", is a high-level
tool for configuring Netfilter. You describe your firewall/gateway
requirements using entries in a set of configuration files. Shorewall
reads those configuration files and with the help of the iptables
utility, Shorewall configures Netfilter to match your requirements.
Shorewall can be used on a dedicated firewall system, a multi-function
gateway/router/server or on a standalone GNU/Linux system. Shorewall
does not use Netfilter's ipchains compatibility mode and can thus take
advantage of Netfilter's connection state tracking capabilities.
Install Shorewall
# sudo apt-get install shorewall
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages were automatically installed and are no longer required:
openbsd-inetd
Use 'apt-get autoremove' to remove them.
Suggested packages:
shorewall-doc
The following NEW packages will be installed:
shorewall
0 upgraded, 1 newly installed, 0 to remove and 26 not upgraded.
Need to get 0B/250kB of archives.
After unpacking 1241kB of additional disk space will be used.
Preconfiguring packages ...
Selecting previously deselected package shorewall.
(Reading database ... 16390 files and directories currently installed.)
Unpacking shorewall (from .../shorewall_3.2.6-2_all.deb) ...
Setting up shorewall (3.2.6-2) ...
#### WARNING ####
The firewall won't be started/stopped unless it is configured
Please read about Debian specific customization in
/usr/share/doc/shorewall/README.Debian.gz.
#################
Configure Shorewall Startup Service
# pico /etc/default/shorewall
#Now simply change the line below from 0 to 1
startup = 0
to
startup = 1
#save, and exit.
Shorewall configuration files are stored in two separate places
/etc/shorewall stores all the program configuration files.
/usr/share/shorewall stores supporting files and action files.
Configuring Shorewall
First you must define which configuration that fit with your network plan.
There are 3 types of examples configuration: One interface, Two
interface, and Three Interface. For more detail you may refer to http://www.shorewall.net/two-interface.htm.
Or we can use a default configuration sample. We need to copy all samples
configuration file from /usr/share/doc/shorewall/default-config to
/etc/shorewall
# cp /usr/share/doc/shorewall/default-config/* /etc/shorewall/
Now you have configuration files located at /etc/shorewall
Zones Configuration
First edit the zones file to specify the different network zones, these are
just labels that you will use in the other files. Consider the Internet
as one zone, and a private network as another zone. If you have this
then the zones file would look like this:
# pico /etc/shorewall/zones
# add 2 lines below into your zones file
net ipv4
loc ipv4
#save and exit
Interfaces Configuration
The
next file to edit is the interfaces file to specify the interfaces on
your machine. Here you will connect the zones that you defined in the
previous step with an actual interface. The third field is the
broadcast address for the network attached to the interface ("detect"
will figure this out for you). Finally the last fields are options for
the interface. The options listed below are a good starting point,
# pico /etc/shorewall/interfaces
# add 2 lines below into interfaces file
net wlan0 detect dhcp,tcpflags,routefilter,nosmurfs,logmartians
loc eth1 detect tcpflags,nosmurfs
#save and exit
Policy Configuration
The
next file defines your firewall default policy. The default policy is
used if no other rules apply. Often you will set the default policy to
REJECT or DROP as the default, and then configure specifically what
ports/services are allowed in the next step, and any that you do not
configure are by default rejected or dropped according to this policy.
An example policy (based on the zones and interfaces we used above)
would be:
# pico /etc/shorewall/policy
# sample from my shorewall policy configuration
loc net DROP info
loc $FW DROP info
loc all DROP info
$FW net ACCEPT info
$FW loc DROP info
$FW all DROP info
net $FW DROP info
net loc DROP info
net all DROP info
all all DROP info
# save and exit
This policy says: by default accept any traffic originating from the machine
(fw) to the internet and to the local network. Anything that comes in
from the internet destined to either the machine or the local network
should be dropped and logged to the syslog level "info". The last line
closes everything else off, and probably wont ever be touched. Note:
DROP rules are dropped quietly, and REJECTs send something back letting
the originator know they've been rejected.
Rules Configuration
The most important file is the rules. This is where you set what is allowed
or not. Any new connection that comes into your firewall passes over
these rules, if none of these apply, then the default policy will
apply. Note: This is only for new connections, existing connections are
automatically accepted. The comments in the file give you a good idea
of how things work, but the following will provided an example that can
give you a head-start:
# /$nano /etc/shorewall/rules
# add few lines below into rules file
DNS/ACCEPT $FW net
SSH/ACCEPT loc $FW
Ping/ACCEPT loc $FW
Ping/ACCEPT loc net
Ping/ACCEPT net $FW
ACCEPT $FW loc icmp
ACCEPT $FW net icmp
#WEB SERVICE PORT
ACCEPT loc net tcp 80
ACCEPT loc net tcp 443
ACCEPT loc $FW tcp 10000
# save and exit
This example can be written in long-hand as, "Accept any pings (icmp) from
the internet to the machine, accept any tcp connections from the
internet that are on any of the ports referenced in /etc/services for
the services ssh(22),www(80),https(443),webmin(10000), etc.
Final step is start shorewall firewall
# sudo /etc/init.d/shorewall start
password :
If there was a syntax error in your configuration you will get an error
saying so and you should have a read of /var/log/shorewall-init.log to
figure out why.
If everything does start up, you should make
sure that you aren't blocking something that you don't mean to, you can
do that by looking at your firewall logs.
The Shoreline Firewall, more commonly known as "Shorewall", is a high-level
tool for configuring Netfilter. You describe your firewall/gateway
requirements using entries in a set of configuration files. Shorewall
reads those configuration files and with the help of the iptables
utility, Shorewall configures Netfilter to match your requirements.
Shorewall can be used on a dedicated firewall system, a multi-function
gateway/router/server or on a standalone GNU/Linux system. Shorewall
does not use Netfilter's ipchains compatibility mode and can thus take
advantage of Netfilter's connection state tracking capabilities.
Install Shorewall
# sudo apt-get install shorewall
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages were automatically installed and are no longer required:
openbsd-inetd
Use 'apt-get autoremove' to remove them.
Suggested packages:
shorewall-doc
The following NEW packages will be installed:
shorewall
0 upgraded, 1 newly installed, 0 to remove and 26 not upgraded.
Need to get 0B/250kB of archives.
After unpacking 1241kB of additional disk space will be used.
Preconfiguring packages ...
Selecting previously deselected package shorewall.
(Reading database ... 16390 files and directories currently installed.)
Unpacking shorewall (from .../shorewall_3.2.6-2_all.deb) ...
Setting up shorewall (3.2.6-2) ...
#### WARNING ####
The firewall won't be started/stopped unless it is configured
Please read about Debian specific customization in
/usr/share/doc/shorewall/README.Debian.gz.
#################
Configure Shorewall Startup Service
# pico /etc/default/shorewall
#Now simply change the line below from 0 to 1
startup = 0
to
startup = 1
#save, and exit.
Shorewall configuration files are stored in two separate places
/etc/shorewall stores all the program configuration files.
/usr/share/shorewall stores supporting files and action files.
Configuring Shorewall
First you must define which configuration that fit with your network plan.
There are 3 types of examples configuration: One interface, Two
interface, and Three Interface. For more detail you may refer to http://www.shorewall.net/two-interface.htm.
Or we can use a default configuration sample. We need to copy all samples
configuration file from /usr/share/doc/shorewall/default-config to
/etc/shorewall
# cp /usr/share/doc/shorewall/default-config/* /etc/shorewall/
Now you have configuration files located at /etc/shorewall
Zones Configuration
First edit the zones file to specify the different network zones, these are
just labels that you will use in the other files. Consider the Internet
as one zone, and a private network as another zone. If you have this
then the zones file would look like this:
# pico /etc/shorewall/zones
# add 2 lines below into your zones file
net ipv4
loc ipv4
#save and exit
Interfaces Configuration
The
next file to edit is the interfaces file to specify the interfaces on
your machine. Here you will connect the zones that you defined in the
previous step with an actual interface. The third field is the
broadcast address for the network attached to the interface ("detect"
will figure this out for you). Finally the last fields are options for
the interface. The options listed below are a good starting point,
# pico /etc/shorewall/interfaces
# add 2 lines below into interfaces file
net wlan0 detect dhcp,tcpflags,routefilter,nosmurfs,logmartians
loc eth1 detect tcpflags,nosmurfs
#save and exit
Policy Configuration
The
next file defines your firewall default policy. The default policy is
used if no other rules apply. Often you will set the default policy to
REJECT or DROP as the default, and then configure specifically what
ports/services are allowed in the next step, and any that you do not
configure are by default rejected or dropped according to this policy.
An example policy (based on the zones and interfaces we used above)
would be:
# pico /etc/shorewall/policy
# sample from my shorewall policy configuration
loc net DROP info
loc $FW DROP info
loc all DROP info
$FW net ACCEPT info
$FW loc DROP info
$FW all DROP info
net $FW DROP info
net loc DROP info
net all DROP info
all all DROP info
# save and exit
This policy says: by default accept any traffic originating from the machine
(fw) to the internet and to the local network. Anything that comes in
from the internet destined to either the machine or the local network
should be dropped and logged to the syslog level "info". The last line
closes everything else off, and probably wont ever be touched. Note:
DROP rules are dropped quietly, and REJECTs send something back letting
the originator know they've been rejected.
Rules Configuration
The most important file is the rules. This is where you set what is allowed
or not. Any new connection that comes into your firewall passes over
these rules, if none of these apply, then the default policy will
apply. Note: This is only for new connections, existing connections are
automatically accepted. The comments in the file give you a good idea
of how things work, but the following will provided an example that can
give you a head-start:
# /$nano /etc/shorewall/rules
# add few lines below into rules file
DNS/ACCEPT $FW net
SSH/ACCEPT loc $FW
Ping/ACCEPT loc $FW
Ping/ACCEPT loc net
Ping/ACCEPT net $FW
ACCEPT $FW loc icmp
ACCEPT $FW net icmp
#WEB SERVICE PORT
ACCEPT loc net tcp 80
ACCEPT loc net tcp 443
ACCEPT loc $FW tcp 10000
# save and exit
This example can be written in long-hand as, "Accept any pings (icmp) from
the internet to the machine, accept any tcp connections from the
internet that are on any of the ports referenced in /etc/services for
the services ssh(22),www(80),https(443),webmin(10000), etc.
Final step is start shorewall firewall
# sudo /etc/init.d/shorewall start
password :
If there was a syntax error in your configuration you will get an error
saying so and you should have a read of /var/log/shorewall-init.log to
figure out why.
If everything does start up, you should make
sure that you aren't blocking something that you don't mean to, you can
do that by looking at your firewall logs.
Powered by ScribeFire.
Powered by ScribeFire.
