Shorewall
Configuration in Debian
What is Shorewall?
The Shoreline Firewall, more commonly known as "Shorewall", is a
high-level tool for configuring Netfilter. You describe your
firewall/gateway requirements using entries in a set of
configuration files. Shorewall reads those configuration files
and, with the help of the iptables utility, configures Netfilter
to match your requirements. Shorewall can be used on a dedicated
firewall system, a multi-function gateway/router/server or on a
standalone GNU/Linux system. Shorewall does not use Netfilter's
ipchains compatibility mode and can thus take advantage of
Netfilter's connection state tracking capabilities.
Download, Features and Documentation
Shorewall
http://www.shorewall.net/
Note: before installing Shorewall, remove the "ipchains" package
if it is installed on your machine, since ipchains and iptables
cannot manage the kernel's packet filter at the same time:
# apt-get remove ipchains
Install shorewall in Debian
# apt-get install shorewall
At this point apt may tell you it has to install a couple of
extra supporting packages along with shorewall. This is normal,
and you should accept the prompt to let it install everything.
You probably noticed a warning message at the end of the
Shorewall installation telling you that the program will not
start unless you change the /etc/default/shorewall file. You can
do this as follows:
# vi /etc/default/shorewall
Now simply change
startup = 0
to
startup = 1
then save and exit. Leaving startup at 0 is a safeguard so that
the init script does not bring up a firewall nobody has
configured; the script only consults this setting, so the change
takes effect the next time Shorewall is started.
Shorewall configuration files are stored in two separate places
/etc/shorewall stores all the program configuration files.
/usr/share/shorewall stores supporting files and action files.
Configuring Shorewall in Debian
To configure shorewall you first copy the sample configuration
files from /usr/share/doc/shorewall/default-config into
/etc/shorewall. You can do this with the following command (note
that it overwrites any files of the same name already present in
/etc/shorewall):
# cp /usr/share/doc/shorewall/default-config/* /etc/shorewall/
Now you have the configuration files located at /etc/shorewall.
Zones Configuration
First edit the zones file to specify the different network
zones. These are just labels that you will use in the other
files. Consider the Internet as one zone and a private network
as another zone; with that layout the zones file would look
like this:
#ZONE DISPLAY COMMENTS
net   Net     Internet
loc   Local   Private net
There is one more zone that is not listed in this file: the
"firewall zone", fw, which stands for the firewall machine
itself. Its name is set by the FW= variable in
/etc/shorewall/shorewall.conf and defaults to fw.
The Shorewall documentation at http://www.shorewall.net/
describes the zones file in full.
Interfaces Configuration
The next file to edit is the interfaces file, which specifies
the interfaces on your machine. Here you connect the zones that
you defined in the previous step with an actual interface. The
third field is the broadcast address for the network attached to
the interface ("detect" will figure this out for you). Finally,
the last field holds the options for the interface. The options
listed below are a good starting point:
#ZONE INTERFACE BROADCAST OPTIONS
net   eth0      detect    routefilter,norfc1918,logmartians,nosmurfs,tcpflags,blacklist
loc   eth1      detect    tcpflags
In short: routefilter turns on the kernel's reverse-path check
(rp_filter) for the interface, norfc1918 drops packets arriving
on it with a private (RFC 1918) source address, logmartians logs
packets with impossible source addresses, nosmurfs drops packets
whose source is a broadcast address, tcpflags drops packets with
illegal TCP flag combinations, and blacklist checks the source
against /etc/shorewall/blacklist. One caveat: do not put
norfc1918 on an interface that faces a device with a private
address (a DSL modem or cable router at 192.168.x.x, for
example), or traffic from that device will be dropped.
The Shorewall documentation at http://www.shorewall.net/
describes the interfaces file and all of its options.
Policy Configuration
The next file, policy, defines your firewall's default policy.
The default policy is used when no rule applies. Often you will
set the default policy to REJECT or DROP, then configure
specifically what ports/services are allowed in the next step;
any that you do not configure are rejected or dropped according
to this policy. An example policy (based on the zones and
interfaces we used above) would be:
#SOURCE DEST POLICY LOG LEVEL
fw      net  ACCEPT
fw      loc  ACCEPT
net     all  DROP   info
# THE FOLLOWING POLICY MUST BE LAST
all     all  REJECT info
This policy says: by default, accept any traffic originating
from the machine (fw) to the internet and to the local network.
Anything that comes in from the internet destined for either the
machine or the local network is dropped and logged at syslog
level "info". The last line closes everything else off. It is
not as idle as it looks: with this policy, connections from the
local network to the internet (loc to net) match no earlier line
and are rejected by it, so a gateway that is meant to route its
LAN to the internet needs a "loc net ACCEPT" policy line (or
explicit rules) above it. Note: DROP discards packets quietly,
while REJECT sends something back letting the originator know
the connection was refused.
The Shorewall documentation at http://www.shorewall.net/
describes the policy file in full.
Rules Configuration
The most important file is rules. This is where you set what is
allowed and what is not. Any new connection that comes into your
firewall passes over these rules; if none of them apply, the
default policy applies. Note: this is only for new connections.
Packets belonging to established or related connections are
accepted automatically before the rules are consulted. The
comments in the file give you a good idea of how things work,
but the following example can give you a head start:
#ACTION SOURCE              DEST PROTO DEST    SOURCE  ORIGINAL RATE  USER/
#                                      PORT    PORT(S) DEST     LIMIT GROUP
ACCEPT  net                 fw   icmp  8
ACCEPT  fw                  net  icmp
ACCEPT  net                 fw   tcp   ssh,www,https,smtp,pop3,pop3s,imap2,imaps,submission
ACCEPT  net                 fw   udp   https
ACCEPT  net:216.162.217.194 fw   tcp   munin
In long-hand this example says: accept pings (ICMP echo-request,
type 8) from the internet to the machine, and let the machine
send any ICMP to the internet; accept TCP connections from the
internet to any of the ports that /etc/services maps to the
names ssh (22), www (80), https (443), smtp (25), pop3 (110),
pop3s (995), imap2 (143), imaps (993) and submission (587); also
accept UDP to https (443) from the internet. Finally, accept TCP
connections to the munin port only from the single internet host
216.162.217.194. Shorewall resolves service names through
/etc/services, so "munin" means whatever port that file lists
for it (munin-node's default is 4949); check that file if a rule
does not open the port you expect.
The Shorewall documentation at http://www.shorewall.net/
describes the rules file in full.
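The following Python script is an added example, not part of this tutorial or of Shorewall, that walks a new connection through the lookup order described above: the rules file first, top to bottom, then the policy file, where "all" matches any zone. It embeds the policy and rules shown in this tutorial and uses a small constructed service table in place of /etc/services (the munin entry assumes munin-node's default port, 4949). It does not model connection tracking, which accepts packets of established connections before any of this is reached.

```python
"""Walk a NEW connection through Shorewall's lookup order: rules first (top
to bottom), then the policy file.  Added example for this tutorial; it is
not Shorewall code and does not model connection tracking, which accepts
packets of established/related connections before any of this is reached."""

# Constructed stand-in for /etc/services.  Shorewall resolves the names in
# the rules file through that file; munin assumes munin-node's default port.
SERVICES = {
    "ssh": 22, "www": 80, "https": 443, "smtp": 25, "pop3": 110,
    "pop3s": 995, "imap2": 143, "imaps": 993, "submission": 587,
    "munin": 4949,
}

# The policy and rules files as shown in the tutorial.
POLICY = """\
#SOURCE DEST POLICY LOG LEVEL
fw      net  ACCEPT
fw      loc  ACCEPT
net     all  DROP   info
all     all  REJECT info
"""

RULES = """\
#ACTION SOURCE              DEST PROTO DEST PORT(S)
ACCEPT  net                 fw   icmp  8
ACCEPT  fw                  net  icmp
ACCEPT  net                 fw   tcp   ssh,www,https,smtp,pop3,pop3s,imap2,imaps,submission
ACCEPT  net                 fw   udp   https
ACCEPT  net:216.162.217.194 fw   tcp   munin
"""


def parse_table(text):
    """Split a Shorewall table into field lists; '#' starts a comment."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rows.append(line.split())
    return rows


def port_matches(spec, port):
    """spec: comma-separated service names/numbers, or '-'/None for any port
    (for ICMP the column holds the ICMP type, as in the 'icmp 8' rule)."""
    if spec in (None, "-"):
        return True
    if port is None:
        return False
    wanted = {int(p) if p.isdigit() else SERVICES.get(p) for p in spec.split(",")}
    return port in wanted


def source_matches(spec, zone, addr):
    """'net' matches the whole zone; 'net:1.2.3.4' only that host."""
    zspec, _, host = spec.partition(":")
    return zspec == zone and (host == "" or host == addr)


def lookup(src_zone, dst_zone, proto, dport=None, src_addr=None):
    """Return (action, 'rule'|'policy') for a new connection."""
    for row in parse_table(RULES):
        action, src, dst, rproto = row[:4]
        dport_spec = row[4] if len(row) > 4 else None
        if (source_matches(src, src_zone, src_addr) and dst == dst_zone
                and rproto == proto and port_matches(dport_spec, dport)):
            return action, "rule"
    for row in parse_table(POLICY):
        src, dst, action = row[:3]
        if src in (src_zone, "all") and dst in (dst_zone, "all"):
            return action, "policy"
    raise ValueError("no policy matched: the policy file needs a final all/all line")


if __name__ == "__main__":
    cases = [
        ("net", "fw", "tcp", 22, None),
        ("net", "fw", "tcp", 4949, "216.162.217.194"),
        ("net", "fw", "tcp", 4949, "203.0.113.5"),
        ("net", "loc", "tcp", 80, None),
        ("loc", "net", "tcp", 80, None),   # falls through to 'all all REJECT'
    ]
    for sz, dz, proto, port, addr in cases:
        who = f"{sz}:{addr}" if addr else sz
        print(f"{who:>20} -> {dz:<3} {proto}/{port}: {lookup(sz, dz, proto, port, addr)}")
```

Running it prints the decision for a handful of connections, including the loc-to-net case that no rule and no earlier policy line covers, so it ends up at the final REJECT.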
Now start Shorewall so that your changes take effect. Before the
first start, and after every later change, run the built-in
check, which validates the configuration files without touching
the running firewall:
# shorewall check
Then start it (use "restart" instead on a firewall that is
already running):
# /etc/init.d/shorewall start
If there was a syntax error in your configuration you will get
an error saying so, and you should read
/var/log/shorewall-init.log to figure out why. Be careful when
doing this over SSH: with the policy above, the "net fw tcp ssh"
rule is what keeps your session alive, so make sure it is in the
rules file before you start a REJECT/DROP policy on a remote
machine.
If everything does start up, make sure that you aren't blocking
something you don't mean to by looking at your firewall logs.
The policy and rules above log at level "info", so the entries
go through the kernel log to syslog (/var/log/syslog on Debian),
each prefixed with "Shorewall:", the chain that made the
decision and the disposition, for example "Shorewall:net2all:DROP:",
followed by Netfilter's IN=, OUT=, SRC=, DST=, PROTO=, SPT= and
DPT= fields. The Shorewall documentation at
http://www.shorewall.net/ covers logging in more detail.
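The following Python script is an added example, not part of this tutorial or of Shorewall, that reads such log lines and summarises them so that unintended blocks stand out. The lines it works on are constructed here to look like syslog output with Shorewall's default "Shorewall:chain:disposition:" prefix followed by Netfilter's key=value fields; the host name, interface names and addresses are assumptions. On a real gateway you would point it at /var/log/syslog instead of the embedded sample.

```python
"""Summarise Shorewall log entries from syslog to spot unintended blocks.
Added example for this tutorial; not Shorewall code."""
import re
import sys
from collections import Counter

# Constructed sample of /var/log/syslog on a Debian gateway (not a capture).
# eth0 faces the internet (zone net), eth1 the LAN (zone loc), as in the
# interfaces file of the tutorial.
SAMPLE_LOG = """\
Jan 14 10:01:03 gw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.2 LEN=60 TTL=52 PROTO=TCP SPT=51234 DPT=4949 SYN
Jan 14 10:01:07 gw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.2 LEN=60 TTL=52 PROTO=TCP SPT=51235 DPT=4949 SYN
Jan 14 10:02:11 gw kernel: Shorewall:all2all:REJECT:IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=93.184.216.34 LEN=60 TTL=63 PROTO=TCP SPT=40000 DPT=80 SYN
Jan 14 10:02:12 gw kernel: Shorewall:all2all:REJECT:IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=93.184.216.34 LEN=60 TTL=63 PROTO=TCP SPT=40001 DPT=443 SYN
Jan 14 10:03:30 gw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.2 LEN=80 TTL=57 PROTO=UDP SPT=53 DPT=1025
Jan 14 10:03:31 gw sshd[2211]: Accepted publickey for admin from 203.0.113.9 port 51240 ssh2
"""

# Shorewall's default LOGFORMAT "Shorewall:%s:%s:" gives chain and disposition.
PREFIX = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<disp>[^:\s]+):")
# Netfilter's KEY=value fields; bare flags such as SYN or DF have no '='.
FIELD = re.compile(r"\b([A-Z]+)=(\S*)")


def parse(text):
    """Yield one dict per Shorewall log line: chain, disp plus the Netfilter
    key=value fields (IN, OUT, SRC, DST, PROTO, SPT, DPT, ...)."""
    for line in text.splitlines():
        m = PREFIX.search(line)
        if not m:
            continue                       # sshd, cron, ...: not a firewall line
        rec = m.groupdict()
        rec.update(FIELD.findall(line[m.end():]))
        yield rec


def summarize(text):
    """Count (chain, disposition, proto, dport): what is being blocked and
    by which policy/rules chain."""
    return Counter((r["chain"], r["disp"], r.get("PROTO", "?"), r.get("DPT", "-"))
                   for r in parse(text))


def lan_blocks(text, lan_iface):
    """Refused connections that entered on the LAN interface.  Under the
    tutorial's policy these are usually loc->net traffic hitting the final
    'all all REJECT' line, i.e. a missing policy or rule, not an attack."""
    return sorted({(r.get("SRC"), r.get("PROTO"), r.get("DPT"))
                   for r in parse(text)
                   if r.get("IN") == lan_iface and r["disp"] != "ACCEPT"})


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for key, n in summarize(text).most_common():
        print(f"{n:4d}  {' '.join(key)}")
    for src, proto, dpt in lan_blocks(text, "eth1"):
        print(f"LAN host {src} refused {proto}/{dpt}: missing loc->net policy or rule?")
```

On the sample, the two all2all REJECT lines from 192.168.1.20 are the loc-to-net case described under Policy Configuration above, while the net2all DROP entries are the expected effect of the "net all DROP" policy.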
Shorewall Web interface or GUI tool
There is a Webmin module for Shorewall that lets you configure
it through a GUI. You can download it from
http://www.webmin.com/download/modules/shorewall.wbm.gz
and install it through Webmin's module installer (Webmin
Configuration, Webmin Modules). The module edits the same files
under /etc/shorewall, so run "shorewall check" after changes
made there as well.
References
http://www.cyberdogtech.com/firewalls/firewall/