Shorewall Configuration in Debian

What is Shorewall?

The Shoreline Firewall, more commonly known as "Shorewall", is a high-level tool for configuring Netfilter. You describe your firewall/gateway requirements using entries in a set of configuration files. Shorewall reads those configuration files and with the help of the iptables utility, Shorewall configures Netfilter to match your requirements. Shorewall can be used on a dedicated firewall system, a multi-function gateway/router/server or on a standalone GNU/Linux system. Shorewall does not use Netfilter's ipchains compatibility mode and can thus take advantage of Netfilter's connection state tracking capabilities.

Download, Features and Documentation Shorewall

Note:- Before installing shorewall we need to uninstall "ipchains" if you installed in your machine by running this command

# apt-get remove ipchains

Install shorewall in Debian

#apt-get install shorewall

At this point apt may tell you it has to install a couple extra supporting package along with shorewall. This is normal and you should accept the prompt to allow it to install everything.

You probably noticed a warning message at the end of the Shorewall installation telling you the program will not start unless you change the /etc/default/shorewall file.You can do this in following way

# vi /etc/default/shorewall

Now simply change

startup = 0


startup = 1

save, and exit.

Shorewall configuration files are stored in two separate places

/etc/shorewall stores all the program configuration files.

/usr/share/shorewall stores supporting files and action files.

Configuring Shorewall in Debian

If you want to configure shorewall you need to copy the sample configuration file from
/usr/share/doc/shorewall/default-config.You can do this by the following command

#cp /usr/share/doc/shorewall/default-config/* /etc/shorewall/

Now you have configuration files located at /etc/shorewall

Zones Configuration

First edit the zones file to specify the different network zones, these are just labels that you will use in the other files. Consider the Internet as one zone, and a private network as another zone. If you have this then the zones file would look like this:

net Net Internet
loc Local Private net

There is another zone that is not put in this zones file, called the "firewall zone" or "fw". This is already defined in /etc/shorewall.conf

If you want more information about Zones check here

Interfaces Configuration

The next file to edit is the interfaces file to specify the interfaces on your machine. Here you will connect the zones that you defined in the previous step with an actual interface. The third field is the broadcast address for the network attached to the interface ("detect" will figure this out for you). Finally the last fields are options for the interface. The options listed below are a good starting point,

net eth0 detect routefilter,norfc1918,logmartians,nosmurfs,tcpflags,blacklist
loc eth1 detect tcpflags

If you want more information about interfaces check here

Policy Configuration

The next file defines your firewall default policy. The default policy is used if no other rules apply. Often you will set the default policy to REJECT or DROP as the default, and then configure specifically what ports/services are allowed in the next step, and any that you do not configure are by default rejected or dropped according to this policy. An example policy (based on the zones and interfaces we used above) would be:

fw net ACCEPT
fw loc ACCEPT
net all DROP info
all all REJECT info

This policy says: by default accept any traffic originating from the machine (fw) to the internet and to the local network. Anything that comes in from the internet destined to either the machine or the local network should be dropped and logged to the syslog level "info". The last line closes everything else off, and probably wont ever be touched. Note: DROP rules are dropped quietly, and REJECTs send something back letting the originator know they've been rejected.

If you want more information about policy check here 

Rules Configuration

The most important file is the rules. This is where you set what is allowed or not. Any new connection that comes into your firewall passes over these rules, if none of these apply, then the default policy will apply. Note: This is only for new connections, existing connections are automatically accepted. The comments in the file give you a good idea of how things work, but the following will provided an example that can give you a head-start:

ACCEPT net fw icmp 8
ACCEPT fw net icmp
ACCEPT net fw tcp ssh,www,https,smtp,pop3,pop3s,imap2,imaps,submission
ACCEPT net fw udp https
ACCEPT net: fw tcp munin

This example can be written in long-hand as, "Accept any pings (icmp) from the internet to the machine, accept any tcp connections from the internet that are on any of the ports referenced in /etc/services for the services
ssh(22),www(80),https(443), etc. Also accept from the internet the udp connections to https(443). While you are at it, accept only tcp connections from the IP coming from the internet to the munin port (1040).

If you want more information about rules check here

Now you need to restart your shorewall to take your new changes effect by running this command

#/etc/init.d/shorewall start

If there was a syntax error in your configuration you will get an error saying so and you should have a read of
/var/log/shorewall-init.log to figure out why.

If everything does start up, you should make sure that you aren't blocking something that you don't mean to, you can do that by looking at your firewall logs.

If you want to know more about the shorewall log files click here

Shorewall Web interface or GUI tool

We have a webmin interface for shorewall to configure through GUI.You can download from here.

If you want to configure shorewall through webmin interface click here