- .| - - + |
+
+
Shorewall 1.4 Reference- |
-
Shorewall consists of the following components:
- +You may use the file /etc/shorewall/params file to set shell variables - that you can then use in some of the other configuration - files.
- -It is suggested that variable names begin with an upper case letter to distinguish them from variables used internally - within the Shorewall programs
- -Example:
- -NET_IF=eth0- -
NET_BCAST=130.252.100.255
NET_OPTIONS=blacklist,norfc1918
Example (/etc/shorewall/interfaces record):
- -net $NET_IF $NET_BCAST $NET_OPTIONS- -
The result will be the same as if the record had been written
- -net eth0 130.252.100.255 blacklist,norfc1918- -
Variables may be used anywhere in the other configuration - files.
- -This file is used to define the network zones. There is one entry - in /etc/shorewall/zones for each zone; Columns - in an entry are:
- -The /etc/shorewall/zones file released with Shorewall is as follows:
- -| ZONE | -DISPLAY | -COMMENTS | -
| net | -Net | -Internet | -
| loc | -Local | -Local networks | -
| dmz | -DMZ | -Demilitarized - zone | -
You may add, delete and modify entries in the /etc/shorewall/zones file - as desired so long as you have at least one zone - defined.
- -Warning 1: If you rename or delete a zone, you should perform "shorewall - stop; shorewall start" to install the change -rather than "shorewall restart".
- -Warning 2: The order of entries in the /etc/shorewall/zones file is - significant in some cases.
- -This file is used to tell the firewall which of your firewall's network - interfaces are connected to which zone. There -will be one entry in /etc/shorewall/interfaces for each -of your interfaces. Columns in an entry are:
- - tcpflags (added in version 1.3.11) - This option causes Shorewall
-to make sanity checks on the header flags in TCP packets arriving on this
-interface. Checks include Null flags, SYN+FIN, SYN+RST and FIN+URG+PSH; these
-flag combinations are typically used for "silent" port scans. Packets failing
-these checks are logged according to the TCP_FLAGS_LOG_LEVEL option in /etc/shorewall/shorewall.conf and are disposed of according
- to the TCP_FLAGS_DISPOSITION option.
-
- blacklist - This option causes
- incoming packets on this interface to be
-checked against the blacklist.
-
- dhcp - The interface
- is assigned an IP address via DHCP or is used by
- a DHCP server running on the firewall. The firewall will
- be configured to allow DHCP traffic to and from the interface
- even when the firewall is stopped. You may also wish to use
- this option if you have a static IP but you are on a LAN segment
- that has a lot of Laptops that use DHCP and you select the
- norfc1918 option (see below).
norfc1918 - Packets arriving on this interface and that
- have a source address that is reserved in RFC 1918 or in other
- RFCs will be dropped after being optionally logged.
- If packet mangling is enabled in /etc/shorewall/shorewall.conf
- , then packets arriving on this interface that
- have a destination address that is reserved by one of
-these RFCs will also be logged and dropped.
-
- Addresses blocked by
-the standard rfc1918 file
- include those addresses reserved by RFC1918 plus other
- ranges reserved by the IANA or by other RFCs.
Beware that as IPv4 addresses become in increasingly short supply, - ISPs are beginning to use RFC 1918 addresses -within their own infrastructure. Also, many cable -and DSL "modems" have an RFC 1918 address that can be used -through a web browser for management and monitoring functions. - If you want to specify norfc1918 on your external -interface but need to allow access to certain addresses - from the above list, see FAQ 14.
- - -routefilter - Invoke the Kernel's route filtering - (anti-spoofing) facility on this interface. The -kernel will reject any packets incoming on this interface - that have a source address that would be routed outbound - through another interface on the firewall. - Warning: If you specify this -option for an interface then the interface must be up prior -to starting the firewall.
- - - dropunclean - Packets from this interface that
-are selected by the 'unclean' match target in iptables will
- be optionally logged and then dropped.
- Warning: This feature requires
- that UNCLEAN match support be configured in your
- kernel, either in the kernel itself or as a module. UNCLEAN
- support is broken in some versions of the kernel but
- appears to work ok in 2.4.17-rc1.
-
- Update
- 12/17/2001: The unclean match patch
- from 2.4.17-rc1 is available
- for download. I am currently
- running this patch applied to kernel
- 2.4.16.
Update 12/20/2001: I've - seen a number of tcp connection - requests with OPT (020405B40000080A...) - being dropped in the badpkt chain. This - appears to be a bug in the remote TCP stack whereby -it is 8-byte aligning a timestamp (TCP option -8) but rather than padding with 0x01 it is padding -with 0x00. It's a tough call whether to deny people -access to your servers because of this rather minor - bug in their networking software. If you wish to disable -the check that causes these connections to be -dropped, here's - a kernel patch against 2.4.17-rc2.
- - -logunclean - This option works like dropunclean - with the exception that packets - selected by the 'unclean' match -target in iptables are logged but not dropped. - The level at which the packets are logged -is determined by the setting of LOGUNCLEAN and if LOGUNCLEAN - has not been set, "info" is assumed.
- - -proxyarp (Added in version 1.3.5) - This option causes
- Shorewall to set /proc/sys/net/ipv4/conf/<interface>/proxy_arp
- and is used when implementing
- Proxy ARP Sub-netting as described
- at
- http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet/. Do
- not set this option if you are implementing
- Proxy ARP through entries in
- /etc/shorewall/proxyarp.
-
- maclist (Added in
- version 1.3.10) - If this option is specified, all connection
- requests from this interface are subject to MAC Verification. May only be specified
- for ethernet interfaces.
My recommendations concerning options:
-
You may use the file /etc/shorewall/params file to set shell variables + that you can then use in some of the other configuration + files.
+ +It is suggested that variable names begin with an upper case letter to distinguish them from variables used internally + within the Shorewall programs
+ +Example:
+ +NET_IF=eth0+ +
NET_BCAST=130.252.100.255
NET_OPTIONS=blacklist,norfc1918
Example (/etc/shorewall/interfaces record):
+ +net $NET_IF $NET_BCAST $NET_OPTIONS+ +
The result will be the same as if the record had been written
+ +net eth0 130.252.100.255 blacklist,norfc1918+ +
Variables may be used anywhere in the other configuration + files.
+ +This file is used to define the network zones. There is one entry + in /etc/shorewall/zones for each zone; Columns + in an entry are:
+- -
Example 1: You have a conventional firewall setup in which eth0 connects - to a Cable or DSL modem and eth1 connects to -your local network and eth0 gets its IP address via -DHCP. You want to check all packets entering from the internet - against the black list. Your /etc/shorewall/interfaces - file would be as follows:
- --+ +You may add, delete and modify entries in the /etc/shorewall/zones file + as desired so long as you have at least one zone + defined.
+ +Warning 1: If you rename or delete a zone, you should perform "shorewall + stop; shorewall start" to install the change +rather than "shorewall restart".
+ +Warning 2: The order of entries in the /etc/shorewall/zones file is + significant in some cases.
+ +/etc/shorewall/interfaces
+ +This file is used to tell the firewall which of your firewall's network + interfaces are connected to which zone. There + will be one entry in /etc/shorewall/interfaces for each + of your interfaces. Columns in an entry are:
+-
- -- ZONE -- A zone defined in the /etc/shorewall/zones - file.
-- HOST(S) - - The name of a network interface followed by a colon - (":") followed by either:
- --- --
- - -- An - IP address (example - eth1:192.168.1.3)
-- A - subnet in CIDR notation (example - - eth2:192.168.2.0/24)
- - -The interface name much match an entry in /etc/shorewall/interfaces.
--
- -- OPTIONS - - A comma-separated list of option
- --- -routeback (Added in version 1.4.2) - This option causes Shorewall - to set up handling for routing packets sent by this host group back - back to the same group.
-
-
- maclist - Added in version 1.3.10. If specified, connection - requests from the hosts specified in this entry are subject - to MAC Verification. This option - is only valid for ethernet interfaces.
-If you don't define any hosts for a zone, the hosts in the zone default - to i0:0.0.0.0/0 , i1:0.0.0.0/0, ... where i0, - i1, ... are the interfaces to the zone.
- -Note: You probably DON'T - want to specify any hosts for your internet zone since the -hosts that you specify will be the only ones that you will be -able to access without adding additional rules.
- -Example 1:
- -Your local interface is eth1 and you have two groups of local hosts that - you want to make into separate zones:
- --
- -- 192.168.1.0/25 -
-- 192.168.1.128/
- -Your /etc/shorewall/interfaces file might look like:
- --- -- - -
-- -ZONE -INTERFACE -BROADCAST -OPTIONS -- -net -eth0 -detect -dhcp,norfc1918 -- - - - -- -eth1 -192.168.1.127,192.168.1.255 -
--
-The '-' in the ZONE column for eth1 tells Shorewall that eth1 interfaces - to multiple zones.
- -Your /etc/shorewall/hosts file might look like:
- -- - -- -- - -
-- -ZONE -HOST(S) -OPTIONS -- -loc1 -eth1:192.168.1.0/25 --
-- - - - -loc2 -eth1:192.168.1.128/25 --
-Example 2:
- -Your local interface is eth1 and you have two groups of local hosts that - you want to consider as one zone and you want Shorewall to route -between them:
- --
- -- 192.168.1.0/25
-- 192.168.1.128/25
- -Your /etc/shorewall/interfaces file might look like:
- --- -- - -
-- -ZONE -INTERFACE -BROADCAST -OPTIONS -- -net -eth0 -detect -dhcp,norfc1918 -- - - - -loc -
-eth1 -192.168.1.127,192.168.1.255 -
--
-Your /etc/shorewall/hosts file might look like:
- -- - -- -- - -
-- -ZONE -HOST(S) -OPTIONS -- -loc -eth1:192.168.1.0/25 --
-- - - - -loc -eth1:192.168.1.128/25 --
-Nested and Overlapping -Zones
- -The /etc/shorewall/interfaces and /etc/shorewall/hosts file allow you - to define nested or overlapping zones. Such overlapping/nested zones - are allowed and Shorewall processes zones in the order that - they appear in the /etc/shorewall/zones file. So if you have - nested zones, you want the sub-zone to appear before the -super-zone and in the case of overlapping zones, the rules - that will apply to hosts that belong to both zones is determined - by which zone appears first in /etc/shorewall/zones.
- -Hosts that belong to more than one zone may be managed by the rules - of all of those zones. This is done through use -of the special CONTINUE policy described - below.
- -/etc/shorewall/policy - Configuration.
- -This file is used to describe the firewall policy regarding establishment - of connections. Connection establishment is described - in terms of clients who initiate connections -and servers who receive those connection requests. - Policies defined in /etc/shorewall/policy describe which - zones are allowed to establish connections with other zones.
- -Policies established in /etc/shorewall/policy can be viewed as default - policies. If no rule in /etc/shorewall/rules applies - to a particular connection request then the policy -from /etc/shorewall/policy is applied.
- -Four policies are defined:
- --
- -- ACCEPT - - The connection is allowed.
-- DROP -- The connection request is ignored.
-- REJECT - - The connection request is rejected with an RST (TCP) - or an ICMP destination-unreachable packet being returned - to the client.
-- CONTINUE - - The connection is neither ACCEPTed, DROPped - nor REJECTed. CONTINUE may be used when one or both of -the zones named in the entry are sub-zones of or intersect -with another zone. For more information, see below.
-- NONE - (Added in version 1.4.1) - Shorewall - should not set up any infrastructure for handling traffic from the - SOURCE zone to the DEST zone. When this policy is specified, the LOG - LEVEL and BURST:LIMIT columns must be left - blank.
- -
-For each policy specified in /etc/shorewall/policy, you can indicate - that you want a message sent to your system log - each time that the policy is applied.
- -Entries in /etc/shorewall/policy have four columns as follows:
- -- -
- -- SOURCE - The name of a client - zone (a zone defined in the /etc/shorewall/zones - file , the name of the firewall - zone or "all").
- -- DEST - The name of a destination - zone (a zone defined in the /etc/shorewall/zones - file , the name of the firewall -zone or "all"). Shorewall automatically allows all traffic -from the firewall to itself so the name of the -firewall zone cannot appear in both the SOURCE and DEST columns.
- -- POLICY - The default policy -for connection requests from the SOURCE zone to the DESTINATION - zone.
- -- LOG LEVEL - Optional. If left - empty, no log message is generated when the policy is applied. - Otherwise, this column should contain an integer or - name indicating a syslog level.
- -- LIMIT:BURST - Optional. If - left empty, TCP connection requests from the SOURCE - zone to the DEST zone will not be rate-limited. -Otherwise, this column specifies the maximum rate at -which TCP connection requests will be accepted followed by a -colon (":") followed by the maximum burst size that will be - tolerated. Example: 10/sec:40 specifies that the - maximum rate of TCP connection requests allowed will be 10 per - second and a burst of 40 connections will be tolerated. Connection - requests in excess of these limits will be dropped.
- -In the SOURCE and DEST columns, you can enter "all" to indicate all - zones.
- -The policy file installed by default is as follows:
- -- - -- -- - -
-- -SOURCE -DEST -POLICY -LOG -LEVEL -LIMIT:BURST -- -loc -net -ACCEPT --
--
-- -net -all -DROP -info --
-- - - - -all -all -REJECT -info --
-This table may be interpreted as follows:
- --
- -- All connection -requests from the local network to hosts on the - internet are accepted.
-- All connection -requests originating from the internet are ignored -and logged at level KERNEL.INFO.
-- All other connection - requests are rejected and logged.
- -WARNING:
- -The firewall script processes the - /etc/shorewall/policy file from top to bottom and - uses the first applicable policy that it finds. - For example, in the following policy file, the policy - for (loc, loc) connections would be ACCEPT as specified -in the first entry even though the third entry in the file specifies - REJECT.
- -- -- -- -
-- -SOURCE -DEST -POLICY -LOG LEVEL -LIMIT:BURST -- -loc -all -ACCEPT --
--
-- -net -all -DROP -info --
-- - - - -loc -loc -REJECT -info --
-IntraZone Traffic
- Shorewall allows a zone to be associated with more than -one interface or with multiple networks that interface through a single - interface. Beginning with Shorewall 1.4.1, Shorewall will ACCEPT all - traffic from a zone to itself provided that there is no explicit policy - governing traffic from that zone to itself (an explicit policy does -not specify "all" in either the SOURCE or DEST column) and that there -are no rules concerning connections from that zone to itself. If there -is an explicit policy or if there are one or more rules, then traffic within - the zone is handled just like traffic between zones is.
- -Any time that you have multiple interfaces associated with a single zone, - you should ask yourself if you really want traffic routed between - those interfaces. Cases where you might not want that behavior are:
- -
--
- -- Multiple 'net' interfaces to different ISPs. You -don't want to route traffic from one ISP to the other through your -firewall.
-- Multiple VPN clients. You don't necessarily want -them to all be able to communicate between themselves using your gateway/router.
- -
-The CONTINUE - policy
- -Where zones are nested or overlapping , the - CONTINUE policy allows hosts that are within multiple - zones to be managed under the rules of all of these -zones. Let's look at an example:
- -/etc/shorewall/zones:
- --- -- -
-- -ZONE -DISPLAY -COMMENTS -- -sam -Sam -Sam's system - at home -- -net -Internet -The Internet -- - - - -loc -Loc -Local Network -/etc/shorewall/interfaces:
- --- -- -
-- -ZONE -INTERFACE -BROADCAST -OPTIONS -- -- -eth0 -detect -dhcp,norfc1918 -- - - - -loc -eth1 -detect --
-/etc/shorewall/hosts:
- -- -- -- -
-- -ZONE -HOST(S) -OPTIONS -- -net -eth0:0.0.0.0/0 --
-- - - - -sam -eth0:206.191.149.197 --
-Note that Sam's home system is a member of both the sam zone - and the - net zone and as described above - , that means that sam must be listed before net - in /etc/shorewall/zones.
- -/etc/shorewall/policy:
- -- -- -- -
-- -- SOURCE -- DEST -POLICY -LOG -LEVEL -- -loc -net -ACCEPT --
-- -sam -all -CONTINUE --
-- -net -all -DROP -info -- - - - -all -all -REJECT -info -The second entry above says that when Sam is the client, connection - requests should first be process under rules where - the source zone is sam and if there is no match - then the connection request should be treated under rules - where the source zone is net. It is important that -this policy be listed BEFORE the next policy (net to all).
- -Partial /etc/shorewall/rules:
- -- -- -- -
-- -ACTION -SOURCE -DEST -PROTO -DEST -
- PORT(S)SOURCE -
- PORT(S)ORIGINAL -
- DEST- -... --
--
--
--
--
--
-- -DNAT -sam -loc:192.168.1.3 -tcp -ssh -- --
-- -DNAT -net -loc:192.168.1.5 -tcp -www -- --
-- - - - -... --
--
--
--
--
--
-Given these two rules, Sam can connect to the firewall's internet interface - with ssh and the connection request will be forwarded - to 192.168.1.3. Like all hosts in the net zone, - Sam can connect to the firewall's internet interface - on TCP port 80 and the connection request will be forwarded - to 192.168.1.5. The order of the rules is not significant.
- -Sometimes it is necessary to suppress port forwarding - for a sub-zone. For example, suppose that all -hosts can SSH to the firewall and be forwarded to 192.168.1.5 - EXCEPT Sam. When Sam connects to the firewall's external - IP, he should be connected to the firewall itself. Because - of the way that Netfilter is constructed, this requires two - rules as follows:
- --- -- - -
- -
-- -ACTION -SOURCE -DEST -PROTO -DEST -
- PORT(S)SOURCE -
- PORT(S)ORIGINAL -
- DEST- --
--
--
--
--
--
--
-- -... --
--
--
--
--
--
-- -DNAT -sam -fw -tcp -ssh -- --
-- -DNAT -net!sam -loc:192.168.1.3 -tcp -ssh -- --
-- - - - -... --
--
--
--
--
--
-The first rule allows Sam SSH access to the firewall. The second - rule says that any clients from the net zone - with the exception of those in the 'sam' - zone should have their connection - port forwarded to 192.168.1.3. - If you need to exclude more - than one zone in this way, you - can list the zones separated by - commas (e.g., net!sam,joe,fred). This - technique also may be used when - the ACTION is REDIRECT.
- -/etc/shorewall/rules
- -The /etc/shorewall/rules file defines exceptions to the policies established - in the /etc/shorewall/policy file. There is one -entry in /etc/shorewall/rules for each of these rules. -
- -
-Shorewall automatically enables firewall->firewall traffic over the - loopback interface (lo) -- that traffic cannot be regulated - using rules and any rule that tries to regulate such traffic - will generate a warning and will be ignored.
- -
-Entries in the file have the following columns:
- --
+ +- ACTION - - -
--
- - -- ACCEPT, DROP, -REJECT, CONTINUE. These have the same meaning here as -in the policy file above.
-- DNAT -- Causes - the connection request to be forwarded to the system - specified in the DEST column (port forwarding). "DNAT" - stands for "Destination Network - Address Translation"
-- DNAT- -- The above ACTION -(DNAT) generates two iptables rules: 1) and header-rewriting -rule in the Netfilter 'nat' table and; 2) an ACCEPT rule in -the Netfilter 'filter' table. DNAT- works like DNAT but only generates - the header-rewriting rule.
-
-- REDIRECT -- Causes - the connection request to be redirected to a port on - the local (firewall) system.
-- REDIRECT- -- The above ACTION (REDIRECT) generates - two iptables rules: 1) and header-rewriting rule in the Netfilter - 'nat' table and; 2) an ACCEPT rule in the Netfilter 'filter' -table. REDIRECT- works like REDIRECT but only generates the header-rewriting - rule.
-
-- LOG - Log the packet -- requires a syslog - level (see below).
- - -The ACTION may optionally be followed by ":" and a syslog level (example: REJECT:info). -This causes the packet to be logged at the specified level prior -to being processed according to the specified ACTION. Note: if the -ACTION is LOG then you MUST specify a syslog level.
-
-
- The use of DNAT or -REDIRECT requires that you have NAT - enabled.
-- SOURCE - Describes - the source hosts to which the rule applies.. The contents - of this field must begin with the name of a zone defined - in /etc/shorewall/zones, $FW or "all". If the ACTION -is DNAT or REDIRECT, sub-zones may be excluded from the rule -by following the initial zone name with "!' and a comma-separated - list of those sub-zones to be excluded. There is an example above.
-
- If the source is not - 'all' then the source may be further restricted by adding - a colon (":") followed by a comma-separated list of qualifiers. - Qualifiers are may include: +- ZONE + - A zone defined in the /etc/shorewall/zones + file or "-". If you specify "-", you must +use the /etc/shorewall/hosts + file to define the zones accessed via this interface.
+- INTERFACE + - the name of the interface (examples: eth0, ppp0, + ipsec+). Each interface can be listed on only one record + in this file. DO NOT INCLUDE + THE LOOPBACK INTERFACE (lo) IN THIS FILE!!!
+- BROADCAST + - the broadcast address(es) for the sub-network(s) + attached to the interface. This should be left empty + for P-T-P interfaces (ppp*, ippp*); if you need to specify + options for such an interface, enter "-" in this column. If + you supply the special value "detect" in this column, the firewall + will automatically determine the broadcast address. + In order to use "detect":
--
-- An interface -name - refers to any connection requests arriving on - the specified interface (example loc:eth4). Beginning - with Shorwall 1.3.9, the interface name may optionally be followed -by a colon (":") and an IP address or subnet (examples: loc:eth4:192.168.4.22, - net:eth0:192.0.2.0/24).
-- An IP address -- refers to a connection request from the host with - the specified address (example net:155.186.235.151). - If the ACTION is DNAT, this must not be a DNS name.
-- A MAC Address -in Shorewall format.
-- A subnet - refers - to a connection request from any host in the specified - subnet (example net:155.186.235.0/24).
- +- the interface must be up before you start +your firewall
+- the interface + must only be attached to a single sub-network (i.e., + there must have a single broadcast address).
+ +- DEST - Describes - the destination host(s) to which the rule applies. -May take most of the forms described above for SOURCE -plus the following two additional forms: - +
+- OPTIONS + - a comma-separated list of options. Possible options + include:
+ +
+
+ newnotsyn (Added in version 1.4.6) - This option + overrides NEWNOTSYN=No for packets arriving on + this interface. In other words, packets coming in on this interface are + processed as if NEWNOTSYN=Yes had been specified in /etc/shorewall/shorewall.conf.
+
+ routeback (Added in version 1.4.2) - This option causes Shorewall + to set up handling for routing packets that arrive on this interface + back out the same interface. If this option is specified, the ZONE column + may not contain "-".
+ + +tcpflags (added in version 1.3.11) - This option causes +Shorewall to make sanity checks on the header flags in TCP packets arriving +on this interface. Checks include Null flags, SYN+FIN, SYN+RST and FIN+URG+PSH; +these flag combinations are typically used for "silent" port scans. Packets + failing these checks are logged according to the TCP_FLAGS_LOG_LEVEL option + in /etc/shorewall/shorewall.conf and are disposed of +according to the TCP_FLAGS_DISPOSITION option.
+ + +
+
+ blacklist - This option +causes incoming packets on this interface +to be checked against the blacklist.
+
+ dhcp - The interface + is assigned an IP address via DHCP or is used + by a DHCP server running on the firewall. The firewall + will be configured to allow DHCP traffic to and from the + interface even when the firewall is stopped. You may + also wish to use this option if you have a static IP but you +are on a LAN segment that has a lot of Laptops that use DHCP and +you select the norfc1918 option (see below).norfc1918 - Packets arriving on this interface and that + have a source address that is reserved in RFC 1918 or in other + RFCs will be dropped after being optionally logged. + If packet mangling is enabled in /etc/shorewall/shorewall.conf + , then packets arriving on this interface that + have a destination address that is reserved by one of +these RFCs will also be logged and dropped.
+ + +
+
+ Addresses blocked +by the standard rfc1918 file + include those addresses reserved by RFC1918 plus + other ranges reserved by the IANA or by other RFCs.Beware that as IPv4 addresses become in increasingly short supply, + ISPs are beginning to use RFC 1918 addresses +within their own infrastructure. Also, many cable +and DSL "modems" have an RFC 1918 address that can be used +through a web browser for management and monitoring functions. + If you want to specify norfc1918 on your external + interface but need to allow access to certain addresses + from the above list, see FAQ 14.
+ + +routefilter - Invoke the Kernel's route filtering + (anti-spoofing) facility on this interface. The + kernel will reject any packets incoming on this interface + that have a source address that would be routed outbound + through another interface on the firewall. + Warning: If you specify this + option for an interface then the interface must be up prior +to starting the firewall.
+ + +dropunclean - Packets from this interface that + are selected by the 'unclean' match target in iptables will + be optionally logged and then dropped. + Warning: This feature requires + that UNCLEAN match support be configured in your + kernel, either in the kernel itself or as a module. UNCLEAN + support is broken in some versions of the kernel + but appears to work ok in 2.4.17-rc1.
+ + +
+ +
+ + Update 12/17/2001: The unclean match + patch from 2.4.17-rc1 is available + for download. I am currently + running this patch applied to kernel + 2.4.16.Update 12/20/2001: I've + seen a number of tcp connection + requests with OPT (020405B40000080A...) + being dropped in the badpkt chain. This + appears to be a bug in the remote TCP stack whereby +it is 8-byte aligning a timestamp (TCP option +8) but rather than padding with 0x01 it is padding + with 0x00. It's a tough call whether to deny people + access to your servers because of this rather minor + bug in their networking software. If you wish to disable +the check that causes these connections to be +dropped, here's + a kernel patch against 2.4.17-rc2.
+ + +logunclean - This option works like dropunclean + with the exception that packets + selected by the 'unclean' match +target in iptables are logged but not dropped. + The level at which the packets are logged +is determined by the setting of LOGUNCLEAN and if LOGUNCLEAN + has not been set, "info" is assumed.
+ + +proxyarp (Added in version 1.3.5) - This option causes + Shorewall to set /proc/sys/net/ipv4/conf/<interface>/proxy_arp + and is used when implementing + Proxy ARP Sub-netting as described + at + http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet/. Do + not set this option if you are implementing +Proxy ARP through entries in + /etc/shorewall/proxyarp.
+
+
+ maclist (Added + in version 1.3.10) - If this option is specified, all + connection requests from this interface are subject to + MAC Verification. May only +be specified for ethernet interfaces.My recommendations concerning options:
+ +
++
+ +- External Interface -- + tcpflags,blacklist,norfc1918,routefilter
+- Wireless Interface -- + maclist,routefilter,tcpflags
+
+- Don't use dropunclean + -- It's broken in my opinion
+- Use logunclean +only when you are trying to debug a problem
+- Use dhcp and proxyarp + when needed.
+ +
++ +
Example 1: You have a conventional firewall setup in which eth0 connects + to a Cable or DSL modem and eth1 connects to +your local network and eth0 gets its IP address via +DHCP. You want to check all packets entering from the internet + against the black list. Your /etc/shorewall/interfaces + file would be as follows:
+ ++ ++ ++ + +
++ ++ZONE ++INTERFACE ++BROADCAST ++OPTIONS ++ +net +eth0 +detect +dhcp,norfc1918,blacklist ++ + + + + +loc +eth1 +detect ++
+Example 2: You have a standalone dialup GNU/Linux System. Your /etc/shorewall/interfaces + file would be:
+ ++ ++ ++ + +
++ ++ZONE ++INTERFACE ++BROADCAST ++OPTIONS ++ + + + + +net +ppp0 ++
++
+Example 3: You have local interface eth1 with two IP addresses - + 192.168.1.1/24 and 192.168.12.1/24
+ ++ ++ ++ + +
++ ++ZONE ++INTERFACE ++BROADCAST ++OPTIONS ++ + + + + +loc +eth1 +192.168.1.255,192.168.12.255 ++
+/etc/shorewall/hosts + Configuration
+ +For most applications, specifying zones entirely in terms of network + interfaces is sufficient. There may be times though where you need to define +a zone to be a more general collection of hosts. This is the purpose of +the /etc/shorewall/hosts file.
+ +WARNING: The only times that you need entries +in /etc/shorewall/hosts are:
+ +
++
+ IF YOU DON'T HAVE EITHER OF THOSE SITUATIONS THEN +DON'T TOUCH THIS FILE!! +- You have more than one zone connecting through + a single interface; or
+- You have a zone that has multiple subnetworks + that connect through a single interface and you want the Shorewall + box to route traffic between those subnetworks.
+ +
+Columns in this file are:
+ ++
+ +- ZONE + - A zone defined in the /etc/shorewall/zones + file.
+- HOST(S) + - The name of a network interface followed by a colon + (":") followed by a comma-separated list either:
+ ++ ++ ++
+ + +- An + IP address (example - eth1:192.168.1.3)
+- A + subnet in CIDR notation (example + - eth2:192.168.2.0/24)
+ + +The interface name much match an entry in /etc/shorewall/interfaces.
+
+Warning: If you are running a +version of Shorewall earlier than 1.4.6, only a single host/subnet address +may be specified in an entry in /etc/shorewall/hosts.
+
++
+ +- OPTIONS + - A comma-separated list of option
+ ++ ++ +routeback (Added in version 1.4.2) - This option causes Shorewall + to set up handling for routing packets sent by this host group +back back to the same group.
+
+
+ maclist - Added in version 1.3.10. If specified, + connection requests from the hosts specified in this entry + are subject to MAC Verification. + This option is only valid for ethernet interfaces.
+If you don't define any hosts for a zone, the hosts in the zone default + to i0:0.0.0.0/0 , i1:0.0.0.0/0, ... where i0, + i1, ... are the interfaces to the zone.
+ +Note: You probably DON'T + want to specify any hosts for your internet zone since the +hosts that you specify will be the only ones that you will be able +to access without adding additional rules.
+ +Example 1:
+ +Your local interface is eth1 and you have two groups of local hosts that + you want to make into separate zones:
+ ++
+ +- 192.168.1.0/25 +
+- 192.168.1.128/
+ +Your /etc/shorewall/interfaces file might look like:
+ ++ ++ ++ + +
++ ++ZONE ++INTERFACE ++BROADCAST ++OPTIONS ++ +net +eth0 +detect +dhcp,norfc1918 ++ + + + + +- +eth1 +192.168.1.127,192.168.1.255 +
++
+The '-' in the ZONE column for eth1 tells Shorewall that eth1 interfaces + to multiple zones.
+ +Your /etc/shorewall/hosts file might look like:
+ ++ + ++ ++ + +
++ ++ZONE ++HOST(S) ++OPTIONS ++ +loc1 +eth1:192.168.1.0/25 ++
++ + + + + +loc2 +eth1:192.168.1.128/25 ++
+Example 2:
+ +Your local interface is eth1 and you have two groups of local hosts that + you want to consider as one zone and you want Shorewall to route + between them:
+ ++
+ +- 192.168.1.0/25
+- 192.168.1.128/25
+ +Your /etc/shorewall/interfaces file might look like:
+ ++ ++ ++ + +
++ ++ZONE ++INTERFACE ++BROADCAST ++OPTIONS ++ +net +eth0 +detect +dhcp,norfc1918 ++ + + + + +loc +
+eth1 +192.168.1.127,192.168.1.255 +
++
+Your /etc/shorewall/hosts file might look like:
+ ++ + ++ If you are running Shorewall +1.4.6 or later, your hosts file may look like:+ + +
++ ++ZONE ++HOST(S) ++OPTIONS ++ +loc +eth1:192.168.1.0/25 ++
++ + + + + +loc +eth1:192.168.1.128/25 ++
+
++++ + +
++ ++ZONE ++HOST(S) ++OPTIONS ++ + + + + + +loc +eth1:192.168.1.0/25,192.168.1.128/25 ++
+
+Nested and Overlapping Zones
+ +The /etc/shorewall/interfaces and /etc/shorewall/hosts file allow +you to define nested or overlapping zones. Such overlapping/nested zones + are allowed and Shorewall processes zones in the order +that they appear in the /etc/shorewall/zones file. So if +you have nested zones, you want the sub-zone to appear before +the super-zone and in the case of overlapping zones, the rules + that will apply to hosts that belong to both zones is + determined by which zone appears first in /etc/shorewall/zones.
+ +Hosts that belong to more than one zone may be managed by the rules + of all of those zones. This is done through use + of the special CONTINUE policy described + below.
+ +/etc/shorewall/policy + Configuration.
+ +This file is used to describe the firewall policy regarding establishment + of connections. Connection establishment is described + in terms of clients who initiate connections +and servers who receive those connection requests. + Policies defined in /etc/shorewall/policy describe which + zones are allowed to establish connections with other zones.
+ +Policies established in /etc/shorewall/policy can be viewed as default + policies. If no rule in /etc/shorewall/rules applies + to a particular connection request then the policy +from /etc/shorewall/policy is applied.
+ +Four policies are defined:
+ ++
+ +- ACCEPT + - The connection is allowed.
+- DROP + - The connection request is ignored.
+- REJECT + - The connection request is rejected with an RST (TCP) + or an ICMP destination-unreachable packet being returned + to the client.
+- CONTINUE + - The connection is neither ACCEPTed, DROPped + nor REJECTed. CONTINUE may be used when one or both of +the zones named in the entry are sub-zones of or intersect +with another zone. For more information, see below.
+- NONE - (Added in version 1.4.1) - Shorewall + should not set up any infrastructure for handling traffic from the + SOURCE zone to the DEST zone. When this policy is specified, the LOG + LEVEL and BURST:LIMIT columns must be left + blank.
+ +
+For each policy specified in /etc/shorewall/policy, you can indicate + that you want a message sent to your system log + each time that the policy is applied.
+ +Entries in /etc/shorewall/policy have four columns as follows:
+ ++ +
+ +- SOURCE - The name of a client + zone (a zone defined in the /etc/shorewall/zones + file , the name of the firewall + zone or "all").
+ +- DEST - The name of a destination + zone (a zone defined in the /etc/shorewall/zones + file , the name of the firewall + zone or "all"). Shorewall automatically allows all traffic + from the firewall to itself so the name of the +firewall zone cannot appear in both the SOURCE and DEST columns.
+ +- POLICY - The default policy + for connection requests from the SOURCE zone to the DESTINATION + zone.
+ +- LOG LEVEL - Optional. If left + empty, no log message is generated when the policy is +applied. Otherwise, this column should contain an integer + or name indicating a syslog +level.
+ +- LIMIT:BURST - Optional. +If left empty, TCP connection requests from the SOURCE + zone to the DEST zone will not be rate-limited. + Otherwise, this column specifies the maximum rate at + which TCP connection requests will be accepted followed by +a colon (":") followed by the maximum burst size that will +be tolerated. Example: 10/sec:40 specifies that +the maximum rate of TCP connection requests allowed will be 10 + per second and a burst of 40 connections will be tolerated. Connection + requests in excess of these limits will be dropped.
+ +In the SOURCE and DEST columns, you can enter "all" to indicate all + zones.
+ +The policy file installed by default is as follows:
+ ++ + ++ ++ + +
++ +SOURCE +DEST ++POLICY ++LOG LEVEL +LIMIT:BURST ++ +loc +net +ACCEPT ++
++
++ +net +all +DROP +info ++
++ + + + + +all +all +REJECT +info ++
+This table may be interpreted as follows:
+ ++
+ +- All connection + requests from the local network to hosts on the + internet are accepted.
+- All connection + requests originating from the internet are ignored +and logged at level KERNEL.INFO.
+- All other connection + requests are rejected and logged.
+ +WARNING:
+ +The firewall script processes the + /etc/shorewall/policy file from top to bottom and + uses the first applicable policy that it finds. + For example, in the following policy file, the policy + for (loc, loc) connections would be ACCEPT as specified + in the first entry even though the third entry in the file specifies + REJECT.
+ ++ ++ ++ +
++ +SOURCE +DEST +POLICY +LOG +LEVEL +LIMIT:BURST ++ +loc +all +ACCEPT ++
++
++ +net +all +DROP +info ++
++ + + + + +loc +loc +REJECT +info ++
+IntraZone Traffic
+ Shorewall allows a zone to be associated with more than + one interface or with multiple networks that interface through +a single interface. Beginning with Shorewall 1.4.1, Shorewall will +ACCEPT all traffic from a zone to itself provided that there is no +explicit policy governing traffic from that zone to itself (an explicit +policy does not specify "all" in either the SOURCE or DEST column) +and that there are no rules concerning connections from that zone to +itself. If there is an explicit policy or if there are one or more rules, +then traffic within the zone is handled just like traffic between zones +is.
+ +Any time that you have multiple interfaces associated with a single zone, + you should ask yourself if you really want traffic routed between + those interfaces. Cases where you might not want that behavior are:
+ +
++
+ +- Multiple 'net' interfaces to different ISPs. You + don't want to route traffic from one ISP to the other through your + firewall.
+- Multiple VPN clients. You don't necessarily want + them to all be able to communicate between themselves using your gateway/router.
+ +
+The CONTINUE + policy
+ +Where zones are nested or overlapping , the + CONTINUE policy allows hosts that are within multiple + zones to be managed under the rules of all of these +zones. Let's look at an example:
+ +/etc/shorewall/zones:
+ ++ ++ ++ +
++ ++ZONE ++DISPLAY ++COMMENTS ++ +sam +Sam +Sam's + system at home ++ +net +Internet +The Internet ++ + + + + +loc +Loc +Local + Network +/etc/shorewall/interfaces:
+ ++ ++ ++ +
++ ++ZONE ++INTERFACE ++BROADCAST ++OPTIONS ++ +- +eth0 +detect +dhcp,norfc1918 ++ + + + + +loc +eth1 +detect ++
+/etc/shorewall/hosts:
+ ++ ++ ++ +
++ ++ZONE ++HOST(S) ++OPTIONS ++ +net +eth0:0.0.0.0/0 ++
++ + + + + +sam +eth0:206.191.149.197 ++
+Note that Sam's home system is a member of both the sam zone + and the + net zone and as described above + , that means that sam must be listed before net + in /etc/shorewall/zones.
+ +/etc/shorewall/policy:
+ ++ ++ ++ +
++ ++ SOURCE ++ DEST ++POLICY ++LOG LEVEL ++ +loc +net +ACCEPT ++
++ +sam +all +CONTINUE ++
++ +net +all +DROP +info ++ + + + + +all +all +REJECT +info +The second entry above says that when Sam is the client, connection + requests should first be process under rules where + the source zone is sam and if there is no match + then the connection request should be treated under rules + where the source zone is net. It is important that +this policy be listed BEFORE the next policy (net to all).
+ +Partial /etc/shorewall/rules:
+ ++ ++ ++ +
++ +ACTION +SOURCE +DEST ++PROTO +DEST +
+ PORT(S)SOURCE +
+ PORT(S)ORIGINAL +
+ DEST+ +... ++
++
++
++
++
++
++ +DNAT +sam +loc:192.168.1.3 +tcp +ssh +- ++
++ +DNAT +net +loc:192.168.1.5 +tcp +www +- ++
++ + + + + +... ++
++
++
++
++
++
+Given these two rules, Sam can connect to the firewall's internet interface + with ssh and the connection request will be forwarded + to 192.168.1.3. Like all hosts in the net zone, + Sam can connect to the firewall's internet interface + on TCP port 80 and the connection request will be forwarded + to 192.168.1.5. The order of the rules is not significant.
+ +Sometimes it is necessary to suppress port forwarding + for a sub-zone. For example, suppose that all + hosts can SSH to the firewall and be forwarded to 192.168.1.5 + EXCEPT Sam. When Sam connects to the firewall's external + IP, he should be connected to the firewall itself. Because + of the way that Netfilter is constructed, this requires two + rules as follows:
+ ++ ++ ++ + +
+ +
++ +ACTION +SOURCE +DEST ++PROTO +DEST +
+ PORT(S)SOURCE +
+ PORT(S)ORIGINAL +
+ DEST+ ++
++
++
++
++
++
++
++ +... ++
++
++
++
++
++
++ +DNAT +sam +fw +tcp +ssh +- ++
++ +DNAT +net!sam +loc:192.168.1.3 +tcp +ssh +- ++
++ + + + + +... ++
++
++
++
++
++
+The first rule allows Sam SSH access to the firewall. The second + rule says that any clients from the net zone + with the exception of those in the +'sam' zone should have their + connection port forwarded to + 192.168.1.3. If you need to exclude + more than one zone in this way, you + can list the zones separated + by commas (e.g., net!sam,joe,fred). + This technique also may be used when + the ACTION is REDIRECT.
+ +/etc/shorewall/rules
+ +The /etc/shorewall/rules file defines exceptions to the policies established + in the /etc/shorewall/policy file. There is one + entry in /etc/shorewall/rules for each of these rules. +
+ +
+Shorewall automatically enables firewall->firewall traffic over the + loopback interface (lo) -- that traffic cannot be regulated + using rules and any rule that tries to regulate such traffic + will generate a warning and will be ignored.
+ +
+Entries in the file have the following columns:
+ ++
- +- ACTION + +
+-
- Restrictions:- An IP address -followed by a colon and the port number - that the server is listening on (service names from /etc/services - are not allowed - example loc:192.168.1.3:80). -
-
-- A single port -number (again, service names are not allowed) -- this -form is only allowed if the ACTION is REDIRECT and refers - to a server running on the firewall itself and listening - on the specified port.
+- ACCEPT, DROP, + REJECT, CONTINUE. These have the same meaning here as + in the policy file above.
+- DNAT -- Causes + the connection request to be forwarded to the system + specified in the DEST column (port forwarding). "DNAT" + stands for "Destination Network + Address Translation"
+- DNAT- -- The above ACTION + (DNAT) generates two iptables rules: 1) and header-rewriting + rule in the Netfilter 'nat' table and; 2) an ACCEPT rule +in the Netfilter 'filter' table. DNAT- works like DNAT but only +generates the header-rewriting rule.
+
+- REDIRECT -- + Causes the connection request to be redirected to +a port on the local (firewall) system.
+- REDIRECT- -- The above ACTION (REDIRECT) generates + two iptables rules: 1) and header-rewriting rule in the Netfilter + 'nat' table and; 2) an ACCEPT rule in the Netfilter 'filter' + table. REDIRECT- works like REDIRECT but only generates the header-rewriting + rule.
+
+- LOG - Log the packet -- requires a syslog + level (see below).
- +
- + +The ACTION may optionally be followed by ":" and a syslog level (example: REJECT:info). This +causes the packet to be logged at the specified level prior to being +processed according to the specified ACTION. Note: if the ACTION +is LOG then you MUST specify a syslog level.
+
+
+ The use of DNAT +or REDIRECT requires that you have NAT enabled.
+- SOURCE +- Describes the source hosts to which the rule applies.. + The contents of this field must begin with the +name of a zone defined in /etc/shorewall/zones, $FW or "all". + If the ACTION is DNAT or REDIRECT, sub-zones may be excluded + from the rule by following the initial zone name with "!' + and a comma-separated list of those sub-zones to be excluded. + There is an example above.
-
+
+ If the source is +not 'all' then the source may be further restricted by +adding a colon (":") followed by a comma-separated list +of qualifiers. Qualifiers are may include: + +-
- Unlike in the SOURCE column, a range of up to 256 IP addresses may be -specified in the DEST column as <first address>-<last address>. - When the ACTION is DNAT or DNAT-, connections will be assigned to -the addresses in the range in a round-robin fashion (load-balancing).- MAC addresses may not be specified.
-- In DNAT rules, only an IP address may be given - -- DNS names are not permitted.
-- You may not specify both an IP address and -an interface name in the DEST column.
+- An interface + name - refers to any connection requests arriving on + the specified interface (example loc:eth4). Beginning + with Shorwall 1.3.9, the interface name may optionally be followed + by a colon (":") and an IP address or subnet (examples: loc:eth4:192.168.4.22, + net:eth0:192.0.2.0/24).
+- An IP address + - refers to a connection request from the host with + the specified address (example net:155.186.235.151). + If the ACTION is DNAT, this must not be a DNS name.
+- A MAC Address + in Shorewall +format.
+- A subnet - +refers to a connection request from any host in the + specified subnet (example net:155.186.235.0/24).
- +
-- PROTO -- Protocol. Must be a protocol name from /etc/protocols, - a number or "all". Specifies the protocol of the connection - request.
-- DEST PORT(S) - - Port or port range (<low port>:<high port>) - being connected to. May only be specified if the protocol - is tcp, udp or icmp. For icmp, this column's contents - are interpreted as an icmp type. If you don't want to specify - DEST PORT(S) but need to include information in one of the columns - to the right, enter "-" in this column. You may give a list - of ports and/or port ranges separated by commas. Port numbers -may be either integers or service names from /etc/services.
-- SOURCE - PORTS(S) - May be used to restrict the - rule to a particular client port or port range (a port range - is specified as <low port number>:<high port - number>). If you don't want to restrict client ports but want -to specify something in the next column, enter "-" in this column. - If you wish to specify a list of port number or ranges, separate - the list elements with commas (with no embedded white space). - Port numbers may be either integers or service names from +
+- DEST +- Describes the destination host(s) to which the rule + applies. May take most of the forms described above for + SOURCE plus the following two additional forms: + + +
++
+ Restrictions:- An IP address + followed by a colon and the port number + that the server is listening on (service names from +/etc/services are not allowed - example loc:192.168.1.3:80). +
+
+- A single port + number (again, service names are not allowed) -- + this form is only allowed if the ACTION is REDIRECT and refers + to a server running on the firewall itself and listening + on the specified port.
+ + +
+ + ++
+ Unlike in the SOURCE column, a range of IP addresses may be specified + in the DEST column as <first address>-<last address>. + When the ACTION is DNAT or DNAT-, connections will be assigned +to the addresses in the range in a round-robin fashion (load-balancing).- MAC addresses may not be specified.
+- In DNAT rules, only IP addresses may be +given -- DNS names are not permitted.
+- You may not specify both an IP address and + an interface name in the DEST column.
+ + +
+- PROTO + - Protocol. Must be a protocol name from /etc/protocols, + a number or "all". Specifies the protocol of the connection + request.
+- DEST + PORT(S) - Port or port range (<low port>:<high + port>) being connected to. May only be specified + if the protocol is tcp, udp or icmp. For icmp, this +column's contents are interpreted as an icmp type. If you + don't want to specify DEST PORT(S) but need to include information + in one of the columns to the right, enter "-" in this column. + You may give a list of ports and/or port ranges separated by +commas. Port numbers may be either integers or service names from /etc/services.
-- ORIGINAL DEST - - This column may only be non-empty if the ACTION is - DNAT or REDIRECT.
-
- If DNAT or REDIRECT -is the ACTION and the ORIGINAL DEST column is left empty, - any connection request arriving at the firewall from - the SOURCE that matches the rule will be forwarded or redirected. - This works fine for connection requests arriving from - the internet where the firewall has only a single external - IP address. When the firewall has multiple external IP addresses - or when the SOURCE is other than the internet, there will - usually be a desire for the rule to only apply to those connection - requests directed to particular IP addresses (see Example -2 below for another usage). Those IP addresses are specified in the - ORIGINAL DEST column as a comma-separated list.
-
- The IP address(es) -may be optionally followed by ":" and a second IP - address. This latter address, if present, is used as the +- SOURCE + PORTS(S) - May be used to restrict the + rule to a particular client port or port range (a port +range is specified as <low port number>:<high + port number>). If you don't want to restrict client ports but + want to specify something in the next column, enter "-" in +this column. If you wish to specify a list of port number + or ranges, separate the list elements with commas (with +no embedded white space). Port numbers may be either integers + or service names from /etc/services.
+- ORIGINAL +DEST - This column may only be non-empty if the + ACTION is DNAT or REDIRECT.
- +
+
+ If DNAT or REDIRECT + is the ACTION and the ORIGINAL DEST column is left +empty, any connection request arriving at the firewall + from the SOURCE that matches the rule will be forwarded + or redirected. This works fine for connection requests +arriving from the internet where the firewall has only a +single external IP address. When the firewall has multiple + external IP addresses or when the SOURCE is other than the +internet, there will usually be a desire for the rule to only +apply to those connection requests directed to particular + IP addresses (see Example 2 below for another usage). Those IP +addresses are specified in the ORIGINAL DEST column as a comma-separated +list.
+
+ The IP address(es) + may be optionally followed by ":" and a second IP + address. This latter address, if present, is used as the source address for packets forwarded to the server (This is called "Source NAT" or SNAT.
-
- If this list begins with "!" then the rule will only apply if the original - destination address matches none of the addresses listed.
-
- Note: - When using SNAT, it is a good idea to qualify the source with -an IP address or subnet. Otherwise, it is likely that SNAT will -occur on connections other than those described in the rule. -The reason for this is that SNAT occurs in the Netfilter POSTROUTING -hook where it is not possible to restrict the scope of a rule -by incoming interface.
-
- Example: -DNAT loc:192.168.1.0/24 loc:192.168.1.3 +
+ If this list begins with "!" then the rule will only apply if the + original destination address matches none of the addresses listed.
+
+ Note: + When using SNAT, it is a good idea to qualify the source with + an IP address or subnet. Otherwise, it is likely that SNAT will + occur on connections other than those described in the rule. + The reason for this is that SNAT occurs in the Netfilter POSTROUTING + hook where it is not possible to restrict the scope of a rule + by incoming interface.
+
+ Example: + DNAT loc:192.168.1.0/24 loc:192.168.1.3 tcp www - 206.124.146.179:192.168.1.3
-
- If SNAT is - not used (no ":" and second IP address), the original - source address is used. If you want any destination address - to match the rule but want to specify SNAT, simply use -a colon followed by the SNAT address.
+ If SNAT + is not used (no ":" and second IP address), the + original source address is used. If you want any destination + address to match the rule but want to specify SNAT, + simply use a colon followed by the SNAT address. +Example 1. You wish to forward all - ssh connection requests from the internet to + name="PortForward"> Example 1. You wish to forward all + ssh connection requests from the internet to local system 192.168.1.3.
- +- + face="Century Gothic, Arial, Helvetica"> +- -- -
-- -ACTION -SOURCE -DEST -PROTO -DEST -
- PORT(S)SOURCE -
- PORT(S)ORIGINAL -
- DEST- + +DNAT -net -loc:192.168.1.3 -tcp -ssh --
--
-+ +ACTION +SOURCE +DEST ++PROTO +DEST +
+ PORT(S)SOURCE +
+ PORT(S)ORIGINAL +
+ DEST+ - - + + +DNAT +net +loc:192.168.1.3 +tcp +ssh ++
++
+Example 2. You want to redirect all local www connection requests - EXCEPT - those to your own http server (206.124.146.177) - to a Squid transparent proxy - running on the firewall and listening on port 3128. Squid will - of course require access to remote web servers. This example - shows yet another use for the ORIGINAL - DEST column; here, connection - requests that were NOT - (notice the +
Example 2. You want to redirect all local www connection requests + EXCEPT + those to your own http server (206.124.146.177) + to a Squid transparent proxy + running on the firewall and listening on port 3128. Squid will + of course require access to remote web servers. This example + shows yet another use for the ORIGINAL + DEST column; here, connection + requests that were NOT + (notice the "!") originally destined to 206.124.146.177 are redirected to local port 3128.
- +- + face="Century Gothic, Arial, Helvetica"> +- -- -
-- -ACTION -SOURCE -DEST -PROTO -DEST -
- PORT(S)SOURCE -
- PORT(S)ORIGINAL -
- DEST- -REDIRECT -loc -3128 -tcp -www -- -
-!206.124.146.177 -- + +ACCEPT -fw -net -tcp -www --
--
-+ +ACTION +SOURCE +DEST ++PROTO +DEST +
+ PORT(S)SOURCE +
+ PORT(S)ORIGINAL +
+ DEST+ +REDIRECT +loc +3128 +tcp +www +- +
+!206.124.146.177 ++ - - + + +ACCEPT +fw +net +tcp +www ++
++
+
Example 3. You want to run a web server at 155.186.235.222 in -your DMZ and have it accessible remotely and locally. the DMZ is managed - by Proxy ARP or by classical sub-netting.
- + + +Example 3. You want to run a web server at 155.186.235.222 in your + DMZ and have it accessible remotely and locally. the DMZ is managed + by Proxy ARP or by classical sub-netting.
+- + face="Century Gothic, Arial, Helvetica"> +- -- -
-- -ACTION -SOURCE -DEST -PROTO -DEST -
- PORT(S)SOURCE -
- PORT(S)ORIGINAL -
- DEST- -ACCEPT -net -dmz:155.186.235.222 -tcp -www -- --
-- + +ACCEPT -loc -dmz:155.186.235.222 -tcp -www --
--
-+ +ACTION +SOURCE +DEST ++PROTO +DEST +
+ PORT(S)SOURCE +
+ PORT(S)ORIGINAL +
+ DEST+ +ACCEPT +net +dmz:155.186.235.222 +tcp +www +- ++
++ - - + + +ACCEPT +loc +dmz:155.186.235.222 +tcp +www ++
++
+
Example 4. You want to run wu-ftpd on 192.168.2.2 in your masqueraded - DMZ. Your internet interface address is 155.186.235.151 - and you want the FTP server to be accessible from -the internet in addition to the local 192.168.1.0/24 and -dmz 192.168.2.0/24 subnetworks. Note that since the server -is in the 192.168.2.0/24 subnetwork, we can assume that access - to the server from that subnet will not involve the firewall - (but see FAQ 2). Note that unless you - have more than one external IP -address, you can leave the ORIGINAL + + +
Example 4. You want to run wu-ftpd on 192.168.2.2 in your masqueraded
+ DMZ. Your internet interface address is 155.186.235.151
+ and you want the FTP server to be accessible from
+ the internet in addition to the local 192.168.1.0/24 and
+ dmz 192.168.2.0/24 subnetworks. Note that since the server
+ is in the 192.168.2.0/24 subnetwork, we can assume that access
+ to the server from that subnet will not involve the firewall
+ (but see FAQ 2). Note that unless you
+ have more than one external IP
+ address, you can leave the ORIGINAL
DEST column blank in the first
rule. You cannot leave
it blank in the second
@@ -1734,1617 +1861,1605 @@ rule though because
clearly not what you
want
- .
- + face="Century Gothic, Arial, Helvetica"> +- -- -
-- -ACTION -SOURCE -DEST -PROTO -DEST -
- PORT(S)SOURCE -
- PORT(S)ORIGINAL -
- DEST- -DNAT -net -dmz:192.168.2.2 -tcp -ftp --
--
-- + +DNAT -loc:192.168.1.0/24 -dmz:192.168.2.2 -tcp -ftp -- -155.186.235.151 -+ +ACTION +SOURCE +DEST ++PROTO +DEST +
+ PORT(S)SOURCE +
+ PORT(S)ORIGINAL +
+ DEST+ +DNAT +net +dmz:192.168.2.2 +tcp +ftp ++
++
++ +DNAT +loc:192.168.1.0/24 +dmz:192.168.2.2 +tcp +ftp +- - -155.186.235.151 + + + + +
If you are running wu-ftpd, you should restrict the range of passive - in your /etc/ftpaccess file. I only need a few simultaneous FTP sessions - so I use port range 65500-65535. In /etc/ftpaccess, - this entry is appropriate:
- -++ +
If you are running wu-ftpd, you should restrict the range of passive + in your /etc/ftpaccess file. I only need a few simultaneous FTP sessions + so I use port range 65500-65535. In /etc/ftpaccess, + this entry is appropriate:
+ ++- -passive ports 0.0.0.0/0 65500 65534
-
If you are running pure-ftpd, you would include "-p 65500:65534" on - the pure-ftpd runline.
- -The important point here is to ensure that the port range used for FTP - passive connections is unique and will not overlap - with any usage on the firewall system.
- -Example 5. You wish to allow unlimited - DMZ access to the host with MAC address - 02:00:08:E3:FA:55.
- + + +If you are running pure-ftpd, you would include "-p 65500:65534" on + the pure-ftpd runline.
+ +The important point here is to ensure that the port range used for FTP + passive connections is unique and will not overlap + with any usage on the firewall system.
+ +Example 5. You wish to allow unlimited + DMZ access to the host with MAC address + 02:00:08:E3:FA:55.
+- + face="Century Gothic, Arial, Helvetica"> ++ - Example 6. You wish to allow access to -the SMTP server in your DMZ from all zones.- -
-- -ACTION -SOURCE -DEST -PROTO -DEST -
- PORT(S)SOURCE -
- PORT(S)ORIGINAL -
- DEST- + +ACCEPT -loc:~02-00-08-E3-FA-55 -dmz -all --
--
--
-+ +ACTION +SOURCE +DEST ++PROTO +DEST +
+ PORT(S)SOURCE +
+ PORT(S)ORIGINAL +
+ DEST+ - - + + +ACCEPT +loc:~02-00-08-E3-FA-55 +dmz +all ++
++
++
+
+ Example 6. You wish to allow access +to the SMTP server in your DMZ from all zones.+ +
+ ++- Example 7. Your firewall's external - interface has several IP addresses but you only want to accept SSH connections - on address 206.124.146.176.- -
-- -ACTION -
-SOURCE -
-DEST -
-PROTO -
-DEST -
- PORT(S)
-SOURCE -
- PORT(S)
-ORIGINAL -
- DEST
-- + +ACCEPT -
-all -
-dmz -
-tcp -
-25 -
--
--
-+ +ACTION +
+SOURCE +
+DEST +
+PROTO +
+DEST +
+ PORT(S)
+SOURCE +
+ PORT(S)
+ORIGINAL +
+ DEST
++ - - + + +ACCEPT +
+all +
+dmz +
+tcp +
+25 +
++
++
+
- Note: When 'all' is used as a -source or destination, intra-zone traffic is not affected. -In this example, if there were two DMZ interfaces then the - above rule would NOT enable SMTP traffic between hosts on these - interfaces.
-
- -++ Example 7. Your firewall's + external interface has several IP addresses but you only want to accept + SSH connections on address 206.124.146.176.
+ Note: When 'all' is used as +a source or destination, intra-zone traffic is not affected. + In this example, if there were two DMZ interfaces then the + above rule would NOT enable SMTP traffic between hosts on these + interfaces.
+
+ ++- Example 8 (For advanced users running Shorewall version - 1.3.13 or later). From the internet, you with to forward - tcp port 25 directed to 192.0.2.178 and 192.0.2.179 to host - 192.0.2.177 in your DMZ. You also want to allow access from the - internet directly to tcp port 25 on 192.0.2.177.- -
-- -ACTION -
-SOURCE -
-DEST -
-PROTO -
-DEST -
- PORT(S)
-SOURCE -
- PORT(S)
-ORIGINAL -
- DEST
-- + +ACCEPT -
-net -
-fw:206.124.146.176 -
-tcp -
-22 -
--
--
-+ +ACTION +
+SOURCE +
+DEST +
+PROTO +
+DEST +
+ PORT(S)
+SOURCE +
+ PORT(S)
+ORIGINAL +
+ DEST
++ - - + + +ACCEPT +
+net +
+fw:206.124.146.176 +
+tcp +
+22 +
++
++
+
- -++ Example 8 (For advanced users running Shorewall version + 1.3.13 or later). From the internet, you with to forward + tcp port 25 directed to 192.0.2.178 and 192.0.2.179 to host + 192.0.2.177 in your DMZ. You also want to allow access from the + internet directly to tcp port 25 on 192.0.2.177.
+ ++- Using "DNAT-" rather than "DNAT" avoids - two extra copies of the third rule from being generated.- -
-- -ACTION -
-SOURCE -
-DEST -
-PROTO -
-DEST -
- PORT(S)
-SOURCE -
- PORT(S)
-ORIGINAL -
- DEST
-- -DNAT- -
-net -
-dmz:192.0.2.177 -
-tcp -
-25 -
-0 -
-192.0.2.178 -
-- -DNAT- -
-net -
-dmz:192.0.2.177 -
-tcp -
-25 -
-0 -
-192.0.2.179 -
-- + +ACCEPT -
-net -
-dmz:192.0.2.177 -
-tcp -
-25 -
--
--
-+ +ACTION +
+SOURCE +
+DEST +
+PROTO +
+DEST +
+ PORT(S)
+SOURCE +
+ PORT(S)
+ORIGINAL +
+ DEST
++ +DNAT- +
+net +
+dmz:192.0.2.177 +
+tcp +
+25 +
+0 +
+192.0.2.178 +
++ +DNAT- +
+net +
+dmz:192.0.2.177 +
+tcp +
+25 +
+0 +
+192.0.2.179 +
++ - - + + +ACCEPT +
+net +
+dmz:192.0.2.177 +
+tcp +
+25 +
++
++
+
-
- Example 9a (Shorewall version 1.4.6 or later). You have 9 http servers - behind a Shorewall firewall and you want connection requests to be distributed - among your servers. The servers are 192.168.1.101-192.168.1.109.
-
- -++ Using "DNAT-" rather than "DNAT" +avoids two extra copies of the third rule from being generated.
+
+ Example 9 (Shorewall version 1.4.6 or later). You have 9 http +servers behind a Shorewall firewall and you want connection requests to +be distributed among your servers. The servers are 192.168.1.101-192.168.1.109.
+
+ ++- Note that Shorewall limits the use of IP - ranges in DNAT rules to 256 addresses. For even a moderate number of addresses - (> 16), it is better to split the single DNAT rule into a DNAT- rule -that specifies the range of addresses (no limit on the number of addresses -in the range) and one or more ACCEPT rules that use CIDR in the destination -to cover the range. For example, if the range of addresses was 192.168.1.32 -- 192.168.1.63:- -
-- -ACTION -
-SOURCE -
-DEST -
-PROTO -
-DEST -
- PORT(S)
-SOURCE -
- PORT(S)
-ORIGINAL -
- DEST
-- + +DNAT -
-net -
-loc:192.168.1.101-192.168.1.109 -
-tcp -
-80 -
--
--
-+ +ACTION +
+SOURCE +
+DEST +
+PROTO +
+DEST +
+ PORT(S)
+SOURCE +
+ PORT(S)
+ORIGINAL +
+ DEST
++ - - + + +DNAT +
+net +
+loc:192.168.1.101-192.168.1.109 +
+tcp +
+80 +
++
++
+
-
- Example 9b:
- --- The above generates a much more efficient ruleset than the one in Example - 9a.- -
-- -ACTION -
-SOURCE -
-DEST -
-PROTO -
-DEST -
- PORT(S)
-SOURCE -
- PORT(S)
-ORIGINAL -
- DEST
-- -DNAT- -
-net -
-loc:192.168.1.32-192.168.1.63 -
-tcp -
-80 -
--
--
-- - - - -ACCEPT -
-net -
-loc:192.168.1.32/27 -
-tcp -
-80 -
--
--
-
-
- - - +
Look here for information on other services. +
+Shorewall allows definition of rules that apply between - all zones. By default, these rules - are defined in the file - /etc/shorewall/common.def - but may be modified to - suit individual - requirements. Rather than modify /etc/shorewall/common.def, - you should copy that - file to + +
Shorewall allows definition of rules that apply between + all zones. By default, these rules + are defined in the file + /etc/shorewall/common.def + but may be modified to + suit individual + requirements. Rather than modify /etc/shorewall/common.def, + you should copy that + file to /etc/shorewall/common and modify that file.
- -The /etc/shorewall/common - file is expected to contain iptables - commands; rather than - running iptables - directly, you should run - it indirectly using the - Shorewall function 'run_iptables'. - That way, if iptables encounters - an error, the firewall will be - safely stopped.
- + +The /etc/shorewall/common + file is expected to contain iptables + commands; rather than + running iptables + directly, you should run + it indirectly using the + Shorewall function 'run_iptables'. + That way, if iptables encounters + an error, the firewall will +be safely stopped.
+The /etc/shorewall/masq file is used to define classical IP Masquerading - and Source Network Address Translation (SNAT). -There is one entry in the file for each subnet that - you want to masquerade. In order to make use of this feature, + +
The /etc/shorewall/masq file is used to define classical IP Masquerading + and Source Network Address Translation (SNAT). +There is one entry in the file for each subnet that +you want to masquerade. In order to make use of this feature, you must have NAT enabled .
- +Columns are:
- +Example 1: You have eth0 connected to a cable modem and eth1 - connected to your local subnetwork 192.168.9.0/24. - Your /etc/shorewall/masq file would look like: + +
Example 1: You have eth0 connected to a cable modem and eth1 + connected to your local subnetwork 192.168.9.0/24. + Your /etc/shorewall/masq file would look like:
- -+ ++ ++- -- -
-- -INTERFACE -SUBNET -ADDRESS -- + +eth0 -192.168.9.0/24 --
-+ ++INTERFACE ++SUBNET +ADDRESS ++ - - + + +eth0 +192.168.9.0/24 ++
+Example 2: You have a number of IPSEC tunnels through ipsec0 - and you want to masquerade traffic from your -192.168.9.0/24 subnet to the remote subnet 10.1.0.0/16 +
Example 2: You have a number of IPSEC tunnels through ipsec0 + and you want to masquerade traffic from your +192.168.9.0/24 subnet to the remote subnet 10.1.0.0/16 only.
- -+ ++ ++- -- -
-- -INTERFACE -SUBNET -ADDRESS -- + +ipsec0:10.1.0.0/16 -192.168.9.0/24 --
-+ ++INTERFACE ++SUBNET +ADDRESS ++ - - + + +ipsec0:10.1.0.0/16 +192.168.9.0/24 ++
+Example 3: You have a DSL line connected on eth0 and a local - network (192.168.10.0/24) +
Example 3: You have a DSL line connected on eth0 and a local + network (192.168.10.0/24) connected to eth1. You want -all local->net connections - to use source address +all local->net connections + to use source address 206.124.146.176.
- -+ ++ ++- -- -
-- -INTERFACE -SUBNET -ADDRESS -- + +eth0 -192.168.10.0/24 -206.124.146.176 -+ ++INTERFACE ++SUBNET +ADDRESS ++ - - + + +eth0 +192.168.10.0/24 +206.124.146.176 +Example 4: Same as example 3 except that - you wish to exclude - 192.168.10.44 and 192.168.10.45 from - the SNAT rule.
- -++ +Example 4: Same as example 3 except that + you wish to exclude + 192.168.10.44 and 192.168.10.45 from + the SNAT rule.
+ ++- Example 5 (Shorewall version >= 1.3.14): -You have a second IP address (206.124.146.177) assigned -to you and wish to use it for SNAT of the subnet 192.168.12.0/24. - You want to give that address the name eth0:0. You must have ADD_SNAT_ALIASES=Yes - in /etc/shorewall/shorewall.conf.- -
-- -INTERFACE -SUBNET -ADDRESS -- + +eth0 -192.168.10.0/24!192.168.10.44,192.168.10.45 -206.124.146.176 -+ ++INTERFACE ++SUBNET +ADDRESS ++ - - + + +eth0 +192.168.10.0/24!192.168.10.44,192.168.10.45 +206.124.146.176 +
- -++ Example 5 (Shorewall version >= 1.3.14): + You have a second IP address (206.124.146.177) assigned +to you and wish to use it for SNAT of the subnet 192.168.12.0/24. + You want to give that address the name eth0:0. You must have ADD_SNAT_ALIASES=Yes + in /etc/shorewall/shorewall.conf.
+ ++- -- -
-- -INTERFACE -SUBNET -ADDRESS -- + +eth0:0 -192.168.12.0/24 -206.124.146.177 -+ ++INTERFACE ++SUBNET +ADDRESS ++ - - + + +eth0:0 +192.168.12.0/24 +206.124.146.177 +- /etc/shorewall/proxyarp
- -If you want to use proxy ARP on an entire sub-network, - I suggest that you +
If you want to use proxy ARP on an entire sub-network, + I suggest that you look at - http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet/. - If you decide to use the + href="http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet/"> + http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet/. + If you decide to use the technique described in that HOWTO, you can set the proxy_arp flag for an interface - (/proc/sys/net/ipv4/conf/<interface>/proxy_arp) - by including the proxyarp - option in the interface's - record in - - /etc/shorewall/interfaces. - When using Proxy - ARP sub-netting, you do NOT include - any entries in + (/proc/sys/net/ipv4/conf/<interface>/proxy_arp) + by including the proxyarp + option in the interface's + record in + + /etc/shorewall/interfaces. + When using Proxy +ARP sub-netting, you do NOT include + any entries in /etc/shorewall/proxyarp.
- +The /etc/shorewall/proxyarp file is used to define Proxy ARP. The file is - typically used for enabling -Proxy ARP on a small set -of systems since -you need one -entry in this file for each - system using proxy ARP. Columns - are:
- + href="ProxyARP.htm">Proxy ARP. The file is + typically used for +enabling Proxy ARP on a +small set of systems +since you need +one entry in this file for each + system using proxy ARP. Columns + are: +Note: After you have made a change to the /etc/shorewall/proxyarp - file, you may need to flush the ARP cache of all - routers on the LAN segment connected to the interface -specified in the EXTERNAL column of the change/added entry(s). -If you are having problems communicating between an individual - host (A) on that segment and a system whose entry has changed, - you may need to flush the ARP cache on host A as well.
- -ISPs typically have ARP configured with long -TTL (hours!) so if your ISPs router has a stale cache entry (as seen using -"tcpdump -nei <external interface> host <IP addr>"), it may -take a long while to time out. I personally have had to contact my ISP -and ask them to delete a stale entry in order to restore a system to working -order after changing my proxy ARP settings.
- -Example: You have public IP addresses 155.182.235.0/28. You - configure your firewall as follows:
- + +Note: After you have made a change to the /etc/shorewall/proxyarp + file, you may need to flush the ARP cache of all + routers on the LAN segment connected to the interface + specified in the EXTERNAL column of the change/added entry(s). + If you are having problems communicating between an individual + host (A) on that segment and a system whose entry has changed, + you may need to flush the ARP cache on host A as well.
+ +ISPs typically have ARP configured with long TTL + (hours!) so if your ISPs router has a stale cache entry (as seen using "tcpdump + -nei <external interface> host <IP addr>"), it may take a long +while to time out. I personally have had to contact my ISP and ask them +to delete a stale entry in order to restore a system to working order after +changing my proxy ARP settings.
+ +Example: You have public IP addresses 155.182.235.0/28. You + configure your firewall as follows:
+In your DMZ, you want to install a Web/FTP server with public address - 155.186.235.4. On the Web server, you subnet just - like the firewall's eth0 and you configure 155.186.235.1 - as the default gateway. In your /etc/shorewall/proxyarp - file, you will have:
- -+ ++ +In your DMZ, you want to install a Web/FTP server with public address + 155.186.235.4. On the Web server, you subnet just + like the firewall's eth0 and you configure 155.186.235.1 + as the default gateway. In your /etc/shorewall/proxyarp + file, you will have:
+ ++- -- -
-- -ADDRESS -INTERFACE -EXTERNAL -HAVEROUTE -- + +155.186.235.4 -eth2 -eth0 -No -+ ++ADDRESS ++INTERFACE ++EXTERNAL +HAVEROUTE ++ - - + + +155.186.235.4 +eth2 +eth0 +No +Note: You may want to configure the servers in your DMZ with a subnet - that is smaller than the subnet of your internet - interface. See the Proxy ARP Subnet Mini HOWTO (http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet/) - for details. In this case you will want to place - "Yes" in the HAVEROUTE column.
- -Warning: Do not use Proxy ARP and -FreeS/Wan on the same system unless you are prepared to suffer the consequences. - If you start or restart Shorewall with an IPSEC tunnel active, - the proxied IP addresses are mistakenly assigned to - the IPSEC tunnel device (ipsecX) rather than to the +
Note: You may want to configure the servers in your DMZ with a subnet + that is smaller than the subnet of your internet + interface. See the Proxy ARP Subnet Mini HOWTO (http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet/) + for details. In this case you will want to place + "Yes" in the HAVEROUTE column.
+ +Warning: Do not use Proxy ARP and FreeS/Wan +on the same system unless you are prepared to suffer the consequences. + If you start or restart Shorewall with an IPSEC tunnel active, + the proxied IP addresses are mistakenly assigned to + the IPSEC tunnel device (ipsecX) rather than to the interface that you specify in the INTERFACE column of /etc/shorewall/proxyarp. - I haven't had the time to debug this problem so I can't say - if it is a bug in the Kernel or in FreeS/Wan.
- -You might be able to work around this problem using the following - (I haven't tried it):
- + I haven't had the time to debug this problem so I can't +say if it is a bug in the Kernel or in FreeS/Wan. + +You might be able to work around this problem using the following + (I haven't tried it):
+In /etc/shorewall/init, include:
- +qt service ipsec stop
- +In /etc/shorewall/start, include:
- +qt service ipsec start
- -The /etc/shorewall/nat file is used to define static NAT. There is one - entry in the file for each static NAT relationship - that you wish to define. In order to make use of this - feature, you must have NAT enabled - .
- + +The /etc/shorewall/nat file is used to define static NAT. There is one + entry in the file for each static NAT relationship + that you wish to define. In order to make use of this + feature, you must have NAT enabled + .
+IMPORTANT: If all you want to do - is forward ports - to servers behind your firewall, - you do NOT want to use - static NAT. Port - forwarding -can be accomplished - with simple entries in + color="#ff0000"> IMPORTANT: If all you want to do + is forward ports + to servers behind your firewall, + you do NOT want to use + static NAT. Port + forwarding +can be accomplished + with simple entries in the rules file. Also, in most cases Proxy ARP - provides a - superior solution - to static NAT - because the - internal systems - are accessed using the same IP - address internally and externally.
- + href="#ProxyArp"> Proxy ARP + provides a + superior solution + to static NAT + because the + internal systems + are accessed using the same IP + address internally and externally. +Columns in an entry are:
- +Look here for additional information and an example. -
- -The /etc/shorewall/tunnels file allows you to define IPSec, GRE, IPIP, - OpenVPN, PPTP - and 6to4.tunnels with end-points on your firewall. To use ipsec, - you must install version 1.9, 1.91 or the current FreeS/WAN development -snapshot.
- -Note: For kernels 2.4.4 and above, you will need to use version 1.91 - or a development snapshot as patching with version - 1.9 results in kernel compilation errors.
- -Instructions for setting up IPSEC tunnels may - be found here, instructions - for IPIP and GRE tunnels are here, instructions for OpenVPN tunnels are here, - instructions for PPTP tunnels are here - and instructions for 6to4 tunnels are here.
- + +Look here for additional information and an example. +
+ +The /etc/shorewall/tunnels file allows you to define IPSec, GRE, IPIP, + OpenVPN, PPTP + and 6to4.tunnels with end-points on your firewall. To use ipsec, + you must install version 1.9, 1.91 or the current FreeS/WAN development snapshot. +
+ +Note: For kernels 2.4.4 and above, you will need to use version 1.91 + or a development snapshot as patching with version + 1.9 results in kernel compilation errors.
+ +Instructions for setting up IPSEC tunnels may + be found here, instructions + for IPIP and GRE tunnels are here, instructions for OpenVPN tunnels are here, + instructions for PPTP tunnels are here + and instructions for 6to4 tunnels are here.
+This file is used to set the following firewall parameters:
- +Rules not meeting those criteria will continue to generate an individual - rule for each listed port or port range. + +
Rules not meeting those criteria will continue to generate an individual + rule for each listed port or port range.
-The file /etc/shorewall/modules contains commands for loading the kernel - modules required by Shorewall-defined firewall - rules. Shorewall will source this file during start/restart - provided that it exists and that the directory specified - by the MODULESDIR parameter exists (see /etc/shorewall/shorewall.conf - above).
- -The file that is released with Shorewall calls the Shorewall function - "loadmodule" for the set of modules that I load.
- + +The file /etc/shorewall/modules contains commands for loading the kernel + modules required by Shorewall-defined firewall + rules. Shorewall will source this file during start/restart + provided that it exists and that the directory specified + by the MODULESDIR parameter exists (see /etc/shorewall/shorewall.conf + above).
+ +The file that is released with Shorewall calls the Shorewall function + "loadmodule" for the set of modules that I load.
+The loadmodule function is called as follows:
- --- + +loadmodule <modulename> [ - <module parameters> ]
-
+ ++loadmodule <modulename> [ + <module parameters> ]
+
where
- -+ ++++ +<modulename>
- -- -+ +is the name of the modules without the trailing ".o" (example ip_conntrack).
-+ +- +is the name of the modules without the trailing ".o" (example +ip_conntrack).
+<module parameters>
- -- + +- -+-Optional parameters to the insmod utility.
-The function determines if the module named by <modulename> - is already loaded and if not then the function - determines if the ".o" file corresponding to the -module exists in the moduledirectory; if so, - then the following command is executed:
- --+insmod moduledirectory/<modulename>.o <module +
The function determines if the module named by <modulename> + is already loaded and if not then the function + determines if the ".o" file corresponding to the + module exists in the moduledirectory; if so, + then the following command is executed:
+ ++ ++ +insmod moduledirectory/<modulename>.o <module + parameters>
+If the file doesn't exist, the function determines of the ".o.gz" +file corresponding to the module exists in the moduledirectory. If +it does, the function assumes that the running configuration supports compressed + modules and execute the following command:
+ ++ +- -insmod moduledirectory/<modulename>.o.gz <module parameters>
-If the file doesn't exist, the function determines of the ".o.gz" file - corresponding to the module exists in the moduledirectory. If it - does, the function assumes that the running configuration supports compressed - modules and execute the following command:
- --- +insmod moduledirectory/<modulename>.o.gz <module - parameters>
-
The /etc/shorewall/tos file allows you to set the Type of Service field - in packet headers based on packet source, packet - destination, protocol, source port and destination - port. In order for this file to be processed by Shorewall, - you must have mangle support enabled - .
- + +The /etc/shorewall/tos file allows you to set the Type of Service field + in packet headers based on packet source, packet + destination, protocol, source port and destination + port. In order for this file to be processed by Shorewall, + you must have mangle support enabled + .
+Entries in the file have the following columns:
- +-+ +- + ++ ++ +- -+-Minimize-Delay (16)
-
- Maximize-Throughput - (8)
- Maximize-Reliability - (4)
- Minimize-Cost -(2)
- Normal-Service - (0)The /etc/shorewall/tos file that is included with Shorewall contains - the following entries.
- -+ Maximize-Throughput + (8)+
+ Maximize-Reliability + (4)
+ Minimize-Cost + (2)
+ Normal-Service + (0) +The /etc/shorewall/tos file that is included with Shorewall contains + the following entries.
+ ++- -- -
-- -SOURCE -DEST -PROTOCOL -SOURCE -
- PORT(S)DEST -PORT(S) -TOS -- -all -all -tcp -- -ssh -16 -- -all -all -tcp -ssh -- -16 -- -all -all -tcp -- -ftp -16 -- -all -all -tcp -ftp -- -16 -- -all -all -tcp -- -ftp-data -8 -- + +all -all -tcp -ftp-data -- -8 -+ +SOURCE +DEST +PROTOCOL +SOURCE +
+ PORT(S)DEST + PORT(S) +TOS ++ +all +all +tcp +- +ssh +16 ++ +all +all +tcp +ssh +- +16 ++ +all +all +tcp +- +ftp +16 ++ +all +all +tcp +ftp +- +16 ++ +all +all +tcp +- +ftp-data +8 ++ - - + + +all +all +tcp +ftp-data +- +8 +WARNING: Users have reported that odd routing problems result from - adding the ESP and AH protocols to the /etc/shorewall/tos - file.
- +
WARNING: Users have reported that odd routing problems result from + adding the ESP and AH protocols to the /etc/shorewall/tos + file.
+Each line in - /etc/shorewall/blacklist - contains - an IP - address, a MAC address in Shorewall Format - or - subnet - address. Example:
- + +Each line in + /etc/shorewall/blacklist + contains + an IP + address, a MAC address in Shorewall Format + or + subnet + address. Example:
+130.252.100.69- -
206.124.146.0/24
Packets from
- hosts
- listed
- in the
- blacklist file
- will be
- disposed of
- according
- to
- the value assigned
- to
- the BLACKLIST_DISPOSITION
- and BLACKLIST_LOGLEVEL variables in
- /etc/shorewall/shorewall.conf.
- Only
- packets arriving
- on interfaces
- that
- have the
- 'blacklist'
- option in
- /etc/shorewall/interfaces
- are
- checked against the
- blacklist. The black list is designed to prevent listed
- hosts/subnets from accessing services on your
- network.
-
Packets from
+ hosts
+ listed
+ in the
+ blacklist file
+ will be
+ disposed of
+ according
+ to
+ the value assigned
+ to
+ the BLACKLIST_DISPOSITION
+ and BLACKLIST_LOGLEVEL variables in
+ /etc/shorewall/shorewall.conf.
+ Only
+ packets arriving
+ on interfaces
+ that
+ have the
+ 'blacklist'
+ option in
+ /etc/shorewall/interfaces
+ are
+ checked against the
+ blacklist. The black list is designed to prevent listed
+ hosts/subnets from accessing services on your
+ network.
+
Beginning with Shorewall 1.3.8, the blacklist file has three columns:
-
Shorewall also has a dynamic blacklist - capability.
- -IMPORTANT: The Shorewall blacklist file is NOT
- designed to police your users' web browsing -- to
- do that, I suggest that you install and configure Squid
- (http://www.squid-cache.org).
+
+ Shorewall also has a dynamic blacklist
+ capability. IMPORTANT: The Shorewall blacklist file is NOT
+ designed to police your users' web browsing -- to
+ do that, I suggest that you install and configure Squid
+ (http://www.squid-cache.org).
This file lists the subnets affected by the norfc1918
- interface option. Columns in the file are: This file lists the subnets affected by the norfc1918
+ interface option. Columns in the file are: This file defines the hosts that are accessible from the firewall when
- the firewall is stopped. Columns in the file are: This file defines the hosts that are accessible from the firewall when
+ the firewall is stopped. Columns in the file are: Example: When your firewall is stopped, you want firewall accessibility
- from local hosts 192.168.1.0/24 and from your DMZ.
- Your DMZ interfaces through eth1 and your local hosts
- through eth2. Example: When your firewall is stopped, you want firewall accessibility
+ from local hosts 192.168.1.0/24 and from your DMZ.
+ Your DMZ interfaces through eth1 and your local hosts
+ through eth2. Updated 6/28/2003 - Tom Eastep
- Updated 6/28/2003 - Tom Eastep
+ /etc/shorewall/rfc1918 (Added in Version 1.3.1)
-
-
-
-
-
-
- /etc/shorewall/routestopped (Added in Version
- 1.3.4)
-
-/etc/shorewall/routestopped (Added in Version
+ 1.3.4)
+
+
-
-
-
+
+
+
+
-
+
-
-
-
-
- INTERFACE
- HOST(S)
-
-
- eth2
- 192.168.1.0/24
-
-
+
+ eth1
- -
-
+
+ INTERFACE
+ HOST(S)
+
+
+ eth2
+ 192.168.1.0/24
+
+
-
-
+
+
+
eth1
+ -
+ /etc/shorewall/maclist (Added in Version 1.3.10)
- This file is described in the
- MAC Validation Documentation.
-
+ This file is described in
+ the MAC Validation Documentation.
+
/etc/shorewall/ecn (Added in Version 1.4.0)
- This file is described in the
- ECN Control Documentation.
-
-
+
+
| - + |
+
Shorewall FAQs- |
-
1a. Ok -- I followed those instructions
- but it doesn't work.
-
1b. I'm still having problems with - port forwarding
- - - -3. I want to use Netmeeting - or MSN Instant Messenger with Shorewall. - What do I do?
- -4a. I just ran an nmap UDP scan
- of my firewall and it showed 100s of ports
-as open!!!!
-
5. I've installed Shorewall and now
- I can't ping through the firewall
-
- 15. My local systems can't see
- out to the net
6. Where are the log messages - written and how do I change the destination?
- -6a. Are there any log parsers - that work with Shorewall?
- -6b. DROP messages on port 10619 are flooding the logs with their connect
- requests. Can i exclude these error messages for this port
-temporarily from logging in Shorewall?
-
16. Shorewall is writing log messages
- all over my console making it unusable!
-
8. When I try to start Shorewall
- on RedHat I get messages about insmod failing
- -- what's wrong?
-
8a. When I try to start Shorewall
- on RedHat I get a message referring me to FAQ #8
-
9. Why can't Shorewall detect - my interfaces properly at startup?
- 22. I -have some iptables commands that I want to run when -Shorewall starts. Which file do I put them in?10. What distributions does - it work with?
- -11. What features does it -support?
- -12. Is there a GUI?
- -13. Why do you call it "Shorewall"?
- 23. Why do you - use such ugly fonts on your web site?1a. Ok -- I followed those instructions
+ but it doesn't work.
+
1b. I'm still having problems with + port forwarding
+ + + +3. I want to use Netmeeting + or MSN Instant Messenger with Shorewall. + What do I do?
+ +4a. I just ran an nmap UDP scan
+ of my firewall and it showed 100s of ports as
+ open!!!!
+
5. I've installed Shorewall and now
+ I can't ping through the firewall
+
+ 15. My local systems can't see
+ out to the net
6. Where are the log messages + written and how do I change the destination?
+ +6a. Are there any log parsers + that work with Shorewall?
+ +6b. DROP messages on port 10619 are flooding the logs with their connect
+ requests. Can i exclude these error messages for this port temporarily
+ from logging in Shorewall?
+
16. Shorewall is writing log messages
+ all over my console making it unusable!
+
8. When I try to start Shorewall
+ on RedHat I get messages about insmod failing
+ -- what's wrong?
+
8a. When I try to start Shorewall
+ on RedHat I get a message referring me to FAQ #8
+
9. Why can't Shorewall detect + my interfaces properly at startup?
+ 22. I + have some iptables commands that I want to run +when Shorewall starts. Which file do I put them in?10. What distributions does + it work with?
+ +11. What features does it support?
+ +12. Is there a GUI?
+ +13. Why do you call it "Shorewall"?
+ 23. Why do you + use such ugly fonts on your web site?Answer: The first example in the rules file documentation shows how to - do port forwarding under Shorewall. The format + href="Documentation.htm#Rules">rules file documentation
shows how to + do port forwarding under Shorewall. The format of a port-forwarding rule to a local system is as follows: - -+ ++ +- -- -
-- + +ACTION -SOURCE -DESTINATION -PROTOCOL -PORT -SOURCE + + + -ACTION +SOURCE +DESTINATION +PROTOCOL +PORT +SOURCE PORT -ORIG. + ORIG. DEST. -- +DNAT -net -loc:<local + + - - +DNAT +net +loc:<local IP address>[:<local port>] -<protocol> -<port + <protocol> +<port #> --
--
-+
++
+So to forward UDP port 7777 to internal system 192.168.1.5, +
So to forward UDP port 7777 to internal system 192.168.1.5, the rule is:
- -+ ++ Finally, if you need to forward a range of ports, + in the PORT column specify the range as low-port:high-port.- -- -
-- +ACTION -SOURCE -DESTINATION -PROTOCOL -PORT -SOURCE + + + -ACTION +SOURCE +DESTINATION +PROTOCOL +PORT +SOURCE PORT -ORIG. + ORIG. DEST. -- - - +DNAT -net -loc:192.168.1.5 -udp -7777 --
--
-+ + +DNAT +net +loc:192.168.1.5 +udp +7777 ++
++
+If - you want to forward requests directed to a particular -address ( <external IP> ) on your firewall -to an internal system:- -++ +If + you want to forward requests directed to a particular address + ( <external IP> ) on your firewall to an internal + system:+ +- Finally, if you need to forward a range of ports, -in the PORT column specify the range as low-port:high-port.- -
-- + +ACTION -SOURCE -DESTINATION -PROTOCOL -PORT -SOURCE + + + -ACTION +SOURCE +DESTINATION +PROTOCOL +PORT +SOURCE PORT -ORIG. + ORIG. DEST. -- +DNAT -net -loc:<local + + - - +DNAT +net +loc:<local IP address>[:<local port>] -<protocol> -<port + <protocol> +<port #> -- -<external + - +<external IP> -
- -1a. Ok -- I followed those instructions - but it doesn't work
- -Answer: That is usually the result of one of three - things:
- --
- -- You are -trying to test from inside your firewall (no, that won't - work -- see FAQ #2).
-- You have - a more basic problem with your local system such as - an incorrect default gateway configured (it should be -set to the IP address of your firewall's internal interface).
-- Your ISP is blocking that particular port inbound.
- -
-1b. I'm still having problems with port - forwarding
- Answer: To further - diagnose this problem:
- --
- -- As root, type "iptables - -t nat -Z". This clears the NetFilter counters in the - nat table.
-- Try to connect to -the redirected port from an external host.
-- As root type "shorewall - show nat"
-- Locate the appropriate - DNAT rule. It will be in a chain called <source - zone>_dnat ('net_dnat' in the above examples).
-- Is the packet count - in the first column non-zero? If so, the connection - request is reaching the firewall and is being redirected -to the server. In this case, the problem is usually a missing - or incorrect default gateway setting on the server (the server's - default gateway should be the IP address of the firewall's - interface to the server).
-- If the packet count - is zero:
- --
- -- the connection -request is not reaching your server (possibly it is -being blocked by your ISP); or
-- you are trying -to connect to a secondary IP address on your firewall - and your rule is only redirecting the primary IP address -(You need to specify the secondary IP address in the "ORIG. - DEST." column in your DNAT rule); or
-- your DNAT rule -doesn't match the connection request in some other - way. In that case, you may have to use a packet sniffer such - as tcpdump or ethereal to further diagnose the problem.
- -
-1c. From the internet, I want - to connect to port 1022 on my firewall and have the firewall forward -the connection to port 22 on local system 192.168.1.3. How do I do that?
- --- ---- -
-- -ACTION -SOURCE -DESTINATION -PROTOCOL -PORT -SOURCE - PORT -ORIG. - DEST. -- - - -DNAT -net -
-loc:192.168.1.3:22 -tcp -1022 -
--
--
-2. I port forward www requests to www.mydomain.com - (IP 130.151.100.69) to system 192.168.1.5 in -my local network. External clients can browse http://www.mydomain.com - but internal clients can't.
- -Answer: I have two objections to this setup.
- --
+- Having -an internet-accessible server in your local network - is like raising foxes in the corner of your hen house. - If the server is compromised, there's nothing between - that server and your other internal systems. For the -cost of another NIC and a cross-over cable, you can put -your server in a DMZ such that it is isolated from your local systems - - assuming that the Server can be located near the Firewall, - of course :-)
-- The accessibility - problem is best solved using Bind Version 9 "views" - (or using a separate DNS server for local clients) such that www.mydomain.com - resolves to 130.141.100.69 externally and 192.168.1.5 - internally. That's what I do here at shorewall.net for -my local systems that use static NAT.
- -
If you insist on an IP solution to the accessibility problem
- rather than a DNS solution, then assuming that
- your external interface is eth0 and your internal
- interface is eth1 and that eth1 has IP address 192.168.1.254
- with subnet 192.168.1.0/24.
-
If you are running Shorewall 1.4.0 or earlier see the 1.3 FAQ for instructions suitable for
-those releases.
-
If you are running Shorewall 1.4.1 or Shorewall 1.4.1a, please
- upgrade to Shorewall 1.4.2 or later.
-
Otherwise:
-
Answer: That is usually the result of one of three + things:
+-- -- -
-- -ZONE -
-INTERFACE -
-BROADCAST -
-OPTIONS -
-- - - -loc -
-eth1 -
-detect -
-routeback -
-
-- -- -
-- -ACTION -SOURCE -DEST -PROTO -DEST -
- PORT(S)SOURCE -
- PORT(S)ORIGINAL -
- DEST- - - -DNAT -
-loc -web:192.168.1.5 -
-tcp -www -- -
-130.151.100.69:192.168.1.254 -
-
That rule only works of course if you have a static external - IP address. If you have a dynamic IP address - and are running Shorewall 1.3.4 or later then include - this in /etc/shorewall/init:
-ETH0_IP=`find_interface_address eth0`-
and make your DNAT rule:
-
- 
- 
- A couple
- of recent configuration changes at www.shorewall.net
- broke the Search facility:
-