From ee5d2a56dae3302b292780aed9fb26b113e98963 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sat, 31 Jul 2010 13:52:09 -0700 Subject: [PATCH] Add Universal doc --- docs/Universal.xml | 334 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 334 insertions(+) create mode 100644 docs/Universal.xml diff --git a/docs/Universal.xml b/docs/Universal.xml new file mode 100644 index 000000000..3928a87b6 --- /dev/null +++ b/docs/Universal.xml @@ -0,0 +1,334 @@ + + +
+ + + + Universal Configuration + + + + Tom + + Eastep + + + + + + + 2010 + + Thomas M. Eastep + + + + Permission is granted to copy, distribute and/or modify this + document under the terms of the GNU Free Documentation License, Version + 1.2 or any later version published by the Free Software Foundation; with + no Invariant Sections, with no Front-Cover, and with no Back-Cover + Texts. A copy of the license is included in the section entitled + GNU Free Documentation + License. + + + +
+ What it does + + This document describes a way to install Shorewall on a GNU/Linux + system and protect that system. The resulting firewall will: + + + + Allow all outgoing traffic. + + + + Block all incoming connections except: + + + + Secure Shell + + + + Ping + + + + + + Allow forwarding of traffic, provided that the system has more + than one interface or is set up to route between networks on a single + interface. + + +
+ +
+ How to Install it + + The location of the configuration files is dependent on your + distribution and how you installed + Shorewall. + + + + If you installed using an RPM, the samples + will be in the Samples/Universal subdirectory of the + Shorewall documentation directory. If you don't know where the + Shorewall documentation directory is, you can find the samples using + this command: + + ~# rpm -ql shorewall-common | fgrep Universal +/usr/share/doc/packages/shorewall/Samples/Universal +/usr/share/doc/packages/shorewall/Samples/Universal/interfaces +/usr/share/doc/packages/shorewall/Samples/Universal/policy +/usr/share/doc/packages/shorewall/Samples/Universal/rules +/usr/share/doc/packages/shorewall/Samples/Universal/zones +~# + + + + If you installed using the tarball, the samples are in the + Samples/Universal directory in + the tarball. + + + + If you installed using a Shorewall 4.x .deb, the samples are in + /usr/share/doc/shorewall-common/examples/Universal.. + You do not need the shorewall-doc package to have access to the + samples. + + + + Simple copy the files from the Universal directory to + /etc/shorewall. +
+ +
+ How to Start the firewall + + Before starting Shorewall for the first time, it's a good idea to + stop your existing firewall. On Redhat/CentOS/Fedora, at a root prompt + type: + +
+ service iptables stop +
+ + If you are running SuSE, use Yast or Yast2 to stop + SuSEFirewall. + + Once you have Shorewall running to your satisfaction, you should + totally disable your existing firewall. On /Redhat/CentOS/Fedora: + +
+ chkconfig --del iptables +
+ + At a root prompt, type: + +
+ /sbin/shorewall start +
+ + That's it. Shorewall will automatically start again when you + reboot. +
+ +
+ Now that it is running, ... + +
+ How do I stop the firewall? + + At a root prompt, type: + +
+ /sbin/shorewall clear +
+ + The system is now 'wide open'. +
+ +
+ How do I prevent it from responding to ping? + + Edit /etc/shorewall/rules and remove the line + that reads: + +
+ Ping(ACCEPT) net $FW +
+ + and at a root prompt, type: + +
+ /sbin/shorewall restart +
+
+ +
+ How do I allow other kinds of incoming connections? + + Shorewall includes a collection of macros + that can be used to quickly allow or deny services. You can find a list + of the macros included in your version of Shorewall using the command + ls /usr/share/shorewall/macro.* + or at a shell prompt type: + +
+ /sbin/shorewall show macros +
+ + If you wish to enable connections from the Internet to your + firewall and you find an appropriate macro in + /etc/shorewall/macro.*, the general format of a + rule in /etc/shorewall/rules is: + + #ACTION SOURCE DESTINATION PROTO DEST PORT(S) +<macro>(ACCEPT) net $FW + + + Be sure to add your rules after the line that reads SECTION NEW. + + + + You want to run a Web Server and a IMAP Server on your firewall + system: + + #ACTION SOURCE DESTINATION PROTO DEST PORT(S) +Web(ACCEPT) net $FW +IMAP(ACCEPT)net $FW + + + You may also choose to code your rules directly without using the + pre-defined macros. This will be necessary in the event that there is + not a pre-defined macro that meets your requirements. In that case the + general format of a rule in /etc/shorewall/rules + is: + + #ACTION SOURCE DESTINATION PROTO DEST PORT(S) +ACCEPT net $FW <protocol> <port> + + + You want to run a Web Server and a IMAP Server on your firewall + system: + + #ACTION SOURCE DESTINATION PROTO DEST PORT(S) +ACCEPT net $FW tcp 80 +ACCEPT net $FW tcp 143 + + + If you don't know what port and protocol a particular application + uses, see here. +
+ +
+ How do I make the firewall log a message when it disallows an + incoming connection? + + Shorewall does not maintain a log itself but rather relies on your + system's logging + configuration. The following commands rely on knowing where + Netfilter messages are logged: + + + + shorewall show log (Displays the last 20 + Netfilter log messages) + + + + shorewall logwatch (Polls the log at a + settable interval + + + + shorewall dump (Produces an extensive + report for inclusion in Shorewall problem reports) + + + + It is important that these commands work properly because when you + encounter connection problems when Shorewall is running, the first thing + that you should do is to look at the Netfilter log; with the help of + Shorewall FAQ 17, you can usually + resolve the problem quickly. + + The Netfilter log location is distribution-dependent: + + + + Debian and its derivatives log Netfilter messages to + /var/log/kern.log. + + + + Recent SuSE/OpenSuSE releases come + preconfigured with syslog-ng and log netfilter messages to + /var/log/firewall. + + + + For other distributions, Netfilter messages are most commonly + logged to /var/log/messages. + + + + Modify the LOGFILE setting in + /etc/shorewall/shorewall.conf to specify the name + of your log. + + + The LOGFILE setting does not control where the Netfilter log is + maintained -- it simply tells the /sbin/shorewall + utility where to find the log. + + + Now, edit /etc/shorewall/policy and modify + the line that reads: + +
+ net all DROP +
+ + to + +
+ net all DROP info +
+
+ +
+ How do I stop the firewall from forwarding packets? + + Edit /etc/shorewall/interfaces, and change the line that + read: + +
+ net all - dhcp,physical=+,routeback +
+ + to + +
+ net all - dhcp,physical=+ +
+ + Then at a root prompt, type: + +
+ /sbin/shorewall restart +
+
+
+
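Review bot: the second worked example in "How do I allow other kinds of incoming connections?" has a broken rule: `IMAP(ACCEPT)net $FW` has no whitespace between the ACTION and SOURCE columns, so Shorewall will read `IMAP(ACCEPT)net` as a single token rather than two columns; it should read `IMAP(ACCEPT) net $FW` to match the `Web(ACCEPT) net $FW` line above it. The same section tells the reader to look for macros with `ls /usr/share/shorewall/macro.*` and then, a paragraph later, to find "an appropriate macro in /etc/shorewall/macro.*"; the two paths should agree. In "How do I stop the firewall?" the question says stop but the answer is `/sbin/shorewall clear`, which the text itself describes as leaving the system "wide open"; that consequence deserves a warning admonition rather than a bare statement, and the heading should say what the command actually does. Smaller fixes: "Simple copy the files" should be "Simply copy the files"; `/usr/share/doc/shorewall-common/examples/Universal..` has a doubled period; "On /Redhat/CentOS/Fedora" has a stray slash; and "shorewall logwatch (Polls the log at a settable interval" is missing its closing parenthesis.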