Tom Eastep 2004-07-10 2003-2004 Thomas M. Eastep Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled GNU Free Documentation License.

The information in this document applies only to 2.0.x releases of Shorewall.

Netfilter - the packet filter facility built into the 2.4 and later Linux kernels. ipchains - the packet filter facility built into the 2.2 Linux kernels. Also the name of the utility program used to configure and control that facility. Netfilter can be used in ipchains compatibility mode. iptables - the utility program used to configure and control Netfilter. The term iptables is often used to refer to the combination of iptables+Netfilter (with Netfilter not in ipchains compatibility mode).

The Shoreline Firewall, more commonly known as Shorewall, is high-level tool for configuring Netfilter. You describe your firewall/gateway requirements using entries in a set of configuration files. Shorewall reads those configuration files and with the help of the iptables utility, Shorewall configures Netfilter to match your requirements. Shorewall can be used on a dedicated firewall system, a multi-function gateway/router/server or on a standalone GNU/Linux system. Shorewall does not use Netfilter's ipchains compatibility mode and can thus take advantage of Netfilter's connection state tracking capabilities. Shorewall is not a daemon. Once Shorewall has configured Netfilter, it's job is complete and there is no Shorewall process left running in your system. The /sbin/shorewall program can be used at any time to monitor the Netfilter firewall.

The configuration files for Shorewall are contained in the directory /etc/shorewall -- for simple setups, you will only need to deal with a few of them. Shorewall views the network where it is running as being composed of a set of zones. In the three-interface sample configuration for example, the following zone names are used: NameDescriptionnetThe InternetlocYour Local NetworkdmzDemilitarized ZoneZones are defined in the /etc/shorewall/zones file. Shorewall also recognizes the firewall system as its own zone - by default, the firewall itself is known as fw. Rules about what traffic to allow and what traffic to deny are expressed in terms of zones. You express your default policy for connections from one zone to another zone in the /etc/shorewall/policy file. The choices for policy are:ACCEPT - Accept the connection.DROP - Ignore the connection request.REJECT - Return an appropriate error to the connection request.Connection request logging may be specified as part of a policy and it is conventional to log DROP and REJECT policies.You define exceptions to those default policies in the /etc/shorewall/rules file.You only need concern yourself with connection requests. You don't need to define rules for how traffic that is part of an established connection is handled and in most cases you don't have to worry about how related connections are handled (ICMP error packets and related TCP connection requests such as used by FTP).For each connection request entering the firewall, the request is first checked against the /etc/shorewall/rules file. If no rule in that file matches the connection request then the first policy in /etc/shorewall/policy that matches the request is applied. If there is a common action defined for the policy in /etc/shorewall/actions (or /usr/share/shorewall/actions.std) then that action is invoked before the policy is enforces. In the standard Shorewall distribution, the DROP policy has a common action called Drop and the REJECT policy has a common action called Reject. Common actions are used primarily to discard The /etc/shorewall/policy file included with the three-interface sample has the following policies: #SOURCE DEST POLICY LOG LEVEL LIMIT:BURST loc net ACCEPT net all DROP info all all REJECT infoIn the three-interface sample, the line below is included but commented out. If you want your firewall system to have full access to servers on the internet, uncomment that line. #SOURCE DEST POLICY LOG LEVEL LIMIT:BURST fw net ACCEPT The above policy will: Allow all connection requests from your local network to the internetDrop (ignore) all connection requests from the internet to your firewall or local network; these ignored connection requests will be logged using the info syslog priority (log level).Optionally accept all connection requests from the firewall to the internet (if you uncomment the additional policy)reject all other connection requests; these rejected connection requests will be logged using the info syslog priority (log level). The simplest way to define a zone is to associate the zone with a network interface using the /etc/shorewall/interfaces file. In the three-interface sample, the three zones are defined using that file as follows: #ZONE INTERFACE BROADCAST OPTIONS net eth0 detect dhcp,routefilter,norfc1918 loc eth1 detect dmz eth2 detect The above file defines the net zone as all hosts interfacing to the firewall through eth0, the loc zone as all hosts interfacing through eth1 and the dmz as all hosts interfacing through eth2. To illustrate how rules provide exceptions to policies, suppose that you have the polcies listed above but you want to be able to connect to your firewall from the internet using Secure Shell (SSH). Recall that SSH connects uses TCP port 22. #ACTION SOURCE DEST PROTO DEST # PORT(S) ACCEPT net fw tcp 22 So although you have a policy of ignoring all connection attempts from the net zone (from the internet), the above exception to that policy allows you to connect to the SSH server running on your firewall. Because Shorewall makes no assumptions about what traffic you want accepted, there are certain rules (exceptions) that need to be added to almost any configuration. The QuickStart guildes provide links to download pre-populated files for use in common setups and the Shorewall Setup Guide shows you examples for use with other more complex setups. To keep your firewall log from filling up with useless noise, Shorewall provides common actions that silently discard or reject such noise before it can be logged. As with everything in Shorewall, you can alter the behavior of these common actions (or do away with them entirely) as you see fit.

This program is free software; you can redistribute it and/or modify it under the terms of Version 2 of the GNU General Public License as published by the Free Software Foundation. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more detail. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA