Compiled Firewall Programs Tom Eastep 2006-02-28 2006 Thomas M. Eastep Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled GNU Free Documentation License.
Overview Beginning with Shorewall version 3.1, Shorewall has the capability to compile a Shorewall configuration and produce a runnable firewall program script. The script is a complete program which can be placed in the /etc/init.d/ directory on a system without Shorewall installed and can serve as the firewall creation script for that system. Compiled programs can also be created to instantiate special configurations during parts of the day; for example, to disallow web browsing between the hours of 9pm and 7AM. The program can be run as a cron job at 9PM and another program run at 6AM to restore normal operation.
The "shorewall compile" command A compiled script is produced using the compile command:
shorewall compile [ -e ] [ -d <distro> ] [ <directory name> ] <path name>
where
-e Indicates that the program is to be "exported" to another system. When this flag is set, the "detectnets" interface is not allowed but the created program may be run on a system that doesn't even have Shorewall installed. When this flag is given, Shorewall does not probe the current system to determine the kernel/iptables features that it supports. It rather reads those capabilities from /etc/shorewall/capabilities. See below for details. -d <distro> is normally used with "-e" and specifies the Linux distribution that is running on the remote system. The program will be taylored so that it integrates with the intialization script system (init) on that system. Distributions currently supported are: suse <directory name> specifies a directory to be searched for configuration files before those directories listed in the CONFIG_PATH variable in shorewall.conf. <path name> specifies the name of the script to be created.
The /etc/shorewall/capabilities file and the shorecap program As mentioned above, the /etc/shorewall/capabilities file specifies that kernel/iptables capabilities of the target system. Here is a sample file:
NAT_ENABLED=Yes # NAT MANGLE_ENABLED=Yes # Packet Mangling CONNTRACK_MATCH=Yes # Connection Tracking Match USEPKTTYPE= # Packet Type Match MULTIPORT=Yes # Multi-port Match XMULTIPORT=Yes # Extended Multi-port Match POLICY_MATCH=Yes # Policy Match PHYSDEV_MATCH=Yes # Physdev Match LENGTH_MATCH=Yes # Packet Length Match IPRANGE_MATCH=Yes # IP range Match RECENT_MATCH=Yes # Recent Match OWNER_MATCH=Yes # Owner match IPSET_MATCH= # Ipset Match CONNMARK=Yes # CONNMARK Target CONNMARK_MATCH=Yes # Connmark Match RAW_TABLE=Yes # Raw Table IPP2P_MATCH= # IPP2P Match CLASSIFY_TARGET=Yes # CLASSIFY Target ENHANCED_REJECT=Yes # Extended REJECT
As you can see, the file contains a simple list of shell variable assignments -- the variables correspond to the capabilities listed by the shorewall show capabilities command appear in the same order as the output of that command. To aid in creating this file, Shorewall 3.1 and later include a shorecap program. The program is installed in the documentation directory by the .rpm and is in the directory created when you untar the tarball. It may be copied to /usr/bin on a remote system then run as follows:
[ IPTABLES=<iptables binary> ] [ MODULESDIR=<kernel modules directory> ] shorecap > capabilities
The IPTABLES and MODULESDIR options have their usual Shorewall default values. The capabilities file may then be copied to a system with Shorewall installed and used when compiling firewall programs to run on the remote system.
Running compiled programs Compiled firewall programs are complete programs that support the following run-line commands:
<program> [ -q ] [ -v ] [ -n ] start <program> [ -q ] [ -v ] [ -n ] stop <program> [ -q ] [ -v ] [ -n ] clear <program> [ -q ] [ -v ] [ -n ] restart <program> [ -q ] [ -v ] [ -n ] status <program> [ -q ] [ -v ] [ -n ] version
The options have their same meaning is when they are passed to /sbin/shorewall itself. The default VERBOSITY level is the level specified in the shorewall.conf file used when then program was compiled.