Warning: If you copy or edit your configuration files on a system running Microsoft Windows, you must run them through dos2unix before you use them with Shorewall.
Shorewall's configuration files are in the directory /etc/shorewall.
You may place comments in configuration files by making the first non-whitespace character a pound sign ("#"). You may also place comments at the end of any line, again by delimiting the comment from the rest of the line with a pound sign.
Examples:
# This is a comment
ACCEPT net fw tcp www #This is an end-of-line comment
You may continue lines in the configuration files using the usual backslash ("\") followed immediately by a new line character.
Example:
ACCEPT net fw tcp \
smtp,www,pop3,imap #Services running on the firewall
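As an added example (not part of the Shorewall documentation or its code), the following Python reads a rules-style file the way the page describes: a "#" starts a comment, and a backslash immediately before the newline continues the record. It also shows why the dos2unix warning at the top matters: in a file with CRLF endings the character after the backslash is a carriage return, not a newline, so the continuation silently fails. The sample text is constructed from the page's own examples.

```python
# Added example: read Shorewall-style config text (comments, continuation
# lines) and detect the CRLF endings that dos2unix removes.

# Constructed sample using the page's own example lines; not a real rules file.
SAMPLE_RULES = (
    "# This is a comment\n"
    "ACCEPT net fw tcp www #This is an end-of-line comment\n"
    "ACCEPT net fw tcp \\\n"
    "smtp,www,pop3,imap #Services running on the firewall\n"
)


def lines_with_cr(text):
    """1-based numbers of physical lines that still carry a carriage return.

    A file copied from or edited on Windows has CRLF endings; any CR at all
    means the file must go through dos2unix before Shorewall reads it.
    """
    return [n for n, line in enumerate(text.split("\n"), 1) if "\r" in line]


def to_unix(text):
    """What dos2unix does to the file: CRLF line endings become LF."""
    return text.replace("\r\n", "\n")


def logical_lines(text):
    """Return the non-empty logical records as lists of whitespace-separated columns.

    A comment runs from the first '#' to the end of the physical line; a
    backslash immediately before the newline joins the next physical line on.
    """
    records = []
    pending = ""
    for physical in text.split("\n"):
        body = physical.split("#", 1)[0]
        if body.endswith("\\"):
            # Continuation only when the newline follows the backslash
            # immediately. In a CRLF file the character after '\' is '\r',
            # so this branch is skipped and the record is cut short.
            pending += body[:-1]
            continue
        pending += body
        columns = pending.split()
        pending = ""
        if columns:
            records.append(columns)
    if pending.split():
        records.append(pending.split())
    return records


if __name__ == "__main__":
    for record in logical_lines(SAMPLE_RULES):
        print(record)
    crlf = SAMPLE_RULES.replace("\n", "\r\n")
    print("lines carrying CR:", lines_with_cr(crlf))
    print("records after CRLF conversion:", logical_lines(crlf))
    print("records after to_unix:", logical_lines(to_unix(crlf)))
```

With LF endings the sample yields two records, the second being the joined continuation; the same text with CRLF endings yields three records, one of them with a stray backslash column, which is exactly the kind of malformed rule that stops Shorewall from starting.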
shorewall/params.mgmt:
MGMT_SERVERS=1.1.1.1,2.2.2.2,3.3.3.3
TIME_SERVERS=4.4.4.4
BACKUP_SERVERS=5.5.5.5
----- end params.mgmt -----
shorewall/params:
# Shorewall 1.3 /etc/shorewall/params
[..]
#######################################
INCLUDE params.mgmt
# params unique to this host here
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
----- end params -----
shorewall/rules.mgmt:
ACCEPT net:$MGMT_SERVERS $FW tcp 22
ACCEPT $FW net:$TIME_SERVERS udp 123
ACCEPT $FW net:$BACKUP_SERVERS tcp 22
----- end rules.mgmt -----
shorewall/rules:
# Shorewall version 1.3 - Rules File
[..]
#######################################
INCLUDE rules.mgmt
# rules unique to this host here
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
----- end rules -----
WARNING: I personally recommend strongly against using DNS names in Shorewall configuration files. If you use DNS names and you are called out of bed at 2:00AM because Shorewall won't start as a result of DNS problems then don't say that you were not forewarned.
-Tom
Beginning with Shorewall 1.3.9, host addresses in Shorewall configuration files may be specified as either IP addresses or DNS names.
DNS names in iptables rules aren't nearly as useful as they first appear. When a DNS name appears in a rule, the iptables utility resolves the name to one or more IP addresses and inserts those addresses into the rule. So changes in the DNS->IP address relationship that occur after the firewall has started have absolutely no effect on the firewall's ruleset.
If your firewall rules include DNS names then:
Each DNS name must be fully qualified and include a minimum of two periods (although one may be trailing). This restriction is imposed by Shorewall to ensure backward compatibility with existing configuration files.
Examples of valid DNS names:
Where specifying an IP address, a subnet or an interface, you can precede the item with "!" to specify the complement of the item. For example, !192.168.1.4 means "any host but 192.168.1.4". There must be no white space following the "!".
Comma-separated lists are allowed in a number of contexts within the configuration files. A comma separated list:
Unless otherwise specified, when giving a port number you can use either an integer or a service name from /etc/services.
If you need to specify a range of ports, the proper syntax is <low port number>:<high port number>. For example, if you want to forward the range of tcp ports 4000 through 4100 to local host 192.168.1.3, the entry in /etc/shorewall/rules is:
DNAT net loc:192.168.1.3 tcp 4000:4100
If you omit the low port number, a value of zero is assumed; if you omit the high port number, a value of 65535 is assumed.
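As an added example, not from the Shorewall documentation or its code, the following Python applies the port and "!" rules stated above: a port is an integer or a service name, a range is low:high with the omitted ends defaulting to 0 and 65535, and "!" negates an address with no white space allowed after it. The services table is a constructed subset of /etc/services so the code runs offline; Shorewall itself consults the system's /etc/services, and how it parses these columns internally is not described on this page.

```python
# Added example: port, port-range and "!" complement syntax as stated on the page.

# Constructed subset of /etc/services so the example runs offline.
SERVICES = {"ssh": 22, "smtp": 25, "www": 80, "pop3": 110, "ntp": 123, "imap": 143}

PORT_MIN, PORT_MAX = 0, 65535


def port_number(token):
    """One port: an integer or a service name from the services table."""
    if token.isdigit():
        port = int(token)
    elif token in SERVICES:
        port = SERVICES[token]
    else:
        raise ValueError("unknown port or service: %r" % token)
    if not PORT_MIN <= port <= PORT_MAX:
        raise ValueError("port out of range: %d" % port)
    return port


def port_range(spec):
    """Parse 'low:high'; an omitted low end means 0, an omitted high end 65535.

    A lone port (no colon) is returned as a one-port range.
    """
    if ":" not in spec:
        port = port_number(spec)
        return (port, port)
    low, high = spec.split(":", 1)
    lo = port_number(low) if low else PORT_MIN
    hi = port_number(high) if high else PORT_MAX
    if lo > hi:
        raise ValueError("low port above high port in %r" % spec)
    return (lo, hi)


def parse_port_list(spec):
    """A comma-separated list of ports and ranges, e.g. 'smtp,www,4000:4100'."""
    return [port_range(item) for item in spec.split(",")]


def parse_address(spec):
    """Handle the '!' complement prefix on an address, subnet or interface.

    Returns (negated, item). Because config columns are split on white space,
    '! 192.168.1.4' reaches us as a bare '!', which is rejected: the page
    requires the item to follow the '!' immediately.
    """
    if spec.startswith("!"):
        item = spec[1:]
        if not item or item[0].isspace():
            raise ValueError("no white space allowed after '!' in %r" % spec)
        return (True, item)
    return (False, spec)


if __name__ == "__main__":
    print(port_range("4000:4100"), port_range(":4100"), port_range("4000:"))
    print(parse_port_list("smtp,www,pop3,imap"))
    print(parse_address("!192.168.1.4"))
```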
You may use the /etc/shorewall/params file to set shell variables that you can then use in some of the other configuration files.
It is suggested that variable names begin with an upper case letter to distinguish them from variables used internally within the Shorewall programs.
Example:
/etc/shorewall/params
NET_IF=eth0
NET_BCAST=130.252.100.255
NET_OPTIONS=routefilter,norfc1918
/etc/shorewall/interfaces record:
net $NET_IF $NET_BCAST $NET_OPTIONS
The result will be the same as if the record had been written
net eth0 130.252.100.255 routefilter,norfc1918
Variables may be used anywhere in the other configuration files.
Media Access Control (MAC) addresses can be used to specify packet source in several of the configuration files. To use this feature, your kernel must have MAC Address Match support (CONFIG_IP_NF_MATCH_MAC) included.
MAC addresses are 48 bits wide and each Ethernet controller has a unique MAC address.
In GNU/Linux, MAC addresses are usually written as a series of 6 hex numbers separated by colons. Example:
[root@gateway root]# ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 02:00:08:E3:FA:55
          inet addr:206.124.146.176  Bcast:206.124.146.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2398102 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3044698 errors:0 dropped:0 overruns:0 carrier:0
          collisions:30394 txqueuelen:100
          RX bytes:419871805 (400.4 Mb)  TX bytes:1659782221 (1582.8 Mb)
          Interrupt:11 Base address:0x1800
Because Shorewall uses colons as a separator for address fields, Shorewall requires MAC addresses to be written in another way. In Shorewall, MAC addresses begin with a tilde ("~") and consist of 6 hex numbers separated by hyphens. In Shorewall, the MAC address in the example above would be written "~02-00-08-E3-FA-55".
Note: It is not necessary to use the special Shorewall notation in the /etc/shorewall/maclist file.
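The following Python, added here and not part of the Shorewall documentation or code, converts between the ifconfig and Shorewall MAC notations described above and applies the DNS-name rule given earlier on this page (fully qualified, at least two periods, one of which may be trailing). The classify_host function, and its choice to treat anything the standard ipaddress module accepts as an IP address or subnet rather than a DNS name, are the example's own assumptions; the page does not say how Shorewall itself tells the host forms apart.

```python
# Added example: Shorewall MAC notation and the page's DNS-name rule.
import ipaddress
import re

HEX_PAIR = "[0-9A-Fa-f]{2}"
IFCONFIG_MAC = re.compile(r"^%s(?::%s){5}$" % (HEX_PAIR, HEX_PAIR))
SHOREWALL_MAC = re.compile(r"^~%s(?:-%s){5}$" % (HEX_PAIR, HEX_PAIR))
LABEL = re.compile(r"^[A-Za-z0-9-]+$")


def mac_to_shorewall(mac):
    """'02:00:08:E3:FA:55' (ifconfig) -> '~02-00-08-E3-FA-55' (Shorewall)."""
    if not IFCONFIG_MAC.match(mac):
        raise ValueError("not a colon-separated 48-bit MAC address: %r" % mac)
    return "~" + mac.replace(":", "-")


def shorewall_to_mac(spec):
    """Reverse of mac_to_shorewall, for reading a rule back into ifconfig form."""
    if not SHOREWALL_MAC.match(spec):
        raise ValueError("not a Shorewall MAC address: %r" % spec)
    return spec[1:].replace("-", ":")


def is_ip_or_subnet(spec):
    """Assumption of this example: whatever ipaddress accepts is an IP form."""
    try:
        ipaddress.ip_network(spec, strict=False)
        return True
    except ValueError:
        return False


def is_shorewall_dns_name(name):
    """The page's rule: fully qualified, at least two periods, one may be trailing.

    An IP address also contains periods, so it is excluded first.
    """
    if is_ip_or_subnet(name) or name.count(".") < 2:
        return False
    labels = name[:-1].split(".") if name.endswith(".") else name.split(".")
    return all(LABEL.match(label) for label in labels)


def classify_host(spec):
    """Say which host form a column holds: 'ip', 'mac' or 'dns' (assumed order)."""
    if is_ip_or_subnet(spec):
        return "ip"
    if SHOREWALL_MAC.match(spec):
        return "mac"
    if is_shorewall_dns_name(spec):
        return "dns"
    raise ValueError("not an IP address/subnet, Shorewall MAC or qualified DNS name: %r" % spec)


if __name__ == "__main__":
    print(mac_to_shorewall("02:00:08:E3:FA:55"))
    # Constructed names: one qualified, one with a trailing period, one with too few periods.
    for host in ("mail.example.net", "example.net.", "example.net"):
        print(host, is_shorewall_dns_name(host))
```

The three constructed names show the rule's edge: "example.net." passes because its trailing period counts, while "example.net" has only one period and is rejected.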
Shorewall allows you to have configuration directories other than /etc/shorewall. The shorewall check, start and restart commands allow you to specify an alternate configuration directory and Shorewall will use the files in the alternate directory rather than the corresponding files in /etc/shorewall. The alternate directory need not contain a complete configuration; those files not in the alternate directory will be read from /etc/shorewall.
This facility permits you to easily create a test or temporary configuration by:
Updated 8/22/2003 - Tom Eastep
Copyright © 2001, 2002, 2003 Thomas M. Eastep.