Universal Configuration
Tom
Eastep
2010
Thomas M. Eastep
Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
GNU Free Documentation
License
.
What it does
This document describes a way to install Shorewall on a GNU/Linux
system and protect that system. The resulting firewall will:
Allow all outgoing traffic.
Block all incoming connections except:
Secure Shell
Ping
Allow forwarding of traffic, provided that the system has more
than one interface or is set up to route between networks on a single
interface.
How to Install it
The location of the configuration files is dependent on your
distribution and how you installed
Shorewall.
If you installed using an RPM, the samples
will be in the Samples/Universal subdirectory of the
Shorewall documentation directory. If you don't know where the
Shorewall documentation directory is, you can find the samples using
this command:
~# rpm -ql shorewall-common | fgrep Universal
/usr/share/doc/packages/shorewall/Samples/Universal
/usr/share/doc/packages/shorewall/Samples/Universal/interfaces
/usr/share/doc/packages/shorewall/Samples/Universal/policy
/usr/share/doc/packages/shorewall/Samples/Universal/rules
/usr/share/doc/packages/shorewall/Samples/Universal/zones
~#
If you installed using the tarball, the samples are in the
Samples/Universal directory in
the tarball.
If you installed using a Shorewall 4.x .deb, the samples are in
/usr/share/doc/shorewall-common/examples/Universal..
You do not need the shorewall-doc package to have access to the
samples.
Simple copy the files from the Universal directory to
/etc/shorewall.
How to Start the firewall
Before starting Shorewall for the first time, it's a good idea to
stop your existing firewall. On Redhat/CentOS/Fedora, at a root prompt
type:
service iptables stop
If you are running SuSE, use Yast or Yast2 to stop
SuSEFirewall.
Once you have Shorewall running to your satisfaction, you should
totally disable your existing firewall. On /Redhat/CentOS/Fedora:
chkconfig --del iptables
At a root prompt, type:
/sbin/shorewall start
That's it. Shorewall will automatically start again when you
reboot.
Now that it is running, ...
How do I stop the firewall?
At a root prompt, type:
/sbin/shorewall clear
The system is now 'wide open'.
How do I prevent it from responding to ping?
Edit /etc/shorewall/rules and remove the line
that reads:
Ping(ACCEPT) net $FW
and at a root prompt, type:
/sbin/shorewall restart
How do I allow other kinds of incoming connections?
Shorewall includes a collection of macros
that can be used to quickly allow or deny services. You can find a list
of the macros included in your version of Shorewall using the command
ls /usr/share/shorewall/macro.*
or at a shell prompt type:
/sbin/shorewall show macros
If you wish to enable connections from the Internet to your
firewall and you find an appropriate macro in
/etc/shorewall/macro.*, the general format of a
rule in /etc/shorewall/rules is:
#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
<macro>(ACCEPT) net $FW
Be sure to add your rules after the line that reads SECTION NEW.
You want to run a Web Server and a IMAP Server on your firewall
system:
#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
Web(ACCEPT) net $FW
IMAP(ACCEPT)net $FW
You may also choose to code your rules directly without using the
pre-defined macros. This will be necessary in the event that there is
not a pre-defined macro that meets your requirements. In that case the
general format of a rule in /etc/shorewall/rules
is:
#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT net $FW <protocol> <port>
You want to run a Web Server and a IMAP Server on your firewall
system:
#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT net $FW tcp 80
ACCEPT net $FW tcp 143
If you don't know what port and protocol a particular application
uses, see here.
How do I make the firewall log a message when it disallows an
incoming connection?
Shorewall does not maintain a log itself but rather relies on your
system's logging
configuration. The following commands rely on knowing where
Netfilter messages are logged:
shorewall show log (Displays the last 20
Netfilter log messages)
shorewall logwatch (Polls the log at a
settable interval
shorewall dump (Produces an extensive
report for inclusion in Shorewall problem reports)
It is important that these commands work properly because when you
encounter connection problems when Shorewall is running, the first thing
that you should do is to look at the Netfilter log; with the help of
Shorewall FAQ 17, you can usually
resolve the problem quickly.
The Netfilter log location is distribution-dependent:
Debian and its derivatives log Netfilter messages to
/var/log/kern.log.
Recent SuSE/OpenSuSE releases come
preconfigured with syslog-ng and log netfilter messages to
/var/log/firewall.
For other distributions, Netfilter messages are most commonly
logged to /var/log/messages.
Modify the LOGFILE setting in
/etc/shorewall/shorewall.conf to specify the name
of your log.
The LOGFILE setting does not control where the Netfilter log is
maintained -- it simply tells the /sbin/shorewall
utility where to find the log.
Now, edit /etc/shorewall/policy and modify
the line that reads:
net all DROP
to
net all DROP info
Then at a root prompt, type:
/sbin/shorewall restart
How do I prevent the firewall from forwarding connection
requests?
Edit /etc/shorewall/interfaces, and change the line that
read:
net all - dhcp,physical=+,routeback
to
net all - dhcp,physical=+
Then at a root prompt, type:
/sbin/shorewall restart