Universal Configuration Tom Eastep 2010 Thomas M. Eastep Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled GNU Free Documentation License.
What it does This document describes a way to install Shorewall on a GNU/Linux system and protect that system. The resulting firewall will: Allow all outgoing traffic. Block all incoming connections except: Secure Shell Ping Allow forwarding of traffic, provided that the system has more than one interface or is set up to route between networks on a single interface.
How to Install it The location of the configuration files is dependent on your distribution and how you installed Shorewall. If you installed using an RPM, the samples will be in the Samples/Universal subdirectory of the Shorewall documentation directory. If you don't know where the Shorewall documentation directory is, you can find the samples using this command: ~# rpm -ql shorewall-common | fgrep Universal /usr/share/doc/packages/shorewall/Samples/Universal /usr/share/doc/packages/shorewall/Samples/Universal/interfaces /usr/share/doc/packages/shorewall/Samples/Universal/policy /usr/share/doc/packages/shorewall/Samples/Universal/rules /usr/share/doc/packages/shorewall/Samples/Universal/zones ~# If you installed using the tarball, the samples are in the Samples/Universal directory in the tarball. If you installed using a Shorewall 4.x .deb, the samples are in /usr/share/doc/shorewall-common/examples/Universal.. You do not need the shorewall-doc package to have access to the samples. Simple copy the files from the Universal directory to /etc/shorewall.
How to Start the firewall Before starting Shorewall for the first time, it's a good idea to stop your existing firewall. On Redhat/CentOS/Fedora, at a root prompt type:
service iptables stop
If you are running SuSE, use Yast or Yast2 to stop SuSEFirewall. Once you have Shorewall running to your satisfaction, you should totally disable your existing firewall. On /Redhat/CentOS/Fedora:
chkconfig --del iptables
At a root prompt, type:
/sbin/shorewall start
That's it. Shorewall will automatically start again when you reboot.
Now that it is running, ...
How do I stop the firewall? At a root prompt, type:
/sbin/shorewall clear
The system is now 'wide open'.
How do I prevent it from responding to ping? Edit /etc/shorewall/rules and remove the line that reads:
Ping(ACCEPT) net $FW
and at a root prompt, type:
/sbin/shorewall restart
How do I allow other kinds of incoming connections? Shorewall includes a collection of macros that can be used to quickly allow or deny services. You can find a list of the macros included in your version of Shorewall using the command ls /usr/share/shorewall/macro.* or at a shell prompt type:
/sbin/shorewall show macros
If you wish to enable connections from the Internet to your firewall and you find an appropriate macro in /etc/shorewall/macro.*, the general format of a rule in /etc/shorewall/rules is: #ACTION SOURCE DESTINATION PROTO DEST PORT(S) <macro>(ACCEPT) net $FW Be sure to add your rules after the line that reads SECTION NEW. You want to run a Web Server and a IMAP Server on your firewall system: #ACTION SOURCE DESTINATION PROTO DEST PORT(S) Web(ACCEPT) net $FW IMAP(ACCEPT)net $FW You may also choose to code your rules directly without using the pre-defined macros. This will be necessary in the event that there is not a pre-defined macro that meets your requirements. In that case the general format of a rule in /etc/shorewall/rules is: #ACTION SOURCE DESTINATION PROTO DEST PORT(S) ACCEPT net $FW <protocol> <port> You want to run a Web Server and a IMAP Server on your firewall system: #ACTION SOURCE DESTINATION PROTO DEST PORT(S) ACCEPT net $FW tcp 80 ACCEPT net $FW tcp 143 If you don't know what port and protocol a particular application uses, see here.
How do I make the firewall log a message when it disallows an incoming connection? Shorewall does not maintain a log itself but rather relies on your system's logging configuration. The following commands rely on knowing where Netfilter messages are logged: shorewall show log (Displays the last 20 Netfilter log messages) shorewall logwatch (Polls the log at a settable interval shorewall dump (Produces an extensive report for inclusion in Shorewall problem reports) It is important that these commands work properly because when you encounter connection problems when Shorewall is running, the first thing that you should do is to look at the Netfilter log; with the help of Shorewall FAQ 17, you can usually resolve the problem quickly. The Netfilter log location is distribution-dependent: Debian and its derivatives log Netfilter messages to /var/log/kern.log. Recent SuSE/OpenSuSE releases come preconfigured with syslog-ng and log netfilter messages to /var/log/firewall. For other distributions, Netfilter messages are most commonly logged to /var/log/messages. Modify the LOGFILE setting in /etc/shorewall/shorewall.conf to specify the name of your log. The LOGFILE setting does not control where the Netfilter log is maintained -- it simply tells the /sbin/shorewall utility where to find the log. Now, edit /etc/shorewall/policy and modify the line that reads:
net all DROP
to
net all DROP info
Then at a root prompt, type:
/sbin/shorewall restart
How do I prevent the firewall from forwarding connection requests? Edit /etc/shorewall/interfaces, and change the line that read:
net all - dhcp,physical=+,routeback
to
net all - dhcp,physical=+
Then at a root prompt, type:
/sbin/shorewall restart