Shorewall 2.0 ReferenceTomEastep2004-08-102001-2004Thomas M. EastepPermission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
GNU Free Documentation
License.This documentation is intended primarily for reference.
Step-by-step instructions for configuring Shorewall in common setups may
be found in the QuickStart
Guides.ComponentsShorewall consists of the following components:paramsa parameter file installed in /etc/shorewall that can be used to
establish the values of shell variables for use in other
files.shorewall.confa parameter file installed in /etc/shorewall that is used to set
several firewall parameters.zonesa parameter file installed in /etc/shorewall that defines a network
partitioning into zonespolicya parameter file installed in /etc/shorewall that establishes overall
firewall policy.rulesa parameter file installed in /etc/shorewall and used to express
firewall rules that are exceptions to the high-level policies
established in /etc/shorewall/policy.blacklista parameter file installed in /etc/shorewall and used to list
blacklisted IP/subnet/MAC addresses.ecna parameter file installed in /etc/shorewall and used to selectively
disable Explicit Congestion Notification (ECN - RFC 3168).functionsa set of shell functions used by both the firewall and
shorewall shell programs. Installed in /usr/share/shorewall.modulesa parameter file installed in /etc/shorewall and that specifies
kernel modules and their parameters. Shorewall will automatically
load the modules specified in this file.tosa parameter file installed in /etc/shorewall that is used to specify
how the Type of Service (TOS) field in packets is to be set.init.sh and init.debian.sha shell script installed in /etc/init.d to automatically start
Shorewall during boot. The particular script installed depends on
which distribution you are running.interfacesa parameter file installed in /etc/shorewall and used to describe the
interfaces on the firewall system.hostsa parameter file installed in /etc/shorewall and used to describe
individual hosts or subnetworks in zones.maclista parameter file installed in /etc/shorewall and used to verify the
MAC address (and possibly also the IP address(es)) of
devices.masqThis file also describes IP masquerading under Shorewall and
is installed in /etc/shorewall.firewalla shell program that reads the configuration files in
/etc/shorewall and configures
your firewall. This file is installed in /usr/share/shorewall.nata parameter file in /etc/shorewall used to define one-to-one NAT.proxyarpa parameter file in /etc/shorewall used to define Proxy Arp.rfc1918a parameter file in /usr/share/shorewall used to define the
treatment of packets under the norfc1918
interface option.bogonsa parameter file in /usr/share/shorewall used to define the
treatment of packets under the nobogons
interface option.routestoppeda parameter file in /etc/shorewall used to define those
hosts that can access the firewall when Shorewall is stopped.tcrulesa parameter file in /etc/shorewall
used to define rules for classifying packets for Traffic Shaping/Control.tunnelsa parameter file in /etc/shorewall used to define IPSec
tunnels.shorewalla shell program (requiring a Bourne shell or derivative) used
to control and monitor the firewall. This should be placed in
/sbin or in /usr/sbin (the install.sh script and
the rpm install this file in /sbin).accountinga parameter file in /etc/shorewall used to define traffic
accounting rules. This file was added in version 1.4.7.versiona file created in /usr/share/shorewall that describes the
version of Shorewall installed on your system.actions and
action.templatefiles in /etc/shorewall
and /usr/share/shorewall
respectively that allow you to define your own actions for rules in
/etc/shorewall/rules.actions.std and action.*files in /usr/share/shorewall that define the
actions included as a standard part of Shorewall./etc/shorewall/paramsYou may use the file /etc/shorewall/params file
to set shell variables that you can then use in some of the other
configuration files.It is suggested that variable names begin with an upper case letter
to distinguish them from variables used internally within the Shorewall
programsshell variablesNET_IF=eth0 NET_BCAST=130.252.100.255
NET_OPTIONS=blacklist,norfc1918/etc/shorewall/interfaces recordnet $NET_IF $NET_BCAST $NET_OPTIONSThe result will be the same as if the record had been writtennet eth0 130.252.100.255 blacklist,norfc1918Variables may be used anywhere in the other configuration
files./etc/shorewall/zonesThis file is used to define the network zones. There is one entry in
/etc/shorewall/zones for each zone; Columns in an
entry are:ZONEshort name for the zone. The name should be 5 characters or
less in length (4 characters or less if you are running Shorewall
1.4.4 or later) and consist of lower-case letters or numbers. Short
names must begin with a letter and the name assigned to the firewall
is reserved for use by Shorewall itself. Note that the output
produced by iptables is much easier to read if you select short
names that are three characters or less in length. The name
all may not be used as a zone name nor may the zone
name assigned to the firewall itself via the FW variable in .DISPLAYThe name of the zone as displayed during Shorewall
startup.COMMENTSAny comments that you want to make about the zone. Shorewall
ignores these comments.#ZONE DISPLAY COMMENTS
net Net Internet
loc Local Local networks
dmz DMZ Demilitarized zoneYou may add, delete and modify entries in the
/etc/shorewall/zones file as desired so long as you
have at least one zone defined.If you rename or delete a zone, you should perform
shorewall stop; shorewall start to
install the change rather than shorewall
restart.The order of entries in the
/etc/shorewall/zones file is significant in some cases./etc/shorewall/interfacesThis file is used to tell the firewall which of your firewall's
network interfaces are connected to which zone. There will be one entry in
/etc/shorewall/interfaces for each of your interfaces. Columns in an entry
are:ZONEA zone defined in the file or
-. If you specify -, you must use the
file to define the zones accessed via this
interface.INTERFACEthe name of the interface (examples: eth0, ppp0, ipsec+). Each
interface can be listed on only one record in this file.You do not need to include the loopback interface (lo) in
this file.BROADCASTthe broadcast address(es) for the sub-network(s) attached to
the interface. This should be left empty for P-T-P interfaces (ppp*,
ippp*); if you need to specify options for such an interface, enter
- in this column. If you supply the special value
detect in this column, the firewall will
automatically determine the broadcast address. In order to use
detect:the interface must be up before you start your
firewallthe interface must only be attached to a single
sub-network (i.e., there must have a single broadcast
address).OPTIONSa comma-separated list of options. Possible options
include:arp_filter(Added in version 1.4.7) - This option causes
/proc/sys/net/ipv4/conf/<interface>/arp_filter
to be set with the result that this interface will only answer
ARP who-has requests from hosts that are routed
out of that interface. Setting this option facilitates testing
of your firewall where multiple firewall interfaces are
connected to the same HUB/Switch (all interface connected to
the single HUB/Switch should have this option specified). Note
that using such a configuration in a production environment is
strongly recommended against.newnotsyn(Added in version 1.4.6) - This option overrides NEWNOTSYN=No for packets arriving on
this interface. In other words, packets coming in on this
interface are processed as if NEWNOTSYN=Yes had been specified
in .routeback(Added in version 1.4.2) - This option causes Shorewall
to set up handling for routing packets that arrive on this
interface back out the same interface. If this option is
specified, the ZONE column may not contain
-.tcpflags(added in version 1.3.11) - This option causes Shorewall
to make sanity checks on the header flags in TCP packets
arriving on this interface. Checks include Null flags,
SYN+FIN, SYN+RST and FIN+URG+PSH; these flag combinations are
typically used for silent port scans. Packets
failing these checks are logged according to the
TCP_FLAGS_LOG_LEVEL option in and are
disposed of according to the TCP_FLAGS_DISPOSITION
option.blacklistThis option causes incoming packets on this interface to
be checked against the blacklist.dhcpThe interface is assigned an IP address via DHCP or is
used by a DHCP server running on the firewall. The firewall
will be configured to allow DHCP traffic to and from the
interface even when the firewall is stopped. You may also wish
to use this option if you have a static IP but you are on a
LAN segment that has a lot of Laptops that use DHCP and you
select the norfc1918 option
(see below).norfc1918Packets arriving on this interface and that have a
source or destination address that is reserved in RFC 1918
will be dropped after being optionally logged.Prior to Shorewall 2.0.1, addresses blocked by the
standard rfc1918 file include
those addresses reserved by RFC1918 plus other ranges reserved
by the IANA or by other RFCs. Beginning with Shorewall 2.0.1,
these additional addresses are covered by the nobogons option below.Beware that as IPv4 addresses become in increasingly
short supply, ISPs are beginning to use RFC 1918 addresses
within their own infrastructure. Also, many cable and DSL
modems have an RFC 1918 address that can be
used through a web browser for management and monitoring
functions. If you want to specify norfc1918 on your external interface
but need to allow access to certain addresses from the above
list, see FAQ 14.nobogons (Added in Shorewall 2.0.1)Packets arriving on this interface that have a source
address reserved by the IANA or by other RFCs (other than
1918) are dropped after being optionally logged. See the
/etc/shorewall/bogons file documentation below.routefilterInvoke the Kernel's route filtering (anti-spoofing)
facility on this interface. The kernel will reject any packets
incoming on this interface that have a source address that
would be routed outbound through another interface on the
firewall.If you specify this option for an interface then the
interface must be up prior to starting the firewall.proxyarp(Added in version 1.3.5) - This option causes Shorewall
to set
/proc/sys/net/ipv4/conf/<interface>/proxy_arp
and is used when implementing Proxy ARP Sub-netting as
described at http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet/.
Do not set this option if you
are implementing Proxy ARP through entries in .maclist(Added in version 1.3.10) - If this option is specified,
all connection requests from this interface are subject to
MAC Verification. May
only be specified for ethernet interfaces.detectnets(Added in version 1.4.10) - If this option is specified,
the zone named in the ZONE column will contain only the hosts
routed through the interface named in the INTERFACE column.
Do not set this option on your external
(Internet) interface! The interface must be in the
UP state when Shorewall is [re]started.nosmurfs(Added in version 2.0.0) - If this option is specified,
incoming connection requests will be checked to ensure that
they do not have a broadcast or multicast address as their
source. Any such packets will be dropped after being
optionally logged according to the setting of SMURF_LOG_LEVEL
in /etc/shorewall/shorewall.conf.My recommendations concerning options:External Interface -- tcpflags,blacklist,norfc1918,routefilter,nosmurfsWireless Interface -- maclist,routefilter,tcpflags,detectnets,nosmurfsUse dhcp and proxyarp when needed.You have a conventional firewall setup in which eth0 connects to
a Cable or DSL modem and eth1 connects to your local network and eth0
gets its IP address via DHCP. You want to check all packets entering
from the internet against the black
list. Your /etc/shorewall/interfaces file would be as
follows:#ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect dhcp,norfc1918,blacklistYou have a standalone dialup GNU/Linux System. Your
/etc/shorewall/interfaces file would be:#ZONE INTERFACE BROADCAST OPTIONS
net ppp0You have local interface eth1 with two IP addresses -
192.168.1.1/24 and 192.168.12.1/24#ZONE INTERFACE BROADCAST OPTIONS
loc eth1 192.168.1.255,192.168.12.255/etc/shorewall/hosts ConfigurationFor most applications, specifying zones entirely in terms of network
interfaces is sufficient. There may be times though where you need to
define a zone to be a more general collection of hosts. This is the
purpose of the /etc/shorewall/hosts file.The only time that you need entries in
/etc/shorewall/hosts is where you have more than one zone connecting through a single
interface.IF YOU DON'T HAVE THIS SITUATION THEN DON'T
TOUCH THIS FILE!!Columns in this file are:ZONEA zone defined in the file.HOST(S)The name of an interface defined in the /etc/shorewall/interfaces file followed
by a colon (":") and a comma-separated list whose elements are
either:The IP address of a hostA subnetwork in the form
<subnet-address>/<mask
width>A physical port name (Shorewall version 2.0.1 and later);
only allowed when the interface names a bridge created by the
brctl addbr command. This port must not be
defined in /etc/shorewall/interfaces and
may optionally followed by a colon (":") and a host or network
IP. See the bridging
documentation for details.If you are running a version of Shorewall earlier than
1.4.6, only a single host/subnet address may be specified in an
entry in /etc/shorewall/hosts.OPTIONSA comma-separated list of optionrouteback(Added in version 1.4.2) - This option causes Shorewall
to set up handling for routing packets sent by this host group
back back to the same group.maclistAdded in version 1.3.10. If specified, connection
requests from the hosts specified in this entry are subject to
MAC Verification.
This option is only valid for ethernet interfaces.tcpflags (Added in Shorewall 2.0.1)(added in version 1.3.11) - This option causes Shorewall
to make sanity checks on the header flags in TCP packets
arriving from these hosts. Checks include Null flags, SYN+FIN,
SYN+RST and FIN+URG+PSH; these flag combinations are typically
used for silent port scans. Packets failing
these checks are logged according to the TCP_FLAGS_LOG_LEVEL
option in and are disposed of
according to the TCP_FLAGS_DISPOSITION option.blacklist (Added in Shorewall 2.0.1 -- only makes sense
for bridge ports)This option causes incoming packets on this port to be
checked against the blacklist.norfc1918 (Added in Shorewall 2.0.1 -- only makes sense
for bridge ports)Packets arriving on this port and that have a source
address that is reserved in RFC 1918 will be dropped after
being optionally logged as specified in the settion of
RFC1918_LOG_LEVEL in shorewall.conf.nobogons (Added in Shorewall 2.0.1 -- only makes sense for
bridge ports)Packets arriving on this port that have a source address
reserved by the IANA or by other RFCs (other than 1918) are
dropped after being optionally logged. See the
/etc/shorewall/bogons file documentation below.nosmurfs (Added in Shorewall 2.0.1 -- only makes sense for
bridge ports)If this option is specified, incoming connection
requests will be checked to ensure that they do not have a
broadcast or multicast address as their source. Any such
packets will be dropped after being optionally logged
according to the setting of SMURF_LOG_LEVEL in /etc/shorewall/shorewall.conf.If you don't define any hosts for a zone, the hosts in the zone
default to i0:0.0.0.0/0 , i1:0.0.0.0/0, ... where i0, i1, ... are the
interfaces to the zone.You probably DON'T want to specify any hosts for your internet
zone since the hosts that you specify will be the only ones that you
will be able to access without adding additional rules.Your local interface is eth1 and you have two groups of local
hosts that you want to make into separate zones:192.168.1.0/25 192.168.1.128/25Your /etc/shorewall/interfaces file might look like:#ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect dhcp,norfc1918
- eth1 192.168.1.127,192.168.1.255The - in the ZONE column for eth1 tells Shorewall
that eth1 interfaces to multiple zones.#ZONE HOST(S) OPTIONS
loc1 eth1:192.168.1.0/25
loc2 eth1:192.168.1.128/25You have local interface eth1 with two IP addresses -
192.168.1.1/24 and 192.168.12.1/24Your /etc/shorewall/interfaces file might look like:#ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect dhcp,norfc1918
- eth1 192.168.1.255,192.168.12.255Your /etc/shorewall/hosts file might look like:#ZONE HOST(S) OPTIONS
loc eth1:192.168.1.0/24
loc eth1:192.168.12.0/24If you are running Shorewall 1.4.6 or later, your hosts file may
look like:#ZONE HOST(S) OPTIONS
loc eth1:192.168.1.0/24,192.168.12.0/24Nested and Overlapping ZonesThe /etc/shorewall/interfaces and
/etc/shorewall/hosts file allow you to define
nested or overlapping zones. Such overlapping/nested zones are allowed
and Shorewall processes zones in the order that they appear in the
/etc/shorewall/zones file. So if you have nested
zones, you want the sub-zone to appear before the super-zone and in the
case of overlapping zones, the rules that will apply to hosts that
belong to both zones is determined by which zone appears first in
/etc/shorewall/zones.Hosts that belong to more than one zone may be managed by the
rules of all of those zones. This is done through use of the special
CONTINUE policy described below./etc/shorewall/policy ConfigurationThis file is used to describe the firewall policy regarding
establishment of connections. Connection establishment is described in
terms of clients who initiate connections and
servers who receive those connection requests.
Policies defined in /etc/shorewall/policy describe
which zones are allowed to establish connections with other zones.Policies established in /etc/shorewall/policy
can be viewed as default policies. If no rule in
/etc/shorewall/rules applies to a particular connection request then the
policy from /etc/shorewall/policy is applied.Five policies are defined:ACCEPTThe connection is allowed.DROPThe connection request is ignored.REJECTThe connection request is rejected with an RST (TCP) or an
ICMP destination-unreachable packet being returned to the
client.CONTINUEThe connection is neither ACCEPTed, DROPped nor REJECTed.
CONTINUE may be used when one or both of the zones named in the
entry are sub-zones of or intersect with another zone. For more
information, see below.NONE(Added in version 1.4.1) - Shorewall should not set up any
infrastructure for handling traffic from the SOURCE zone to the DEST
zone. When this policy is specified, the LOG
LEVEL and BURST:LIMIT
columns must be left blank.For each policy specified in /etc/shorewall/policy, you can indicate
that you want a message sent to your system log each time that the policy
is applied.Entries in /etc/shorewall/policy have four columns as
follows:SOURCEThe name of a client zone (a zone defined in the file , the name of the
firewall zone or all).DESTThe name of a destination zone (a zone defined in the file , the name of the
firewall zone or all). Shorewall automatically
allows all traffic from the firewall to itself so the name of the firewall zone cannot appear in
both the SOURCE and DEST columns.POLICYThe default policy for connection requests from the SOURCE
zone to the DESTINATION zone.LOG LEVELOptional. If left empty, no log message is generated when the
policy is applied. Otherwise, this column should contain an integer
or name indicating a syslog
level.LIMIT:BURST - optionalIf left empty, TCP connection requests from the SOURCE zone to the DEST zone will not be rate-limited.
Otherwise, this column specifies the maximum rate at which TCP
connection requests will be accepted followed by a colon
(:) followed by the maximum burst size that will be
tolerated. Example: 10/sec:40
specifies that the maximum rate of TCP connection requests allowed
will be 10 per second and a burst of 40 connections will be
tolerated. Connection requests in excess of these limits will be
dropped. See the rules file
documentation for an explaination of how rate limiting
works.In the SOURCE and DEST columns, you can enter all to
indicate all zones.The default /etc/shorewall/policy file is as
follows.#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
loc net ACCEPT
net all DROP info
all all REJECT infoThis table may be interpreted as follows:All connection requests from the local network to hosts on the
internet are accepted.All connection requests originating from the internet are
ignored and logged at level KERNEL.INFO.All other connection requests are rejected and logged.The firewall script processes the
/etc/shorewall/policy file from top to bottom and
uses the first applicable policy that it
finds. For example, in the following policy file, the policy
for (loc, loc) connections would be ACCEPT as specified in the first
entry even though the third entry in the file specifies REJECT.#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
loc all ACCEPT
net all DROP info
loc loc REJECT infoIntra-Zone TrafficShorewall allows a zone to be associated with more than one
interface or with multiple networks that interface through a single
interface. Beginning with Shorewall 1.4.1, Shorewall will ACCEPT all
traffic from a zone to itself provided that there is no explicit policy
governing traffic from that zone to itself (an explicit policy does not
specify all in either the SOURCE or DEST column) and that
there are no rules concerning connections from that zone to itself. If
there is an explicit policy or if there are one or more rules, then
traffic within the zone is handled just like traffic between zones
is.Any time that you have multiple interfaces associated with a
single zone, you should ask yourself if you really want traffic routed
between those interfaces. Cases where you might not want that behavior
are:Multiple net interfaces to different ISPs. You
don't want to route traffic from one ISP to the other through your
firewall.Multiple VPN clients. You don't necessarily want them to all
be able to communicate between themselves using your
gateway/router.Beginning with Shorewall 2.0.0, you can control the traffic from
the firewall to itself. As with any zone, fw->fw traffic is enabled
by default. It is not necessary to define the loopback interface (lo) in
/etc/shorewall/interfaces in order to
define fw->fw rules or a fw->fw policy.So long as there are no intra-zone rules for a zone, all
intra-zone traffic for that zone is accepted. As soon as you add a
single rule from the zone to itself, then ALL traffic from that zone
to itself is controlled by the rules and the first policy in
/etc/shorewall/policy that matches the zone to
itself.The CONTINUE policyWhere zones are nested or
overlapping, the CONTINUE policy allows hosts that are within
multiple zones to be managed under the rules of all of these zones.
Let's look at an example:/etc/shorewall/zones:#ZONE DISPLAY COMMENTS
sam Sam Sam's system at home
net Internet The Internet
loc Local Local Network/etc/shorewall/interfaces:#ZONE INTERFACE BROADCAST OPTIONS
- eth0 detect dhcp,norfc1918
loc eth1 detect/etc/shorewall/hosts:#ZONE HOST(S) OPTIONS
net eth0:0.0.0.0/0
sam eth0:206.191.149.197Sam's home system is a member of both the sam zone and the net zone and as
described above , that means that sam must be listed before net in
/etc/shorewall/zones./etc/shorewall/policy:#SOURCE DEST POLICY LOG LEVEL
loc net ACCEPT
sam all CONTINUE
net all DROP info
all all REJECT infoThe second entry above says that when Sam is the client,
connection requests should first be process under rules where the source
zone is sam and if there is no match
then the connection request should be treated under rules where the
source zone is net. It is important
that this policy be listed BEFORE the next policy (net to all).Partial /etc/shorewall/rules:#ACTION SOURCE DEST PROTO DEST PORT(S)
...
DNAT sam loc:192.168.1.3 tcp ssh
DNAT net loc:192.168.1.5 tcp www
...Given these two rules, Sam can connect to the firewall's internet
interface with ssh and the connection request will be forwarded to
192.168.1.3. Like all hosts in the net
zone, Sam can connect to the firewall's internet interface on TCP port
80 and the connection request will be forwarded to 192.168.1.5. The
order of the rules is not significant.Sometimes it is necessary to suppress port forwarding
for a sub-zone. For example, suppose that all hosts can SSH to the
firewall and be forwarded to 192.168.1.5 EXCEPT Sam. When Sam connects
to the firewall's external IP, he should be connected to the firewall
itself. Because of the way that Netfilter is constructed, this requires
two rules as follows:#ACTION SOURCE DEST PROTO DEST PORT(S)
...
DNAT sam fw tcp ssh
DNAT net loc:192.168.1.3 tcp ssh
...The first rule allows Sam SSH access to the firewall. The second
rule says that any clients from the net zone with the exception of those
in the sam zone should have their connection port
forwarded to 192.168.1.3. If you need to exclude more than one zone in
this way, you can list the zones separated by commas (e.g.,
net!sam,joe,fred). This technique also may be used when the ACTION is
REDIRECT./etc/shorewall/rulesThe /etc/shorewall/rules file defines
exceptions to the policies established in the
/etc/shorewall/policy file. There is one entry in
/etc/shorewall/rules for each of these rules. Entries in this file only
govern the establishment of new connections — packets that are part of an
existing connection or that establish a connection that is related to an
existing connection are automatically accepted.Rules for each pair of zones (source zone, destination zone) are
evaluated in the order that they appear in the file — the first match
determines the disposition of the connection request with a couple of
caveats:LOG rules cause the connection request to be logged then
processing continues with the next rule in the file.QUEUE rules cause the connection request to be passed to
user-space -- the user-space application can later insert them back
into the stream for further processing by following rules.CONTINUE rules may cause the connection request to be
reprocessed using a different (source zone, destination zone)
pair.Entries in the file have the following columns:ACTIONACCEPT, DROP, REJECT, CONTINUEThese have the same meaning here as in the policy file
above.ACCEPT+Added in Shorewall 2.0.2 Beta 2. Works like ACCEPT but
also exempts the connection from matching DNAT and REDIRECT
rules later in the file.NONATAdded in Shorewall 2.0.2 Beta 2. Exempts matching
connections from DNAT and REDIRECT rules later in the
file.DNATCauses the connection request to be forwarded to the
system specified in the DEST column (port forwarding).
DNAT stands for Destination Network Address TranslationDNAT-The above ACTION (DNAT) generates two iptables
rules:a header-rewriting rule in the Netfilter
nat tablean ACCEPT rule in the Netfilter
filter table.DNAT- works like DNAT but only generates the
header-rewriting rule.REDIRECTCauses the connection request to be redirected to a port
on the local (firewall) system.REDIRECT-The above ACTION (REDIRECT) generates two iptables
rules:a header-rewriting rule in the Netfilter
nat tablean ACCEPT rule in the Netfilter
filter table.REDIRECT- works like REDIRECT but only generates the
header-rewriting rule.LOGLog the packet -- requires a syslog level (see
below).QUEUEForward the packet to a user-space application. This
facility is provided to allow interfacing to ftwall for Kazaa filtering.When the protocol specified in the PROTO column is TCP
(tcp, TCP or
6), Shorewall will only pass connection
requests (SYN packets) to user space. This is for
compatibility with ftwall.<defined
action>(Shorewall 1.4.9 and later) - An action defined in the
/etc/shorewall/actions
or /usr/share/shorewall/actions.std
files.The ACTION may optionally be followed by : and
a syslog level (example:
REJECT:info or ACCEPT:debug). This causes the packet to be logged at
the specified level prior to being processed according to the
specified ACTION. Note: if the ACTION is LOG then you MUST specify a
syslog level. Beginning with Shorewall version 2.0.2 Beta 1, a
log tag may be specified. A log tag is a
string of alphanumeric characters and is specified by following the
log level with ":" and the log tag. Example:ACCEPT:info:ftp net dmz tcp 21
The log tag is appended to the log prefix generated by the
LOGPREFIX variable in /etc/shorewall/conf. If
"ACCEPT:info" generates the log prefix "Shorewall:net2dmz:ACCEPT:"
then "ACCEPT:info:ftp" will generate "Shorewall:net2dmz:ACCEPT:ftp "
(note the trailing blank). The maximum length of a log prefix
supported by iptables is 29 characters; if a larger prefix is
generated, Shorewall will issue a warning message and will truncate
the prefix to 29 characters.Specifying a log level for a <defined
action> will log all invocations of the action. For
example:AllowFTP:info net dmzwill log all net->dmz traffic that has not been handled by
earlier rules. That's probably not what you want. If you want to log
the FTP connections that are actually accepted, you need to log
within the action itself. One way to do that would be to copy
/usr/share/shorewall/action.AllowFTP to
/etc/shorewall and modify the
copy as follows:#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
ACCEPT:info - - tcp 21
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVEThe use of DNAT or REDIRECT requires that you have NAT enabled
in your kernel configuration.SOURCEDescribes the source hosts to which the rule applies.. The
contents of this field must begin with the name of a zone defined in
/etc/shorewall/zones, $FW or all. If the ACTION is
DNAT or REDIRECT, sub-zones may be excluded from the rule by
following the initial zone name with ! and a
comma-separated list of those sub-zones to be excluded. There is an
example above.If the source is not all then the source may be
further restricted by adding a colon (:) followed by
a comma-separated list of qualifiers. Qualifiers are may
include:interface namerefers to any connection requests arriving on the
specified interface (example loc:eth4). Beginning with
Shorwall 1.3.9, the interface name may optionally be followed
by a colon (:) and an IP address or subnet
(examples: loc:eth4:192.168.4.22,
net:eth0:192.0.2.0/24).IP addressrefers to a connection request from the host with the
specified address (example net:155.186.235.151). If the ACTION
is DNAT, this must not be a DNS name.MAC Addressin Shorewall
format.subnetrefers to a connection request from any host in the
specified subnet (example net:155.186.235.0/24).DESTDescribes the destination host(s) to which the rule applies.
May take most of the forms described above for SOURCE plus the
following two additional forms:An IP address followed by a colon and the port number that the server is listening on
(service names from /etc/services are not allowed - example
loc:192.168.1.3:80).A single port number (again, service names are not
allowed) -- this form is only allowed if the ACTION is REDIRECT
and refers to a server running on the firewall itself and
listening on the specified port.Restrictions:MAC addresses may not be specified.In DNAT rules, only IP addresses may be given -- DNS names
are not permitted.You may not specify both an IP address and an interface
name in the DEST column.Unlike in the SOURCE column, a range of IP addresses may be
specified in the DEST column as <first
address>-<last address>.
When the ACTION is DNAT or DNAT-, connections will be assigned to
the addresses in the range in a round-robin fashion
(load-balancing). This feature is available
with DNAT rules only with Shorewall 1.4.6 and later versions; it is
available with DNAT- rules in all versions that support
DNAT-.PROTOProtocol. Must be a protocol name from /etc/protocols, a
number or all. Specifies the protocol of the
connection request.DEST PORT(S)Port or port range (<low port>:<high port>) being
connected to. May only be specified if the protocol is tcp, udp or
icmp. For icmp, this column's contents are interpreted as an icmp
type. If you don't want to specify DEST PORT(S) but need to include
information in one of the columns to the right, enter
- in this column. You may give a list of ports and/or
port ranges separated by commas. Port numbers may be either integers
or service names from /etc/services.SOURCE PORTS(S)May be used to restrict the rule to a particular client port
or port range (a port range is specified as <low port
number>:<high port number>). If you don't want to restrict
client ports but want to specify something in the next column, enter
- in this column. If you wish to specify a list of
port number or ranges, separate the list elements with commas (with
no embedded white space). Port numbers may be either integers or
service names from /etc/services.ORIGINAL DESTThis column may only be non-empty if the ACTION is DNAT or
REDIRECT.If DNAT or REDIRECT is the ACTION and the ORIGINAL DEST column
is left empty, any connection request arriving at the firewall from
the SOURCE that matches the rule will be forwarded or redirected.
This works fine for connection requests arriving from the internet
where the firewall has only a single external IP address. When the
firewall has multiple external IP addresses or when the SOURCE is
other than the internet, there will usually be a desire for the rule
to only apply to those connection requests directed to particular IP
addresses (see Example 2 below for another usage). Those IP
addresses are specified in the ORIGINAL DEST column as a
comma-separated list.If this list begins with ! then the rule will
only apply if the original destination address matches none of the
addresses listed.The IP address(es) may be optionally followed by
: and a second IP address. This latter address, if
present, is used as the source address for packets forwarded to the
server (This is called Source NAT or SNAT.Specifying SNAT in a DNAT rule is deprecated and this
feature will be removed from Shorewall in version 2.1.0. An entry
in /etc/shorewall/masq can serve the
same purpose and is the preferred method of performing SNAT with
Shorewall. See FAQ 2 for an
example.When using SNAT, it is a good idea to qualify the source
with an IP address or subnet. Otherwise, it is likely that SNAT
will occur on connections other than those described in the rule.
The reason for this is that SNAT occurs in the Netfilter
POSTROUTING hook where it is not possible to restrict the scope of
a rule by incoming interface.#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# PORT(S) PORT(S) DEST
DNAT loc:192.168.1.0/24 loc:192.168.1.3 tcp www - 206.124.146.179:192.168.1.3If SNAT is not used (no : and second IP
address), the original source address is used. If you want any
destination address to match the rule but want to specify SNAT,
simply use a colon followed by the SNAT address.RATE LIMITBeginning with Shorewall version 1.4.7, you may rate-limit
ACCEPT, DNAT[-], REDIRECT[-] or LOG rules with an entry in this
column. Entries have the form<rate>/<interval>[:<burst>]where <rate> is the number of connections per
<interval> (sec or min) and
<burst> is the largest burst permitted. If no burst value is
given, a value of 5 is assumed.There may be no whitespace embedded in the
specification.Let's takeACCEPT<2/sec:4> net dmz tcp 80The first time this rule is reached, the packet will be
accepted; in fact, since the burst is 4, the first four packets
will be accepted. After this, it will be 500ms (1 second divided
by the rate of 2) before a packet will be accepted from this rule,
regardless of how many packets reach it. Also, every 500ms which
passes without matching a packet, one of the bursts will be
regained; if no packets hit the rule for 2 second, the burst will
be fully recharged; back where we started.When rate limiting is specified on a rule with
all in the SOURCE or DEST fields below, the limit
will apply to each pair of zones individually rather than as a
single limit for all pairs of zones covered by the rule.If you want to specify any following columns but no rate
limit, place - in this column.USER/GROUPBeginning with Shorewall release 1.4.7, output rules from the
firewall itself may be restricted to a particular set of users
and/or user groups. See the User Set
Documentation for details.You wish to forward all ssh connection requests from the internet
to local system 192.168.1.3. You wish to limit the number of connections
to 4/minute with a burst of 8 (Shorewall 1.4.7 and later only):#ACTION SOURCE DEST PROTO DEST PORT(S)
DNAT<4/min:8> net loc:192.168.1.3 tcp sshYou want to redirect all local www connection requests EXCEPT
those to your own http server (206.124.146.177) to a Squid transparent
proxy running on the firewall and listening on port 3128. Squid will of
course require access to remote web servers. This example shows yet
another use for the ORIGINAL DEST column; here, connection requests that
were NOT (notice the !) originally destined to
206.124.146.177 are redirected to local port 3128.#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
# PORT(S) DEST
REDIRECT loc 3128 tcp www - !206.124.146.177
ACCEPT fw net tcp wwwYou want to run a web server at 155.186.235.222 in your DMZ and
have it accessible remotely and locally. the DMZ is managed by Proxy ARP
or by classical sub-netting.#ACTION SOURCE DEST PROTO DEST PORT(S)
ACCEPT net dmz:155.186.235.222 tcp www
ACCEPT loc dmz:155.186.235.222 tcp wwwYou want to run wu-ftpd on 192.168.2.2 in your masqueraded DMZ.
Your internet interface address is 155.186.235.151 and you want the FTP
server to be accessible from the internet in addition to the local
192.168.1.0/24 and dmz 192.168.2.0/24 subnetworks.since the server is in the 192.168.2.0/24 subnetwork, we can
assume that access to the server from that subnet will not involve
the firewall (but see FAQ
2)unless you have more than one external IP address, you can
leave the ORIGINAL DEST column blank in the first rule. You cannot
leave it blank in the second rule though because then all ftp
connections originating in the local subnet 192.168.1.0/24 would be
sent to 192.168.2.2 regardless of the site that the user was trying
to connect to. That is clearly not what you want.#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
# PORT(S) DEST
DNAT net dmz:192.168.2.2 tcp ftp
DNAT loc:192.168.1.0/24 dmz:192.168.2.2 tcp ftp - 155.186.235.151If you are running wu-ftpd, you should restrict the range of
passive in your /etc/ftpaccess file. I only need a few simultaneous FTP
sessions so I use port range 65500-65535. In /etc/ftpaccess, this entry
is appropriate:passive ports 0.0.0.0/0 65500 65534If you are running pure-ftpd, you would include -p
65500:65534 on the pure-ftpd runline.The important point here is to ensure that the port range used for
FTP passive connections is unique and will not overlap with any usage on
the firewall system.You wish to allow unlimited DMZ access to the host with MAC
address 02:00:08:E3:FA:55.#ACTION SOURCE DEST PROTO DEST PORT(S)
ACCEPT loc:~02-00-08-E3-FA-55 dmz allYou wish to allow access to the SMTP server in your DMZ from all
zones.#ACTION SOURCE DEST PROTO DEST PORT(S)
ACCEPT all dmz tcp 25When all is used as a source or destination,
intra-zone traffic is not affected. In this example, if there were
two DMZ interfaces then the above rule would NOT enable SMTP traffic
between hosts on these interfaces.Your firewall's external interface has several IP addresses but
you only want to accept SSH connections on address
206.124.146.176.#ACTION SOURCE DEST PROTO DEST PORT(S)
ACCEPT net fw:206.124.146.176 tcp 22(For advanced users running Shorewall version 1.3.13 or later).
From the internet, you with to forward tcp port 25 directed to
192.0.2.178 and 192.0.2.179 to host 192.0.2.177 in your DMZ. You also
want to allow access from the internet directly to tcp port 25 on
192.0.2.177.#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
# PORT(S) DEST
DNAT- net dmz:192.0.2.177 tcp 25 - 192.0.2.178
DNAT- net dmz:192.0.2.177 tcp 25 - 192.0.2.179
ACCEPT net dmz:192.0.2.177 tcp 25Using DNAT- rather than DNAT avoids
two extra copies of the third rule from being generated.(Shorewall version 1.4.6 or later). You have 9 http servers
behind a Shorewall firewall and you want connection requests to be
distributed among your servers. The servers are
192.168.1.101-192.168.1.109.#ACTION SOURCE DEST PROTO DEST PORT(S)
DNAT net loc:192.168.1.101-192.168.1.109 tcp 80(Shorewall 2.0.2 Beta 2 and Later). You want to redirect all
local www connection requests EXCEPT those from 192.168.1.4 and
192.168.1.199 to a Squid transparent proxy running on the firewall and
listening on port 3128.#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
# PORT(S) DEST
NONAT loc:192.168.1.4,192.168.1.199 \
net tcp www
REDIRECT loc 3128 tcp www -
ACCEPT fw net tcp wwwThe reason that NONAT is used in the above example rather than
ACCEPT+ is that the example is assuming the usual ACCEPT loc->net
policy. Since traffic from the local zone to the internet zone is
accepted anyway, adding an additional ACCEPT rule is unnecessary and all
that is required is to avoid the REDIRECT rule for HTTP connection
requests from the two listed IP addresses.Look here for information on other
services./etc/shorewall/masqThe /etc/shorewall/masq file is used to define classical IP
Masquerading and Source Network Address Translation (SNAT). There is one
entry in the file for each subnet that you want to masquerade. In order to
make use of this feature, you must have NAT enabled.Columns are:INTERFACEThe interface that will masquerade the subnet; this is
normally your internet interface. This interface name can be
optionally qualified by adding : and a subnet or host
IP. When this qualification is added, only packets addressed to that
host or subnet will be masqueraded. Beginning with Shorewall version
1.4.10, the interface name can be qualified with ":" followed by a
comma separated list of hosts and/or subnets. If this list begins
with ! (e.g.,
eth0:!192.0.2.8/29,192.0.2.32/29) then only packets
addressed to destinations not
listed will be masqueraded; otherwise (e.g.,
eth0:192.0.2.8/29,192.0.2.32/29), traffic will be
masqueraded if it does match one of
the listed addresses.Beginning with Shorewall version 1.3.14, if you have set
ADD_SNAT_ALIASES=Yes in , you can cause
Shorewall to create an alias label of the form
interfacename:digit (e.g., eth0:0) by placing
that label in this column. See example 5 below. Alias labels created
in this way allow the alias to be visible to the ipconfig utility.
THAT IS THE ONLY THING THAT THIS LABEL IS GOOD
FOR AND IT MAY NOT APPEAR ANYWHERE ELSE IN YOUR SHOREWALL
CONFIGURATION.SUBNETThe subnet that you want to have masqueraded through the
INTERFACE. This may be expressed as a single IP address, a subnet or
an interface name. In the latter instance, the interface must be
configured and started before Shorewall is started as Shorewall will
determine the subnet based on information obtained from the
ip utility.When using Shorewall 1.3.13 or earlier, when an interface
name is specified, Shorewall will only masquerade traffic from the
first subnetwork on the named interface; if the interface
interfaces to more that one subnetwork, you will need to add
additional entries to this file for each of those other
subnetworks. Beginning with Shorewall 1.3.14, shorewall will
masquerade/SNAT traffic from any host that is routed through the
named interface.The subnet may be optionally followed by ! and
a comma-separated list of addresses and/or subnets that are to be
excluded from masquerading.ADDRESSThe source address to be used for outgoing packets. This
column is optional and if left blank, the current primary IP address
of the interface in the first column is used. If you have a static
IP on that interface, listing it here makes processing of output
packets a little less expensive for the firewall. If you specify an
address in this column, it must be an IP address configured on the
INTERFACE or you must have ADD_SNAT_ALIASES enabled in . Beginning with Shorewall version 1.4.6, you may
include a range of IP addresses in this column to indicate that
Netfilter should use the addresses in the range in round-robin
fashion. Beginning with Shorewall version 1.4.7, you may include a
list of ranges and/or addresses in this column; again, Netfilter
will use all listed ranges/addresses in rounde-robin fashion.PROTO (Added in Shorewall version 2.0.2 Beta 1)If specified, must be a protocol number of a protocol name
from /etc/protocols. Restricts the SNAT or Masquerade to that
protocol.PORT(S) (Added in Shorewall version 2.0.2 Beta 1)If the PROTO column specifies TCP (6) or UDP (17) then this
column may be used to restrict to SNAT or Masquerade to traffic with
a certain destination port or a set of destination ports. The column
may contain:A port number or a port name from /etc/services.A comma-separated list of port numbers and/or port names.
Your kernel must have Multiport match support. You can tell if
your kernel has this support by issuing a shorewall
check command and looking at the output under
Shorewall has detected the following iptables/netfilter
capabilities:.A range of port numbers of the form <low
port>:<high
port>You have eth0 connected to a cable modem and eth1 connected to
your local subnetwork 192.168.9.0/24. Your /etc/shorewall/masq file
would look like:#INTERFACE SUBNET ADDRESS
eth0 192.168.9.0/24You have a number of IPSEC tunnels through ipsec0 and you want to
masquerade traffic from your 192.168.9.0/24 subnet to the remote subnet
10.1.0.0/16 only.#INTERFACE SUBNET ADDRESS
ipsec0:10.1.0.0/16 192.168.9.0/24You have a DSL line connected on eth0 and a local network
(192.168.10.0/24) connected to eth1. You want all local->net
connections to use source address 206.124.146.176.#INTERFACE SUBNET ADDRESS
eth0 192.168.10.0/24 206.124.146.176Same as example 3 except that you wish to exclude 192.168.10.44
and 192.168.10.45 from the SNAT rule.#INTERFACE SUBNET ADDRESS
eth0 192.168.10.0/24!192.168.10.44,192.168.10.45 206.124.146.176(Shorewall version >=
1.3.14): You have a second IP address (206.124.146.177)
assigned to you and wish to use it for SNAT of the subnet
192.168.12.0/24. You want to give that address the name eth0:0. You must
have ADD_SNAT_ALIASES=Yes in .#INTERFACE SUBNET ADDRESS
eth0:0 192.168.12.0/24 206.124.146.177(Shorewall version >= 1.4.7):
You want to use both 206.124.146.177 and 206.124.146.179 for SNAT of the
subnet 192.168.12.0/24. Each address will be used on alternate outbound
connections.#INTERFACE SUBNET ADDRESS
eth0 192.168.12.0/24 206.124.146.177,206.124.146.179(Shorewall version >= 2.0.2 Beta
1): You want all outgoing SMTP traffic entering the firewall
on eth1 to be sent from eth0 with source IP address 206.124.146.177. You
want all other outgoing traffic from eth1 to be sent from eth0 with
source IP address 206.124.146.176.#INTERFACE SUBNET ADDRESS PROTO PORT(S)
eth0 eth1 206.124.146.177 tcp 25
eth0 eth1 206.124.146.176Note that the order of the entries in the above example is
important./etc/shorewall/proxyarpIf you want to use proxy ARP on an entire sub-network, I suggest
that you look at the Proxy ARP Subnet
Mini HOWTO. If you decide to use the technique described in that
HOWTO, you can set the proxy_arp flag for an interface
(/proc/sys/net/ipv4/conf/<interface>/proxy_arp)
by including the proxyarp option in the
interface's record in . When using Proxy ARP
sub-netting, you do NOT include any
entries in /etc/shorewall/proxyarp.The /etc/shorewall/proxyarp file is used to
define Proxy ARP. The file is typically
used for enabling Proxy ARP on a small set of systems since you need one
entry in this file for each system using proxy ARP. Columns are:ADDRESSaddress of the system.INTERFACEthe interface that connects to the system. If the interface is
obvious from the subnetting, you may enter - in this
column.EXTERNALthe external interface that you want to honor ARP requests for
the ADDRESS specified in the first column.HAVEROUTEIf you already have a route through INTERFACE to ADDRESS, this
column should contain Yes or yes. If
you want Shorewall to add the route, the column should contain
No or no.PERSISTENTIf you specify "No" or "no" in the HAVEROUTE column, Shorewall
will automatically add a route to the host in the ADDRESS column
through the interface in the INTERFACE column. If you enter
No or no in the PERSISTENT column or
if you leave the column empty, that route will be deleted if you
issue a shorewall stop or shorewall
clear command. If you place Yes or
yes in the PERSISTENT column, then those commands
will not cause the route to be deleted.After you have made a change to the
/etc/shorewall/proxyarp file, you may need to flush
the ARP cache of all routers on the LAN segment connected to the
interface specified in the EXTERNAL column of the change/added entry(s).
If you are having problems communicating between an individual host (A)
on that segment and a system whose entry has changed, you may need to
flush the ARP cache on host A as well.ISPs typically have ARP configured with long TTL (hours!) so if
your ISPs router has a stale cache entry (as seen using tcpdump
-nei <external interface> host <IP addr>), it may
take a long while to time out. I personally have had to contact my ISP
and ask them to delete a stale entry in order to restore a system to
working order after changing my proxy ARP settings.You have public IP addresses 155.182.235.0/28. You configure your
firewall as follows:eth0 - 155.186.235.1 (internet connection) eth1 -
192.168.9.0/24 (masqueraded local systems) eth2 - 192.168.10.1
(interface to your DMZ)In your DMZ, you want to install a Web/FTP server with public
address 155.186.235.4. On the Web server, you subnet just like the
firewall's eth0 and you configure 155.186.235.1 as the default gateway.
In your /etc/shorewall/proxyarp file, you will
have:#ADDRESS INTERFACE EXTERNAL HAVEROUTE
155.186.235.4 eth2 eth0 NOYou may want to configure the servers in your DMZ with a
subnet that is smaller than the subnet of your internet interface.
See the Proxy ARP
Subnet Mini HOWTO for details. In this case you will want to
place Yes in the HAVEROUTE column.Do not use Proxy ARP and FreeS/Wan on the same system unless you
are prepared to suffer the consequences. If you start or restart
Shorewall with an IPSEC tunnel active, the proxied IP addresses are
mistakenly assigned to the IPSEC tunnel device (ipsecX) rather than to
the interface that you specify in the INTERFACE column of
/etc/shorewall/proxyarp. I haven't had the time to
debug this problem so I can't say if it is a bug in the Kernel or in
FreeS/Wan.You might be able to work around
this problem using the following (I haven't tried it):In /etc/shorewall/init, include:qt /etc/init.d/ipsec stopIn /etc/shorewall/start, include:qt /etc/init.d/ipsec start/etc/shorewall/natThe /etc/shorewall/nat file is used to define
one-to-one NAT. There is one entry in the file for each one-to-one NAT
relationship that you wish to define. In order to make use of this
feature, you must have NAT enabled.If all you want to do is forward ports to servers behind your
firewall, you do NOT want to use one-to-one NAT. Port forwarding can be
accomplished with simple entries in the rules
file. Also, in most cases Proxy
ARP provides a superior solution to one-to-one NAT because the
internal systems are accessed using the same IP address internally and
externally.Columns in an entry are:EXTERNALExternal IP addressThis should NOT be the primary IP address of the interface
named in the next column.INTERFACEInterface that you want the EXTERNAL IP address to appear on.
Beginning with Shorewall version 1.3.14, if you have set
ADD_IP_ALIASES=Yes in , you can specify an
alias label of the form interfacename:digit
(e.g., eth0:0) and Shorewall will create the alias with that label.
Alias labels created in this way allow the alias to be visible to
the ipconfig utility. THAT IS THE ONLY THING
THAT THIS LABEL IS GOOD FOR AND IT MAY NOT APPEAR ANYWHERE ELSE IN
YOUR SHOREWALL CONFIGURATION.INTERNALInternal IP address.ALL INTERFACESIf Yes or yes, NAT will be
effective from all hosts. If No or no
(or if left empty) then NAT will be effective only through the
interface named in the INTERFACE column.LOCALIf Yes or yes, NAT will be effective from the firewall system.
Note that with Shorewall 2.0.1 and earlier versions, this column was
ignored if the ALL INTERFACES column did not contain "Yes" or "yes".
Beginning with Shorewall 2.0.2 Beta 1, this column's contents are
independent of the value in ALL INTERFACES.For this to work, you must be running kernel 2.4.19 or later
and iptables 1.2.6a or later and you must have enabled CONFIG_IP_NF_NAT_LOCAL in your
kernel.Look here for additional information and an
example./etc/shorewall/tunnelsThe /etc/shorewall/tunnels file allows you to define IPSec, GRE,
IPIP, OpenVPN, PPTP
and 6to4.tunnels with end-points on your firewall. To use ipsec, you must
install version 1.9, 1.91 or the current FreeS/WAN development
snapshot.For kernels 2.4.4 and above, you will need to use version 1.91 or
a development snapshot as patching with version 1.9 results in kernel
compilation errors.Instructions for setting up IPSEC
tunnels may be found here, instructions for IPIP and GRE tunnels are here, instructions for
OpenVPN tunnels are here, instructions
for PPTP tunnels are here, instructions for
6to4 tunnels are here, and instructions for
integrating Shorewall with other types of
tunnels are here./etc/shorewall/shorewall.confThis file is used to set the following firewall parameters:DYNAMIC_ZONES(Added at version 2.0.2) - When set to Yes or yes, enables
dynamic zones.CONFIG_PATH(Added at version 2.0.2) - Specifies where configuration files
other than shorewall.conf may be found.
CONFIG_PATH is specifies as a list of directory names separated by
colons (":"). When looking for a configuration file other than
shorewall.conf:If the command is "try" or if "-c <configuration
directory>" was specified in the command then the directory
given in the command is searched first.Next, each directory in the CONFIG_PATH setting is
searched in sequence.If CONFIG_PATH is not given or if it is set to the empty value
then the contents of
/usr/share/shorewall/configpath are used. As
released from shorewall.net, that file sets the CONFIG_PATH to
/etc/shorewall:/usr/share/shorewall
but your particular distribution may set it
differently.Note that the setting in
/usr/share/shorewall/configpath is always used
to locate shorewall.conf.PKTTYPE(Added at Version 2.0.6) - Normally Shorewall attempts to use
the iptables packet type match extension to determine broadcast and
multicast packets.This can cause a message to appear during
shorewall start (modprobe: cant locate module
ipt_pkttype).Some users have found problems with the packet match
extension with the result that their firewall log is flooded
with messages relating to broadcast packets.If you are experiencing either of these problems, setting
PKTTYPE=No will prevent Shorewall from trying to use the packet type
match extension and to use IP address matching to determine which
packets are broadcasts or multicasts.RESTOREFILE(Added at version 2.0.3 Beta 1) - The simple name of a file
in /var/lib/shorewall to be used as the default
restore script in the shorewall save, shorewall restore, shorewall
forget and shorewall -f start commands. See the Saved Configuration
documentation for details.BRIDGING(Added at version 2.0.1) - When set to Yes or yes, enables
Shorewall Bridging support.SMURF_LOG_LEVEL(Added at version 2.0.0) - Specifies the logging level for
smurf packets (see the nosmurfs
option in /etc/shorewall/interfaces). If set to
the empty value ( SMURF_LOG_LEVEL="" ) then smurfs are not
logged.MODULE_SUFFIX(Added at version 1.4.9) - The value of this variable
determines the possible file extensions of kernel modules. The
default value is "o gz ko and o.gz". See
for more details.ADMINISABSENTMINDED(Added at version 1.4.7) - The value of this variable affects
Shorewall's stopped
state. When ADMINISABSENTMINDES=No, only traffic to/from
those addresses listed in /etc/shorewall/routestopped is accepted
when Shorewall is stopped.When ADMINISABSENTMINDED=Yes, in addition
to traffic to/from addresses in /etc/shorewall/routestopped,
connections that were active when Shorewall stopped continue to work
and all new connections from the firewall system itself are allowed.
If this variable is not set or is given the empty value then
ADMINISABSENTMINDED=No is assumed.SHOREWALL_SHELL(Added at version 1.4.6) - This parameter is used to specify
the shell program to be used to interpret the firewall script
(/usr/share/shorewall/firewall). If not specified or specified as a
null value, /bin/sh is assumed.LOGFORMAT(Added at version 1.4.4) - The value of this variable generate
the --log-prefix setting for Shorewall logging rules. It contains a
printf formatting template which accepts three
arguments (the chain name, logging rule number (optional) and the
disposition). To use LOGFORMAT with fireparse, set it as:LOGFORMAT="fp=%s:%d a=%s "If the LOGFORMAT value contains the substring
%d then the logging rule number is calculated and
formatted in that position; if that substring is not included then
the rule number is not included. If not supplied or supplied as
empty (LOGFORMAT="") then Shorewall:%s:%s: is
assumed./sbin/shorewall uses the leading part of
the LOGFORMAT string (up to but not including the first
%) to find log messages in the show
log, status and hits
commands. This part should not be omitted (the LOGFORMAT should
not begin with %) and the leading part should be
sufficiently unique for /sbin/shorewall to
identify Shorewall messages.CLEAR_TC(Added at version 1.3.13) - If this option is set to
No then Shorewall won't clear the current traffic
control rules during [re]start. This setting is intended for use by
people that prefer to configure traffic shaping when the network
interfaces come up rather than when the firewall is started. If that
is what you want to do, set TC_ENABLED=Yes and CLEAR_TC=No and do
not supply an /etc/shorewall/tcstart file. That
way, your traffic shaping rules can still use the
fwmark classifier based on packet marking defined in
/etc/shorewall/tcrules. If not specified, CLEAR_TC=Yes is
assumed.MARK_IN_FORWARD_CHAIN(Added at version 1.3.12) - If your kernel has a FORWARD chain
in the mangle table, you may set MARK_IN_FORWARD_CHAIN=Yes to cause
the marking specified in the tcrules file to occur in
that chain rather than in the PREROUTING chain. This permits you to
mark inbound traffic based on its destination address when SNAT or
Masquerading are in use. To determine if your kernel has a FORWARD
chain in the mangle table, use the /sbin/shorewall
show mangle command; if a FORWARD chain is
displayed then your kernel will support this option. If this option
is not specified or if it is given the empty value (e.g.,
MARK_IN_FORWARD_CHAIN="") then MARK_IN_FORWARD_CHAIN=No is
assumed.RFC1918_LOG_LEVEL(Added at version 1.3.12) - This parameter determines the
level at which packets logged under the norfc1918 mechanism are
logged. The value must be a valid syslog level and if no level is
given, then info is assumed. Prior to Shorewall version 1.3.12,
these packets are always logged at the info level.BOGON_LOG_LEVEL(Added at version 2.0.1) - This parameter determines the level
at which packets logged under the nobogons mechanism are
logged. The value must be a valid syslog level and if no level is
given, then info is assumed.TCP_FLAGS_DISPOSITION(Added in Version 1.3.11) - Determines the disposition of TCP
packets that fail the checks enabled by the tcpflags interface option and must have
a value of ACCEPT (accept the packet), REJECT (send an RST response)
or DROP (ignore the packet). If not set or if set to the empty value
(e.g., TCP_FLAGS_DISPOSITION="") then TCP_FLAGS_DISPOSITION=DROP is
assumed.TCP_FLAGS_LOG_LEVEL(Added in Version 1.3.11) - Determines the syslog level for logging
packets that fail the checks enabled by the tcpflags interface option.The value must
be a valid syslogd log level. If you don't want to log these
packets, set to the empty value (e.g.,
TCP_FLAGS_LOG_LEVEL="").MACLIST_DISPOSITION(Added in Version 1.3.10) - Determines the disposition of
connections requests that fail MAC
Verification and must have the value ACCEPT (accept the
connection request anyway), REJECT (reject the connection request)
or DROP (ignore the connection request). If not set or if set to the
empty value (e.g., MACLIST_DISPOSITION="") then
MACLIST_DISPOSITION=REJECT is assumed.MACLIST_LOG_LEVEL(Added in Version 1.3.10) - Determines the syslog level for logging
connection requests that fail MAC
Verification. The value must be a valid syslogd log level.
If you don't want to log these connection requests, set to the empty
value (e.g., MACLIST_LOG_LEVEL="").NEWNOTSYN(Added in Version 1.3.8) - When set to Yes or
yes, Shorewall will filter TCP packets that are not
part of an established connention and that are not SYN packets (SYN
flag on - ACK flag off). If set to No, Shorewall will
silently drop such packets. If not set or set to the empty value
(e.g., NEWNOTSYN=), NEWNOTSYN=No is assumed.If you have a HA setup with failover to another firewall, you
should have NEWNOTSYN=Yes on both firewalls. You should also select
NEWNOTSYN=Yes if you have asymmetric routing.LOGNEWNOTSYN(Added in Version 1.3.6) - Beginning with version 1.3.6,
Shorewall drops non-SYN TCP packets that are not part of an existing
connection. If you would like to log these packets, set LOGNEWNOTSYN
to the syslog level at
which you want the packets logged. Example:
LOGNEWNOTSYN=ULOG|Packets logged under this option are usually the result of
broken remote IP stacks rather than the result of any sort of
attempt to breach your firewall.DETECT_DNAT_ADDRS(Added in Version 1.3.4) - If set to Yes or
yes, Shorewall will detect the first IP address of
the interface to the source zone and will include this address in
DNAT rules as the original destination IP address. If set to
No or no, Shorewall will not detect
this address and any destination IP address will match the DNAT
rule. If not specified or empty,
DETECT_DNAT_ADDRS=Yes is assumed.NAT_BEFORE_RULESIf set to No or no, port
forwarding rules can override the contents of the file. If set to Yes or
yes, port forwarding rules cannot override one-to-one
NAT. If not set or set to an empty value, Yes is
assumed.FWThis parameter specifies the name of the firewall zone. If not
set or if set to an empty string, the value fw is
assumed.SUBSYSLOCKThis parameter should be set to the name of a file that the
firewall should create if it starts successfully and remove when it
stops. Creating and removing this file allows Shorewall to work with
your distribution's initscripts. For RedHat, this should be set to
/var/lock/subsys/shorewall. For Debian, the value is
/var/state/shorewall and in LEAF it is /var/run/shorwall. Example:
SUBSYSLOCK=/var/lock/subsys/shorewall.STATEDIRThis parameter specifies the name of a directory where
Shorewall stores state information. If the directory doesn't exist
when Shorewall starts, it will create the directory. Example:
STATEDIR=/tmp/shorewall.If you change the STATEDIR variable while the firewall is
running, create the new directory if necessary then copy the
contents of the old directory to the new directory.MODULESDIRThis parameter specifies the directory where your kernel
netfilter modules may be found. If you leave the variable empty,
Shorewall will supply the value "/lib/modules/`uname
-r`/kernel/net/ipv4/netfilter.LOGRATE and LOGBURSTThese parameters set the match rate and initial burst size for
logged packets. Please see the iptables man page for a description
of the behavior of these parameters (the iptables option --limit is
set by LOGRATE and --limit-burst is set by LOGBURST). If both
parameters are set empty, no rate-limiting will occur.LOGRATE=10/minute
LOGBURST=5For each logging rule, the first time the rule is reached,
the packet will be logged; in fact, since the burst is 5, the
first five packets will be logged. After this, it will be 6
seconds (1 minute divided by the rate of 10) before a message will
be logged from the rule, regardless of how many packets reach it.
Also, every 6 seconds which passes without matching a packet, one
of the bursts will be regained; if no packets hit the rule for 30
seconds, the burst will be fully recharged; back where we
started.LOGFILEThis parameter tells the /sbin/shorewall program where to look
for Shorewall messages when processing the show log,
monitor, status and
hits commands. If not assigned or if assigned an
empty value, /var/log/messages is assumed.IP_FORWARDINGThis parameter determines whether Shorewall enables or
disables IPV4 Packet Forwarding (/proc/sys/net/ipv4/ip_forward).
Possible values are:On or onpacket forwarding will be enabled.Off or offpacket forwarding will be disabled.Keep or keepShorewall will neither enable nor disable packet
forwarding.If this variable is not set or is given an empty value
(IP_FORWARD="") then IP_FORWARD=On is assumed.ADD_IP_ALIASESThis parameter determines whether Shorewall automatically adds
the external address(es) in . If the variable is set to Yes or
yes then Shorewall automatically adds these aliases.
If it is set to No or no, you must add
these aliases yourself using your distribution's network
configuration tools.If this variable is not set or is given an empty value
(ADD_IP_ALIASES="") then ADD_IP_ALIASES=Yes is assumed.ADD_SNAT_ALIASESThis parameter determines whether Shorewall automatically adds
the SNAT ADDRESS in . If
the variable is set to Yes or yes then
Shorewall automatically adds these addresses. If it is set to
No or no, you must add these addresses
yourself using your distribution's network configuration
tools.If this variable is not set or is given an empty value
(ADD_SNAT_ALIASES="") then ADD_SNAT_ALIASES=No is assumed.LOGUNCLEANThis parameter determines the logging level of mangled/invalid
packets controlled by the dropunclean and logunclean
interface options. If LOGUNCLEAN is empty (LOGUNCLEAN=) then packets
selected by dropclean are dropped silently
(logunclean packets are logged under the
info log level). Otherwise, these packets are logged
at the specified level (Example: LOGUNCLEAN=debug).BLACKLIST_DISPOSITIONThis parameter determines the disposition of packets from
blacklisted hosts. It may have the value DROP if the packets are to
be dropped or REJECT if the packets are to be replied with an ICMP
port unreachable reply or a TCP RST (tcp only). If you do not assign
a value or if you assign an empty value then DROP is assumed.BLACKLIST_LOGLEVELThis paremter determines if packets from blacklisted hosts are
logged and it determines the syslog level that they are to be logged
at. Its value is a syslog
level (Example: BLACKLIST_LOGLEVEL=debug). If you do not
assign a value or if you assign an empty value then packets from
blacklisted hosts are not logged.CLAMPMSSThis parameter enables the TCP Clamp MSS to PMTU feature of
Netfilter and is usually required when your internet connection is
through PPPoE or PPTP. If set to Yes or
yes, the feature is enabled. If left blank or set to
No or no, the feature is not
enabled.This option requires CONFIG_IP_NF_TARGET_TCPMSS in your kernel.ROUTE_FILTERIf this parameter is given the value Yes or
yes then route filtering (anti-spoofing) is enabled
on all network interfaces which are brought up while Shorewall is in
the started state. The default value is no./etc/shorewall/modules ConfigurationThe file /etc/shorewall/modules contains
commands for loading the kernel modules required by Shorewall-defined
firewall rules. Shorewall will source this file during start/restart
provided that it exists and that the directory specified by the MODULESDIR
parameter exists (see above).The file that is released with Shorewall calls the Shorewall
function loadmodule for the set of modules that I
load.The loadmodule function is called as
follows:loadmodule <modulename> [ <module parameters> ]where<modulename>is the name of the modules without the trailing
.o (example ip_conntrack).<module parameters>Optional parameters to the insmod utility.The function determines if the module named by
<modulename> is already loaded and if not then
the function determines if the .o file corresponding to the
module exists in the <moduledirectory>; if so,
then the following command is executed:insmod <moduledirectory>/<modulename>.o <module parameters>If the file doesn't exist, the function determines of the
.o.gz file corresponding to the module exists in the
moduledirectory. If it does, the function assumes
that the running configuration supports compressed modules and execute the
following command:insmod <moduledirectory>/<modulename>.o.gz <module parameters>Beginning with the 1.4.9 Shorewall release, the value of the
MODULE_SUFFIX option in determines which files the loadmodule function
looks for if the named module doesn't exist. For each file
<extension> listed in MODULE_SUFFIX (default "o
gz ko o.gz"), the function will append a period (".") and the extension
and if the resulting file exists then the following command will be
executed:insmod moduledirectory/<modulename>.<extension> <module parameters>/etc/shorewall/tos ConfigurationThe /etc/shorewall/tos file allows you to set
the Type of Service field in packet headers based on packet source, packet
destination, protocol, source port and destination port. In order for this
file to be processed by Shorewall, you must have mangle support
enabled.Entries in the file have the following columns:SOURCEThe source zone. May be qualified by following the zone name
with a colon (:) and either an IP address, an IP
subnet, a MAC address in Shorewall Format
or the name of an interface. This column may also contain the name
of the firewall zone to indicate packets originating on the firewall
itself or all to indicate any source.DESTThe destination zone. May be qualified by following the zone
name with a colon (:) and either an IP address or an
IP subnet. Because packets are marked prior to routing, you may not
specify the name of an interface. This column may also contain
all to indicate any destination.PROTOCOLThe name of a protocol in /etc/protocols
or the protocol's number.SOURCE PORT(S)The source port or a port range. For all ports, place a hyphen
(-) in this column.DEST PORT(S)The destination port or a port range. To indicate all ports,
place a hyphen (-) in this column.TOSThe type of service. Must be one of the following:Minimize-Delay (16)Maximize-Throughput (8)Maximize-Reliability (4)Minimize-Cost (2)Normal-Service (0)/etc/shorewall/tos file that is included with
Shorewall#SOURCE DEST PROTOCOL SOURCE PORTS(S) DEST PORTS(S) TOS
all all tcp - ssh 16
all all tcp ssh - 16
all all tcp - ftp 16
all all tcp ftp - 16
all all tcp - ftp-data 8
all all tcp ftp-data - 8Users have reported that odd routing problems result from adding
the ESP and AH protocols to the /etc/shorewall/tos
file./etc/shorewall/blacklistEach line in /etc/shorewall/blacklist contains
an IP address, a MAC address in Shorewall Format or subnet address.130.252.100.69
206.124.146.0/24Packets from hosts listed in the
blacklist file will be disposed of according to the value assigned to the
BLACKLIST_DISPOSITION and BLACKLIST_LOGLEVEL variables in
/etc/shorewall/shorewall.conf. Only packets arriving on interfaces that
have the blacklist option
in /etc/shorewall/interfaces are checked against the
blacklist. The black list is designed to prevent listed hosts/subnets from
accessing services on your
network.Beginning with Shorewall 1.3.8, the blacklist file has three
columns:ADDRESS/SUBNETAs described above.PROTOCOLOptional. If specified, only packets specifying this protocol
will be blocked.PORTSOptional; may only be given if PROTOCOL is tcp, udp or icmp.
Expressed as a comma-separated list of port numbers or service names
(from /etc/services). If present, only packets destined for the
specified protocol and one of the listed ports are blocked. When the
PROTOCOL is icmp, the PORTS column contains a comma-separated list
of ICMP type numbers or names (see iptables -h
icmp).Shorewall also has a dynamic
blacklist capability.The Shorewall blacklist file is NOT designed to police your users' web browsing
-- to do that, I suggest that you install and configure Squid with SquidGuard./etc/shorewall/rfc1918 — Moved to /usr/share/shorewall in Version
2.0.0This file lists the subnets affected by the norfc1918 interface option. Columns in the
file are:SUBNETThe subnet using VLSM notation (e.g., 192.168.0.0/16).TARGETWhat to do with packets to/from the SUBNET:RETURNProcess the packet normally thru the rules and
policies.DROPSilently drop the packet.logdropLog then drop the packet -- see the RFC1918_LOG_LEVEL parameter
above.If you want to modify this file, DO NOT MODIFY
/usr/share/shorewall/rfc1918. Rather copy that file
to /etc/shorewall/rfc1918 and modify the copy./usr/share//shorewall/bogons — Added in Version 2.0.1This file lists the subnets affected by the nobogons interface option and nobogons hosts option. Columns in the file
are:SUBNETThe subnet using VLSM notation (e.g., 192.168.0.0/16).TARGETWhat to do with packets to/from the SUBNET:RETURNProcess the packet normally thru the rules and
policies.DROPSilently drop the packet.logdropLog then drop the packet -- see the BOGONS_LOG_LEVEL parameter above.If you want to modify this file, DO NOT MODIFY
/usr/share/shorewall/bogons. Rather copy that file to
/etc/shorewall/bogons and modify the copy./etc/shorewall/netmap (Added in Version 2.0.1)Network mapping is defined using the
/etc/shorewall/netmap file. Columns in this file
are:TYPEMust be DNAT or SNAT.If DNAT, traffic entering INTERFACE and addressed to NET1 has
it's destination address rewritten to the corresponding address in
NET2.If SNAT, traffic leaving INTERFACE with a source address in
NET1 has it's source address rewritten to the corresponding address
in NET2.NET1Must be expressed in CIDR format (e.g.,
192.168.1.0/24).INTERFACEA firewall interface. This interface must have been defined in
/etc/shorewall/interfaces.NET2A second network expressed in CIDR format.For more information, see the Network
Mapping documentation./etc/shorewall/routestopped (Added in Version 1.3.4)This file defines the hosts that are accessible from the firewall
when the firewall is stopped. Columns in the file are:INTERFACEThe firewall interface through which the host(s) comminicate
with the firewall.HOST(S) - (Optional)A comma-separated list of IP/Subnet addresses. If not supplied
or supplied as - then 0.0.0.0/0 is assumed.When your firewall is stopped, you want firewall accessibility
from local hosts 192.168.1.0/24 and from your DMZ. Your DMZ interfaces
through eth1 and your local hosts through eth2.#INTERFACE HOST(S)
eth2 192.168.1.0/24
eth1 -/etc/shorewall/maclist (Added in Version 1.3.10)This file is described in the MAC
Validation Documentation./etc/shorewall/ecn (Added in Version 1.4.0)This file is described in the ECN Control
Documentation./etc/shorewall/accountingThis file is described in the Traffic
Accounting Documentation./etc/shorewall/ipsec (Added in Version 2.1.6)This file is used to identify the Security Associations used to
encrypt traffic to hosts in a zone and to decrypt traffic from hosts in a
zone. Columns are:ZONEThe name of a zone defined in /etc/shorewall/zones.IPSECYes - All traffic to/from this zone is encrypted.No - Only traffic to/from some of the hosts in this zone
is encrypted. Those encrypted hosts are designated using the
ipsec option in /etc/shorewall/hosts. OPTIONS, IN OPTIONS, OUT OPTIONSOptional parameters that identify the security policy and
security associations used in communication with hosts in this zone.
A comma-separated list of the following:proto=ah|esp|ipcompmode=transport|tunnelreqid=<number> —
A number assiged to a security policy using the
unique:<number> as the SPD level. See setkey(8).tunnel-src=<address>[/<mask>]
— Tunnel Source; may only be included with mode=tunnel. Since
tunnel source and destination are dependent on the direction of
the traffic, this option and the following one should only be
included in the IN OPTIONS and OUT OPTIONS columns.tunnel-dst=<address>[/<mask>]
— Tunnel Destination; may only be included with
mode=tunnel.spi=<number> —
The security parameter index of the Security Association. Since a
different SA is used for incoming and outgoing traffic, this
option should only be listed in the IN OPTIONS and OUT OPTIONS
columns.strict — Must be
specified when SPD rules are used (e.g., esp encapsulated with
ah).next — Separates rules
when strict is used.See the IPSEC with 2.6 Kernel
documentation for further information.Revision History1.182004-08-22TEAdd /etc/shorewall/ipsec documentation.1.172004-04-05TEUpdate for Shorewall 2.0.21.162004-03-17TEClarified LOGBURST and LOGLIMIT.1.152004-02-16TEMove the rfc1918 file to
/usr/share/shorewall.1.142004-02-13TEAdd a note about the order of rules.1.132004-02-03TEUpdate for Shorewall 2.0.1.122004-01-21TEAdd masquerade destination list.1.122004-01-18TECorrect typo.1.112004-01-05TEStandards Compliance1.102004-01-05TEImproved formatting of DNAT- and REDIRECT- for
clarity1.92003-12-25MNInitial Docbook Conversion Complete