mirror of
https://gitlab.com/shorewall/code.git
synced 2024-11-21 15:13:10 +01:00
c93817f30b
The invariant sections clause doesn't quite match the official text. It should read: with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts not: with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
727 lines
30 KiB
XML
727 lines
30 KiB
XML
<?xml version="1.0" encoding="UTF-8"?>
|
|
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
|
|
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
|
|
<article id="standalone">
|
|
<!--$Id$-->
|
|
|
|
<articleinfo>
|
|
<title>Standalone Firewall</title>
|
|
|
|
<authorgroup>
|
|
<author>
|
|
<firstname>Tom</firstname>
|
|
|
|
<surname>Eastep</surname>
|
|
</author>
|
|
</authorgroup>
|
|
|
|
<pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
|
|
|
|
<copyright>
|
|
<year>2002-2009</year>
|
|
|
|
<holder>Thomas M. Eastep</holder>
|
|
</copyright>
|
|
|
|
<legalnotice>
|
|
<para>Permission is granted to copy, distribute and/or modify this
|
|
document under the terms of the GNU Free Documentation License, Version
|
|
1.2 or any later version published by the Free Software Foundation; with
|
|
no Invariant Sections, no Front-Cover Texts, and no Back-Cover
|
|
Texts. A copy of the license is included in the section entitled
|
|
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
|
|
License</ulink></quote>.</para>
|
|
</legalnotice>
|
|
</articleinfo>
|
|
|
|
<caution>
|
|
<para><emphasis role="bold">This article applies to Shorewall 4.4 and
|
|
later. If you are running a version of Shorewall earlier than Shorewall
|
|
4.4.0 then please see the documentation for that
|
|
release.</emphasis></para>
|
|
</caution>
|
|
|
|
<section id="Introduction">
|
|
<title>Introduction</title>
|
|
|
|
<para>Setting up Shorewall on a standalone Linux system is very easy if
|
|
you understand the basics and follow the documentation.</para>
|
|
|
|
<para>This guide doesn't attempt to acquaint you with all of the features
|
|
of Shorewall. It rather focuses on what is required to configure Shorewall
|
|
in one of its most common configurations:</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>Linux system</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Single external <acronym>IP</acronym> address</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Connection through Cable Modem, <acronym>DSL</acronym>,
|
|
<acronym>ISDN</acronym>, Frame Relay, dial-up... or connected to a
|
|
<acronym>LAN</acronym> and you simply wish to protect your Linux
|
|
system from other systems on that <acronym>LAN</acronym>.</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
|
|
<section id="System">
|
|
<title>System Requirements</title>
|
|
|
|
<para>Shorewall requires that you have the
|
|
<command>iproute</command>/<command>iproute2</command> package installed
|
|
(on<trademark> RedHat</trademark>, the package is called
|
|
<command>iproute</command>). You can tell if this package is installed
|
|
by the presence of an <command>ip</command> program on your firewall
|
|
system. As root, you can use the <command>which</command> command to
|
|
check for this program:</para>
|
|
|
|
<programlisting>[root@gateway root]# <command>which ip</command>
|
|
/sbin/ip
|
|
[root@gateway root]#</programlisting>
|
|
</section>
|
|
|
|
<section id="Before">
|
|
<title>Before you start</title>
|
|
|
|
<para>I recommend that you read through the guide first to familiarize
|
|
yourself with what's involved then go back through it again making your
|
|
configuration changes.</para>
|
|
|
|
<caution>
|
|
<para>If you edit your configuration files on a
|
|
<trademark>Windows</trademark> system, you must save them as
|
|
<trademark>Unix</trademark> files if your editor supports that option
|
|
or you must run them through <command>dos2unix</command> before trying
|
|
to use them. Similarly, if you copy a configuration file from your
|
|
<trademark>Windows</trademark> hard drive to a floppy disk, you must
|
|
run <command>dos2unix</command> against the copy before using it with
|
|
Shorewall. <itemizedlist>
|
|
<listitem>
|
|
<para><ulink
|
|
url="http://www.sourceforge.net/projects/dos2unix"><trademark>Windows</trademark>
|
|
Version of <command>dos2unix</command></ulink></para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para><ulink
|
|
url="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux
|
|
Version of <command>dos2unix</command></ulink></para>
|
|
</listitem>
|
|
</itemizedlist></para>
|
|
</caution>
|
|
</section>
|
|
|
|
<section id="Conventions">
|
|
<title>Conventions</title>
|
|
|
|
<para>Points at which configuration changes are recommended are flagged
|
|
with <inlinegraphic fileref="images/BD21298_.gif" format="GIF"/>.</para>
|
|
|
|
<para>Configuration notes that are unique to Debian and it's derivatives
|
|
are marked with <inlinegraphic fileref="images/openlogo-nd-25.png"
|
|
format="GIF"/>.</para>
|
|
</section>
|
|
</section>
|
|
|
|
<section id="PPTP">
|
|
<title>PPTP/ADSL</title>
|
|
|
|
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
|
|
|
|
<para>If you have an <acronym>ADSL</acronym> Modem and you use
|
|
<acronym>PPTP</acronym> to communicate with a server in that modem, you
|
|
must make the changes recommended <ulink
|
|
url="PPTP.htm#PPTP_ADSL">here</ulink> in addition to those detailed below.
|
|
<acronym>ADSL</acronym> with <acronym>PPTP</acronym> is most commonly
|
|
found in Europe, notably in Austria.</para>
|
|
</section>
|
|
|
|
<section id="Concepts">
|
|
<title>Shorewall Concepts</title>
|
|
|
|
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
|
|
|
|
<para>The configuration files for Shorewall are contained in the directory
|
|
<filename class="directory">/etc/shorewall</filename> -- for simple
|
|
setups, you only need to deal with a few of these as described in this
|
|
guide. After you have <ulink url="Install.htm">installed
|
|
Shorewall</ulink>, you can find the Samples as follows:</para>
|
|
|
|
<orderedlist>
|
|
<listitem>
|
|
<para>If you installed using an <acronym>RPM</acronym>, the samples
|
|
will be in the <filename
|
|
class="directory">Samples/one-interface</filename> subdirectory of the
|
|
Shorewall documentation directory. If you don't know where the
|
|
Shorewall documentation directory is, you can find the samples using
|
|
this command:</para>
|
|
|
|
<programlisting>~# rpm -ql shorewall | fgrep one-interface
|
|
/usr/share/doc/packages/shorewall/Samples/one-interface
|
|
/usr/share/doc/packages/shorewall/Samples/one-interface/interfaces
|
|
/usr/share/doc/packages/shorewall/Samples/one-interface/policy
|
|
/usr/share/doc/packages/shorewall/Samples/one-interface/rules
|
|
/usr/share/doc/packages/shorewall/Samples/one-interface/zones
|
|
~#</programlisting>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>If you installed using the tarball, the samples are in the
|
|
<filename class="directory">Samples/one-interface</filename> directory
|
|
in the tarball.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para><graphic align="left" fileref="images/openlogo-nd-25.png"/>If
|
|
you installed using a Shorewall 4.x .deb, the samples are in <emphasis
|
|
role="bold"><filename
|
|
class="directory">/usr/share/doc/shorewall/examples/one-interface</filename>..</emphasis>
|
|
You do not need the shorewall-doc package to have access to the
|
|
samples.</para>
|
|
</listitem>
|
|
</orderedlist>
|
|
|
|
<warning>
|
|
<para><emphasis role="bold">Note to Debian Users</emphasis></para>
|
|
|
|
<para>You will find that your <filename
|
|
class="directory">/etc/shorewall</filename> directory is empty. This is
|
|
intentional. If you need configuration files other than those found in
|
|
<emphasis role="bold"><filename
|
|
class="directory">/usr/share/doc/shorewall/examples/one-interface</filename>,
|
|
</emphasis> they may be found on your system in the directory <filename
|
|
class="directory">/usr/share/doc/shorewall/default-config</filename>.
|
|
Simply copy the files you need from that directory to <filename
|
|
class="directory">/etc/shorewall</filename> and modify the
|
|
copies.</para>
|
|
</warning>
|
|
|
|
<para>As each file is introduced, I suggest that you look at the actual
|
|
file on your system and that you look at the <ulink
|
|
url="configuration_file_basics.htm#Manpages">man page</ulink> for that
|
|
file. For example, to look at the man page for the
|
|
<filename>/etc/shorewall/zones</filename> file, type <command>man
|
|
shorewall-zones</command> at a shell prompt.</para>
|
|
|
|
<para>Note: Beginning with Shorewall 4.4.20.1, there are versions of the
|
|
sample files that are annotated with the corresponding manpage contents.
|
|
These files have names ending in '.annotated'. You might choose to look at
|
|
those files instead.</para>
|
|
|
|
<para>Shorewall views the network where it is running as being composed of
|
|
a set of <emphasis>zones</emphasis>. In the one-interface sample
|
|
configuration, only two zones are defined:</para>
|
|
|
|
<programlisting>#ZONE TYPE OPTIONS IN OUT
|
|
# OPTIONS OPTIONS
|
|
fw firewall
|
|
net ipv4</programlisting>
|
|
|
|
<para>Shorewall zones are defined in <ulink
|
|
url="manpages/shorewall-zones.html"><filename>/etc/shorewall/zones</filename></ulink>.</para>
|
|
|
|
<para>Note that Shorewall recognizes the firewall system as its own zone.
|
|
When the <filename>/etc/shorewall/zones</filename> file is processed, the
|
|
name of the firewall zone (<quote>fw</quote> in the above example) is
|
|
stored in the shell variable <firstterm>$FW</firstterm> which may be used
|
|
to refer to the firewall zone throughout the Shorewall
|
|
configuration.</para>
|
|
|
|
<para>Rules about what traffic to allow and what traffic to deny are
|
|
expressed in terms of zones.</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>You express your default policy for connections from one zone to
|
|
another zone in the <ulink
|
|
url="manpages/shorewall-policy.html"><filename>/etc/shorewall/policy</filename></ulink>
|
|
file.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>You define exceptions to those default policies in the <ulink
|
|
url="manpages/shorewall-rules.html"><filename>/etc/shorewall/rules</filename></ulink>
|
|
file.</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
|
|
<para>For each connection request entering the firewall, the request is
|
|
first checked against the
|
|
<filename><filename>/etc/shorewall/rules</filename></filename> file. If no
|
|
rule in that file matches the connection request then the first policy in
|
|
<filename>/etc/shorewall/policy</filename> that matches the request is
|
|
applied. If there is a <ulink url="shorewall_extension_scripts.htm">common
|
|
action</ulink> defined for the policy in
|
|
<filename>/etc/shorewall/actions</filename> or
|
|
<filename>/usr/share/shorewall/actions.std</filename> then that action is
|
|
performed before the policy is applied. The purpose of the common action
|
|
is two-fold:</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>It silently drops or rejects harmless common traffic that would
|
|
otherwise clutter up your log — Broadcasts for example.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>If ensures that traffic critical to correct operation is allowed
|
|
through the firewall — ICMP <emphasis>fragmentation-needed</emphasis>
|
|
for example.</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
|
|
<para>The <filename>/etc/shorewall/policy</filename> file included with
|
|
the one-interface sample has the following policies:</para>
|
|
|
|
<programlisting>#SOURCE DEST POLICY LOGLEVEL LIMIT
|
|
$FW net ACCEPT
|
|
net all DROP info
|
|
all all REJECT info</programlisting>
|
|
|
|
<para>The above policy will:</para>
|
|
|
|
<orderedlist>
|
|
<listitem>
|
|
<para>allow all connection requests from the firewall to the
|
|
Internet</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>drop (ignore) all connection requests from the Internet to your
|
|
firewall</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>reject all other connection requests (Shorewall requires this
|
|
catchall policy).</para>
|
|
</listitem>
|
|
</orderedlist>
|
|
|
|
<para>The word <firstterm>info</firstterm> in the LOG LEVEL column for the
|
|
last two policies indicates that packets dropped or rejected under those
|
|
policies should be <ulink url="shorewall_logging.html">logged at that
|
|
level</ulink>.</para>
|
|
|
|
<para>At this point, edit your <filename>/etc/shorewall/policy</filename>
|
|
and make any changes that you wish.</para>
|
|
</section>
|
|
|
|
<section id="External">
|
|
<title>External Interface</title>
|
|
|
|
<para>The firewall has a single network interface. Where Internet
|
|
connectivity is through a cable or <acronym>DSL</acronym>
|
|
<quote>Modem</quote>, the <emphasis>External Interface</emphasis> will be
|
|
the Ethernet adapter (<filename class="devicefile">eth0</filename>) that
|
|
is connected to that <quote>Modem</quote> <emphasis
|
|
role="underline">unless</emphasis> you connect via
|
|
<emphasis>Point-to-Point Protocol over Ethernet</emphasis>
|
|
(<acronym>PPPoE</acronym>) or <emphasis>Point-to-Point Tunneling
|
|
Protocol</emphasis> (<acronym>PPTP</acronym>) in which case the External
|
|
Interface will be a <acronym>PPP</acronym> interface (e.g., <filename
|
|
class="devicefile">ppp0</filename>). If you connect via a regular modem,
|
|
your External Interface will also be <filename
|
|
class="devicefile">ppp0</filename>. If you connect using
|
|
<acronym>ISDN</acronym>, your external interface will be <filename
|
|
class="devicefile">ippp0</filename>.</para>
|
|
|
|
<caution>
|
|
<para>Be sure you know which interface is your external interface. Many
|
|
hours have been spent floundering by users who have configured the wrong
|
|
interface. If you are unsure, then as root type <command>ip route
|
|
ls</command> at the command line. The device listed in the last
|
|
(default) route should be your external interface.</para>
|
|
|
|
<para>Example:</para>
|
|
|
|
<programlisting>root@lists:~# ip route ls
|
|
192.168.2.2 dev tun0 proto kernel scope link src 192.168.2.1
|
|
10.13.10.0/24 dev tun1 scope link
|
|
192.168.2.0/24 via 192.168.2.2 dev tun0
|
|
206.124.146.0/24 dev eth0 proto kernel scope link src 206.124.146.176
|
|
10.10.10.0/24 dev tun1 scope link
|
|
default via 206.124.146.254 dev <emphasis role="bold">eth0</emphasis>
|
|
root@lists:~# </programlisting>
|
|
|
|
<para>In that example, <filename class="devicefile">eth0</filename> is
|
|
the external interface.</para>
|
|
</caution>
|
|
|
|
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
|
|
|
|
<para>The Shorewall one-interface sample configuration assumes that the
|
|
external interface is <filename class="devicefile">eth0</filename>. If
|
|
your configuration is different, you will have to modify the sample
|
|
<filename>/etc/shorewall/interfaces</filename> file accordingly. While you
|
|
are there, you may wish to review the list of options that are specified
|
|
for the interface. Some hints:</para>
|
|
|
|
<tip>
|
|
<para>If your external interface is <filename
|
|
class="devicefile">ppp0</filename> or <filename
|
|
class="devicefile">ippp0</filename> or if you have a static IP address,
|
|
you can remove <quote>dhcp</quote> from the option list.</para>
|
|
</tip>
|
|
</section>
|
|
|
|
<section id="Addresses">
|
|
<title>IP Addresses</title>
|
|
|
|
<para>Before going further, we should say a few words about
|
|
<emphasis>Internet Protocol</emphasis> (<acronym>IP</acronym>) addresses.
|
|
Normally, your <emphasis>Internet Service Provider</emphasis>
|
|
(<acronym>ISP</acronym>) will assign you a single <acronym>IP</acronym>
|
|
address. That address can be assigned statically, by the <emphasis>Dynamic
|
|
Host Configuration Protocol</emphasis> (<acronym>DHCP</acronym>), through
|
|
the establishment of your dial-up connection, or during establishment of
|
|
your other type of <acronym>PPP</acronym> (<acronym>PPPoA</acronym>,
|
|
<acronym>PPPoE</acronym>, etc.) connection.</para>
|
|
|
|
<para><emphasis role="bold">RFC-1918</emphasis> reserves several
|
|
<emphasis>Private</emphasis> <acronym>IP</acronym> address ranges for use
|
|
in private networks:</para>
|
|
|
|
<programlisting>10.0.0.0 - 10.255.255.255
|
|
172.16.0.0 - 172.31.255.255
|
|
192.168.0.0 - 192.168.255.255</programlisting>
|
|
|
|
<para>These addresses are sometimes referred to as
|
|
<emphasis>non-routable</emphasis> because the Internet backbone routers
|
|
will not forward a packet whose destination address is reserved by
|
|
<emphasis role="bold">RFC-1918</emphasis>. In some cases though,
|
|
<acronym>ISP</acronym>s are assigning these addresses then using
|
|
<emphasis>Network Address Translation</emphasis> <emphasis>-
|
|
</emphasis><acronym>NAT</acronym>) to rewrite packet headers when
|
|
forwarding to/from the Internet.</para>
|
|
</section>
|
|
|
|
<section id="Logging">
|
|
<title>Logging</title>
|
|
|
|
<para>Shorewall does not maintain a log itself but rather relies on your
|
|
<ulink url="shorewall_logging.html">system's logging
|
|
configuration</ulink>. The following <ulink
|
|
url="manpages/shorewall.html">commands</ulink> rely on knowing where
|
|
Netfilter messages are logged:</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para><command>shorewall show log</command> (Displays the last 20
|
|
Netfilter log messages)</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para><command>shorewall logwatch</command> (Polls the log at a
|
|
settable interval</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para><command>shorewall dump</command> (Produces an extensive report
|
|
for inclusion in Shorewall problem reports)</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
|
|
<para>It is important that these commands work properly because when you
|
|
encounter connection problems when Shorewall is running, the first thing
|
|
that you should do is to look at the Netfilter log; with the help of
|
|
<ulink url="FAQ.htm#faq17">Shorewall FAQ 17</ulink>, you can usually
|
|
resolve the problem quickly.</para>
|
|
|
|
<para>The Netfilter log location is distribution-dependent:</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>Debian and its derivatives log Netfilter messages to
|
|
<filename>/var/log/kern.log</filename>.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Recent <trademark>SuSE/OpenSuSE</trademark> releases come
|
|
preconfigured with syslog-ng and log netfilter messages to
|
|
<filename>/var/log/firewall</filename>.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>For other distributions, Netfilter messages are most commonly
|
|
logged to <filename>/var/log/messages</filename>.</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
|
|
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
|
|
|
|
<para>If you are running a distribution that logs Netfilter messages to a
|
|
log other than <filename>/var/log/messages</filename>, then modify the
|
|
LOGFILE setting in <filename>/etc/shorewall/shorewall.conf</filename> to
|
|
specify the name of your log.</para>
|
|
|
|
<important>
|
|
<para>The LOGFILE setting does not control where the Netfilter log is
|
|
maintained -- it simply tells the /sbin/<filename>shorewall</filename>
|
|
utility where to find the log.</para>
|
|
</important>
|
|
</section>
|
|
|
|
<section id="Modules">
|
|
<title>Kernel Module Loading</title>
|
|
|
|
<para>Beginning in Shorewall 4.4.7,
|
|
<filename>/etc/shorewall/shorewall.conf</filename> contains a
|
|
LOAD_HELPERS_ONLY option which is set to <option>Yes</option> in the
|
|
samples. This causes Shorewall to attempt to load the modules listed in
|
|
<filename>/usr/share/shorewall/helpers</filename>. In addition, it sets
|
|
<emphasis role="bold">sip_direct_media=0</emphasis> when loading the
|
|
nf_conntrack_sip module. That setting is somewhat less secure than
|
|
<emphasis role="bold">sip_direct_media=1</emphasis>, but it generally
|
|
makes VOIP through the firewall work much better.</para>
|
|
|
|
<para>The modules in <filename>/usr/share/shorewall/helpers</filename> are
|
|
those that are not autoloaded. If your kernel does not support module
|
|
autoloading and you want Shorewall to attempt to load all netfilter
|
|
modules that it might require, then set LOAD_HELPERS_ONLY=No. That will
|
|
cause Shorewall to try to load the modules listed in
|
|
<filename>/usr/share/shorewall/modules</filename>. That file does not set
|
|
<emphasis role="bold">sip_direct_media=0</emphasis>.</para>
|
|
|
|
<important>
|
|
<para>In Shorewall 5.2.3, the LOAD_HELPERS_ONLY option was removed and
|
|
the behavior is the same as if LOAD_HELPERS_ONLY=Yes.</para>
|
|
</important>
|
|
|
|
<para>If you need to modify either
|
|
<filename>/usr/share/shorewall/helpers</filename> or
|
|
<filename>/usr/share/shorewall/modules</filename> then copy the file to
|
|
<filename>/etc/shorewall</filename> and modify the copy.</para>
|
|
|
|
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
|
|
|
|
<para>Modify the setting of LOAD_HELPER_ONLY as necessary.</para>
|
|
</section>
|
|
|
|
<section id="Open">
|
|
<title>Enabling other Connections</title>
|
|
|
|
<para>Shorewall includes a collection of macros that can be used to
|
|
quickly allow or deny services. You can find a list of the macros included
|
|
in your version of Shorewall using the command <command>ls
|
|
<filename>/usr/share/shorewall/macro.*</filename></command>.</para>
|
|
|
|
<para>If you wish to enable connections from the Internet to your firewall
|
|
and you find an appropriate macro in
|
|
<filename>/usr/share/shorewall/macro.*</filename>, the general format of a
|
|
rule in <filename>/etc/shorewall/rules</filename> is:</para>
|
|
|
|
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
|
<<emphasis>macro</emphasis>>(ACCEPT) net $FW</programlisting>
|
|
|
|
<important>
|
|
<para>Be sure to add your rules after the line that reads <emphasis
|
|
role="bold">?SECTION NEW</emphasis>.</para>
|
|
</important>
|
|
|
|
<example id="Example1">
|
|
<title>You want to run a Web Server and a IMAP Server on your firewall
|
|
system:</title>
|
|
|
|
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
|
Web(ACCEPT) net $FW
|
|
IMAP(ACCEPT)net $FW</programlisting>
|
|
</example>
|
|
|
|
<caution>
|
|
<para>The Shorewall-provided macros assume that the associated service
|
|
is using it's standard port and will not work with services listening on
|
|
a non-standard port.</para>
|
|
</caution>
|
|
|
|
<para>You may also choose to code your rules directly without using the
|
|
pre-defined macros. This will be necessary in the event that there is not
|
|
a pre-defined macro that meets your requirements. In that case the general
|
|
format of a rule in <filename>/etc/shorewall/rules</filename> is:</para>
|
|
|
|
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
|
ACCEPT net $FW <emphasis><protocol></emphasis> <emphasis><port></emphasis></programlisting>
|
|
|
|
<example id="Example2">
|
|
<title>You want to run a Web Server and a IMAP Server on your firewall
|
|
system:</title>
|
|
|
|
<para><programlisting>#ACTION SOURCE DEST PROTO DPORT
|
|
ACCEPT net $FW tcp 80
|
|
ACCEPT net $FW tcp 143</programlisting></para>
|
|
</example>
|
|
|
|
<para>If you don't know what port and protocol a particular application
|
|
uses, see <ulink url="ports.htm">here</ulink>.</para>
|
|
|
|
<important>
|
|
<para>I don't recommend enabling telnet to/from the Internet because it
|
|
uses clear text (even for login!). If you want shell access to your
|
|
firewall from the Internet, use <acronym>SSH</acronym>:</para>
|
|
|
|
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
|
|
SSH(ACCEPT) net $FW </programlisting>
|
|
</important>
|
|
|
|
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
|
|
|
|
<para>At this point, edit <filename>/etc/shorewall/rules</filename> to add
|
|
other connections as desired.</para>
|
|
</section>
|
|
|
|
<section id="Starting">
|
|
<title>Starting and Stopping Your Firewall</title>
|
|
|
|
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
|
|
|
|
<para>The <ulink url="Install.htm">installation procedure</ulink>
|
|
configures your system to start Shorewall at system boot but startup is
|
|
disabled so that your system won't try to start Shorewall before
|
|
configuration is complete. Once you have completed configuration of your
|
|
firewall, you must edit /etc/shorewall/shorewall.conf and set
|
|
STARTUP_ENABLED=Yes.<graphic align="left"
|
|
fileref="images/openlogo-nd-25.png"/></para>
|
|
|
|
<important>
|
|
<para>Users of the .deb package must edit
|
|
<filename>/etc/default/shorewall</filename> and set
|
|
<varname>startup=1.</varname></para>
|
|
</important>
|
|
|
|
<important>
|
|
<para>You must enable startup by editing
|
|
<filename>/etc/shorewall/shorewall.conf</filename> and setting
|
|
<varname>STARTUP_ENABLED=Yes.</varname></para>
|
|
</important>
|
|
|
|
<para>While you are editing <filename>shorewall.conf</filename>, it is a
|
|
good idea to check the value of the SUBSYSLOCK option. You can find a
|
|
description of this option by typing 'man shorewall.conf' at a shell
|
|
prompt and searching for SUBSYSLOCK.</para>
|
|
|
|
<para>The firewall is started using the <quote><command>shorewall
|
|
start</command></quote> command and stopped using
|
|
<quote><command>shorewall stop</command></quote>. When the firewall is
|
|
stopped, traffic is enabled on those hosts that have an entry in
|
|
<filename><ulink
|
|
url="manpages/shorewall-stoppedrules.html">/etc/shorewall/stoppedrules</ulink></filename>
|
|
(<filename><ulink
|
|
url="manpages/shorewall-routestopped.html">/etc/shorewall/routestopped</ulink></filename>
|
|
in Shorewall 4.5.7 and earlier). A running firewall may be restarted using
|
|
the <quote><command>shorewall reload</command></quote> command. If you
|
|
want to totally remove any trace of Shorewall from your Netfilter
|
|
configuration, use <quote><command>shorewall
|
|
clear</command></quote>.</para>
|
|
|
|
<warning>
|
|
<para>If you are connected to your firewall from the Internet, do not
|
|
issue a <quote><command>shorewall stop</command></quote> command unless
|
|
you have either:</para>
|
|
|
|
<orderedlist>
|
|
<listitem>
|
|
<para>Used ADMINISABSENTMINDED=Yes in
|
|
<filename>/etc/shorewall/shorewall.conf</filename> or</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>added an entry for the IP address that you are connected from
|
|
to <ulink
|
|
url="manpages/shorewall-routestopped.html"><filename>/etc/shorewall/routestopped</filename></ulink>.</para>
|
|
</listitem>
|
|
</orderedlist>
|
|
|
|
<para>Also, I don't recommend using <quote><command>shorewall
|
|
reload</command></quote>; it is better to create an <emphasis><ulink
|
|
url="configuration_file_basics.htm#Configs">alternate
|
|
configuration</ulink></emphasis> and test it using the <ulink
|
|
url="starting_and_stopping_shorewall.htm"><quote><command>shorewall
|
|
try</command></quote></ulink> command.</para>
|
|
</warning>
|
|
|
|
<para>The firewall will start after your network interface has been
|
|
brought up. This leaves a small window between the time that the network
|
|
interface is working and when the firewall is controlling connections
|
|
through that interface. If this is a concern, you can close that window by
|
|
installing the <ulink url="Shorewall-init.html">Shorewall Init
|
|
Package</ulink>.</para>
|
|
</section>
|
|
|
|
<section id="Problems">
|
|
<title>If it Doesn't Work</title>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>Re-check each of the items flagged with a red arrow
|
|
above.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Check your <ulink
|
|
url="shorewall_logging.html">log</ulink>.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Check the <ulink url="troubleshoot.htm">Troubleshooting
|
|
Guide</ulink>.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Check the <ulink url="FAQ.htm">FAQ</ulink>.</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Disabling your existing Firewall</title>
|
|
|
|
<para>Before starting Shorewall for the first time, it's a good idea to
|
|
stop your existing firewall. On older Redhat/CentOS/Fedora:</para>
|
|
|
|
<programlisting><command>service iptables stop</command></programlisting>
|
|
|
|
<para>On recent Fedora systems that run systemd, the command is:</para>
|
|
|
|
<programlisting><command>systemctl stop iptables.service</command></programlisting>
|
|
|
|
<para>If you are running SuSE, use Yast or Yast2 to stop
|
|
SuSEFirewall.</para>
|
|
|
|
<para>On other systems that use a classic SysV init system:</para>
|
|
|
|
<programlisting><command>/etc/init.d/iptables stop</command></programlisting>
|
|
|
|
<para>Once you have Shorewall running to your satisfaction, you should
|
|
totally disable your existing firewall. On older
|
|
Redhat/CentOS/Fedora:</para>
|
|
|
|
<programlisting><command>chkconfig --del iptables</command></programlisting>
|
|
|
|
<para>On Debian systems:</para>
|
|
|
|
<programlisting><command>update-rc.d iptables disable</command></programlisting>
|
|
|
|
<para>On recent Fedora system running systemd:</para>
|
|
|
|
<programlisting><command>systemctl disable iptables.service</command></programlisting>
|
|
|
|
<para><inlinegraphic fileref="images/BD21298_.gif"/></para>
|
|
|
|
<para>At this point, disable your existing firewall service.</para>
|
|
</section>
|
|
|
|
<section id="Other">
|
|
<title>Additional Recommended Reading</title>
|
|
|
|
<para>I highly recommend that you review the <ulink
|
|
url="configuration_file_basics.htm">Common Configuration File Features
|
|
page</ulink> -- it contains helpful tips about Shorewall features than
|
|
make administering your firewall easier. Also, <ulink
|
|
url="starting_and_stopping_shorewall.htm">Operating Shorewall and
|
|
Shorewall Lite</ulink> contains a lot of useful operational hints.</para>
|
|
</section>
|
|
</article>
|