diff --git a/Shorewall-docs/three-interface.xml b/Shorewall-docs/three-interface.xml
index 2cefe813d..6940f2281 100644
--- a/Shorewall-docs/three-interface.xml
+++ b/Shorewall-docs/three-interface.xml
@@ -65,10 +65,10 @@
Requirements
- Shorewall requires that you have the iproute/iproute2 package
- installed (on RedHat, the package is called iproute). You can tell if
- this package is installed by the presence of an ip program on your
- firewall system. As root, you can use the 'which' command to
+ Shorewall requires that you have the iproute/iproute2 package
+ installed (on RedHat, the package is called iproute). You can tell if
+ this package is installed by the presence of an ip program on your
+ firewall system. As root, you can use the which command to
check for this program:[root@gateway root]# which ip
/sbin/ip
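Review bot: the sample session is fused onto the end of the sentence ("check for this program:[root@gateway root]# which ip"); put the prompt and its output on their own lines so the reader can tell the command from the prose. The change from 'which' to which is fine as long as the command markup it replaces is actually applied in the source.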
@@ -80,22 +80,24 @@
yourself with what's involved then go back through it again making
your configuration changes.
- If you edit your configuration files on a Windows system, you
- must save them as Unix files if your editor supports that option or
- you must run them through dos2unix before trying to use them.
- Similarly, if you copy a configuration file from your Windows hard
- drive to a floppy disk, you must run dos2unix against the copy before
+ If you edit your configuration files on a Windows system, you
+ must save them as Unix files if your editor supports that option or
+ you must run them through dos2unix before trying to use them.
+ Similarly, if you copy a configuration file from your Windows hard
+ drive to a floppy disk, you must run dos2unix against the copy before
using it with Shorewall.
-
-
- Windows
- Version of dos2unix
-
-
- Linux
- Version of dos2unix
-
-
+
+
+
+ Windows Version of dos2unix
+
+
+
+
+ Linux Version of dos2unix
+
+
+
@@ -118,11 +120,11 @@
Shorewall Concepts The
configuration files for Shorewall are contained in the directory
- /etc/shorewall -- for simple setups, you will only need to deal with a few
+ /etc/shorewall -- for simple setups, you will only need to deal with a few
of these as described in this guide. After you have installed Shorewall,
- download the three-interface sample, un-tar it (tar -zxvf
- three-interfaces.tgz) and and copy the files to /etc/shorewall (the files
- will replace files with the same names that were placed in /etc/shorewall
+ download the three-interface sample, un-tar it (tar
+ three-interfaces.tgz) and and copy the files to /etc/shorewall (the files
+ will replace files with the same names that were placed in /etc/shorewall
when Shorewall was installed).As each file is introduced, I suggest that you look through the
actual file on your system -- each file contains detailed configuration
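Review bot: the rewritten tar instruction drops the flags, so "un-tar it (tar three-interfaces.tgz)" is no longer a working command; keep "tar -zxvf three-interfaces.tgz" (or make sure the option markup carries the -zxvf text through). The doubled "and and copy the files" is carried over unchanged and should become "and copy the files".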
@@ -154,32 +156,32 @@
- Zone names are defined in /etc/shorewall/zones.
+ Zone names are defined in /etc/shorewall/zones.Shorewall also recognizes the firewall system as its own zone - by
- default, the firewall itself is known as fw.
+ default, the firewall itself is known as fw.Rules about what traffic to allow and what traffic to deny are
expressed in terms of zones.You express your default policy for connections from one zone to
- another zone in the /etc/shorewall/policy file.
+ another zone in the /etc/shorewall/policy file.
You define exceptions to those default policies in the
- /etc/shorewall/rules file.
+ /etc/shorewall/rules file.
For each connection request entering the firewall, the request is
- first checked against the /etc/shorewall/rules file. If no rule in that
+ first checked against the /etc/shorewall/rules file. If no rule in that
file matches the connection request then the first policy in
- /etc/shorewall/policy that matches the request is applied. If that policy
+ /etc/shorewall/policy that matches the request is applied. If that policy
is REJECT or DROP the request is first checked against the rules in
- /etc/shorewall/common if that file exists; otherwise the file
- /etc/shorewall/common.def is checked
- The /etc/shorewall/policy file included with the three-interface
+ /etc/shorewall/common if that file exists; otherwise the file
+ /etc/shorewall/common.def is checked
+ The /etc/shorewall/policy file included with the three-interface
sample has the following policies:
- three-interface sample /etc/shorewall/policy
+ three-interface sample /etc/shorewall/policy
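Review bot: the sentence ending "otherwise the file /etc/shorewall/common.def is checked" still has no terminating period in the new text, and it runs straight into "The /etc/shorewall/policy file included with the three-interface sample"; add the period (and a paragraph break) since this hunk already touches those lines.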
@@ -220,7 +222,7 @@
commented out. If you want your firewall system to have full access to
servers on the internet, uncomment that line.
- three-interface sample /etc/shorewall/policy comment
+ three-interface sample /etc/shorewall/policy comment
@@ -262,7 +264,7 @@
At this
- point, edit your /etc/shorewall/policy file and make any changes that you
+ point, edit your /etc/shorewall/policy file and make any changes that you
wish.
@@ -276,23 +278,23 @@
The firewall has three network interfaces. Where Internet
- connectivity is through a cable or DSL "Modem", the External
+ connectivity is through a cable or DSL Modem, the External
Interface will be the ethernet adapter that is connected to that
- "Modem" (e.g., eth0) unless you connect via Point-to-Point
- Protocol over Ethernet (PPPoE) or Point-to-Point Tunneling Protocol (PPTP)
- in which case the External Interface will be a ppp interface (e.g., ppp0).
+ Modem (e.g., eth0) unless you connect via Point-to-Point
+ Protocol over Ethernet (PPPoE) or Point-to-Point Tunneling Protocol (PPTP)
+ in which case the External Interface will be a ppp interface (e.g., ppp0).
If you connect via a regular modem, your External Interface will also be
- ppp0. If you connect using ISDN, you external interface will be ippp0.
+ ppp0. If you connect using ISDN, you external interface will be ippp0.
If your
- external interface is ppp0 or ippp0 then you will want to set CLAMPMSS=yes
- in /etc/shorewall/shorewall.conf.
- Your Local Interface will be an ethernet adapter (eth0, eth1 or
- eth2) and will be connected to a hub or switch. Your local computers will
+ external interface is ppp0 or ippp0 then you will want to set CLAMPMSS=yes
+ in /etc/shorewall/shorewall.conf.
+ Your Local Interface will be an ethernet adapter (eth0, eth1 or
+ eth2) and will be connected to a hub or switch. Your local computers will
be connected to the same switch (note: If you have only a single local
system, you can connect the firewall directly to the computer using a
cross-over cable).
- Your DMZ Interface will also be an ethernet adapter (eth0, eth1 or
- eth2) and will be connected to a hub or switch. Your DMZ computers will be
+ Your DMZ Interface will also be an ethernet adapter (eth0, eth1 or
+ eth2) and will be connected to a hub or switch. Your DMZ computers will be
connected to the same switch (note: If you have only a single DMZ system,
you can connect the firewall directly to the computer using a cross-over
cable).
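Review bot: "If you connect using ISDN, you external interface will be ippp0" is re-added with the typo intact; it should read "your external interface". Same for "you will want to set CLAMPMSS=yes" a few lines later, which reads better as "you will want to set CLAMPMSS=yes in /etc/shorewall/shorewall.conf" with the option rendered as a literal, matching how the other file names in this hunk are treated.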
@@ -301,24 +303,24 @@
or switch except for testing AND you are running Shorewall version 1.4.7
or later. When using these recent versions, you can test using this kind
of configuration if you specify the arp_filter option in
- /etc/shorewall/interfaces for all interfaces connected to the common
+ /etc/shorewall/interfaces for all interfaces connected to the common
hub/switch. Using such a setup with a production firewall is strongly
recommended against. The
Shorewall three-interface sample configuration assumes that the external
- interface is eth0, the local interface is eth1 and the DMZ interface is
- eth2. If your configuration is different, you will have to modify the
- sample /etc/shorewall/interfaces file accordingly. While you are there,
+ interface is eth0, the local interface is eth1 and the DMZ interface is
+ eth2. If your configuration is different, you will have to modify the
+ sample /etc/shorewall/interfaces file accordingly. While you are there,
you may wish to review the list of options that are specified for the
interfaces. Some hints:
- If your external interface is ppp0 or ippp0, you can replace the
- "detect" in the second column with "-".
+ If your external interface is ppp0 or ippp0, you can replace the
+ detect in the second column with - (without the quotes).
- If your external interface is ppp0 or ippp0 or if you have a
- static IP address, you can remove "dhcp" from the option list.
+ If your external interface is ppp0 or ippp0 or if you have a
+ static IP address, you can remove dhcp from the option list.
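Review bot: the hint now says "replace the detect in the second column with - (without the quotes)" even though this change is the one removing the quotes, so the parenthetical no longer refers to anything the reader sees; either keep the quoted "-" or drop "(without the quotes)". The second hint should be consistent with the first (both detect and dhcp as literals).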
@@ -341,17 +343,17 @@
Before
starting Shorewall, you should look at the IP address of your external
interface and if it is one of the above ranges, you should remove the
- 'norfc1918' option from the external interface's entry in
- /etc/shorewall/interfaces.
+ norfc1918 option from the external interface's entry in
+ /etc/shorewall/interfaces.
You will want to assign your local addresses from one sub-network or
subnet and your DMZ addresses from another subnet. For our purposes, we
- can consider a subnet to consists of a range of addresses x.y.z.0 -
- x.y.z.255. Such a subnet will have a Subnet Mask of 255.255.255.0. The
- address x.y.z.0 is reserved as the Subnet Address and x.y.z.255 is
+ can consider a subnet to consists of a range of addresses x.y.z.0 -
+ x.y.z.255. Such a subnet will have a Subnet Mask of 255.255.255.0. The
+ address x.y.z.0 is reserved as the Subnet Address and x.y.z.255 is
reserved as the Subnet Broadcast Address. In Shorewall, a subnet is
described using Classless InterDomain Routing (CIDR) notation with
- consists of the subnet address followed by "/24". The "24"
- refers to the number of consecutive "1" bits from the left of the
+ consists of the subnet address followed by /24. The 24
+ refers to the number of consecutive 1 bits from the left of the
subnet mask.
It is conventional to assign the internal interface either the first
- usable address in the subnet (10.10.10.1 in the above example) or the last
- usable address (10.10.10.254).
+ usable address in the subnet (10.10.10.1 in the above example) or the last
+ usable address (10.10.10.254).
One of the purposes of subnetting is to allow all computers in the
subnet to understand which other computers can be communicated with
directly. To communicate with systems outside of the subnetwork, systems
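Review bot: two grammatical slips are carried into the new lines: "we can consider a subnet to consists of a range" should be "to consist of a range", and "Classless InterDomain Routing (CIDR) notation with consists of the subnet address followed by /24" should be "notation which consists of". Also, "10.10.10.1 in the above example" refers to an example that does not appear in this hunk, so check that the surrounding text still introduces 10.10.10.0/24 before this sentence.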
@@ -387,13 +395,13 @@
Your
local computers (Local Computers 1 & 2) should be configured with
their default gateway set to the IP address of the firewall's internal
- interface and your DMZ computers ( DMZ Computers 1 & 2) should be
+ interface and your DMZ computers (DMZ Computers 1 & 2) should be
configured with their default gateway set to the IP address of the
firewall's DMZ interface.The foregoing short discussion barely scratches the surface
regarding subnetting and routing. If you are interested in learning more
- about IP addressing and routing, I highly recommend "IP Fundamentals:
- What Everyone Needs to Know about Addressing & Routing", Thomas A.
+ about IP addressing and routing, I highly recommend IP Fundamentals:
+ What Everyone Needs to Know about Addressing & Routing, Thomas A.
Maufer, Prentice-Hall, 1999, ISBN 0-13-975483-0.The remainder of this quide will assume that you have configured
your network as shown here:
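Review bot: "The remainder of this quide" (for "guide") is in the unchanged context right after the lines this hunk edits; worth fixing in the same commit since the paragraph is being touched anyway.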
@@ -405,13 +413,13 @@
The default gateway for the DMZ computers would be
- 10.10.11.254 and the default gateway for the Local computers would
- be 10.10.10.254.
+ 10.10.11.254 and the default gateway for the Local computers would
+ be 10.10.10.254.
Your ISP might assign your external interface an RFC 1918
- address. If that address is in the 10.10.10.0/24 subnet then you
+ address. If that address is in the 10.10.10.0/24 subnet then you
will need to select a DIFFERENT RFC 1918 subnet for your local
- network and if it is in the 10.10.11.0/24 subnet then you will
+ network and if it is in the 10.10.11.0/24 subnet then you will
need to select a different RFC 1918 subnet for your DMZ.
@@ -483,23 +491,70 @@
Domain Name Server (DNS)
- Normally, when you connect to your ISP, as part of getting an IP address your firewall's Domain Name Service (DNS) resolver will be automatically configured (e.g., the /etc/resolv.conf file will be written). Alternatively, your ISP may have given you the IP address of a pair of DNS name servers for you to manually configure as your primary and secondary name servers. It is your responsibility to configure the resolver in your internal systems. You can take one of two approaches:
+ Normally, when you connect to your ISP, as part of getting an IP address your firewall's Domain Name Service (DNS) resolver will be automatically configured (e.g., the /etc/resolv.conf file will be written). Alternatively, your ISP may have given you the IP address of a pair of DNS name servers for you to manually configure as your primary and secondary name servers. It is your responsibility to configure the resolver in your internal systems. You can take one of two approaches:
- You can configure your internal systems to use your ISP's name servers. If you ISP gave you the addresses of their servers or if those addresses are available on their web site, you can configure your internal systems to use those addresses. If that information isn't available, look in /etc/resolv.conf on your firewall system -- the name servers are given in "nameserver" records in that file.
- You can configure a Caching Name Server on your firewall or in your DMZ. Red Hat has an RPM for a caching name server (which also requires the 'bind' RPM) and for Bering users, there is dnscache.lrp. If you take this approach, you configure your internal systems to use the caching name server as their primary (and only) name server. You use the internal IP address of the firewall (10.10.10.254 in the example above) for the name server address if you choose to run the name server on your firewall. To allow your local systems to talk to your caching name server, you must open port 53 (both UDP and TCP) from the local network to the server; you do that by adding the rules in /etc/shorewall/rules.
+ You can configure your internal systems to use your ISP's name servers. If you ISP gave you the addresses of their servers or if those addresses are available on their web site, you can configure your internal systems to use those addresses. If that information isn't available, look in /etc/resolv.conf on your firewall system -- the name servers are given in nameserver records in that file.
+ You can configure a Caching Name Server on your firewall or in your DMZ. Red Hat has an RPM for a caching name server (which also requires the 'bind' RPM) and for Bering users, there is dnscache.lrp. If you take this approach, you configure your internal systems to use the caching name server as their primary (and only) name server. You use the internal IP address of the firewall (10.10.10.254 in the example above) for the name server address if you choose to run the name server on your firewall. To allow your local systems to talk to your caching name server, you must open port 53 (both UDP and TCP) from the local network to the server; you do that by adding the rules in /etc/shorewall/rules.
+ If you run the name server on the firewall:
+ ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESSACCEPTlocfwtcp53ACCEPTlocfwudp53ACCEPTdmzfwtcp53ACCEPTdmzfwudp53
+ Run name server on DMZ computer 1:
+ ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESSACCEPTlocdmz:10.10.11.1tcp53ACCEPTlocdmz:10.10.11.1udp53ACCEPTdmzdmz:10.10.11.1tcp53ACCEPTdmzdmz:10.10.11.1udp53Other Connections
-
+
+ The three-interface sample includes the following rules:
+ ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESSACCEPTfwnetudp53ACCEPTfwnettcp53
+ Those rules allow DNS access from your firewall and may be removed if you commented out the line in /etc/shorewall/policy allowing all connections from the firewall to the internet.
+
+
+ The sample also includes:
+ ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESSACCEPTlocfwtcp22ACCEPTlocdmztcp22
+ That rule allows you to run an SSH server on your firewall and in each of your DMZ systems and to connect to those servers from your local systems.
+
+
+ If you wish to enable other connections between your systems, the general format is:
+ ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESSACCEPT<source zone><destination zone><protocol><port>
+ Example - You want to run a publicly-available DNS server on your firewall system:
+ ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESSACCEPTnetfwtcp53ACCEPTnetfwudp53
+ Those two rules would of course be in addition to the rules listed above under "If you run the name server on your firewall".
+
+
+ If you don't know what port and protocol a particular application uses, look here.
+
+
+
+ I don't recommend enabling telnet to/from the internet because it uses clear text (even for login!). If you want shell access to your firewall from the internet, use SSH:
+ ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESSACCEPTnetfwtcp22
+
+
+ Bering users will want to add the following two rules to be compatible with Jacques's Shorewall configuration:
+ ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESSACCEPTlocfwudp53ACCEPTlocfwtcp80
+ Entry 1 allows the DNS Cache to be used.
+
+ Entry 2 allows the weblet to work.
+ Now modify /etc/shorewall/rules to add or remove other connections as required.
+ Starting and Stopping Your Firewall
-
+ The installation procedure configures your system to start Shorewall at system boot but beginning with Shorewall version 1.3.9 startup is disabled so that your system won't try to start Shorewall before configuration is complete. Once you have completed configuration of your firewall, you can enable Shorewall startup by removing the file /etc/shorewall/startup_disabled.
+
+ Users of the .deb package must edit /etc/default/shorewall and set startup=1.
+
+ The firewall is started using the shorewall start command and stopped using shorewall stop. When the firewall is stopped, routing is enabled on those hosts that have an entry in /etc/shorewall/routestopped. A running firewall may be restarted using the shorewall restart command. If you want to totally remove any trace of Shorewall from your Netfilter configuration, use shorewall clear.
+
+ The three-interface sample assumes that you want to enable routing to/from eth1 (your local network) and eth2 (DMZ) when Shorewall is stopped. If these two interfaces don't connect to your local network and DMZ or if you want to enable a different set of hosts, modify /etc/shorewall/routestopped accordingly.
+
+ If you are connected to your firewall from the internet, do not issue a shorewall stop command unless you have added an entry for the IP address that you are connected from to /etc/shorewall/routestopped. Also, I don't recommend using shorewall restart; it is better to create an alternate configuration and test it using the shorewall try command.
+ Additional Recommended Reading
-
+
+ I highly recommend that you review the Common Configuration File Features page -- it contains helpful tips about Shorewall features than make administering your firewall easier.
+
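Review bot: several slips in the newly added text: "If you ISP gave you" should be "If your ISP gave you"; the SSH paragraph says "That rule allows you to run an SSH server" but lists two rules (loc to fw and loc to dmz on tcp 22), so "Those rules allow"; and "tips about Shorewall features than make administering" should be "that make". The rules tables (ACTION SOURCE DESTINATION PROTOCOL PORT SOURCE PORT ORIGINAL ADDRESS) render here with the cells run together, so confirm the table markup separates the columns in the built output. One content point: the "publicly-available DNS server" example opens tcp/udp 53 from net to fw, and the same section earlier recommends running a caching name server on the firewall; a sentence noting that those two net rules are meant for an authoritative server, not for the caching resolver (which would then answer queries from anyone on the internet), would keep readers from exposing the resolver by following both examples. Finally, "look here" has no visible target in this text; make sure the link survives the markup change.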