diff --git a/Shorewall-docs/standalone.xml b/Shorewall-docs/standalone.xml new file mode 100644 index 000000000..c9bf7e11e --- /dev/null +++ b/Shorewall-docs/standalone.xml @@ -0,0 +1,491 @@ + + +
+ + + + Standalone Firewall + + + + Tom + + Eastep + + + + 2003-11-15 + + + 2002 + + 2003 + + Thomas M. Eastep + + + + Permission is granted to copy, distribute and/or modify this + document under the terms of the GNU Free Documentation License, Version + 1.2 or any later version published by the Free Software Foundation; with + no Invariant Sections, with no Front-Cover, and with no Back-Cover + Texts. A copy of the license is included in the section entitled + GNU Free Documentation License. + + + +
+ Introduction + + Setting up Shorewall on a standalone Linux system is very easy if + you understand the basics and follow the documentation. + + This guide doesn't attempt to acquaint you with all of the + features of Shorewall. It rather focuses on what is required to configure + Shorewall in one of its most common configurations: + + + + Linux system + + + + Single external IP address + + + + Connection through Cable Modem, DSL, ISDN, Frame Relay, + dial-up... + + + +
+ Requirements + + Shorewall requires that you have the iproute/iproute2 package + installed (on RedHat, the package is called iproute). + You can tell if this package is installed by the presence of an + ip program on your firewall system. As + root, you can use the which command to check for this + program: + + [root@gateway root]# which ip +/sbin/ip +[root@gateway root]# +
+ +
+ Before you start + + I recommend that you read through the guide first to familiarize + yourself with what's involved then go back through it again making + your configuration changes. + + + If you edit your configuration files on a Windows system, you + must save them as Unix files if your editor supports that option or + you must run them through dos2unix before trying to use them. + Similarly, if you copy a configuration file from your Windows hard + drive to a floppy disk, you must run dos2unix against the copy before + using it with Shorewall. + + + Windows Version of dos2unix + + Linux Version of dos2unix + + +
+ +
+ Conventions + + Points at which configuration changes are recommended are flagged + with . +
+
+ +
+ PPTP/ADSL + + If you + have an ADSL Modem and you use PPTP to communicate with a server in that + modem, you must make the changes + recommended here in addition to those described in the steps + below. ADSL with PPTP is most commonly found in Europe, notably in + Austria. +
+ +
+ Shorewall Concepts + + The + configuration files for Shorewall are contained in the directory + /etc/shorewall -- for simple setups, you only need to deal with a few of + these as described in this guide. After you have installed + Shorewall, download the one-interface + sample, un-tar it (tar -zxvf one-interface.tgz) and and copy the + files to /etc/shorewall (they will replace files with the same names that + were placed in /etc/shorewall during Shorewall installation). + + As each file is introduced, I suggest that you look through the + actual file on your system -- each file contains detailed configuration + instructions and default entries. + + Shorewall views the network where it is running as being composed of + a set of zones. In the one-interface sample + configuration, only one zone is defined: + + + + + + Name + + Description + + + + + + net + + The Internet + + + + + + Shorewall zones are defined in /etc/shorewall/zones. + + Shorewall also recognizes the firewall system as its own zone - by + default, the firewall itself is known as fw. + + Rules about what traffic to allow and what traffic to deny are + expressed in terms of zones. + + + + You express your default policy for connections from one zone to + another zone in the /etc/shorewall/policy + file. + + + + You define exceptions to those default policies in the /etc/shorewall/rules file. + + + + For each connection request entering the firewall, the request is + first checked against the /etc/shorewall/rules file. If no rule in that + file matches the connection request then the first policy in + /etc/shorewall/policy that matches the request is applied. If that policy + is REJECT or DROP the request is first checked against the rules in + /etc/shorewall/common if that file exists; otherwise the rules in + /etc/shorewall/common.def are checked. 
+ + The /etc/shorewall/policy file included with the one-interface + sample has the following policies: + + + one-interface sample /etc/shorewall/policy + + + + + SOURCE ZONE + + DESTINATION ZONE + + POLICY + + LOG LEVEL + + LIMIT:BURST + + + + + + fw + + net + + ACCEPT + + + + + + + + net + + all + + DROP + + info + + + + + + all + + all + + REJECT + + info + + + + + +
+ + The above policy will: + + + + allow all connection requests from the firewall to the internet + + + + drop (ignore) all connection requests from the internet to your + firewall + + + + reject all other connection requests (Shorewall requires this + catchall policy). + + + + At this point, edit your /etc/shorewall/policy and make any changes + that you wish. +
+ +
+ External Interface + + The firewall has a single network interface. Where Internet + connectivity is through a cable or DSL Modem, the + External Interface will be the ethernet adapter (eth0) that is connected to that Modem + unless you connect via + Point-to-Point Protocol over Ethernet (PPPoE) or + Point-to-Point Tunneling Protocol (PPTP) in which + case the External Interface will be a ppp0. + If you connect via a regular modem, your External Interface will also be + ppp0. If you connect using ISDN, your + external interface will be ippp0. + + The + Shorewall one-interface sample configuration assumes that the external + interface is eth0. If your configuration + is different, you will have to modify the sample /etc/shorewall/interfaces + file accordingly. While you are there, you may wish to review the list of + options that are specified for the interface. Some hints: + + + If your external interface is ppp0 + or ippp0, you can replace the + detect in the second column with -. + + + + If your external interface is ppp0 + or ippp0 or if you have a static IP + address, you can remove dhcp from the option list. + +
+ +
+ IP Addresses + + RFC 1918 reserves several Private IP address + ranges for use in private networks: + + 10.0.0.0 - 10.255.255.255 +172.16.0.0 - 172.31.255.255 +192.168.0.0 - 192.168.255.255 + + These addresses are sometimes referred to as non-routable + because the Internet backbone routers will not forward a packet whose + destination address is reserved by RFC 1918. In some cases though, ISPs + are assigning these addresses then using Network Address + Translation to rewrite packet headers when forwarding to/from + the internet. + + Before + starting Shorewall, you should look at the IP address of your external + interface and if it is one of the above ranges, you should remove the + norfc1918 option from the entry in + /etc/shorewall/interfaces. +
+ +
+ Enabling other Connections + + If you wish to enable connections from the internet to your + firewall, the general format is: + + + /etc/shorewall/rules + + + + + ACTION + + SOURCE + + DESTINATION + + PROTOCOL + + PORT + + SOURCE PORT + + ORIGINAL ADDRESS + + + + + + ACCEPT + + net + + fw + + <protocol> + + <port> + + + + + + + +
+ + + You want to run a Web Server and a POP3 Server on your firewall + system: + + /etc/shorewall/rulesACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESSACCEPTnetfwtcp80ACCEPTnetfwtcp110
+
+ + If you don't know what port and protocol a particular + application uses, see here. + + + I don't recommend enabling telnet to/from the internet because + it uses clear text (even for login!). If you want shell access to your + firewall from the internet, use SSH: + + + /etc/shorewall/rules + + + + + ACTION + + SOURCE + + DESTINATION + + PROTOCOL + + PORT + + SOURCE PORT + + ORIGINAL ADDRESS + + + + + + ACCEPT + + net + + fw + + tcp + + 22 + + + + + + + +
+
+ + At this + point, edit /etc/shorewall/rules to add other connections as desired. +
+ +
+ Starting and Stopping Your Firewall + + The + installation procedure configures your + system to start Shorewall at system boot but beginning with Shorewall + version 1.3.9 startup is disabled so that your system won't try to + start Shorewall before configuration is complete. Once you have completed + configuration of your firewall, you can enable Shorewall startup by + removing the file /etc/shorewall/startup_disabled. + + + Users of the .deb package must edit + /etc/default/shorewall and set startup=1. + + + The firewall is started using the shorewall start + command and stopped using shorewall stop. When the firewall + is stopped, routing is enabled on those hosts that have an entry in /etc/shorewall/routestopped. + A running firewall may be restarted using the shorewall restart + command. If you want to totally remove any trace of Shorewall from your + Netfilter configuration, use shorewall clear. + + + If you are connected to your firewall from the internet, do not + issue a shorewall stop command unless you have added an + entry for the IP address that you are connected from to /etc/shorewall/routestopped. + Also, I don't recommend using shorewall restart; it + is better to create an alternate configuration + and test it using the shorewall + try command. + +
+ +
+ Additional Recommended Reading + + I highly recommend that you review the Common Configuration File Features + page -- it contains helpful tips about Shorewall features than + make administering your firewall easier. +
+
\ No newline at end of file
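Review bot: two wording slips in the new standalone.xml should be fixed before merge. In the Shorewall Concepts section the sentence "un-tar it (tar -zxvf one-interface.tgz) and and copy the files to /etc/shorewall" repeats "and"; in Additional Recommended Reading, "helpful tips about Shorewall features than make administering your firewall easier" should read "that make". Separately, the Starting and Stopping section has the one warning a reader is most likely to trip over (issuing shorewall stop over a remote connection without a /etc/shorewall/routestopped entry for the connecting address); consider moving that caution up next to the description of shorewall stop rather than leaving it in the trailing note, since the routestopped behaviour is only mentioned in passing before it.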