Configuration Files Tom Eastep 2005-09-29 2001-2005 Thomas M. Eastep Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled GNU Free Documentation License. This article applies to Shorewall 3.0 and later. If you are running a version of Shorewall earlier than Shorewall 3.0.0 then please see the documentation for that release. If you copy or edit your configuration files on a system running Microsoft Windows, you must run them through dos2unix before you use them with Shorewall.
Files /etc/shorewall/shorewall.conf - used to set several firewall parameters. /etc/shorewall/params - use this file to set shell variables that you will expand in other files. /etc/shorewall/zones - partition the firewall's view of the world into zones. /etc/shorewall/policy - establishes firewall high-level policy. /etc/shorewall/interfaces - describes the interfaces on the firewall system. /etc/shorewall/hosts - allows defining zones in terms of individual hosts and subnetworks. /etc/shorewall/masq - directs the firewall where to use many-to-one (dynamic) Network Address Translation (a.k.a. Masquerading) and Source Network Address Translation (SNAT). /etc/shorewall/modules - directs the firewall to load kernel modules. /etc/shorewall/rules - defines rules that are exceptions to the overall policies established in /etc/shorewall/policy. /etc/shorewall/nat - defines one-to-one NAT rules. /etc/shorewall/proxyarp - defines use of Proxy ARP. /etc/shorewall/routestopped - defines hosts accessible when Shorewall is stopped. /etc/shorewall/tcrules - defines marking of packets for later use by traffic control/shaping or policy routing. /etc/shorewall/tos - defines rules for setting the TOS field in packet headers. /etc/shorewall/tunnels - defines IPSEC, GRE and IPIP tunnels with end-points on the firewall system. /etc/shorewall/blacklist - lists blacklisted IP/subnet/MAC addresses. /etc/shorewall/init - commands that you wish to execute at the beginning of a shorewall start or shorewall restart. /etc/shorewall/start - commands that you wish to execute at the completion of a shorewall start or shorewall restart /etc/shorewall/stop - commands that you wish to execute at the beginning of a shorewall stop. /etc/shorewall/stopped - commands that you wish to execute at the completion of a shorewall stop. /etc/shorewall/ecn - disable Explicit Congestion Notification (ECN - RFC 3168) to remote hosts or networks. /etc/shorewall/accounting - define IP traffic accounting rules /etc/shorewall/actions and /usr/share/shorewall/action.template. /etc/shorewall/providers - defines an alternate routing table. /usr/share/shorewall/actions.std - Actions defined by Shorewall. /usr/share/shorewall/action.* - Details of actions defined by Shorewall. /usr/share/shorewall/macro.* - Details of macros defined by Shorewall. /usr/share/rfc1918 — Defines the behavior of the 'norfc1918' interface option in /etc/shorewall/interfaces. If you need to change this file, copy it to /etc/shorewall and modify the copy.
Comments You may place comments in configuration files by making the first non-whitespace character a pound sign (#). You may also place comments at the end of any line, again by delimiting the comment from the rest of the line with a pound sign. Comments in a Configuration File # This is a comment ACCEPT net $FW tcp www #This is an end-of-line comment
Line Continuation You may continue lines in the configuration files using the usual backslash (\) followed immediately by a new line character. Line Continuation ACCEPT net $FW tcp \ smtp,www,pop3,imap #Services running on the firewall
INCLUDE Directive Any file may contain INCLUDE directives. An INCLUDE directive consists of the word INCLUDE followed by a path name and causes the contents of the named file to be logically included into the file containing the INCLUDE. Relative path names given in an INCLUDE directive are assumed to reside in /etc/shorewall or in an alternate configuration directory if one has been specified for the command. INCLUDE's may be nested to a level of 3 -- further nested INCLUDE directives are ignored with a warning message. Use of INCLUDE shorewall/params.mgmt:    MGMT_SERVERS=1.1.1.1,2.2.2.2,3.3.3.3    TIME_SERVERS=4.4.4.4    BACKUP_SERVERS=5.5.5.5    ----- end params.mgmt -----    shorewall/params:    # Shorewall 1.3 /etc/shorewall/params    [..]    #######################################      INCLUDE params.mgmt         # params unique to this host here    #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE    ----- end params -----    shorewall/rules.mgmt:    ACCEPT net:$MGMT_SERVERS   $FW    tcp    22    ACCEPT $FW          net:$TIME_SERVERS    udp    123    ACCEPT $FW          net:$BACKUP_SERVERS  tcp    22    ----- end rules.mgmt -----    shorewall/rules:    # Shorewall version 1.3 - Rules File    [..]    #######################################      INCLUDE rules.mgmt          # rules unique to this host here    #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE    ----- end rules -----
Using DNS Names I personally recommend strongly against using DNS names in Shorewall configuration files. If you use DNS names and you are called out of bed at 2:00AM because Shorewall won't start as a result of DNS problems then don't say that you were not forewarned. Host addresses in Shorewall configuration files may be specified as either IP addresses or DNS Names. DNS names in iptables rules aren't nearly as useful as they first appear. When a DNS name appears in a rule, the iptables utility resolves the name to one or more IP addresses and inserts those addresses into the rule. So changes in the DNS->IP address relationship that occur after the firewall has started have absolutely no effect on the firewall's ruleset. If your firewall rules include DNS names then: If your /etc/resolv.conf is wrong then your firewall won't start. If your /etc/nsswitch.conf is wrong then your firewall won't start. If your Name Server(s) is(are) down then your firewall won't start. If your startup scripts try to start your firewall before starting your DNS server then your firewall won't start. Factors totally outside your control (your ISP's router is down for example), can prevent your firewall from starting. You must bring up your network interfaces prior to starting your firewall. Each DNS name must be fully qualified and include a minimum of two periods (although one may be trailing). This restriction is imposed by Shorewall to insure backward compatibility with existing configuration files. Valid DNS Names mail.shorewall.net shorewall.net. (note the trailing period). Invalid DNS Names mail (not fully qualified) shorewall.net (only one period) DNS names may not be used as: The server address in a DNAT rule (/etc/shorewall/rules file) In the ADDRESS column of an entry in /etc/shorewall/masq. In the /etc/shorewall/nat file. These restrictions are imposed by Netfilter and not by Shorewall.
Comma-separated Lists Comma-separated lists are allowed in a number of contexts within the configuration files. A comma separated list: Must not have any embedded white space. Valid: routefilter,dhcp,norfc1918 Invalid: routefilter,     dhcp,     norfc1818 If you use line continuation to break a comma-separated list, the continuation line(s) must begin in column 1 (or there would be embedded white space) Entries in a comma-separated list may appear in any order.
Complementing an Address or Subnet Where specifying an IP address, a subnet or an interface, you can precede the item with ! to specify the complement of the item. For example, !192.168.1.4 means any host but 192.168.1.4. There must be no white space following the !.
Exclusion Lists Shorewall 3.0 differs from earlier versions in that in most contexts where a comma-separated list of addresses is accepted, an exclusion list may also be included. An exclusion list is a comma-separated list of addresses that begins with "!". Example: !192.168.1.3,192.168.1.12,192.168.1.32/27 The above list refers to "All addresses except 192.168.1.3, 192.168.1.12 and 192.168.1.32-192.168.1.63. Exclusion lists can also be added after a network address. Example: 192.168.1.0/24!192.168.1.3,192.168.1.12,192.168.1.32/27 The above list refers to "All addresses in 192.168.1.0-192.168.1.255 except 192.168.1.3, 192.168.1.12 and 192.168.1.32-192.168.1.63.
IP Address Ranges If you kernel and iptables have iprange match support, you may use IP address ranges in Shorewall configuration file entries; IP address ranges have the syntax <low IP address>-<high IP address>. Example: 192.168.1.5-192.168.1.12. To see if your kernel and iptables have the required support, use the shorewall show capabilities command: >~ shorewall show capabilities ... Shorewall has detected the following iptables/netfilter capabilities: NAT: Available Packet Mangling: Available Multi-port Match: Available Connection Tracking Match: Available Packet Type Match: Not available Policy Match: Available Physdev Match: Available IP range Match: Available <--------------
Port Numbers/Service Names Unless otherwise specified, when giving a port number you can use either an integer or a service name from /etc/services.
Port Ranges If you need to specify a range of ports, the proper syntax is <low port number>:<high port number>. For example, if you want to forward the range of tcp ports 4000 through 4100 to local host 192.168.1.3, the entry in /etc/shorewall/rules is: #ACTION SOURCE DESTINATION PROTO DEST PORTS(S) DNAT net loc:192.168.1.3 tcp 4000:4100 If you omit the low port number, a value of zero is assumed; if you omit the high port number, a value of 65535 is assumed.
Port Lists In most cases where a port or port range may appear, a comma-separated list of ports or port ranges may also be entered. Shorewall will use the Netfilter multiport match capability if it is available (see the output of "shorewall show capabilities") and if its use is appropriate. Shorewall can use multiport match if: The list contains 15 or fewer port number; and There are no port ranges listed OR your iptables/kernel support the Extended multiport match (again see the output of "shorewall show capabilities"). Where the Extended multiport match is available, each port range counts as two ports toward the maximum of 15.
Using Shell Variables You may use the /etc/shorewall/params file to set shell variables that you can then use in some of the other configuration files. It is suggested that variable names begin with an upper case letter to distinguish them from variables used internally within the Shorewall programs Example:
    /etc/shorewall/params NET_IF=eth0 NET_BCAST=130.252.100.255 NET_OPTIONS=routefilter,norfc1918     /etc/shorewall/interfaces record: net $NET_IF $NET_BCAST $NET_OPTIONS     The result will be the same as if the record had been written net eth0 130.252.100.255 routefilter,norfc1918
Variables may be used anywhere in the other configuration files. Because the /etc/shorewall/params file is simply sourced into the shell, you can place arbitrary shell code in the file and it will be executed each time that the file is read. Any code included should follow these guidelines: The code should not have side effects, especially on other shorewall configuration files. The code should be safe to execute multiple times without producing different results. Should not depend on where the code is called from (the params file is sourced by both /sbin/shorewall and /usr/lib/shorewall/firewall). Should not assume anything about the state of Shorewall. The names of any functions or variables declared should begin with an upper case letter. One possible use of this feature is to compensate for recent Linux behavior in which the identity of network interfaces varies from boot to boot (what is eth0 after one boot may be eth1 after the next). SuSE users, for example, can take the following approach: wookie:~ # lspci 0000:00:00.0 Host bridge: VIA Technologies, Inc. VT82C598 [Apollo MVP3] (rev 04) 0000:00:01.0 PCI bridge: VIA Technologies, Inc. VT82C598/694x [Apollo MVP3/Pro133x AGP] 0000:00:03.0 Ethernet controller: Intel Corporation 82557/8/9 [Ethernet Pro 100] (rev 01) 0000:00:04.0 Ethernet controller: Lite-On Communications Inc LNE100TX (rev 20) 0000:00:05.0 Ethernet controller: Digital Equipment Corporation DECchip 21142/43 (rev 41) 0000:00:14.0 ISA bridge: VIA Technologies, Inc. VT82C586/A/B PCI-to-ISA [Apollo VP] (rev 45) 0000:00:14.1 IDE interface: VIA Technologies, Inc. VT82C586A/B/VT82C686/A/B/VT823x/A/C PIPC Bus Master IDE (rev 06) 0000:00:14.2 USB Controller: VIA Technologies, Inc. VT82xxxxx UHCI USB 1.1 Controller (rev 02) 0000:00:14.3 Bridge: VIA Technologies, Inc. VT82C586B ACPI (rev 10) 0000:01:00.0 VGA compatible controller: ATI Technologies Inc 3D Rage LT Pro AGP-133 (rev dc) wookie:~ # If the firewall's external interface is the DECchip controllor at 0000:00:05.0 and the internal interface is the Ethernet Pro 100 at 0000:00:03.0, then the following entries in /etc/shorewall/params will set EXT_IF and INT_IF to the names of these two controllers respectively: EXT_IF=$(getcfg-interface bus-pci-0000:00:05.0) INT_IF=$(getcfg-interface bus-pci-0000:00:03.0) The shorewall save and shorewall restore commands should be used carefully if you use the above workaround for unstable interface names. In particular, you should set OPTIONS="" in /etc/default/shorewall or /etc/sysconfig/shorewall so that the "-f" option will not be specified on startup at boot time.
Using MAC Addresses Media Access Control (MAC) addresses can be used to specify packet source in several of the configuration files. In order to control traffic to/from a host by its MAC address, the host must be on the same network as the firewall. To use this feature, your kernel must have MAC Address Match support (CONFIG_IP_NF_MATCH_MAC) included. MAC addresses are 48 bits wide and each Ethernet Controller has a unique MAC address. In GNU/Linux, MAC addresses are usually written as a series of 6 hex numbers separated by colons. MAC Address of an Ethernet Controller      [root@gateway root]# ifconfig eth0      eth0 Link encap:Ethernet HWaddr 02:00:08:E3:FA:55      inet addr:206.124.146.176 Bcast:206.124.146.255 Mask:255.255.255.0      UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1      RX packets:2398102 errors:0 dropped:0 overruns:0 frame:0      TX packets:3044698 errors:0 dropped:0 overruns:0 carrier:0      collisions:30394 txqueuelen:100      RX bytes:419871805 (400.4 Mb) TX bytes:1659782221 (1582.8 Mb)      Interrupt:11 Base address:0x1800 Because Shorewall uses colons as a separator for address fields, Shorewall requires MAC addresses to be written in another way. In Shorewall, MAC addresses begin with a tilde (~) and consist of 6 hex numbers separated by hyphens. In Shorewall, the MAC address in the example above would be written ~02-00-08-E3-FA-55. It is not necessary to use the special Shorewall notation in the /etc/shorewall/maclist file.
Shorewall Configurations Shorewall allows you to have configuration directories other than /etc/shorewall. The shorewall check, start and restart commands allow you to specify an alternate configuration directory and Shorewall will use the files in the alternate directory rather than the corresponding files in /etc/shorewall. The alternate directory need not contain a complete configuration; those files not in the alternate directory will be read from /etc/shorewall. This facility permits you to easily create a test or temporary configuration by copying the files that need modification from /etc/shorewall to a separate directory; modify those files in the separate directory; and specifying the separate directory in a shorewall start or shorewall restart command (e.g., shorewall restart /etc/testconfig ) The try command allows you to attempt to restart using an alternate configuration and if an error occurs to automatically restart the standard configuration.