Compiled Firewall Programs
Tom
Eastep
2006-03-29
2006
Thomas M. Eastep
Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
GNU Free Documentation
License
.
Overview
Beginning with Shorewall version 3.1, Shorewall has the capability
to compile a Shorewall configuration and produce a runnable firewall
program script. The script is a complete program which can be placed in
the /etc/init.d/ directory on a system without Shorewall installed and can
serve as the firewall creation script for that system.
Compiled programs can also be created to instantiate special
configurations during parts of the day; for example, to disallow web
browsing between the hours of 9pm and 7AM. The program can be run as a
cron job at 9PM and another program run at 6AM to restore normal
operation.
Restrictions
While compiled Shorewall programs are useful in many cases, there
are some important restrictions that you should be aware of before
attempting to use them.
The detectnets interface
option is not supported.
All extension scripts used are copied into the program. The
ramifications of this are:
If you update an extension script, the compiled program
will not use the updated script.
The /etc/shorewall/params extension
script is executed at compile time as well as at run
time.
Running the script at compile time allows variable
expansion (expanding $variable to it's defined value) of
variables used in Shorewall configuration files to occur at
compile time. Running it at run-time allows your extension
scripts to use the variables that it creates. BUT -- for any
given variable, the value at compile time may be different from
the value at run-time unless you only assign constant
values.
For example, if you have:
EXT_IP=$(fiind_first_interface_address eth0)
in /etc/shorewall/params then all
occurrences of $EXT_IP in Shorewall configuration files will be
replaced with eth0's IP address when the program is being
compiled. On the other hand, if you use $EXT_IP in your
/etc/shorewall/start script, the value will be the IP address of
eth0 when the program is run.
Bottom line: You probably want to use only constant values
for variables set in
/etc/shorewall/params.
The "shorewall compile" command
A compiled script is produced using the compile
command:
shorewall compile [ -e ] [ -d <distro> ] [
<directory name> ] <path name>
where
-e
Indicates that the program is to be "exported" to another
system. When this flag is set, the "detectnets" interface is not
allowed but the created program may be run on a system that
doesn't even have Shorewall installed.
When this flag is given, Shorewall does not probe the
current system to determine the kernel/iptables features that it
supports. It rather reads those capabilities from
/etc/shorewall/capabilities. See below for
details.
-d <distro>
is normally used with "-e" and specifies the Linux
distribution that is running on the remote system. The program
will be tailored so that it integrates with the initialization
script system (init) on that system. Distributions currently
supported are:
suse
redhat
debian (Note that Debian compiled programs may not be
installed directly into /etc/init.d — they require the
soon-to-be-released Shorewall-minimal Debian package.
If -d is not specified, the
compiled program is generally not suitable for being installed in
/etc/init.d.
<directory name>
specifies a directory to be searched for configuration files
before those directories listed in the CONFIG_PATH variable in
shorewall.conf.
<path name>
specifies the name of the script to be created.
The /etc/shorewall/capabilities file and the shorecap
program
As mentioned above, the /etc/shorewall/capabilities file specifies
that kernel/iptables capabilities of the target system. Here is a sample
file:
NAT_ENABLED=Yes # NAT
MANGLE_ENABLED=Yes # Packet Mangling
CONNTRACK_MATCH=Yes # Connection Tracking Match
USEPKTTYPE= # Packet Type Match
MULTIPORT=Yes # Multi-port Match
XMULTIPORT=Yes # Extended Multi-port Match
POLICY_MATCH=Yes # Policy Match
PHYSDEV_MATCH=Yes # Physdev Match
LENGTH_MATCH=Yes # Packet Length Match
IPRANGE_MATCH=Yes # IP range Match
RECENT_MATCH=Yes # Recent Match
OWNER_MATCH=Yes # Owner match
IPSET_MATCH= # Ipset Match
CONNMARK=Yes # CONNMARK Target
CONNMARK_MATCH=Yes # Connmark Match
RAW_TABLE=Yes # Raw Table
IPP2P_MATCH= # IPP2P Match
CLASSIFY_TARGET=Yes # CLASSIFY Target
ENHANCED_REJECT=Yes # Extended REJECT
KLUDGEFREE= # iptables accepts multiple "-m iprange" or "-m physdev" in a single command
As you can see, the file contains a simple list of shell variable
assignments -- the variables correspond to the capabilities listed by the
shorewall show capabilities command appear in the same
order as the output of that command.
To aid in creating this file, Shorewall 3.1 and later include a
shorecap program. The program is installed in the
/usr/share/shorewall/ directory and may be copied to
/usr/bin on a remote system then run as follows:
[ IPTABLES=<iptables binary> ] [
MODULESDIR=<kernel modules directory> ] shorecap >
capabilities
The IPTABLES and MODULESDIR options have their usual Shorewall default
values.
The capabilities file may then be copied to a
system with Shorewall installed and used when compiling firewall programs
to run on the remote system.
Running compiled programs
Compiled firewall programs are complete programs that support the
following run-line commands:
<program> [ -q ] [ -v ] [ -n ]
start
<program> [ -q ] [ -v ] [ -n ]
stop
<program> [ -q ] [ -v ] [ -n ]
clear
<program> [ -q ] [ -v ] [ -n ]
restart
<program> [ -q ] [ -v ] [ -n ]
status
<program> [ -q ] [ -v ] [ -n ]
version
The options have their same meaning is when they are passed to
/sbin/shorewall itself. The default VERBOSITY level
is the level specified in the shorewall.conf file used when then program
was compiled.