<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
                                                                 
  <meta http-equiv="Content-Language" content="en-us">
                                                                 
  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
                                                                 
  <meta name="ProgId" content="FrontPage.Editor.Document">
                                                                 
  <meta http-equiv="Content-Type"
 content="text/html; charset=windows-1252">
  <title>Two-Interface Firewall</title>
                                                                        
                                         
  <meta name="Microsoft Theme" content="none">
</head>
  <body>
                                  
<table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" width="100%" id="AutoNumber5"
 bgcolor="#400169" height="90">
                   <tbody>
                    <tr>
                     <td width="100%">                                  
                                                                        
         
      <h1 align="center"><font color="#ffffff">Basic Two-Interface Firewall</font></h1>
                     </td>
                   </tr>
                                                                 
  </tbody>                
</table>
                                 
<p align="left">Setting up a Linux system as a firewall for a small network
        is a  fairly straight-forward task if you understand the basics and
  follow      the  documentation.</p>
                                 
<p>This guide doesn't attempt to acquaint you with all of the features of
         Shorewall. It rather focuses on what is required to configure Shorewall
       in its  most common configuration:</p>
                                 
<ul>
                   <li>Linux system used as a firewall/router for a small 
local    network.</li>
                   <li>Single public IP address.</li>
                   <li>Internet connection through cable modem, DSL, ISDN,
 Frame    Relay,    dial-up    ...</li>
                                 
</ul>
                                 
<p align="left">Here is a schematic of a typical installation.</p>
                                 
<p align="center"> <img border="0" src="images/basics.png" width="444"
 height="635">
                </p>
                                 
<p><b>If you are running Shorewall under Mandrake 9.0 or later, you can easily
     configure the above setup using the Mandrake "Internet Connection Sharing"
     applet. From the Mandrake Control Center, select "Network &amp; Internet"
     then "Connection Sharing".<br>
 </b></p>
 
<p><b>Note however, that the Shorewall configuration produced by Mandrake 
Internet Connection Sharing is strange and is apt to confuse you if you use 
the rest of this documentation (it has two local zones; "loc" and "masq" where
"loc" is empty; this conflicts with this documentation which assumes a single
local zone "loc"). We therefore recommend that once you have set up this
sharing that you uninstall the Mandrake Shorewall RPM and install the one
from the <a href="download.htm">download page</a> then follow the instructions
in this Guide.</b><br>
  </p>
                    
<p>Shorewall requires that you have the iproute/iproute2 package installed
        (on  RedHat, the package is called <i>iproute</i>)<i>. </i>You can
 tell     if  this  package is installed by the presence of an <b>ip</b>
program    on   your  firewall  system. As root, you can use the 'which'
command to   check   for this  program:</p>
                                 
<pre>     [root@gateway root]# which ip<br>     /sbin/ip<br>     [root@gateway root]#</pre>
                               
<p>I recommend that you first read through the  guide to familiarize yourself
        with what's involved then go back through it again  making your configuration
        changes. Points at which configuration changes are  recommended are
  flagged      with <img border="0" src="images/BD21298_.gif" width="13"
 height="13">
                . Configuration notes that are unique to LEAF/Bering are
marked  with�<img src="images/leaflogo.gif" alt="(LEAF Logo)" width="49"
 height="36">
   </p>
                                 
<p><img border="0" src="images/j0213519.gif" width="60" height="60">
                ���  If you edit your configuration files on a Windows system,
   you   must   save them as  Unix files if your editor supports that option
   or you   must  run them through  dos2unix before trying to use them. Similarly,
   if   you copy  a configuration file  from your Windows hard drive to a
floppy    disk, you must run dos2unix against the  copy before using it with
Shorewall.</p>
                                 
<ul>
                   <li><a href="http://www.simtel.net/pub/pd/51438.html">Windows
    Version     of    dos2unix</a></li>
                   <li><a
 href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux    Version 
of    dos2unix</a></li>
                                 
</ul>
                                 
<h2 align="left">Shorewall Concepts</h2>
                                 
<p> <img border="0" src="images/BD21298_.gif" width="13" height="13"
 alt="">
         ��� The configuration files for Shorewall are contained in the directory 
     /etc/shorewall -- for simple setups, you will only need to deal with 
a  few  of  these as described in this guide.  After you have <a
 href="Install.htm">installed Shorewall</a>,  <b>download the <a
 href="/pub/shorewall/LATEST.samples/two-interfaces.tgz">two-interface sample</a>,
        un-tar it (tar -zxvf two-interfaces.tgz) and and copy the files to
 /etc/shorewall        (these files will replace files with the same name).</b></p>
                                 
<p>As each file is introduced, I suggest that you  look through the actual
        file on your system -- each file contains detailed  configuration
instructions        and default entries.</p>
                                 
<p>Shorewall views the network where it is running as being composed of a
        set of  <i>zones.</i> In the two-interface sample configuration,
the    following     zone names are used:</p>
                                 
<table border="0" style="border-collapse: collapse;" cellpadding="3"
 cellspacing="0" id="AutoNumber2">
                   <tbody>
                    <tr>
                     <td><u><b>Name</b></u></td>
                     <td><u><b>Description</b></u></td>
                   </tr>
                   <tr>
                     <td><b>net</b></td>
                     <td><b>The Internet</b></td>
                   </tr>
                   <tr>
                     <td><b>loc</b></td>
                     <td><b>Your Local Network</b></td>
                   </tr>
                                                                   
  </tbody>                
</table>
                                 
<p>Zones are defined in the <a href="Documentation.htm#Zones"> /etc/shorewall/zones</a>
        file.</p>
                                 
<p>Shorewall also recognizes the firewall system as its own zone - by default,
         the firewall itself is known as <b>fw.</b></p>
                                 
<p>Rules about what traffic to allow and what traffic to deny are expressed
        in  terms of zones.</p>
                                 
<ul>
                   <li>You express your default policy for connections from 
 one   zone   to  another    zone in the<a
 href="Documentation.htm#Policy"> /etc/shorewall/policy           </a>file.</li>
                   <li>You define exceptions to those default policies in 
the         <a href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li>
                                 
</ul>
                                 
<p>For each connection request entering the firewall, the request is first
        checked against the  /etc/shorewall/rules file. If no rule in that
 file     matches  the connection  request then the first policy in /etc/shorewall/policy
      that  matches the    request is applied. If that policy is REJECT or
 DROP�     the request is first  checked against the rules in /etc/shorewall/common
     (the samples provide that  file for you).</p>
                                 
<p>The /etc/shorewall/policy file included with the two-interface sample
has the  following policies:</p>
                                 
<blockquote>                                                   
  <table border="1" cellpadding="2" style="border-collapse: collapse;"
 id="AutoNumber3">
                     <tbody>
                      <tr>
                       <td><u><b>Source Zone</b></u></td>
                       <td><u><b>Destination Zone</b></u></td>
                       <td><u><b>Policy</b></u></td>
                       <td><u><b>Log Level</b></u></td>
                       <td><u><b>Limit:Burst</b></u></td>
                     </tr>
                     <tr>
                       <td>loc</td>
                       <td>net</td>
                       <td>ACCEPT</td>
                       <td>�</td>
                       <td>�</td>
                     </tr>
                     <tr>
                       <td>net</td>
                       <td>all</td>
                       <td>DROP</td>
                       <td>info</td>
                       <td>�</td>
                     </tr>
                     <tr>
                       <td>all</td>
                       <td>all</td>
                       <td>REJECT</td>
                       <td>info</td>
                       <td>�</td>
                     </tr>
                                                                        
                          
    </tbody>                                                
  </table>
                 </blockquote>
                                 
<blockquote>                                                 
  <p>In the two-interface sample, the line below is included but commented
        out. If  you want your firewall system to have full access to servers
    on   the internet,  uncomment that line.</p>
                                                                 
  <table border="1" cellpadding="2" style="border-collapse: collapse;"
 id="AutoNumber3">
                     <tbody>
                      <tr>
                       <td><u><b>Source Zone</b></u></td>
                       <td><u><b>Destination Zone</b></u></td>
                       <td><u><b>Policy</b></u></td>
                       <td><u><b>Log Level</b></u></td>
                       <td><u><b>Limit:Burst</b></u></td>
                     </tr>
                     <tr>
                       <td>fw</td>
                       <td>net</td>
                       <td>ACCEPT</td>
                       <td>�</td>
                       <td>�</td>
                     </tr>
                                                                        
                          
    </tbody>                                                
  </table>
                 </blockquote>
                                 
<p>The above policy will:</p>
                                 
<ol>
                   <li>allow all connection requests from your local network
  to  the   internet</li>
                   <li>drop (ignore) all connection requests from the internet
   to  your   firewall     or local network</li>
                   <li>optionally accept all connection requests from the 
firewall     to  the     internet (if you uncomment the additional policy)</li>
                   <li>reject all other connection requests.</li>
                                 
</ol>
                                 
<p><img border="0" src="images/BD21298_.gif" width="13" height="13">
                ��� At this point, edit your /etc/shorewall/policy and make 
 any   changes     that you  wish.</p>
                                 
<h2 align="left">Network Interfaces</h2>
                                 
<p align="center"> <img border="0" src="images/basics.png" width="444"
 height="635">
                </p>
                                 
<p align="left">The firewall has two network interfaces. Where Internet  connectivity
is through a cable or DSL "Modem", the <i>External Interface</i>  will be
the ethernet adapter that is connected to that "Modem" (e.g., <b>eth0</b>)� 
        <u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint <u>P</u>rotocol
         over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint
   <u>T</u>unneling     <u>P</u>rotocol </i>(PPTP) in which case the External
   Interface will be   a ppp  interface (e.g., <b>ppp0</b>). If you connect
  via a regular modem,   your External  Interface will also be <b>ppp0</b>.
  If you connect via ISDN,   your external  interface will be <b>ippp0.</b></p>
                                 
<p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
 height="13">
                ��� If your external interface is <b>ppp0</b>  or<b> ippp0</b>� 
   then   you   will want to  set CLAMPMSS=yes in <a
 href="Documentation.htm#Conf">  /etc/shorewall/shorewall.conf.</a></p>
                                 
<p align="left">Your <i>Internal Interface</i> will be an ethernet adapter
        (eth1  or eth0) and will be connected to a hub or switch. Your other
   computers     will be  connected to the same hub/switch (note: If you
have    only a single     internal system,  you can connect the firewall
directly    to the computer   using  a <i>cross-over </i> cable).</p>
                                 
<p align="left"><u><b> <img border="0" src="images/j0213519.gif"
 width="60" height="60">
                </b></u>Do not connect the internal and external interface
  to  the   same   hub or switch (even for testing). It won't work the way 
 that  you think  that   it will and you will end up confused and  believing 
 that  Shorewall   doesn't   work at all.</p>
                                 
<p align="left"><img border="0" src="images/BD21298_.gif" align="left"
 width="13" height="13">
                ��� The Shorewall two-interface sample configuration assumes
  that    the   external  interface is <b>eth0</b> and the internal interface
  is <b>eth1</b>.     If your  configuration is different, you will have
to   modify the sample    <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a> 
  file    accordingly.  While you are there, you may wish to  review the list
  of options   that are  specified for the interfaces. Some hints:</p>
                                 
<ul>
                   <li>                                                 
                                 
    <p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b>,
        you can replace the    "detect" in the second column with "-".  
    </p>
                  </li>
                  <li>                                                  
                                
    <p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b>
        or if you have a static IP    address, you can remove "dhcp" from
the    option    list. </p>
                  </li>
                               
</ul>
                                 
<h2 align="left">IP Addresses</h2>
                                 
<p align="left">Before going further, we should say a few words about Internet
         Protocol (IP) <i>addresses</i>. Normally, your ISP will assign you
  a  single    <i> Public</i> IP address. This address may be assigned via
 the<i>  Dynamic    Host  Configuration Protocol</i> (DHCP) or as part of
establishing  your  connection   when you dial in (standard modem) or establish
your PPP  connection.  In rare   cases, your ISP may assign you a<i> static</i>
IP address; that  means that  you  configure your firewall's external interface
   to use that  address permanently.<i>  </i>However your external address
 is  assigned, it  will be shared by all of your systems when you access
the   Internet. You will have to assign your  own addresses in your  internal
network (the Internal  Interface on your firewall  plus your other  computers).
RFC 1918 reserves  several <i>Private </i>IP address ranges for this  purpose:</p>
                                 
<div align="left">                   
<pre>     10.0.0.0    - 10.255.255.255<br>     172.16.0.0  - 172.31.255.255<br>     192.168.0.0 - 192.168.255.255</pre>
                 </div>
                                 
<div align="left">                   
<p align="left"><img border="0" src="images/BD21298_.gif" width="13"
 height="13">
                ���    Before starting Shorewall, you should look at the
IP  address     of  your  external    interface and if it is one of the above 
 ranges, you    should  remove  the    'norfc1918' option from the external 
 interface's   entry  in    /etc/shorewall/interfaces.</p>
                </div>
                                 
<div align="left">                   
<p align="left">You will want to assign your addresses from the same <i> 
 sub-network </i>(<i>subnet)</i>.� For our purposes, we can consider a subnet
           to consists of a range of addresses x.y.z.0 - x.y.z.255. Such
a  subnet       will    have a <i>Subnet Mask </i>of 255.255.255.0. The address
 x.y.z.0     is  reserved as    the <i>Subnet Address</i> and x.y.z.255 is
 reserved  as   the  <i>Subnet Broadcast</i>   <i>Address</i>. In Shorewall,
 a subnet  is  described  using�<a
 href="shorewall_setup_guide.htm#Subnets"><i>Classless  InterDomain Routing
  </i>(CIDR)  notation</a> with consists of the subnet  address followed
   by "/24". The  "24" refers to the number of    consecutive  leading "1"
bits from the left  of the subnet mask. </p>
                </div>
                                 
<div align="left">                   
<p align="left">Example sub-network:</p>
                </div>
                                 
<div align="left">                   
<blockquote>                                                     
  <table border="1" style="border-collapse: collapse;" id="AutoNumber1"
 cellpadding="2">
                       <tbody>
                      <tr>
                         <td><b>Range:</b></td>
                         <td>10.10.10.0 - 10.10.10.255</td>
                       </tr>
                       <tr>
                         <td><b>Subnet Address:</b></td>
                         <td>10.10.10.0</td>
                       </tr>
                       <tr>
                         <td><b>Broadcast Address:</b></td>
                         <td>10.10.10.255</td>
                       </tr>
                       <tr>
                         <td><b>CIDR�Notation:</b></td>
                         <td>10.10.10.0/24</td>
                       </tr>
                                                                        
                            
    </tbody>                                                
  </table>
                   </blockquote>
                 </div>
                                 
<div align="left">                   
<p align="left">It is conventional to assign the internal interface either
        the    first usable address in the subnet (10.10.10.1 in the above
 example)       or the    last usable address (10.10.10.254).</p>
                </div>
                                 
<div align="left">                   
<p align="left">One of the purposes of subnetting is to allow all computers
        in the    subnet to understand which other computers can be communicated
       with directly.    To communicate with systems outside of the subnetwork,
      systems send packets    through a<i>� gateway</i>� (router).</p>
                </div>
                                 
<div align="left">                   
<p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
 height="13">
                ��� Your local computers (computer    1 and computer 2 in 
the   above    diagram)   should be configured with their<i>    default gateway</i> 
  to  be  the IP address   of the firewall's internal    interface.<i>����� 
  </i>  </p>
                </div>
                                 
<p align="left">The foregoing short discussion barely scratches the surface
         regarding subnetting and routing. If you are interested in learning
   more     about  IP addressing and routing, I highly recommend <i>"IP Fundamentals:
        What Everyone  Needs to Know about Addressing &amp; Routing",</i>
Thomas       A. Maufer, Prentice-Hall,  1999, ISBN 0-13-975483-0.</p>
                                 
<p align="left">The remainder of this quide will assume that you have configured
         your network as shown here:</p>
                                 
<p align="center"> <img border="0" src="images/basics1.png" width="444"
 height="635">
                </p>
                                 
<p align="left">The default gateway for computer's 1 &amp; 2 would be 10.10.10.254.<br>
     </p>
         
<p align="left"><img border="0" src="images/BD21298_.gif" width="13"
 height="13" alt="">
    ��� <font color="#ff0000"><b>WARNING: </b></font><b>Your ISP might assign
  your external interface an RFC 1918 address. If that address is in the
10.10.10.0/24   subnet then you will need to select a DIFFERENT RFC 1918
subnet for your  local network.</b><br>
     </p>
                                 
<h2 align="left">IP Masquerading (SNAT)</h2>
                                 
<p align="left">The addresses reserved by RFC 1918 are sometimes referred
        to as <i>non-routable</i> because the Internet backbone routers don't
    forward    packets  which have an RFC-1918 destination address. When
one    of your local    systems  (let's assume computer 1) sends a connection
request    to an internet    host, the  firewall must perform <i>Network
Address Translation     </i>(NAT).    The firewall  rewrites the source address
in the packet to   be the address    of the firewall's  external interface;
in other words,   the firewall makes    it look as if the firewall  itself
is initiating the   connection.� This is   necessary so that the  destination
 host will be able   to route return packets   back to the firewall  (remember
 that packets whose   destination address is   reserved by RFC 1918 can't
 be routed across the   internet so the remote host  can't address its response
 to  computer 1).  When the firewall receives a return packet, it  rewrites
 the destination address  back to 10.10.10.1  and  forwards the packet on
to computer 1. </p>
                                 
<p align="left">On Linux systems, the above process is often referred to
as<i>  IP Masquerading</i> but you will also see the term <i>Source Network
Address  Translation </i>(SNAT) used. Shorewall follows the convention used
with  Netfilter:</p>
                                 
<ul>
                   <li>                                                 
                                 
    <p align="left"><i>Masquerade</i> describes the case where you let your
           firewall system automatically detect the external interface address.
            </p>
                  </li>
                  <li>                                                  
                                
    <p align="left"><i>SNAT</i> refers to the case when you explicitly specify
        the    source address that you want outbound packets from your local
   network     to use.    </p>
                  </li>
                               
</ul>
                                 
<p align="left">In Shorewall, both Masquerading and SNAT are configured with
         entries in the /etc/shorewall/masq file. You will normally use Masquerading
        if  your external IP is dynamic and SNAT if the IP is static.</p>
                                 
<p align="left"><img border="0" src="images/BD21298_.gif" width="13"
 height="13">
                ��� If your external firewall interface is <b>eth0</b>, you 
 do  not    need   to modify the file provided with the sample. Otherwise, 
 edit   /etc/shorewall/masq      and change the first column to the name of
 your  external  interface and    the  second column to the name of your internal
  interface.</p>
                                 
<p align="left"><img border="0" src="images/BD21298_.gif" width="13"
 height="13">
                ��� If your external IP is  static, you can enter it in the 
 third    column    in the /etc/shorewall/masq entry if  you like although 
 your firewall    will    work fine if you leave that column empty.  Entering 
 your static  IP  in column    3 makes processing outgoing packets a little 
  more efficient.<br>
        <br>
        <img border="0" src="images/BD21298_.gif" width="13" height="13"
 alt="">
        ��� If you are using the Debian package, please check your shorewall.conf
    file to ensure that the following are set correctly; if they are not,
change    them appropriately:<br>
        </p>
               
<ul>
          <li>NAT_ENABLED=Yes</li>
          <li>IP_FORWARDING=On<br>
          </li>
               
</ul>
                                 
<h2 align="left">Port Forwarding (DNAT)</h2>
                                 
<p align="left">One of your goals may be to run one or more servers on your
         local computers. Because these computers have RFC-1918 addresses,
 it   is   not  possible for clients on the internet to connect directly
to  them.   It   is rather  necessary for those clients to address their
connection   requests     to the firewall  who rewrites the destination address
to the   address of   your   server and forwards  the packet to that server.
When  your server responds,     the firewall automatically  performs SNAT
to rewrite   the source address   in  the response.</p>
                                 
<p align="left">The above process is called<i> Port Forwarding</i> or <i> 
        Destination Network Address Translation</i> (DNAT). You configure 
port      forwarding using DNAT rules in the /etc/shorewall/rules file.</p>
                                 
<p>The general  form of a simple port forwarding rule in  /etc/shorewall/rules
        is:</p>
                                 
<blockquote>                                                   
  <table border="1" cellpadding="2" style="border-collapse: collapse;"
 id="AutoNumber4">
                     <tbody>
                      <tr>
                       <td><u><b>ACTION</b></u></td>
                       <td><u><b>SOURCE</b></u></td>
                       <td><u><b>DESTINATION</b></u></td>
                       <td><u><b>PROTOCOL</b></u></td>
                       <td><u><b>PORT</b></u></td>
                       <td><u><b>SOURCE PORT</b></u></td>
                       <td><u><b>ORIGINAL ADDRESS</b></u></td>
                     </tr>
                     <tr>
                       <td>DNAT</td>
                       <td>net</td>
                       <td>loc:<i>&lt;server local ip address&gt; </i>[:<i>&lt;server 
      port&gt;</i>]</td>
                       <td><i>&lt;protocol&gt;</i></td>
                       <td><i>&lt;port&gt;</i></td>
                       <td>�</td>
                       <td>�</td>
                     </tr>
                                                                        
                          
    </tbody>                                                
  </table>
                 </blockquote>
                                 
<p>Example - you run a Web Server on computer 2 and you want to forward incoming
         TCP port 80 to that system:</p>
                                 
<blockquote>                                                   
  <table border="1" cellpadding="2" style="border-collapse: collapse;"
 id="AutoNumber4">
                     <tbody>
                      <tr>
                       <td><u><b>ACTION</b></u></td>
                       <td><u><b>SOURCE</b></u></td>
                       <td><u><b>DESTINATION</b></u></td>
                       <td><u><b>PROTOCOL</b></u></td>
                       <td><u><b>PORT</b></u></td>
                       <td><u><b>SOURCE PORT</b></u></td>
                       <td><u><b>ORIGINAL ADDRESS</b></u></td>
                     </tr>
                     <tr>
                       <td>DNAT</td>
                       <td>net</td>
                       <td>loc:10.10.10.2</td>
                       <td>tcp</td>
                       <td>80</td>
                       <td>�</td>
                       <td>�</td>
                     </tr>
                                                                        
                          
    </tbody>                                                
  </table>
                 </blockquote>
                                 
<p>A couple of important points  to keep in mind:</p>
                                 
<ul>
                   <li>You must test the above rule from a client outside 
of  your   local    network    (i.e., don't test from a browser running on 
computers     1 or 2  or  on the    firewall). If you want to be able to access
your  web   server  using  the IP    address of your external interface, see
    <a href="FAQ.htm#faq2">Shorewall  FAQ    #2</a>.</li>
                   <li>Many ISPs block incoming connection requests to port 
 80.   If  you   have     problems connecting to your web server, try the 
following   rule and  try     connecting to port 5000.</li>
                                 
</ul>
                                 
<blockquote>                                                   
  <table border="1" cellpadding="2" style="border-collapse: collapse;"
 id="AutoNumber4">
                     <tbody>
                      <tr>
                       <td><u><b>ACTION</b></u></td>
                       <td><u><b>SOURCE</b></u></td>
                       <td><u><b>DESTINATION</b></u></td>
                       <td><u><b>PROTOCOL</b></u></td>
                       <td><u><b>PORT</b></u></td>
                       <td><u><b>SOURCE PORT</b></u></td>
                       <td><u><b>ORIGINAL ADDRESS</b></u></td>
                     </tr>
                     <tr>
                       <td>DNAT</td>
                       <td>net</td>
                       <td>loc:10.10.10.2:80</td>
                       <td>tcp</td>
                       <td>5000</td>
                       <td>�</td>
                       <td>�</td>
                     </tr>
                                                                        
                          
    </tbody>                                                
  </table>
                 </blockquote>
                                 
<p> <img border="0" src="images/BD21298_.gif" width="13" height="13">
                ��� At this point, modify  /etc/shorewall/rules to add any
 DNAT   rules    that  you require.</p>
                                 
<h2 align="left">Domain Name Server (DNS)</h2>
                                 
<p align="left">Normally, when you connect to your ISP, as part of getting
        an IP  address your firewall's <i>Domain Name Service </i>(DNS) resolver
       will be  automatically configured (e.g., the /etc/resolv.conf file
will     be  written).  Alternatively, your ISP may have given you the IP
address    of a  pair of DNS <i> name servers</i> for you to manually configure
as  your    primary  and secondary  name servers. Regardless of how DNS gets
 configured    on your  firewall, it is <u>your</u> responsibility to configure
 the resolver    in your   internal systems. You can take one of two approaches:</p>
                                 
<ul>
                   <li>                                                 
                                 
    <p align="left">You can configure your internal systems to use your ISP's
        name    servers. If you ISP gave you the addresses of their servers
  or   if   those    addresses are available on their web site, you can configure
     your   internal    systems to use those addresses. If that information
  isn't   available,   look in    /etc/resolv.conf on your firewall system
 -- the name  servers are  given in    "nameserver" records in that file.
  </p>
                  </li>
                  <li>                                                  
                                
    <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
 height="13">
                ��� You can configure a<i> Caching Name Server </i>on your
    firewall.<i>          </i>Red Hat has an RPM for a caching name server 
 (the  RPM also    requires    the 'bind' RPM) and for Bering users, there 
 is dnscache.lrp.  If you    take   this approach, you configure your internal 
 systems to use  the firewall    itself as their primary (and only) name server.
 You use the  internal IP     address of the firewall (10.10.10.254 in the
 example above)  for the name       server address. To allow your local systems
 to talk to  your caching name      server, you must open port 53 (both UDP
 and TCP) from  the local network   to the    firewall; you do that by adding
 the following  rules in /etc/shorewall/rules.       </p>
                  </li>
                               
</ul>
                                 
<blockquote>                                                   
  <table border="1" cellpadding="2" style="border-collapse: collapse;"
 id="AutoNumber4">
                     <tbody>
                      <tr>
                       <td><u><b>ACTION</b></u></td>
                       <td><u><b>SOURCE</b></u></td>
                       <td><u><b>DESTINATION</b></u></td>
                       <td><u><b>PROTOCOL</b></u></td>
                       <td><u><b>PORT</b></u></td>
                       <td><u><b>SOURCE PORT</b></u></td>
                       <td><u><b>ORIGINAL ADDRESS</b></u></td>
                     </tr>
                     <tr>
                       <td>ACCEPT</td>
                       <td>loc</td>
                       <td>fw</td>
                       <td>tcp</td>
                       <td>53</td>
                       <td>�</td>
                       <td>�</td>
                     </tr>
                     <tr>
                       <td>ACCEPT</td>
                       <td>loc</td>
                       <td>fw</td>
                       <td>udp</td>
                       <td>53</td>
                       <td>�</td>
                       <td>�</td>
                     </tr>
                                                                        
                          
    </tbody>                                                
  </table>
                 </blockquote>
                                 
<div align="left">                   
<h2 align="left">Other Connections</h2>
                 </div>
                                 
<div align="left">                   
<p align="left">The two-interface sample includes the following rules:</p>
                </div>
                                 
<div align="left">                   
<blockquote>                                                     
  <table border="1" cellpadding="2" style="border-collapse: collapse;"
 id="AutoNumber4">
                       <tbody>
                      <tr>
                         <td><u><b>ACTION</b></u></td>
                         <td><u><b>SOURCE</b></u></td>
                         <td><u><b>DESTINATION</b></u></td>
                         <td><u><b>PROTOCOL</b></u></td>
                         <td><u><b>PORT</b></u></td>
                         <td><u><b>SOURCE PORT</b></u></td>
                         <td><u><b>ORIGINAL ADDRESS</b></u></td>
                       </tr>
                       <tr>
                         <td>ACCEPT</td>
                         <td>fw</td>
                         <td>net</td>
                         <td>tcp</td>
                         <td>53</td>
                         <td>�</td>
                         <td>�</td>
                       </tr>
                       <tr>
                         <td>ACCEPT</td>
                         <td>fw</td>
                         <td>net</td>
                         <td>udp</td>
                         <td>53</td>
                         <td>�</td>
                         <td>�</td>
                       </tr>
                                                                        
                            
    </tbody>                                                
  </table>
                   </blockquote>
                 </div>
                                 
<div align="left">                   
<p align="left">Those rules allow DNS access from your firewall and may be
           removed if you uncommented the line in /etc/shorewall/policy allowing
        all    connections from the firewall to the internet.</p>
                </div>
                                 
<div align="left">                   
<p align="left">The sample also includes:</p>
                </div>
                                 
<div align="left">                   
<blockquote>                                                     
  <table border="1" cellpadding="2" style="border-collapse: collapse;"
 id="AutoNumber4">
                       <tbody>
                      <tr>
                         <td><u><b>ACTION</b></u></td>
                         <td><u><b>SOURCE</b></u></td>
                         <td><u><b>DESTINATION</b></u></td>
                         <td><u><b>PROTOCOL</b></u></td>
                         <td><u><b>PORT</b></u></td>
                         <td><u><b>SOURCE PORT</b></u></td>
                         <td><u><b>ORIGINAL ADDRESS</b></u></td>
                       </tr>
                       <tr>
                         <td>ACCEPT</td>
                         <td>loc</td>
                         <td>fw</td>
                         <td>tcp</td>
                         <td>22</td>
                         <td>�</td>
                         <td>�</td>
                       </tr>
                                                                        
                            
    </tbody>                                                
  </table>
                   </blockquote>
                 </div>
                                 
<div align="left">                   
<p align="left">That rule allows you to run an SSH server on your firewall
        and    connect to that server from your local systems.</p>
                </div>
                                 
<div align="left">                   
<p align="left">If you wish to enable other connections between your firewall
           and other systems, the general format is:</p>
                </div>
                                 
<div align="left">                   
<blockquote>                                                     
  <table border="1" cellpadding="2" style="border-collapse: collapse;"
 id="AutoNumber4">
                       <tbody>
                      <tr>
                         <td><u><b>ACTION</b></u></td>
                         <td><u><b>SOURCE</b></u></td>
                         <td><u><b>DESTINATION</b></u></td>
                         <td><u><b>PROTOCOL</b></u></td>
                         <td><u><b>PORT</b></u></td>
                         <td><u><b>SOURCE PORT</b></u></td>
                         <td><u><b>ORIGINAL ADDRESS</b></u></td>
                       </tr>
                       <tr>
                         <td>ACCEPT</td>
                         <td><i>&lt;source zone&gt;</i></td>
                         <td><i>&lt;destination zone&gt;</i></td>
                         <td><i>&lt;protocol&gt;</i></td>
                         <td><i>&lt;port&gt;</i></td>
                         <td>�</td>
                         <td>�</td>
                       </tr>
                                                                        
                            
    </tbody>                                                
  </table>
                   </blockquote>
                 </div>
                                 
<div align="left">                   
<p align="left">Example - You want to run a Web Server on your firewall  
 system:</p>
                </div>
                                 
<div align="left">                   
<blockquote>                                                     
  <table border="1" cellpadding="2" style="border-collapse: collapse;"
 id="AutoNumber4">
                       <tbody>
                      <tr>
                         <td><u><b>ACTION</b></u></td>
                         <td><u><b>SOURCE</b></u></td>
                         <td><u><b>DESTINATION</b></u></td>
                         <td><u><b>PROTOCOL</b></u></td>
                         <td><u><b>PORT</b></u></td>
                         <td><u><b>SOURCE PORT</b></u></td>
                         <td><u><b>ORIGINAL ADDRESS</b></u></td>
                       </tr>
                       <tr>
                         <td>ACCEPT</td>
                         <td>net</td>
                         <td>fw</td>
                         <td>tcp</td>
                         <td>80</td>
                         <td>#Allow web access</td>
                         <td>from the internet</td>
                       </tr>
                       <tr>
                         <td>ACCEPT</td>
                         <td>loc</td>
                         <td>fw</td>
                         <td>tcp</td>
                         <td>80</td>
                         <td>#Allow web access</td>
                         <td>from the local network</td>
                       </tr>
                                                                        
                            
    </tbody>                                                
  </table>
                   </blockquote>
                 </div>
                                 
<div align="left">                   
<p align="left">Those two rules would of course be in addition to the rules
           listed above under "You can configure a Caching Name Server on
your     firewall"</p>
                </div>
                                 
<div align="left">                   
<p align="left">If you don't know what port and protocol a particular   
application uses, look <a href="ports.htm">here</a>.</p>
                </div>
                                 
<div align="left">                   
<p align="left"><b>Important: </b>I don't recommend enabling telnet to/from
           the internet because it uses clear text (even for login!). If
you    want     shell    access to your firewall from the internet, use SSH:</p>
                </div>
                                 
<div align="left">                   
<blockquote>                                                     
  <table border="1" cellpadding="2" style="border-collapse: collapse;"
 id="AutoNumber4">
                       <tbody>
                      <tr>
                         <td><u><b>ACTION</b></u></td>
                         <td><u><b>SOURCE</b></u></td>
                         <td><u><b>DESTINATION</b></u></td>
                         <td><u><b>PROTOCOL</b></u></td>
                         <td><u><b>PORT</b></u></td>
                         <td><u><b>SOURCE PORT</b></u></td>
                         <td><u><b>ORIGINAL ADDRESS</b></u></td>
                       </tr>
                       <tr>
                         <td>ACCEPT</td>
                         <td>net</td>
                         <td>fw</td>
                         <td>tcp</td>
                         <td>22</td>
                         <td>�</td>
                         <td>�</td>
                       </tr>
                                                                        
                            
    </tbody>                                                
  </table>
                   </blockquote>
                 </div>
                                 
<div align="left">                   
<p align="left"><img src="images/leaflogo.gif" alt="(LEAF Logo)"
 width="49" height="36">
   ��� Bering users will want to add the following two rules to be compatible 
 with Jacques's Shorewall configuration.</p>
     
<div align="left">                   
<blockquote>                                                     
  <table border="1" cellpadding="2" style="border-collapse: collapse;"
 id="AutoNumber4">
                       <tbody>
                      <tr>
                         <td><u><b>ACTION</b></u></td>
                         <td><u><b>SOURCE</b></u></td>
                         <td><u><b>DESTINATION</b></u></td>
                         <td><u><b>PROTOCOL</b></u></td>
                         <td><u><b>PORT</b></u></td>
                         <td><u><b>SOURCE PORT</b></u></td>
                         <td><u><b>ORIGINAL ADDRESS</b></u></td>
                       </tr>
                       <tr>
                         <td>ACCEPT</td>
                         <td>loc<br>
           </td>
                         <td>fw</td>
                         <td>udp<br>
           </td>
                         <td>53<br>
           </td>
                         <td>#Allow DNS Cache to</td>
                         <td>work<br>
           </td>
                       </tr>
                       <tr>
                         <td>ACCEPT</td>
                         <td>loc</td>
                         <td>fw</td>
                         <td>tcp</td>
                         <td>80</td>
                         <td>#Allow weblet to work</td>
                         <td><br>
           </td>
                       </tr>
                                                                        
                            
    </tbody>                                                
  </table>
                   </blockquote>
                 </div>
     
<p align="left"><br>
   <img border="0" src="images/BD21298_.gif" width="13" height="13">
                ��� Now edit your    /etc/shorewall/rules file to add or
delete    other    connections  as required.</p>
                </div>
                                 
<div align="left">                   
<h2 align="left">Starting and Stopping Your Firewall</h2>
                 </div>
                                 
<div align="left">                   
<p align="left">          <img border="0" src="images/BD21298_2.gif"
 width="13" height="13" alt="Arrow">
               ��� The <a href="Install.htm">installation procedure </a>
  configures       your system to start Shorewall at system boot� but beginning
 with Shorewall      version 1.3.9 startup is disabled so that your system
 won't try to start     Shorewall before configuration is complete. Once
you  have completed configuration     of your firewall, you can enable Shorewall
 startup by removing the file   /etc/shorewall/startup_disabled.<br>
                </p>
                           
<p align="left"><font color="#ff0000"><b>IMPORTANT</b>: </font><font
 color="#ff0000">Users of the .deb package must edit /etc/default/shorewall 
      and set 'startup=1'.</font><br>
               </p>
                 </div>
                                 
<div align="left">                   
<p align="left">The firewall is started using the "shorewall start" command
           and stopped using "shorewall stop". When the firewall is stopped,
   routing     is    enabled on those hosts that have an entry in   <a
 href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. A
           running firewall may be restarted using the "shorewall restart"
 command.       If    you want to totally remove any trace of Shorewall from
 your Netfilter          configuration, use "shorewall clear".</p>
                </div>
                                 
<div align="left">                   
<p align="left"><img border="0" src="images/BD21298_.gif" width="13"
 height="13">
                ��� The two-interface sample assumes that you want to enable
     routing     to/from <b>eth1 </b>(the local network) when Shorewall is
 stopped.  If    your local network isn't connected to <b>eth1</b> or if
you  wish to  enable       access to/from other hosts, change /etc/shorewall/routestopped 
   accordingly.</p>
                </div>
                                 
<div align="left">                   
<p align="left"><b>WARNING: </b>If you are connected to your firewall from
        the    internet, do not issue a "shorewall stop" command unless you
  have     added an    entry for the IP address that you are connected from
  to   <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
      Also, I don't recommend using "shorewall restart"; it is better to
create         an   <i><a href="configuration_file_basics.htm#Configs">alternate
configuration</a></i>        and    test it using the <a
 href="starting_and_stopping_shorewall.htm">"shorewall   try" command</a>.</p>
                </div>
                                 
<p align="left"><font size="2">Last updated 2/21/2003 - <a
 href="support.htm">Tom Eastep</a></font></p>
                                  
<p align="left"><a href="copyright.htm"><font size="2">Copyright  2002, 2003 
  Thomas      M. Eastep</font></a><br>
  </p>
  <br>
 <br>
</body>
</html>