<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<article id="usefull_links">
  <!--$Id$-->

  <articleinfo>
    <title>Introduction</title>

    <author>
      <firstname>Tom</firstname>

      <surname>Eastep</surname>
    </author>

    <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>

    <copyright>
      <year>2003-2006</year>

      <holder>Thomas M. Eastep</holder>
    </copyright>

    <legalnotice>
      <para>Permission is granted to copy, distribute and/or modify this
      document under the terms of the GNU Free Documentation License, Version
      1.2 or any later version published by the Free Software Foundation; with
      no Invariant Sections, with no Front-Cover, and with no Back-Cover
      Texts. A copy of the license is included in the section entitled
      <quote><ulink type="" url="Copyright.htm">GNU Free Documentation
      License</ulink></quote>.</para>
    </legalnotice>
  </articleinfo>

  <section>
    <title>Introduction</title>

    <para>The information in this document applies only to 3.x releases of
    Shorewall.</para>

    <section>
      <title>Glossary</title>

      <itemizedlist>
        <listitem>
          <para><ulink url="http://www.netfilter.org">Netfilter</ulink> - the
          packet filter facility built into the 2.4 and later Linux
          kernels.</para>
        </listitem>

        <listitem>
          <para>ipchains - the packet filter facility built into the 2.2 Linux
          kernels. Also the name of the utility program used to configure and
          control that facility. Netfilter can be used in ipchains
          compatibility mode.</para>
        </listitem>

        <listitem>
          <para>iptables - the utility program used to configure and control
          Netfilter. The term <quote>iptables</quote> is often used to refer
          to the combination of iptables+Netfilter (with Netfilter not in
          ipchains compatibility mode).</para>
        </listitem>
      </itemizedlist>
    </section>

    <section>
      <title>What is Shorewall?</title>

      <para>The Shoreline Firewall, more commonly known as
      <quote>Shorewall</quote>, is high-level tool for configuring Netfilter.
      You describe your firewall/gateway requirements using entries in a set
      of configuration files. Shorewall reads those configuration files and
      with the help of the iptables utility, Shorewall configures Netfilter to
      match your requirements. Shorewall can be used on a dedicated firewall
      system, a multi-function gateway/router/server or on a standalone
      GNU/Linux system. Shorewall does not use Netfilter's ipchains
      compatibility mode and can thus take advantage of Netfilter's connection
      state tracking capabilities.</para>

      <para>Shorewall is not a daemon. Once Shorewall has configured
      Netfilter, its job is complete and there is no <quote>Shorewall
      process</quote> left running in your system. The <ulink
      url="starting_and_stopping_shorewall.htm">/sbin/shorewall program can be
      used at any time to monitor the Netfilter firewall</ulink>.</para>

      <para>Shorewall is not the easiest to use of the available iptables
      configuration tools but I believe that it is the most flexible and
      powerful. So if you are looking for a simple point-and-click
      set-and-forget Linux firewall solution that requires a minimum of
      networking knowledge, I would encourage you to check out the following
      alternatives:</para>

      <itemizedlist>
        <listitem>
          <para><ulink
          url="http://www.m0n0.ch/wall/">http://www.m0n0.ch/wall/</ulink></para>
        </listitem>

        <listitem>
          <para><ulink
          url="http://www.fs-security.com/">http://www.fs-security.com/</ulink></para>
        </listitem>
      </itemizedlist>

      <para>If you are looking for a Linux firewall solution that can handle
      complex and fast changing network environments then Shorewall is a
      logical choice.</para>
    </section>
  </section>

  <section>
    <title>Shorewall Concepts</title>

    <para>The configuration files for Shorewall are contained in the directory
    <filename class="directory">/etc/shorewall</filename> -- for simple
    setups, you will only need to deal with a few of them.</para>

    <para>Shorewall views the network where it is running as being composed of
    a set of <firstterm>zones</firstterm>. In the <ulink
    url="three-interface.htm">three-interface sample configuration</ulink> for
    example, the following zone names are used:</para>

    <programlisting>#NAME                  DESCRIPTION
fw                     The firewall itself
net                    The Internet
loc                    Your Local Network
dmz                    Demilitarized Zone</programlisting>

    <para>Zones are declared and given a type in the <ulink
    url="Documentation.htm#Zones"><filename
    class="directory">/etc/shorewall/</filename><filename>zones</filename></ulink>
    file.Here is the <ulink url="Documentation.htm#Zones"><filename
    class="directory">/etc/shorewall/</filename><filename>zones</filename></ulink>
    file from the three-interface sample:</para>

    <programlisting>#ZONE   TYPE    OPTIONS                 IN                      OUT
#                                       OPTIONS                 OPTIONS
fw      firewall
net     ipv4
loc     ipv4
dmz     ipv4
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>

    <para>Note that Shorewall recognizes the firewall system as its own zone.
    The name of the zone designating the firewall itself (usually 'fw' as
    shown in the above file) is stored in the shell variable
    $<firstterm>FW</firstterm> which may be used throughout the Shorewall
    configuration to refer to the firewall zone.</para>

    <para>The simplest way to define the hosts in a zone is to associate the
    zone with a network interface using the <ulink
    url="Documentation.htm#Interfaces"><filename>/etc/shorewall/interfaces</filename></ulink>
    file. In the three-interface sample, the three zones are defined using
    that file as follows:</para>

    <programlisting>#ZONE      INTERFACE     BROADCAST     OPTIONS
net        eth0          detect        dhcp,routefilter,norfc1918
loc        eth1          detect
dmz        eth2          detect</programlisting>

    <para>The above file defines the net zone as all IPv4 hosts interfacing to
    the firewall through eth0, the loc zone as all IPv4 hosts interfacing
    through eth1 and the dmz as all IPv4 hosts interfacing through eth2. It is
    important to note that the composition of a zone is defined in terms of a
    combination of addresses <emphasis role="bold">and</emphasis> interfaces.
    When using the <ulink
    url="Documentation.htm#Interfaces"><filename>/etc/shorewall/interfaces</filename></ulink>
    file to define a zone, all addresses are included; when you want to define
    a zone that contains a limited subset of the IPv4 address space, you use
    the <ulink
    url="Documentation.htm#Hosts"><filename>/etc/shorewall/hosts</filename></ulink>
    file.</para>

    <para>Rules about what traffic to allow and what traffic to deny are
    expressed in terms of zones. <itemizedlist spacing="compact">
        <listitem>
          <para>You express your default policy for connections from one zone
          to another zone in the <ulink
          url="Documentation.htm#Policy"><filename
          class="directory">/etc/shorewall/</filename><filename>policy</filename></ulink>
          file. The basic choices for policy are:</para>

          <itemizedlist>
            <listitem>
              <para>ACCEPT - Accept the connection.</para>
            </listitem>

            <listitem>
              <para>DROP - Ignore the connection request.</para>
            </listitem>

            <listitem>
              <para>REJECT - Return an appropriate error to the connection
              request.</para>
            </listitem>
          </itemizedlist>

          <para>Connection request logging may be specified as part of a
          policy and it is conventional to log DROP and REJECT
          policies.</para>
        </listitem>

        <listitem>
          <para>You define exceptions to these default policies in the <ulink
          url="Documentation.htm#Rules"><filename
          class="directory">/etc/shorewall/</filename><filename>rules</filename></ulink>
          file.</para>
        </listitem>

        <listitem>
          <para>You only need concern yourself with connection requests. You
          don't need to define rules for how traffic that is part of an
          established connection is handled and in most cases you don't have
          to worry about how related connections are handled (ICMP error
          packets and <ulink url="FTP.html">related TCP connection requests
          such as used by FTP</ulink>).</para>
        </listitem>
      </itemizedlist>For each connection request entering the firewall, the
    request is first checked against the <filename
    class="directory">/etc/shorewall/</filename><filename>rules</filename>
    file. If no rule in that file matches the connection request then the
    first policy in <filename
    class="directory">/etc/shorewall/</filename><filename>policy</filename>
    that matches the request is applied. If there is a default action defined
    for the policy in /etc/shorewall/actions (or
    <filename>/usr/share/shorewall/actions.std</filename>) then that action is
    invoked before the policy is enforced. In the standard Shorewall
    distribution, the DROP policy has a default action called <emphasis
    role="bold">Drop</emphasis> and the REJECT policy has a default action
    called <emphasis role="bold">Reject</emphasis>. Default actions are used
    primarily to discard packets silently so that they don't clutter up your
    log.</para>

    <para>The <filename
    class="directory">/etc/shorewall/</filename><filename>policy</filename>
    file included with the three-interface sample has the following policies:
    <programlisting>#SOURCE    DEST        POLICY      LOG LEVEL    LIMIT:BURST
loc        net         ACCEPT
net        all         DROP        info
all        all         REJECT      info</programlisting>In the three-interface
    sample, the line below is included but commented out. If you want your
    firewall system to have full access to servers on the internet, uncomment
    that line. <programlisting>#SOURCE    DEST        POLICY      LOG LEVEL    LIMIT:BURST
$FW        net         ACCEPT</programlisting> The above policy will:
    <itemizedlist>
        <listitem>
          <para>Allow all connection requests from your local network to the
          internet</para>
        </listitem>

        <listitem>
          <para>Drop (ignore) all connection requests from the internet to
          your firewall or local network; these ignored connection requests
          will be logged using the <emphasis>info</emphasis> syslog priority
          (log level).</para>
        </listitem>

        <listitem>
          <para>Optionally accept all connection requests from the firewall to
          the internet (if you uncomment the additional policy)</para>
        </listitem>

        <listitem>
          <para>reject all other connection requests; these rejected
          connection requests will be logged using the
          <emphasis>info</emphasis> syslog priority (log level).</para>
        </listitem>
      </itemizedlist></para>

    <para>To illustrate how rules provide exceptions to policies, suppose that
    you have the polcies listed above but you want to be able to connect to
    your firewall from the internet using Secure Shell (SSH). Recall that SSH
    connects uses TCP port 22.</para>

    <programlisting>#ACTION    SOURCE        DEST      PROTO      DEST
#                                             PORT(S)
ACCEPT     net           $FW       tcp        22</programlisting>

    <para>So although you have a policy of ignoring all connection attempts
    from the net zone (from the internet), the above exception to that policy
    allows you to connect to the SSH server running on your firewall.</para>

    <para>Because Shorewall makes no assumptions about what traffic you want
    accepted, there are certain rules (exceptions) that need to be added to
    almost any configuration.</para>

    <itemizedlist>
      <listitem>
        <para>The <ulink url="shorewall_quickstart_guide.htm">QuickStart
        guildes</ulink> provide links to download pre-populated files for use
        in common setups and the <ulink
        url="shorewall_setup_guide.htm">Shorewall Setup Guide</ulink> shows
        you examples for use with other more complex setups.</para>
      </listitem>

      <listitem>
        <para>To keep your <ulink url="shorewall_logging.html">firewall
        log</ulink> from filling up with useless noise, Shorewall provides
        <ulink url="Actions.html">common actions</ulink> that silently discard
        or reject such noise before it can be logged. As with everything in
        Shorewall, you can alter the behavior of these common actions (or do
        away with them entirely) as you see fit.</para>
      </listitem>
    </itemizedlist>
  </section>

  <section>
    <title>License</title>

    <para>This program is free software; you can redistribute it and/or modify
    it under the terms of <ulink
    url="http://www.gnu.org/licenses/gpl.html">Version 2 of the GNU General
    Public License</ulink> as published by the Free Software
    Foundation.</para>

    <para>This program is distributed in the hope that it will be useful, but
    WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
    or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
    for more detail.</para>

    <para>You should have received a copy of the GNU General Public License
    along with this program; if not, write to the Free Software Foundation,
    Inc., 675 Mass Ave, Cambridge, MA 02139, USA</para>
  </section>
</article>