Introduction
Tom
Eastep
2005-04-20
2003-2005
Thomas M. Eastep
Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
GNU Free Documentation
License
.
Introduction
The information in this document applies only to 2.x releases of
Shorewall.
Glossary
Netfilter - the
packet filter facility built into the 2.4 and later Linux
kernels.
ipchains - the packet filter facility built into the 2.2 Linux
kernels. Also the name of the utility program used to configure and
control that facility. Netfilter can be used in ipchains
compatibility mode.
iptables - the utility program used to configure and control
Netfilter. The term iptables
is often used to refer
to the combination of iptables+Netfilter (with Netfilter not in
ipchains compatibility mode).
What is Shorewall?
The Shoreline Firewall, more commonly known as
Shorewall
, is high-level tool for configuring Netfilter.
You describe your firewall/gateway requirements using entries in a set
of configuration files. Shorewall reads those configuration files and
with the help of the iptables utility, Shorewall configures Netfilter to
match your requirements. Shorewall can be used on a dedicated firewall
system, a multi-function gateway/router/server or on a standalone
GNU/Linux system. Shorewall does not use Netfilter's ipchains
compatibility mode and can thus take advantage of Netfilter's connection
state tracking capabilities.
Shorewall is not a daemon. Once Shorewall has configured
Netfilter, it's job is complete and there is no Shorewall
process
left running in your system. The /sbin/shorewall program can be
used at any time to monitor the Netfilter firewall.
Shorewall is not the easiest to use of the available iptables
configuration tools but I believe that it is the most flexible and
powerful. So if you are looking for a simple point-and-click
set-and-forget Linux firewall solution that requires a minimum of
networking knowledge, I would encourage you to check out the following
alternatives:
http://www.m0n0.ch/wall/
http://www.fs-security.com/
If you are looking for a Linux firewall solution that can handle
complex and fast changing network environments then Shorewall is a
logical choice.
Shorewall Concepts
The configuration files for Shorewall are contained in the directory
/etc/shorewall -- for simple
setups, you will only need to deal with a few of them.
Shorewall views the network where it is running as being composed of
a set of zones. In the three-interface sample configuration for
example, the following zone names are used:
Name
Description
net
The Internet
loc
Your Local Network
dmz
Demilitarized Zone
Zones are defined in the /etc/shorewall/zones
file.
Shorewall also recognizes the firewall system as its own zone - by
default, the firewall itself is known as fw.
Rules about what traffic to allow and what traffic to deny are
expressed in terms of zones.
You express your default policy for connections from one zone
to another zone in the /etc/shorewall/policy
file. The basic choices for policy are:
ACCEPT - Accept the connection.
DROP - Ignore the connection request.
REJECT - Return an appropriate error to the connection
request.
Connection request logging may be specified as part of a
policy and it is conventional to log DROP and REJECT
policies.
You define exceptions to these default policies in the /etc/shorewall/rules
file.
You only need concern yourself with connection requests. You
don't need to define rules for how traffic that is part of an
established connection is handled and in most cases you don't have
to worry about how related connections are handled (ICMP error
packets and related TCP connection requests
such as used by FTP).
For each connection request entering the firewall, the
request is first checked against the /etc/shorewall/rules
file. If no rule in that file matches the connection request then the
first policy in /etc/shorewall/policy
that matches the request is applied. If there is a common action defined
for the policy in /etc/shorewall/actions (or
/usr/share/shorewall/actions.std) then that action is
invoked before the policy is enforces. In the standard Shorewall
distribution, the DROP policy has a common action called Drop and the REJECT policy has a common action
called Reject. Common actions are used
primarily to discard
The /etc/shorewall/policy
file included with the three-interface sample has the following policies:
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
loc net ACCEPT
net all DROP info
all all REJECT infoIn the three-interface
sample, the line below is included but commented out. If you want your
firewall system to have full access to servers on the internet, uncomment
that line. #SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
fw net ACCEPT The above policy will:
Allow all connection requests from your local network to the
internet
Drop (ignore) all connection requests from the internet to
your firewall or local network; these ignored connection requests
will be logged using the info syslog priority
(log level).
Optionally accept all connection requests from the firewall to
the internet (if you uncomment the additional policy)
reject all other connection requests; these rejected
connection requests will be logged using the
info syslog priority (log level).
The simplest way to define a zone is to associate the zone with a
network interface using the /etc/shorewall/interfaces
file. In the three-interface sample, the three zones are defined using
that file as follows:
#ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect dhcp,routefilter,norfc1918
loc eth1 detect
dmz eth2 detect
The above file defines the net zone as all hosts interfacing to the
firewall through eth0, the loc zone as all hosts interfacing through eth1
and the dmz as all hosts interfacing through eth2.
To illustrate how rules provide exceptions to policies, suppose that
you have the polcies listed above but you want to be able to connect to
your firewall from the internet using Secure Shell (SSH). Recall that SSH
connects uses TCP port 22.
#ACTION SOURCE DEST PROTO DEST
# PORT(S)
ACCEPT net fw tcp 22
So although you have a policy of ignoring all connection attempts
from the net zone (from the internet), the above exception to that policy
allows you to connect to the SSH server running on your firewall.
Because Shorewall makes no assumptions about what traffic you want
accepted, there are certain rules (exceptions) that need to be added to
almost any configuration.
The QuickStart
guildes provide links to download pre-populated files for use
in common setups and the Shorewall Setup Guide shows
you examples for use with other more complex setups.
To keep your firewall
log from filling up with useless noise, Shorewall provides
common actions that silently discard
or reject such noise before it can be logged. As with everything in
Shorewall, you can alter the behavior of these common actions (or do
away with them entirely) as you see fit.
License
This program is free software; you can redistribute it and/or modify
it under the terms of Version 2 of the GNU General
Public License as published by the Free Software
Foundation.
This program is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
for more detail.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software Foundation,
Inc., 675 Mass Ave, Cambridge, MA 02139, USA