Shorewall consists of the following components:
You may use the file /etc/shorewall/params file to set shell variables that you can then use in some of the other configuration files.
It is suggested that variable names begin with an upper case letter to distinguish them from variables used internally within the Shorewall programs
Example:
NET_IF=eth0
NET_BCAST=130.252.100.255
NET_OPTIONS=blacklist,norfc1918
Example (/etc/shorewall/interfaces record):
net $NET_IF $NET_BCAST $NET_OPTIONS
The result will be the same as if the record had been written
net eth0 130.252.100.255 blacklist,norfc1918
Variables may be used anywhere in the other configuration files.
This file is used to define the network zones. There is one entry in /etc/shorewall/zones for each zone; Columns in an entry are:
The /etc/shorewall/zones file released with Shorewall is as follows:
ZONE | DISPLAY | COMMENTS |
net | Net | Internet |
loc | Local | Local networks |
dmz | DMZ | Demilitarized zone |
You may add, delete and modify entries in the /etc/shorewall/zones file as desired so long as you have at least one zone defined.
Warning 1: If you rename or delete a zone, you should perform "shorewall stop; shorewall start" to install the change rather than "shorewall restart".
Warning 2: The order of entries in the /etc/shorewall/zones file is significant in some cases.
This file is used to tell the firewall which of your firewall's network interfaces are connected to which zone. There will be one entry in /etc/shorewall/interfaces for each of your interfaces. Columns in an entry are:
tcpflags (added in version 1.3.11) - This option
causes
Shorewall to make sanity checks on the header flags in TCP packets
arriving
on this interface. Checks include Null flags, SYN+FIN, SYN+RST and
FIN+URG+PSH;
these flag combinations are typically used for "silent" port scans.
Packets failing these checks are logged according to the
TCP_FLAGS_LOG_LEVEL option in
/etc/shorewall/shorewall.conf and are disposed of
according to the TCP_FLAGS_DISPOSITION option.
blacklist - This option causes incoming packets on this interface
to be checked against the blacklist.
dhcp - The interface is assigned an IP address via DHCP or is used
by a DHCP server running on the firewall. The firewall will be
configured to allow DHCP traffic to and from the interface even when
the firewall is stopped. You may also wish to use this option if you
have a static IP
but you are on a LAN segment that has a lot of Laptops that
use DHCP and you select the norfc1918 option (see below).
norfc1918 - Packets arriving on this interface and that
have a source address that is reserved in RFC 1918 or in other RFCs
will be dropped after being optionally logged. If packet
mangling is enabled in /etc/shorewall/shorewall.conf , then packets
arriving on this interface that have a destination address that is
reserved by one of these RFCs will also be logged and dropped.
Addresses blocked by the standard rfc1918 file
include those addresses reserved by RFC1918 plus other ranges reserved
by the IANA or by other RFCs.
Beware that as IPv4 addresses become in increasingly short supply, ISPs are beginning to use RFC 1918 addresses within their own infrastructure. Also, many cable and DSL "modems" have an RFC 1918 address that can be used through a web browser for management and monitoring functions. If you want to specify norfc1918 on your external interface but need to allow access to certain addresses from the above list, see FAQ 14.
routefilter - Invoke the Kernel's route filtering (anti-spoofing) facility on this interface. The kernel will reject any packets incoming on this interface that have a source address that would be routed outbound through another interface on the firewall. Warning: If you specify this option for an interface then the interface must be up prior to starting the firewall.
dropunclean - Packets from this interface that are
selected by the 'unclean' match target in iptables will be optionally logged and then dropped. Warning: This feature requires that UNCLEAN match
support be configured in your kernel, either in the kernel itself or as
a module. UNCLEAN support is broken in some versions of the kernel but
appears to work ok in 2.4.17-rc1.
Update 12/17/2001: The unclean match patch from 2.4.17-rc1
is available
for download. I am currently running this patch applied to kernel
2.4.16.
Update 12/20/2001: I've seen a number of tcp connection requests with OPT (020405B40000080A...) being dropped in the badpkt chain. This appears to be a bug in the remote TCP stack whereby it is 8-byte aligning a timestamp (TCP option 8) but rather than padding with 0x01 it is padding with 0x00. It's a tough call whether to deny people access to your servers because of this rather minor bug in their networking software. If you wish to disable the check that causes these connections to be dropped, here's a kernel patch against 2.4.17-rc2.
logunclean - This option works like dropunclean with the exception that packets selected by the 'unclean' match target in iptables are logged but not dropped. The level at which the packets are logged is determined by the setting of LOGUNCLEAN and if LOGUNCLEAN has not been set, "info" is assumed.
proxyarp (Added in version 1.3.5) - This option causes
Shorewall to set /proc/sys/net/ipv4/conf/<interface>/proxy_arp
and is used when implementing Proxy ARP Sub-netting as described at
http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet/. Do not
set this option if you are implementing Proxy ARP through entries in /etc/shorewall/proxyarp.
maclist (Added in version 1.3.10) - If this option is
specified, all connection requests from this interface are subject to MAC Verification. May
only be specified for ethernet interfaces.
My recommendations concerning options:
Example 1: You have a conventional firewall setup in which eth0 connects to a Cable or DSL modem and eth1 connects to your local network and eth0 gets its IP address via DHCP. You want to check all packets entering from the internet against the black list. Your /etc/shorewall/interfaces file would be as follows:
ZONE INTERFACE BROADCAST OPTIONS net eth0 detect dhcp,norfc1918,blacklist loc eth1 detect
Example 2: You have a standalone dialup GNU/Linux System. Your /etc/shorewall/interfaces file would be:
ZONE INTERFACE BROADCAST OPTIONS net ppp0
Example 3: You have local interface eth1 with two IP addresses - 192.168.1.1/24 and 192.168.12.1/24
ZONE INTERFACE BROADCAST OPTIONS loc eth1 192.168.1.255,192.168.12.255
For most applications, specifying zones entirely in terms of network interfaces is sufficient. There may be times though where you need to define a zone to be a more general collection of hosts. This is the purpose of the /etc/shorewall/hosts file.
WARNING: The only times that you
need entries
in /etc/shorewall/hosts are:
Columns in this file are:
- An IP address (example - eth1:192.168.1.3)
- A subnet in CIDR notation (example - eth2:192.168.2.0/24)
The interface name much match an entry in /etc/shorewall/interfaces.
Warning: If you are running a version of Shorewall earlier than 1.4.6, only a single host/subnet address may be specified in an entry in /etc/shorewall/hosts.
routeback (Added in version 1.4.2) - This option causes Shorewall to set up handling for routing packets sent by this host group back back to the same group.
maclist - Added in version 1.3.10. If specified, connection requests from the hosts specified in this entry are subject to MAC Verification. This option is only valid for ethernet interfaces.
If you don't define any hosts for a zone, the hosts in the zone default to i0:0.0.0.0/0 , i1:0.0.0.0/0, ... where i0, i1, ... are the interfaces to the zone.
Note: You probably DON'T want to specify any hosts for your internet zone since the hosts that you specify will be the only ones that you will be able to access without adding additional rules.
Example 1:
Your local interface is eth1 and you have two groups of local hosts that you want to make into separate zones:
Your /etc/shorewall/interfaces file might look like:
ZONE INTERFACE BROADCAST OPTIONS net eth0 detect dhcp,norfc1918 - eth1 192.168.1.127,192.168.1.255
The '-' in the ZONE column for eth1 tells Shorewall that eth1 interfaces to multiple zones.
Your /etc/shorewall/hosts file might look like:
ZONE HOST(S) OPTIONS loc1 eth1:192.168.1.0/25
loc2 eth1:192.168.1.128/25
Example 2:
Your local interface is eth1 and you have two groups of local hosts that you want to consider as one zone and you want Shorewall to route between them:
Your /etc/shorewall/interfaces file might look like:
ZONE INTERFACE BROADCAST OPTIONS net eth0 detect dhcp,norfc1918 loc
eth1 192.168.1.127,192.168.1.255
Your /etc/shorewall/hosts file might look like:
If you are running Shorewall 1.4.6 or later, your hosts file may look like:
ZONE HOST(S) OPTIONS loc eth1:192.168.1.0/25
loc eth1:192.168.1.128/25
ZONE HOST(S) OPTIONS loc eth1:192.168.1.0/25,192.168.1.128/25
The /etc/shorewall/interfaces and /etc/shorewall/hosts file allow you to define nested or overlapping zones. Such overlapping/nested zones are allowed and Shorewall processes zones in the order that they appear in the /etc/shorewall/zones file. So if you have nested zones, you want the sub-zone to appear before the super-zone and in the case of overlapping zones, the rules that will apply to hosts that belong to both zones is determined by which zone appears first in /etc/shorewall/zones.
Hosts that belong to more than one zone may be managed by the rules of all of those zones. This is done through use of the special CONTINUE policy described below.
This file is used to describe the firewall policy regarding establishment of connections. Connection establishment is described in terms of clients who initiate connections and servers who receive those connection requests. Policies defined in /etc/shorewall/policy describe which zones are allowed to establish connections with other zones.
Policies established in /etc/shorewall/policy can be viewed as default policies. If no rule in /etc/shorewall/rules applies to a particular connection request then the policy from /etc/shorewall/policy is applied.
Four policies are defined:
For each policy specified in /etc/shorewall/policy, you can indicate that you want a message sent to your system log each time that the policy is applied.
Entries in /etc/shorewall/policy have four columns as follows:
In the SOURCE and DEST columns, you can enter "all" to indicate all zones.
The policy file installed by default is as follows:
SOURCE DEST POLICY LOG LEVEL LIMIT:BURST loc net ACCEPT
net all DROP info
all all REJECT info
This table may be interpreted as follows:
WARNING:
The firewall script processes the /etc/shorewall/policy file from top to bottom and uses the first applicable policy that it finds. For example, in the following policy file, the policy for (loc, loc) connections would be ACCEPT as specified in the first entry even though the third entry in the file specifies REJECT.
SOURCE DEST POLICY LOG LEVEL LIMIT:BURST loc all ACCEPT
net all DROP info
loc loc REJECT info
Any time that you have multiple interfaces associated with a single
zone, you should ask yourself if you really want traffic routed between
those interfaces. Cases where you might not want that behavior are:
Where zones are nested or overlapping , the CONTINUE policy allows hosts that are within multiple zones to be managed under the rules of all of these zones. Let's look at an example:
/etc/shorewall/zones:
ZONE DISPLAY COMMENTS sam Sam Sam's system at home net Internet The Internet loc Loc Local Network
/etc/shorewall/interfaces:
ZONE INTERFACE BROADCAST OPTIONS - eth0 detect dhcp,norfc1918 loc eth1 detect
/etc/shorewall/hosts:
ZONE HOST(S) OPTIONS net eth0:0.0.0.0/0
sam eth0:206.191.149.197
Note that Sam's home system is a member of both the sam zone and the net zone and as described above , that means that sam must be listed before net in /etc/shorewall/zones.
/etc/shorewall/policy:
SOURCE DEST POLICY LOG LEVEL loc net ACCEPT
sam all CONTINUE
net all DROP info all all REJECT info
The second entry above says that when Sam is the client, connection requests should first be process under rules where the source zone is sam and if there is no match then the connection request should be treated under rules where the source zone is net. It is important that this policy be listed BEFORE the next policy (net to all).
Partial /etc/shorewall/rules:
ACTION SOURCE DEST PROTO DEST
PORT(S)SOURCE
PORT(S)ORIGINAL
DESTRATE
LIMIT
USER
SET...
DNAT sam loc:192.168.1.3 tcp ssh -
DNAT net loc:192.168.1.5 tcp www -
...
Given these two rules, Sam can connect to the firewall's internet interface with ssh and the connection request will be forwarded to 192.168.1.3. Like all hosts in the net zone, Sam can connect to the firewall's internet interface on TCP port 80 and the connection request will be forwarded to 192.168.1.5. The order of the rules is not significant.
Sometimes it is necessary to suppress port forwarding for a sub-zone. For example, suppose that all hosts can SSH to the firewall and be forwarded to 192.168.1.5 EXCEPT Sam. When Sam connects to the firewall's external IP, he should be connected to the firewall itself. Because of the way that Netfilter is constructed, this requires two rules as follows:
ACTION SOURCE DEST PROTO DEST
PORT(S)SOURCE
PORT(S)ORIGINAL
DESTRATE
LIMIT
USER
SET
...
DNAT sam fw tcp ssh -
DNAT net!sam loc:192.168.1.3 tcp ssh -
...
The first rule allows Sam SSH access to the firewall. The second rule says that any clients from the net zone with the exception of those in the 'sam' zone should have their connection port forwarded to 192.168.1.3. If you need to exclude more than one zone in this way, you can list the zones separated by commas (e.g., net!sam,joe,fred). This technique also may be used when the ACTION is REDIRECT.
The /etc/shorewall/rules file defines exceptions to the policies
established in the /etc/shorewall/policy file. There is one entry in
/etc/shorewall/rules for each of these rules.
Shorewall automatically enables firewall->firewall traffic over
the loopback interface (lo) -- that traffic cannot be regulated using
rules and any rule that tries to regulate such traffic will generate a
warning and will be ignored.
Entries in the file have the following columns:
Beginning with Shorewall version 1.4.7, you may rate-limit the
rule by optionally following ACCEPT, DNAT[-], REDIRECT[-] or LOG with
< <rate>/<interval>[:<burst>] >
where
<rate> is the number of connections per
<interval> ("sec" or "min") and <burst> is the largest
burst permitted. If no burst value is given, a value of 5 is assumed.
There may be no whitespace embedded in the
specification.
Let's take an example:
ACCEPT<2/sec:4>
net dmz tcp 80
The first time this rule is reached, the packet will be accepted; in
fact, since the burst is 4, the first four packets will be accepted.
After this, it will be 500ms (1 second divided by the rate of 2) before
a packet will be accepted from this rule, regardless of how many
packets reach it. Also, every 500ms which passes without matching a
packet, one of the bursts will be regained; if no packets hit the rule
for 2 second, the burst will be fully recharged; back where we started.
Warning: When rate
limiting is specified on a rule with "all" in the SOURCE or DEST fields
below, the limit will apply to each pair of zones individually rather
than as a single limit for all pairs of zones covered by the rule.
Rate limiting may also be specified in the RATE LIMIT column below; in
that case, it must not be specified as part of the ACTION column.
The ACTION (and rate limit) may optionally be followed by ":" and a syslog level (example: REJECT:info
or ACCEPT<2/sec:4>:debugging).
This
causes the packet to be logged at the specified level prior to being
processed according to the specified ACTION. Note: if the ACTION
is LOG then you MUST specify a syslog level.
The use of DNAT or REDIRECT requires that you have NAT enabled.
Example 1. You wish to forward all ssh connection requests from the internet to local system 192.168.1.3. You wish to limit the number of connections to 4/minute with a burst of 8 (Shorewall 1.4.7 and later only):
ACTION SOURCE DEST PROTO DEST
PORT(S)SOURCE
PORT(S)ORIGINAL
DESTRATE
LIMIT
USER
SET
DNAT<4/min:8> net loc:192.168.1.3 tcp ssh
Example 2. You want to redirect all local www connection requests EXCEPT those to your own http server (206.124.146.177) to a Squid transparent proxy running on the firewall and listening on port 3128. Squid will of course require access to remote web servers. This example shows yet another use for the ORIGINAL DEST column; here, connection requests that were NOT (notice the "!") originally destined to 206.124.146.177 are redirected to local port 3128.
ACTION SOURCE DEST PROTO DEST
PORT(S)SOURCE
PORT(S)ORIGINAL
DESTRATE
LIMIT
USER
SET
REDIRECT loc 3128 tcp www -
!206.124.146.177
ACCEPT fw net tcp www
Example 3. You want to run a web server at 155.186.235.222 in your DMZ and have it accessible remotely and locally. the DMZ is managed by Proxy ARP or by classical sub-netting.
ACTION SOURCE DEST PROTO DEST
PORT(S)SOURCE
PORT(S)ORIGINAL
DESTRATE
LIMIT
USER
SETACCEPT net dmz:155.186.235.222 tcp www -
ACCEPT loc dmz:155.186.235.222 tcp www
Example 4. You want to run wu-ftpd on 192.168.2.2 in your masqueraded DMZ. Your internet interface address is 155.186.235.151 and you want the FTP server to be accessible from the internet in addition to the local 192.168.1.0/24 and dmz 192.168.2.0/24 subnetworks. Note that since the server is in the 192.168.2.0/24 subnetwork, we can assume that access to the server from that subnet will not involve the firewall (but see FAQ 2). Note that unless you have more than one external IP address, you can leave the ORIGINAL DEST column blank in the first rule. You cannot leave it blank in the second rule though because then all ftp connections originating in the local subnet 192.168.1.0/24 would be sent to 192.168.2.2 regardless of the site that the user was trying to connect to. That is clearly not what you want .
ACTION SOURCE DEST PROTO DEST
PORT(S)SOURCE
PORT(S)ORIGINAL
DESTRATE
LIMIT
USER
SETDNAT net dmz:192.168.2.2 tcp ftp
DNAT loc:192.168.1.0/24 dmz:192.168.2.2 tcp ftp - 155.186.235.151
If you are running wu-ftpd, you should restrict the range of passive in your /etc/ftpaccess file. I only need a few simultaneous FTP sessions so I use port range 65500-65535. In /etc/ftpaccess, this entry is appropriate:
passive ports 0.0.0.0/0 65500 65534
If you are running pure-ftpd, you would include "-p 65500:65534" on the pure-ftpd runline.
The important point here is to ensure that the port range used for FTP passive connections is unique and will not overlap with any usage on the firewall system.
Example 5. You wish to allow unlimited DMZ access to the host with MAC address 02:00:08:E3:FA:55.
Example 6. You wish to allow access to the SMTP server in your DMZ from all zones.
ACTION SOURCE DEST PROTO DEST
PORT(S)SOURCE
PORT(S)ORIGINAL
DESTRATE
LIMIT
USER
SETACCEPT loc:~02-00-08-E3-FA-55 dmz all
Example 7. Your firewall's external interface has several IP addresses but you only want to accept SSH connections on address 206.124.146.176.
ACTION
SOURCE
DEST
PROTO
DEST
PORT(S)
SOURCE
PORT(S)
ORIGINAL
DEST
RATE
LIMIT
USER
SETACCEPT
all
dmz
tcp
25
Note: When 'all' is used as a source or destination, intra-zone traffic is not affected. In this example, if there were two DMZ interfaces then the above rule would NOT enable SMTP traffic between hosts on these interfaces.
Example 8 (For advanced users running Shorewall version 1.3.13 or later). From the internet, you with to forward tcp port 25 directed to 192.0.2.178 and 192.0.2.179 to host 192.0.2.177 in your DMZ. You also want to allow access from the internet directly to tcp port 25 on 192.0.2.177.
ACTION
SOURCE
DEST
PROTO
DEST
PORT(S)
SOURCE
PORT(S)
ORIGINAL
DEST
RATE
LIMIT
USER
SETACCEPT
net
fw:206.124.146.176
tcp
22
Using "DNAT-" rather than "DNAT" avoids two extra copies of the third rule from being generated.
ACTION
SOURCE
DEST
PROTO
DEST
PORT(S)
SOURCE
PORT(S)
ORIGINAL
DEST
RATE
LIMIT
USER
SETDNAT-
net
dmz:192.0.2.177
tcp
25
0
192.0.2.178
DNAT-
net
dmz:192.0.2.177
tcp
25
0
192.0.2.179
ACCEPT
net
dmz:192.0.2.177
tcp
25
ACTION
SOURCE
DEST
PROTO
DEST
PORT(S)
SOURCE
PORT(S)
ORIGINAL
DEST
RATE
LIMIT
USER
SETDNAT
net
loc:192.168.1.101-192.168.1.109
tcp
80
Look here for information on other services.
Shorewall allows definition of rules that apply between all zones. By default, these rules are defined in the file /etc/shorewall/common.def but may be modified to suit individual requirements. Rather than modify /etc/shorewall/common.def, you should copy that file to /etc/shorewall/common and modify that file.
The /etc/shorewall/common file is expected to contain iptables commands; rather than running iptables directly, you should run it indirectly using the Shorewall function 'run_iptables'. That way, if iptables encounters an error, the firewall will be safely stopped.
The /etc/shorewall/masq file is used to define classical IP Masquerading and Source Network Address Translation (SNAT). There is one entry in the file for each subnet that you want to masquerade. In order to make use of this feature, you must have NAT enabled .
Columns are:
Example 1: You have eth0 connected to a cable modem and eth1 connected to your local subnetwork 192.168.9.0/24. Your /etc/shorewall/masq file would look like:
INTERFACE SUBNET ADDRESS eth0 192.168.9.0/24
Example 2: You have a number of IPSEC tunnels through ipsec0 and you want to masquerade traffic from your 192.168.9.0/24 subnet to the remote subnet 10.1.0.0/16 only.
INTERFACE SUBNET ADDRESS ipsec0:10.1.0.0/16 192.168.9.0/24
Example 3: You have a DSL line connected on eth0 and a local network (192.168.10.0/24) connected to eth1. You want all local->net connections to use source address 206.124.146.176.
INTERFACE SUBNET ADDRESS eth0 192.168.10.0/24 206.124.146.176
Example 4: Same as example 3 except that you wish to exclude 192.168.10.44 and 192.168.10.45 from the SNAT rule.
Example 5 (Shorewall version >= 1.3.14): You have a second IP address (206.124.146.177) assigned to you and wish to use it for SNAT of the subnet 192.168.12.0/24. You want to give that address the name eth0:0. You must have ADD_SNAT_ALIASES=Yes in /etc/shorewall/shorewall.conf.
INTERFACE SUBNET ADDRESS eth0 192.168.10.0/24!192.168.10.44,192.168.10.45 206.124.146.176
Example 6 (Shorewall version >= 1.4.7): You want to use both 206.124.146.177 and 206.124.146.179 for SNAT of the subnet 192.168.12.0/24. Each address will be used on alternate outbound connections.
INTERFACE SUBNET ADDRESS eth0:0 192.168.12.0/24 206.124.146.177
INTERFACE SUBNET ADDRESS eth0 192.168.12.0/24 206.124.146.177,206.124.146.179
If you want to use proxy ARP on an entire sub-network, I suggest that you look at http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet/. If you decide to use the technique described in that HOWTO, you can set the proxy_arp flag for an interface (/proc/sys/net/ipv4/conf/<interface>/proxy_arp) by including the proxyarp option in the interface's record in /etc/shorewall/interfaces. When using Proxy ARP sub-netting, you do NOT include any entries in /etc/shorewall/proxyarp.
The /etc/shorewall/proxyarp file is used to define Proxy ARP. The file is typically used for enabling Proxy ARP on a small set of systems since you need one entry in this file for each system using proxy ARP. Columns are:
Note: After you have made a change to the /etc/shorewall/proxyarp file, you may need to flush the ARP cache of all routers on the LAN segment connected to the interface specified in the EXTERNAL column of the change/added entry(s). If you are having problems communicating between an individual host (A) on that segment and a system whose entry has changed, you may need to flush the ARP cache on host A as well.
ISPs typically have ARP configured with long TTL (hours!) so if your ISPs router has a stale cache entry (as seen using "tcpdump -nei <external interface> host <IP addr>"), it may take a long while to time out. I personally have had to contact my ISP and ask them to delete a stale entry in order to restore a system to working order after changing my proxy ARP settings.
Example: You have public IP addresses 155.182.235.0/28. You configure your firewall as follows:
In your DMZ, you want to install a Web/FTP server with public address 155.186.235.4. On the Web server, you subnet just like the firewall's eth0 and you configure 155.186.235.1 as the default gateway. In your /etc/shorewall/proxyarp file, you will have:
ADDRESS INTERFACE EXTERNAL HAVEROUTE 155.186.235.4 eth2 eth0 No
Note: You may want to configure the servers in your DMZ with a subnet that is smaller than the subnet of your internet interface. See the Proxy ARP Subnet Mini HOWTO (http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet/) for details. In this case you will want to place "Yes" in the HAVEROUTE column.
Warning: Do not use Proxy ARP and FreeS/Wan on the same system unless you are prepared to suffer the consequences. If you start or restart Shorewall with an IPSEC tunnel active, the proxied IP addresses are mistakenly assigned to the IPSEC tunnel device (ipsecX) rather than to the interface that you specify in the INTERFACE column of /etc/shorewall/proxyarp. I haven't had the time to debug this problem so I can't say if it is a bug in the Kernel or in FreeS/Wan.
You might be able to work around this problem using the following (I haven't tried it):
In /etc/shorewall/init, include:
qt service ipsec stop
In /etc/shorewall/start, include:
qt service ipsec start
The /etc/shorewall/nat file is used to define one-to-one NAT. There is one entry in the file for each one-to-one NAT relationship that you wish to define. In order to make use of this feature, you must have NAT enabled .
IMPORTANT: If all you want to do is forward ports to servers behind your firewall, you do NOT want to use one-to-one NAT. Port forwarding can be accomplished with simple entries in the rules file. Also, in most cases Proxy ARP provides a superior solution to one-to-one NAT because the internal systems are accessed using the same IP address internally and externally.
Columns in an entry are:
Look here for additional information and an example.
The /etc/shorewall/tunnels file allows you to define IPSec, GRE, IPIP, OpenVPN, PPTP and 6to4.tunnels with end-points on your firewall. To use ipsec, you must install version 1.9, 1.91 or the current FreeS/WAN development snapshot.
Note: For kernels 2.4.4 and above, you will need to use version 1.91 or a development snapshot as patching with version 1.9 results in kernel compilation errors.
Instructions for setting up IPSEC tunnels
may be found here, instructions for IPIP
and GRE tunnels are here, instructions
for OpenVPN tunnels are here, instructions
for PPTP tunnels are here, instructions for
6to4 tunnels are here and instructions
for integrating Shorewall with other types of tunnels are here.
This file is used to set the following firewall parameters:
Rules not meeting those criteria will continue to generate an individual rule for each listed port or port range.
The file /etc/shorewall/modules contains commands for loading the kernel modules required by Shorewall-defined firewall rules. Shorewall will source this file during start/restart provided that it exists and that the directory specified by the MODULESDIR parameter exists (see /etc/shorewall/shorewall.conf above).
The file that is released with Shorewall calls the Shorewall function "loadmodule" for the set of modules that I load.
The loadmodule function is called as follows:
loadmodule <modulename> [ <module parameters> ]
where
<modulename>
is the name of the modules without the trailing ".o" (example ip_conntrack).
<module parameters>
Optional parameters to the insmod utility.
The function determines if the module named by <modulename> is already loaded and if not then the function determines if the ".o" file corresponding to the module exists in the moduledirectory; if so, then the following command is executed:
insmod moduledirectory/<modulename>.o <module parameters>
If the file doesn't exist, the function determines of the ".o.gz" file corresponding to the module exists in the moduledirectory. If it does, the function assumes that the running configuration supports compressed modules and execute the following command:
insmod moduledirectory/<modulename>.o.gz <module parameters>
The /etc/shorewall/tos file allows you to set the Type of Service field in packet headers based on packet source, packet destination, protocol, source port and destination port. In order for this file to be processed by Shorewall, you must have mangle support enabled .
Entries in the file have the following columns:
Minimize-Delay (16)
Maximize-Throughput (8)
Maximize-Reliability (4)
Minimize-Cost (2)
Normal-Service (0)
The /etc/shorewall/tos file that is included with Shorewall contains the following entries.
SOURCE DEST PROTOCOL SOURCE
PORT(S)DEST PORT(S) TOS all all tcp - ssh 16 all all tcp ssh - 16 all all tcp - ftp 16 all all tcp ftp - 16 all all tcp - ftp-data 8 all all tcp ftp-data - 8
WARNING: Users have reported that odd routing problems result from adding the ESP and AH protocols to the /etc/shorewall/tos file.
Each line in /etc/shorewall/blacklist contains an IP address, a MAC address in Shorewall Format or subnet address. Example:
130.252.100.69
206.124.146.0/24
Packets from hosts listed in the blacklist file will
be disposed of according to the value assigned to the BLACKLIST_DISPOSITION
and BLACKLIST_LOGLEVEL variables in
/etc/shorewall/shorewall.conf. Only packets arriving on interfaces that
have the 'blacklist' option in
/etc/shorewall/interfaces are checked against the blacklist. The black
list is designed to prevent listed hosts/subnets from accessing
services on your network.
Beginning with Shorewall 1.3.8, the blacklist file has three columns:
Shorewall also has a dynamic blacklist capability.
IMPORTANT: The Shorewall blacklist file is NOT designed to police your users' web browsing -- to do that, I suggest that you install and configure Squid (http://www.squid-cache.org) with SquidGuard (http://www.squidguard.org/).
This file lists the subnets affected by the norfc1918 interface option. Columns in the file are:
This file defines the hosts that are accessible from the firewall when the firewall is stopped. Columns in the file are:
Example: When your firewall is stopped, you want firewall accessibility from local hosts 192.168.1.0/24 and from your DMZ. Your DMZ interfaces through eth1 and your local hosts through eth2.
INTERFACE HOST(S) eth2 192.168.1.0/24 eth1 -
Updated 11/15/2003 - Tom Eastep