Shorewall FAQs

Answer: Check out the QuickStart Guides.

Answer: The first example in the rules file documentation shows how to do port forwarding under Shorewall. The format of a port-forwarding rule to a local system is as follows:

#ACTION    SOURCE      DEST                                   PROTO        DEST PORT
DNAT       net         loc:<local IP address>[:<local port>]  <protocol>   <port #>

So to forward UDP port 7777 to internal system 192.168.1.5, the rule is:

#ACTION    SOURCE   DEST             PROTO    DEST PORT
DNAT       net      loc:192.168.1.5  udp      7777

If you want to forward requests directed to a particular address ( <external IP> ) on your firewall to an internal system:

#ACTION SOURCE DEST                                   PROTO       DEST PORT  SOURCE  ORIGINAL
#                                                                            PORT    DEST.
DNAT    net    loc:<local IP address>[:<local port>]  <protocol>  <port #>   -       <external IP>

Finally, if you need to forward a range of ports, in the PORT column specify the range as <low-port>:<high-port>.

#ACTION    SOURCE   DEST              PROTO    DEST PORT
DNAT       net      loc:192.168.3:22  tcp      1022

It would be a good idea to review the QuickStart Guide appropriate for your setup; the guides cover this topic in a tutorial fashion. DNAT rules should be used for connections that need to go the opposite direction from SNAT/MASQUERADE. So if you masquerade or use SNAT from your local network to the internet then you will need to use DNAT rules to allow connections from the internet to your local network. In all other cases, you use ACCEPT unless you need to hijack connections as they go through your firewall and handle them on the firewall box itself; in that case, you use a REDIRECT rule.

Answer: I have two objections to this setup.

If you insist on an IP solution to the accessibility problem rather than a DNS solution, then assuming that your external interface is eth0 and your internal interface is eth1 and that eth1 has IP address 192.168.1.254 with subnet 192.168.1.0/24.

If you are running Shorewall 1.4.0 or earlier see the 1.3 FAQ for instructions suitable for those releases.

If you are running Shorewall 1.4.1 or Shorewall 1.4.1a, please upgrade to Shorewall 1.4.2 or later.

Otherwise:

Oct 4 10:26:40 netgw kernel:
          Shorewall:FORWARD:REJECT:IN=eth1 OUT=eth1 SRC=192.168.118.200
          DST=192.168.118.210 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=1342 DF
          PROTO=TCP SPT=1494 DPT=1491 WINDOW=17472 RES=0x00 ACK SYN URGP=0

#ZONE    INTERFACE    BROADCAST       OPTIONS
loc      eth2         192.168.2.255   routeback

#SOURCE    DESTINATION    POLICY     LIMIT:BURST
dmz        dmz            ACCEPT

#INTERFACE       SUBNET            ADDRESS
eth2             192.168.2.0/24

Answer: There is an H.323 connection tracking/NAT module that helps with Netmeeting. Note however that one of the Netfilter developers recently posted the following:

Look here for a solution for MSN IM but be aware that there are significant security risks involved with this solution. Also check the Netfilter mailing list archives at http://www.netfilter.org.

Answer: (Shorewall versions prior to 2.0.0 only). The common.def included with version 1.3.x always rejects connection requests on TCP port 113 rather than dropping them. This is necessary to prevent outgoing connection problems to services that use the “Auth” mechanism for identifying requesting users. Shorewall also rejects TCP ports 135, 137, 139 and 445 as well as UDP ports 137-139. These are ports that are used by Windows (Windows can be configured to use the DCE cell locator on port 135). Rejecting these connection requests rather than dropping them cuts down slightly on the amount of Windows chatter on LAN segments connected to the Firewall.

If you are seeing port 80 being “closed”, that's probably your ISP preventing you from running a web server in violation of your Service Agreement.

Answer: (Shorewall versions 2.0.0 and later). The default Shorewall setup invokes the Drop action prior to enforcing a DROP policy and the default policy to all zone from the internet is DROP. The Drop action is defined in /etc/shorewall/action.Drop which in turn invokes the RejectAuth action (defined in /etc/shorewall/action.RejectAuth). This is necessary to prevent outgoing connection problems to services that use the “Auth” mechanism for identifying requesting users. That is the only service which the default setup rejects.

If you are seeing closed TCP ports other than 113 (auth) then either you have added rules to REJECT those ports or a router outside of your firewall is responding to connection requests on those ports.

Answer: If you want your firewall to be totally open for “ping”,

For a complete description of Shorewall “ping” management, see this page.

Answer: Every time I read “systems can't see out to the net”, I wonder where the poster bought computers with eyes and what those computers will “see” when things are working properly. That aside, the most common causes of this problem are:

See the Shorewall and FTP page.

Answer: Most likely, you need to set CLAMPMSS=Yes in /etc/shorewall/shorewall.conf.

Answer: NetFilter uses the kernel's equivalent of syslog (see “man syslog”) to log messages. It always uses the LOG_KERN (kern) facility (see “man openlog”) and you get to choose the log level (again, see “man syslog”) in your policies and rules. The destination for messaged logged by syslog is controlled by /etc/syslog.conf (see “man syslog.conf”). When you have changed /etc/syslog.conf, be sure to restart syslogd (on a RedHat system, “service syslog restart”).

By default, older versions of Shorewall ratelimited log messages through settings in /etc/shorewall/shorewall.conf -- If you want to log all messages, set:

LOGLIMIT=""
LOGBURST=""

Beginning with Shorewall version 1.3.12, you can set up Shorewall to log all of its messages to a separate file.

DROP net fw udp 10619

Jan 8 15:50:48 norcomix kernel:
        Shorewall:net2all:DROP:IN=eth0 OUT=
        MAC=00:40:c7:2e:09:c0:00:01:64:4a:70:00:08:00 SRC=208.138.130.16
        DST=24.237.22.45 LEN=53 TOS=0x00 PREC=0x00 TTL=251 ID=8288 DF
        PROTO=UDP SPT=53 DPT=40275 LEN=33

#
# Include the standard common.def file
# 
. /etc/shorewall/common.def
#
# The following rule is non-standard and compensates for tardy
# DNS replies
#
run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP

MAC=00:04:4c:dc:e2:28:00:b0:8e:cf:3c:4c:08:00

Answer: If you are running Shorewall version 1.4.4 or 1.4.4a then check the errata. Otherwise:

Answer: Logging occurs out of a number of chains (as indicated in the log message) in Shorewall:

Jun 27 15:37:56 gateway kernel:
        Shorewall:all2all:REJECT:IN=eth2 OUT=eth1 SRC=192.168.2.2
        DST=192.168.1.3 LEN=67 TOS=0x00 PREC=0x00 TTL=63 ID=5805 DF PROTO=UDP
        SPT=1803 DPT=53 LEN=47

ACCEPT dmz loc udp 53

Nov 25 18:58:52 linux kernel:
      Shorewall:net2all:DROP:IN=eth1 OUT=
      MAC=00:60:1d:f0:a6:f9:00:60:1d:f6:35:50:08:00 SRC=206.124.146.179
      DST=192.0.2.3 LEN=56 TOS=0x00 PREC=0x00 TTL=110 ID=18558 PROTO=ICMP
      TYPE=3 CODE=3 [SRC=192.0.2.3 DST=172.16.1.10 LEN=128 TOS=0x00 PREC=0x00
      TTL=47 ID=0 DF PROTO=UDP SPT=53 DPT=2857 LEN=108 ]

192.0.2.3 is external on my firewall... 172.16.0.0/24 is my internal LAN

Answer: While most people associate the Internet Control Message Protocol (ICMP) with “ping”, ICMP is a key piece of the internet. ICMP is used to report problems back to the sender of a packet; this is what is happening here. Unfortunately, where NAT is involved (including SNAT, DNAT and Masquerade), there are a lot of broken implementations. That is what you are seeing with these messages.

Here is my interpretation of what is happening -- to confirm this analysis, one would have to have packet sniffers placed a both ends of the connection.

Host 172.16.1.10 behind NAT gateway 206.124.146.179 sent a UDP DNS query to 192.0.2.3 and your DNS server tried to send a response (the response information is in the brackets -- note source port 53 which marks this as a DNS reply). When the response was returned to to 206.124.146.179, it rewrote the destination IP TO 172.16.1.10 and forwarded the packet to 172.16.1.10 who no longer had a connection on UDP port 2857. This causes a port unreachable (type 3, code 3) to be generated back to 192.0.2.3. As this packet is sent back through 206.124.146.179, that box correctly changes the source address in the packet to 206.124.146.179 but doesn't reset the DST IP in the original DNS response similarly. When the ICMP reaches your firewall (192.0.2.3), your firewall has no record of having sent a DNS reply to 172.16.1.10 so this ICMP doesn't appear to be related to anything that was sent. The final result is that the packet gets logged and dropped in the all2all chain. I have also seen cases where the source IP in the ICMP itself isn't set back to the external IP of the remote NAT gateway; that causes your firewall to log and drop the packet out of the rfc1918 chain because the source IP is reserved by RFC 1918.

Setting this up in Shorewall is easy; setting up the routing is a bit harder.

Assuming that eth0 and eth1 are the interfaces to the two ISPs then:

/etc/shorewall/interfaces:

#ZONE    INTERFACE    BROADCAST       OPTIONS
net      eth0         detect
net      eth1         detect

/etc/shorewall/policy:

#SOURCE    DESTINATION    POLICY     LIMIT:BURST
net        net            DROP

If you have masqueraded hosts, be sure to update /etc/shorewall/masq to masquerade to both ISPs. For example, if you masquerade all hosts connected to eth2 then:

#INTERFACE       SUBNET            ADDRESS
eth0             eth2
eth1             eth2

There was an article in SysAdmin covering this topic. It may be found at http://www.samag.com/documents/s=1824/sam0201h/

The following information regarding setting up routing for this configuration is reproduced from the LARTC HOWTO and has not been verified by the author. If you have questions or problems with the instructions given below, please post to the LARTC mailing list.

                                                                 ________
                                          +------------+        /
                                          |            |       |
                            +-------------+ Provider 1 +-------
        __                  |             |            |     /
    ___/  \_         +------+-------+     +------------+    |
  _/        \__      |     if1      |                      /
 /             \     |              |                      |
| Local network -----+ Linux router |                      |     Internet
 \_           __/    |              |                      |
   \__     __/       |     if2      |                      \
      \___/          +------+-------+     +------------+    |
                            |             |            |     \
                            +-------------+ Provider 2 +-------
                                          |            |       |
                                          +------------+        \________

ip route add $P1_NET dev $IF1 src $IP1 table T1
ip route add default via $P1 table T1
ip route add $P2_NET dev $IF2 src $IP2 table T2
ip route add default via $P2 table T2

ip route add $P1_NET dev $IF1 src $IP1
ip route add $P2_NET dev $IF2 src $IP2

ip route add default via $P1

ip rule add from $IP1 table T1
ip rule add from $IP2 table T2

ip route add $P0_NET dev $IF0 table T1
ip route add $P2_NET dev $IF2 table T1
ip route add 127.0.0.0/8 dev lo table T1
ip route add $P0_NET dev $IF0 table T2
ip route add $P1_NET dev $IF1 table T2
ip route add 127.0.0.0/8 dev lo table T2

ip route add default scope global nexthop via $P1 dev $IF1 weight 1 \
     nexthop via $P2 dev $IF2 weight 1

The “stop” command is intended to place your firewall into a safe state whereby only those hosts listed in /etc/shorewall/routestopped' are activated. If you want to totally open up your firewall, you must use the “shorewall clear” command.

Answer: The output you will see looks something like this:

/lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: init_module: Device or resource busy
Hint: insmod errors can be caused by incorrect module parameters, including invalid IO or IRQ parameters
/lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: insmod
/lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o failed
/lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: insmod ip_tables failed
iptables v1.2.3: can't initialize iptables table `nat': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.

This problem is usually corrected through the following sequence of commands

service ipchains stop
chkconfig --delete ipchains
rmmod ipchains

Also, be sure to check the errata for problems concerning the version of iptables (v1.2.3) shipped with RH7.2.

I just installed Shorewall and when I issue the start command, I see the following:

Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf ...
Starting Shorewall...
Loading Modules...
Initializing...
Determining Zones...
   Zones: net loc
Validating interfaces file...
Validating hosts file...
Determining Hosts in Zones...
    Net Zone: eth0:0.0.0.0/0
    Local Zone: eth1:0.0.0.0/0
Deleting user chains...
Creating input Chains...
...

Why can't Shorewall detect my interfaces properly?

Answer: The above output is perfectly normal. The Net zone is defined as all hosts that are connected through eth0 and the local zone is defined as all hosts connected through eth1. If you are running Shorewall 1.4.10 or later, you can consider setting the detectnets interface option on your local interface (eth1 in the above example). That will cause Shorewall to restrict the local zone to only those networks routed through that interface.

You can place these commands in one of the Shorewall Extension Scripts. Be sure that you look at the contents of the chain(s) that you will be modifying with your commands to be sure that the commands will do what they are intended. Many iptables commands published in HOWTOs and other instructional material use the -A command which adds the rules to the end of the chain. Most chains that Shorewall constructs end with an unconditional DROP, ACCEPT or REJECT rule and any rules that you add after that will be ignored. Check “man iptables” and look at the -I (--insert) command.

Shorewall works with any GNU/Linux distribution that includes the proper prerequisites.

Answer: See the Shorewall Feature List.

Answer: Yes. Shorewall support is included in Webmin 1.060 and later versions. See http://www.webmin.com

Answer: Shorewall is a concatenation of “Shoreline” (the city where I live) and “Firewall”. The full name of the product is actually “Shoreline Firewall” but “Shorewall” is must more commonly used.

The Shorewall web site is almost font neutral (it doesn't explicitly specify fonts except on a few pages) so the fonts you see are largely the default fonts configured in your browser. If you don't like them then reconfigure your browser.

At the shell prompt, type:

/sbin/shorewall version

The first release of Shorewall was in March of 2001. Shorewall 1.2.12 was released in May of 2002. It is now the year 2004 and soon Shorewall 2.0 will be available. Shorewall 1.2.12 is poorly documented and is missing many of the features that Shorewall users find essential today.

Is there any way it can add a rule before the rfc1918 blocking that will let all traffic to and from the 192.168.100.1 address of the modem in/out but still block all other rfc1918 addresses?

Answer: If you are running a version of Shorewall earlier than 1.3.1, create /etc/shorewall/start and in it, place the following:

run_iptables -I rfc1918 -s 192.168.100.1 -j ACCEPT

If you are running version 1.3.1 or later, simply add the following to /etc/shorewall/rfc1918:

Be sure that you add the entry ABOVE the entry for 192.168.0.0/16.

#SUBNET        TARGET
192.168.100.1  RETURN

#SUBNET        TARGET
192.168.100.1  RETURN
192.168.100.2  RETURN

Answer: Yes. See Shorewall and Aliased Interfaces.

You probably haven't set TC_ENABLED=Yes in /etc/shorewall/shorewall.conf so the contents of the tcrules file are simply being ignored.

Yes. Consult the QuickStart guide that you used during your initial setup for information about how to set up rules for your server.

In the SOURCE column of the rule, follow “net” by a colon and a list of the host/subnet addresses as a comma-separated list.

net:<ip1>,<ip2>,...

ACCEPT net:192.0.2.16/28,192.0.2.44 fw tcp 22

Edit /etc/shorewall/shorewall.conf and change “NEWNOTSYN=No” to “NEWNOTSYN=Yes” then restart Shorewall.

run_iptables -D OUTPUT -p ! icmp -m state --state INVALID -j DROP

First take a look at the Shorewall kernel configuration page. You probably also want to be sure that you have selected the “NAT of local connections (READ HELP)” on the Netfilter Configuration menu. Otherwise, DNAT rules with your firewall as the source zone won't work with your new kernel.

+ run_iptables2 -t nat -A eth0_masq -s 192.168.2.0/24 -d 0.0.0.0/0 -j
MASQUERADE
+ '[' 'x-t nat -A eth0_masq -s 192.168.2.0/24 -d 0.0.0.0/0 -j
MASQUERADE' = 'x-t nat -A eth0_masq -s 192.168.2.0/24 -d 0.0.0.
0/0 -j MASQUERADE' ']'
+ run_iptables -t nat -A eth0_masq -s 192.168.2.0/24 -d 0.0.0.0/0 -j
MASQUERADE
+ iptables -t nat -A eth0_masq -s 192.168.2.0/24 -d 0.0.0.0/0 -j
MASQUERADE
iptables: Invalid argument
+ '[' -z '' ']'
+ stop_firewall
+ set +x

Basically, you don't. While there are kernel patches that allow you to route bridge traffic through Netfilter, the environment is so different from the Layer 3 firewalling environment that very little of Shorewall works. In fact, so much of Shorewall doesn't work that my official position is that “Shorewall doesn't work with Layer 2 Bridging”.