forked from extern/shorewall_code
1dff1444dd
Signed-off-by: Tom Eastep <teastep@shorewall.net>
353 lines
12 KiB
XML
353 lines
12 KiB
XML
<?xml version="1.0" encoding="UTF-8"?>
|
|
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
|
|
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
|
|
<article>
|
|
<!--$Id$-->
|
|
|
|
<articleinfo>
|
|
<title>Universal Configuration</title>
|
|
|
|
<authorgroup>
|
|
<author>
|
|
<firstname>Tom</firstname>
|
|
|
|
<surname>Eastep</surname>
|
|
</author>
|
|
</authorgroup>
|
|
|
|
<pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
|
|
|
|
<copyright>
|
|
<year>2010</year>
|
|
|
|
<holder>Thomas M. Eastep</holder>
|
|
</copyright>
|
|
|
|
<legalnotice>
|
|
<para>Permission is granted to copy, distribute and/or modify this
|
|
document under the terms of the GNU Free Documentation License, Version
|
|
1.2 or any later version published by the Free Software Foundation; with
|
|
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
|
Texts. A copy of the license is included in the section entitled
|
|
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
|
|
License</ulink></quote>.</para>
|
|
</legalnotice>
|
|
</articleinfo>
|
|
|
|
<section>
|
|
<title>Configuring Shorewall</title>
|
|
|
|
<para>Once you have installed the Shorewall software, you must configure
|
|
it. The easiest way to do that is to use one of Shorewall's
|
|
<firstterm>Sample Configurations</firstterm>. The Universal Configuration
|
|
is one of those samples.</para>
|
|
</section>
|
|
|
|
<section>
|
|
<title>What the Universal Configuration does</title>
|
|
|
|
<para>The Universal Shorewall configuration requires that you simply copy
|
|
the configuration to <filename class="directory">/etc/shorewall</filename>
|
|
and start Shorewall. This sample configuation:</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>Allows all outgoing traffic.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Blocks all incoming connections except:</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>Secure Shell</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Ping</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Allows forwarding of traffic, provided that the system has more
|
|
than one interface or is set up to route between networks on a single
|
|
interface.</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</section>
|
|
|
|
<section>
|
|
<title>How to Install it</title>
|
|
|
|
<para>The location of the sample configuration files is dependent on your
|
|
distribution and <ulink url="Install.htm">how you installed
|
|
Shorewall</ulink>.</para>
|
|
|
|
<orderedlist>
|
|
<listitem>
|
|
<para>If you installed using an <acronym>RPM</acronym>, the samples
|
|
will be in the <filename
|
|
class="directory">Samples/Universal</filename> subdirectory of the
|
|
Shorewall documentation directory. If you don't know where the
|
|
Shorewall documentation directory is, you can find the samples using
|
|
this command:</para>
|
|
|
|
<programlisting>~# rpm -ql shorewall-common | fgrep Universal
|
|
/usr/share/doc/packages/shorewall/Samples/Universal
|
|
/usr/share/doc/packages/shorewall/Samples/Universal/interfaces
|
|
/usr/share/doc/packages/shorewall/Samples/Universal/policy
|
|
/usr/share/doc/packages/shorewall/Samples/Universal/rules
|
|
/usr/share/doc/packages/shorewall/Samples/Universal/zones
|
|
~#</programlisting>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>If you installed using the tarball, the samples are in the
|
|
<filename class="directory">Samples/Universal</filename> directory in
|
|
the tarball.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>If you installed using a Shorewall 4.x .deb, the samples are in
|
|
<filename
|
|
class="directory">/usr/share/doc/shorewall-common/examples/Universal</filename>..
|
|
You do not need the shorewall-doc package to have access to the
|
|
samples.</para>
|
|
</listitem>
|
|
</orderedlist>
|
|
|
|
<para>Simple copy the files from the Universal directory to
|
|
/etc/shorewall.</para>
|
|
</section>
|
|
|
|
<section>
|
|
<title>How to Start the firewall</title>
|
|
|
|
<para>Before starting Shorewall for the first time, it's a good idea to
|
|
stop your existing firewall. On Redhat/CentOS/Fedora, at a root prompt
|
|
type:</para>
|
|
|
|
<blockquote>
|
|
<para><command>service iptables stop</command></para>
|
|
</blockquote>
|
|
|
|
<para>If you are running SuSE, use Yast or Yast2 to stop
|
|
SuSEFirewall.</para>
|
|
|
|
<para>Once you have Shorewall running to your satisfaction, you should
|
|
totally disable your existing firewall. On /Redhat/CentOS/Fedora:</para>
|
|
|
|
<blockquote>
|
|
<para><command>chkconfig --del iptables</command></para>
|
|
</blockquote>
|
|
|
|
<para>At a root prompt, type:</para>
|
|
|
|
<blockquote>
|
|
<para><command>/sbin/shorewall start</command></para>
|
|
</blockquote>
|
|
|
|
<para>That's it. Shorewall will automatically start again when you
|
|
reboot.</para>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Now that it is running, ...</title>
|
|
|
|
<section>
|
|
<title>How do I stop the firewall?</title>
|
|
|
|
<para>At a root prompt, type:</para>
|
|
|
|
<blockquote>
|
|
<para><command>/sbin/shorewall clear</command></para>
|
|
</blockquote>
|
|
|
|
<para>The system is now 'wide open'.</para>
|
|
</section>
|
|
|
|
<section>
|
|
<title>How do I prevent it from responding to ping?</title>
|
|
|
|
<para>Edit <filename>/etc/shorewall/rules</filename> and remove the line
|
|
that reads:</para>
|
|
|
|
<blockquote>
|
|
<para>Ping(ACCEPT) net $FW</para>
|
|
</blockquote>
|
|
|
|
<para>and at a root prompt, type:</para>
|
|
|
|
<blockquote>
|
|
<para><command>/sbin/shorewall restart</command></para>
|
|
</blockquote>
|
|
</section>
|
|
|
|
<section>
|
|
<title>How do I allow other kinds of incoming connections?</title>
|
|
|
|
<para>Shorewall includes a collection of <firstterm>macros</firstterm>
|
|
that can be used to quickly allow or deny services. You can find a list
|
|
of the macros included in your version of Shorewall using the command
|
|
<command>ls <filename>/usr/share/shorewall/macro.*</filename></command>
|
|
or at a shell prompt type:</para>
|
|
|
|
<blockquote>
|
|
<para><command>/sbin/shorewall show macros</command></para>
|
|
</blockquote>
|
|
|
|
<para>If you wish to enable connections from the Internet to your
|
|
firewall and you find an appropriate macro in
|
|
<filename>/etc/shorewall/macro.*</filename>, the general format of a
|
|
rule in <filename>/etc/shorewall/rules</filename> is:</para>
|
|
|
|
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
|
|
<<emphasis>macro</emphasis>>(ACCEPT) net $FW</programlisting>
|
|
|
|
<important>
|
|
<para>Be sure to add your rules after the line that reads <emphasis
|
|
role="bold">SECTION NEW.</emphasis></para>
|
|
</important>
|
|
|
|
<example id="Example1">
|
|
<title>You want to run a Web Server and a IMAP Server on your firewall
|
|
system:</title>
|
|
|
|
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
|
|
Web(ACCEPT) net $FW
|
|
IMAP(ACCEPT)net $FW</programlisting>
|
|
</example>
|
|
|
|
<para>You may also choose to code your rules directly without using the
|
|
pre-defined macros. This will be necessary in the event that there is
|
|
not a pre-defined macro that meets your requirements. In that case the
|
|
general format of a rule in <filename>/etc/shorewall/rules</filename>
|
|
is:</para>
|
|
|
|
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
|
|
ACCEPT net $FW <emphasis><protocol></emphasis> <emphasis><port></emphasis></programlisting>
|
|
|
|
<example id="Example2">
|
|
<title>You want to run a Web Server and a IMAP Server on your firewall
|
|
system:</title>
|
|
|
|
<para><programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
|
|
ACCEPT net $FW tcp 80
|
|
ACCEPT net $FW tcp 143</programlisting></para>
|
|
</example>
|
|
|
|
<para>If you don't know what port and protocol a particular application
|
|
uses, see <ulink url="ports.htm">here</ulink>.</para>
|
|
</section>
|
|
|
|
<section>
|
|
<title>How do I make the firewall log a message when it disallows an
|
|
incoming connection?</title>
|
|
|
|
<para>Shorewall does not maintain a log itself but rather relies on your
|
|
<ulink url="shorewall_logging.html">system's logging
|
|
configuration</ulink>. The following <ulink
|
|
url="manpages/shorewall.html">commands</ulink> rely on knowing where
|
|
Netfilter messages are logged:</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para><command>shorewall show log</command> (Displays the last 20
|
|
Netfilter log messages)</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para><command>shorewall logwatch</command> (Polls the log at a
|
|
settable interval</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para><command>shorewall dump</command> (Produces an extensive
|
|
report for inclusion in Shorewall problem reports)</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
|
|
<para>It is important that these commands work properly because when you
|
|
encounter connection problems when Shorewall is running, the first thing
|
|
that you should do is to look at the Netfilter log; with the help of
|
|
<ulink url="FAQ.htm#faq17">Shorewall FAQ 17</ulink>, you can usually
|
|
resolve the problem quickly.</para>
|
|
|
|
<para>The Netfilter log location is distribution-dependent:</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>Debian and its derivatives log Netfilter messages to
|
|
<filename>/var/log/kern.log</filename>.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Recent <trademark>SuSE/OpenSuSE</trademark> releases come
|
|
preconfigured with syslog-ng and log netfilter messages to
|
|
<filename>/var/log/firewall</filename>.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>For other distributions, Netfilter messages are most commonly
|
|
logged to <filename>/var/log/messages</filename>.</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
|
|
<para>Modify the LOGFILE setting in
|
|
<filename>/etc/shorewall/shorewall.conf</filename> to specify the name
|
|
of your log.</para>
|
|
|
|
<important>
|
|
<para>The LOGFILE setting does not control where the Netfilter log is
|
|
maintained -- it simply tells the /sbin/<filename>shorewall</filename>
|
|
utility where to find the log.</para>
|
|
</important>
|
|
|
|
<para>Now, edit <filename>/etc/shorewall/policy</filename> and modify
|
|
the line that reads:</para>
|
|
|
|
<blockquote>
|
|
<para>net all DROP</para>
|
|
</blockquote>
|
|
|
|
<para>to</para>
|
|
|
|
<blockquote>
|
|
<para>net all DROP <emphasis role="bold">info</emphasis></para>
|
|
</blockquote>
|
|
|
|
<para>Then at a root prompt, type:</para>
|
|
|
|
<blockquote>
|
|
<para><command>/sbin/shorewall reload</command></para>
|
|
</blockquote>
|
|
</section>
|
|
|
|
<section>
|
|
<title>How do I prevent the firewall from forwarding connection
|
|
requests?</title>
|
|
|
|
<para>Edit /etc/shorewall/interfaces, and remove the routeback option
|
|
from the interface. e.g., change the line that reads:</para>
|
|
|
|
<blockquote>
|
|
<para>net all - dhcp,physical=+<emphasis
|
|
role="bold">,routeback</emphasis>,optional</para>
|
|
</blockquote>
|
|
|
|
<para>to</para>
|
|
|
|
<blockquote>
|
|
<para>net all - dhcp,physical=+,optional</para>
|
|
</blockquote>
|
|
|
|
<para>Then at a root prompt, type:</para>
|
|
|
|
<blockquote>
|
|
<para><command>/sbin/shorewall reload</command></para>
|
|
</blockquote>
|
|
</section>
|
|
</section>
|
|
</article>
|