forked from extern/shorewall_code
1609 lines
60 KiB
XML
1609 lines
60 KiB
XML
<?xml version="1.0" encoding="UTF-8"?>
|
||
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
|
||
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
|
||
<article>
|
||
<!--$Id$-->
|
||
|
||
<articleinfo>
|
||
<title>Configuration Files Tips and Hints</title>
|
||
|
||
<authorgroup>
|
||
<author>
|
||
<firstname>Tom</firstname>
|
||
|
||
<surname>Eastep</surname>
|
||
</author>
|
||
</authorgroup>
|
||
|
||
<pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
|
||
|
||
<copyright>
|
||
<year>2001-2010</year>
|
||
|
||
<holder>Thomas M. Eastep</holder>
|
||
</copyright>
|
||
|
||
<legalnotice>
|
||
<para>Permission is granted to copy, distribute and/or modify this
|
||
document under the terms of the GNU Free Documentation License, Version
|
||
1.2 or any later version published by the Free Software Foundation; with
|
||
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
||
Texts. A copy of the license is included in the section entitled
|
||
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
|
||
License</ulink></quote>.</para>
|
||
</legalnotice>
|
||
</articleinfo>
|
||
|
||
<caution>
|
||
<para><emphasis role="bold">This article applies to Shorewall 4.3 and
|
||
later. If you are running a version of Shorewall earlier than Shorewall
|
||
4.3.5 then please see the documentation for that
|
||
release.</emphasis></para>
|
||
</caution>
|
||
|
||
<caution>
|
||
<para>If you copy or edit your configuration files on a system running
|
||
Microsoft Windows, you must run them through <ulink
|
||
url="http://www.megaloman.com/~hany/software/hd2u/">dos2unix</ulink>
|
||
before you use them with Shorewall.</para>
|
||
</caution>
|
||
|
||
<section>
|
||
<title id="Intro">Introduction</title>
|
||
|
||
<para>This article offers hints about how to accomplish common tasks with
|
||
Shorewall. The <ulink url="Introduction.html">Introduction to
|
||
Shorewall</ulink> is required reading for being able to use this article
|
||
effectively. For information about setting up your first Shorewall-based
|
||
firewall, see the <ulink url="GettingStarted.html">Quickstart
|
||
Guides</ulink>.</para>
|
||
</section>
|
||
|
||
<section id="Files">
|
||
<title>Files</title>
|
||
|
||
<para><itemizedlist>
|
||
<listitem>
|
||
<para><filename>/etc/shorewall/shorewall.conf</filename> - used to
|
||
set global firewall parameters.</para>
|
||
</listitem>
|
||
|
||
<listitem>
|
||
<para><filename>/etc/shorewall/params</filename> - use this file to
|
||
set shell variables that you will expand in other files.</para>
|
||
</listitem>
|
||
|
||
<listitem>
|
||
<para><filename>/etc/shorewall/zones</filename> - partition the
|
||
firewall's view of the world into zones.</para>
|
||
</listitem>
|
||
|
||
<listitem>
|
||
<para><filename>/etc/shorewall/policy</filename> - establishes
|
||
firewall high-level policy.</para>
|
||
</listitem>
|
||
|
||
<listitem>
|
||
<para><filename>/etc/shorewall/interfaces</filename> - describes the
|
||
interfaces on the firewall system.</para>
|
||
</listitem>
|
||
|
||
<listitem>
|
||
<para><filename>/etc/shorewall/hosts</filename> - allows defining
|
||
zones in terms of individual hosts and subnetworks.</para>
|
||
</listitem>
|
||
|
||
<listitem>
|
||
<para><filename>/etc/shorewall/masq</filename> - directs the
|
||
firewall where to use many-to-one (dynamic) Network Address
|
||
Translation (a.k.a. Masquerading) and Source Network Address
|
||
Translation (SNAT).</para>
|
||
</listitem>
|
||
|
||
<listitem>
|
||
<para><filename>/etc/shorewall/rules</filename> - defines rules that
|
||
are exceptions to the overall policies established in
|
||
/etc/shorewall/policy.</para>
|
||
</listitem>
|
||
|
||
<listitem>
|
||
<para><filename>/etc/shorewall/nat</filename> - defines one-to-one
|
||
NAT rules.</para>
|
||
</listitem>
|
||
|
||
<listitem>
|
||
<para><filename>/etc/shorewall/proxyarp</filename> - defines use of
|
||
Proxy ARP.</para>
|
||
</listitem>
|
||
|
||
<listitem>
|
||
<para><filename>/etc/shorewall/routestopped</filename> - defines
|
||
hosts accessible when Shorewall is stopped.</para>
|
||
</listitem>
|
||
|
||
<listitem>
|
||
<para><filename>/etc/shorewall/tcrules </filename>- The file has a
|
||
rather unfortunate name because it is used to define marking of
|
||
packets for later use by both traffic control/shaping and policy
|
||
routing.</para>
|
||
</listitem>
|
||
|
||
<listitem>
|
||
<para><filename>/etc/shorewall/tos</filename> - defines rules for
|
||
setting the TOS field in packet headers.</para>
|
||
</listitem>
|
||
|
||
<listitem>
|
||
<para><filename>/etc/shorewall/tunnels</filename> - defines tunnels
|
||
(VPN) with end-points on the firewall system.</para>
|
||
</listitem>
|
||
|
||
<listitem>
|
||
<para><filename>/etc/shorewall/blacklist</filename> - lists
|
||
blacklisted IP/subnet/MAC addresses.</para>
|
||
</listitem>
|
||
|
||
<listitem>
|
||
<para><filename>/etc/shorewall/init</filename> - commands that you
|
||
wish to execute at the beginning of a <quote>shorewall start</quote>
|
||
or <quote>shorewall restart</quote>.</para>
|
||
</listitem>
|
||
|
||
<listitem>
|
||
<para><filename>/etc/shorewall/start</filename> - commands that you
|
||
wish to execute at the completion of a <quote>shorewall
|
||
start</quote> or <quote>shorewall restart</quote></para>
|
||
</listitem>
|
||
|
||
<listitem>
|
||
<para><filename>/etc/shorewall/stop </filename>- commands that you
|
||
wish to execute at the beginning of a <quote>shorewall
|
||
stop</quote>.</para>
|
||
</listitem>
|
||
|
||
<listitem>
|
||
<para><filename>/etc/shorewall/stopped</filename> - commands that
|
||
you wish to execute at the completion of a <quote>shorewall
|
||
stop</quote>.</para>
|
||
</listitem>
|
||
|
||
<listitem>
|
||
<para><filename>/etc/shorewall/ecn</filename> - disable Explicit
|
||
Congestion Notification (ECN - RFC 3168) to remote hosts or
|
||
networks.</para>
|
||
</listitem>
|
||
|
||
<listitem>
|
||
<para><filename>/etc/shorewall/accounting</filename> - define IP
|
||
traffic accounting rules</para>
|
||
</listitem>
|
||
|
||
<listitem>
|
||
<para><filename>/etc/shorewall/actions</filename> and
|
||
<filename>/usr/share/shorewall/action.template</filename> allow
|
||
user-defined actions.</para>
|
||
</listitem>
|
||
|
||
<listitem>
|
||
<para><filename>/etc/shorewall/providers</filename> - defines an
|
||
alternate routing table.</para>
|
||
</listitem>
|
||
|
||
<listitem>
|
||
<para><filename>/etc/shorewall/route_rules</filename> - Defines
|
||
routing rules to be used in conjunction with the routing tables
|
||
defined in <filename>/etc/shorewall/providers</filename>.</para>
|
||
</listitem>
|
||
|
||
<listitem>
|
||
<para><filename>/etc/shorewall/tcdevices</filename>,
|
||
<filename>/etc/shorewall/tcclasses</filename>,
|
||
<filename>/etc/shorewall/tcfilters</filename> - Define complex
|
||
traffic shaping.</para>
|
||
</listitem>
|
||
|
||
<listitem>
|
||
<para><filename>/etc/shorewall/tcrules</filename> - Mark or classify
|
||
traffic for traffic shaping or multiple providers.</para>
|
||
</listitem>
|
||
|
||
<listitem>
|
||
<para><filename>/etc/shorewall/tcinterfaces</filename> and
|
||
<filename>/etc/shorewall-tcpri</filename> - Define simple traffic
|
||
shaping.</para>
|
||
</listitem>
|
||
|
||
<listitem>
|
||
<para><filename>/etc/shorewall/secmarks</filename> - Added in
|
||
Shorewall 4.4.13. Attach an SELinux context to selected
|
||
packets.</para>
|
||
</listitem>
|
||
|
||
<listitem>
|
||
<para><filename>/etc/shorewall/vardir</filename> - Determines the
|
||
directory where Shorewall maintains its state.</para>
|
||
</listitem>
|
||
|
||
<listitem>
|
||
<para><filename>/usr/share/shorewall/actions.std</filename> -
|
||
Actions defined by Shorewall.</para>
|
||
</listitem>
|
||
|
||
<listitem>
|
||
<para><filename>/usr/share/shorewall/action.*</filename> - Details
|
||
of actions defined by Shorewall.</para>
|
||
</listitem>
|
||
|
||
<listitem>
|
||
<para><filename>/usr/share/shorewall/macro.*</filename> - Details of
|
||
macros defined by Shorewall.</para>
|
||
</listitem>
|
||
|
||
<listitem>
|
||
<para><filename>/usr/share/shorewall/modules</filename> - directs
|
||
the firewall to load kernel modules.</para>
|
||
</listitem>
|
||
|
||
<listitem>
|
||
<para><filename>/usr/share/modules</filename> — Specifies the kernel
|
||
modules to be loaded during shorewall start/restart.</para>
|
||
</listitem>
|
||
|
||
<listitem>
|
||
<para><filename>/usr/share/helpers</filename> — Added in Shorewall
|
||
4.4.7. Specifies the kernel modules to be loaded during shorewall
|
||
start/restart when LOAD_HELPERS_ONLY=Yes in
|
||
<filename>shorewall.conf</filename>.</para>
|
||
</listitem>
|
||
</itemizedlist></para>
|
||
|
||
<para><emphasis role="bold">If you need to change a file in
|
||
/usr/share/shorewall/, copy it to <filename>/etc/shorewall</filename> and
|
||
modify the copy</emphasis></para>
|
||
</section>
|
||
|
||
<section id="Manpages">
|
||
<title>Man Pages</title>
|
||
|
||
<para>Man pages are provided in section 5 for each of the Shorewall
|
||
configuration files. The name of the page is formed by prefixing the file
|
||
name with "shorewall-".</para>
|
||
|
||
<para>Example — To view the manual page for
|
||
<filename>/etc/shorewall/interfaces</filename>:</para>
|
||
|
||
<programlisting>man shorewall-interfaces</programlisting>
|
||
|
||
<para>The /etc/shorewall/shorewall.conf file is an exception -- the man
|
||
page for that file is 'shorewall.conf':</para>
|
||
|
||
<programlisting>man shorewall.conf</programlisting>
|
||
</section>
|
||
|
||
<section id="Comments">
|
||
<title>Comments</title>
|
||
|
||
<para>You may place comments in configuration files by making the first
|
||
non-whitespace character a pound sign (<quote>#</quote>). You may also
|
||
place comments at the end of any line, again by delimiting the comment
|
||
from the rest of the line with a pound sign.</para>
|
||
|
||
<example id="comment">
|
||
<title>Comments in a Configuration File</title>
|
||
|
||
<programlisting># This is a comment
|
||
ACCEPT net $FW tcp www #This is an end-of-line comment</programlisting>
|
||
</example>
|
||
</section>
|
||
|
||
<section id="Names">
|
||
<title>Names</title>
|
||
|
||
<para>When you define an object in Shorewall (<ulink
|
||
url="manpages/shorewall-zones.html">Zone</ulink>, <link
|
||
linkend="Logical">Logical Interface</link>, <ulink
|
||
url="ipsets.html">ipsets</ulink>, <ulink
|
||
url="Actions.html">Actions</ulink>, etc., you give it a name. Shorewall
|
||
names start with a letter and consist of letters, digits or underscores
|
||
("_"). Except for Zone names, Shorewall does not impose a limit on name
|
||
length.</para>
|
||
|
||
<para>When an ipset is referenced, the name must be preceded by a plus
|
||
sign ("+").</para>
|
||
|
||
<para>The last character of an interface may also be a plus sign to
|
||
indicate a wildcard name.</para>
|
||
|
||
<para>Physical interface names match names shown by 'ip link ls'; if the
|
||
name includes an at sign ("@"), do not include that character or any
|
||
character that follows. For example, "sit1@NONE" is referred to as simply
|
||
'sit1".</para>
|
||
</section>
|
||
|
||
<section id="COMMENT">
|
||
<title>Attach Comment to Netfilter Rules</title>
|
||
|
||
<para>If you kernel and iptables contain comment match support (see the
|
||
output of <command>shorewall show capabilities</command>), then you can
|
||
attach comments to Netfilter rules. This feature is available in the
|
||
following files:</para>
|
||
|
||
<itemizedlist>
|
||
<listitem>
|
||
<para><filename>/etc/shorewall/accounting</filename></para>
|
||
</listitem>
|
||
|
||
<listitem>
|
||
<para><filename>/etc/shorewall/masq</filename></para>
|
||
</listitem>
|
||
|
||
<listitem>
|
||
<para><filename>/etc/shorewall/nat</filename></para>
|
||
</listitem>
|
||
|
||
<listitem>
|
||
<para><filename>/etc/shorewall/notrack</filename></para>
|
||
</listitem>
|
||
|
||
<listitem>
|
||
<para><filename>/etc/shorewall/rules</filename></para>
|
||
</listitem>
|
||
|
||
<listitem>
|
||
<para><filename>/etc/shorewall/secmarks</filename></para>
|
||
</listitem>
|
||
|
||
<listitem>
|
||
<para><filename>/etc/shorewall/tcrules</filename></para>
|
||
</listitem>
|
||
|
||
<listitem>
|
||
<para><filename>/etc/shorewall/tunnels</filename></para>
|
||
</listitem>
|
||
|
||
<listitem>
|
||
<para>Action definition files
|
||
(<filename>/etc/shorewall/action.*</filename>)</para>
|
||
</listitem>
|
||
|
||
<listitem>
|
||
<para>Macro definition files (/etc/shorewall/macro.*)</para>
|
||
</listitem>
|
||
</itemizedlist>
|
||
|
||
<para>To attach a comment to one or more rules, insert a record above the
|
||
rules that begins with the word COMMENT (must be in all caps). The
|
||
remainder of the line is treated as a comment -- that comment will appear
|
||
delimited by "/* ... */" in the output of the <command>shorewall[-lite]
|
||
show</command> and <command>shorewall[-lite] dump</command> commands. The
|
||
comment will be attached to each generated rule until another COMMENT line
|
||
appears. To stop attaching comments to rules, simply insert a line that
|
||
contains the single word COMMENT.</para>
|
||
|
||
<para>Example (<filename>/etc/shorewall/rules</filename>):</para>
|
||
|
||
<programlisting>COMMENT Stop NETBIOS noise
|
||
|
||
REJECT loc net tcp 137,445
|
||
REJECT loc net udp 137:139
|
||
|
||
COMMENT Stop my idiotic work laptop from sending to the net with an HP source/dest IP address
|
||
|
||
DROP loc:!192.168.0.0/22 net
|
||
|
||
COMMENT</programlisting>
|
||
|
||
<para>Here's the corresponding output from
|
||
<filename>/sbin/shorewall-lite</filename>:</para>
|
||
|
||
<programlisting>gateway:~ # <command>shorewall-lite show loc2net</command>
|
||
Shorewall Lite 4.3.3 Chains loc2net at gateway - Mon Oct 16 15:04:52 PDT 2008
|
||
|
||
Counters reset Mon Oct 16 14:52:17 PDT 2006
|
||
|
||
Chain loc2net (1 references)
|
||
pkts bytes target prot opt in out source destination
|
||
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 LOG flags 0 level 6 prefix `FW:loc2net:REJECT:'
|
||
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25
|
||
0 0 LOG udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:1025:1031 LOG flags 0 level 6 prefix `FW:loc2net:REJECT:'
|
||
0 0 reject udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:1025:1031
|
||
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 137,445 <emphasis
|
||
role="bold">/* Stop NETBIOS noise */</emphasis>
|
||
0 0 reject udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:137:139 <emphasis
|
||
role="bold">/* Stop NETBIOS noise */</emphasis>
|
||
0 0 DROP all -- * * !192.168.0.0/22 0.0.0.0/0 <emphasis
|
||
role="bold">/* Stop my idiotic work laptop from sending to the net with an HP source/dest IP address */</emphasis>
|
||
5 316 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
|
||
gateway:~ #
|
||
|
||
</programlisting>
|
||
|
||
<para>COMMENT lines in macro files work somewhat differently from other
|
||
files. COMMENT lines in macros are ignored if COMMENT support is not
|
||
available or if there was a COMMENT in use when the top-level macro was
|
||
invoked. This allows the following:</para>
|
||
|
||
<para><filename>/usr/share/shorewall/macro.SSH</filename>:</para>
|
||
|
||
<para><programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||
# PORT(S) PORT(S) LIMIT GROUP
|
||
COMMENT SSH
|
||
PARAM - - tcp 22 </programlisting>
|
||
<filename>/etc/shorewall/rules</filename>:<programlisting>COMMENT Allow SSH from home
|
||
SSH(ACCEPT) net:$MYIP $FW
|
||
COMMENT</programlisting>The comment line in macro.SSH will not override the
|
||
COMMENT line in the rules file and the generated rule will show <emphasis
|
||
role="bold">/* Allow SSH from home */</emphasis> when displayed through
|
||
the Shorewall show and dump commands.</para>
|
||
</section>
|
||
|
||
<section id="BlankColumn">
|
||
<title>"Blank" Columns</title>
|
||
|
||
<para>If you don't want to supply a value in a column but want to supply a
|
||
value in a following column, simply enter '-' to make the column appear
|
||
empty.</para>
|
||
|
||
<para>Example:<programlisting>#INTERFACE BROADCAST OPTIONS
|
||
br0 - routeback</programlisting></para>
|
||
</section>
|
||
|
||
<section id="Continuation">
|
||
<title>Line Continuation</title>
|
||
|
||
<para>You may continue lines in the configuration files using the usual
|
||
backslash (<quote>\</quote>) followed immediately by a new line character
|
||
(Enter key).</para>
|
||
|
||
<example id="continuation">
|
||
<title>Line Continuation</title>
|
||
|
||
<programlisting>ACCEPT net $FW tcp \↵
|
||
smtp,www,pop3,imap #Services running on the firewall</programlisting>
|
||
|
||
<para>In certain cases, leading white space is ignored in continuation
|
||
lines:</para>
|
||
|
||
<itemizedlist>
|
||
<listitem>
|
||
<para>The continued line ends with a colon (":")</para>
|
||
</listitem>
|
||
|
||
<listitem>
|
||
<para>The continued line ends with a comma (",")</para>
|
||
</listitem>
|
||
</itemizedlist>
|
||
|
||
<para>Example (<filename>/etc/shorewall/rules</filename>):</para>
|
||
|
||
<programlisting>#ACTION SOURCE DEST PROTO DEST
|
||
# PORT(S)
|
||
ACCEPT net:\
|
||
206.124.146.177,\
|
||
206.124.146.178,\
|
||
206.124.146.180\
|
||
dmz tcp 873</programlisting>
|
||
|
||
<para>The leading white space on the first through third continuation
|
||
lines is ignored so the SOURCE column effectively contains
|
||
"net:206.124.146.177,206.124.147.178,206.124.146.180". Because the third
|
||
continuation line does not end with a comma or colon, the leading white
|
||
space in the last line is not ignored.</para>
|
||
</example>
|
||
</section>
|
||
|
||
<section>
|
||
<title>Addresses</title>
|
||
|
||
<para>In both Shorewall and Shorewall6, there are two basic types of
|
||
addresses:</para>
|
||
|
||
<variablelist>
|
||
<varlistentry>
|
||
<term>Host Address</term>
|
||
|
||
<listitem>
|
||
<para>This address type refer to a single host.</para>
|
||
|
||
<para>In IPv4, the format is <emphasis>i.j.k.l</emphasis> where
|
||
<emphasis>i</emphasis> through <emphasis>l</emphasis> are decimal
|
||
numbers between 1 and 255.</para>
|
||
|
||
<para>In IPv6, the format is <emphasis>a:b:c:d:e:f:g:h</emphasis>
|
||
where <emphasis>a</emphasis> through <emphasis>h</emphasis> consist
|
||
of 1 to 4 hexidecimal digits (leading zeros may be omitted). a
|
||
single series of 0 addresses may be omitted. For example
|
||
2001:227:e857:1:0:0:0:0:1 may be written 2001:227:e857:1::1.</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
|
||
<varlistentry>
|
||
<term>Network Address</term>
|
||
|
||
<listitem>
|
||
<para>A network address refers to 1 or more hosts and consists of a
|
||
host address followed by a slash ("/") and a <firstterm>Variable
|
||
Length Subnet Mask</firstterm> (VLSM). This is known as
|
||
<firstterm>Classless Internet Domain Routing</firstterm> (CIDR)
|
||
notation.</para>
|
||
|
||
<para>The VLSM is a decimal number. For IPv4, it is in the range 0
|
||
through 32. For IPv6, the range is 0 through 128. The number
|
||
represents the number of leading bits in the address that represent
|
||
the network address; the remainder of the bits are a host address
|
||
and are generally given as zero.</para>
|
||
|
||
<para>Examples:</para>
|
||
|
||
<para>IPv4: 192.168.1.0/24</para>
|
||
|
||
<para>IPv6: 2001:227:e857:1:0:0:0:0:1/64</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
</variablelist>
|
||
|
||
<para>In the Shorewall documentation and manpages, we have tried to make
|
||
it clear which type of address is accepted in each specific case.</para>
|
||
|
||
<para>For more information about addressing, see the<ulink
|
||
url="shorewall_setup_guide.htm#Addressing"> Setup Guide</ulink>.</para>
|
||
</section>
|
||
|
||
<section id="SOURCE-DEST">
|
||
<title>Specifying SOURCE and DEST</title>
|
||
|
||
<para>Entries in Shorewall configuration files often deal with the source
|
||
(SOURCE) and destination (DEST) of connections and Shorewall implements a
|
||
uniform way for specifying them.</para>
|
||
|
||
<para>A SOURCE or DEST consists of one to three parts separated by colons
|
||
(":"):</para>
|
||
|
||
<orderedlist>
|
||
<listitem>
|
||
<para>ZONE — The name of a zone declared in
|
||
<filename>/etc/shorewall/zones</filename> or
|
||
<filename>/etc/shorewall6/zones</filename>. This part is only
|
||
available in the rules file (<filename>/etc/shorewall/rules</filename>
|
||
and <filename>/etc/shorewall6/rules</filename>).</para>
|
||
</listitem>
|
||
|
||
<listitem>
|
||
<para>INTERFACE — The name of an interface that matches an entry in
|
||
<filename>/etc/shorewall/interfaces</filename>
|
||
(<filename>/etc/shorewall6/interfaces</filename>).</para>
|
||
</listitem>
|
||
|
||
<listitem>
|
||
<para>ADDRESS LIST — A list of one or more addresses (host or network)
|
||
or address ranges, separated by commas. In an IPv6 configuration, this
|
||
list must be includef in square or angled brackets ("[...]" or
|
||
"<...>"). The list may have <link
|
||
linkend="Exclusion">exclusion</link>.</para>
|
||
</listitem>
|
||
</orderedlist>
|
||
|
||
<para>Examples.</para>
|
||
|
||
<orderedlist>
|
||
<listitem>
|
||
<para>All hosts in the <emphasis role="bold">net</emphasis> zone —
|
||
<emphasis role="bold">net</emphasis></para>
|
||
</listitem>
|
||
|
||
<listitem>
|
||
<para>Subnet 192.168.1.0/29 in the <emphasis
|
||
role="bold">loc</emphasis> zone — <emphasis
|
||
role="bold">loc:192.168.1.0/29</emphasis></para>
|
||
</listitem>
|
||
|
||
<listitem>
|
||
<para>All hosts in the net zone connecting through <filename
|
||
class="devicefile">ppp0</filename> — <emphasis
|
||
role="bold">net:ppp0</emphasis></para>
|
||
</listitem>
|
||
|
||
<listitem>
|
||
<para>All hosts interfaced by <filename
|
||
class="devicefile">eth3</filename> — <emphasis
|
||
role="bold">eth3</emphasis></para>
|
||
</listitem>
|
||
|
||
<listitem>
|
||
<para>Subnet 10.0.1.0/24 interfacing through <filename><filename
|
||
class="devicefile">eth2</filename></filename> — <emphasis
|
||
role="bold">eth2:10.0.1.0/24</emphasis></para>
|
||
</listitem>
|
||
|
||
<listitem>
|
||
<para>Host 2002:ce7c:92b4:1:a00:27ff:feb1:46a9 in the <emphasis
|
||
role="bold">loc</emphasis> zone — <emphasis
|
||
role="bold">loc:[2002:ce7c:92b4:1:a00:27ff:feb1:46a9]</emphasis></para>
|
||
</listitem>
|
||
</orderedlist>
|
||
</section>
|
||
|
||
<section id="INCLUDE">
|
||
<title>INCLUDE Directive</title>
|
||
|
||
<para>Any configuration file may contain INCLUDE directives. An INCLUDE
|
||
directive consists of the word INCLUDE followed by a path name and causes
|
||
the contents of the named file to be logically included into the file
|
||
containing the INCLUDE. Relative path names given in an INCLUDE directive
|
||
are resolved using the current CONFIG_PATH setting (see <ulink
|
||
url="manpages/shorewall.conf.html">shorewall.conf</ulink>(5)).</para>
|
||
|
||
<para>INCLUDE's may be nested to a level of 3 -- further nested INCLUDE
|
||
directives are ignored with a warning message.</para>
|
||
|
||
<caution>
|
||
<para>If you are using <ulink
|
||
url="CompiledPrograms.html%23Lite">Shorewall Lite</ulink> , it is not
|
||
advisable to use INCLUDE in the <filename>params</filename> file in an
|
||
export directory. If you do that, you must ensure that the included file
|
||
is also present on the firewall system's <filename
|
||
class="directory">/etc/shorewall-lite/</filename> directory.</para>
|
||
|
||
<para>If you only need the <filename>params</filename> file at compile
|
||
time, you can set EXPORTPARAMS=No in
|
||
<filename>shorewall.conf</filename>. That prevents the
|
||
<filename>params</filename> file from being copied into the compiled
|
||
script. With EXPORTPARAMS=No, it is perfectly okay to use INCLUDE in the
|
||
<filename>params</filename> file.</para>
|
||
</caution>
|
||
|
||
<example id="include">
|
||
<title>Use of INCLUDE</title>
|
||
|
||
<programlisting> shorewall/params.mgmt:
|
||
|
||
MGMT_SERVERS=1.1.1.1,2.2.2.2,3.3.3.3
|
||
TIME_SERVERS=4.4.4.4
|
||
BACKUP_SERVERS=5.5.5.5
|
||
|
||
----- end params.mgmt -----
|
||
|
||
shorewall/params:
|
||
|
||
# Shorewall 1.3 /etc/shorewall/params
|
||
[..]
|
||
#######################################
|
||
|
||
INCLUDE params.mgmt
|
||
|
||
# params unique to this host here
|
||
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
|
||
|
||
----- end params -----
|
||
|
||
shorewall/rules.mgmt:
|
||
|
||
ACCEPT net:$MGMT_SERVERS $FW tcp 22
|
||
ACCEPT $FW net:$TIME_SERVERS udp 123
|
||
ACCEPT $FW net:$BACKUP_SERVERS tcp 22
|
||
|
||
----- end rules.mgmt -----
|
||
|
||
shorewall/rules:
|
||
|
||
# Shorewall version 1.3 - Rules File
|
||
[..]
|
||
#######################################
|
||
|
||
INCLUDE rules.mgmt
|
||
|
||
# rules unique to this host here
|
||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||
|
||
----- end rules -----</programlisting>
|
||
|
||
<para>You may include multiple files in one command using an <link
|
||
linkend="Embedded">embedded shell command</link>.</para>
|
||
|
||
<para>Example (include all of the files ending in ".rules" in a
|
||
directory:):<programlisting>gateway:/etc/shorewall # ls rules.d
|
||
ALL.rules DNAT.rules FW.rules NET.rules REDIRECT.rules VPN.rules
|
||
gateway:/etc/shorewall # </programlisting></para>
|
||
|
||
<para>/etc/shorewall/rules:<programlisting>SECTION NEW
|
||
SHELL cat /etc/shorewall/rules.d/*.rules</programlisting></para>
|
||
</example>
|
||
</section>
|
||
|
||
<section id="Variables">
|
||
<title>Using Shell Variables</title>
|
||
|
||
<para>You may use the <filename>/etc/shorewall/params</filename> file to
|
||
set shell variables that you can then use in the other configuration
|
||
files.</para>
|
||
|
||
<para>It is suggested that variable names begin with an upper case letter
|
||
to distinguish them from variables used internally within the Shorewall
|
||
programs</para>
|
||
|
||
<para>The following variable names must be avoided. Those in <emphasis
|
||
role="bold">bold font</emphasis> must be avoided in all Shorewall
|
||
versions; those in regular font must be avoided in versions prior to
|
||
4.4.8.</para>
|
||
|
||
<simplelist>
|
||
<member><emphasis role="bold">Any option from <ulink
|
||
url="manpages/shorewall.conf.html">shorewall.conf</ulink>
|
||
(5)</emphasis></member>
|
||
|
||
<member><emphasis role="bold">COMMAND</emphasis></member>
|
||
|
||
<member><emphasis role="bold">CONFDIR</emphasis></member>
|
||
|
||
<member>DEBUG</member>
|
||
|
||
<member>ECHO_E</member>
|
||
|
||
<member>ECHO_N</member>
|
||
|
||
<member>EXPORT</member>
|
||
|
||
<member>FAST</member>
|
||
|
||
<member>FILEMODE</member>
|
||
|
||
<member>HOSTNAME</member>
|
||
|
||
<member>IPT_OPTIONS</member>
|
||
|
||
<member>NOROUTES</member>
|
||
|
||
<member>PREVIEW</member>
|
||
|
||
<member>PRODUCT</member>
|
||
|
||
<member>PROFILE</member>
|
||
|
||
<member>PURGE</member>
|
||
|
||
<member>RECOVERING</member>
|
||
|
||
<member>RESTOREPATH</member>
|
||
|
||
<member>RING_BELL</member>
|
||
|
||
<member><emphasis role="bold">SHAREDIR</emphasis></member>
|
||
|
||
<member><emphasis role="bold">Any name beginning with SHOREWALL_ or
|
||
SW_</emphasis></member>
|
||
|
||
<member>STOPPING</member>
|
||
|
||
<member>TEST</member>
|
||
|
||
<member>TIMESTAMP</member>
|
||
|
||
<member>USE_VERBOSITY</member>
|
||
|
||
<member><emphasis role="bold">VARDIR</emphasis></member>
|
||
|
||
<member>VERBOSE</member>
|
||
|
||
<member>VERBOSE_OFFSET</member>
|
||
|
||
<member>VERSION</member>
|
||
</simplelist>
|
||
|
||
<para>Example:</para>
|
||
|
||
<blockquote>
|
||
<programlisting> /etc/shorewall/params
|
||
|
||
NET_IF=eth0
|
||
NET_BCAST=130.252.100.255
|
||
NET_OPTIONS=routefilter,routefilter
|
||
|
||
/etc/shorewall/interfaces record:
|
||
|
||
net $NET_IF $NET_BCAST $NET_OPTIONS
|
||
|
||
The result will be the same as if the record had been written
|
||
|
||
net eth0 130.252.100.255 routefilter,routefilter
|
||
</programlisting>
|
||
</blockquote>
|
||
|
||
<para>Variables may be used anywhere in the other configuration
|
||
files.<note>
|
||
<para>If you use "$FW" on the right side of assignments in the
|
||
<filename>/etc/shorewall/params</filename> file, you must also set the
|
||
FW variable in that file.</para>
|
||
|
||
<para>Example:<programlisting>/etc/shorewall/zones:
|
||
|
||
#ZONE TYPE OPTIONS
|
||
<emphasis role="bold">fw</emphasis> firewall
|
||
|
||
/etc/shorewall/params:
|
||
|
||
FW=<emphasis role="bold">fw</emphasis>
|
||
BLARG=$FW:206.124.146.176</programlisting></para>
|
||
</note></para>
|
||
|
||
<para>Because the <filename>/etc/shorewall/params</filename> file is
|
||
simply sourced into the shell, you can place arbitrary shell code in the
|
||
file and it will be executed each time that the file is read. Any code
|
||
included should follow these guidelines:</para>
|
||
|
||
<orderedlist>
|
||
<listitem>
|
||
<para>The code should not have side effects, especially on other
|
||
shorewall configuration files.</para>
|
||
</listitem>
|
||
|
||
<listitem>
|
||
<para>The code should be safe to execute multiple times without
|
||
producing different results.</para>
|
||
</listitem>
|
||
|
||
<listitem>
|
||
<para>Should not depend on where the code is called from.</para>
|
||
</listitem>
|
||
|
||
<listitem>
|
||
<para>Should not assume anything about the state of Shorewall.</para>
|
||
</listitem>
|
||
|
||
<listitem>
|
||
<para>The names of any functions or variables declared should begin
|
||
with an upper case letter.</para>
|
||
</listitem>
|
||
|
||
<listitem>
|
||
<para>The <filename>/etc/shorewall/params</filename> file is processed
|
||
by the compiler at compile-time and by the compiled script at
|
||
run-time. If you have set EXPORTPARAMS=No in
|
||
<filename>shorewall.conf</filename>, then the
|
||
<filename><filename>params</filename></filename> file is only
|
||
processed by the compiler; it is not run by the compiled
|
||
script.</para>
|
||
</listitem>
|
||
|
||
<listitem>
|
||
<para>If you are using <ulink
|
||
url="CompiledPrograms.html#Lite">Shorewall Lite</ulink> and if the
|
||
<filename>params</filename> script needs to set shell variables based
|
||
on the configuration of the firewall system, you can use this
|
||
trick:</para>
|
||
|
||
<programlisting>EXT_IP=$(ssh root@firewall "/sbin/shorewall-lite call find_first_interface_address eth0")</programlisting>
|
||
|
||
<para>The <command>shorewall-lite call</command> command allows you to
|
||
to call interactively any Shorewall function that you can call in an
|
||
extension script.</para>
|
||
</listitem>
|
||
</orderedlist>
|
||
|
||
<note>
|
||
<para>Within your configuration files, only the $VAR and ${VAR} forms of
|
||
variable expansion are supported. You may not use the more exotic forms
|
||
supported by the shell (${VAR:=val}, ${VAR:-val}, ...)</para>
|
||
</note>
|
||
</section>
|
||
|
||
<section id="Embedded">
|
||
<title>Embedded Shell and Perl</title>
|
||
|
||
<para>Earlier versions of Shorewall offered <ulink
|
||
url="shorewall_extension_scripts.htm">extension scripts</ulink> to allow
|
||
users to extend Shorewall's functionality. Extension scripts were designed
|
||
to work under the limitations of the Bourne Shell. With the current
|
||
Perl-based compiler, <firstterm>Embedded scripts</firstterm> offer a
|
||
richer and more flexible extension capability.</para>
|
||
|
||
<para>While inline scripts may be written in either Shell or Perl, those
|
||
written in Perl have a lot more power.</para>
|
||
|
||
<para>Embedded scripts can be either single-line or multi-line. Single
|
||
line scripts take one of the following forms:</para>
|
||
|
||
<itemizedlist>
|
||
<listitem>
|
||
<para><emphasis role="bold">PERL</emphasis> <<emphasis>perl
|
||
script</emphasis>></para>
|
||
</listitem>
|
||
|
||
<listitem>
|
||
<para><emphasis role="bold">SHELL</emphasis> <<emphasis>shell
|
||
script</emphasis>></para>
|
||
</listitem>
|
||
</itemizedlist>
|
||
|
||
<para>Shell scripts run in a child shell process and their output is piped
|
||
back to the compiler which processes that output as if it were embedded at
|
||
the point of the script.</para>
|
||
|
||
<para>Example: The following entries in
|
||
<filename>/etc/shorewall/rules</filename> are equivalent:<programlisting>SHELL for z in net loc dmz; do echo "ACCEPT $z fw tcp 22"; done</programlisting><programlisting>ACCEPT net fw tcp 22
|
||
ACCEPT loc fw tcp 22
|
||
ACCEPT dmz fw tcp 22</programlisting></para>
|
||
|
||
<para>Perl scripts run in the context of of the compiler process using
|
||
Perl's eval() function. Perl scripts are implicitly prefixed by the
|
||
following:</para>
|
||
|
||
<programlisting>package Shorewall::User;
|
||
use Shorewall::Config qw/shorewall/;</programlisting>
|
||
|
||
<para>To produce output that will be processed by the compiler as if it
|
||
were embedded in the file at the point of the script, pass that output to
|
||
the Shorewall::Config::shorewall() function. The Perl equivalent of the
|
||
above SHELL script would be:<programlisting>PERL for ( qw/net loc dmz/ ) { shorewall "ACCEPT $_ fw tcp 22"; }</programlisting>A
|
||
couple of more points should be mentioned:</para>
|
||
|
||
<orderedlist>
|
||
<listitem>
|
||
<para>Compile-time extension scripts are also implicitly prefixed by
|
||
"package Shorewall::User;".</para>
|
||
</listitem>
|
||
|
||
<listitem>
|
||
<para>A <emphasis role="bold">compile</emphasis> extension script is
|
||
supported. That script is run early in the compilation process and
|
||
allows users to load additional modules and to define data and
|
||
functions for use in subsequent embedded scripts and extension
|
||
scripts.</para>
|
||
</listitem>
|
||
|
||
<listitem>
|
||
<para><ulink url="ManualChains.html">Manual Chains</ulink> may be
|
||
added in the <emphasis role="bold">compile</emphasis> extension
|
||
script..</para>
|
||
</listitem>
|
||
</orderedlist>
|
||
|
||
<para>Multi-line scripts use one of the following forms:<programlisting><emphasis
|
||
role="bold">BEGIN SHELL</emphasis>
|
||
<<emphasis>shell script</emphasis>>
|
||
<emphasis role="bold">END</emphasis> [ <emphasis role="bold">SHELL</emphasis> ]</programlisting><programlisting><emphasis
|
||
role="bold">BEGIN PERL</emphasis> [;]
|
||
<<emphasis>perl script</emphasis>>
|
||
<emphasis role="bold">END</emphasis> [ <emphasis role="bold">PERL</emphasis> ] [<emphasis
|
||
role="bold">;</emphasis>]</programlisting></para>
|
||
|
||
<para><emphasis role="bold">Note: </emphasis>The '[' and ']' above are
|
||
meta-characters which indicate that what they enclose is optional and may
|
||
be omitted. So you may follow PERL with a semicolon ( ';') or you may omit
|
||
the semicolon.</para>
|
||
</section>
|
||
|
||
<section id="dnsnames">
|
||
<title>Using DNS Names</title>
|
||
|
||
<caution>
|
||
<para>I personally recommend strongly against using DNS names in
|
||
Shorewall configuration files. If you use DNS names and you are called
|
||
out of bed at 2:00AM because Shorewall won't start as a result of DNS
|
||
problems then don't say that you were not forewarned.</para>
|
||
</caution>
|
||
|
||
<para>Host addresses in Shorewall configuration files may be specified as
|
||
either IP addresses or DNS Names.</para>
|
||
|
||
<para>DNS names in iptables rules aren't nearly as useful as they first
|
||
appear. When a DNS name appears in a rule, the iptables utility resolves
|
||
the name to one or more IP addresses and inserts those addresses into the
|
||
rule. So changes in the DNS->IP address relationship that occur after
|
||
the firewall has started have absolutely no effect on the firewall's rule
|
||
set.</para>
|
||
|
||
<para>For some sites, using DNS names is very risky. Here's an
|
||
example:</para>
|
||
|
||
<programlisting>teastep@ursa:~$ dig pop.gmail.com
|
||
|
||
; <<>> DiG 9.4.2-P1 <<>> pop.gmail.com
|
||
;; global options: printcmd
|
||
;; Got answer:
|
||
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1774
|
||
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 7, ADDITIONAL: 0
|
||
|
||
;; QUESTION SECTION:
|
||
;pop.gmail.com. IN A
|
||
|
||
;; ANSWER SECTION:
|
||
pop.gmail.com. <emphasis role="bold">300</emphasis> IN CNAME gmail-pop.l.google.com.
|
||
gmail-pop.l.google.com. <emphasis role="bold">300</emphasis> IN A 209.85.201.109
|
||
gmail-pop.l.google.com. <emphasis role="bold">300</emphasis> IN A 209.85.201.111</programlisting>
|
||
|
||
<para>Note that the TTL is 300 -- 300 seconds is only 5 minutes. So five
|
||
minutes later, the answer may change!</para>
|
||
|
||
<para>So this rule may work for five minutes then suddently stop
|
||
working:</para>
|
||
|
||
<programlisting>#ACTION SOURCE DEST PROTO DEST
|
||
# PORT(S)
|
||
POP(ACCEPT) loc net:pop.gmail.com</programlisting>
|
||
|
||
<para>If your firewall rules include DNS names then:</para>
|
||
|
||
<itemizedlist>
|
||
<listitem>
|
||
<para>If your <filename>/etc/resolv.conf </filename>is wrong then your
|
||
firewall won't start.</para>
|
||
</listitem>
|
||
|
||
<listitem>
|
||
<para>If your <filename>/etc/nsswitch.conf</filename> is wrong then
|
||
your firewall won't start.</para>
|
||
</listitem>
|
||
|
||
<listitem>
|
||
<para>If your Name Server(s) is(are) down then your firewall won't
|
||
start.</para>
|
||
</listitem>
|
||
|
||
<listitem>
|
||
<para>If your startup scripts try to start your firewall before
|
||
starting your DNS server then your firewall won't start.</para>
|
||
</listitem>
|
||
|
||
<listitem>
|
||
<para>Factors totally outside your control (your ISP's router is down
|
||
for example), can prevent your firewall from starting.</para>
|
||
</listitem>
|
||
|
||
<listitem>
|
||
<para>You must bring up your network interfaces prior to starting your
|
||
firewall.</para>
|
||
</listitem>
|
||
</itemizedlist>
|
||
|
||
<para>Each DNS name must be fully qualified and include a minimum of two
|
||
periods (although one may be trailing). This restriction is imposed by
|
||
Shorewall to insure backward compatibility with existing configuration
|
||
files.</para>
|
||
|
||
<example id="validdns">
|
||
<title>Valid DNS Names</title>
|
||
|
||
<itemizedlist>
|
||
<listitem>
|
||
<para>mail.shorewall.net</para>
|
||
</listitem>
|
||
|
||
<listitem>
|
||
<para>shorewall.net. (note the trailing period).</para>
|
||
</listitem>
|
||
</itemizedlist>
|
||
</example>
|
||
|
||
<example id="invaliddns">
|
||
<title>Invalid DNS Names</title>
|
||
|
||
<itemizedlist>
|
||
<listitem>
|
||
<para>mail (not fully qualified)</para>
|
||
</listitem>
|
||
|
||
<listitem>
|
||
<para>shorewall.net (only one period)</para>
|
||
</listitem>
|
||
</itemizedlist>
|
||
</example>
|
||
|
||
<para>DNS names may not be used as:</para>
|
||
|
||
<itemizedlist>
|
||
<listitem>
|
||
<para>The server address in a DNAT rule (/etc/shorewall/rules
|
||
file)</para>
|
||
</listitem>
|
||
|
||
<listitem>
|
||
<para>In the ADDRESS column of an entry in /etc/shorewall/masq.</para>
|
||
</listitem>
|
||
|
||
<listitem>
|
||
<para>In the <filename>/etc/shorewall/nat</filename> file.</para>
|
||
</listitem>
|
||
</itemizedlist>
|
||
|
||
<para>These restrictions are imposed by Netfilter and not by
|
||
Shorewall.</para>
|
||
</section>
|
||
|
||
<section id="Lists">
|
||
<title>Comma-separated Lists</title>
|
||
|
||
<para>Comma-separated lists are allowed in a number of contexts within the
|
||
configuration files. A comma separated list:</para>
|
||
|
||
<itemizedlist>
|
||
<listitem>
|
||
<para>Must not have any embedded white space.<programlisting> Valid: routefilter,dhcp,arpfilter
|
||
Invalid: routefilter, dhcp, arpfilter</programlisting></para>
|
||
</listitem>
|
||
|
||
<listitem>
|
||
<para>If you use line continuation to break a comma-separated list,
|
||
the comma must be the last thing on the continued line before '\'
|
||
unless the continuation line has no leading white space.</para>
|
||
</listitem>
|
||
|
||
<listitem>
|
||
<para>Entries in a comma-separated list may appear in any
|
||
order.</para>
|
||
</listitem>
|
||
</itemizedlist>
|
||
</section>
|
||
|
||
<section id="Compliment">
|
||
<title>Complementing an Address or Subnet</title>
|
||
|
||
<para>Where specifying an IP address, a subnet or an interface, you can
|
||
precede the item with <quote>!</quote> to specify the complement of the
|
||
item. For example, !192.168.1.4 means <quote>any host but
|
||
192.168.1.4</quote>. There must be no white space following the
|
||
<quote>!</quote>.</para>
|
||
</section>
|
||
|
||
<section id="Exclusion">
|
||
<title>Exclusion Lists</title>
|
||
|
||
<para>Where a comma-separated list of addresses is accepted, an
|
||
<firstterm>exclusion list</firstterm> may also be included. An exclusion
|
||
list is a comma-separated list of addresses that begins with "!".</para>
|
||
|
||
<para>Example:</para>
|
||
|
||
<programlisting>!192.168.1.3,192.168.1.12,192.168.1.32/27</programlisting>
|
||
|
||
<para>The above list refers to "All addresses except 192.168.1.3,
|
||
192.168.1.12 and 192.168.1.32-192.168.1.63.</para>
|
||
|
||
<para>Exclusion lists can also be added after a network address.</para>
|
||
|
||
<para>Example:</para>
|
||
|
||
<programlisting>192.168.1.0/24!192.168.1.3,192.168.1.12,192.168.1.32/27</programlisting>
|
||
|
||
<para>The above list refers to "All addresses in 192.168.1.0-192.168.1.255
|
||
except 192.168.1.3, 192.168.1.12 and 192.168.1.32-192.168.1.63.</para>
|
||
</section>
|
||
|
||
<section id="IPRanges">
|
||
<title>IP Address Ranges</title>
|
||
|
||
<para>If you kernel and iptables have iprange match support, you may use
|
||
IP address ranges in Shorewall configuration file entries; IP address
|
||
ranges have the syntax <<emphasis>low IP
|
||
address</emphasis>>-<<emphasis>high IP address</emphasis>>.
|
||
Example: 192.168.1.5-192.168.1.12.</para>
|
||
|
||
<para>To see if your kernel and iptables have the required support, use
|
||
the <command>shorewall show capabilities</command> command:</para>
|
||
|
||
<programlisting>>~ <command>shorewall show capabilities</command>
|
||
...
|
||
Shorewall has detected the following iptables/netfilter capabilities:
|
||
NAT: Available
|
||
Packet Mangling: Available
|
||
Multi-port Match: Available
|
||
Connection Tracking Match: Available
|
||
Packet Type Match: Not available
|
||
Policy Match: Available
|
||
Physdev Match: Available
|
||
<emphasis role="bold">IP range Match: Available <--------------</emphasis></programlisting>
|
||
</section>
|
||
|
||
<section id="Ports">
|
||
<title>Protocol Number/Names and Port Numbers/Service Names</title>
|
||
|
||
<para>Unless otherwise specified, when giving a protocol number you can
|
||
use either an integer or a protocol name from
|
||
<filename>/etc/protocols</filename>. Similarly, when giving a port number
|
||
you can use either an integer or a service name from
|
||
<filename>/etc/services</filename>.<note>
|
||
<para>The rules compiler translates protocol names to protocol numbers
|
||
and service names to port numbers itself.</para>
|
||
</note></para>
|
||
|
||
<para>Also, unless otherwise documented, a protocol number/name can be
|
||
preceded by '!' to specify "All protocols except this one" (e.g.,
|
||
"!tcp").</para>
|
||
</section>
|
||
|
||
<section id="ICMP">
|
||
<title>ICMP and ICMP6 Types and Codes</title>
|
||
|
||
<para>When dealing with ICMP, the DEST PORT specifies the type or type and
|
||
code. You may specify the numeric type, the numeric type and code
|
||
separated by a slash (e.g., 3/4) or you may use a type name.</para>
|
||
|
||
<para>Type names for IPv4 and their corresponding type or type/code
|
||
are:</para>
|
||
|
||
<programlisting>echo-reply' => 0
|
||
destination-unreachable => 3
|
||
network-unreachable => 3/0
|
||
host-unreachable => 3/1
|
||
protocol-unreachable => 3/2
|
||
port-unreachable => 3/3
|
||
fragmentation-needed => 3/4
|
||
source-route-failed => 3/5
|
||
network-unknown => 3/6
|
||
host-unknown => 3/7
|
||
network-prohibited => 3/9
|
||
host-prohibited => 3/10
|
||
TOS-network-unreachable => 3/11
|
||
TOS-host-unreachable => 3/12
|
||
communication-prohibited => 3/13
|
||
host-precedence-violation => 3/14
|
||
precedence-cutoff => 3/15
|
||
source-quench => 4
|
||
redirect => 5
|
||
network-redirect => 5/0
|
||
host-redirect => 5/1
|
||
TOS-network-redirect => 5/2
|
||
TOS-host-redirect => 5/3
|
||
echo-request => 8
|
||
router-advertisement => 9
|
||
router-solicitation => 10
|
||
time-exceeded => 11
|
||
ttl-zero-during-transit => 11/0
|
||
ttl-zero-during-reassembly=> 11/1
|
||
parameter-problem => 12
|
||
ip-header-bad => 12/0
|
||
required-option-missing => 12/1
|
||
timestamp-request => 13
|
||
timestamp-reply => 14
|
||
address-mask-request => 17
|
||
address-mask-reply => 18</programlisting>
|
||
|
||
<para>Type names for IPv6 and their corresponding type or type/code
|
||
are:</para>
|
||
|
||
<programlisting>destination-unreachable => 1
|
||
no-route' => 1/0
|
||
communication-prohibited => 1/1
|
||
address-unreachable' => 1/2
|
||
port-unreachable' => 1/3
|
||
packet-too-big => 2
|
||
time-exceeded' => 3
|
||
ttl-exceeded' => 3
|
||
ttl-zero-during-transit => 3/0
|
||
ttl-zero-during-reassembly => 3/1
|
||
parameter-problem => 4
|
||
bad-header => 4/0
|
||
unknown-header-type => 4/1
|
||
unknown-option => 4/2
|
||
echo-request => 128
|
||
echo-reply => 129
|
||
router-solicitation => 133
|
||
router-advertisement => 134
|
||
neighbour-solicitation => 135
|
||
neighbour-advertisement => 136
|
||
redirect => 137</programlisting>
|
||
</section>
|
||
|
||
<section id="Ranges">
|
||
<title>Port Ranges</title>
|
||
|
||
<para>If you need to specify a range of ports, the proper syntax is
|
||
<low port number>:<high port number>. For example, if you want
|
||
to forward the range of tcp ports 4000 through 4100 to local host
|
||
192.168.1.3, the entry in /etc/shorewall/rules is:</para>
|
||
|
||
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORTS(S)
|
||
DNAT net loc:192.168.1.3 tcp 4000:4100</programlisting>
|
||
|
||
<para>If you omit the low port number, a value of zero is assumed; if you
|
||
omit the high port number, a value of 65535 is assumed.</para>
|
||
|
||
<para>Also, unless otherwise documented, a port range can be preceded by
|
||
'!' to specify "All ports except those in this range" (e.g.,
|
||
"!4000:4100").</para>
|
||
</section>
|
||
|
||
<section id="Portlists">
|
||
<title>Port Lists</title>
|
||
|
||
<para>In most cases where a port or port range may appear, a
|
||
comma-separated list of ports or port ranges may also be entered.
|
||
Shorewall requires the Netfilter <emphasis
|
||
role="bold">multiport</emphasis> match capability if ports lists are used
|
||
(see the output of "<emphasis role="bold">shorewall show
|
||
capabilities</emphasis>").</para>
|
||
|
||
<para>Also, unless otherwise documented, a port list can be preceded by
|
||
'!' to specify "All ports except these" (e.g., "!80,443").</para>
|
||
|
||
<para>Prior to Shorewall 4.4.4, port lists appearing in the <ulink
|
||
url="manpages/shorewall-routestopped.html">shorewall-routestopped</ulink>
|
||
(5) file may specify no more than 15 ports; port ranges appearing in a
|
||
list count as two ports each.</para>
|
||
</section>
|
||
|
||
<section id="MAC">
|
||
<title>Using MAC Addresses</title>
|
||
|
||
<para>Media Access Control (MAC) addresses can be used to specify packet
|
||
source in several of the configuration files. In order to control traffic
|
||
to/from a host by its MAC address, the host must be on the same network as
|
||
the firewall.</para>
|
||
|
||
<para>To use this feature, your kernel must have MAC Address Match support
|
||
(CONFIG_IP_NF_MATCH_MAC) included.</para>
|
||
|
||
<para>MAC addresses are 48 bits wide and each Ethernet Controller has a
|
||
unique MAC address.</para>
|
||
|
||
<para>In GNU/Linux, MAC addresses are usually written as a series of 6 hex
|
||
numbers separated by colons.</para>
|
||
|
||
<example id="mac">
|
||
<title>MAC Address of an Ethernet Controller</title>
|
||
|
||
<programlisting> gateway:~ # <command>ip link ls dev eth0</command>
|
||
4: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc htb qlen 1000
|
||
link/ether <emphasis role="bold">02:00:08:E3:FA:55</emphasis> brd ff:ff:ff:ff:ff:ff
|
||
gateway:~ #</programlisting>
|
||
</example>
|
||
|
||
<para>Because Shorewall uses colons as a separator for address fields,
|
||
Shorewall requires MAC addresses to be written in another way. In
|
||
Shorewall, MAC addresses begin with a tilde (<quote>~</quote>) and consist
|
||
of 6 hex numbers separated by hyphens. In Shorewall, the MAC address in
|
||
the example above would be written <emphasis
|
||
role="bold">~02-00-08-E3-FA-55</emphasis>.</para>
|
||
|
||
<note>
|
||
<para>It is not necessary to use the special Shorewall notation in the
|
||
<filename><ulink
|
||
url="MAC_Validation.html">/etc/shorewall/maclist</ulink></filename>
|
||
file.</para>
|
||
</note>
|
||
</section>
|
||
|
||
<section id="RateLimit">
|
||
<title>Rate Limiting (Rate and Burst)</title>
|
||
|
||
<para>Shorewall supports rate limiting in a number of ways. When
|
||
specifying a rate limit, both a <firstterm>rate</firstterm> and a
|
||
<firstterm>burst</firstterm> value are given.</para>
|
||
|
||
<para>Example from <ulink
|
||
url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5):</para>
|
||
|
||
<simplelist>
|
||
<member>LOGRATE=10/minute</member>
|
||
|
||
<member>LOGBURST=5</member>
|
||
</simplelist>
|
||
|
||
<para>For each logging rule, the first time the rule is reached, the
|
||
packet will be logged; in fact, since the burst is 5, the first five
|
||
packets will be logged. After this, it will be 6 seconds (1 minute divided
|
||
by the rate of 10) before a message will be logged from the rule,
|
||
regardless of how many packets reach it. Also, every 6 seconds which
|
||
passes, one of the bursts will be regained; if no packets hit the rule for
|
||
30 seconds, the burst will be fully recharged; back where we
|
||
started.</para>
|
||
</section>
|
||
|
||
<section id="Logical">
|
||
<title>Logical Interface Names</title>
|
||
|
||
<para>When dealing with a complex configuration, it is often awkward to
|
||
use physical interface names in the Shorewall configuration.</para>
|
||
|
||
<itemizedlist>
|
||
<listitem>
|
||
<para>You need to remember which interface is which.</para>
|
||
</listitem>
|
||
|
||
<listitem>
|
||
<para>If you move the configuration to another firewall, the interface
|
||
names might not be the same.</para>
|
||
</listitem>
|
||
</itemizedlist>
|
||
|
||
<para>Beginning with Shorewall 4.4.4, you can use logical interface names
|
||
which are mapped to the actual interface using the
|
||
<option>physical</option> option in <ulink
|
||
url="manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>
|
||
(5).</para>
|
||
|
||
<para>Here is an example:</para>
|
||
|
||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||
net COM_IF detect dhcp,blacklist,tcpflags,optional,upnp,routefilter=0,nosmurfs,logmartians=0,physical=eth0
|
||
net EXT_IF detect dhcp,blacklist,tcpflags,optional,routefilter=0,nosmurfs,logmartians=0,proxyarp=1,physical=eth2
|
||
loc INT_IF detect dhcp,logmartians=1,routefilter=1,tcpflags,nets=172.20.1.0/24,physical=eth1
|
||
dmz VPS_IF detect logmartians=1,routefilter=0,routeback,physical=venet0
|
||
loc TUN_IF detect physical=tun+</programlisting>
|
||
|
||
<para>In this example, COM_IF is a logical interface name that refers to
|
||
Ethernet interface <filename class="devicefile">eth0</filename>, EXT_IF is
|
||
a logical interface name that refers to Ethernet interface <filename
|
||
class="devicefile">eth2</filename>, and so on.</para>
|
||
|
||
<para>Here are a couple of more files from the same configuration:</para>
|
||
|
||
<para><ulink url="manpages/shorewall-masq.html">shorewall-masq</ulink>
|
||
(5):</para>
|
||
|
||
<programlisting>#INTERFACE SOURCE ADDRESS
|
||
|
||
COMMENT Masquerade Local Network
|
||
COM_IF 0.0.0.0/0
|
||
EXT_IF !206.124.146.0/24 206.124.146.179:persistent</programlisting>
|
||
|
||
<para><ulink
|
||
url="manpages/shorewall-providers.html">shorewall-providers</ulink>
|
||
(5)</para>
|
||
|
||
<programlisting>#NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY
|
||
Avvanta 1 0x10000 main EXT_IF 206.124.146.254 loose,fallback INT_IF,VPS_IF,TUN_IF
|
||
Comcast 2 0x20000 main COM_IF detect balance INT_IF,VPS_IF,TUN_IF</programlisting>
|
||
|
||
<para>Note in particular that Shorewall translates TUN_IF to <filename
|
||
class="devicefile">tun*</filename> in the COPY column.</para>
|
||
</section>
|
||
|
||
<section>
|
||
<title>Zone and Chain Names</title>
|
||
|
||
<para>For a pair of zones, Shorewall creates two Netfilter chains; one for
|
||
connections in each direction. The names of these chains are formed by
|
||
separating the names of the two zones by either "2" or "-".</para>
|
||
|
||
<para>Example: Traffic from zone A to zone B would go through chain A2B
|
||
(think "A to B") or "A-B".</para>
|
||
|
||
<para>The default separator is "2" but you can override that by setting
|
||
ZONE_SEPARATOR="-" in <ulink
|
||
url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5).</para>
|
||
|
||
<para>Zones themselves have names that begin with a letter and are
|
||
composed of letters, numerals, and "_". The maximum length of a name is
|
||
dependent on the setting of LOGFORMAT in <ulink
|
||
url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5). See <ulink
|
||
url="manpages/shorewall-zones.html">shorewall-zones</ulink> (5) for
|
||
details.</para>
|
||
</section>
|
||
|
||
<section>
|
||
<title>Optional and Required Interfaces</title>
|
||
|
||
<para>Normally, Shorewall assumes that all interfaces described in <ulink
|
||
url="manpages/shorewall-interfaces.html">shorewall-interfaces</ulink> (5)
|
||
are going to be in an up and usable state when Shorewall starts or
|
||
restarts. You can alter that assumption by specifying the <emphasis
|
||
role="bold">optional</emphasis> option in the OPTIONS column.</para>
|
||
|
||
<para>When an interface is marked as optional, Shorewall will determine
|
||
the interface state at <command>start</command> and
|
||
<command>restart</command> and adjust its configuration
|
||
accordingly.</para>
|
||
|
||
<itemizedlist>
|
||
<listitem>
|
||
<para>The <emphasis role="bold">arp_filter</emphasis>, <emphasis
|
||
role="bold">arp_ignore</emphasis>, <emphasis
|
||
role="bold">routefilter</emphasis>, <emphasis
|
||
role="bold">logmartians</emphasis>, <emphasis
|
||
role="bold">proxyarp</emphasis> and <emphasis
|
||
role="bold">sourceroute</emphasis> options are not enforced when the
|
||
interface is down, thus avoiding an error message such
|
||
as:<programlisting>WARNING: Cannot set Martian logging on ppp0</programlisting></para>
|
||
</listitem>
|
||
|
||
<listitem>
|
||
<para>If the interface is associated with a provider in <ulink
|
||
url="manpages/shorewall-providers.html">shorewall-providers</ulink>
|
||
(5), <command>start</command> and <command>restart</command> will not
|
||
fail if the interface is not usable.</para>
|
||
</listitem>
|
||
|
||
<listitem>
|
||
<para>When DETECT_DNAT_IPADDRS=Yes in <ulink
|
||
url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5), DNAT
|
||
rules in shorewall-rules (5) involving the interface will be omitted
|
||
when the interface does not have an IP address.</para>
|
||
</listitem>
|
||
|
||
<listitem>
|
||
<para>If <emphasis role="bold">detect</emphasis> is specified in the
|
||
ADDRESS column of an entry in <ulink
|
||
url="manpages/shorewall-masq.html">shorewall-masq</ulink> (5) then the
|
||
firewall still start if the optional interface in the INTERFACE column
|
||
does not have an IP address.</para>
|
||
</listitem>
|
||
</itemizedlist>
|
||
|
||
<para>If you don't want the firewall to start unless a given interface is
|
||
usable, then specify required in the OPTIONS column of <ulink
|
||
url="manpages/shorewall-interfaces.html">shorewall-interfaces</ulink> (5).
|
||
If you have installed and configured the Shorewall-init package, then when
|
||
the interface becomes available, an automatic attempt will be made to
|
||
start the firewall.</para>
|
||
</section>
|
||
|
||
<section id="Levels">
|
||
<title>Shorewall Configurations</title>
|
||
|
||
<para>Shorewall allows you to have configuration directories other than
|
||
<filename class="directory">/etc/shorewall</filename>. The shorewall
|
||
check, start and restart commands allow you to specify an alternate
|
||
configuration directory and Shorewall will use the files in the alternate
|
||
directory rather than the corresponding files in /etc/shorewall. The
|
||
alternate directory need not contain a complete configuration; those files
|
||
not in the alternate directory will be read from <filename
|
||
class="directory">/etc/shorewall</filename>.<important>
|
||
<para>Shorewall requires that the file
|
||
<filename>/etc/shorewall/shorewall.conf</filename> to always exist.
|
||
Certain global settings are always obtained from that file. If you
|
||
create alternative configuration directories, do not remove
|
||
/etc/shorewall/shorewall.conf.</para>
|
||
</important></para>
|
||
|
||
<para>This facility permits you to easily create a test or temporary
|
||
configuration by</para>
|
||
|
||
<orderedlist>
|
||
<listitem>
|
||
<para>copying the files that need modification from /etc/shorewall to
|
||
a separate directory;</para>
|
||
</listitem>
|
||
|
||
<listitem>
|
||
<para>modify those files in the separate directory; and</para>
|
||
</listitem>
|
||
|
||
<listitem>
|
||
<para>specifying the separate directory in a <command>shorewall
|
||
start</command> or <command>shorewall restart</command> command (e.g.,
|
||
<command>shorewall restart /etc/testconfig</command> )</para>
|
||
</listitem>
|
||
</orderedlist>
|
||
</section>
|
||
|
||
<section id="Save">
|
||
<title>Saved Configurations</title>
|
||
|
||
<para>Shorewall allows you to <firstterm>save</firstterm> the
|
||
currently-running configuration in a form that permits it to be
|
||
re-installed quickly. When you save the configuration using the
|
||
<command>shorewall save</command> command, the running configuration is
|
||
saved in a file in the <filename
|
||
class="directory">/var/lib/shorewall</filename> directory. The default
|
||
name of that file is <filename>/var/lib/shorewall/restore</filename> but
|
||
you can specify a different name as part of the command. For example, the
|
||
command <command>shorewall save standard</command> will save the running
|
||
configuration in <filename>/var/lib/shorewall/standard</filename>. A saved
|
||
configuration is re-installed using the <command>shorewall
|
||
restore</command> command. Again, that command normally will restore the
|
||
configuration saved in <filename>/var/lib/shorewall/restore</filename> but
|
||
as with the <command>save</command> command, you can specify a different
|
||
file name in the command. For example, <command>shorewall restore
|
||
standard</command> will re-install the configuration saved in
|
||
<filename>/var/lib/shorewall/standard</filename>. By permitting you to
|
||
save different configurations under different names, Shorewall provides a
|
||
means for quickly switching between these different saved
|
||
configurations.</para>
|
||
|
||
<para>As mentioned above, the default configuration is called 'restore'
|
||
but like most things in Shorewall, that default can be changed. The
|
||
default name is specified using the <emphasis
|
||
role="bold">RESTOREFILE</emphasis> option in
|
||
<filename>/etc/shorewall/shorewall.conf</filename>.</para>
|
||
|
||
<warning>
|
||
<para>The default saved configuration is used by Shorewall in a number
|
||
of ways besides in the <command>restore</command> command; to avoid
|
||
surprises, I recommend that you read the <ulink
|
||
url="starting_and_stopping_shorewall.htm#Saved">Shorewall Operations
|
||
documentation section about saved configurations</ulink> before creating
|
||
one.</para>
|
||
</warning>
|
||
</section>
|
||
</article>
|