forked from extern/shorewall_code
d630f57305
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4029 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
467 lines
17 KiB
XML
467 lines
17 KiB
XML
<?xml version="1.0" encoding="UTF-8"?>
|
|
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
|
|
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
|
|
<article>
|
|
<!--$Id$-->
|
|
|
|
<articleinfo>
|
|
<title>Compiled Firewall Programs and Shorewall Lite</title>
|
|
|
|
<authorgroup>
|
|
<author>
|
|
<firstname>Tom</firstname>
|
|
|
|
<surname>Eastep</surname>
|
|
</author>
|
|
</authorgroup>
|
|
|
|
<pubdate>2006-06-08</pubdate>
|
|
|
|
<copyright>
|
|
<year>2006</year>
|
|
|
|
<holder>Thomas M. Eastep</holder>
|
|
</copyright>
|
|
|
|
<legalnotice>
|
|
<para>Permission is granted to copy, distribute and/or modify this
|
|
document under the terms of the GNU Free Documentation License, Version
|
|
1.2 or any later version published by the Free Software Foundation; with
|
|
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
|
Texts. A copy of the license is included in the section entitled
|
|
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
|
|
License</ulink></quote>.</para>
|
|
</legalnotice>
|
|
</articleinfo>
|
|
|
|
<section>
|
|
<title>Overview</title>
|
|
|
|
<para>Beginning with Shorewall version 3.1, Shorewall has the capability
|
|
to compile a Shorewall configuration and produce a runnable firewall
|
|
program script. The script is a complete program which can be placed in
|
|
the /etc/init.d/ directory on a system without Shorewall installed and can
|
|
serve as the firewall creation script for that system.</para>
|
|
|
|
<para>Compiled programs can also be created to instantiate special
|
|
configurations during parts of the day; for example, to disallow web
|
|
browsing between the hours of 9pm and 7AM. The program can be run as a
|
|
cron job at 9PM and another program run at 6AM to restore normal
|
|
operation.</para>
|
|
|
|
<section>
|
|
<title>Restrictions</title>
|
|
|
|
<para>While compiled Shorewall programs are useful in many cases, there
|
|
are some important restrictions that you should be aware of before
|
|
attempting to use them.</para>
|
|
|
|
<orderedlist>
|
|
<listitem>
|
|
<para>The <emphasis role="bold">detectnets</emphasis> interface
|
|
option is not supported.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>DYNAMIC_ZONES=Yes in <filename>shorewall.conf</filename> is
|
|
not supported.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>All extension scripts used are copied into the program. The
|
|
ramifications of this are:</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>If you update an extension script, the compiled program
|
|
will not use the updated script.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>The <filename>/etc/shorewall/params</filename> extension
|
|
script is executed at compile time as well as at run
|
|
time.</para>
|
|
|
|
<para>Running the script at compile time allows variable
|
|
expansion (expanding $variable to it's defined value) of
|
|
variables used in Shorewall configuration files to occur at
|
|
compile time. Running it at run-time allows your extension
|
|
scripts to use the variables that it creates. BUT -- for any
|
|
given variable, the value at compile time may be different from
|
|
the value at run-time unless you only assign constant
|
|
values.</para>
|
|
|
|
<para>For example, if you have:</para>
|
|
|
|
<programlisting>EXT_IP=$(fiind_first_interface_address eth0)</programlisting>
|
|
|
|
<para>in <filename>/etc/shorewall/params</filename> then all
|
|
occurrences of $EXT_IP in Shorewall configuration files will be
|
|
replaced with eth0's IP address when the program is being
|
|
compiled. On the other hand, if you use $EXT_IP in your
|
|
/etc/shorewall/start script, the value will be the IP address of
|
|
eth0 when the program is run.</para>
|
|
|
|
<para>Bottom line: You probably want to use only constant values
|
|
for variables set in
|
|
<filename>/etc/shorewall/params</filename>.</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>You must install Shorewall Lite on the system where you want
|
|
to run the script. You then install the compiled program in
|
|
/usr/share/shorewall/firewall and use the /sbin/shorewall program
|
|
included with Shorewall Lite to control the firewall just as if the
|
|
full Shorewall distribution was installed.</para>
|
|
</listitem>
|
|
</orderedlist>
|
|
</section>
|
|
</section>
|
|
|
|
<section>
|
|
<title>The "shorewall compile" command</title>
|
|
|
|
<para>A compiled script is produced using the <command>compile</command>
|
|
command:</para>
|
|
|
|
<blockquote>
|
|
<para><command>shorewall compile [ -e ] [ <directory name> ]
|
|
<path name></command></para>
|
|
</blockquote>
|
|
|
|
<para>where</para>
|
|
|
|
<blockquote>
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term>-e</term>
|
|
|
|
<listitem>
|
|
<para>Indicates that the program is to be "exported" to another
|
|
system. When this flag is set, the "detectnets" interface is not
|
|
allowed but the created program may be run on a system that has
|
|
only Shorewall Lite installed</para>
|
|
|
|
<para>When this flag is given, Shorewall does not probe the
|
|
current system to determine the kernel/iptables features that it
|
|
supports. It rather reads those capabilities from
|
|
<filename>/etc/shorewall/capabilities</filename>. See below for
|
|
details.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><directory name></term>
|
|
|
|
<listitem>
|
|
<para>specifies a directory to be searched for configuration files
|
|
before those directories listed in the CONFIG_PATH variable in
|
|
<filename>shorewall.conf</filename>.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><path name></term>
|
|
|
|
<listitem>
|
|
<para>specifies the name of the script to be created.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
</blockquote>
|
|
</section>
|
|
|
|
<section id="Lite">
|
|
<title>Shorewall Lite (Added in version 3.2.0 RC 1)</title>
|
|
|
|
<para>Shorewall Lite is a companion product to Shorewall and is designed
|
|
to allow you to maintain all Shorewall configuration information on a
|
|
single system within your network.</para>
|
|
|
|
<orderedlist numeration="loweralpha">
|
|
<listitem>
|
|
<para>You install the full Shorewall release on one system within your
|
|
network. You need not configure Shorewall there and you may totally
|
|
disable startup of Shorewall in your init scripts. For ease of
|
|
reference, we call this system the 'administrative system'.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>On each system where you wish to run a Shorewall-generated
|
|
firewall, you install Shorewall Lite. For ease of reference, we will
|
|
call these systems the 'firewall systems'.</para>
|
|
|
|
<note>
|
|
<para>The firewall systems do <emphasis role="bold">NOT</emphasis>
|
|
have the full Shorewall product installed but rather only the
|
|
Shorewall Lite product. Shorewall and Shorewall LIte may not be
|
|
installed on the same system.</para>
|
|
</note>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>On the administrative system you create a separete
|
|
'configuration directory' for each firewall system. You copy the
|
|
contents of /usr/share/shorewall/configfiles into each configuration
|
|
directory.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>On each firewall system, you run:</para>
|
|
|
|
<programlisting><command>/usr/share/shorewall/shorecap > capabilities</command>
|
|
<command>scp capabilities <admin system>:<this system's config dir></command></programlisting>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>On the administrative system, for each firewall system you do
|
|
the following (this may be done by a non-root user):</para>
|
|
|
|
<orderedlist>
|
|
<listitem>
|
|
<para>modify the files in the corresponding configuration
|
|
directory appropriately. It's a good idea to include the IP
|
|
address of the administrative system in the
|
|
<filename>routestopped</filename> file.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para></para>
|
|
|
|
<programlisting><command>cd <configuration directory></command>
|
|
<command>/sbin/shorewall compile -e . firewall</command>
|
|
<command>scp firewall root@<firewall system>:/usr/share/shorewall/</command></programlisting>
|
|
</listitem>
|
|
</orderedlist>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>On each firewall system:</para>
|
|
|
|
<para>Modify <filename>/etc/shorewall/shorewall.conf</filename> as
|
|
needed.</para>
|
|
|
|
<programlisting><command>shorewall start</command></programlisting>
|
|
</listitem>
|
|
</orderedlist>
|
|
|
|
<para>Shorewall Lite includes a very limited version of
|
|
<filename>/etc/shorewall/shorewall.conf</filename>. It includes the
|
|
following options which have the same meaning as in a full Shorewall
|
|
installation except as noted below:</para>
|
|
|
|
<blockquote>
|
|
<simplelist>
|
|
<member>VERBOSITY</member>
|
|
|
|
<member>LOGFILE</member>
|
|
|
|
<member>LOGFORMAT — used by <filename>/sbin/shorewall</filename> for
|
|
finding 'Shorewall' log messages only. The format of the messages
|
|
themselves is defined by the LOGFORMAT in shorewall.conf used when the
|
|
firewall script was compiled on the administrative system. If
|
|
LOGFORMAT was not specified at compile time then the firewall script
|
|
will use the value from
|
|
<filename>/etc/shorewall/shorewall.conf</filename> on the firewall
|
|
system.</member>
|
|
|
|
<member>IPTABLES — determines the iptables binary to be used by
|
|
<filename>/sbin/shorewall</filename>. The compiled firewall script
|
|
will use the IPTABLES specified in <filename>shorewall.conf</filename>
|
|
at compile-time on the administrative system; if IPTABLES was not
|
|
specified at compile time then the IPTABLES value from
|
|
<filename>/etc/shorewall/shorewall.conf</filename> on the firewall
|
|
system will be used by the firewall script.</member>
|
|
|
|
<member>PATH</member>
|
|
|
|
<member>SHOREWALL_SHELL</member>
|
|
|
|
<member>SUBSYSLOCK</member>
|
|
</simplelist>
|
|
</blockquote>
|
|
|
|
<para>The <filename>/sbin/shorewall</filename> program included with
|
|
Shorewall Lite supports the same set of commands as the one in a full
|
|
Shorewall installation with the following exceptions:</para>
|
|
|
|
<blockquote>
|
|
<simplelist>
|
|
<member>add</member>
|
|
|
|
<member>compile</member>
|
|
|
|
<member>delete</member>
|
|
|
|
<member>try</member>
|
|
|
|
<member>safe-start</member>
|
|
|
|
<member>safe-restart</member>
|
|
</simplelist>
|
|
</blockquote>
|
|
|
|
<section>
|
|
<title>Converting a system from Shorewall to Shorewall Lite</title>
|
|
|
|
<para>Converting a firewall system that is currently running Shorewall
|
|
to run Shorewall Lite instead is straight-forward.</para>
|
|
|
|
<orderedlist>
|
|
<listitem>
|
|
<para>On the administrative system, create a configuration directory
|
|
for the firewall system.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Copy the contents of <filename
|
|
class="directory">/etc/shorewall/</filename> from the firewall
|
|
system to the configuration directory on the administrative
|
|
system.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Uninstall Shorewall on the firewall system. I recommend
|
|
totally removing <filename
|
|
class="directory">/etc/shorewall</filename>, <filename
|
|
class="directory">/usr/share/shorewall</filename> and <filename
|
|
class="directory">/var/lib/shorewall</filename> after you have used
|
|
the relevant package manager to remove Shorewall.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Install Shorewall Lite on the firewall system.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>On the firewall system:</para>
|
|
|
|
<programlisting><command>/usr/share/shorewall/shorecap > capabilities</command>
|
|
<command>scp capabilities <admin system>:<this system's config dir></command></programlisting>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>On the administrative system:</para>
|
|
|
|
<para>It's a good idea to include the IP address of the
|
|
administrative system in the firewall system's
|
|
<filename>routestopped</filename> file.</para>
|
|
|
|
<programlisting><command>cd <configuration directory></command>
|
|
<command>/sbin/shorewall compile -e . firewall</command>
|
|
<command>scp firewall root@<firewall system>:/usr/share/shorewall/</command></programlisting>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>On the firewall system:</para>
|
|
|
|
<para>Modify <filename>/etc/shorewall/shorewall.conf</filename> as
|
|
needed.</para>
|
|
|
|
<programlisting><command>shorewall restart</command></programlisting>
|
|
|
|
<para>I recommend using the <command>restart</command> command
|
|
because many package managers don't clear shorewall as part of the
|
|
uninstall process.</para>
|
|
</listitem>
|
|
</orderedlist>
|
|
</section>
|
|
</section>
|
|
|
|
<section>
|
|
<title>The /etc/shorewall/capabilities file and the shorecap
|
|
program</title>
|
|
|
|
<para>As mentioned above, the /etc/shorewall/capabilities file specifies
|
|
that kernel/iptables capabilities of the target system. Here is a sample
|
|
file:</para>
|
|
|
|
<blockquote>
|
|
<programlisting>NAT_ENABLED=Yes # NAT
|
|
MANGLE_ENABLED=Yes # Packet Mangling
|
|
MULTIPORT=Yes # Multi-port Match
|
|
XMULTIPORT=Yes # Extended Multi-port Match
|
|
CONNTRACK_MATCH=Yes # Connection Tracking Match
|
|
USEPKTTYPE= # Packet Type Match
|
|
POLICY_MATCH=Yes # Policy Match
|
|
PHYSDEV_MATCH=Yes # Physdev Match
|
|
LENGTH_MATCH=Yes # Packet Length Match
|
|
IPRANGE_MATCH=Yes # IP range Match
|
|
RECENT_MATCH=Yes # Recent Match
|
|
OWNER_MATCH=Yes # Owner match
|
|
IPSET_MATCH= # Ipset Match
|
|
CONNMARK=Yes # CONNMARK Target
|
|
XCONNMARK=Yes # Extended CONNMARK Target
|
|
CONNMARK_MATCH=Yes # Connmark Match
|
|
XCONNMARK_MATCH=Yes # Extended Connmark Match
|
|
RAW_TABLE=Yes # Raw Table
|
|
IPP2P_MATCH= # IPP2P Match
|
|
CLASSIFY_TARGET=Yes # CLASSIFY Target
|
|
ENHANCED_REJECT=Yes # Extended REJECT
|
|
KLUDGEFREE= # iptables accepts multiple "-m iprange" or "-m physdev" in a single command
|
|
MARK=Yes # MARK Target Support
|
|
XMARK=YES # Extended MARK Target Support
|
|
MANGLE_FORWARD # Mangle table has FORWARD chain</programlisting>
|
|
</blockquote>
|
|
|
|
<para>As you can see, the file contains a simple list of shell variable
|
|
assignments -- the variables correspond to the capabilities listed by the
|
|
<command>shorewall show capabilities</command> command appear in the same
|
|
order as the output of that command.</para>
|
|
|
|
<para>To aid in creating this file, Shorewall Lite includes a
|
|
<command>shorecap</command> program. The program is installed in the
|
|
<filename>/usr/share/shorewall/</filename> directory and may be run as
|
|
follows:</para>
|
|
|
|
<blockquote>
|
|
<para><command>[ IPTABLES=<iptables binary> ] [
|
|
MODULESDIR=<kernel modules directory> ]
|
|
/usr/share/shorewall/shorecap > capabilities</command></para>
|
|
</blockquote>
|
|
|
|
<para>The IPTABLES and MODULESDIR options have their <ulink
|
|
url="Documentation.htm#Conf">usual Shorewall default
|
|
values</ulink>.</para>
|
|
|
|
<para>The <filename>capabilities</filename> file may then be copied to a
|
|
system with Shorewall installed and used when compiling firewall programs
|
|
to run on the remote system.</para>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Running compiled programs directly</title>
|
|
|
|
<para>Compiled firewall programs are complete programs that support the
|
|
following run-line commands:</para>
|
|
|
|
<blockquote>
|
|
<simplelist>
|
|
<member><command><program> [ -q ] [ -v ] [ -n ]
|
|
start</command></member>
|
|
|
|
<member><command><program> [ -q ] [ -v ] [ -n ]
|
|
stop</command></member>
|
|
|
|
<member><command><program> [ -q ] [ -v ] [ -n ]
|
|
clear</command></member>
|
|
|
|
<member><command><program> [ -q ] [ -v ] [ -n ]
|
|
restart</command></member>
|
|
|
|
<member><command><program> [ -q ] [ -v ] [ -n ]
|
|
status</command></member>
|
|
|
|
<member><command><program> [ -q ] [ -v ] [ -n ]
|
|
version</command></member>
|
|
</simplelist>
|
|
</blockquote>
|
|
|
|
<para>The options have their same meaning is when they are passed to
|
|
<filename>/sbin/shorewall</filename> itself. The default VERBOSITY level
|
|
is the level specified in the shorewall.conf file used when then program
|
|
was compiled.</para>
|
|
</section>
|
|
</article> |