forked from extern/shorewall_code
abf477019c
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2922 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
531 lines
20 KiB
XML
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<article id="standalone">
  <!--$Id$-->

  <articleinfo>
    <title>Standalone Firewall</title>

    <authorgroup>
      <author>
        <firstname>Tom</firstname>

        <surname>Eastep</surname>
      </author>
    </authorgroup>

    <pubdate>2005-10-20</pubdate>

    <copyright>
      <year>2002-2005</year>

      <holder>Thomas M. Eastep</holder>
    </copyright>

    <legalnotice>
      <para>Permission is granted to copy, distribute and/or modify this
      document under the terms of the GNU Free Documentation License, Version
      1.2 or any later version published by the Free Software Foundation; with
      no Invariant Sections, with no Front-Cover, and with no Back-Cover
      Texts. A copy of the license is included in the section entitled
      <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
      License</ulink></quote>.</para>
    </legalnotice>
  </articleinfo>

  <section>
    <title>Introduction</title>

    <para>Setting up Shorewall on a standalone Linux system is very easy if
    you understand the basics and follow the documentation.</para>

    <para>This guide doesn't attempt to acquaint you with all of the features
    of Shorewall. It rather focuses on what is required to configure Shorewall
    in one of its most common configurations:</para>

    <itemizedlist>
      <listitem>
        <para>Linux system</para>
      </listitem>

      <listitem>
        <para>Single external IP address</para>
      </listitem>

      <listitem>
        <para>Connection through Cable Modem, DSL, ISDN, Frame Relay,
        dial-up... or connected to a LAN and you simply wish to protect your
        Linux system from other systems on that LAN.</para>
      </listitem>
    </itemizedlist>

    <section>
      <title>Requirements</title>

      <para>Shorewall requires that you have the iproute/iproute2 package
      installed (on RedHat, the package is called
      <emphasis>iproute</emphasis>). You can tell if this package is installed
      by the presence of an <emphasis role="bold">ip</emphasis> program on
      your firewall system. As root, you can use the <quote>which</quote>
      command to check for this program:</para>

      <programlisting>[root@gateway root]# <command>which ip</command>
/sbin/ip
[root@gateway root]#</programlisting>
    </section>

    <section>
      <title>Before you start</title>

      <para>I recommend that you read through the guide first to familiarize
      yourself with what's involved, then go back through it again making your
      configuration changes.</para>

      <caution>
        <para>If you edit your configuration files on a Windows system, you
        must save them as Unix files if your editor supports that option or
        you must run them through dos2unix before trying to use them.
        Similarly, if you copy a configuration file from your Windows hard
        drive to a floppy disk, you must run dos2unix against the copy before
        using it with Shorewall.</para>

        <simplelist>
          <member><ulink url="http://www.simtel.net/pub/pd/51438.html">Windows
          Version of dos2unix</ulink></member>

          <member><ulink
          url="http://www.megaloman.com/~hany/software/hd2u/">Linux Version of
          dos2unix</ulink></member>
        </simplelist>
      </caution>
    </section>

    <section>
      <title>Conventions</title>

      <para>Points at which configuration changes are recommended are flagged
      with <inlinegraphic fileref="images/BD21298_.gif"
      format="GIF" />.</para>
    </section>
  </section>
  <section>
    <title>PPTP/ADSL</title>

    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>

    <para>If you have an ADSL Modem and you use PPTP to communicate with a
    server in that modem, you must make the <ulink
    url="PPTP.htm#PPTP_ADSL">changes recommended here</ulink> <emphasis
    role="underline">in addition to those described in the steps
    below</emphasis>. ADSL with PPTP is most commonly found in Europe, notably
    in Austria.</para>
  </section>

  <section>
    <title>Shorewall Concepts</title>

    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>

    <para>The configuration files for Shorewall are contained in the directory
    <filename class="directory">/etc/shorewall</filename> -- for simple
    setups, you only need to deal with a few of these as described in this
    guide. After you have <ulink url="Install.htm">installed
    Shorewall</ulink>, you can find the Samples as follows:</para>

    <orderedlist>
      <listitem>
        <para>If you installed using an RPM, the samples will be in the
        Samples/one-interface/ subdirectory of the Shorewall documentation
        directory. If you don't know where the Shorewall documentation
        directory is, you can find the samples using this command:</para>

        <programlisting>~# rpm -ql shorewall | fgrep one-interface
/usr/share/doc/packages/shorewall/Samples/one-interface
/usr/share/doc/packages/shorewall/Samples/one-interface/interfaces
/usr/share/doc/packages/shorewall/Samples/one-interface/policy
/usr/share/doc/packages/shorewall/Samples/one-interface/rules
/usr/share/doc/packages/shorewall/Samples/one-interface/zones
~#</programlisting>
      </listitem>

      <listitem>
        <para>If you installed using the tarball, the samples are in the
        Samples/one-interface directory in the tarball.</para>
      </listitem>
    </orderedlist>

    <warning>
      <para><emphasis role="bold">Note to Debian Users</emphasis></para>

      <para>If you install using the .deb, you will find that your <filename
      class="directory">/etc/shorewall</filename> directory is empty. This is
      intentional. The released configuration file skeletons may be found on
      your system in the directory <filename
      class="directory">/usr/share/doc/shorewall/default-config</filename>.
      Simply copy the files you need from that directory to <filename
      class="directory">/etc/shorewall</filename> and modify the
      copies.</para>

      <para>Note that you must copy
      <filename>/usr/share/doc/shorewall/default-config/shorewall.conf</filename>
      and <filename>/usr/share/doc/shorewall/default-config/modules</filename>
      to <filename class="directory">/etc/shorewall</filename> even if you do
      not modify those files.</para>
    </warning>

    <para>As each file is introduced, I suggest that you look through the
    actual file on your system -- each file contains detailed configuration
    instructions and default entries.</para>

    <para>Shorewall views the network where it is running as being composed of
    a set of <emphasis>zones</emphasis>. In the one-interface sample
    configuration, only two zones are defined:</para>

    <programlisting>#ZONE   TYPE      OPTIONS         IN                      OUT
#                                 OPTIONS                 OPTIONS
fw      firewall
net     ipv4</programlisting>

    <para>Shorewall zones are defined in <ulink
    url="Documentation.htm#Zones"><filename>/etc/shorewall/zones</filename></ulink>.</para>

    <para>Note that Shorewall recognizes the firewall system as its own zone.
    The name of the firewall zone (<emphasis role="bold">fw</emphasis> in the
    above example) is stored in the shell variable <firstterm>$FW</firstterm>
    which may be used throughout the rest of the Shorewall configuration to
    refer to the firewall itself.</para>

    <para>Rules about what traffic to allow and what traffic to deny are
    expressed in terms of zones.</para>

    <itemizedlist>
      <listitem>
        <para>You express your default policy for connections from one zone to
        another zone in the <ulink
        url="Documentation.htm#Policy"><filename>/etc/shorewall/policy</filename></ulink>
        file.</para>
      </listitem>

      <listitem>
        <para>You define exceptions to those default policies in the <ulink
        url="Documentation.htm#Rules"><filename>/etc/shorewall/rules</filename></ulink>
        file.</para>
      </listitem>
    </itemizedlist>

    <para>For each connection request entering the firewall, the request is
    first checked against the <filename>/etc/shorewall/rules</filename> file.
    If no rule in that file matches the connection request then the first
    policy in <filename>/etc/shorewall/policy</filename> that matches the
    request is applied. If there is a <ulink
    url="shorewall_extension_scripts.htm">common action</ulink> defined for
    the policy in <filename>/etc/shorewall/actions</filename> or
    <filename>/usr/share/shorewall/actions.std</filename> then that action is
    performed before the policy is applied.</para>

    <para>The <filename>/etc/shorewall/policy</filename> file included with
    the one-interface sample has the following policies:</para>

    <programlisting>#SOURCE ZONE   DESTINATION ZONE   POLICY   LOG LEVEL   LIMIT:BURST
$FW            net                ACCEPT
net            all                DROP     info
all            all                REJECT   info</programlisting>

    <para>The above policy will:</para>

    <orderedlist>
      <listitem>
        <para>allow all connection requests from the firewall to the
        internet</para>
      </listitem>

      <listitem>
        <para>drop (ignore) all connection requests from the internet to your
        firewall</para>
      </listitem>

      <listitem>
        <para>reject all other connection requests (Shorewall requires this
        catchall policy).</para>
      </listitem>
    </orderedlist>

    <para>At this point, edit your <filename>/etc/shorewall/policy</filename>
    and make any changes that you wish.</para>
  </section>

  <section>
    <title>External Interface</title>

    <para>The firewall has a single network interface. Where Internet
    connectivity is through a cable or DSL <quote>Modem</quote>, the
    <emphasis>External Interface</emphasis> will be the ethernet adapter
    (<emphasis role="bold">eth0</emphasis>) that is connected to that
    <quote>Modem</quote> <emphasis role="underline">unless</emphasis> you
    connect via <emphasis>Point-to-Point Protocol over Ethernet</emphasis>
    (PPPoE) or <emphasis>Point-to-Point Tunneling Protocol</emphasis> (PPTP),
    in which case the External Interface will be <emphasis
    role="bold">ppp0</emphasis>. If you connect via a regular modem, your
    External Interface will also be <emphasis role="bold">ppp0</emphasis>. If
    you connect using ISDN, your external interface will be <emphasis
    role="bold">ippp0</emphasis>.</para>

    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>

    <para>The Shorewall one-interface sample configuration assumes that the
    external interface is <emphasis role="bold">eth0</emphasis>. If your
    configuration is different, you will have to modify the sample
    <filename>/etc/shorewall/interfaces</filename> file accordingly. While you
    are there, you may wish to review the list of options that are specified
    for the interface. Some hints:</para>

    <tip>
      <para>If your external interface is <emphasis
      role="bold">ppp0</emphasis> or <emphasis role="bold">ippp0</emphasis>,
      you can replace the <quote>detect</quote> in the second column with
      <quote>-</quote>.</para>
    </tip>

    <tip>
      <para>If your external interface is <emphasis
      role="bold">ppp0</emphasis> or <emphasis role="bold">ippp0</emphasis> or
      if you have a static IP address, you can remove <quote>dhcp</quote> from
      the option list.</para>
    </tip>
  </section>

  <section>
    <title>IP Addresses</title>

    <para>RFC 1918 reserves several <emphasis>Private</emphasis> IP address
    ranges for use in private networks:</para>

    <programlisting>10.0.0.0    - 10.255.255.255
172.16.0.0  - 172.31.255.255
192.168.0.0 - 192.168.255.255</programlisting>

    <para>These addresses are sometimes referred to as
    <emphasis>non-routable</emphasis> because the Internet backbone routers
    will not forward a packet whose destination address is reserved by RFC
    1918. In some cases though, ISPs are assigning these addresses then using
    <emphasis>Network Address Translation</emphasis> to rewrite packet headers
    when forwarding to/from the internet.</para>

    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>

    <para>Before starting Shorewall, <emphasis role="bold">you should look at
    the IP address of your external interface and if it is one of the above
    ranges, you should remove the <quote>norfc1918</quote> option from the
    entry in <filename>/etc/shorewall/interfaces</filename>.</emphasis></para>
  </section>
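  <para>The check the paragraph above asks you to make by hand, as an added
  example that is not part of the Shorewall documentation or code: parse the
  output of <command>ip -4 -o addr show dev eth0</command> for the external
  interface and report whether the <quote>norfc1918</quote> option should be
  removed. The sample <command>ip</command> output lines are constructed, and
  the function names and the <emphasis>eth0</emphasis> default are
  assumptions.</para>

```python
# Added example (not Shorewall's code): decide whether the 'norfc1918' option
# should be removed, by testing the external interface's address against the
# three RFC 1918 ranges listed above.
import ipaddress
import re
import subprocess

# The three private ranges the page lists.
RFC1918_RANGES = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# "inet A.B.C.D[/prefix]" as printed by `ip -4 -o addr show`; ppp links
# print a peer address and no prefix, so the prefix is optional.
INET_RE = re.compile(r"\binet (\d{1,3}(?:\.\d{1,3}){3})(?:/\d{1,2})?\b")

def is_rfc1918(address):
    """True if the dotted-quad address lies in one of the RFC 1918 ranges."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in RFC1918_RANGES)

def addresses_from_ip_output(text):
    """IPv4 addresses found in `ip -4 -o addr show dev IFACE` output."""
    return INET_RE.findall(text)

def norfc1918_advice(ip_output):
    """The action the guide recommends, given the interface's ip(8) output."""
    addrs = addresses_from_ip_output(ip_output)
    if not addrs:
        return "no IPv4 address found: check the interface name or the link"
    private = [a for a in addrs if is_rfc1918(a)]
    if private:
        return "remove norfc1918: address %s is RFC 1918" % private[0]
    return "keep norfc1918: address %s is not RFC 1918" % addrs[0]

def check_interface(iface="eth0"):
    """Query a live interface; needs the iproute 'ip' program the guide requires."""
    out = subprocess.run(["ip", "-4", "-o", "addr", "show", "dev", iface],
                         capture_output=True, text=True, check=True).stdout
    return norfc1918_advice(out)

# Constructed sample `ip -4 -o addr show` lines for offline use.
SAMPLE_ETH0 = ("2: eth0    inet 192.168.1.20/24 brd 192.168.1.255 scope global eth0"
               "\\       valid_lft forever preferred_lft forever\n")
SAMPLE_PPP0 = ("3: ppp0    inet 203.0.113.7 peer 203.0.113.1/32 scope global ppp0"
               "\\       valid_lft forever preferred_lft forever\n")

if __name__ == "__main__":
    print(norfc1918_advice(SAMPLE_ETH0))
    print(norfc1918_advice(SAMPLE_PPP0))
```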
  <section>
    <title>Enabling other Connections</title>

    <para>Shorewall includes a collection of macros that can be used to
    quickly allow or deny services. You can find a list of the macros included
    in your version of Shorewall using the command <command>ls
    <filename>/usr/share/shorewall/macro.*</filename></command>.</para>

    <para>If you wish to enable connections from the internet to your firewall
    and you find an appropriate macro in
    <filename>/etc/shorewall/macro.*</filename>, the general format of a rule
    in <filename>/etc/shorewall/rules</filename> is:</para>

    <programlisting>#ACTION          SOURCE   DESTINATION   PROTO   DEST PORT(S)
&lt;<emphasis>macro</emphasis>&gt;/ACCEPT   net      $FW</programlisting>

    <example>
      <title>You want to run a Web Server and an IMAP Server on your firewall
      system:</title>

      <programlisting>#ACTION       SOURCE   DESTINATION   PROTO   DEST PORT(S)
Web/ACCEPT    net      $FW
IMAP/ACCEPT   net      $FW</programlisting>
    </example>

    <para>You may also choose to code your rules directly without using the
    pre-defined macros. This will be necessary in the event that there is not
    a pre-defined macro that meets your requirements. In that case the general
    format of a rule in <filename>/etc/shorewall/rules</filename> is:</para>

    <programlisting>#ACTION   SOURCE   DESTINATION   PROTO        DEST PORT(S)
ACCEPT    net      $FW           <emphasis>&lt;protocol&gt;</emphasis>   <emphasis>&lt;port&gt;</emphasis></programlisting>

    <example>
      <title>You want to run a Web Server and an IMAP Server on your firewall
      system:</title>

      <para><programlisting>#ACTION   SOURCE   DESTINATION   PROTO   DEST PORT(S)
ACCEPT    net      $FW           tcp     80
ACCEPT    net      $FW           tcp     143</programlisting></para>
    </example>

    <para>If you don't know what port and protocol a particular application
    uses, see <ulink url="ports.htm">here</ulink>.</para>

    <important>
      <para>I don't recommend enabling telnet to/from the internet because it
      uses clear text (even for login!). If you want shell access to your
      firewall from the internet, use SSH:</para>

      <programlisting>#ACTION      SOURCE   DESTINATION   PROTO   DEST PORT(S)
SSH/ACCEPT   net      $FW</programlisting>
    </important>

    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>

    <para>At this point, edit <filename>/etc/shorewall/rules</filename> to add
    other connections as desired.</para>
  </section>
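  <para>The decision order described under <quote>Shorewall Concepts</quote>
  (rules first, then the first matching policy, with the all/all catchall
  required), applied to the sample policy file and to the macro and explicit
  rule forms shown in this section, as an added example that is not
  Shorewall's own implementation: a small Python model that expands the
  <emphasis>Web</emphasis>, <emphasis>IMAP</emphasis> and
  <emphasis>SSH</emphasis> macros and reports which rule or policy decides a
  given connection request. The macro-to-port mapping and the function names
  are assumptions; the rules and policy text is a constructed copy of the
  entries shown on this page.</para>

```python
# Model of Shorewall's decision order (rules first, then the first matching
# policy) for the sample files on this page. Added example, not Shorewall code.
FW = "fw"  # value of $FW, the firewall zone named in /etc/shorewall/zones

# Assumed port mapping for the macros on this page (real ones: /usr/share/shorewall/macro.*).
MACROS = {"Web": ("tcp", "80"), "IMAP": ("tcp", "143"), "SSH": ("tcp", "22")}
# Constructed copies of the sample rules and policy entries shown above.
RULES_TEXT = """\
#ACTION       SOURCE   DESTINATION   PROTO   DEST PORT(S)
Web/ACCEPT    net      $FW
SSH/ACCEPT    net      $FW
ACCEPT        net      $FW           tcp     143
"""
POLICY_TEXT = """\
#SOURCE ZONE   DESTINATION ZONE   POLICY   LOG LEVEL
$FW            net                ACCEPT
net            all                DROP     info
all            all                REJECT   info
"""

def parse_table(text):
    """Rows of a Shorewall config file: comments dropped, $FW expanded."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rows.append([f.replace("$FW", FW) for f in line.split()])
    return rows

def parse_rules(text):
    """Rule dicts; a 'Macro/ACTION' entry is expanded to its proto and port."""
    rules = []
    for fields in parse_table(text):
        action = fields[0]
        if "/" in action:
            macro, action = action.split("/", 1)
            fields = [action, fields[1], fields[2]] + list(MACROS[macro])
        fields = fields + ["-"] * (5 - len(fields))  # missing columns mean "any"
        rules.append(dict(zip(("action", "src", "dst", "proto", "port"), fields)))
    return rules

def parse_policies(text):
    return [dict(zip(("src", "dst", "policy"), f[:3])) for f in parse_table(text)]

def zone_matches(pattern, zone):
    return pattern == "all" or pattern == zone

def decide(src, dst, proto, port, rules, policies):
    """(verdict, origin) for one connection request: rules win over policies."""
    for r in rules:
        if (zone_matches(r["src"], src) and zone_matches(r["dst"], dst)
                and r["proto"] in ("-", proto) and r["port"] in ("-", str(port))):
            return r["action"], "rule"
    for p in policies:  # the first matching policy applies
        if zone_matches(p["src"], src) and zone_matches(p["dst"], dst):
            return p["policy"], "policy"
    raise ValueError("no policy matched: the all/all catchall policy is missing")

RULES = parse_rules(RULES_TEXT)
POLICIES = parse_policies(POLICY_TEXT)
```

Calling <code>decide("net", "fw", "tcp", 23, RULES, POLICIES)</code> returns <code>("DROP", "policy")</code>: no rule opens port 23, so the <code>net all DROP</code> policy decides.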
  <section>
    <title>Starting and Stopping Your Firewall</title>

    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>

    <para>The <ulink url="Install.htm">installation procedure</ulink>
    configures your system to start Shorewall at system boot, but beginning
    with Shorewall version 1.3.9 startup is disabled so that your system won't
    try to start Shorewall before configuration is complete. Once you have
    completed configuration of your firewall, you can enable Shorewall startup
    by removing the file
    <filename>/etc/shorewall/startup_disabled</filename>.</para>

    <important>
      <para><emphasis role="bold">Users of the .deb package must edit
      <filename>/etc/default/shorewall</filename> and set
      <quote>startup=1</quote>.</emphasis></para>
    </important>

    <important>
      <para><emphasis role="bold">You must enable startup by editing
      <filename>/etc/shorewall/shorewall.conf</filename> and setting
      STARTUP_ENABLED=Yes.</emphasis></para>
    </important>

    <para>The firewall is started using the <quote><command>shorewall
    start</command></quote> command and stopped using
    <quote><command>shorewall stop</command></quote>. When the firewall is
    stopped, routing is enabled on those hosts that have an entry in
    <filename><ulink
    url="Documentation.htm#Routestopped">/etc/shorewall/routestopped</ulink></filename>.
    A running firewall may be restarted using the <quote><command>shorewall
    restart</command></quote> command. If you want to totally remove any trace
    of Shorewall from your Netfilter configuration, use
    <quote><command>shorewall clear</command></quote>.</para>

    <warning>
      <para>If you are connected to your firewall from the internet, do not
      issue a <quote><command>shorewall stop</command></quote> command unless
      you have added an entry for the IP address that you are connected from
      to <ulink
      url="Documentation.htm#Routestopped"><filename>/etc/shorewall/routestopped</filename></ulink>.
      Also, I don't recommend using <quote><command>shorewall
      restart</command></quote>; it is better to create an <emphasis><ulink
      url="configuration_file_basics.htm#Configs">alternate
      configuration</ulink></emphasis> and test it using the <ulink
      url="starting_and_stopping_shorewall.htm"><quote><command>shorewall
      try</command></quote> command</ulink>.</para>
    </warning>
  </section>

  <section>
    <title>Additional Recommended Reading</title>

    <para>I highly recommend that you review the <ulink
    url="configuration_file_basics.htm">Common Configuration File Features
    page</ulink> -- it contains helpful tips about Shorewall features that
    make administering your firewall easier.</para>
  </section>

  <appendix>
    <title>Revision History</title>

    <para><revhistory>
        <revision>
          <revnumber>2.0</revnumber>

          <date>2005-09-12</date>

          <authorinitials>TE</authorinitials>

          <revremark>More 3.0 Updates</revremark>
        </revision>

        <revision>
          <revnumber>1.9</revnumber>

          <date>2005-09-02</date>

          <authorinitials>CR</authorinitials>

          <revremark>Update for Shorewall 3.0</revremark>
        </revision>

        <revision>
          <revnumber>1.8</revnumber>

          <date>2005-07-12</date>

          <authorinitials>TE</authorinitials>

          <revremark>Change reference to rfc1918 to bogons.</revremark>
        </revision>

        <revision>
          <revnumber>1.7</revnumber>

          <date>2004-02-16</date>

          <authorinitials>TE</authorinitials>

          <revremark>Move /etc/shorewall/rfc1918 to
          /usr/share/shorewall.</revremark>
        </revision>

        <revision>
          <revnumber>1.6</revnumber>

          <date>2004-02-05</date>

          <authorinitials>TE</authorinitials>

          <revremark>Update for Shorewall 2.0</revremark>
        </revision>

        <revision>
          <revnumber>1.5</revnumber>

          <date>2004-01-05</date>

          <authorinitials>TE</authorinitials>

          <revremark>Standards Changes</revremark>
        </revision>

        <revision>
          <revnumber>1.4</revnumber>

          <date>2003-12-30</date>

          <authorinitials>TE</authorinitials>

          <revremark>Add tip about /etc/shorewall/rfc1918 updates.</revremark>
        </revision>

        <revision>
          <revnumber>1.3</revnumber>

          <date>2003-11-15</date>

          <authorinitials>TE</authorinitials>

          <revremark>Initial Docbook Conversion</revremark>
        </revision>
      </revhistory></para>
  </appendix>
</article>