forked from extern/shorewall_code
c4e7744b0f
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@988 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
491 lines
17 KiB
XML
491 lines
17 KiB
XML
<?xml version="1.0" encoding="UTF-8"?>
|
|
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
|
|
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
|
|
<article id="standalone">
|
|
<!--$Id$-->
|
|
|
|
<articleinfo>
|
|
<title>Standalone Firewall</title>
|
|
|
|
<authorgroup>
|
|
<author>
|
|
<firstname>Tom</firstname>
|
|
|
|
<surname>Eastep</surname>
|
|
</author>
|
|
</authorgroup>
|
|
|
|
<pubdate>2003-11-15</pubdate>
|
|
|
|
<copyright>
|
|
<year>2002</year>
|
|
|
|
<year>2003</year>
|
|
|
|
<holder>Thomas M. Eastep</holder>
|
|
</copyright>
|
|
|
|
<legalnotice>
|
|
<para>Permission is granted to copy, distribute and/or modify this
|
|
document under the terms of the GNU Free Documentation License, Version
|
|
1.2 or any later version published by the Free Software Foundation; with
|
|
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
|
Texts. A copy of the license is included in the section entitled
|
|
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
|
|
</legalnotice>
|
|
</articleinfo>
|
|
|
|
<section>
|
|
<title>Introduction</title>
|
|
|
|
<para>Setting up Shorewall on a standalone Linux system is very easy if
|
|
you understand the basics and follow the documentation.</para>
|
|
|
|
<para>This guide doesn't attempt to acquaint you with all of the
|
|
features of Shorewall. It rather focuses on what is required to configure
|
|
Shorewall in one of its most common configurations:</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>Linux system</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Single external IP address</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Connection through Cable Modem, DSL, ISDN, Frame Relay,
|
|
dial-up...</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
|
|
<section>
|
|
<title>Requirements</title>
|
|
|
|
<para>Shorewall requires that you have the iproute/iproute2 package
|
|
installed (on RedHat, the package is called <emphasis>iproute</emphasis>).
|
|
You can tell if this package is installed by the presence of an
|
|
<emphasis role="bold">ip</emphasis> program on your firewall system. As
|
|
root, you can use the <quote>which</quote> command to check for this
|
|
program:</para>
|
|
|
|
<programlisting>[root@gateway root]# which ip
|
|
/sbin/ip
|
|
[root@gateway root]#</programlisting>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Before you start</title>
|
|
|
|
<para>I recommend that you read through the guide first to familiarize
|
|
yourself with what's involved then go back through it again making
|
|
your configuration changes.</para>
|
|
|
|
<caution>
|
|
<para>If you edit your configuration files on a Windows system, you
|
|
must save them as Unix files if your editor supports that option or
|
|
you must run them through dos2unix before trying to use them.
|
|
Similarly, if you copy a configuration file from your Windows hard
|
|
drive to a floppy disk, you must run dos2unix against the copy before
|
|
using it with Shorewall.</para>
|
|
|
|
<simplelist>
|
|
<member><ulink url="???">Windows Version of dos2unix</ulink></member>
|
|
|
|
<member><ulink url="???">Linux Version of dos2unix</ulink></member>
|
|
</simplelist>
|
|
</caution>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Conventions</title>
|
|
|
|
<para>Points at which configuration changes are recommended are flagged
|
|
with <inlinegraphic fileref="images/BD21298_.gif" format="GIF" />.</para>
|
|
</section>
|
|
</section>
|
|
|
|
<section>
|
|
<title>PPTP/ADSL</title>
|
|
|
|
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /> If you
|
|
have an ADSL Modem and you use PPTP to communicate with a server in that
|
|
modem, you must make the <ulink url="PPTP.htm#PPTP_ADSL">changes
|
|
recommended here</ulink> in addition to those described in the steps
|
|
below. ADSL with PPTP is most commonly found in Europe, notably in
|
|
Austria.</para>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Shorewall Concepts</title>
|
|
|
|
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /> The
|
|
configuration files for Shorewall are contained in the directory
|
|
/etc/shorewall -- for simple setups, you only need to deal with a few of
|
|
these as described in this guide. After you have <ulink url="Install.htm">installed
|
|
Shorewall</ulink>, <emphasis role="bold">download the <ulink
|
|
url="http://www1.shorewall.net/pub/shorewall/Samples/">one-interface
|
|
sample</ulink>, un-tar it (tar -zxvf one-interface.tgz) and and copy the
|
|
files to /etc/shorewall (they will replace files with the same names that
|
|
were placed in /etc/shorewall during Shorewall installation)</emphasis>.</para>
|
|
|
|
<para>As each file is introduced, I suggest that you look through the
|
|
actual file on your system -- each file contains detailed configuration
|
|
instructions and default entries.</para>
|
|
|
|
<para>Shorewall views the network where it is running as being composed of
|
|
a set of <emphasis>zones</emphasis>. In the one-interface sample
|
|
configuration, only one zone is defined:</para>
|
|
|
|
<informaltable>
|
|
<tgroup cols="2">
|
|
<thead>
|
|
<row>
|
|
<entry align="center">Name</entry>
|
|
|
|
<entry align="center">Description</entry>
|
|
</row>
|
|
</thead>
|
|
|
|
<tbody>
|
|
<row>
|
|
<entry>net</entry>
|
|
|
|
<entry>The Internet</entry>
|
|
</row>
|
|
</tbody>
|
|
</tgroup>
|
|
</informaltable>
|
|
|
|
<para>Shorewall zones are defined in <ulink url="Documentation.htm#Zones">/etc/shorewall/zones</ulink>.</para>
|
|
|
|
<para>Shorewall also recognizes the firewall system as its own zone - by
|
|
default, the firewall itself is known as <emphasis role="bold">fw</emphasis>.</para>
|
|
|
|
<para>Rules about what traffic to allow and what traffic to deny are
|
|
expressed in terms of zones.</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>You express your default policy for connections from one zone to
|
|
another zone in the <ulink url="Documentation.htm#Policy">/etc/shorewall/policy</ulink>
|
|
file.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>You define exceptions to those default policies in the <ulink
|
|
url="Documentation.htm#Rules">/etc/shorewall/rules</ulink> file.</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
|
|
<para>For each connection request entering the firewall, the request is
|
|
first checked against the /etc/shorewall/rules file. If no rule in that
|
|
file matches the connection request then the first policy in
|
|
/etc/shorewall/policy that matches the request is applied. If that policy
|
|
is REJECT or DROP the request is first checked against the rules in
|
|
/etc/shorewall/common if that file exists; otherwise the rules in
|
|
/etc/shorewall/common.def are checked.</para>
|
|
|
|
<para>The /etc/shorewall/policy file included with the one-interface
|
|
sample has the following policies:</para>
|
|
|
|
<table>
|
|
<title>one-interface sample /etc/shorewall/policy</title>
|
|
|
|
<tgroup cols="5">
|
|
<thead>
|
|
<row>
|
|
<entry align="center">SOURCE ZONE</entry>
|
|
|
|
<entry align="center">DESTINATION ZONE</entry>
|
|
|
|
<entry align="center">POLICY</entry>
|
|
|
|
<entry align="center">LOG LEVEL</entry>
|
|
|
|
<entry align="center">LIMIT:BURST</entry>
|
|
</row>
|
|
</thead>
|
|
|
|
<tbody>
|
|
<row>
|
|
<entry>fw</entry>
|
|
|
|
<entry>net</entry>
|
|
|
|
<entry>ACCEPT</entry>
|
|
|
|
<entry></entry>
|
|
|
|
<entry></entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>net</entry>
|
|
|
|
<entry>all</entry>
|
|
|
|
<entry>DROP</entry>
|
|
|
|
<entry>info</entry>
|
|
|
|
<entry></entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>all</entry>
|
|
|
|
<entry>all</entry>
|
|
|
|
<entry>REJECT</entry>
|
|
|
|
<entry>info</entry>
|
|
|
|
<entry></entry>
|
|
</row>
|
|
</tbody>
|
|
</tgroup>
|
|
</table>
|
|
|
|
<para>The above policy will:</para>
|
|
|
|
<orderedlist>
|
|
<listitem>
|
|
<para>allow all connection requests from the firewall to the internet</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>drop (ignore) all connection requests from the internet to your
|
|
firewall</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>reject all other connection requests (Shorewall requires this
|
|
catchall policy).</para>
|
|
</listitem>
|
|
</orderedlist>
|
|
|
|
<para>At this point, edit your /etc/shorewall/policy and make any changes
|
|
that you wish.</para>
|
|
</section>
|
|
|
|
<section>
|
|
<title>External Interface</title>
|
|
|
|
<para>The firewall has a single network interface. Where Internet
|
|
connectivity is through a cable or DSL <quote>Modem</quote>, the
|
|
<emphasis>External Interface</emphasis> will be the ethernet adapter (<emphasis
|
|
role="bold">eth0</emphasis>) that is connected to that <quote>Modem</quote>
|
|
<emphasis role="underline">unless</emphasis> you connect via
|
|
<emphasis>Point-to-Point Protocol over Ethernet</emphasis> (PPPoE) or
|
|
<emphasis>Point-to-Point Tunneling Protocol</emphasis> (PPTP) in which
|
|
case the External Interface will be a <emphasis role="bold">ppp0</emphasis>.
|
|
If you connect via a regular modem, your External Interface will also be
|
|
<emphasis role="bold">ppp0</emphasis>. If you connect using ISDN, your
|
|
external interface will be <emphasis role="bold">ippp0</emphasis>.</para>
|
|
|
|
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /> The
|
|
Shorewall one-interface sample configuration assumes that the external
|
|
interface is <emphasis role="bold">eth0</emphasis>. If your configuration
|
|
is different, you will have to modify the sample /etc/shorewall/interfaces
|
|
file accordingly. While you are there, you may wish to review the list of
|
|
options that are specified for the interface. Some hints:</para>
|
|
|
|
<tip>
|
|
<para>If your external interface is <emphasis role="bold">ppp0</emphasis>
|
|
or <emphasis role="bold">ippp0</emphasis>, you can replace the
|
|
<quote>detect</quote> in the second column with <quote>-</quote>.</para>
|
|
</tip>
|
|
|
|
<tip>
|
|
<para>If your external interface is <emphasis role="bold">ppp0</emphasis>
|
|
or <emphasis role="bold">ippp0</emphasis> or if you have a static IP
|
|
address, you can remove <quote>dhcp</quote> from the option list.</para>
|
|
</tip>
|
|
</section>
|
|
|
|
<section>
|
|
<title>IP Addresses</title>
|
|
|
|
<para>RFC 1918 reserves several <emphasis>Private</emphasis> IP address
|
|
ranges for use in private networks:</para>
|
|
|
|
<programlisting>10.0.0.0 - 10.255.255.255
|
|
172.16.0.0 - 172.31.255.255
|
|
192.168.0.0 - 192.168.255.255</programlisting>
|
|
|
|
<para>These addresses are sometimes referred to as <emphasis>non-routable</emphasis>
|
|
because the Internet backbone routers will not forward a packet whose
|
|
destination address is reserved by RFC 1918. In some cases though, ISPs
|
|
are assigning these addresses then using <emphasis>Network Address
|
|
Translation</emphasis> to rewrite packet headers when forwarding to/from
|
|
the internet.</para>
|
|
|
|
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /> Before
|
|
starting Shorewall, you should look at the IP address of your external
|
|
interface and if it is one of the above ranges, you should remove the
|
|
<quote>norfc1918</quote> option from the entry in
|
|
/etc/shorewall/interfaces.</para>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Enabling other Connections</title>
|
|
|
|
<para>If you wish to enable connections from the internet to your
|
|
firewall, the general format is:</para>
|
|
|
|
<table>
|
|
<title>/etc/shorewall/rules</title>
|
|
|
|
<tgroup cols="7">
|
|
<thead>
|
|
<row>
|
|
<entry align="center">ACTION</entry>
|
|
|
|
<entry align="center">SOURCE</entry>
|
|
|
|
<entry align="center">DESTINATION</entry>
|
|
|
|
<entry align="center">PROTOCOL</entry>
|
|
|
|
<entry align="center">PORT</entry>
|
|
|
|
<entry align="center">SOURCE PORT</entry>
|
|
|
|
<entry align="center">ORIGINAL ADDRESS</entry>
|
|
</row>
|
|
</thead>
|
|
|
|
<tbody>
|
|
<row>
|
|
<entry>ACCEPT</entry>
|
|
|
|
<entry>net</entry>
|
|
|
|
<entry>fw</entry>
|
|
|
|
<entry><<emphasis>protocol</emphasis>></entry>
|
|
|
|
<entry><<emphasis>port</emphasis>></entry>
|
|
|
|
<entry></entry>
|
|
|
|
<entry></entry>
|
|
</row>
|
|
</tbody>
|
|
</tgroup>
|
|
</table>
|
|
|
|
<example>
|
|
<title>You want to run a Web Server and a POP3 Server on your firewall
|
|
system:</title>
|
|
|
|
<para><table><title>/etc/shorewall/rules</title><tgroup cols="7"><thead><row><entry
|
|
align="center">ACTION</entry><entry align="center">SOURCE</entry><entry
|
|
align="center">DESTINATION</entry><entry align="center">PROTOCOL</entry><entry
|
|
align="center">PORT</entry><entry align="center">SOURCE PORT</entry><entry
|
|
align="center">ORIGINAL ADDRESS</entry></row></thead><tbody><row><entry>ACCEPT</entry><entry>net</entry><entry>fw</entry><entry>tcp</entry><entry>80</entry><entry></entry><entry></entry></row><row><entry>ACCEPT</entry><entry>net</entry><entry>fw</entry><entry>tcp</entry><entry>110</entry><entry></entry><entry></entry></row></tbody></tgroup></table></para>
|
|
</example>
|
|
|
|
<para>If you don't know what port and protocol a particular
|
|
application uses, see <ulink url="ports.htm">here</ulink>.</para>
|
|
|
|
<important>
|
|
<para>I don't recommend enabling telnet to/from the internet because
|
|
it uses clear text (even for login!). If you want shell access to your
|
|
firewall from the internet, use SSH:</para>
|
|
|
|
<table>
|
|
<title>/etc/shorewall/rules</title>
|
|
|
|
<tgroup cols="7">
|
|
<thead>
|
|
<row>
|
|
<entry align="center">ACTION</entry>
|
|
|
|
<entry align="center">SOURCE</entry>
|
|
|
|
<entry align="center">DESTINATION</entry>
|
|
|
|
<entry align="center">PROTOCOL</entry>
|
|
|
|
<entry align="center">PORT</entry>
|
|
|
|
<entry align="center">SOURCE PORT</entry>
|
|
|
|
<entry align="center">ORIGINAL ADDRESS</entry>
|
|
</row>
|
|
</thead>
|
|
|
|
<tbody>
|
|
<row>
|
|
<entry>ACCEPT</entry>
|
|
|
|
<entry>net</entry>
|
|
|
|
<entry>fw</entry>
|
|
|
|
<entry>tcp</entry>
|
|
|
|
<entry>22</entry>
|
|
|
|
<entry></entry>
|
|
|
|
<entry></entry>
|
|
</row>
|
|
</tbody>
|
|
</tgroup>
|
|
</table>
|
|
</important>
|
|
|
|
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /> At this
|
|
point, edit /etc/shorewall/rules to add other connections as desired.</para>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Starting and Stopping Your Firewall</title>
|
|
|
|
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /> The
|
|
<ulink url="Install.htm">installation procedure</ulink> configures your
|
|
system to start Shorewall at system boot but beginning with Shorewall
|
|
version 1.3.9 startup is disabled so that your system won't try to
|
|
start Shorewall before configuration is complete. Once you have completed
|
|
configuration of your firewall, you can enable Shorewall startup by
|
|
removing the file /etc/shorewall/startup_disabled.</para>
|
|
|
|
<important>
|
|
<para><emphasis role="bold">Users of the .deb package must edit
|
|
/etc/default/shorewall and set <quote>startup=1</quote>.</emphasis></para>
|
|
</important>
|
|
|
|
<para>The firewall is started using the <quote>shorewall start</quote>
|
|
command and stopped using <quote>shorewall stop</quote>. When the firewall
|
|
is stopped, routing is enabled on those hosts that have an entry in <ulink
|
|
url="Documentation.htm#Routestopped">/etc/shorewall/routestopped</ulink>.
|
|
A running firewall may be restarted using the <quote>shorewall restart</quote>
|
|
command. If you want to totally remove any trace of Shorewall from your
|
|
Netfilter configuration, use <quote>shorewall clear</quote>.</para>
|
|
|
|
<warning>
|
|
<para>If you are connected to your firewall from the internet, do not
|
|
issue a <quote>shorewall stop</quote> command unless you have added an
|
|
entry for the IP address that you are connected from to <ulink
|
|
url="Documentation.htm#Routestopped">/etc/shorewall/routestopped</ulink>.
|
|
Also, I don't recommend using <quote>shorewall restart</quote>; it
|
|
is better to create an <emphasis><ulink
|
|
url="configuration_file_basics.htm#Configs">alternate configuration</ulink></emphasis>
|
|
and test it using the <ulink url="starting_and_stopping_shorewall.htm"><quote>shorewall
|
|
try</quote> command</ulink>.</para>
|
|
</warning>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Additional Recommended Reading</title>
|
|
|
|
<para>I highly recommend that you review the <ulink
|
|
url="configuration_file_basics.htm">Common Configuration File Features
|
|
page</ulink> -- it contains helpful tips about Shorewall features than
|
|
make administering your firewall easier.</para>
|
|
</section>
|
|
</article> |