Copyright © 2010 Thomas M. Eastep
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled “GNU Free Documentation License”.
2023/02/18
Once you have installed the Shorewall software, you must configure it. The easiest way to do that is to use one of Shorewall's Sample Configurations. The Universal Configuration is one of those samples.
The Universal Shorewall configuration requires that you simply copy the configuration to /etc/shorewall and start Shorewall. This sample configuration:
Allows all outgoing traffic.
Blocks all incoming connections except:
Secure Shell
Ping
Allows forwarding of traffic, provided that the system has more than one interface or is set up to route between networks on a single interface.
The location of the sample configuration files is dependent on your distribution and how you installed Shorewall.
If you installed using an RPM, the samples will be in the Samples/Universal subdirectory of the Shorewall documentation directory. If you don't know where the Shorewall documentation directory is, you can find the samples using this command:
~# rpm -ql shorewall-common | fgrep Universal
/usr/share/doc/packages/shorewall/Samples/Universal
/usr/share/doc/packages/shorewall/Samples/Universal/interfaces
/usr/share/doc/packages/shorewall/Samples/Universal/policy
/usr/share/doc/packages/shorewall/Samples/Universal/rules
/usr/share/doc/packages/shorewall/Samples/Universal/zones
~#
If you installed using the tarball, the samples are in the Samples/Universal directory in the tarball.
If you installed using a Shorewall 4.x .deb, the samples are in /usr/share/doc/shorewall-common/examples/Universal. You do not need the shorewall-doc package to have access to the samples.
Simply copy the files from the Universal directory to /etc/shorewall.
Before starting Shorewall for the first time, it's a good idea to stop your existing firewall. On Redhat/CentOS/Fedora, at a root prompt type:
service iptables stop
If you are running SuSE, use Yast or Yast2 to stop SuSEFirewall.
Once you have Shorewall running to your satisfaction, you should totally disable your existing firewall. On Redhat/CentOS/Fedora:
chkconfig --del iptables
At a root prompt, type:
/sbin/shorewall start
That's it. Shorewall will automatically start again when you reboot.
To remove all of Shorewall's rules and open the system completely, at a root prompt type:
/sbin/shorewall clear
The system is now 'wide open'.
To stop accepting ping from the Internet, edit /etc/shorewall/rules and remove the line that reads:
Ping(ACCEPT) net $FW
and at a root prompt, type:
/sbin/shorewall restart
Shorewall includes a collection of macros that can be used to quickly allow or deny services. You can find a list of the macros included in your version of Shorewall using the command
ls /usr/share/shorewall/macro.*
or at a shell prompt type:
/sbin/shorewall show macros
If you wish to enable connections from the Internet to your firewall and you find an appropriate macro in /etc/shorewall/macro.*, the general format of a rule in /etc/shorewall/rules is:
#ACTION SOURCE DESTINATION PROTO DPORT
<macro>(ACCEPT) net $FW
Be sure to add your rules after the line that reads SECTION NEW.
Example 1. You want to run a Web Server and an IMAP Server on your firewall system:
#ACTION SOURCE DESTINATION PROTO DPORT
Web(ACCEPT) net $FW
IMAP(ACCEPT) net $FW
You may also choose to code your rules directly without using the pre-defined macros. This will be necessary in the event that there is not a pre-defined macro that meets your requirements. In that case the general format of a rule in /etc/shorewall/rules is:
#ACTION SOURCE DESTINATION PROTO DPORT
ACCEPT net $FW <protocol> <port>
Example 2. You want to run a Web Server and an IMAP Server on your firewall system:
#ACTION SOURCE DESTINATION PROTO DPORT
ACCEPT net $FW tcp 80
ACCEPT net $FW tcp 143
If you don't know what port and protocol a particular application uses, see here.
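A small check for the placement caveat above (rules must follow the SECTION NEW line), written as an added example that is not part of the Shorewall documentation. The rules file below is constructed for the example, with one Web rule deliberately placed before SECTION NEW; the helper names check_rules and rules_in_order are this example's own.

```shell
# Constructed sample of an /etc/shorewall/rules file (not from any real system):
# the Web rule is mistakenly placed before "SECTION NEW", the others after it.
SAMPLE_RULES='#ACTION         SOURCE          DEST            PROTO   DPORT
Web(ACCEPT)     net             $FW
SECTION ALL
SECTION ESTABLISHED
SECTION RELATED
SECTION NEW
Invalid(DROP)   net             all
Ping(ACCEPT)    net             $FW
SSH(ACCEPT)     net             $FW
ACCEPT          net             $FW             tcp     143'

# List every rule that accepts connections from the net zone into the
# firewall ($FW) and mark where it sits: "ok" when it follows the
# "SECTION NEW" line, "not-after-SECTION-NEW" otherwise.
check_rules() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }               # skip comments and blank lines
        $1 == "SECTION" { section = $2; next }          # remember the current section
        $2 != "net" || $3 != "$FW" { next }             # only net -> $FW rules
        $1 != "ACCEPT" && $1 !~ /\(ACCEPT\)$/ { next }  # only rules that accept
        {
            detail = (NF >= 5) ? $4 " " $5 : "macro"    # explicit proto/port or a macro
            status = (section == "NEW") ? "ok" : "not-after-SECTION-NEW"
            printf "%s %s %s\n", status, $1, detail
        }'
}

# Succeed only when every inbound ACCEPT rule is placed after SECTION NEW.
rules_in_order() {
    ! check_rules "$1" | grep -q not-after-SECTION-NEW
}

check_rules "$SAMPLE_RULES"
```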
Shorewall does not maintain a log itself but rather relies on your system's logging configuration. The following commands rely on knowing where Netfilter messages are logged:
shorewall show log (Displays the last 20 Netfilter log messages)
shorewall logwatch (Polls the log at a settable interval)
shorewall dump (Produces an extensive report for inclusion in Shorewall problem reports)
It is important that these commands work properly because when you encounter connection problems when Shorewall is running, the first thing that you should do is to look at the Netfilter log; with the help of Shorewall FAQ 17, you can usually resolve the problem quickly.
The Netfilter log location is distribution-dependent:
Debian and its derivatives log Netfilter messages to /var/log/kern.log.
Recent SuSE/OpenSuSE™ releases come preconfigured with syslog-ng and log netfilter messages to /var/log/firewall.
For other distributions, Netfilter messages are most commonly logged to /var/log/messages.
Modify the LOGFILE setting in /etc/shorewall/shorewall.conf to specify the name of your log. The LOGFILE setting does not control where the Netfilter log is maintained -- it simply tells the /sbin/shorewall utility where to find the log.
Now, so that the DROP policy for traffic from the net zone logs what it drops, edit /etc/shorewall/policy and modify the line that reads:
net all DROP
to
net all DROP info
Then at a root prompt, type:
/sbin/shorewall reload
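Once the policy logs at the info level, the entries in the file named by LOGFILE can be summarized with a little awk, which is the first thing to do when a connection fails. This is an added example, not part of the Shorewall documentation: the log lines are constructed (made-up addresses, times and host name), their Shorewall:<chain>:DROP: prefix follows Shorewall's default LOGFORMAT, and the remaining fields are the standard kernel Netfilter log fields; the helper names are this example's own.

```shell
# Constructed sample of the Netfilter lines Shorewall writes once the policy
# is "net all DROP info" (made-up addresses, times and host name). The prefix
# "Shorewall:<chain>:<disposition>:" follows the default LOGFORMAT; the other
# fields are the usual kernel log fields (SRC=, DST=, PROTO=, DPT=, ...).
SAMPLE_LOG='Feb 18 10:01:02 fw kernel: Shorewall:net-fw:DROP:IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TTL=52 PROTO=TCP SPT=51234 DPT=23 SYN
Feb 18 10:01:05 fw kernel: Shorewall:net-fw:DROP:IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TTL=52 PROTO=TCP SPT=51235 DPT=3389 SYN
Feb 18 10:01:09 fw kernel: Shorewall:net-fw:DROP:IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TTL=52 PROTO=TCP SPT=51236 DPT=23 SYN
Feb 18 10:02:11 fw kernel: Shorewall:net-fw:DROP:IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.2 LEN=40 TTL=240 PROTO=TCP SPT=40000 DPT=23 SYN
Feb 18 10:02:12 fw kernel: Shorewall:net-fw:DROP:IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.2 LEN=84 TTL=240 PROTO=ICMP TYPE=8 CODE=0
Feb 18 10:03:00 fw kernel: Shorewall:net-fw:ACCEPT:IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.2 LEN=60 TTL=60 PROTO=TCP SPT=4444 DPT=22 SYN
Feb 18 10:03:01 fw kernel: eth0: link becomes ready'

# Count dropped packets per source address, busiest source first.
# Lines without a Shorewall DROP prefix (accepts, unrelated kernel messages) are ignored.
dropped_by_source() {
    printf '%s\n' "$1" | awk '
        /Shorewall:[^ ]*:DROP:/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^SRC=/) n[substr($i, 5)]++
        }
        END { for (s in n) printf "%d %s\n", n[s], s }' | sort -rn
}

# Count dropped packets per protocol/destination port (ICMP carries no port, shown as "-").
dropped_by_port() {
    printf '%s\n' "$1" | awk '
        /Shorewall:[^ ]*:DROP:/ {
            proto = "?"; dpt = "-"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^PROTO=/) proto = substr($i, 7)
                else if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            n[proto "/" dpt]++
        }
        END { for (k in n) printf "%d %s\n", n[k], k }' | sort -rn
}

echo "Drops by source:"; dropped_by_source "$SAMPLE_LOG"
echo "Drops by proto/port:"; dropped_by_port "$SAMPLE_LOG"
```

On a real system replace SAMPLE_LOG with the contents of the file named by LOGFILE, e.g. "$(cat /var/log/messages)".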
Edit /etc/shorewall/interfaces, and remove the routeback option from the interface. e.g., change the line that reads:
net all - dhcp,physical=+,routeback,optional
to
net all - dhcp,physical=+,optional
Then at a root prompt, type:
/sbin/shorewall reload