Difference between revisions of "Bering-uClibc 4.x - User Guide - IPv4 Networking - Configure Shorewall"

m (adjust documentation link and shorewall configuration screen)
(fix shorewall default files; remove note that this is Bering-uClibc material)
Revision as of 18:46, 4 January 2011

IPv4 Networking - Configure Shorewall

One of the distinctive features of LEAF Bering-uClibc (introduced with Bering) is that it relies on Shorewall to provide its firewall facility.

The reasons behind this choice are numerous:

  • Shorewall is an iptables-based firewall which offers many features (Masquerading/SNAT, Port forwarding, Static NAT, Proxy ARP, VPN support, Traffic Control/Shaping) which are described in greater detail here.
  • It is a very powerful tool with which it is "simple to do simple things" but which also offers great flexibility.
  • It is very well documented. We strongly recommend that you have a look at the full documentation available at shorewall.net and that you spend the time to understand the concepts behind it. A worthwhile effort!
  • It has a nice QuickStart Guide which will allow the reader to quickly grasp the basics. A prerequisite reading!
  • It has tremendous support from its developer, Tom Eastep, who replies very quickly to requests addressed to the shorewall users' mailing list. Mail archives are also available and searchable.

To configure Shorewall, start the LEAF packages configuration menu and choose shorwall. The following menu will appear:

                        shorwall configuration files

1) Shorewall Runtime Startup options
2) Params    Assign parameter values
3) Zones     Partition the network into Zones
4) Ifaces    Shorewall Networking Interfaces
5) Hosts     Define specific zones
6) Policy    Firewall high-level policy
7) Rules     Exceptions to policy
8) Masq      Internal MASQ Server Configuration
9) RStopped  Hosts admitted after 'shorewall stop'
10) Nat       Static NAT Configuration
11) Config    Shorewall Global Parameters
12) Modules   Netfilter modules to load
13) TOS       Type of Service policy
14) Blacklist Blacklisted hosts
15) ECN       Disable ECN to hosts and networks
16) Init      Commands executed before [re]start
17) Initdone     Commands executed during [re]start
18) Start     Commands executed after [re]start
19) Started     Commands executed after complete [re]start
20) Stop      Commands executed before stop
21) Stopped   Commands executed after stop
22) Actions   Define user actions
23) Netmap    Network Mapping Table
24) Route_rules Routing to providers
25) Tunnels   Tunnel Definition (ipsec
26) Account   Traffic Accounting Rules
27) TCClasses  Define htb classes
28) TCDevices  Specify speed of devices for traffic shaping
29) TCFilters    Classify traffic for shaping
30) TCInterfaces  Devices for simplified traffic shaping
31) TCPri Classify traffic for simplified traffic shaping
32) TCRules   FWMark Rules
33) Maclist   MAC Verification
34) Providers Additional routing table
35) ProxyArp  Proxy ARP Configuration
36) Notrack  Exclude traffic from connection tracking


  q) quit
  ----------------------------------------------------------------------------
        Selection:

Check the hyperlinks above, the Quickstart Guide or the Shorewall documentation for a full explanation of those configuration files.

Three files absolutely must be checked to make sure they fit your needs:

A) The zones file (entry 3) partitions the network into zones. For a two-interface setup (Bering-uClibc's default) it looks like:

 #ZONE   TYPE            OPTIONS
 net     ipv4
 loc     ipv4
 #dmz    ipv4
 #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

B) The interfaces file (entry 4) binds each network interface to a zone. The default in Bering-uClibc is:

 (...)
 #ZONE   INTERFACE       BROADCAST       OPTIONS
 net     eth0            detect          dhcp
 loc     eth1            detect          dhcp
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
 

C) The rules file (entry 7), which lists exceptions to the high-level policy, is one of the most important files in Shorewall. Here is the one from Bering-uClibc:

 (...)
 ######################################################################################################
 #ACTION  SOURCE         DEST            PROTO   DEST    SOURCE     ORIGINAL     RATE            USER
 #                                               PORT    PORT(S)    DEST         LIMIT           GROUP
 #      Accept DNS connections from the firewall to the network
 #      and from the local network to the firewall (in case dnsmasq is
 DNS(ACCEPT)   fw          net
 DNS(ACCEPT)   loc         fw

 #      Accept SSH connections from the local network for administration
 #
 SSH(ACCEPT)   loc         fw

 #      Allow Ping to Firewall
 Ping(ACCEPT)  net         fw
 Ping(ACCEPT)  loc         fw

 #      Allow all ICMP types (including ping) from firewall
 ACCEPT    fw           loc                     icmp
 ACCEPT    fw           net                     icmp
 #      Allow local network to access weblet/webconf
 #
 HTTP(ACCEPT)   loc        fw
 HTTPS(ACCEPT)  loc        fw
 # timeserver (allow syncing with time servers (default: pool.ntp.org))
 NTP(ACCEPT)         fw       net
 # timeserver (allow LAN clients to sync with the time service on the router)
 # NTP(ACCEPT)         loc    fw
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
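As an added example (not code from the Bering-uClibc project or from Shorewall), the following Python script parses the zones, interfaces and rules files in the format shown in A), B) and C) above and reports zone names used in interfaces or rules that the zones file does not define, as well as zones bound to no interface. The sample file contents are constructed, and `fw`/`$FW` is assumed to be the implicit firewall zone because the default zones file shown above does not list it.

```python
# Constructed sample input modelled on the Bering-uClibc defaults above, plus one
# rule that references the commented-out "dmz" zone so the check has something to find.
ZONES = """#ZONE   TYPE    OPTIONS
net     ipv4
loc     ipv4
#dmz    ipv4
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE"""
INTERFACES = """#ZONE   INTERFACE       BROADCAST       OPTIONS
net     eth0            detect          dhcp
loc     eth1            detect          dhcp"""
RULES = """#ACTION       SOURCE  DEST    PROTO
DNS(ACCEPT)   fw      net
SSH(ACCEPT)   loc     fw
ACCEPT        fw      loc     icmp
NTP(ACCEPT)   fw      net
SSH(ACCEPT)   dmz     fw"""

# Assumption: fw/$FW is the implicit firewall zone; all/any/none are Shorewall wildcards.
SPECIAL = {"all", "any", "none", "fw", "$FW"}

def records(text):
    """Yield the whitespace-separated fields of each non-blank, non-comment line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments, incl. the #LAST LINE marker
        if line:
            yield line.split()

def check_shorewall(zones=ZONES, interfaces=INTERFACES, rules=RULES):
    """Cross-check the zone names used in interfaces and rules against the zones file.
    Returns (defined zones, interface->zone map, list of problem strings)."""
    defined = {f[0].split(":", 1)[0] for f in records(zones)}   # "zone:parent" -> "zone"
    problems, iface_zone = [], {}
    for f in records(interfaces):
        zone, iface = f[0], f[1]
        iface_zone[iface] = zone
        if zone != "-" and zone not in defined:
            problems.append(f"interfaces: {iface} is in undefined zone '{zone}'")
    for zone in sorted(defined - set(iface_zone.values())):
        problems.append(f"zones: '{zone}' is defined but bound to no interface")
    for f in records(rules):
        action, src, dst = f[0], f[1], f[2]
        for col, spec in (("SOURCE", src), ("DEST", dst)):
            zone = spec.split(":", 1)[0]          # "loc:192.168.1.0/24" -> "loc"
            if zone not in defined and zone not in SPECIAL:
                problems.append(f"rules: '{action} {src} {dst}': {col} zone '{zone}' is undefined")
    return defined, iface_zone, problems

if __name__ == "__main__":
    for problem in check_shorewall()[2]:
        print(problem)
```

Run against the real files (e.g. `check_shorewall(open("/etc/shorewall/zones").read(), ...)`) before `shorewall restart`; `shorewall check` performs the authoritative validation on the router itself.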

Important: If you change any of the shorewall parameters, remember to save your configuration!


