http://bering-uclibc.zetam.org/index.php?title=Bering-uClibc_7.x_-_User_Guide_-_IPv4_Networking_-_Configure_Shorewall&feed=atom&action=historyBering-uClibc 7.x - User Guide - IPv4 Networking - Configure Shorewall - Revision history2024-03-29T14:07:42ZRevision history for this page on the wikiMediaWiki 1.26.0http://bering-uclibc.zetam.org/index.php?title=Bering-uClibc_7.x_-_User_Guide_-_IPv4_Networking_-_Configure_Shorewall&diff=4516&oldid=prevJeanrocco: Created page with "{| summary="Navigation header" width="100%" ! colspan="3" align="center" | Bering-uClibc 7.x - User Guide - IPv4 Networking - Configure Shorewall|IPv4 Networking - Configure..."2020-10-24T18:23:19Z<p>Created page with "{| summary="Navigation header" width="100%" ! colspan="3" align="center" | Bering-uClibc 7.x - User Guide - IPv4 Networking - Configure Shorewall|IPv4 Networking - Configure..."</p>
<p><b>New page</b></p><div>{| summary="Navigation header" width="100%"<br />
! colspan="3" align="center" | [[Bering-uClibc 7.x - User Guide - IPv4 Networking - Configure Shorewall|IPv4 Networking - Configure Shorewall]]<br />
|-<br />
| width="20%" align="left" | [[Bering-uClibc 7.x - User Guide - IPv4 Networking - Internal Network Connections|Prev]]<br />
! width="60%" align="center" | [[Bering-uClibc 7.x - User Guide]]<br />
| width="20%" align="right" | [[Bering-uClibc 7.x - User Guide - IPv4 Networking - Configure Traffic Management|Next]]<br />
|}<br />
----<br />
<br />
<br />
==Introduction==<br />
One of the distinctive features of [[LEAF]] [[Bering-uClibc]] (introduced with [[Bering]]) is that it relies on [http://www.shorewall.net/ Shorewall] to provide its firewall facility.<br />
<br />
The reasons behind this choice are numerous:<br />
* [http://www.shorewall.net/ Shorewall] is an [http://www.netfilter.org/ iptables] based firewall which offers many features (Masquerading/SNAT, Port forwarding, Static NAT, Proxy ARP, VPN support, Traffic Control/Shaping) which are described in greater detail [http://www.shorewall.net/shorewall_features.htm here.]<br />
* It is a very powerful tool with which it is "simple to do simple things" but which also offers great flexibility.<br />
* It is very well documented. We strongly recommend that you have a look at the full documentation available at [http://shorewall.net/Documentation.html shorewall.net] and that you spend the time to understand the concept behind it. A worthwhile effort!<br />
* It has a nice [http://www.shorewall.net/shorewall_quickstart_guide.htm QuickStart Guide] which will allow the reader to quickly grasp the basics. A prerequisite reading!<br />
* It has tremendous support from its developer, Tom Eastep, who replies very quickly to requests sent to the [http://dir.gmane.org/gmane.comp.security.shorewall Shorewall users' mailing list]. Mail archives are also available and searchable.<br />
<br />
This is not the place to discuss all of the features of Shorewall 4.x, but particular highlights which might be of interest to [[Bering-uClibc 7.x]] users include:<br />
* The option to simplify management of multiple Shorewall installations by installing "full" Shorewall only on a single, central administration machine and then running "Shorewall Lite" on the managed firewalls. See [http://www.shorewall.net/CompiledPrograms.html this page of the Shorewall manual] for further details and note that both <code class="filename">shorwall.lrp</code> and <code class="filename">shorwall-lite.lrp</code> Packages are available.<br />
* A companion utility for IPv6 firewalling called Shorewall6. On dual-stack hosts Shorewall handles IP(v4) firewalling and Shorewall6 handles IPv6 firewalling. There is a separate [[Bering-uClibc 7.x - User Guide - IPv6 Networking - Configure Shorewall6|Shorewall6]] page in this Wiki.<br />
* A simple way to direct all HTTP traffic via an HTTP proxy server such as [http://www.squid-cache.org/ Squid] or [http://www.privoxy.org/ Privoxy] (both available as [[Bering-uClibc 7.x]] Packages) in order to implement a "Transparent" or "Intercepting" Proxy. See [http://www.shorewall.net/Shorewall_Squid_Usage.html this page of the Shorewall manual] for further details.<br />
* Out-of-the-box support for "dynamic" IP address blacklisting which can be used to block Denial of Service attacks and could in principle be automated using a tool like [http://www.pettingers.org/code/sshblack.html sshblack]. See [http://www.shorewall.net/blacklisting_support.htm#Dynamic this page of the Shorewall manual] for further details.<br />
* Support for various different Traffic Management mechanisms which are described in more detail in the [[Bering-uClibc 7.x - User Guide - IPv4 Networking - Configure Traffic Management|next page]].<br />
* Support for multiple Internet connections, either working together and sharing the traffic between them or alternatively used in an active:passive configuration such that the secondary (low bandwidth or expensive) connection will only be enabled when the primary connection fails. See the [http://shorewall.net/MultiISP.html MultiISP] page of the Shorewall manual for further details.<br />
<br />
The [[Bering-uClibc 7.x]] Package name for Shorewall is <code class="filename">shorwall.lrp</code> rather than <code class="filename">shor'''e'''wall.lrp</code> because on older versions of [[Bering-uClibc]] filenames were constrained by the 8.3 filename length limit of the floppy disk file system. This constraint was removed in [[Bering-uClibc 4.x]] (which supports longer names via the VFAT file system) but the shortened name is retained for historical reasons and applies to all variants of the Shorewall Packages (so e.g. <code class="filename">shorwall6.lrp</code> rather than <code class="filename">shor'''e'''wall6.lrp</code> even though <code class="filename">shorwall6</code> is 9 characters!).<br />
<br />
==Configuration==<br />
To configure Shorewall, start the LEAF packages configuration menu and choose shorwall. The following menu will appear:<br />
<br />
<nowiki> shorwall configuration files<br />
<br />
1) Shorewall Runtime Startup options<br />
2) Params Assign parameter values<br />
3) Zones Partition the network into Zones<br />
4) Ifaces Shorewall Networking Interfaces<br />
5) Hosts Define specific zones<br />
6) Policy Firewall high-level policy<br />
7) Rules Exceptions to policy<br />
8) Masq Internal MASQ Server Configuration<br />
9) RStopped Hosts admitted after 'shorewall stop'<br />
10) Nat Static NAT Configuration<br />
11) Config Shorewall Global Parameters<br />
12) Modules Netfilter modules to load<br />
13) TOS Type of Service policy<br />
14) Blacklist Blacklisted hosts<br />
15) ECN Disable ECN to hosts and networks<br />
16) Init Commands executed before [re]start<br />
17) Initdone Commands executed during [re]start<br />
18) Start Commands executed after [re]start<br />
19) Started Commands executed after complete [re]start<br />
20) Stop Commands executed before stop<br />
21) Stopped Commands executed after stop<br />
22) Actions Define user actions<br />
23) Netmap Network Mapping Table<br />
24) Route_rules Routing to providers<br />
25) Tunnels Tunnel Definition (ipsec<br />
26) Account Traffic Accounting Rules<br />
27) TCClasses Define htb classes<br />
28) TCDevices Specify speed of devices for traffic shaping<br />
29) TCFilters Classify traffic for shaping<br />
30) TCInterfaces Devices for simplified traffic shaping<br />
31) TCPri Classify traffic for simplified traffic shaping<br />
32) TCRules FWMark Rules<br />
33) Maclist MAC Verification<br />
34) Providers Additional routing table<br />
35) ProxyArp Proxy ARP Configuration<br />
36) Notrack Exclude traffic from connection tracking<br />
37) secmarks<br />
<br />
q) quit<br />
----------------------------------------------------------------------------<br />
Selection:</nowiki><br />
<br />
Check the hyperlinks above, the [http://www.shorewall.net/shorewall_quickstart_guide.htm Quickstart Guide] or the Shorewall [http://www.shorewall.net/shorewall_quickstart_guide.htm#Documentation documentation] to have a full explanation on those configuration files.<br />
<br />
Some files worthy of specific mention for [[Bering-uClibc 7.x]] are described below.<br />
<br />
===Zones===<br />
The <code class="filename">zones</code> file (entry 3) partitions the network into zones. For a two-interface setup (Bering-uClibc's default) it looks like:<br />
<br />
<nowiki> #ZONE DISPLAY COMMENTS<br />
net ipv4<br />
loc ipv4<br />
#dmz ipv4<br />
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</nowiki><br />
<br />
===Ifaces===<br />
The <code class="filename">interfaces</code> file (entry 4) assigns each network interface to a zone. The Bering-uClibc default is:<br />
<br />
<nowiki> (...)<br />
#ZONE INTERFACE BROADCAST OPTIONS<br />
net eth0 detect dhcp<br />
loc eth1 detect dhcp<br />
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE<br />
</nowiki><br />
<br />
===Rules===<br />
The <code class="filename">rules</code> file (entry 7) is one of the most important files in Shorewall: it holds the exceptions to the zone-to-zone policies set in the <code class="filename">policy</code> file (entry 6). Here is the default one from Bering-uClibc:<br />
<br />
<nowiki> (...)<br />
######################################################################################################<br />
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER<br />
# PORT PORT(S) DEST LIMIT GROUP<br />
# PORT PORT(S) DEST LIMIT<br />
# Accept DNS connections from the firewall to the network<br />
# and from the local network to the firewall (in case dnsmasq is <br />
DNS(ACCEPT) fw net<br />
DNS(ACCEPT) loc fw<br />
<br />
# Accept SSH connections from the local network for administrati<br />
#<br />
SSH(ACCEPT) loc fw<br />
<br />
# Allow Ping to Firewall #<br />
Ping(ACCEPT) net fw<br />
Ping(ACCEPT) loc fw<br />
<br />
# Allow all ICMP types (including ping) from firewall<br />
ACCEPT fw loc icmp<br />
ACCEPT fw net icmp<br />
# Allow local network to access weblet/webconf<br />
#<br />
HTTP(ACCEPT) loc fw<br />
HTTPS(ACCEPT) loc fw<br />
# timeserver (allow syncing with time servers (default: pool.ntp.org)) <br />
NTP(ACCEPT) fw net <br />
# timeserver (allow LAN clients to sync with the time service on the router)<br />
# NTP(ACCEPT) loc fw<br />
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</nowiki><br />
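One practical check on this file is to ask, per zone, what the rules actually ACCEPT (the default above should expose only Ping from <tt>net</tt> to <tt>fw</tt>). The following Python is an added example, not part of this page or of the Bering-uClibc/Shorewall projects; it parses a constructed copy of the default rules shown above, and the function names <tt>parse_rules</tt> and <tt>accepted_from</tt> are mine.<br />

```python
import re

# Constructed copy of the default Bering-uClibc /etc/shorewall/rules shown above
# (comment lines abbreviated); sample input only, nothing is read from disk.
DEFAULT_RULES = """\
#ACTION        SOURCE  DEST  PROTO
DNS(ACCEPT)    fw      net
DNS(ACCEPT)    loc     fw
SSH(ACCEPT)    loc     fw
Ping(ACCEPT)   net     fw
Ping(ACCEPT)   loc     fw
ACCEPT         fw      loc   icmp
ACCEPT         fw      net   icmp
HTTP(ACCEPT)   loc     fw
HTTPS(ACCEPT)  loc     fw
NTP(ACCEPT)    fw      net
# NTP(ACCEPT)  loc     fw
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
"""

# Shorewall macro invocation, e.g. SSH(ACCEPT): macro name + action in parentheses
MACRO_RE = re.compile(r"^([A-Za-z0-9_-]+)\(([A-Z_]+)\)$")

def parse_rules(text):
    """One dict per active rule: action, macro (None for plain rules), source, dest, proto."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments, incl. the LAST LINE marker
        if not line:
            continue
        cols = line.split()
        m = MACRO_RE.match(cols[0])
        rules.append({"action": m.group(2) if m else cols[0],
                      "macro": m.group(1) if m else None,
                      "source": cols[1], "dest": cols[2],
                      "proto": cols[3] if len(cols) > 3 else "-"})
    return rules

def accepted_from(rules, zone):
    """What a zone may reach: sorted (dest, service) pairs, service = macro name or protocol."""
    return sorted({(r["dest"], r["macro"] or r["proto"])
                   for r in rules if r["source"] == zone and r["action"] == "ACCEPT"})

if __name__ == "__main__":
    parsed = parse_rules(DEFAULT_RULES)
    for zone in ("net", "loc", "fw"):   # net -> fw should show only Ping
        print(f"{zone:>4} may reach: {accepted_from(parsed, zone)}")
```

Running it against your own <code class="filename">/etc/shorewall/rules</code> (read the file instead of the constructed string) gives a quick inventory of what each zone is allowed to reach before you save the configuration.<br />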
<br />
===Modules===<br />
The <code class="filename">modules</code> file (entry 12) contains a list of kernel Modules that Shorewall should load when it starts.<br />
Mostly these are Netfilter "helper" Modules - for example <code class="filename">nf_conntrack_tftp</code>, which understands how to track TFTP UDP connections.<br />
<br />
In many ways this file overlaps with <code class="filename">/etc/modules</code> which contains the main list of kernel Modules that a [[Bering-uClibc 7.x]] machine should load. Modules can be listed in either file.<br />
<br />
'''Note:''' For Bering-uClibc 4.'''0''' the settings in the <code class="filename">/etc/shorewall/shorewall.conf</code> file (menu entry 11) mean that the Shorewall modules file is '''not''' processed. To change this behaviour, edit the line in <code class="filename">/etc/shorewall/shorewall.conf</code> which specifies <tt>MODULESDIR</tt> to read as follows:<br />
<nowiki> MODULESDIR=/lib/modules</nowiki><br />
This modified setting is the default for Bering-uClibc 4.'''1''' onwards. See [http://sourceforge.net/apps/trac/leaf/ticket/44 Trac ticket #44].<br />
<br />
<br />
'''Important:''' If you change any of the Shorewall parameters, remember to save your configuration!<br />
<br />
==Logfiles==<br />
With [[Bering-uClibc 7.x]] Shorewall-related messages are written to two different logfiles:<br />
* Shorewall startup messages are written to file <code class="filename">/var/log/shorewall-init.log</code><br />
** This is because that file is specified as <tt>STARTUP_LOG</tt> in <code class="filename">/etc/shorewall/shorewall.conf</code><br />
* Any messages from the Linux kernel "Netfilter" code which contain the string "<tt>Shorewall</tt>" are written to file <code class="filename">/var/log/shorewall.log</code><br />
** This is controlled by the entries in file <code class="filename">/etc/syslog-ng/syslog-ng.conf</code><br />
<br />
In addition, the logfile rotation logic defined in file <code class="filename">/etc/lrp.conf</code> means that <code class="filename">/var/log/shorewall.log</code> gets renamed to <code class="filename">/var/log/shorewall.log.0</code> and then <code class="filename">/var/log/shorewall.log.1.gz</code> etc. on a daily basis.<br />
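Because every Netfilter message tagged "<tt>Shorewall</tt>" lands in <code class="filename">/var/log/shorewall.log</code>, that file is the natural place to look for what the firewall is dropping. The Python below is an added example (not part of this page or the Shorewall project) that parses constructed sample lines in the syslog-ng plus netfilter format and counts DROP/REJECT hits by chain, protocol, destination port and source; the names <tt>parse_line</tt> and <tt>summarize</tt> are mine.<br />

```python
import re
from collections import Counter

# Constructed sample of /var/log/shorewall.log as written by syslog-ng from the
# kernel's netfilter messages (Shorewall's log prefix is "Shorewall:<chain>:<disposition>:").
# Addresses are from documentation ranges; the last line is non-Shorewall noise.
SAMPLE_LOG = """\
Oct 24 18:23:19 firewall kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.1 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51234 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Oct 24 18:23:20 firewall kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.1 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51235 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Oct 24 18:23:21 firewall kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=198.51.100.1 LEN=48 TOS=0x00 PREC=0x00 TTL=240 ID=54321 PROTO=UDP SPT=53 DPT=1900 LEN=28
Oct 24 18:23:22 firewall kernel: Shorewall:loc2fw:REJECT:IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:cc:08:00 SRC=192.168.1.50 DST=192.168.1.254 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40000 DPT=3128 WINDOW=65535 RES=0x00 SYN URGP=0
Oct 24 18:23:23 firewall syslog-ng[123]: syslog-ng starting up; version='3.x'
"""

PREFIX_RE = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<disp>[^:\s]+):(?P<fields>.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")   # IN=eth0, OUT=, SRC=..., DPT=...; flags like DF/SYN have no '='

def parse_line(line):
    """Dict with chain, disp and the netfilter key=value fields, or None if not a Shorewall line."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    rec = {"chain": m.group("chain"), "disp": m.group("disp")}
    rec.update(KV_RE.findall(m.group("fields")))  # UDP lines carry LEN= twice; the inner one wins
    return rec

def summarize(text):
    """Count DROP/REJECT hits by (chain, disp, PROTO, DPT) and by source address."""
    by_target, by_src = Counter(), Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["disp"] not in ("DROP", "REJECT"):
            continue
        by_target[(rec["chain"], rec["disp"], rec.get("PROTO", "?"), rec.get("DPT", "-"))] += 1
        by_src[rec.get("SRC", "?")] += 1
    return by_target, by_src

if __name__ == "__main__":
    targets, sources = summarize(SAMPLE_LOG)
    for key, n in targets.most_common():
        print(n, " ".join(key))
    print("busiest sources:", sources.most_common(3))
```

Feed it the rotated files (<code class="filename">shorewall.log.0</code>, the <code class="filename">.gz</code> ones via <tt>gzip.open</tt>) as well, since a day of log is not much context for spotting a persistent source.<br />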
<br />
<br />
==Troubleshooting==<br />
* If you have IPv6 enabled (in other words you have the <code class="filename">ipv6.ko</code> Module loaded, which is the default) but you do not have the <code class="filename">ip6tables.lrp</code> Package installed, then expect to see the following warning when (re)starting Shorewall:<pre>WARNING: DISABLE_IPV6=Yes in shorewall.conf but this system does not appear to have ip6tables</pre> This indicates that IPv6 is active but there are no IPv6 firewall rules in operation. This is A Bad Thing, which is why the <code class="filename">ip6tables.lrp</code> Package is enabled in all of the disk Images by default and why Shorewall (for IPv4) disables IPv6 by default.<br />
<br />
<br />
----<br />
{| summary="Navigation footer" width="100%"<br />
| width="40%" align="left" | [[Bering-uClibc 7.x - User Guide - IPv4 Networking - Internal Network Connections|Prev]]<br />
| width="20%" align="center" | [[Bering-uClibc 7.x - User Guide - IPv4 Networking|Up]]<br />
| width="40%" align="right" | [[Bering-uClibc 7.x - User Guide - IPv4 Networking - Configure Traffic Management|Next]]<br />
|}<br />
<br />
[[Category:Bering-uClibc 7.x]]<br />
[[Category:User Guide]]</div>Jeanrocco