Bering-uClibc 4.x - User Guide - IPv4 Networking - Configure Shorewall
Introduction
One of the distinctive features of LEAF Bering-uClibc (introduced with Bering) is that it relies on Shorewall to provide its firewall facility.
The reasons behind this choice are numerous:
- Shorewall is an iptables based firewall which offers many features (Masquerading/SNAT, Port forwarding, Static NAT, Proxy ARP, VPN support, Traffic Control/Shaping) which are described in greater detail here.
- It is a very powerful tool with which it is "simple to do simple things" but which also offers a great flexibility.
- It is very well documented. We strongly recommend that you have a look at the full documentation available at shorewall.net and that you spend the time to understand the concepts behind it. A worthwhile effort!
- It has a nice QuickStart Guide which will allow the reader to quickly grasp the basics. A prerequisite reading!
- It has a tremendous support from its developer, Tom Eastep, who replies very quickly to requests addressed to the shorewall user's mailing list. Mail archives are also available and searchable.
For Bering-uClibc 4.x Shorewall is upgraded to version 4.4.x (e.g. Shorewall 4.4.15.3 for Bering-uClibc 4.0). This could not easily be implemented on Bering-uClibc 3.x because of the requirement for a Perl interpreter (which in turn was a challenge given the target of booting Bering-uClibc 3.x from a floppy disk).
This is not the place to discuss all of the features of Shorewall 4.x but particular highlights which might be of interest to Bering-uClibc 4.x users include:
- The option to simplify management of multiple Shorewall installations by installing "full" Shorewall only on a single, central administration machine and then running "Shorewall Lite" on the managed firewalls. See this page of the Shorewall manual for further details and note that both shorwall.lrp and shorwall-lite.lrp Packages are available.
- A companion utility for IPv6 firewalling called Shorewall6. On dual-stack hosts Shorewall handles IP(v4) firewalling and Shorewall6 handles IPv6 firewalling. There is a separate Shorewall6 page in this Wiki.
- A simple way to direct all HTTP traffic via an HTTP proxy server such as Squid or Privoxy (both available as Bering-uClibc 4.x Packages) in order to implement a "Transparent" or "Intercepting" Proxy. See this page of the Shorewall manual for further details.
- Out-of-the-box support for "dynamic" IP address blacklisting which can be used to block Denial of Service attacks and could in principle be automated using a tool like sshblack. See this page of the Shorewall manual for further details.
The Bering-uClibc 4.x Package name for Shorewall is shorwall.lrp rather than shorewall.lrp because on older versions of Bering-uClibc filenames were constrained by the 8.3 filename length limit of the floppy disk file system. This constraint was removed in Bering-uClibc 4.x (which supports longer names via the VFAT file system) but the shortened name is retained for historical reasons and applies to all variants of the Shorewall Packages (so e.g. shorwall6.lrp rather than shorewall6.lrp even though shorwall6 is 9 characters!).
Configuration
To configure Shorewall, start the LEAF packages configuration menu and choose shorwall. The following menu will appear:
    shorwall configuration files
     1) Shorewall    Runtime Startup options
     2) Params       Assign parameter values
     3) Zones        Partition the network into Zones
     4) Ifaces       Shorewall Networking Interfaces
     5) Hosts        Define specific zones
     6) Policy       Firewall high-level policy
     7) Rules        Exceptions to policy
     8) Masq         Internal MASQ Server Configuration
     9) RStopped     Hosts admitted after 'shorewall stop'
    10) Nat          Static NAT Configuration
    11) Config       Shorewall Global Parameters
    12) Modules      Netfilter modules to load
    13) TOS          Type of Service policy
    14) Blacklist    Blacklisted hosts
    15) ECN          Disable ECN to hosts and networks
    16) Init         Commands executed before [re]start
    17) Initdone     Commands executed during [re]start
    18) Start        Commands executed after [re]start
    19) Started      Commands executed after complete [re]start
    20) Stop         Commands executed before stop
    21) Stopped      Commands executed after stop
    22) Actions      Define user actions
    23) Netmap       Network Mapping Table
    24) Route_rules  Routing to providers
    25) Tunnels      Tunnel Definition (ipsec
    26) Account      Traffic Accounting Rules
    27) TCClasses    Define htb classes
    28) TCDevices    Specify speed of devices for traffic shaping
    29) TCFilters    Classify traffic for shaping
    30) TCInterfaces Devices for simplified traffic shaping
    31) TCPri        Classify traffic for simplified traffic shaping
    32) TCRules      FWMark Rules
    33) Maclist      MAC Verification
    34) Providers    Additional routing table
    35) ProxyArp     Proxy ARP Configuration
    36) Notrack      Exclude traffic from connection tracking
     q) quit
    ----------------------------------------------------------------------------
    Selection:
Check the hyperlinks above, the QuickStart Guide or the Shorewall documentation for a full explanation of those configuration files.
Some files worthy of specific mention for Bering-uClibc 4.x are described below.
Zones
The zones file (entry 3) partitions the network into zones. For a two-interface setup - Bering-uClibc's default - it looks like:
    #ZONE   DISPLAY   COMMENTS
    net     ipv4
    loc     ipv4
    #dmz    ipv4
    #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
Ifaces
The interfaces file (entry 4) defines your interfaces. The default in Bering-uClibc is:
    (...)
    #ZONE   INTERFACE   BROADCAST   OPTIONS
    net     eth0        detect      dhcp
    loc     eth1        detect      dhcp
    #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
Rules
The rules file (entry 7) is one of the most important files in Shorewall. Here is the one from Bering-uClibc:
    (...)
    ######################################################################################################
    #ACTION         SOURCE  DEST    PROTO   DEST    SOURCE  ORIGINAL  RATE    USER
    #                                       PORT    PORT(S) DEST      LIMIT   GROUP
    #                                       PORT    PORT(S) DEST      LIMIT
    # Accept DNS connections from the firewall to the network
    # and from the local network to the firewall (in case dnsmasq is
    DNS(ACCEPT)     fw      net
    DNS(ACCEPT)     loc     fw
    # Accept SSH connections from the local network for administrati
    #
    SSH(ACCEPT)     loc     fw
    # Allow Ping to Firewall
    #
    Ping(ACCEPT)    net     fw
    Ping(ACCEPT)    loc     fw
    # Allow all ICMP types (including ping) from firewall
    ACCEPT          fw      loc     icmp
    ACCEPT          fw      net     icmp
    # Allow local network to access weblet/webconf
    #
    HTTP(ACCEPT)    loc     fw
    HTTPS(ACCEPT)   loc     fw
    # timeserver (allow syncing with time servers (default: pool.ntp.org))
    NTP(ACCEPT)     fw      net
    # timeserver (allow LAN clients to sync with the time service on the router)
    # NTP(ACCEPT)   loc     fw
    #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
Modules
The modules file (entry 12) contains a list of kernel Modules that Shorewall should load when it starts. Mostly these are NetFilter "helper" Modules - for example nf_conntrack_tftp, which understands how to track TFTP UDP network connections.
In many ways this file overlaps with /etc/modules, which contains the main list of kernel Modules that a Bering-uClibc 4.x machine should load. Modules can be listed in either file.
Note: For Bering-uClibc 4.0 the settings in the /etc/shorewall/shorewall.conf file (menu entry 11) mean that the Shorewall modules file is not processed. To change this behaviour, edit the line in /etc/shorewall/shorewall.conf which specifies MODULESDIR to read as follows:
    MODULESDIR=/lib/modules
This modified setting is the default for Bering-uClibc 4.1 onwards. See Trac ticket #44.
Important: If you change any of the Shorewall parameters, remember to save your configuration!
Logfiles
With Bering-uClibc 4.x Shorewall-related messages are written to two different logfiles:
- Shorewall startup messages are written to file /var/log/shorewall-init.log. This is because that file is specified as STARTUP_LOG in /etc/shorewall/shorewall.conf.
- Any messages from the Linux kernel "Netfilter" code which contain the string "Shorewall" are written to file /var/log/shorewall.log. This is controlled by the entries in file /etc/syslog-ng/syslog-ng.conf.
In addition, the logfile rotation logic defined in file /etc/lrp.conf means that /var/log/shorewall.log gets renamed to /var/log/shorewall.log.0 and then /var/log/shorewall.log.1.gz etc. on a daily basis.
Troubleshooting
- If you have IPv6 enabled (in other words you have the ipv6.ko Module loaded, which is the default) but you do not have the ip6tables.lrp Package installed then expect to see the following error when (re)starting Shorewall:
    WARNING: DISABLE_IPV6=Yes in shorewall.conf but this system does not appear to have ip6tables
This indicates that IPv6 is active but there are no IPv6 firewall rules in operation. This is A Bad Thing, which is why the ip6tables.lrp Package is enabled in all of the disk Images by default and why Shorewall (for IPv4) disables IPv6 by default.
Optional Extra Packages
Some further Packages can optionally be installed to add extra functionality to Shorewall. These are described below.
DShield
Note: The DShield Package is currently under development and not yet included in any Bering-uClibc 4.x release. This documentation is being drafted in parallel with the Package development. Davidmbrooke 14:58, 24 December 2011 (UTC)
Introduction
Package dshield.lrp adds the capability to send extracts of Shorewall log files to the Internet Storm Center in order to help track the changing profile of firewall attacks by rate of reports, source address, port number etc.
The reports are published on the DShield.org web site.
The DShield client software is a simple Perl script which parses the Shorewall log file, filters out any unnecessary data and submits a summary report to dshield.org via email. Reports are typically submitted once every 24 hours. The main complication is synchronizing with the Shorewall log file recycling logic.
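The kernel "Netfilter" lines that syslog-ng routes to /var/log/shorewall.log (see Logfiles above) carry the Shorewall log prefix followed by the usual iptables SRC=/DST=/PROTO=/DPT= fields, and a summary by source address and destination port is the kind of extract the DShield client builds from them. The following added example (not part of Bering-uClibc, Shorewall or the DShield Package) does that reduction in POSIX sh and awk; the log lines are constructed, with addresses from documentation ranges.

```shell
#!/bin/sh
# Added example: summarise Shorewall DROP/REJECT log entries by source
# address, protocol and destination port, keeping accepted traffic and
# non-Shorewall lines out of the report. Sample lines are constructed.

SAMPLE_LOG='Dec 24 14:58:01 firewall kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=4567 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Dec 24 14:58:03 firewall kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=4568 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Dec 24 14:58:07 firewall kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.77 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=UDP SPT=53000 DPT=53 LEN=40
Dec 24 14:58:09 firewall kernel: Shorewall:loc2fw:ACCEPT:IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.20 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Dec 24 14:58:11 firewall dnsmasq[123]: started, version 2.59 cachesize 150'

# shorewall_summary: read syslog lines on stdin and print one line per
# distinct dropped/rejected flow as "count src proto dport", highest
# count first. Only lines whose prefix is Shorewall:<chain>:DROP: or
# Shorewall:<chain>:REJECT: are considered.
shorewall_summary() {
    awk '
        /Shorewall:[^ ]*:(DROP|REJECT):/ {
            src = proto = dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/)   src   = substr($i, 5)
                if ($i ~ /^PROTO=/) proto = substr($i, 7)
                if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
            }
            # ICMP entries carry no DPT; skip anything without a port
            if (src != "" && dpt != "") count[src " " proto " " dpt]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -k1,1nr -k2
}

# dropped_from: total DROP/REJECT hits recorded for one source address
# in the constructed sample log (0 when the address never appears).
dropped_from() {
    printf '%s\n' "$SAMPLE_LOG" | shorewall_summary |
        awk -v s="$1" '$2 == s { n += $1 } END { print n + 0 }'
}

# Stand-alone run: print the full summary of the sample log.
printf '%s\n' "$SAMPLE_LOG" | shorewall_summary
```

To use it on the live log, replace the sample with `cat /var/log/shorewall.log.0 /var/log/shorewall.log | shorewall_summary`, reading the rotated file first so a report taken around the daily rename does not miss entries.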
Preparation
The first task is to register at dshield.org as described in that site's HOWTO page. This gets you an allocated numeric DShield UserID which needs to be specified in the configuration file, and registers your email address for feedback.
Next, you need to ensure that your Bering-uClibc 4.x host can send email via an SMTP server somewhere. This might be a mail server on your internal network or your ISP's mail server.
Configuration
TODO