Bering-uClibc 5.x - User Guide - IPv4 Networking - Configure Shorewall
IPv4 Networking - Configure Shorewall | ||
---|---|---|
Prev | Bering-uClibc 5.x - User Guide | Next |
Contents
Introduction
One of the distinctive feature of LEAF Bering-uClibc (introduced with Bering) is that it relies on Shorewall to provide its firewall facility.
The reasons behind this choice are numerous:
- Shorewall is an iptables based firewall which offers many features (Masquerading/SNAT, Port forwarding, Static NAT, Proxy ARP, VPN support, Traffic Control/Shaping) which are described in greater detail here.
- It is a very powerful tool with which it is "simple to do simple things" but which also offers a great flexibility.
- It is very well documented. We strongly recommend that you have a look at the full documentation available at shorewall.net and that you spend the time to understand the concept behind it. A worthwhile effort!
- It has a nice QuickStart Guide which will allow the reader to quickly grasp the basics. A prerequisite reading!
- It has a tremendous support from its developer, Tom Eastep, who replies very quickly to requests addressed to the shorewall user's mailing list. Mail archives are also available and searchable.
This is not the place to discuss all of the features of Shorewall 4.x but particular highlights which might be of interest to Bering-uClibc 5.x users include:
- The option to simplify management of multiple Shorewall installations by installing "full" Shorewall only on a single, central administration machine and then running "Shorewall Lite" on the managed firewalls. See this page of the Shorewall manual for further details and note that both
shorwall.lrp
andshorwall-lite.lrp
Packages are available. - A companion utility for IPv6 firewalling called Shorewall6. On dual-stack hosts Shorewall handles IP(v4) firewalling and Shorewall6 handles IPv6 firewalling. There is a separate Shorewall6 page in this Wiki.
- A simple way to direct all HTTP traffic via an HTTP proxy server such as Squid or Privoxy (both available as Bering-uClibc 5.x Packages) in order to implement a "Transparent" or "Intercepting" Proxy. See this page of the Shorewall manual for further details.
- Out-of-the-box support for "dynamic" IP address blacklisting which can be used to block Denial of Service attacks and could in principle be automated using a tool like sshblack. See this page of the Shorewall manual for further details.
- Support for various different Traffic Management mechanisms which are described in more detail in the next page.
- Support for multiple Internet connections, either working together and sharing the traffic between them or alternatively used in an active:passive configuration such that the secondary (low bandwidth or expensive) connection will only be enabled when the primary connection fails. See the MultiISP page of the Shorewall manual for further details.
The Bering-uClibc 5.x Package name for Shorewall is shorwall.lrp
rather than shorewall.lrp
because on older versions of Bering-uClibc filenames were constrained by the 8.3 filename length limit of the floppy disk file system. This constraint was removed in Bering-uClibc 4.x (which supports longer names via the VFAT file system) but the shortened name is retained for historical reasons and applies to all variants of the Shorewall Packages (so e.g. shorwall6.lrp
rather than shorewall6.lrp
even though shorwall6
is 9 characters!).
Configuration
To configure Shorewall, start the LEAF packages configuration menu and choose shorwall. The following menu will appear:
shorwall configuration files 1) Shorewall Runtime Startup options 2) Params Assign parameter values 3) Zones Partition the network into Zones 4) Ifaces Shorewall Networking Interfaces 5) Hosts Define specific zones 6) Policy Firewall high-level policy 7) Rules Exceptions to policy 8) Masq Internal MASQ Server Configuration 9) RStopped Hosts admitted after 'shorewall stop' 10) Nat Static NAT Configuration 11) Config Shorewall Global Parameters 12) Modules Netfilter modules to load 13) TOS Type of Service policy 14) Blacklist Blacklisted hosts 15) ECN Disable ECN to hosts and networks 16) Init Commands executed before [re]start 17) Initdone Commands executed during [re]start 18) Start Commands executed after [re]start 19) Started Commands executed after complete [re]start 20) Stop Commands executed before stop 21) Stopped Commands executed after stop 22) Actions Define user actions 23) Netmap Network Mapping Table 24) Route_rules Routing to providers 25) Tunnels Tunnel Definition (ipsec 26) Account Traffic Accounting Rules 27) TCClasses Define htb classes 28) TCDevices Specify speed of devices for traffic shaping 29) TCFilters Classify traffic for shaping 30) TCInterfaces Devices for simplified traffic shaping 31) TCPri Classify traffic for simplified traffic shaping 32) TCRules FWMark Rules 33) Maclist MAC Verification 34) Providers Additional routing table 35) ProxyArp Proxy ARP Configuration 36) Notrack Exclude traffic from connection tracking 37) secmarks q) quit ---------------------------------------------------------------------------- Selection:
Check the hyperlinks above, the Quickstart Guide or the Shorewall documentation to have a full explanation on those configuration files.
Some files worthy of specific mention for Bering-uClibc 5.x are described below.
Zones
The zones
file (entry 3). For a two interfaces setting - Bering-uClibc's default - it looks like:
#ZONE DISPLAY COMMENTS net ipv4 loc ipv4 #dmz ipv4 #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
Ifaces
The interfaces
file (entry 4) defines your interfaces. Default in Bering-uClibc is:
(...) #ZONE INTERFACE BROADCAST OPTIONS net eth0 detect dhcp loc eth1 detect dhcp #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
Rules
The rules
file (entry 7) is one of the most important files in Shorewall. Here is the one from Bering-uClibc:
(...) ###################################################################################################### #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER # PORT PORT(S) DEST LIMIT GROUP # PORT PORT(S) DEST LIMIT # Accept DNS connections from the firewall to the network # and from the local network to the firewall (in case dnsmasq is DNS(ACCEPT) fw net DNS(ACCEPT) loc fw # Accept SSH connections from the local network for administrati # SSH(ACCEPT) loc fw # Allow Ping to Firewall # Ping(ACCEPT) net fw Ping(ACCEPT) loc fw # Allow all ICMP types (including ping) from firewall ACCEPT fw loc icmp ACCEPT fw net icmp # Allow local network to access weblet/webconf # HTTP(ACCEPT) loc fw HTTPS(ACCEPT) loc fw # timeserver (allow syncing with time servers (default: pool.ntp.org)) NTP(ACCEPT) fw net # timeserver (allow LAN clients to sync with the time service on the router) # NTP(ACCEPT) loc fw #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
Modules
The modules
file (entry 12) contains a list of kernel Modules that Shorewall should load when it starts.
Mostly these are NetFilter "helper" Modules - for example nf_conntrack_tftp
which understands how to track TFTP UDP network connections.
In many ways this file overlaps with /etc/modules
which contains the main list of kernel Modules that a Bering-uClibc 5.x machine should load. Modules can be listed in either file.
Note: For Bering-uClibc 4.0 the settings in the /etc/shorewall/shorewall.conf
file (menu entry 11) mean that the Shorewall modules file is not processed. To change this behaviour edit the line in /etc/shorewall/shorewall.conf
which specifies MODULESDIR to read as follows:
MODULESDIR=/lib/modules
This modified setting is the default for Bering-uClibc 4.1 onwards. See Trac ticket #44.
Important: If you change any of the Shorewall parameters, remember to save your configuration!
Logfiles
With Bering-uClibc 5.x Shorewall-related messages are written to two different logfiles:
- Shorewall startup messages are written to file
/var/log/shorewall-init.log
- This is because that file is specified as STARTUP_LOG in
/etc/shorewall/shorewall.conf
- This is because that file is specified as STARTUP_LOG in
- Any messages from the Linux kernel "Netfilter" code which contain the string "Shorewall" are written to file
/var/log/shorewall.log
- This is controlled by the entries in file
/etc/syslog-ng/syslog-ng.conf
- This is controlled by the entries in file
In addition, the logfile rotation logic defined in file /etc/lrp.conf
means that /var/log/shorewall.log
gets renamed to /var/log/shorewall.log.0
and then /var/log/shorewall.log.1.gz
etc. on a daily basis.
Troubleshooting
- If you have IPv6 enabled (in other words you have the
ipv6.ko
Module loaded, which is the default) but you do not have theip6tables.lrp
Package installed then expect to see the following error when (re)starting Shorewall:WARNING: DISABLE_IPV6=Yes in shorewall.conf but this system does not appear to have ip6tables
This indicates that IPv6 is active but there are no IPv6 firewall rules in operation. This is A Bad Thing, which is why theip6tables.lrp
Package is enabled in all of the disk Images by default and why Shorewall (for IPv4) disables IPv6 by default.
Prev | Up | Next |