<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>Introduction</title><link rel="stylesheet" href="html.css" type="text/css" /><meta name="generator" content="DocBook XSL Stylesheets V1.73.2" /></head><body><div class="article" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title"><a id="usefull_links"></a>Introduction</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Tom</span> <span class="surname">Eastep</span></h3></div></div><div><p class="copyright">Copyright © 2003-2007 Thomas M. Eastep</p></div><div><div class="legalnotice"><a id="id288224"></a><p>Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. 
A copy of the license is included in the section entitled “<span class="quote"><a class="ulink" href="Copyright.htm" target="_self">GNU Free Documentation License</a></span>”.</p></div></div><div><p class="pubdate">2008/12/15</p></div></div><hr /></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="section"><a href="#Intro">Introduction</a></span></dt><dd><dl><dt><span class="section"><a href="#Glossary">Glossary</a></span></dt><dt><span class="section"><a href="#Shorewall">What is Shorewall?</a></span></dt></dl></dd><dt><span class="section"><a href="#Concepts">Shorewall Concepts</a></span></dt><dt><span class="section"><a href="#Compile">Compile then Execute</a></span></dt><dt><span class="section"><a href="#Packages">Shorewall Packages</a></span></dt><dt><span class="section"><a href="#License">License</a></span></dt></dl></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Intro"></a>Introduction</h2></div></div></div><p>The information in this document applies only to 4.x releases of Shorewall.</p><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="Glossary"></a>Glossary</h3></div></div></div><div class="itemizedlist"><ul type="disc"><li><p><a class="ulink" href="http://www.netfilter.org" target="_self">Netfilter</a> - the packet filter facility built into the 2.4 and later Linux kernels.</p></li><li><p>ipchains - the packet filter facility built into the 2.2 Linux kernels. Also the name of the utility program used to configure and control that facility. Netfilter can be used in ipchains compatibility mode.</p></li><li><p>iptables - the utility program used to configure and control Netfilter. 
The term “<span class="quote">iptables</span>” is often used to refer to the combination of iptables+Netfilter (with Netfilter not in ipchains compatibility mode).</p></li><li><p>iptables-restore - a program included with iptables that allows for atomic installation of a set of Netfilter rules. This is a much more efficient way to install a rule set than running the iptables utility once for each rule in the rule set.</p></li><li><p>ifconfig - An obsolete program included in the net-utils package. ifconfig was used to configure network interfaces.</p></li><li><p>route - An obsolete program included in the net-utils package. route was used to configure routing.</p></li><li><p>ip - A program included in the iproute2 package. ip replaces ifconfig and route in modern Linux systems.</p></li><li><p>tc - A program included in the iproute2 package. tc is used to configure QOS/Traffic Shaping on Linux systems.</p></li></ul></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="Shorewall"></a>What is Shorewall?</h3></div></div></div><p>The Shoreline Firewall, more commonly known as “<span class="quote">Shorewall</span>”, is a high-level tool for configuring Netfilter. You describe your firewall/gateway requirements using entries in a set of configuration files. Shorewall reads those configuration files and, with the help of the iptables, iptables-restore, ip and tc utilities, configures Netfilter and the Linux networking subsystem to match your requirements. Shorewall can be used on a dedicated firewall system, a multi-function gateway/router/server or on a standalone GNU/Linux system. Shorewall does not use Netfilter's ipchains compatibility mode and can thus take advantage of Netfilter's connection state tracking capabilities.</p><p>Shorewall is not a daemon. 
Once Shorewall has configured the Linux networking subsystem, its job is complete and there is no “<span class="quote">Shorewall process</span>” left running in your system. The <a class="ulink" href="starting_and_stopping_shorewall.htm" target="_self">/sbin/shorewall program can be used at any time to monitor the Netfilter firewall</a>.</p><p>Shorewall is not the easiest to use of the available iptables configuration tools but I believe that it is the most flexible and powerful. So if you are looking for a simple point-and-click set-and-forget Linux firewall solution that requires a minimum of networking knowledge, I would encourage you to check out the following alternatives:</p><div class="itemizedlist"><ul type="disc"><li><p><a class="ulink" href="http://www.m0n0.ch/wall/" target="_self">http://www.m0n0.ch/wall/</a></p></li><li><p><a class="ulink" href="http://www.fs-security.com/" target="_self">http://www.fs-security.com/</a></p></li></ul></div><p>If you are looking for a Linux firewall solution that can handle complex and fast changing network environments then Shorewall is a logical choice.</p></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Concepts"></a>Shorewall Concepts</h2></div></div></div><p>The configuration files for Shorewall are contained in the directory <code class="filename">/etc/shorewall</code> -- for simple setups, you will only need to deal with a few of them.</p><p>Shorewall views the network where it is running as being composed of a set of <em class="firstterm">zones</em>. 
In the <a class="ulink" href="three-interface.htm" target="_self">three-interface sample configuration</a> for example, the following zone names are used:</p><pre class="programlisting">#NAME   DESCRIPTION
fw      The firewall itself
net     The Internet
loc     Your Local Network
dmz     Demilitarized Zone</pre><p>Zones are declared and given a type in the <a class="ulink" href="manpages/shorewall-zones.html" target="_self"><code class="filename">/etc/shorewall/</code><code class="filename">zones</code></a> file. Here is the <a class="ulink" href="manpages/shorewall-zones.html" target="_self"><code class="filename">/etc/shorewall/</code><code class="filename">zones</code></a> file from the three-interface sample:</p><pre class="programlisting">#ZONE   TYPE       OPTIONS   IN        OUT
#                            OPTIONS   OPTIONS
fw      firewall
net     ipv4
loc     ipv4
dmz     ipv4
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</pre><p>Note that Shorewall recognizes the firewall system as its own zone. The name of the zone designating the firewall itself (usually 'fw' as shown in the above file) is stored in the shell variable $<em class="firstterm">FW</em> which may be used throughout the Shorewall configuration to refer to the firewall zone.</p><p>The simplest way to define the hosts in a zone is to associate the zone with a network interface using the <a class="ulink" href="manpages/shorewall-interfaces.html" target="_self"><code class="filename">/etc/shorewall/interfaces</code></a> file. 
In the three-interface sample, the three zones are defined using that file as follows:</p><pre class="programlisting">#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      dhcp,routefilter,norfc1918
loc     eth1        detect
dmz     eth2        detect</pre><p>The above file defines the <span class="emphasis"><em>net</em></span> zone as all IPv4 hosts interfacing to the firewall through eth0, the <span class="emphasis"><em>loc</em></span> zone as all IPv4 hosts interfacing through eth1 and the <span class="emphasis"><em>dmz</em></span> as all IPv4 hosts interfacing through eth2. It is important to note that the composition of a zone is defined in terms of a combination of addresses <span class="bold"><strong>and</strong></span> interfaces. When using the <a class="ulink" href="manpages/shorewall-interfaces.html" target="_self"><code class="filename">/etc/shorewall/interfaces</code></a> file to define a zone, all addresses are included; when you want to define a zone that contains a limited subset of the IPv4 address space, you use the <a class="ulink" href="manpages/shorewall-hosts.html" target="_self"><code class="filename">/etc/shorewall/hosts</code></a> file.</p><p>Rules about what traffic to allow and what traffic to deny are expressed in terms of zones. </p><div class="itemizedlist"><ul type="disc" compact="compact"><li><p>You express your default policy for connections from one zone to another zone in the <a class="ulink" href="manpages/shorewall-policy.html" target="_self"><code class="filename">/etc/shorewall/</code><code class="filename">policy</code></a> file. 
The basic choices for policy are:</p><div class="itemizedlist"><ul type="circle"><li><p>ACCEPT - Accept the connection.</p></li><li><p>DROP - Ignore the connection request.</p></li><li><p>REJECT - Return an appropriate error to the connection request.</p></li></ul></div><p>Connection request logging may be specified as part of a policy and it is conventional (and highly recommended) to log DROP and REJECT policies.</p></li><li><p>You define exceptions to these default policies in the <a class="ulink" href="manpages/shorewall-rules.html" target="_self"><code class="filename">/etc/shorewall/</code><code class="filename">rules</code></a> file.</p></li><li><p>You only need to concern yourself with connection requests. You don't need to define rules for handling traffic that is part of an established connection, and in most cases you don't have to worry about how related connections are handled (ICMP error packets and <a class="ulink" href="FTP.html" target="_self">related TCP connection requests such as used by FTP</a>).</p></li></ul></div><p>For each connection request entering the firewall, the request is first checked against the <code class="filename">/etc/shorewall/</code><code class="filename">rules</code> file. If no rule in that file matches the connection request then the first policy in <code class="filename">/etc/shorewall/</code><code class="filename">policy</code> that matches the request is applied. If there is a default action defined for the policy in <code class="filename">/etc/shorewall/actions</code> (or <code class="filename">/usr/share/shorewall/actions.std</code>) then that action is invoked before the policy is enforced. In the standard Shorewall distribution, the DROP policy has a default action called <span class="bold"><strong>Drop</strong></span> and the REJECT policy has a default action called <span class="bold"><strong>Reject</strong></span>. 
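</p><p>The lookup order just described, as an added Python model (not Shorewall's own code) that uses the three-interface sample policy and the SSH rule quoted later on this page. The function names <code class="literal">parse</code>, <code class="literal">zone_match</code> and <code class="literal">decide</code> are this example's own, and default actions and connection tracking are not modelled.</p>
<pre class="programlisting">
```python
"""Toy model of the rules-then-policy lookup (added example, not Shorewall code)."""

FW = "fw"  # zone name that $FW expands to in the sample zones file

# Constructed copies of the three-interface sample entries quoted on this page.
POLICY = """\
#SOURCE DEST POLICY LOG LEVEL
loc     net  ACCEPT
net     all  DROP   info
all     all  REJECT info
"""
RULES = """\
#ACTION SOURCE DEST PROTO PORT
ACCEPT  net    $FW  tcp   22
"""


def parse(text):
    """Return the non-comment rows of a file as column lists, expanding $FW."""
    rows = []
    for line in text.splitlines():
        cols = line.split("#", 1)[0].split()
        if cols:
            rows.append([FW if col == "$FW" else col for col in cols])
    return rows


def zone_match(pattern, zone):
    """A SOURCE or DEST column matches its own zone name or the keyword all."""
    return pattern in ("all", zone)


def decide(src, dst, proto, port, rules=RULES, policy=POLICY):
    """Return (verdict, log_level, origin) for one new connection request."""
    # Step 1: rules are the exceptions and are consulted first.
    for action, r_src, r_dst, r_proto, r_port in parse(rules):
        if (zone_match(r_src, src) and zone_match(r_dst, dst)
                and r_proto == proto and int(r_port) == port):
            return action, None, "rule"
    # Step 2: no rule matched, so the FIRST matching policy line applies.
    for row in parse(policy):
        if zone_match(row[0], src) and zone_match(row[1], dst):
            level = row[3] if len(row) > 3 else None
            return row[2], level, "policy"
    raise LookupError("no policy covers %s to %s" % (src, dst))


if __name__ == "__main__":
    for request in [("net", "fw", "tcp", 22), ("net", "fw", "tcp", 23),
                    ("loc", "net", "tcp", 443), ("fw", "net", "tcp", 80)]:
        print(request, decide(*request))
    # With the optional "$FW net ACCEPT" policy uncommented, fw to net is accepted.
    print(decide("fw", "net", "tcp", 80, policy="$FW net ACCEPT\n" + POLICY))
```
</pre><p>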
Default actions are used primarily to discard packets silently so that they don't clutter up your log.</p><p>The <code class="filename">/etc/shorewall/</code><code class="filename">policy</code> file included with the three-interface sample has the following policies: </p><pre class="programlisting">#SOURCE   DEST   POLICY   LOG LEVEL   LIMIT:BURST
loc       net    ACCEPT
net       all    DROP     info
all       all    REJECT   info</pre><p>In the three-interface sample, the line below is included but commented out. If you want your firewall system to have full access to servers on the Internet, uncomment that line. </p><pre class="programlisting">#SOURCE   DEST   POLICY   LOG LEVEL   LIMIT:BURST
$FW       net    ACCEPT</pre><p> The above policy will: </p><div class="itemizedlist"><ul type="disc"><li><p>Allow all connection requests from your local network to the Internet</p></li><li><p>Drop (ignore) all connection requests from the Internet to your firewall or local networks; these ignored connection requests will be logged using the <span class="emphasis"><em>info</em></span> syslog priority (log level).</p></li><li><p>Optionally accept all connection requests from the firewall to the Internet (if you uncomment the additional policy)</p></li><li><p>Reject all other connection requests; these rejected connection requests will be logged using the <span class="emphasis"><em>info</em></span> syslog priority (log level).</p></li></ul></div><p>To illustrate how rules provide exceptions to policies, suppose that you have the policies listed above but you want to be able to connect to your firewall from the Internet using Secure Shell (SSH). 
Recall that SSH uses TCP port 22.</p><pre class="programlisting">#ACTION   SOURCE   DEST   PROTO   DEST
#                                 PORT(S)
ACCEPT    net      $FW    tcp     22</pre><p>So although you have a policy of ignoring all connection attempts from the net zone (from the Internet), the above exception to that policy allows you to connect to the SSH server running on your firewall.</p><p>Because Shorewall makes no assumptions about what traffic you want accepted, there are certain rules (exceptions) that need to be added to almost any configuration.</p><div class="itemizedlist"><ul type="disc"><li><p>The <a class="ulink" href="shorewall_quickstart_guide.htm" target="_self">QuickStart guides</a> point to pre-populated files for use in common setups and the <a class="ulink" href="shorewall_setup_guide.htm" target="_self">Shorewall Setup Guide</a> shows you examples for use with other more complex setups.</p></li><li><p>To keep your <a class="ulink" href="shorewall_logging.html" target="_self">firewall log</a> from filling up with useless noise, Shorewall provides <a class="ulink" href="Actions.html" target="_self">common actions</a> that silently discard or reject such noise before it can be logged. As with everything in Shorewall, you can alter the behavior of these common actions (or do away with them entirely) as you see fit.</p></li></ul></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Compile"></a>Compile then Execute</h2></div></div></div><p>Shorewall versions beginning with 3.2.0 use a "compile" then "execute" approach. The Shorewall configuration compiler reads the configuration files and generates a shell script. Errors in the compilation step cause the script to be discarded and the command to be aborted. 
If the compilation step doesn't find any errors then the shell script is executed.</p><p>The 'compiled' scripts are placed in the directory <code class="filename">/var/lib/shorewall</code> and are named to correspond to the command being executed. For example, the command "/sbin/shorewall start" will generate a script named <code class="filename">/var/lib/shorewall/.start</code> and, if the compilation is error free, that script will then be executed.</p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Packages"></a>Shorewall Packages</h2></div></div></div><p>Shorewall 4.0 consists of four packages.</p><div class="orderedlist"><ol type="1"><li><p><span class="bold"><strong>Shorewall-common</strong></span>. This package must be installed on at least one system in your network. That system must also have Shorewall-shell and/or Shorewall-perl installed.</p></li><li><p><span class="bold"><strong>Shorewall-shell</strong></span>. This package includes the legacy Shorewall configuration compiler written in Bourne Shell. This compiler is very portable but suffers from performance problems and has become hard to maintain.</p></li><li><p><span class="bold"><strong>Shorewall-perl</strong></span>. An alternative to Shorewall-shell written in the Perl language. This compiler is highly portable to those Unix-like platforms that support Perl (including Cygwin) and is the compiler of choice for new Shorewall installations. Scripts created using Shorewall-perl use iptables-restore to install the generated Netfilter rule set.</p></li><li><p><span class="bold"><strong>Shorewall-lite</strong></span>. Shorewall allows for central administration of multiple firewalls through use of Shorewall-lite. The full Shorewall product (along with Shorewall-shell and/or Shorewall-perl) is installed on a central administrative system where compiled Shorewall scripts are generated. 
These scripts are copied to the firewall systems where they run under the control of Shorewall-lite.</p></li></ol></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="License"></a>License</h2></div></div></div><p>This program is free software; you can redistribute it and/or modify it under the terms of <a class="ulink" href="http://www.gnu.org/licenses/gpl.html" target="_self">Version 2 of the GNU General Public License</a> as published by the Free Software Foundation.</p><p>This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more detail.</p><p>You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.</p></div></div></body></html>