path: root/tools/shorewall.html
author    Silvino Silva <silvino@bk.ru>  2016-09-15 00:47:34 +0100
committer Silvino Silva <silvino@bk.ru>  2016-09-15 00:47:34 +0100
commit    07bedee34d9ded6f86904c7e4b4e02464ff8cb14
tree      242dcbfdcd97667017bdfcaaa535919b01168fe1 /tools/shorewall.html
parent    b9762bb44befe4a852688eb19cce1aec3462f2ca
download  doc-07bedee34d9ded6f86904c7e4b4e02464ff8cb14.tar.gz
added tools
Diffstat (limited to 'tools/shorewall.html')
 -rw-r--r--  tools/shorewall.html | 201 +
 1 file changed, 201 insertions(+), 0 deletions(-)
diff --git a/tools/shorewall.html b/tools/shorewall.html
new file mode 100644
index 0000000..749d4e6
--- /dev/null
+++ b/tools/shorewall.html
@@ -0,0 +1,201 @@
+        <h2 id="shorewall">2.3. Shorewall</h2>
+
+        <p><a href="http://shorewall.net">Shorewall</a> is a gateway/firewall
+        configuration tool. "You describe your firewall/gateway requirements
+        using entries in a set of configuration files. Shorewall reads those
+        configuration files and with the help of the iptables, iptables-restore,
+        ip and tc utilities, Shorewall configures Netfilter and the Linux
+        networking subsystem to match your requirements.".</p>
+
+        <p>This is a resume from
+        <a href="http://shorewall.net/two-interface.htm">Basic Two-Interface Firewall</a>.
+        </p>
+
+        <h3 id="shorewall-install">2.3.1. Install Shorewall</h3>
+
+        <p>Shorewall port is part of <a href="https://crux.nu/portdb/index.php?a=repo&amp;q=kris">Kris Collection</a>
+        and <a href="../install/ports.html#sysdoccollection">sysdoc collection</a>.</p>
+
+        <pre>
+        $ prt-get depinst shorewall
+        </pre>
+
+        <p>Get the samples from distribution file;</p>
+
+        <pre>
+    $ mkdir sample && cd sample
+        $ tar xf ../shorewall-5.0.8.2.tar.bz2
+        $ cd /srv/ports/work/shorewall-5.0.8.2
+        $ ls
+        README.txt            policy            shorewall.conf.annotated
+        interfaces            policy.annotated  stoppedrules
+        interfaces.annotated  rules             stoppedrules.annotated
+        masq                  rules.annotated   zones
+        masq.annotated        shorewall.conf    zones.annotated
+        </pre>
+
+        <p>Copy files to /etc/shorewall</p>
+
+        <pre>
+        $ sudo cp Samples/two-interfaces/* /etc/shorewall/
+        </pre>
+
+        <p>Distribution extracted files are not needed anymore;</p>
+
+        <pre>
+        $ cd ../../ && rm -fR sample
+        </pre>
+
+        <h3 id="shorewall-configure">2.3.2. Configure Shorewall</h3>
+
+        <p>Tip how to get help about files in /etc/shorewall, for example
+        to get help about file zones call man shorewall-zones. There are
+        Some files have names ending in '.annotated'. You might
+        choose to look at those files instead.</p>
+
+        <p>Rules about traffic to allow and what traffic to deny are expressed in
+        terms of zones;</p>
+
+        <ul>
+            <li>Define default policy for connections from one zone to
+                another zone in /etc/shorewall/policy.</li>
+
+            <li>Define exceptions to those default policies in
+                /etc/shorewall/rules.</li>
+        </ul>
+
+        <p>Edit <a href="../conf/etc/shorewall/shorewall.conf">/etc/shorewall/shorewall.conf</a></p>
+
+        <pre>
+        ###############################################################################
+        #                      S T A R T U P   E N A B L E D
+        ###############################################################################
+
+        STARTUP_ENABLED=Yes
+        </pre>
+
+        <h4 id="shorewall-interfaces">2.3.5. Configure Interfaces</h4>
+
+        <p>Show defoult route, last should be your external interface;</p>
+
+        <pre>
+        # ip route ls
+        </pre>
+
+        <p>This example assumes enp8s0 is connected to router and
+        wlp7s0 is wireless access point.</p>
+
+        <p>Edit <a href="../conf/etc/shorewall/interfaces">/etc/shorewall/interfaces</a></p>
+
+        <pre>
+        ###############################################################################
+        #ZONE   INTERFACE       OPTIONS
+net     enp8s0            dhcp,tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0
+loc     wlp7s0            tcpflags,nosmurfs,routefilter,logmartians
+        </pre>
+
+        <p>Edit <a href="../conf/etc/shorewall/stoppedrules">/etc/shorewall/stoppedrules</a></p>
+
+        <pre>
+        ###############################################################################
+        #ACTION         SOURCE          DEST            PROTO   DEST            SOURCE
+        #                                                       PORT(S)         PORT(S)
+        ACCEPT          enp3s0          -
+        ACCEPT          -               enp3s0
+        </pre>
+
+        <h4 id="shorewall-zones">2.3.3. Configure Zones</h4>
+
+        <p>Shorewall recognizes the firewall system as its own zone, as can be
+        seen on zones defined by two-interfaces example;</p>
+
+        <p>Edit <a href="../conf/etc/shorewall/zones">/etc/shorewall/zones</a></p>
+
+        <pre>
+        ###############################################################################
+        #ZONE	TYPE	OPTIONS			IN			OUT
+        #					OPTIONS			OPTIONS
+        fw	firewall
+        net	ipv4
+        loc	ipv4
+        </pre>
+
+        <h4 id="shorewall-policy">2.3.4. Configure Policy</h4>
+
+        <p>Change default /etc/shorewall/policy this example will limit
+        witch connections are allow to and from firewall, default policy
+        will be drop;</p>
+
+        <p>Edit <a href="../conf/etc/shorewall/policy">/etc/shorewall/policy</a></p>
+
+        <pre>
+        ##############################################################################
+        #SOURCE         DEST            POLICY          LOG LEVEL       LIMIT:BURST
+
+        loc             net             ACCEPT          info
+        net             all             DROP            warning
+
+        $FW             net             DROP            warning
+        loc             $FW             DROP            warning
+        $FW             loc             DROP            warning
+
+        # THE FOLLOWING POLICY MUST BE LAST
+        all             all             REJECT          warning
+        </pre>
+
+        <h4 id="shorewall-snat">2.3.6. SNAT/Masquerading</h4>
+
+        <p>In Shorewall, both Masquerading and SNAT are configured with
+        entries in the /etc/shorewall/masq file. You will normally use
+        Masquerading if your external IP is dynamic and SNAT if the IP
+        is static.</p>
+
+        <p>Since <a href="../conf/etc/rc.d/net">/etc/rc.d/net</a>
+        configured enp8s0 static, change /etc/shorewall/masq so
+        that uses SNAT;</p>
+
+        <p>Edit <a href="../conf/etc/shorewall/masq">/etc/shorewall/masq</a></p>
+
+        <pre>
+        #######################################################################################
+        #INTERFACE:DEST         SOURCE          ADDRESS         PROTO   PORT(S) IPSEC   MARK
+        #
+        wlp7s0                  10.0.0.0/24      192.168.1.254
+        </pre>
+
+        <h4 id="shorewall-dnat">2.3.7. DNAT</h4>
+
+        <p>Destination Network Address Translation are defined in
+        /etc/shorewall/rules;</p>
+
+        <h4 id="shorewall-rules">2.3.8. Rules</h4>
+
+        <p>Example <a href="../conf/etc/shorewall/rules">/etc/shorewall/rules</a> file.</p>
+
+        <h4 id="shorewall-log">2.3.9. Logging</h4>
+
+        <pre>
+        $ sudo mkdir /var/log/shorewall
+        </pre>
+
+        <p>Example of syslog-ng configuration for shorewall;</p>
+
+        <pre>
+        destination d_shorewall_warn { file ("/var/log/shorewall/warn.log"); };
+        destination d_shorewall_info { file ("/var/log/shorewall/info.log"); };
+
+        filter f_shorewall_warn {
+                level (warn)
+                and match ("Shorewall" value("MESSAGE"));
+        };
+
+        filter f_shorewall_info {
+                level (info)
+                and match ("Shorewall" value("MESSAGE"));
+        };
+
+        log { source (s_kernel); filter (f_shorewall_warn); destination (d_shorewall_warn); flags(final);};
+        log { source (s_kernel); filter (f_shorewall_info); destination (d_shorewall_info); flags(final);};
+        </pre>
+
+
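Review bot: the interface names in the generated configuration do not agree with each other, which will leave the firewall either not forwarding or accepting traffic on an interface the page never defines. The interfaces file declares `net enp8s0` and `loc wlp7s0`, but stoppedrules accepts on `enp3s0` (`ACCEPT enp3s0 -` / `ACCEPT - enp3s0`), an interface that appears nowhere else; since stoppedrules governs what is allowed while the firewall is stopped, a rule naming a non-existent interface silently allows nothing, and if it was meant to be the external interface it would allow everything in while stopped. Likewise the masq entry `wlp7s0 10.0.0.0/24 192.168.1.254` puts the internal wireless interface in the INTERFACE column, which in shorewall-masq(5) is the outgoing interface; the SNAT entry should name `enp8s0`, the interface the prose says carries the static address. Related inconsistency: the interfaces line for `net enp8s0` carries the `dhcp` option while the SNAT section states enp8s0 is configured static in /etc/rc.d/net; one of the two should change. Smaller points: the section numbers are out of order (2.3.5 Configure Interfaces precedes 2.3.3 Zones and 2.3.4 Policy, and the h4 subsections of 2.3.2 are numbered as its siblings); the sample extraction sequence is not self-consistent (`mkdir sample && cd sample`, then `cd /srv/ports/work/shorewall-5.0.8.2`, then `cd ../../ && rm -fR sample` removes a directory relative to /srv/ports rather than the one created); the Rules and DNAT sections only point to a rules file that this commit does not add, although with `loc $FW DROP` and `$FW net DROP` in policy the rules file is what decides whether DHCP, DNS and similar services from the loc zone work at all; the `pre` blocks have uneven indentation (lines 48, 115 and 116 differ from the rest) that will render literally; and the prose has typos ("defoult", "witch", "resume" for summary, the garbled sentence "There are Some files have names ending in '.annotated'").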