2.3. Shorewall

Shorewall is a gateway/firewall configuration tool. "You describe your firewall/gateway requirements using entries in a set of configuration files. Shorewall reads those configuration files and with the help of the iptables, iptables-restore, ip and tc utilities, Shorewall configures Netfilter and the Linux networking subsystem to match your requirements."

This is a summary of the Shorewall Basic Two-Interface Firewall guide, adapted to this system.

2.3.1. Install Shorewall

The Shorewall port is part of the Kris collection and the sysdoc collection.

        $ prt-get depinst shorewall
        

Extract the sample configuration from the distribution tarball (adjust the path to wherever the tarball was downloaded); the two-interface sample is what this section is based on;

        $ mkdir sample && cd sample
        $ tar xf ../shorewall-5.0.8.2.tar.bz2
        $ cd shorewall-5.0.8.2
        $ ls Samples/two-interfaces
        README.txt            policy            shorewall.conf.annotated
        interfaces            policy.annotated  stoppedrules
        interfaces.annotated  rules             stoppedrules.annotated
        masq                  rules.annotated   zones
        masq.annotated        shorewall.conf    zones.annotated
        

Copy the two-interface sample files to /etc/shorewall;

        $ sudo cp Samples/two-interfaces/* /etc/shorewall/
        

The extracted files are no longer needed;

        $ cd ../../ && rm -fR sample
        

2.3.2. Configure Shorewall

Tip: every file in /etc/shorewall has a manual page named after it; for example, man shorewall-zones documents the zones file. Some files come with a copy whose name ends in '.annotated' and carries the documentation inline; you may prefer to read those.

Rules about which traffic to allow and which to deny are expressed in terms of zones;

Edit /etc/shorewall/shorewall.conf; Shorewall refuses to start until STARTUP_ENABLED is set to Yes, which prevents a half-edited configuration from being loaded at boot

        ###############################################################################
        #                      S T A R T U P   E N A B L E D
        ###############################################################################

        STARTUP_ENABLED=Yes
        

2.3.5. Configure Interfaces

Show the routing table; the interface on the default route is your external interface;

        # ip route ls
        

This example assumes enp8s0 is connected to the router (the external, net interface) and wlp7s0 is the wireless access point serving the local network (the loc interface). The dhcp option allows DHCP traffic on an interface and is only needed if enp8s0 gets its address from DHCP or a DHCP server on the firewall listens there; since the SNAT section below assumes enp8s0 has a static address, it can be dropped.

Edit /etc/shorewall/interfaces

        ###############################################################################
        #ZONE   INTERFACE       OPTIONS
        net     enp8s0          dhcp,tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0
        loc     wlp7s0          tcpflags,nosmurfs,routefilter,logmartians
        

Edit /etc/shorewall/stoppedrules. These rules apply while Shorewall is stopped; the sample keeps the local interface open so the firewall can still be administered from the LAN, so the interface named here must be the loc interface from /etc/shorewall/interfaces, not the external one;

        ###############################################################################
        #ACTION         SOURCE          DEST            PROTO   DEST            SOURCE
        #                                                       PORT(S)         PORT(S)
        ACCEPT          wlp7s0          -
        ACCEPT          -               wlp7s0
        

2.3.3. Configure Zones

Shorewall treats the firewall system itself as a zone of type firewall (named fw here and referred to as $FW in the other files), as can be seen in the zones defined by the two-interface sample;

Edit /etc/shorewall/zones

        ###############################################################################
        #ZONE   TYPE    OPTIONS         IN              OUT
        #                               OPTIONS         OPTIONS
        fw      firewall
        net     ipv4
        loc     ipv4
        

2.3.4. Configure Policy

Change the default /etc/shorewall/policy. This example restricts which connections are allowed to and from the firewall; the default is to drop. A DROP policy for $FW to net means the firewall itself cannot resolve names or fetch updates, and DROP for loc to $FW means it cannot be administered from the LAN, so every such service has to be opened explicitly in /etc/shorewall/rules, which is evaluated before the policies. The LOG LEVEL column logs each connection a policy handles: the loc to net ACCEPT logs every new outbound connection at info and the DROP policies log at warning, which is what the syslog-ng configuration in the logging section keys on;

Edit /etc/shorewall/policy

        ##############################################################################
        #SOURCE         DEST            POLICY          LOG LEVEL       LIMIT:BURST

        loc             net             ACCEPT          info
        net             all             DROP            warning

        $FW             net             DROP            warning
        loc             $FW             DROP            warning
        $FW             loc             DROP            warning

        # THE FOLLOWING POLICY MUST BE LAST
        all             all             REJECT          warning
        

2.3.6. SNAT/Masquerading

In Shorewall, both Masquerading and SNAT are configured with entries in the /etc/shorewall/masq file. You will normally use Masquerading if your external IP is dynamic and SNAT if the IP is static.

Since /etc/rc.d/net configures enp8s0 with a static address, change /etc/shorewall/masq to use SNAT. The INTERFACE column is the external interface out of which the translated packets leave (enp8s0, not the local wlp7s0), SOURCE is the local network behind wlp7s0, and ADDRESS is the static external address of enp8s0; leaving ADDRESS empty gives masquerading instead;

Edit /etc/shorewall/masq

        #######################################################################################
        #INTERFACE:DEST         SOURCE          ADDRESS         PROTO   PORT(S) IPSEC   MARK
        #
        enp8s0                  10.0.0.0/24     192.168.1.254
        

2.3.7. DNAT

Destination NAT (port forwarding from the external address to a host in loc) is also defined in /etc/shorewall/rules, using the DNAT action; a DNAT rule both rewrites the destination and accepts the connection, so no separate ACCEPT rule is needed;

2.3.8. Rules

The rules in /etc/shorewall/rules are matched before the policies in /etc/shorewall/policy, so this file holds the exceptions to the DROP policies above and the DNAT entries;
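An example /etc/shorewall/rules file for the interfaces, zones and policy above, covering both the DNAT section and this one. It is added here and is not the Shorewall two-interface sample; the web server at 10.0.0.10 in loc, the 8443 port on it, and the set of services the firewall itself needs (DNS, NTP, HTTP and HTTPS for port updates) are assumptions:

```conf
#
# /etc/shorewall/rules (added example; host 10.0.0.10 and the firewall's own
# outbound services are assumptions)
#
#ACTION         SOURCE          DEST            PROTO   DEST    SOURCE  ORIGINAL  RATE
#                                                       PORT(S) PORT(S) DEST      LIMIT
?SECTION ALL
?SECTION ESTABLISHED
?SECTION RELATED
?SECTION INVALID
?SECTION UNTRACKED
?SECTION NEW

# Do not let the net pick up half-open TCP connections; also keeps the log quiet.
Invalid(DROP)   net             all             tcp

# Services the firewall itself needs despite the $FW -> net DROP policy:
# name resolution, time sync and HTTP/HTTPS for package and port updates.
DNS(ACCEPT)     $FW             net
NTP(ACCEPT)     $FW             net
HTTP(ACCEPT)    $FW             net
HTTPS(ACCEPT)   $FW             net

# Administration from the LAN only, limited to 3 new SSH connections per
# minute (burst 5) per source address.
ACCEPT          loc             $FW             tcp     22      -       -         s:3/min:5

# Ping: answer the LAN, drop probes from the net silently (the net -> all DROP
# policy would log every one at warning otherwise), let the firewall ping out.
Ping(ACCEPT)    loc             $FW
Ping(DROP)      net             $FW
ACCEPT          $FW             loc             icmp
ACCEPT          $FW             net             icmp

# DNAT: forward HTTP arriving on the external address to the web server at
# 10.0.0.10 in loc, and HTTPS to port 8443 on the same host. DNAT accepts the
# forwarded connection as well, so the net -> all DROP policy still covers
# everything else.
DNAT            net             loc:10.0.0.10       tcp     80
DNAT            net             loc:10.0.0.10:8443  tcp     443
```

Run shorewall check after editing to have the compiler validate the files, then shorewall restart; shorewall show nat lists the resulting DNAT and SNAT entries.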

2.3.9. Logging

Create the directory the log files will be written to;

        $ sudo mkdir /var/log/shorewall
        

Example syslog-ng configuration that splits Shorewall messages by level into the two files. The filters match on the literal string Shorewall in the message, so LOGFORMAT in shorewall.conf must keep that prefix; s_kernel is assumed to be the kernel log source already defined in syslog-ng.conf;

        destination d_shorewall_warn { file ("/var/log/shorewall/warn.log"); };
        destination d_shorewall_info { file ("/var/log/shorewall/info.log"); };

        filter f_shorewall_warn {
                level (warn)
                and match ("Shorewall" value("MESSAGE"));
        };

        filter f_shorewall_info {
                level (info)
                and match ("Shorewall" value("MESSAGE"));
        };

        log { source (s_kernel); filter (f_shorewall_warn); destination (d_shorewall_warn); flags(final);};
        log { source (s_kernel); filter (f_shorewall_info); destination (d_shorewall_info); flags(final);};