        <h2 id="shorewall">2.3. Shorewall</h2>

        <p><a href="http://shorewall.net">Shorewall</a> is a gateway/firewall
        configuration tool. "You describe your firewall/gateway requirements
        using entries in a set of configuration files. Shorewall reads those
        configuration files and with the help of the iptables, iptables-restore,
        ip and tc utilities, Shorewall configures Netfilter and the Linux
        networking subsystem to match your requirements."</p>

        <p>This is a summary of
        <a href="http://shorewall.net/two-interface.htm">Basic Two-Interface Firewall</a>.
        </p>

        <h3 id="shorewall-install">2.3.1. Install Shorewall</h3>

        <p>The Shorewall port is part of the <a href="https://crux.nu/portdb/index.php?a=repo&amp;q=kris">Kris Collection</a>
        and the <a href="../install/ports.html#sysdoccollection">sysdoc collection</a>.</p>

        <pre>
        $ prt-get depinst shorewall
        </pre>

        <p>Get the sample configuration files from the distribution tarball:</p>

        <pre>
        $ mkdir sample && cd sample
        $ tar xf ../shorewall-5.0.8.2.tar.bz2
        $ cd /srv/ports/work/shorewall-5.0.8.2
        $ ls
        README.txt            policy            shorewall.conf.annotated
        interfaces            policy.annotated  stoppedrules
        interfaces.annotated  rules             stoppedrules.annotated
        masq                  rules.annotated   zones
        masq.annotated        shorewall.conf    zones.annotated
        </pre>

        <p>Copy the two-interface sample files to /etc/shorewall:</p>

        <pre>
        $ sudo cp Samples/two-interfaces/* /etc/shorewall/
        </pre>

        <p>The extracted distribution files are no longer needed:</p>

        <pre>
        $ cd ../../ && rm -fR sample
        </pre>

        <h3 id="shorewall-configure">2.3.2. Configure Shorewall</h3>

        <p>Tip: to get help about a file in /etc/shorewall, see its man page;
        for example, man shorewall-zones documents the zones file. Some files
        have names ending in '.annotated'; you may prefer to look at those
        instead.</p>

        <p>Rules about what traffic to allow and what traffic to deny are
        expressed in terms of zones:</p>

        <ul>
            <li>Define default policy for connections from one zone to
                another zone in /etc/shorewall/policy.</li>

            <li>Define exceptions to those default policies in
                /etc/shorewall/rules.</li>
        </ul>

        <p>Edit <a href="../conf/etc/shorewall/shorewall.conf">/etc/shorewall/shorewall.conf</a></p>

        <pre>
        ###############################################################################
        #                      S T A R T U P   E N A B L E D
        ###############################################################################

        STARTUP_ENABLED=Yes
        </pre>

        <h4 id="shorewall-interfaces">2.3.5. Configure Interfaces</h4>

        <p>Show the default route; the device it uses should be your external interface:</p>

        <pre>
        # ip route ls
        </pre>

        <p>This example assumes enp8s0 is connected to the router and
        wlp7s0 is the wireless access point.</p>

        <p>Edit <a href="../conf/etc/shorewall/interfaces">/etc/shorewall/interfaces</a></p>

        <pre>
        ###############################################################################
        #ZONE   INTERFACE       OPTIONS
        net     enp8s0          dhcp,tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0
        loc     wlp7s0          tcpflags,nosmurfs,routefilter,logmartians
        </pre>

        <p>Edit <a href="../conf/etc/shorewall/stoppedrules">/etc/shorewall/stoppedrules</a></p>

        <pre>
        ###############################################################################
        #ACTION         SOURCE          DEST            PROTO   DEST            SOURCE
        #                                                       PORT(S)         PORT(S)
        ACCEPT          enp3s0          -
        ACCEPT          -               enp3s0
        </pre>

        <h4 id="shorewall-zones">2.3.3. Configure Zones</h4>

        <p>Shorewall treats the firewall system itself as a zone of its own,
        as can be seen in the zones defined by the two-interfaces example.</p>

        <p>Edit <a href="../conf/etc/shorewall/zones">/etc/shorewall/zones</a></p>

        <pre>
        ###############################################################################
        #ZONE	TYPE	OPTIONS			IN			OUT
        #					OPTIONS			OPTIONS
        fw	firewall
        net	ipv4
        loc	ipv4
        </pre>

        <h4 id="shorewall-policy">2.3.4. Configure Policy</h4>

        <p>Change the default /etc/shorewall/policy. This example limits
        which connections are allowed to and from the firewall; the default
        policy is to drop:</p>

        <p>Edit <a href="../conf/etc/shorewall/policy">/etc/shorewall/policy</a></p>

        <pre>
        ##############################################################################
        #SOURCE         DEST            POLICY          LOG LEVEL       LIMIT:BURST

        loc             net             ACCEPT          info
        net             all             DROP            warning

        $FW             net             DROP            warning
        loc             $FW             DROP            warning
        $FW             loc             DROP            warning

        # THE FOLLOWING POLICY MUST BE LAST
        all             all             REJECT          warning
        </pre>
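        <p>Shorewall evaluates the policy file from top to bottom and applies the
        first entry whose SOURCE and DEST match, with "all" matching any zone.
        The following script is an example added to this page (it is not part of
        Shorewall or of the original document): it resolves the effective policy
        for a zone pair against a constructed copy of the entries above, checks
        that the catch-all entry really is last, and prints the whole matrix so
        you can see that, for these three zones, the final REJECT line is never
        the one that fires. Traffic from a zone to itself has its own handling in
        Shorewall and is deliberately not modelled here.</p>

```shell
#!/bin/sh
# Resolve which /etc/shorewall/policy entry applies to a zone pair.
# Added example, not Shorewall code. Shorewall scans the policy file top to
# bottom; the first entry whose SOURCE and DEST match wins, "all" matches any
# zone. Zone-to-same-zone traffic is not modelled.

# Constructed copy of the policy entries shown in this section.
POLICY_SAMPLE='#SOURCE         DEST            POLICY          LOG LEVEL       LIMIT:BURST
loc             net             ACCEPT          info
net             all             DROP            warning
$FW             net             DROP            warning
loc             $FW             DROP            warning
$FW             loc             DROP            warning
# THE FOLLOWING POLICY MUST BE LAST
all             all             REJECT          warning'

# effective_policy SRC DEST: read policy text on stdin and print the POLICY
# column of the first matching entry, or NONE when nothing matches.
effective_policy() {
    awk -v src="$1" -v dst="$2" '
        /^[ \t]*#/ || NF < 3 { next }          # skip comments and blank lines
        ($1 == src || $1 == "all") && ($2 == dst || $2 == "all") {
            print $3; found = 1; exit         # first match wins
        }
        END { if (!found) print "NONE" }'
}

# policy_for SRC DEST: the same lookup against the constructed sample.
policy_for() {
    printf '%s\n' "$POLICY_SAMPLE" | effective_policy "$1" "$2"
}

# catchall_is_last: succeed only if the final data row is "all all ...",
# the invariant that the comment in the sample insists on.
catchall_is_last() {
    printf '%s\n' "$POLICY_SAMPLE" |
    awk '!/^[ \t]*#/ && NF >= 3 { last = $1 " " $2 }
         END { exit (last == "all all") ? 0 : 1 }'
}

# policy_matrix ZONE...: print the effective policy for every ordered pair
# of distinct zones, to review what the file really allows.
policy_matrix() {
    for s in "$@"; do
        for d in "$@"; do
            [ "$s" = "$d" ] && continue
            printf '%s -> %s: %s\n' "$s" "$d" "$(policy_for "$s" "$d")"
        done
    done
}

policy_matrix loc net '$FW'
```

        <p>Running it prints six lines; only loc -&gt; net resolves to ACCEPT,
        every other pair is caught by one of the DROP entries before the
        catch-all is reached. Quote <code>$FW</code> when passing it as an
        argument so the shell does not expand it.</p>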

        <h4 id="shorewall-snat">2.3.6. SNAT/Masquerading</h4>

        <p>In Shorewall, both Masquerading and SNAT are configured with
        entries in the /etc/shorewall/masq file. You will normally use
        Masquerading if your external IP is dynamic and SNAT if the IP
        is static.</p>

        <p>Since <a href="../conf/etc/rc.d/net">/etc/rc.d/net</a>
        configures enp8s0 with a static address, change /etc/shorewall/masq so
        that it uses SNAT:</p>

        <p>Edit <a href="../conf/etc/shorewall/masq">/etc/shorewall/masq</a></p>

        <pre>
        #######################################################################################
        #INTERFACE:DEST         SOURCE          ADDRESS         PROTO   PORT(S) IPSEC   MARK
        #
        # INTERFACE is the outgoing (external) interface, SOURCE the local network
        # being translated and ADDRESS the static address of enp8s0 used for SNAT.
        enp8s0                  10.0.0.0/24     192.168.1.254
        </pre>
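        <p>The interfaces, stoppedrules and masq files all name interfaces, and
        nothing forces them to agree: a stoppedrules entry for an interface that
        interfaces never declares silently does nothing when the firewall is
        stopped. The script below is an example added to this page (not
        Shorewall's own <code>shorewall check</code>) that cross-checks the
        three files. It runs against constructed copies in a temporary
        directory: the interfaces and stoppedrules content is taken from this
        section, the masq line assumes enp8s0 as the outgoing interface, and the
        check reports the enp3s0 entries from stoppedrules, which no line in
        interfaces declares.</p>

```shell
#!/bin/sh
# Cross-check interface names across Shorewall's interfaces, stoppedrules and
# masq files. Added example, not part of Shorewall; the sample files written by
# make_sample are constructed from this page's snippets.

# is_member NAME LIST: succeed if NAME is one of the whitespace-separated words in LIST.
is_member() {
    for w in $2; do [ "$w" = "$1" ] && return 0; done
    return 1
}

# shorewall_rows FILE: print the data rows of a Shorewall table file,
# dropping comment lines and blank lines.
shorewall_rows() {
    awk '!/^[ \t]*#/ && NF > 0' "$1"
}

# check_shorewall_ifaces DIR: print one line per problem found, nothing when clean.
check_shorewall_ifaces() {
    dir=$1
    defined=$(shorewall_rows "$dir/interfaces" | awk '{ print $2 }')
    net_ifaces=$(shorewall_rows "$dir/interfaces" | awk '$1 == "net" { print $2 }')

    # stoppedrules: SOURCE (column 2) and DEST (column 3) may be a bare interface name.
    shorewall_rows "$dir/stoppedrules" | awk '{ print $2; if (NF >= 3) print $3 }' |
    while read -r name; do
        case $name in
            -|*:*|*.*) continue ;;   # "-" or an address specification, not an interface
        esac
        is_member "$name" "$defined" ||
            echo "stoppedrules: interface $name is not declared in interfaces"
    done

    # masq: INTERFACE[:DEST] (column 1) is the outgoing interface. On a gateway
    # it is expected to be the interface assigned to the net zone.
    shorewall_rows "$dir/masq" | awk '{ split($1, a, ":"); print a[1] }' |
    while read -r name; do
        is_member "$name" "$defined" ||
            echo "masq: interface $name is not declared in interfaces"
        is_member "$name" "$net_ifaces" ||
            echo "masq: interface $name is not in the net zone (SNAT on a local interface?)"
    done
    return 0
}

# make_sample DIR: write constructed copies of the three files.
make_sample() {
    mkdir -p "$1"
    printf '%s\n' \
        '#ZONE   INTERFACE       OPTIONS' \
        'net     enp8s0          dhcp,tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0' \
        'loc     wlp7s0          tcpflags,nosmurfs,routefilter,logmartians' > "$1/interfaces"
    printf '%s\n' \
        '#ACTION         SOURCE          DEST' \
        'ACCEPT          enp3s0          -' \
        'ACCEPT          -               enp3s0' > "$1/stoppedrules"
    printf '%s\n' \
        '#INTERFACE:DEST         SOURCE          ADDRESS' \
        'enp8s0                  10.0.0.0/24     192.168.1.254' > "$1/masq"
}

sample_dir=$(mktemp -d)
make_sample "$sample_dir"
check_shorewall_ifaces "$sample_dir"
rm -rf "$sample_dir"
```

        <p>Point <code>check_shorewall_ifaces</code> at /etc/shorewall to run the
        same check on a real configuration; it prints two lines for the
        constructed sample, one per enp3s0 entry, and nothing for the masq
        line.</p>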

        <h4 id="shorewall-dnat">2.3.7. DNAT</h4>

        <p>Destination Network Address Translation (DNAT) entries are defined in
        /etc/shorewall/rules.</p>

        <h4 id="shorewall-rules">2.3.8. Rules</h4>

        <p>Example <a href="../conf/etc/shorewall/rules">/etc/shorewall/rules</a> file.</p>

        <h4 id="shorewall-log">2.3.9. Logging</h4>

        <pre>
        $ sudo mkdir /var/log/shorewall
        </pre>

        <p>Example syslog-ng configuration for Shorewall:</p>

        <pre>
        destination d_shorewall_warn { file ("/var/log/shorewall/warn.log"); };
        destination d_shorewall_info { file ("/var/log/shorewall/info.log"); };

        filter f_shorewall_warn {
                level (warn)
                and match ("Shorewall" value("MESSAGE"));
        };

        filter f_shorewall_info {
                level (info)
                and match ("Shorewall" value("MESSAGE"));
        };

        log { source (s_kernel); filter (f_shorewall_warn); destination (d_shorewall_warn); flags(final);};
        log { source (s_kernel); filter (f_shorewall_info); destination (d_shorewall_info); flags(final);};
        </pre>
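        <p>Once the warning-level entries land in /var/log/shorewall/warn.log,
        the useful question is which sources the DROP and REJECT policies are
        hitting and whether one of them is walking through ports. The script
        below is an example added to this page (not part of Shorewall or of
        the original document). It assumes the default LOGFORMAT, which puts
        <code>Shorewall:&lt;chain&gt;:&lt;disposition&gt;:</code> in front of
        the netfilter fields; the log lines it runs on are constructed, using
        documentation address ranges, and include an ACCEPT entry to show that
        only dropped and rejected traffic is counted.</p>

```shell
#!/bin/sh
# Summarise Shorewall DROP/REJECT log entries by source address.
# Added example, not Shorewall code. Assumes the default LOGFORMAT prefix
# "Shorewall:<chain>:<disposition>:"; the sample below is constructed.

SAMPLE_LOG='Jan  5 10:00:01 gw kernel: Shorewall:net-fw:DROP:IN=enp8s0 OUT= SRC=198.51.100.23 DST=192.168.1.254 LEN=40 TTL=244 PROTO=TCP SPT=40001 DPT=22 SYN
Jan  5 10:00:02 gw kernel: Shorewall:net-fw:DROP:IN=enp8s0 OUT= SRC=198.51.100.23 DST=192.168.1.254 LEN=40 TTL=244 PROTO=TCP SPT=40002 DPT=23 SYN
Jan  5 10:00:03 gw kernel: Shorewall:net-fw:DROP:IN=enp8s0 OUT= SRC=198.51.100.23 DST=192.168.1.254 LEN=40 TTL=244 PROTO=TCP SPT=40003 DPT=445 SYN
Jan  5 10:00:04 gw kernel: Shorewall:net-fw:DROP:IN=enp8s0 OUT= SRC=198.51.100.23 DST=192.168.1.254 LEN=40 TTL=244 PROTO=TCP SPT=40004 DPT=3389 SYN
Jan  5 10:01:10 gw kernel: Shorewall:net-fw:DROP:IN=enp8s0 OUT= SRC=203.0.113.9 DST=192.168.1.254 LEN=60 TTL=51 PROTO=TCP SPT=51234 DPT=22 SYN
Jan  5 10:01:11 gw kernel: Shorewall:net-fw:DROP:IN=enp8s0 OUT= SRC=203.0.113.9 DST=192.168.1.254 LEN=60 TTL=51 PROTO=TCP SPT=51235 DPT=22 SYN
Jan  5 10:01:12 gw kernel: Shorewall:net-fw:DROP:IN=enp8s0 OUT= SRC=203.0.113.9 DST=192.168.1.254 LEN=84 TTL=51 PROTO=ICMP TYPE=8 CODE=0
Jan  5 10:02:00 gw kernel: Shorewall:loc-net:ACCEPT:IN=wlp7s0 OUT=enp8s0 SRC=10.0.0.5 DST=198.51.100.80 LEN=60 TTL=63 PROTO=TCP SPT=43210 DPT=443 SYN'

# drop_sources: read log lines on stdin; for every DROP or REJECT entry count
# hits per SRC and the number of distinct DPT values seen from that SRC.
# Output: "<src> <hits> <distinct_ports>", busiest source first.
drop_sources() {
    awk '
        /Shorewall:[^:]*:(DROP|REJECT):/ {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src == "") next
            hits[src]++
            # entries without DPT (e.g. ICMP) count as hits but not as ports
            if (dpt != "" && !((src, dpt) in seen)) { seen[src, dpt] = 1; ports[src]++ }
        }
        END { for (s in hits) print s, hits[s], ports[s] + 0 }' |
    sort -k2,2nr -k1,1
}

# scan_suspects MIN: sources whose dropped traffic touched at least MIN
# distinct destination ports, a simple indicator of port probing.
scan_suspects() {
    drop_sources | awk -v min="$1" '$3 >= min { print $1 }'
}

printf '%s\n' "$SAMPLE_LOG" | drop_sources
printf '%s\n' "$SAMPLE_LOG" | scan_suspects 3
```

        <p>On the real host the same functions read the files syslog-ng writes,
        for example <code>drop_sources &lt; /var/log/shorewall/warn.log</code>.
        For the sample, 198.51.100.23 is reported with four hits on four
        distinct ports and 203.0.113.9 with three hits on one port, and only the
        first is listed as a scan suspect at a threshold of three.</p>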