<h2 id="shorewall">2.3. Shorewall</h2>
<p><a href="http://shorewall.net">Shorewall</a> is a gateway/firewall
configuration tool. "You describe your firewall/gateway requirements
using entries in a set of configuration files. Shorewall reads those
configuration files and with the help of the iptables, iptables-restore,
ip and tc utilities, Shorewall configures Netfilter and the Linux
networking subsystem to match your requirements."</p>
<p>This section is a summary of the Shorewall
<a href="http://shorewall.net/two-interface.htm">Basic Two-Interface Firewall</a> guide.
</p>
<h3 id="shorewall-install">2.3.1. Install Shorewall</h3>
<p>The Shorewall port is part of the <a href="https://crux.nu/portdb/index.php?a=repo&q=kris">Kris Collection</a>
and of the <a href="../install/ports.html#sysdoccollection">sysdoc collection</a>.</p>
<pre>
$ prt-get depinst shorewall
</pre>
<p>Get the sample configuration from the distribution file:</p>
<pre>
$ mkdir sample && cd sample
$ tar xf ../shorewall-5.0.8.2.tar.bz2
$ cd /srv/ports/work/shorewall-5.0.8.2
$ ls
README.txt            policy             shorewall.conf.annotated
interfaces            policy.annotated   stoppedrules
interfaces.annotated  rules              stoppedrules.annotated
masq                  rules.annotated    zones
masq.annotated        shorewall.conf     zones.annotated
</pre>
<p>Copy the two-interface sample files to /etc/shorewall:</p>
<pre>
$ sudo cp Samples/two-interfaces/* /etc/shorewall/
</pre>
<p>The extracted distribution files are no longer needed:</p>
<pre>
$ cd ../../ && rm -fR sample
</pre>
<h3 id="shorewall-configure">2.3.2. Configure Shorewall</h3>
<p>Tip: each file in /etc/shorewall has its own manual page; for example,
to get help about the zones file, run man shorewall-zones. Some files
have names ending in '.annotated'; you might choose to read those
instead.</p>
<p>Rules about which traffic to allow and which traffic to deny are expressed in
terms of zones:</p>
<ul>
<li>Define default policy for connections from one zone to
another zone in /etc/shorewall/policy.</li>
<li>Define exceptions to those default policies in
/etc/shorewall/rules.</li>
</ul>
<p>Edit <a href="../conf/etc/shorewall/shorewall.conf">/etc/shorewall/shorewall.conf</a></p>
<pre>
###############################################################################
# S T A R T U P E N A B L E D
###############################################################################
STARTUP_ENABLED=Yes
</pre>
<h4 id="shorewall-interfaces">2.3.5. Configure Interfaces</h4>
<p>Show the default route; the last entry should be your external interface:</p>
<pre>
# ip route ls
</pre>
<p>This example assumes that enp8s0 is connected to the router and that
wlp7s0 is the wireless access point.</p>
<p>Edit <a href="../conf/etc/shorewall/interfaces">/etc/shorewall/interfaces</a></p>
<pre>
###############################################################################
#ZONE   INTERFACE   OPTIONS
net     enp8s0      dhcp,tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0
loc     wlp7s0      tcpflags,nosmurfs,routefilter,logmartians
</pre>
<p>Edit <a href="../conf/etc/shorewall/stoppedrules">/etc/shorewall/stoppedrules</a></p>
<pre>
###############################################################################
#ACTION   SOURCE   DEST     PROTO   DEST      SOURCE
#                                   PORT(S)   PORT(S)
ACCEPT    enp3s0   -
ACCEPT    -        enp3s0
</pre>
<h4 id="shorewall-zones">2.3.3. Configure Zones</h4>
<p>Shorewall treats the firewall system itself as a zone of its own, as can be
seen in the zones defined by the two-interfaces example:</p>
<p>Edit <a href="../conf/etc/shorewall/zones">/etc/shorewall/zones</a></p>
<pre>
###############################################################################
#ZONE   TYPE       OPTIONS   IN        OUT
#                            OPTIONS   OPTIONS
fw      firewall
net     ipv4
loc     ipv4
</pre>
<h4 id="shorewall-policy">2.3.4. Configure Policy</h4>
<p>Change the default /etc/shorewall/policy. This example limits
which connections are allowed to and from the firewall; the default policy
is to drop:</p>
<p>Edit <a href="../conf/etc/shorewall/policy">/etc/shorewall/policy</a></p>
<pre>
##############################################################################
#SOURCE   DEST   POLICY   LOG LEVEL   LIMIT:BURST
loc       net    ACCEPT   info
net       all    DROP     warning
$FW       net    DROP     warning
loc       $FW    DROP     warning
$FW       loc    DROP     warning
# THE FOLLOWING POLICY MUST BE LAST
all       all    REJECT   warning
</pre>
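<p>The following Python script is an added example; it is not part of this page or of the Shorewall project. It parses the interfaces, zones and policy fragments shown in the three sections above (embedded here as constructed copies) and checks them for the inconsistencies that are easy to introduce when editing by hand: every zone used in the interfaces and policy files is declared in the zones file, exactly one zone has type firewall, no interface is listed twice, every policy keyword is valid, and the catch-all all all line is last, as the sample's own comment requires. The list of policy keywords and the zone name fw are assumptions taken from Shorewall's defaults, and the script is a pre-check only; shorewall check validates the real configuration.</p>

```python
"""Consistency pre-check for a Shorewall zones/interfaces/policy set.

Added example, not part of the CRUX sysdoc page or of Shorewall. The three
file bodies are constructed copies of the fragments shown in this section.
FW_ZONE and VALID_POLICIES are assumptions based on Shorewall's defaults.
"""

FW_ZONE = "fw"  # default name of the firewall zone (assumption)
VALID_POLICIES = {"ACCEPT", "DROP", "REJECT", "CONTINUE", "QUEUE", "NFQUEUE", "NONE"}

ZONES = """\
#ZONE   TYPE       OPTIONS   IN OPTIONS   OUT OPTIONS
fw      firewall
net     ipv4
loc     ipv4
"""

INTERFACES = """\
#ZONE   INTERFACE   OPTIONS
net     enp8s0      dhcp,tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0
loc     wlp7s0      tcpflags,nosmurfs,routefilter,logmartians
"""

POLICY = """\
#SOURCE   DEST   POLICY   LOG LEVEL   LIMIT:BURST
loc       net    ACCEPT   info
net       all    DROP     warning
$FW       net    DROP     warning
loc       $FW    DROP     warning
$FW       loc    DROP     warning
# THE FOLLOWING POLICY MUST BE LAST
all       all    REJECT   warning
"""


def records(text):
    """Yield the whitespace-separated fields of each non-blank, non-comment line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line.split()


def check(zones_text, interfaces_text, policy_text):
    """Return a list of human-readable findings; an empty list means no problem found."""
    findings = []

    # zones: name -> type (firewall, ipv4, ...)
    zone_types = {f[0]: f[1] for f in records(zones_text) if len(f) >= 2}
    fw_zones = [z for z, t in zone_types.items() if t == "firewall"]
    if len(fw_zones) != 1:
        findings.append("zones: exactly one zone of type 'firewall' must be declared")
    fw = fw_zones[0] if fw_zones else FW_ZONE

    # interfaces: each line binds an interface to a declared non-firewall zone
    seen_ifaces = set()
    for f in records(interfaces_text):
        zone, iface = f[0], f[1]
        if zone not in zone_types or zone_types[zone] == "firewall":
            findings.append(f"interfaces: zone '{zone}' on {iface} is not a declared non-firewall zone")
        if iface in seen_ifaces:
            findings.append(f"interfaces: {iface} listed more than once")
        seen_ifaces.add(iface)

    def valid_endpoint(name):
        # 'all' and '$FW' are Shorewall keywords; everything else must be a declared zone
        return name in ("all", "$FW", fw) or name in zone_types

    rows = list(records(policy_text))
    for i, f in enumerate(rows):
        if len(f) < 3:
            findings.append(f"policy line {i + 1}: too few columns")
            continue
        src, dst, pol = f[0], f[1], f[2]
        for name in (src, dst):
            if not valid_endpoint(name):
                findings.append(f"policy: unknown zone '{name}'")
        if pol not in VALID_POLICIES:
            findings.append(f"policy: unknown policy '{pol}'")
        if src == "all" and dst == "all" and i != len(rows) - 1:
            findings.append("policy: 'all all' catch-all is not the last line")
    if not rows or rows[-1][:2] != ["all", "all"]:
        findings.append("policy: file does not end with an 'all all' catch-all")
    return findings


if __name__ == "__main__":
    for finding in check(ZONES, INTERFACES, POLICY) or ["no problems found"]:
        print(finding)
```

<p>Run it on the real files by reading /etc/shorewall/zones, interfaces and policy into the three arguments of check(); the parser deliberately ignores columns beyond the ones it validates, so the LOG LEVEL and LIMIT:BURST columns do not disturb it.</p>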
<h4 id="shorewall-snat">2.3.6. SNAT/Masquerading</h4>
<p>In Shorewall, both Masquerading and SNAT are configured with
entries in the /etc/shorewall/masq file. You will normally use
Masquerading if your external IP address is dynamic and SNAT if it
is static.</p>
<p>Since <a href="../conf/etc/rc.d/net">/etc/rc.d/net</a>
configures enp8s0 with a static address, change /etc/shorewall/masq so
that it uses SNAT:</p>
<p>Edit <a href="../conf/etc/shorewall/masq">/etc/shorewall/masq</a></p>
<pre>
#######################################################################################
#INTERFACE:DEST   SOURCE        ADDRESS         PROTO   PORT(S)   IPSEC   MARK
#
# The first column is the outgoing (external) interface, enp8s0 here;
# 10.0.0.0/24 is the local network behind wlp7s0 and 192.168.1.254 is
# assumed to be the static address configured on enp8s0.
enp8s0            10.0.0.0/24   192.168.1.254
</pre>
<h4 id="shorewall-dnat">2.3.7. DNAT</h4>
<p>Destination Network Address Translation (DNAT) entries are defined in
/etc/shorewall/rules.</p>
<h4 id="shorewall-rules">2.3.8. Rules</h4>
<p>Example <a href="../conf/etc/shorewall/rules">/etc/shorewall/rules</a> file.</p>
<h4 id="shorewall-log">2.3.9. Logging</h4>
<p>Create the log directory:</p>
<pre>
$ sudo mkdir /var/log/shorewall
</pre>
<p>Example syslog-ng configuration for Shorewall. The two filters separate the
info-level messages produced by the loc to net policy from the warning-level
messages produced by the DROP and REJECT policies above:</p>
<pre>
destination d_shorewall_warn { file ("/var/log/shorewall/warn.log"); };
destination d_shorewall_info { file ("/var/log/shorewall/info.log"); };
filter f_shorewall_warn {
level (warn)
and match ("Shorewall" value("MESSAGE"));
};
filter f_shorewall_info {
level (info)
and match ("Shorewall" value("MESSAGE"));
};
log {
    source (s_kernel);
    filter (f_shorewall_warn);
    destination (d_shorewall_warn);
    flags(final);
};
log {
    source (s_kernel);
    filter (f_shorewall_info);
    destination (d_shorewall_info);
    flags(final);
};
</pre>
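<p>As an added example (not from this page or from Shorewall), here is a small Python parser for the kernel log lines that the syslog-ng configuration above writes to /var/log/shorewall/. The sample lines are constructed: they use the default Shorewall log prefix Shorewall:&lt;chain&gt;:&lt;disposition&gt;:, the host name gw, and addresses from the RFC 5737 documentation ranges, and the chain names follow the zone pairs of the policy file above. The script counts packets per chain and disposition, counts drops per source address, and lists sources whose dropped packets touched at least scan_threshold distinct destination ports, which is a useful first thing to look at in warn.log.</p>

```python
"""Summarise Shorewall kernel log lines as written by the syslog-ng setup above.

Added example, not part of the page or of Shorewall. SAMPLE_LOG is constructed:
host name, addresses (RFC 5737 ranges) and packet fields are made up, and the
MAC= field that real kernel log lines carry has been left out for brevity.
"""
import re
import sys
from collections import Counter, defaultdict

SAMPLE_LOG = """\
Mar 10 12:00:01 gw kernel: Shorewall:net-all:DROP:IN=enp8s0 OUT= SRC=203.0.113.7 DST=192.168.1.254 PROTO=TCP SPT=41234 DPT=22 SYN
Mar 10 12:00:02 gw kernel: Shorewall:net-all:DROP:IN=enp8s0 OUT= SRC=203.0.113.7 DST=192.168.1.254 PROTO=TCP SPT=41235 DPT=23 SYN
Mar 10 12:00:03 gw kernel: Shorewall:net-all:DROP:IN=enp8s0 OUT= SRC=203.0.113.7 DST=192.168.1.254 PROTO=TCP SPT=41236 DPT=3389 SYN
Mar 10 12:00:04 gw kernel: Shorewall:net-all:DROP:IN=enp8s0 OUT= SRC=198.51.100.9 DST=192.168.1.254 PROTO=UDP SPT=5353 DPT=5353
Mar 10 12:00:05 gw kernel: Shorewall:loc-fw:DROP:IN=wlp7s0 OUT= SRC=10.0.0.23 DST=10.0.0.1 PROTO=TCP SPT=50000 DPT=22 SYN
Mar 10 12:00:06 gw kernel: Shorewall:loc-net:ACCEPT:IN=wlp7s0 OUT=enp8s0 SRC=10.0.0.23 DST=203.0.113.80 PROTO=TCP SPT=50001 DPT=443 SYN
Mar 10 12:00:07 gw kernel: usb 1-1: new high-speed USB device number 2
"""

# Default Shorewall LOGFORMAT is "Shorewall:%s:%s:" (chain, disposition), followed
# by the netfilter key=value fields. Flags without '=' such as SYN are ignored.
LOG_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disposition>[^:]+):(?P<fields>.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Return a dict of the Shorewall fields in one log line, or None if it is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = {"chain": m.group("chain"), "disposition": m.group("disposition")}
    rec.update(KV_RE.findall(m.group("fields")))  # e.g. IN=enp8s0, SRC=..., DPT=...
    return rec


def summarise(log_text, scan_threshold=3):
    """Aggregate a log: packets per (chain, disposition), drops per source,
    and sources whose drops hit at least scan_threshold distinct (PROTO, DPT) pairs."""
    by_chain = Counter()
    drops_by_src = Counter()
    ports_by_src = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unrelated kernel message
        by_chain[(rec["chain"], rec["disposition"])] += 1
        if rec["disposition"] in ("DROP", "REJECT"):
            src = rec.get("SRC", "?")
            drops_by_src[src] += 1
            if "DPT" in rec:
                ports_by_src[src].add((rec.get("PROTO"), rec["DPT"]))
    suspects = sorted(s for s, ports in ports_by_src.items() if len(ports) >= scan_threshold)
    return {"by_chain": dict(by_chain), "drops_by_src": dict(drops_by_src), "suspects": suspects}


if __name__ == "__main__":
    # Usage: python3 shorewall_log_summary.py [/var/log/shorewall/warn.log]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    summary = summarise(text)
    for (chain, disp), n in sorted(summary["by_chain"].items()):
        print(f"{chain:12} {disp:8} {n}")
    for src, n in summary["drops_by_src"].items():
        print(f"dropped from {src}: {n}")
    print("multi-port sources:", ", ".join(summary["suspects"]) or "none")
```

<p>The chain name in the prefix tells you which policy or rule produced the entry, so splitting the counts by chain is a quick way to see whether a burst of warn.log entries comes from the net side or from a misbehaving host on the local network.</p>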