An Introduction to Shorewall Firewall

Shorewall-logo

Shorewall is a very powerful, high level configuration tool for the Linux firewall subsystem. The Linux kernel has an inbuilt framework to manipulate network packets called Netfilter. A front end tool “Iptables” is used to configure this netfilter subsystem. Iptables is sufficient for simple configurations and personal firewalls. However, for complex configuration scenarios you can easily get lost and bogged down with its syntax and myriad options.

Shorewall provides a high level abstraction and keeps the underlying complexity hidden. This makes firewall configurations easier to design and manage. Think of it as, Shorewall is to Iptables, what C is to assembly language. Also, keep in mind that Shorewall is not a daemon that runs in the background. It simply generates the rules, applies them and gets out-of-the-way.

To start with, I will cover a simple two interface firewall example configuration using Shorewall. We can move to more complex configurations in future posts.

In this scenario we have a server with one ADSL PPPOE connection – ppp0 and a local network on eth0. I have chosen this setup to hopefully explain the core concepts behind shorewall and set a stage for later enhancements.

1. First, install shorewall

# apt-get install shorewall

2. Shorewall configuration lives in /etc/shorewall folder which only has two files by default :

root@cronos:etc/shorewall# ls
Makefile shorewall.conf

3. In order to configure a simple firewall we should, at least, set up the following files:

  • /etc/shorewall/zones
  • /etc/shorewall/interfaces
  • /etc/shorewall/policy
  • /etc/shorewall/rules

4. Configuration file skeletons are stored in /usr/share/doc/shorewall-common/default-config, however we will be using the files form the two-interfaces example.

5. Except for “shorewall.conf” copy all files from /usr/share/doc/shorewall-common/examples/two-interfaces to /etc/shorewall directory :

root@cronos:/usr/share/doc/shorewall-common/examples/two-interfaces# ls
interfaces  masq  policy  README.txt  routestopped  rules  shorewall.conf  zones
root@cronos:/etc/shorewall# sudo cp /usr/share/doc/shorewall-common/default-config/zones zones
root@cronos:/etc/shorewall# ls
interfaces      Makefile      masq      policy    routestopped     rules    shorewall.conf     zones

6. Shorewall.conf

This is the main Shorewall configuration file. Most of the defaults should be fine, expect :

  • To enable IP forwarding you have to set the IP_FORWARDING variable “on”
  • To disable IPv6 set DISABLE_IPV6 to “yes”
  • Since our external interface is ppp0 we will want to set CLAMPMSS=yes. This sets the MSS to 1452 which is recommended on pppoe connections.

7. Zones

The network zones are defined by this file. Zones are an abstraction that help identify different areas of a network. This is a similar to the zones concept used in hardware based firewalls.

  • The $FW variable refers to Shorewall itself, which may be used to refer to the firewall zone throughout the Shorewall configuration.
  • Define a new zone called “modem” which will contain only our ADSL modem.
root@cronos:/etc/shorewall# cat zones
###########################################################
#ZONE   TYPE    OPTIONS           IN              OUT
#                                 OPTIONS         OPTIONS
fw              firewall
net             ipv4
loc             ipv4
modem           ipv4
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

8. Interfaces

This file is used to define the interfaces on the firewall and the zones they belong to.

root@cronos:/etc/shorewall# cat interfaces
###########################################################################
#ZONE   INTERFACE       BROADCAST             OPTIONS
net      ppp0              -      tcpflags,routefilter,nosmurfs,logmartians
modem    eth1            detect
loc      eth0            detect          tcpflags,nosmurfs
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

9. Masq

This file is used for masquerading and snat configuration. Masquerading or natting is used to allow a number of systems in a local network to get access to the internet over a single public IP.

Change the first column to the name of our external interface and the second column to the name of our internal interface.

root@cronos:/etc/shorewall# cat masq
########################################################################
#INTERFACE   SOURCE     ADDRESS    PROTO      PORT(S) IPSEC   MARK
ppp0          eth0
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

 

With the above files we have described our simple network layout from the perspective of the firewall. Next, we have to define the firewall policy and rules.

10. Policy

The Policy file is used to define our default policy for connections from one zone to another zone. This describes which zones are allowed to establish connections with other zones. Later, we define exceptions to these default policies in the rules file to allow/deny desired traffic.

root@cronos:/etc/shorewall# cat policy
######################################################################
#SOURCE        DEST        POLICY     LOG LEVEL       LIMIT:BURST
# Policies for traffic originating from the local LAN (loc)
#
# If you want to force clients to access the Internet via a proxy server
# on your firewall, change the loc to net policy to REJECT info.
loc                        net                  ACCEPT
loc                       $FW                   REJECT                info
loc                        all                  REJECT                info

#
# Policies for traffic originating from the firewall ($FW)
#
# If you want open access to the Internet from your firewall, change the
# $FW to net policy to ACCEPT and remove the 'info' LOG LEVEL.
# This may be useful if you run a proxy server on the firewall.

$FW                     net           ACCEPT
$FW                     loc           REJECT              info
$FW                     all           REJECT              info

#
# Policies for traffic originating from the Internet zone (net)
#
net                     $FW                     DROP      info
net                     loc                     DROP      info
net                     all                     DROP      info

# THE FOLLOWING POLICY MUST BE LAST
all             all             REJECT          info

#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

11. Rules

This file defines exceptions to the default policies established in the policy file. This is where you will be adding firewall rules to allow or deny traffic to the services running in your network – Usually accomplished thorough dnat or port forwarding rules.

root@cronos:/etc/shorewall# cat rules
################################################################################################
#ACTION    SOURCE    DEST    PROTO   DEST SOURCE      ORIGINAL    RATE            USER/   MARK
#                                    PORT PORT(S)     DEST        LIMIT           GROUP
#
#       Accept DNS connections from the firewall to the network
#
DNS/ACCEPT    $FW             net
#
#       Accept SSH connections from the local network for administration
#
SSH/ACCEPT      loc             $FW
#
#       Allow Ping from the local network
#
Ping/ACCEPT     loc             $FW

#
# Reject Ping from the "bad" net zone.. and prevent your log from being flooded..
#

Ping/REJECT     net             $FW

ACCEPT          $FW             loc     icmp
ACCEPT          $FW             net     icmp
#

########################################################
# Custom Lines

#ACTION         SOURCE    DEST               PROTO     DEST PORT(S)
# <macro>/ACCEPT  $FW       <destination zone>
# ACCEPT          $FW       <destination zone> <protocol> <port>

## From Local Network ##
Web/ACCEPT      loc       $FW

VNC/ACCEPT      loc       $FW

## From Internet ##
# Port Forwarding

# DNAT          net       loc:[:]
# Web/DNAT      net       loc:10.10.10.2
# FTP/DNAT      net       loc:10.10.10.1

SSH/ACCEPT      net       $FW

#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

12. Starting shorewall

Automatic startup is disabled by default. To enable it just edit the file /etc/default/shorewall and set the startup variable to 1. Also, set wait_interface=”ppp0″

root@cronos:/etc/shorewall# cat /etc/default/shorewall
# prevent startup with default configuration
# set the following varible to 1 in order to allow Shorewall to start
startup=1
wait_interface="ppp0""

The firewall is started using the shorewall start command and stopped using shorewall stop.

root@cronos:/# sudo shorewall start
Compiling...
Initializing...
Determining Zones...
 IPv4 Zones: net loc modem
 Firewall Zone: fw
Validating interfaces file...
...
Creating action chain dropInvalid
Creating action chain dropNotSyn
Applying Policies...
Setting up Masquerading/SNAT...
Activating Rules...
done.

The shorewall stop command does not remove all netfilter rules and open the firewall for all traffic to pass. It rather places the firewall in a safe state defined by the contents of /etc/shorewall/routestopped file. Use the shorewall clear command to remove all netfilter rules.

Note: For pppoe connections, when the PPP interface for the ADSL link goes down, Shorewall needs to be restarted to take the new IP address assignments into account. We will need to restart the firewall by placing /sbin/shorewall restart in the /etc/ppp/ip-up.d directory.

root@cronos:/etc/ppp/ip-up.d# cat shorewall
#!/bin/sh
/sbin/shorewall -f restart
exit 0

This concludes the short introduction to Shorewall. A lot has been introduced above and I haven’t gone thorough the details of each configuration file since most of it is quite self-explanatory. Hopefully, that is enough to get started on Shorewall.

To truly admire Shorewall’s versatility however, we need to explore more complex setups such as multi-isp, load-balancing , active failover , traffic shaping etc. I hope to bring these topics in future posts.

4. Configuration file skeletons are stored here, however we will be using the files form the two-interfaces example.#:/usr/share/doc/shorewall-common/default-config$ ls
accounting  continue  init        ipsec     masq     netmap  providers    routestopped  started  tcclasses  tos      zones
actions     ecn       initdone    ipsecvpn  modules  params  proxyarp     rules         stop     tcdevices  tunnel
blacklist   hosts     interfaces  maclist   nat      policy  route_rules  start         stopped  tcrules    tunnels5. Except for “shorewall.conf” copy all files from /usr/share/doc/shorewall-common/examples/two-interfaces to /etc/shorewall directory

#:/usr/share/doc/shorewall-common/examples/two-interfaces$ ls
interfaces  masq  policy  README.txt  routestopped  rules  shorewall.conf  zones

#:/etc/shorewall$ sudo cp /usr/share/doc/shorewall-common/default-config/zones zones
#:/etc/shorewall$ ls
interfaces  Makefile  masq  policy  routestopped  rules  shorewall.conf  zones

6. shorewall.conf

* IP forwarding is neither enabled nor disabled. It is set to “keep”. To enable IP forwarding you have to set to “on” the IP_FORWARDING variable.

* IPv6 support is enabled by default. To disable it set DISABLE_IPV6 to “yes”.

* Since our external interface is ppp0 we will want to set CLAMPMSS=yes.

7. zones

* This file is used to define the network zones

* Shorewall recognizes the firewall system as its own zone. The name of the firewall zone is stored in the shell variable $FW which may be used to refer to the firewall zone throughout the Shorewall configuration.

* Define a new zone called “modem” which will contain only our ADSL modem.

#:/etc/shorewall$ cat zones

###############################################################################
#ZONE   TYPE    OPTIONS              IN              OUT
#                                    OPTIONS            OPTIONS
fw      firewall
net     ipv4
loc     ipv4
modem   ipv4

#LAST LINE – ADD YOUR ENTRIES ABOVE THIS ONE – DO NOT REMOVE

8. interfaces

* This file is used to tell the firewall which of your firewall’s network interfaces are connected to which zone.

#:/etc/shorewall$ cat interfaces

###############################################################################
#ZONE   INTERFACE       BROADCAST    OPTIONS
net     ppp0               –            tcpflags,routefilter,nosmurfs,logmartians
modem   eth1            detect
loc     eth0            detect          tcpflags,nosmurfs
#LAST LINE — ADD YOUR ENTRIES BEFORE THIS ONE — DO NOT REMOVE

9. masq

* Masquerade describes the case where you let your firewall system automatically detect the external interface address.

* SNAT refers to the case when you explicitly specify the source address that you want outbound packets from your local network to use.

* In Shorewall, both Masquerading and SNAT are configured with entries in the /etc/shorewall/masq file. You will normally use Masquerading if your external IP is dynamic and SNAT if the IP is static.

* Edit /etc/shorewall/masq and change the first column to the name of your external interface and the second column to the name of your internal interface.

#:/etc/shorewall$ cat masq

###############################################################################
#INTERFACE              SOURCE       ADDRESS         PROTO      PORT(S) IPSEC   MARK
ppp0                    eth0
#LAST LINE — ADD YOUR ENTRIES ABOVE THIS LINE — DO NOT REMOVE

* policy

* Rules about what traffic to allow and what traffic to deny are expressed in terms of zones.

* We express our default policy for connections from one zone to another zone in the /etc/shorewall/policy file.

* We define exceptions to those default policies in the /etc/shorewall/rules file.

* This file is used to describe the firewall policy regarding establishment of connections. Connection establishment is described in terms of clients who initiate connections and servers who receive those connection requests.

* Policies defined in /etc/shorewall/policy describe which zones are allowed to establish connections with other zones.

#:/etc/shorewall$ cat policy

###############################################################################
#SOURCE         DEST            POLICY          LOG LEVEL       LIMIT:BURST

#
# Note about policies and logging:
#       This file contains an explicit policy for every combination of
#       zones defined in this sample.  This is solely for the purpose of
#       providing more specific messages in the logs.  This is not
#       necessary for correct operation of the firewall, but greatly
#       assists in diagnosing problems. The policies below are logically
#       equivalent to:
#
#       loc     net             ACCEPT
#       net     all             DROP    info
#       all     all             REJECT          info
#
#       The Shorewall-perl compiler will generate the individual policies
#       below from the above general policies if you set
#       EXPAND_POLICIES=Yes in shorewall.conf.
#

# Policies for traffic originating from the local LAN (loc)
#
# If you want to force clients to access the Internet via a proxy server
# on your firewall, change the loc to net policy to REJECT info.
loc             net             ACCEPT
loc             $FW             REJECT          info
loc             all             REJECT          info

#
# Policies for traffic originating from the firewall ($FW)
#
# If you want open access to the Internet from your firewall, change the
# $FW to net policy to ACCEPT and remove the ‘info’ LOG LEVEL.
# This may be useful if you run a proxy server on the firewall.

# $FW           net             REJECT          info

$FW             net             ACCEPT
$FW             loc             REJECT          info
$FW             all             REJECT          info

#
# Policies for traffic originating from the Internet zone (net)
#
net             $FW             DROP    info
net             loc             DROP    info
net             all             DROP    info

# THE FOLLOWING POLICY MUST BE LAST
all             all             REJECT          info

#LAST LINE — ADD YOUR ENTRIES ABOVE THIS LINE — DO NOT REMOVE

9. rules

* The /etc/shorewall/rules file defines exceptions to the policies established in the /etc/shorewall/policy file.

* There is one entry in /etc/shorewall/rules for each of these rules. Entries in this file only govern the establishment of new connections — packets that are part of an existing connection or that establish a connection that is related to an existing connection are automatically accepted.

* Rules : http://www.shorewall.net/3.0/Documentation.htm#Rules

#:/etc/shorewall$ cat rules

#############################################################################################################
#ACTION         SOURCE          DEST    PROTO   DEST SOURCE             ORIGINAL        RATE            USER/   MARK
#                                               PORT PORT(S)            DEST            LIMIT           GROUP
#
#       Accept DNS connections from the firewall to the network
#

# DNS/ACCEPT    $FW             net
#
#       Accept SSH connections from the local network for administration
#
SSH/ACCEPT      loc             $FW
#
#       Allow Ping from the local network
#
Ping/ACCEPT     loc             $FW

#
# Reject Ping from the “bad” net zone.. and prevent your log from being flooded..
#

Ping/REJECT     net             $FW

ACCEPT          $FW             loc     icmp
ACCEPT          $FW             net     icmp
#

########################################################
# Custom Lines

#ACTION         SOURCE    DEST               PROTO     DEST PORT(S)
# <macro>/ACCEPT  $FW       <destination zone>
# ACCEPT          $FW       <destination zone> <protocol> <port>

## From Local Network ##
# Accept DNS requests from local nw

DNS/ACCEPT      loc       $FW

Web/ACCEPT      loc       $FW

VNC/ACCEPT      loc       $FW

## From Internet ##
# Port Forwarding

# DNAT          net       loc:[:]
# Web/DNAT      net       loc:10.10.10.2
# FTP/DNAT      net       loc:10.10.10.1
SSH/ACCEPT      net       $FW

#LAST LINE — ADD YOUR ENTRIES BEFORE THIS ONE — DO NOT REMOVE

10. Port Forwarding (DNAT)

* Port forwarding configuration is done using DNAT rules in the /etc/shorewall/rules file.

The general form of a simple port forwarding rule in /etc/shorewall/rules is:

#ACTION   SOURCE    DEST                                          PROTO      DEST PORT(S)
DNAT      net       loc:[:]

* Shorewall has macros for many popular applications. Look at /usr/share/shorewall/macro.* to see what is available.

* Macros simplify creating DNAT rules by supplying the protocol and port(s) as shown in the following examples.

#:/usr/share/shorewall$ ls
action.Drop       macro.BitTorrent  macro.HTTPS         macro.Jetdirect  macro.PostgreSQL  macro.SPAMD       macro.Web
action.Reject     macro.CVS         macro.ICQ           macro.L2TP       macro.Printer     macro.SSH         macro.Webmin
actions.std       macro.Distcc      macro.IMAP          macro.LDAP       macro.Rdate       macro.Submission  macro.Whois
action.template   macro.DNS         macro.IMAPS         macro.LDAPS      macro.RDP         macro.SVN         Makefile-lite
configpath        macro.Drop        macro.IPIP          macro.MySQL      macro.Reject      macro.Syslog      modules
firewall          macro.DropDNSrep  macro.IPP           macro.NNTP       macro.Rsync       macro.Telnet      rfc1918
lib.base          macro.DropUPnP    macro.IPPserver     macro.NNTPS      macro.SixXS       macro.Telnets     strip
lib.cli           macro.Edonkey     macro.IPsec         macro.NTP        macro.SMB         macro.template    version
lib.config        macro.Finger      macro.IPsecah       macro.NTPbrd     macro.SMBBI       macro.TFTP        wait4ifup
lib.dynamiczones  macro.FTP         macro.IPsecnat      macro.PCA        macro.SMBswat     macro.Time
macro.AllowICMPs  macro.Gnutella    macro.Jabberd       macro.Ping       macro.SMTP        macro.Trcrt
macro.Amanda      macro.GRE         macro.JabberPlain   macro.POP3       macro.SMTPS       macro.VNC
macro.Auth        macro.HTTP        macro.JabberSecure  macro.POP3S      macro.SNMP        macro.VNCL

* Example :

#ACTION         SOURCE    DEST             PROTO     DEST PORT(S)
Web/DNAT        net       loc:10.10.10.2

VNC/ACCEPT      loc       $FW

* Starting shorewall

* In order to avoid the startup of the firewall on an unconfigured machine, automatic startup, on boot, is disabled by default. To enable it just edit the file /etc/default/shorewall and set the startup variable to 1.

* Also, set wait_interface=”ppp0″

#:/etc/shorewall$ cat /etc/default/shorewall
# prevent startup with default configuration
# set the following varible to 1 in order to allow Shorewall to start

startup=1

# if your Shorewall configuration requires detection of the ip address of a ppp
# interface, you must list such interfaces in “wait_interface” to get Shorewall to
# wait until the interface is configured. Otherwise the script will fail because
# it won’t be able to detect the IP address.
#
# Example:
#    wait_interface=”ppp0″
# or
#    wait_interface=”ppp0 ppp1″
# or, if you have defined  in /etc/shorewall/params
#    wait_interface=

wait_interface=”ppp0″

#
# Startup options
#

OPTIONS=””

# EOF
#:/etc/shorewall$

* The firewall is started using the shorewall start command and stopped using shorewall stop.

#:/$ sudo shorewall start
Compiling…
Initializing…
Determining Zones…
IPv4 Zones: net loc modem
Firewall Zone: fw
Validating interfaces file…
Validating hosts file…
Pre-processing Actions…
Pre-processing /usr/share/shorewall/action.Drop…
Pre-processing /usr/share/shorewall/action.Reject…
Validating Policy file…
Determining Hosts in Zones…
net Zone: ppp0:0.0.0.0/0
loc Zone: eth0:0.0.0.0/0
modem Zone: eth1:0.0.0.0/0
Deleting user chains…
Compiling /etc/shorewall/routestopped …
Creating Interface Chains…
Compiling Common Rules
Adding Anti-smurf Rules
Compiling TCP Flags checking…
Compiling Kernel Route Filtering…
Compiling Martian Logging…
Compiling IP Forwarding…
Compiling /etc/shorewall/rules…
Compiling Actions…
Compiling /usr/share/shorewall/action.Drop for Chain Drop…
Compiling /usr/share/shorewall/action.Reject for Chain Reject…
Compiling /etc/shorewall/policy…
Compiling Masquerading/SNAT
Compiling Traffic Control Rules…
Compiling Rule Activation…
Shorewall configuration compiled to /var/lib/shorewall/.start
Starting Shorewall….
Initializing…
Clearing Traffic Control/QOS
Deleting user chains…
Enabling Loopback and DNS Lookups
Creating Interface Chains…
Setting up SMURF control…
Setting up Black List…
Adding Anti-smurf Jumps…
Setting up TCP Flags checking…
Setting up ARP filtering…
Setting up Route Filtering…
Setting up Martian Logging…
Setting up Accept Source Routing…
IP Forwarding Enabled
Setting up SYN Flood Protection…
Setting up Rules…
Setting up Actions…
Creating action chain Drop
Creating action chain Reject
Creating action chain dropBcast
Creating action chain dropInvalid
Creating action chain dropNotSyn
Applying Policies…
Setting up Masquerading/SNAT…
Activating Rules…
done.
#:/$

* When the firewall is stopped, routing is enabled on those hosts that have an entry in /etc/shorewall/routestopped.

#:/etc/shorewall$ cat routestopped
#
# Shorewall version 4.0 – Sample Routestopped File for two-interface configuration.
# Copyright (C) 2006 by the Shorewall Team
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# See the file README.txt for further details.
#——————————————————————————
# For information about entries in this file, type “man shorewall-routestopped”
#
# The manpage is also online at
# http://shorewall.net/manpages/shorewall-routestopped.html
#
# See
# http://shorewall.net/starting_and_stopping_shorewall.htm for additional
# information.
#
##############################################################################
#INTERFACE      HOST(S)                  OPTIONS
eth0            –
#LAST LINE — ADD YOUR ENTRIES BEFORE THIS ONE — DO NOT REMOVE

* The shorewall stop command does not remove all netfilter rules and open your firewall for all traffic to pass. It rather places the firewall in a safe state defined by the contents of /etc/shorewall/routestopped file and the setting of ADMINISABSENTMINDED in /etc/shorewall/shorewall.conf

* If you want to remove all Netfilter rules and open your firewall for all traffic to pass, use the shorewall clear command.

* If you change your configuration and want to install the changes, use the shorewall restart command.

[edit] For pppoe

When the PPP interface for the ADSL link goes down, Shorewall needs to be restarted to take the new IP address assignments into account.

We will need to restart the firewall by placing /sbin/shorewall restart in the /etc/ppp/ip-up.d directory.

root@ubuntu:/etc/ppp/ip-up.d# cat shorewall
#!/bin/sh

/sbin/shorewall -f restart

exit 0
root@ubuntu:/etc/ppp/ip-up.d#

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s