The configuration files for Shorewall are contained in the directory
/etc/shorewall
-- for simple setups, you will only need to deal with a few of them.
#NAME DESCRIPTION
fw The firewall itself
net The Internet
loc Your Local Network
dmz Demilitarized Zone
#ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS
fw firewall
net ipv4
loc ipv4
dmz ipv4
Note that Shorewall recognizes the firewall system as its own zone. The name of the zone designating the firewall itself (usually 'fw' as shown in the above file) is stored in the shell variable $
FW which may be used throughout the Shorewall configuration to refer to the firewall zone.
The simplest way to define the hosts in a zone is to associate the zone with a network interface using the
/etc/shorewall/interfaces
file. In the three-interface sample, the three zones are defined using that file as follows:
#ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect dhcp,routefilter
loc eth1 detect
dmz eth2 detect
The above file defines the
net zone as all IPv4 hosts interfacing to the firewall through eth0, the
loc zone as all IPv4 hosts interfacing through eth1 and the
dmz as all IPv4 hosts interfacing through eth2. It is important to note that the composition of a zone is defined in terms of a combination of addresses
and interfaces. When using the
/etc/shorewall/interfaces
file to define a zone, all addresses are included; when you want to define a zone that contains a limited subset of the IPv4 address space, you use the
/etc/shorewall/hosts
file or you may use the nets= option in
/etc/shorewall/interfaces
:
#ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect dhcp,routefilter,nets=(!192.168.0.0/23)
loc eth1 detect nets=(192.168.0.0/24)
dmz eth2 detect nets=(192.168.1.0/24)
The above file defines the
net zone as all IPv4 hosts interfacing to the firewall through eth0
except for 192.168.0.0/23, the
loc zone as IPv4 hosts 192.168.0.0/24 interfacing through eth1 and the
dmz as IPv4 hosts 192.168.1.0/24 interfacing through eth2 (Note that 192.168.0.0/24 together with 192.168.1.0/24 comprises 192.168.0.0/23).
Rules about what traffic to allow and what traffic to deny are expressed in terms of zones.
For each connection request entering the firewall, the request is first checked against the
/etc/shorewall/
rules
file. If no rule in that file matches the connection request then the first policy in
/etc/shorewall/
policy
that matches the request is applied. If there is a default action defined for the policy in
/etc/shorewall/shorewall.conf
then that action is invoked before the policy is enforced. In the standard Shorewall distribution, the DROP policy has a default action called
Drop and the REJECT policy has a default action called
Reject. Default actions are used primarily to discard certain packets silently so that they don't clutter up your log.
The
/etc/shorewall/
policy
file included with the three-interface sample has the following policies:
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
loc net ACCEPT
net all DROP info
all all REJECT info
In the three-interface sample, the line below is included but commented out. If you want your firewall system to have full access to servers on the Internet, uncomment that line.
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
$FW net ACCEPT
The above policies will:
-
Allow all connection requests from your local network to the Internet
-
Drop (ignore) all connection requests from the Internet to your firewall or local networks; these ignored connection requests will be logged using the
info syslog priority (log level).
-
Optionally accept all connection requests from the firewall to the Internet (if you uncomment the additional policy)
-
reject all other connection requests; these rejected connection requests will be logged using the
info syslog priority (log level).
A word about Shorewall logging is in order. Shorewall does not have direct control over where its messages are logged; that is determined by the configuration of the logging daemon (syslog, rsyslog, syslog-ng, ulogd, etc.). The LOGFILE setting in
/etc/shorewall/shorewall.conf tells Shorewall
where to find the log; it doesn't determine where messages are logged. See the
Shorewall logging article for more information.
To illustrate how rules provide exceptions to policies, suppose that you have the polices listed above but you want to be able to connect to your firewall from the Internet using Secure Shell (SSH). Recall that SSH connects uses TCP port 22. You would add the following rule to
/etc/shorewall/
rules
:
#ACTION SOURCE DEST PROTO DEST
# PORT(S)
ACCEPT net $FW tcp 22
So although you have a policy of ignoring all connection attempts from the net zone (from the Internet), the above exception to that policy allows you to connect to the SSH server running on your firewall.
Because Shorewall makes no assumptions about what traffic you want accepted, there are certain rules (exceptions) that need to be added to almost any configuration.
-
-
Again, to keep your
firewall log from filling up with useless noise, Shorewall provides
common actions that silently discard or reject such noise before it can be logged. As with everything in Shorewall, you can alter the behavior of these common actions (or do away with them entirely) as you see fit.
Shorewall uses a "compile" then "execute" approach. The Shorewall configuration compiler reads the configuration files and generates a shell script. Errors in the compilation step cause the script to be discarded and the command to be aborted. If the compilation step doesn't find any errors then the shell script is executed.
The 'compiled' scripts are placed in the directory
/var/lib/shorewall
and are named to correspond to the command being executed. For example, the command
/sbin/shorewall start will generate a script named
/var/lib/shorewall/.start
and, if the compilation is error free, that script will then be executed. If the script executes successfully, it then copies itself to
/var/lib/shorewall/firewall
. When an
/sbin/shorewall stop or
/sbin/shorewall clear command is subsequently executed,
/var/lib/shorewall/firewall
is run to perform the requested operation.