Shorewall Firewall

Shorewall is a flexible, high-level tool for configuring a Linux packet filter. You describe your firewall requirements as entries in a handful of configuration files; Shorewall reads those files and generates the iptables (netfilter) rules needed to implement them.

  1. Introduction
  2. Installation
  3. Configuration
    1. zones
    2. interfaces
    3. policy
    4. rules
  4. Starting it up

Introduction

If you are looking for information about how to set up Shorewall for your network, you probably want to read the Shorewall documentation (especially the Quickstart Guide): this page is about how our configuration is laid out, not an exhaustive re-hash of better documentation that exists elsewhere.

Installation

# apt-get install shorewall

The important pieces of shorewall live in /etc/shorewall; this is where the files that describe your firewall go once you put them there. Immediately after installation the only file there is shorewall.conf, which does not describe your firewall but holds Shorewall's global options. The defaults that Debian sets in this file are good enough for most purposes, but if you want to tweak logging or other things, skim the file to get an idea of what options are available. I find it particularly amusing to direct you to the section headed "FOR ADMINS THAT REPEATEDLY SHOOT THEMSELVES IN THE FOOT"; I think that setting the variable ADMINISABSENTMINDED to Yes is a Good Idea(tm). (With that set, a stopped firewall keeps already-established connections alive and still lets the box itself open new ones, rather than cutting off everything except the hosts listed in routestopped.)

Configuration

For a minimal configuration, copy the following files from /usr/share/doc/shorewall/default-config into /etc/shorewall:

zones
interfaces
policy
rules

zones

First edit the zones file to declare the network zones. These are just labels that the other files refer to; treat the Internet as one zone and a private network as another, which gives a zones file like this:
#ZONE                   DISPLAY         COMMENTS
net                     Net             Internet
loc                     Local           Private net

There is one more zone that does not appear in the zones file: the firewall machine itself, known as the "firewall zone" and named fw. Its name comes from the FW setting in /etc/shorewall/shorewall.conf (FW=fw by default), and it is what the policy and rules files below mean by fw.

interfaces

The next file to edit is the interfaces file, which ties each zone from the previous step to a physical interface on your machine. The third field is the broadcast address of the network attached to the interface ("detect" lets Shorewall work it out). The last field is a comma-separated list of interface options. The ones below are a good starting point for an internet-facing interface: routefilter turns on the kernel's reverse-path filtering, norfc1918 drops packets arriving with private RFC 1918 source addresses, logmartians logs packets with impossible source addresses, nosmurfs drops packets whose source is a broadcast address, tcpflags drops packets with illegal TCP flag combinations, and blacklist checks sources against /etc/shorewall/blacklist. Read what each does in the documentation linked above before applying them; in particular, norfc1918 is wrong on an interface that legitimately carries RFC 1918 addresses, which is why eth1 gets only tcpflags.
net  eth0    detect   routefilter,norfc1918,logmartians,nosmurfs,tcpflags,blacklist
loc  eth1    detect   tcpflags

policy

The next file defines your firewall's default policies, which are used when no rule from the next step matches. Each line names a source zone, a destination zone, the policy (ACCEPT, DROP or REJECT) and an optional syslog level at which matching packets are logged; policies are consulted in order and the first matching line wins. The usual approach is a default of REJECT or DROP, with the specific ports and services you want opened listed in the rules file, so that anything you forget to list stays closed. An example policy (based on the zones and interfaces we used above) would be:
fw              net             ACCEPT
fw              loc             ACCEPT
net             all             DROP            info
# The FOLLOWING POLICY MUST BE LAST
all             all             REJECT          info

This policy says: by default, accept any traffic originating from the machine itself (fw) to the internet and to the local network; drop anything that comes in from the internet destined for either the machine or the local network, logging it at syslog level "info"; and reject, with logging, whatever is left. The last line catches every zone pair not listed above it, must stay last, and will probably never need touching. Note that with exactly these lines, traffic from the local network out to the internet (loc to net) also ends up in that final REJECT; if this box is the local network's gateway, add a "loc net ACCEPT" policy above it. DROP discards packets silently, which is what you want facing the internet, while REJECT sends an ICMP error (or a TCP reset) back so the originator learns immediately that it was refused, which is friendlier on the local network.

rules

The most important file is rules. This is where you say what is allowed and what is not. Every new connection arriving at or passing through your firewall is matched against these rules from top to bottom; the first match wins, and if nothing matches, the policy for that zone pair applies. This only concerns new connections: packets belonging to a connection that is already established are accepted automatically (Shorewall sets that up for you), so the rules only need to say who may start a conversation. The comments in the file give you a good idea of how things work, but the following example will give you a head start:

#ACTION  SOURCE  DEST  PROTO   DEST  SOURCE  ORIGINAL  RATE  USER/
#                              PORT  PORT(S)  DEST     LIMIT GROUP
ACCEPT   net     fw    icmp    8
ACCEPT   fw      net   icmp
ACCEPT   net     fw    tcp     ssh,www,https,smtp,pop3,pop3s,imap2,imaps,submission
ACCEPT   net     fw    udp     https
ACCEPT   net:216.162.217.194     fw      tcp     munin

This example reads, in long-hand: accept ICMP echo requests (type 8, i.e. pings) from the internet to the machine, and any ICMP from the machine out to the internet; accept TCP connections from the internet to the machine on the ports that /etc/services lists for ssh (22), www (80), https (443), smtp (25), pop3 (110), pop3s (995), imap2 (143), imaps (993) and submission (587); accept UDP to the https port (443) as well; and accept TCP connections to the munin port (whatever /etc/services maps that name to, 4949 on Debian) only when they come from the internet address 216.162.217.194. Names in the port column are resolved through /etc/services, so a name that is missing there will make the firewall fail to start.
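The four steps above, assembled into one script as an added example for this page (it is not part of Shorewall or the Debian package). It writes the four files to a staging directory and runs a small consistency check of its own before anything is copied to /etc/shorewall: every zone used in interfaces, policy or rules must be declared in zones (fw and all are implicit), and the last policy entry must be "all all". The staging directory, the write_config and check_config names, and the extra "loc net ACCEPT" line that lets the local network out are this example's choices; shorewall check remains the authoritative validator once the files are in place.

```shell
#!/bin/sh
# Added example (not Shorewall's own code): stage the minimal four-file
# configuration from this page and lint it before copying to /etc/shorewall.
# The staging directory and the check are this example's conventions.

STAGE="${STAGE:-$(mktemp -d)}"

# Write zones, interfaces, policy and rules into directory $1.
write_config() {
  dir="$1"
  mkdir -p "$dir"
  cat > "$dir/zones" <<'EOF'
#ZONE   DISPLAY   COMMENTS
net     Net       Internet
loc     Local     Private net
EOF
  cat > "$dir/interfaces" <<'EOF'
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      routefilter,norfc1918,logmartians,nosmurfs,tcpflags,blacklist
loc     eth1        detect      tcpflags
EOF
  # "loc net ACCEPT" is added here so the private network can reach the
  # internet through this box; without it loc->net falls through to REJECT.
  cat > "$dir/policy" <<'EOF'
#SOURCE   DEST   POLICY   LOG LEVEL
fw        net    ACCEPT
fw        loc    ACCEPT
loc       net    ACCEPT
net       all    DROP     info
# THE FOLLOWING POLICY MUST BE LAST
all       all    REJECT   info
EOF
  cat > "$dir/rules" <<'EOF'
#ACTION   SOURCE                DEST   PROTO   DEST PORT(S)
ACCEPT    net                   fw     icmp    8
ACCEPT    fw                    net    icmp
ACCEPT    net                   fw     tcp     ssh,www,https,smtp,pop3,pop3s,imap2,imaps,submission
ACCEPT    net                   fw     udp     https
ACCEPT    net:216.162.217.194   fw     tcp     munin
EOF
}

# Lint the staged files in directory $1: every zone used in interfaces,
# policy or rules must be declared in zones (fw and all are implicit), and
# the last policy entry must be "all all". Prints each problem found and
# returns 0 only when there are none.
check_config() {
  dir="$1"
  awk '
    # Record a zone reference, stripping a host qualifier such as net:1.2.3.4.
    function use(z) { sub(/:.*/, "", z); if (z != "fw" && z != "all") used[z] = 1 }
    FNR == 1 { f = FILENAME; sub(/.*\//, "", f) }
    /^[ \t]*(#|$)/ { next }
    f == "zones"      { declared[$1] = 1; next }
    f == "interfaces" { use($1) }
    f == "policy"     { use($1); use($2); lsrc = $1; ldst = $2 }
    f == "rules"      { use($2); use($3) }
    END {
      bad = 0
      for (z in used) if (!(z in declared)) { print "undeclared zone: " z; bad = 1 }
      if (lsrc != "all" || ldst != "all") { print "last policy entry must be: all all"; bad = 1 }
      exit bad
    }
  ' "$dir/zones" "$dir/interfaces" "$dir/policy" "$dir/rules"
}

write_config "$STAGE"
check_config "$STAGE" && echo "staged config in $STAGE is consistent; review it, then copy it into /etc/shorewall"
```

Run it, read the files it produced, and only then copy them into /etc/shorewall; a typo in a zone name is the most common reason a first start fails, and this catches it before Shorewall ever sees the files.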

Starting it up

It is at this step that the fine difference between good sysadmins and reckless cowboys becomes clear. If the machine that you are setting up a firewall on is not sitting next to you, but instead in a colo somewhere, you now have a choice: risk it, or wait until someone is at the colo to fix things if they break. If you have a remote console available, you can ignore this, but if you do not, you ignore this at your own peril. Shorewall has some neat mechanisms to keep you from shooting yourself in the foot (such as routestopped and the configuration in shorewall.conf), but if you have users riding in your cattle train, there isn't any length of leather that's long enough to cover your hide. My recommendation is don't do this step unless you have a way to get out of it.

You will need to edit /etc/default/shorewall and change the startup variable to have '1':

# prevent startup with default configuration
# set the below variable to 1 in order to allow shorewall to start
startup=1

Then you can start shorewall up:

# /etc/init.d/shorewall start
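If you are doing that start over SSH, the usual safety net is a dead-man switch: a rollback is armed before the firewall is started, and it only gets disarmed if you still have a working shell afterwards. The functions below are an added example for this page, not a Shorewall feature; their names, the use of "shorewall clear" (which removes every rule and leaves the box open) as the rollback, and the 300-second default are this example's choices.

```shell
#!/bin/sh
# Added example (not a Shorewall feature): dead-man switch for starting a
# firewall over SSH. A rollback command is armed in the background first; if
# the new rules lock you out it fires and reopens the box, and if you can
# still log in you disarm it. Names and the 300-second default are this
# example's choices.
#
# Typical use, as root, in the session you are about to risk:
#   shorewall check                      # syntax check, nothing loaded yet
#   arm_rollback "shorewall clear" 300   # "clear" removes all rules (box open)
#   /etc/init.d/shorewall start
#   disarm_rollback                      # only reached if you still have a shell

# Run "$1" via sh -c after "$2" seconds (default 300) unless disarmed first.
# The timer's PID is kept in ROLLBACK_PID so disarm_rollback can cancel it.
arm_rollback() {
  cmd="$1"
  delay="${2:-300}"
  ( sleep "$delay" && sh -c "$cmd" ) &
  ROLLBACK_PID=$!
}

# Cancel the pending rollback. Killing the timer subshell is enough: the
# orphaned sleep exits on its own and the command after && never runs.
disarm_rollback() {
  [ -n "$ROLLBACK_PID" ] || return 1
  kill "$ROLLBACK_PID" 2>/dev/null
  ROLLBACK_PID=""
}
```

Shorewall's own "shorewall try <directory> [timeout]" does much the same for a candidate configuration directory, and /etc/shorewall/routestopped lists the hosts that stay reachable while the firewall is stopped; the script above is for the case where you want the fallback to be a fully open box rather than the stopped state.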

If there is a syntax error in your configuration, the start fails with an error saying so, and /var/log/shorewall-init.log has the details of why. You can catch such errors before they bite by running "shorewall check" first: it parses the configuration and reports problems without touching the running firewall.

If everything does start up, you should make sure that you aren't blocking something that you don't mean to, you can do that by looking at your firewall logs. See the next section on shorewall/Logs for more information.