One of the distinctive features of Bering is that it relies on Shorewall to provide its firewall facility.
The reasons behind this choice are numerous:
Shorewall is an iptables based firewall which offers many features (Masquerading/SNAT, Port forwarding, Static NAT, Proxy ARP, VPN support, Traffic Control/Shaping) which are described in greater detail here.
It is a very powerful tool with which it is "simple to do simple things" but which also offers a great flexibility.
It is very well documented. I strongly recommend that you print out the full documentation, available in PDF format in the Shorewall download area, and that you take the time to understand the concepts behind it. A worthwhile effort!
It has a nice QuickStart Guide which allows the reader to quickly grasp the basics. A prerequisite reading!
It has tremendous support from its developer, Tom Eastep, who replies very quickly to requests addressed to the Shorewall users' mailing list. Mail archives are also available and searchable.
The shorwall.lrp package provided with the Bering distro (starting with v1.0-rc2) is built as follows:
Download the latest shorewall-x.y.lrp package from Tom's download area and rename it shorwall.lrp.
Download either the Two-interfaces Masquerading Firewall or the Three-interfaces Masquerading Firewall with DMZ sample configuration, depending on your own situation. It provides default interfaces, masq, policy, rules and zones files that replace those provided in Tom's original package.
Add two statements to the "rules" file in order to allow queries to the dnscache and weblet servers from the internal network. See below.
Replace the info entry in the Rules and Config files with ULOG, as explained here, to redirect Shorewall logging through the ulogd daemon.
These four steps also allow you to update shorwall.lrp on your own Bering distro whenever a more recent Shorewall version is released.
The Bering shorwall.lrp package is provided by default with the Two-interfaces Masquerading Firewall configuration and the two extra rules mentioned earlier. This setup assumes that eth0 is connected to the Internet via a dynamic IP address and that your local network is attached to eth1.
To configure Shorewall, start the LEAF packages configuration menu and choose shorwall. The following menu will appear:
shorwall configuration files

 1) Params     Assign parameter values
 2) Zones      Partition the network into Zones
 3) Ifaces     Shorewall Networking Interfaces
 4) Hosts      Define specific zones
 5) Policy     Firewall high-level policy
 6) Rules      Exceptions to policy
 7) Maclist    MAC verification
 8) Masq       Internal MASQ Server Configuration
 9) ProxyArp   Proxy ARP Configuration
10) Stopped    Hosts admitted after 'shorewall stop'
11) Nat        Static NAT Configuration
12) Tunnels    Tunnel Definition (ipsec)
13) TCRules    FWMark Rules
14) Config     Shorewall Global Parameters
15) Modules    Netfilter modules to load
16) TOS        Type of Service policy
17) Blacklist  Blacklisted hosts
18) RFC1918    Defines 'norfc1918' interface option
19) ECN        Disable ECN to hosts and networks
20) Init       Commands executed before [re]start
21) Start      Commands executed after [re]start
22) Stop       Commands executed before stop
23) Stopped    Commands executed after stop
 q) quit
----------------------------------------------------------------------------
Selection:

Check the hyperlinks above, the QuickStart Guide or the Shorewall documentation for a full explanation of these configuration files.
Four files absolutely must be checked to make sure they fit your needs:
A/ The zones file (entry 2). For a two-interface setup (Bering's default) it looks like:

#ZONE   DISPLAY   COMMENTS
net     Net       Internet
loc     Local     Local networks
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
B/ The interfaces file (entry 3) defines your interfaces. The Bering default is:

(...)
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      dhcp,routefilter,norfc1918
loc     eth1        detect
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
C/ The rules file (entry 6) is one of the most important files in Shorewall. Here is the one from Bering:

(...)
##############################################################################
#ACTION   SOURCE   DEST   PROTO   DEST     SOURCE    ORIGINAL
#                                 PORT     PORT(S)   DEST
#
# Accept DNS connections from the firewall to the network
#
ACCEPT    fw       net    tcp     53
ACCEPT    fw       net    udp     53
#
# Accept SSH connections from the local network for administration
#
ACCEPT    loc      fw     tcp     22
#
# Allow Ping To And From Firewall
#
ACCEPT    loc      fw     icmp    8
ACCEPT    net      fw     icmp    8
ACCEPT    fw       loc    icmp    8
ACCEPT    fw       net    icmp    8
#
# Bering specific rules:
# allow loc to fw udp/53 for dnscache to work
# allow loc to fw tcp/80 for weblet to work
#
ACCEPT    loc      fw     udp     53
ACCEPT    loc      fw     tcp     80
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
As you can see above, two rules have been added to the two-interfaces file. They allow:
UDP requests from the local network (loc) to the firewall (fw) on port 53. This is the port on which dnscache listens for DNS requests coming from the internal network.
TCP requests from the local network (loc) to the firewall (fw) on port 80. This is the port used by weblet for its web server.
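Added example (not part of Bering or of Tom's shorwall.lrp package): a small Python parser for the rules file format listed above that checks the two Bering-specific entries are present and lists every ACCEPT that lets the net zone reach the firewall itself. The sample rules text is constructed from the Bering listing; the parser assumes only the first five columns (ACTION, SOURCE, DEST, PROTO, DEST PORT) matter for the audit.

```python
"""Added example (not Bering's or Shorewall's code): parse a Shorewall
'rules' file as listed above and audit it; SAMPLE_RULES is constructed."""
from dataclasses import dataclass
SAMPLE_RULES = """\
#ACTION SOURCE DEST PROTO DEST PORT
ACCEPT  fw     net  tcp   53
ACCEPT  fw     net  udp   53
ACCEPT  loc    fw   tcp   22
ACCEPT  loc    fw   icmp  8
ACCEPT  net    fw   icmp  8
ACCEPT  fw     loc  icmp  8
ACCEPT  fw     net  icmp  8
ACCEPT  loc    fw   udp   53
ACCEPT  loc    fw   tcp   80
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
"""

@dataclass(frozen=True)
class Rule:
    action: str  # ACCEPT/DROP/REJECT..., any ':loglevel' suffix stripped
    source: str  # source zone, any ':host' qualifier stripped
    dest: str    # destination zone
    proto: str   # protocol, '-' when the column is absent
    dport: str   # destination port(s), '-' when absent

def parse_rules(text):
    """Return active rules; '#' comments and blank lines are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        fields = line.split() + ['-'] * 5        # pad optional columns
        action, source, dest, proto, dport = fields[:5]
        rules.append(Rule(action.split(':')[0], source.split(':')[0],
                          dest.split(':')[0], proto, dport))
    return rules

# The two entries Bering adds so dnscache and weblet stay reachable from loc.
BERING_REQUIRED = {Rule('ACCEPT', 'loc', 'fw', 'udp', '53'),
                   Rule('ACCEPT', 'loc', 'fw', 'tcp', '80')}

def missing_bering_rules(rules):
    return BERING_REQUIRED - set(rules)

def net_to_fw_accepts(rules):
    """ACCEPTs that expose the firewall itself to the Internet zone; in
    the Bering default only ICMP echo (ping) should show up here."""
    return [r for r in rules
            if r.action == 'ACCEPT' and r.source == 'net' and r.dest == 'fw']
```

Running `net_to_fw_accepts(parse_rules(SAMPLE_RULES))` on the Bering default returns only the ICMP echo rule, so any other entry appearing there after an edit is worth a second look.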
D/ Finally the masq file (entry 7). In Bering it looks like:

(...)
#INTERFACE   SUBNET
eth0         eth1
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
If you change any of the Shorewall parameters, remember to back up shorwall.lrp!