One of the distinctive features of LEAF Bering-uClibc (introduced with Bering) is that it relies on Shorewall to provide its firewall facility.
The reasons behind this choice are numerous:
Shorewall is an iptables-based firewall which offers many features (Masquerading/SNAT, Port forwarding, Static NAT, Proxy ARP, VPN support, Traffic Control/Shaping) which are described in greater detail here.
It is a very powerful tool with which it is "simple to do simple things" but which also offers great flexibility.
It is very well documented. I strongly recommend that you print out the full documentation, available in PDF format in the Shorewall download area, and that you spend the time to understand the concepts behind it. A worthwhile effort!
It has a nice QuickStart Guide which will allow the reader to quickly grasp the basics. A prerequisite reading!
It has tremendous support from its developer, Tom Eastep, who replies very quickly to requests addressed to the Shorewall users' mailing list. Mail archives are also available and searchable.
To configure Shorewall, start the LEAF packages configuration menu and choose shorwall. The following menu will appear:
shorwall configuration files

 1) Params     Assign parameter values
 2) Zones      Partition the network into Zones
 3) Ifaces     Shorewall Networking Interfaces
 4) Hosts      Define specific zones
 5) Policy     Firewall high-level policy
 6) Rules      Exceptions to policy
 7) Maclist    MAC Verification
 8) Masq       Internal MASQ Server Configuration
 9) ProxyArp   Proxy ARP Configuration
10) Stopped    Hosts admitted after 'shorewall stop'
11) Nat        Static NAT Configuration
12) Tunnels    Tunnel Definition (ipsec)
13) TCRules    FWMark Rules
14) Config     Shorewall Global Parameters
15) Modules    Netfilter modules to load
16) TOS        Type of Service policy
17) Blacklist  Blacklisted hosts
18) ECN        Disable ECN to hosts and networks
19) Init       Commands executed before [re]start
20) Start      Commands executed after [re]start
21) Stop       Commands executed before stop
22) Stopped    Commands executed after stop
23) Account    Traffic Accounting Rules
24) Actions    Define user actions
 q) quit
----------------------------------------------------------------------------
Selection:
Check the hyperlinks above, the QuickStart Guide or the Shorewall documentation for a full explanation of those configuration files.
Four files absolutely must be checked to make sure they fit your needs:
A) The zones file (entry 2). For a two-interface setup (Bering-uClibc's default) it looks like:

#ZONE   DISPLAY   COMMENTS
net     Net       Internet
loc     Local     Local networks
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
B) The interfaces file (entry 3) defines your interfaces. The default in Bering-uClibc is:

(...)
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      dhcp,routefilter,norfc1918
loc     eth1        detect
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
C) The rules file (entry 6) is one of the most important files in Shorewall. Here is the one from Bering-uClibc:

(...)
######################################################################################################
#ACTION   SOURCE   DEST   PROTO   DEST      SOURCE    ORIGINAL   RATE    USER/
#                                 PORT      PORT(S)   DEST       LIMIT   GROUP
#
# Accept DNS connections from the firewall to the network
#
ACCEPT    fw       net    tcp     53
ACCEPT    fw       net    udp     53
#
# Accept SSH connections from the local network for administration
#
ACCEPT    loc      fw     tcp     22
#
# Allow Ping To And From Firewall
#
ACCEPT    loc      fw     icmp    8
ACCEPT    net      fw     icmp    8
ACCEPT    fw       loc    icmp    8
ACCEPT    fw       net    icmp    8
#
# Bering specific rules:
# allow loc to fw udp/53 for local/caching DNS servers to work
# allow loc to fw tcp/80 for weblet to work
ACCEPT    loc      fw     udp     53
ACCEPT    loc      fw     tcp     80
# uncomment to use dnsmasq's dhcpd in your LAN
#ACCEPT   loc      fw     udp     67,68
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
D) Finally, the masq file (entry 7). In Bering-uClibc it looks like:

(...)
###############################################################################
#INTERFACE   SUBNET   ADDRESS   PROTO   PORT(S)
eth0         eth1
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
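Because these files are edited by hand, it is worth cross-checking them before a restart. The following Python script is an added example, not Bering-uClibc or Shorewall code: it parses the zones, interfaces and rules file formats shown above (the sample contents are constructed and deliberately contain two faults) and reports zones with no interface, rules naming an undefined zone, and ACCEPT rules that open the firewall itself to the net zone beyond the default ping allowance.

```python
# Added example (not Bering-uClibc or Shorewall code): cross-check the three
# Shorewall files above. Sample contents are constructed to include two faults.
ZONES = """\
#ZONE   DISPLAY   COMMENTS
net     Net       Internet
loc     Local     Local networks
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
"""
INTERFACES = """\
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      dhcp,routefilter,norfc1918
loc     eth1        detect
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
"""
RULES = """\
#ACTION SOURCE DEST PROTO DEST_PORT
ACCEPT  fw     net  tcp   53
ACCEPT  loc    fw   tcp   22
ACCEPT  net    fw   icmp  8
# constructed faults: SSH open from the Internet, and a zone never defined
ACCEPT  net    fw   tcp   22
ACCEPT  dmz    fw   tcp   80
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
"""

def rows(text):
    """Columns of each non-comment, non-blank line ('#' starts a comment)."""
    for line in text.splitlines():
        cols = line.split("#", 1)[0].split()
        if cols:
            yield cols

def audit(zones_txt, ifaces_txt, rules_txt):
    """Return findings: zones with no interface, rules naming undefined zones,
    and ACCEPT rules from 'net' into the firewall other than ping (icmp 8)."""
    zones = {r[0] for r in rows(zones_txt)}
    iface_zones = {r[0] for r in rows(ifaces_txt)}
    findings = [f"zone '{z}' has no interface" for z in sorted(zones - iface_zones)]
    for r in rows(rules_txt):
        # a zone field may carry a host qualifier, e.g. loc:192.168.1.0/24
        action, src, dst = r[0], r[1].split(":")[0], r[2].split(":")[0]
        proto = r[3] if len(r) > 3 else "all"
        port = r[4] if len(r) > 4 else "any"
        for z in (src, dst):
            if z != "fw" and z not in zones:   # 'fw' is Shorewall's implicit zone
                findings.append(f"rule references undefined zone '{z}': {' '.join(r)}")
        if action == "ACCEPT" and (src, dst) == ("net", "fw") and (proto, port) != ("icmp", "8"):
            findings.append(f"firewall exposed to net: {' '.join(r)}")
    return findings
```

Point the three constants at the real files under /etc/shorewall to run it against your own configuration.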
If you change any of the Shorewall parameters, remember to back up shorwall.lrp!