One of the distinctive features of LEAF Bering-uClibc (introduced with Bering) is that it relies on Shorewall to provide its firewall facility.
The reasons behind this choice are numerous:
Shorewall is an iptables-based firewall which offers many features (Masquerading/SNAT, port forwarding, static NAT, Proxy ARP, VPN support, traffic control/shaping), which are described in greater detail here.
It is a very powerful tool with which it is "simple to do simple things", but which also offers great flexibility.
It is very well documented. I strongly recommend that you print out the full documentation, available in PDF format in the Shorewall download area, and that you spend the time to understand the concepts behind it. A worthwhile effort!
It has a nice QuickStart Guide which allows the reader to quickly grasp the basics. Prerequisite reading!
It has tremendous support from its developer, Tom Eastep, who replies very quickly to requests sent to the Shorewall users' mailing list. Mail archives are also available and searchable.
To configure Shorewall, start the LEAF packages configuration menu and choose shorwall. The following menu will appear:
shorwall configuration files

 1) Shorewall   Runtime Startup options
 2) Params      Assign parameter values
 3) Zones       Partition the network into Zones
 4) Ifaces      Shorewall Networking Interfaces
 5) Ipsec       Define Zone IPSEC Properties
 6) Hosts       Define specific zones
 7) Policy      Firewall high-level policy
 8) Rules       Exceptions to policy
 9) Maclist     MAC Verification
10) Masq        Internal MASQ Server Configuration
11) ProxyArp    Proxy ARP Configuration
12) RStopped    Hosts admitted after 'shorewall stop'
13) Nat         Static NAT Configuration
14) Tunnels     Tunnel Definition (ipsec)
15) TCDevices
16) TCClasses
17) TCRules     FWMark Rules
18) Config      Shorewall Global Parameters
19) Modules     Netfilter modules to load
20) TOS         Type of Service policy
21) Blacklist   Blacklisted hosts
22) ECN         Disable ECN to hosts and networks
23) Init        Commands executed before [re]start
24) Start       Commands executed after [re]start
25) Stop        Commands executed before stop
26) Stopped     Commands executed after stop
27) Account     Traffic Accounting Rules
28) Actions     Define user actions
29) Continue    Commands executed early in [re]start
30) Netmap      Network Mapping Table
31) Providers   Additional routing tables

 q) quit
----------------------------------------------------------------------------
Selection:

Check the hyperlinks above, the QuickStart Guide or the Shorewall documentation for a full explanation of those configuration files.
Four files absolutely must be checked to make sure they fit your needs:

A) The zones file (entry 3 in the menu above). For a two-interface setup - Bering-uClibc's default - it looks like:

#ZONE   DISPLAY   COMMENTS
net     Net       Internet
loc     Local     Local networks
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
B) The interfaces file (entry 4) defines your interfaces and binds each one to a zone. The default in Bering-uClibc is:

(...)
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      dhcp,routefilter,norfc1918
loc     eth1        detect
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
C) The rules file (entry 8) is one of the most important files in Shorewall: it lists the exceptions to the policy file, i.e. the connections that are explicitly accepted. Here is the one from Bering-uClibc:

(...)
######################################################################################################
#ACTION      SOURCE   DEST   PROTO   DEST      SOURCE    ORIGINAL   RATE    USER/
#                                    PORT      PORT(S)   DEST       LIMIT   GROUP
# Accept DNS connections from the firewall to the network
# and from the local network to the firewall (in case dnsmasq is
DNS/ACCEPT   fw       net
DNS/ACCEPT   loc      fw
# Accept SSH connections from the local network for administration
#
SSH/ACCEPT   loc      fw
# Allow Ping to Firewall
#
Ping/ACCEPT  net      fw
Ping/ACCEPT  loc      fw
# Allow all ICMP types (including ping) from firewall
ACCEPT       fw       loc    icmp
ACCEPT       fw       net    icmp
# Allow local network to access weblet/webconf
#
Web/ACCEPT   loc      fw
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
D) Finally, the masq file (entry 10), which masquerades the local network (eth1) behind the address of the Internet interface (eth0). In Bering-uClibc it looks like:

(...)
###############################################################################
#INTERFACE   SUBNET   ADDRESS   PROTO   PORT(S)
eth0         eth1
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
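The most common editing mistake in these four files is a zone or interface name used in one file but never declared in another (for instance a rule for "lan" while the zones file only declares "net" and "loc"), which only surfaces when Shorewall refuses to restart. The script below is an added example, not code from the LEAF or Shorewall projects: a POSIX sh check you can run on the Shorewall configuration directory before restarting. It assumes the firewall's own zone is named "fw" (the Bering-uClibc default) and the column layout shown above; the sample files it writes are constructed copies of the defaults quoted on this page.

```shell
#!/bin/sh
# Added example (not part of LEAF Bering-uClibc or Shorewall): cross-check
# zones, interfaces, rules and masq before 'shorewall restart'.
# Assumptions: the firewall zone is called "fw" (Bering-uClibc default) and
# the files use the column layout shown on this page.

# Print a config file with comments and blank lines removed.
sw_lines() {
    sed -e 's/#.*$//' -e '/^[[:space:]]*$/d' "$1"
}

# in_list ITEM "WORD WORD ..." -> true if ITEM is one of the words.
in_list() {
    for x in $2; do [ "$x" = "$1" ] && return 0; done
    return 1
}

# check_shorewall_cfg DIR -> prints one line per problem, returns 0 if none.
check_shorewall_cfg() {
    dir=$1; errs=0
    zones="fw $(sw_lines "$dir/zones" | awk '{print $1}')"
    ifaces=$(sw_lines "$dir/interfaces" | awk '{print $2}')

    # interfaces: ZONE must be declared ("-" means the zone comes from hosts).
    while read -r zone iface rest; do
        case $zone in ""|-) continue ;; esac
        in_list "$zone" "$zones" ||
            { echo "interfaces: zone '$zone' on $iface not declared in zones"; errs=$((errs + 1)); }
    done <<EOF
$(sw_lines "$dir/interfaces")
EOF

    # rules: SOURCE and DEST zones must be declared. A "loc:192.168.1.0/24"
    # qualifier is stripped to its zone; "all" is Shorewall's wildcard.
    while read -r action src dst rest; do
        [ -z "$action" ] && continue
        for field in "$src" "$dst"; do
            z=${field%%:*}
            case $z in ""|all) continue ;; esac
            in_list "$z" "$zones" ||
                { echo "rules: zone '$z' in '$action $src $dst' not declared in zones"; errs=$((errs + 1)); }
        done
    done <<EOF
$(sw_lines "$dir/rules")
EOF

    # masq: INTERFACE must exist; a SUBNET given as an interface name must too.
    while read -r iface subnet rest; do
        [ -z "$iface" ] && continue
        i=${iface%%:*}
        in_list "$i" "$ifaces" ||
            { echo "masq: interface '$i' not declared in interfaces"; errs=$((errs + 1)); }
        case $subnet in
            ""|*/*|[0-9]*) ;;   # empty, CIDR or address: nothing to cross-check
            *) in_list "$subnet" "$ifaces" ||
                   { echo "masq: subnet interface '$subnet' not declared in interfaces"; errs=$((errs + 1)); } ;;
        esac
    done <<EOF
$(sw_lines "$dir/masq")
EOF
    [ "$errs" -eq 0 ]
}

# Constructed sample: the Bering-uClibc defaults quoted on this page.
write_sample_cfg() {
    cat > "$1/zones" <<'EOF'
#ZONE   DISPLAY   COMMENTS
net     Net       Internet
loc     Local     Local networks
EOF
    cat > "$1/interfaces" <<'EOF'
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      dhcp,routefilter,norfc1918
loc     eth1        detect
EOF
    cat > "$1/rules" <<'EOF'
#ACTION      SOURCE  DEST  PROTO
DNS/ACCEPT   fw      net
DNS/ACCEPT   loc     fw
SSH/ACCEPT   loc     fw
Ping/ACCEPT  net     fw
Ping/ACCEPT  loc     fw
ACCEPT       fw      loc   icmp
ACCEPT       fw      net   icmp
Web/ACCEPT   loc     fw
EOF
    cat > "$1/masq" <<'EOF'
#INTERFACE   SUBNET   ADDRESS
eth0         eth1
EOF
}

# Demo: the defaults pass; a rule for a zone that was never declared fails.
tmp=$(mktemp -d)
write_sample_cfg "$tmp"
check_shorewall_cfg "$tmp" && echo "defaults: OK"
echo 'SSH/ACCEPT   lan     fw' >> "$tmp/rules"   # "lan" is a typo for "loc"
check_shorewall_cfg "$tmp" || echo "typo'd config: rejected"
rm -rf "$tmp"
```

On a Bering-uClibc box the directory to pass is /etc/shorewall. This check only covers name consistency between the four files; Shorewall's own `shorewall check` validates the full configuration, and `shorewall restart` is still needed to load it.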
If you change any of the Shorewall parameters, remember to save your configuration (otherwise the change is lost at the next reboot) and restart Shorewall (shorewall restart) so that the new rules are actually loaded!