Anatomy of Shorewall 4.0

Tom Eastep

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled “GNU Free Documentation License”.

2007/10/09



Table of Contents

Products
Shorewall-common
/sbin
/usr/share/shorewall
/etc/shorewall
/etc/init.d or /etc/rc.d (depends on distribution)
/var/lib/shorewall
Shorewall-shell
Shorewall-perl
Shorewall-lite
/sbin
/etc/init.d or /etc/rc.d (depends on distribution)
/etc/shorewall-lite
/usr/share/shorewall-lite
/var/lib/shorewall-lite

Products

Shorewall 4.0 consists of four packages.

  1. Shorewall-common. This package must be installed on at least one system in your network. That system must also have Shorewall-shell and/or Shorewall-perl installed.

  2. Shorewall-shell. This package includes the legacy Shorewall configuration compiler written in Bourne Shell. This compiler is very portable but suffers from performance problems and has become hard to maintain.

  3. Shorewall-perl. An alternative to Shorewall-shell written in the Perl language. This compiler is highly portable to those Unix-like platforms that support Perl (including Cygwin) and is the compiler of choice for new Shorewall installations.

  4. Shorewall-lite. Shorewall allows for central administration of multiple firewalls through use of Shorewall lite. The full Shorewall product (along with Shorewall-shell and/or Shorewall-perl) are installed on a central administrative system where compiled Shorewall scripts are generated. These scripts are copied to the firewall systems where they run under the control of Shorewall-lite.

Shorewall-common

The Shorewall-common package includes a large number of files which are installed in /sbin, /usr/share/shorewall, /etc/shorewall, /etc/init.d and /var/lilb/shorewall/. These are described in the sub-sections that follow.

/sbin

The /sbin/shorewall shell program is use to interact with Shorewall. See shorewall(8).

/usr/share/shorewall

The bulk of Shorewall is installed here.

  • action.template - template file for creating actions.

  • action.* - standard Shorewall actions.

  • actions.std - file listing the standard actions.

  • configfiles - A directory containing configuration files to copy to create a Shorewall-lite export directory.

  • configpath - A file containing distribution-specific path assignments.

  • firewall - A shell program that handles the add and delete commands (see shorewall(8)). It also handles the stop and clear commands when there is no current compiled firewall script on the system.

  • functions - A symbolic link to lib.base that provides for compatibility with older versions of Shorewall.

  • init - A symbolic link to the init script (usually /etc/init.d/shorewall).

  • lib.* - Shell function libraries used by the other shell programs.

  • macro.* - The standard Shorewall macros.

  • modules - File that drives the loading of Netfilter kernel modules. May be overridden by /etc/shorewall/modules.

  • version - A file containing the currently install version of Shorewall.

  • wait4ifup - A shell program that extension scripts can use to delay until a network interface is available.

/etc/shorewall

This is where the modifiable configuration files are installed.

/etc/init.d or /etc/rc.d (depends on distribution)

An init script is installed here. Depending on the distribution, it is named shorewall or rc.firewall.

/var/lib/shorewall

Shorewall doesn't install any files in this directory but rather uses the directory for storing state information. This directory may be relocated using shorewall-vardir(5).

  • chains - If DYNAMIC_ZONES=Yes in shorewall.conf(5), this file contains information used by the add and delete commands (see shorewall(8)).

  • .iptables-restore-input - The file passed as input to the iptables-restore program to initialize the firewall during the last start or restart command (see shorewall(8)).

  • .modules - The contents of the modules file used during the last start or restart command (see shorewall(8) for command information).

  • .modulesdir - The MODULESDIR setting (shorewall.conf(5)) at the last start or restart.

  • nat - This unfortunately-named file records the IP addresses added by ADD_SNAT_ALIASES=Yes and ADD_IP_ALIASES=Yes in shorewall.conf(5).

  • proxyarp - Records the arp entries added by entries in shorewall-proxyarp(5).

  • .refresh - The shell program that performed the last successful refresh command.

  • .restart - The shell program that performed the last successful restart command.

  • restore - The default shell program used to execute restore commands.

  • .restore - The shell program that performed the last successful refresh, restart or start command.

  • save - File created by the save command and used to restore the dynamic blacklist during start/restart.

  • .start - The shell program that performed the last successful start command.

  • state - Records the current firewall state.

  • zones - Records the current zone contents.

Shorewall-shell

The Shorewall-shell product installs all of its files in /usr/share/shorewall-shell.

  • compiler - The configuration compiler shell program.

  • lib.* - Shell function libraries used by the compiler. On embedded systems, only a sub-set of the available libraries may be installed as a space-saving measure.

  • prog.* - Shell program fragments used as input to the compiler.

  • version - A file containing the currently install version of Shorewall-shell.

Shorewall-perl

The Shorewall-perl product installs all of its files in /usr/share/shorewall-perl.

  • buildports.pl - A Perl program that builds the Shorewall/Ports.pm module during installation (This program is removed in Shorewall 4.0.5 and later releases)

  • compiler.pl - The configuration compiler perl program.

  • prog.* - Shell program fragments used as input to the compiler.

  • Shorewall - Directory containing the Shorewall Perl modules used by the compiler.

  • version - A file containing the currently install version of Shorewall-shell.

Shorewall-lite

The Shorewall-lite product includes files installed in /sbin, /usr/share/shorewall-lite, /etc/shorewall-lite, /etc/init.d and /var/lilb/shorewall/. These are described in the sub-sections that follow.

/sbin

The /sbin/shorewall-lite shell program is use to interact with Shorewall lite. See shorewall-lite(8).

/etc/init.d or /etc/rc.d (depends on distribution)

An init script is installed here. Depending on the distribution, it is named shorewall-lite or rc.firewall.

/etc/shorewall-lite

This is where the modifiable configuration files are installed.

/usr/share/shorewall-lite

The bulk of Shorewall-lite is installed here.

  • configpath - A file containing distribution-specific path assignments.

  • functions - A symbolic link to lib.base that provides for compatibility with older versions of Shorewall.

  • lib.* - Shell function libraries used by the other shell programs. These are copies of the corresponding libraries in the Shorewall product.

  • modules - File that drives the loading of Netfilter kernel modules. May be overridden by /etc/shorewall-lite/modules.

  • shorecap - A shell program used for generating capabilities files. See the Shorewall-lite documentation.

  • version - A file containing the currently install version of Shorewall.

  • wait4ifup - A shell program that extension scripts can use to delay until a network interface is available.

/var/lib/shorewall-lite

Shorewall-lite doesn't install any files in this directory but rather uses the directory for storing state information. This directory may be relocated using shorewall-lite-vardir(5).

  • firewall - Compiled shell script installed by running the load or reload command on the administrative system (see shorewall(8)).

  • firewall.conf - Digest of the shorewall.conf file used to compile the firewall script on the administrative system.

  • .iptables-restore-input - The file passed as input to the iptables-restore program to initialize the firewall during the last start or restart command (see shorewall-lite(8)).

  • .modules - The contents of the modules file used during the last start or restart command (see shorewall-lite(8) for command information).

  • .modulesdir - The MODULESDIR setting (shorewall.conf(5)) at the last start or restart.

  • nat - This unfortunately-named file records the IP addresses added by ADD_SNAT_ALIASES=Yes and ADD_IP_ALIASES=Yes in shorewall.conf(5).

  • proxyarp - Records the arp entries added by entries in shorewall-proxyarp(5).

  • .refresh - The shell program that performed the last successful refresh command.

  • .restart - The shell program that performed the last successful restart command.

  • restore - The default shell program used to execute restore commands.

  • .restore - The shell program that performed the last successful refresh, restart or start command.

  • save - File created by the save command and used to restore the dynamic blacklist during start/restart.

  • .start - The shell program that performed the last successful start command.

  • state - Records the current firewall state.

  • zones - Records the current zone contents.