RHEL - Shorewall Configuration
If you've gotten this far, you should have successfully gotten Shorewall installed on your slice. Now we'll learn how to configure it, giving you a powerful and simple mechanism for managing your slice's firewall.
This is part 2 of our journey into the wonderful world of Shorewall firewalling. If you missed part 1 where we installed Shorewall, take this opportunity to go back and review it. Because, you know, otherwise you'll be trying to configure something that hasn't been installed on your system.
Warning
If you read nothing else here, read this. You're configuring your firewall. Firewalls are meant to keep people out, including you if you aren't careful. WHEN CONFIGURING YOUR FIREWALL, KEEP YOUR PERSISTENT CONNECTION OPEN.
Don't close your terminal session before you're sure that you can get back into your system. If you want to test, open a new terminal while you have your existing session going. If by some chance you do get locked out, you can still get in through the web console in the SliceManager, but let's not take the chance.
Basic Configuration and preparation
Now that we've got that bit of business out of the way, let's get started building a nice, basic Shorewall configuration that will service one public interface. The first step is to let Shorewall know that we want it to start up when we tell it to start. That may sound ridiculously obvious, but Shorewall installs with this option off. Kind of a safety on the gun if you will. Anyway, let's make our change:
sudo nano /etc/shorewall/shorewall.conf
In that file, you're going to see a setting that looks like this:
STARTUP_ENABLED=No
Let's make it look like this:
STARTUP_ENABLED=Yes
Can't get much simpler than that. Save and exit.
Next, let's pull in the base configuration files that come with the Shorewall package into the proper directory:
sudo cp /usr/share/doc/shorewall-4.2.10/Samples/one-interfaces/{interfaces,policy,masq,routestopped,rules,zones} /etc/shorewall/
Remember, we're setting this up for a one interface environment. If you're wanting to configure for two or three interfaces, those directories are in the package as well. You'll just change the "one-interfaces" directory to "two-interfaces" or "three-interfaces".
Now it's time to get to the meat of the matter. We're going to start making changes to the Shorewall files that will define the rules of our system and our firewall.
Zone Setup
Let's start with defining our zones. The zones are what the firewall will refer to when determining where requests are coming from and what to do with them depending on where they are going. Try to think of them like this: loc (local) is the system itself, dmz (de-militarized zone) is your private network, and net (internet) is, well, the internet.
Right off the bat, your zone file probably looks something like this at the end:
###############################################################################
#ZONE   TYPE        OPTIONS         IN                      OUT
#                                   OPTIONS                 OPTIONS
fw      firewall
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
Let's make the zone file look something like this:
###############################################################################
#ZONE   TYPE        OPTIONS         IN                      OUT
#                                   OPTIONS                 OPTIONS
fw      firewall
net     ipv4
loc     ipv4
dmz     ipv4
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
ipv4 is just the zone type: it tells Shorewall what kind of addresses that zone deals with. Now that we've got our zones defined, let's tell the firewall what interfaces it's going to be looking at.
Interfaces Setup
Go ahead and pull up your interfaces and see what's there:
sudo /sbin/ifconfig
Remember how we defined our zones. We have to have our interfaces correspond with those zones. So your public interface will reflect the net zone and the private interface will reflect the dmz. For a one-interface system, eth0 is the public interface and eth1 is the private interface (if you have one). The lo interface corresponds to the loc zone, the system itself.
Now that we've figured out what's what, we can enter it into our interfaces file so the firewall knows as well. Let's make our adjustments:
sudo nano /etc/shorewall/interfaces
Initially, the interfaces file will look something like this:
###############################################################################
#ZONE   INTERFACE   BROADCAST   OPTIONS
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
Here's a good, basic configuration for the interfaces file:
###############################################################################
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      tcpflags,dhcp,routefilter,nosmurfs,logmartians
loc     lo          detect      tcpflags,nosmurfs
dmz     eth1        detect
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
You can kinda see what's happening here. We're adding in the interfaces and assigning them a "location". If you put “detect” under the broadcast setting, the firewall will determine the broadcast address for the interface by itself. Neat, huh? As for the options, if you're curious, feel free to type “man shorewall-interfaces” for an in depth description of each one. Go ahead, we'll wait.
Policy Setup
Next come policies. The Shorewall policy file defines the default rules of the firewall, i.e. what the firewall will do with a request if there's no specific rule covering that request. In order to set our policy, we'll have to adjust our policy file.
sudo nano /etc/shorewall/policy
Here's what the end of that file should look like initially:
###############################################################################
#SOURCE     DEST        POLICY      LOG LEVEL   LIMIT:BURST
#
#LAST LINE -- DO NOT REMOVE
Look at this configuration:
###############################################################################
#SOURCE     DEST        POLICY      LOG LEVEL   LIMIT:BURST
# Policies defining traffic pertaining to the firewall interface
$FW         net         ACCEPT
loc         $FW         ACCEPT
$FW         loc         ACCEPT
# Policies defining traffic originating from the local zone
loc         net         ACCEPT
loc         dmz         REJECT      info
loc         all         REJECT      info
# Policies defining traffic originating from the dmz
dmz         loc         REJECT      info
dmz         net         REJECT      info
dmz         all         REJECT      info
# Policies defining traffic originating from the net
net         loc         DROP        info
net         dmz         DROP        info
net         all         DROP        info
# The FOLLOWING POLICY MUST BE LAST
all         all         REJECT      info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
Wow, look at all those drops and rejects! Remember, folks, this is a firewall. You want it to be restrictive. Again, you should be able to see the format of what's being entered. We've got our zones represented and we're letting the firewall know what to do based on what zone a packet is coming from and to what zone it's destined. We're just leaving the log level at info; no need to clutter things up with more detailed logs right now.
If you've noticed that new zone in there, $FW, don't be confused. The easy way to think about it is as a zone very similar to loc, just used for routing that we don't need to worry about for this series of articles.
If you need to change things based on what you need your server to do and how you want it to communicate, go ahead. But it's better to work within the rules rather than the policy if at all possible.
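Shorewall reads the policy file top-down and applies the first line whose SOURCE and DEST match the zone pair, with "all" acting as a wildcard, which is why line order matters and why the catch-all sits last. The shell function below (an added example, not code from the original article or from Shorewall) replays that lookup over a copy of the policy listed above, so you can see, for example, that traffic from net to $FW falls through to the "net all DROP" line and only gets in where a rule in /etc/shorewall/rules allows it.

```shell
# Added example: resolve which policy line governs a zone pair.
# Shorewall scans the policy file top-down; the first line whose SOURCE and
# DEST match (literally, or via the "all" wildcard) wins, so ordering matters.
# Usage: resolve_policy SRC DEST [POLICY_FILE]   (reads stdin if no file given)
resolve_policy() {
  src=$1; dst=$2; shift 2
  awk -v src="$src" -v dst="$dst" '
    /^[[:space:]]*#/ || NF < 3 { next }                 # comments, blanks
    ($1 == src || $1 == "all") && ($2 == dst || $2 == "all") {
      out = $3                                          # POLICY column
      if (NF >= 4) out = out " " $4                     # LOG LEVEL, if set
      print out; exit                                   # first match wins
    }' "$@"
}

# A constructed copy of the policy file from this article (data lines only).
POLICY_SAMPLE='$FW net ACCEPT
loc $FW ACCEPT
$FW loc ACCEPT
loc net ACCEPT
loc dmz REJECT info
loc all REJECT info
dmz loc REJECT info
dmz net REJECT info
dmz all REJECT info
net loc DROP info
net dmz DROP info
net all DROP info
all all REJECT info'

# Look up a pair against the sample without touching /etc/shorewall.
sample_policy() {
  printf '%s\n' "$POLICY_SAMPLE" | resolve_policy "$1" "$2"
}

# On a live box: resolve_policy net '$FW' /etc/shorewall/policy
sample_policy net '$FW'     # DROP info: nothing reaches the firewall from net
                            # unless a rule in /etc/shorewall/rules allows it
sample_policy '$FW' dmz     # REJECT info: only the final all/all line matches
```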
Shorewall Rules
Wait, I'm sure you're asking, what rules? Well, here comes the beauty of using Shorewall. Here, do this:
ls /usr/share/shorewall/macro.*
Wondering what all that is that just got displayed on your screen? Those are pre-configured macros covering a host of commonly used applications that you can plug into your firewall. You use them by making adjustments to the rules file.
sudo nano /etc/shorewall/rules
Initially, your rules file should contain no rules, only the header, like this:
###############################################################################
#ACTION     SOURCE  DEST    PROTO   DEST    SOURCE  ORIGINAL    RATE    USER/   MARK    CONNLIMIT   TIME
#                                   PORT    PORT(S) DEST        LIMIT   GROUP
#SECTION ESTABLISHED
#SECTION RELATED
SECTION NEW
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
Go ahead and add this to the configuration:
###############################################################################
#ACTION     SOURCE  DEST    PROTO   DEST    SOURCE  ORIGINAL    RATE    USER/   MARK    CONNLIMIT   TIME
#                                   PORT    PORT(S) DEST        LIMIT   GROUP
#SECTION ESTABLISHED
#SECTION RELATED
#SECTION NEW
# Accept DNS connections from the firewall
DNS/ACCEPT  $FW     net
##
#
# Accept SSH connections from the local zone
SSH/ACCEPT  loc     $FW
SSH/ACCEPT  loc     dmz
##
#
# Accept SSH connections from the net
SSH/ACCEPT  net     $FW
# Accept DNS access from the dmz to the internet
DNS/ACCEPT  dmz     net
#
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
The rules file is the file you'll interact with the most to control your firewall. If you look at those entries, you can get a feel for what's going on. You're telling the firewall what to do with a specific request based on where it's coming from and where it's headed. We'll touch on this a little more later but first, let's get this thing up and running.
Important note for those who have changed their SSH port
If you've been following from the beginning of the RHEL setup articles, you've rightly changed your SSH answering port off of the default of 22. We need to make note of that change in Shorewall or, you guessed it, you'll be locked out when you start it.
We're going to edit the rule that controls SSH access. Enter this command:
sudo nano /usr/share/shorewall/macro.SSH
You should then see a file that looks like this:
###############################################################################
#ACTION SOURCE  DEST    PROTO   DEST    SOURCE  RATE    USER/
#                               PORT(S) PORT(S) LIMIT   GROUP
PARAM   -       -       tcp     22
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
We're going to change that 22 so that the port that we need opened is available to us:
###############################################################################
#ACTION SOURCE  DEST    PROTO   DEST    SOURCE  RATE    USER/
#                               PORT(S) PORT(S) LIMIT   GROUP
PARAM   -       -       tcp     30000
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
Of course, if you didn't use port 30000 as suggested in the article, enter the port number that you used instead.
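"shorewall check" validates syntax and zone references, but it has no way of knowing which port sshd is listening on, so a macro.SSH still at 22 while sshd answers on 30000 passes the check and locks you out the moment the firewall starts. The shell functions below (an added example, not code from the original article or from Shorewall) compare the port in a macro.SSH file with the Port directives in an sshd_config, using constructed copies of both files so they run anywhere.

```shell
# Added example: confirm that the port macro.SSH opens is one sshd listens on.
# "shorewall check" cannot catch this mismatch, and it is the classic way to
# lock yourself out, so run it before "shorewall start".

# Port in the DEST PORT(S) column of the macro's PARAM line.
macro_ssh_port() {
  awk '/^[[:space:]]*#/ { next } $1 == "PARAM" { print $5; exit }' "$1"
}

# Every uncommented "Port" directive in an sshd_config; 22 if there is none.
sshd_ports() {
  awk 'BEGIN { n = 0 }
       /^[[:space:]]*#/ { next }
       tolower($1) == "port" { print $2; n++ }
       END { if (n == 0) print 22 }' "$1"
}

# ssh_port_matches MACRO_FILE SSHD_CONFIG -> 0 if they agree, 1 otherwise.
ssh_port_matches() {
  m=$(macro_ssh_port "$1")
  for p in $(sshd_ports "$2"); do
    [ "$p" = "$m" ] && return 0
  done
  echo "mismatch: macro.SSH opens tcp/$m, which sshd is not listening on" >&2
  return 1
}

# Constructed sample files (not copied from a live system).
work=$(mktemp -d)
cat > "$work/macro.SSH" <<'EOF'
#ACTION SOURCE  DEST    PROTO   DEST    SOURCE  RATE    USER/
#                               PORT(S) PORT(S) LIMIT   GROUP
PARAM   -       -       tcp     30000
EOF
printf '#Port 22\nPort 30000\nProtocol 2\n' > "$work/sshd_config.moved"
printf 'Protocol 2\n' > "$work/sshd_config.default"   # no Port line: sshd uses 22

# On a real slice: ssh_port_matches /usr/share/shorewall/macro.SSH /etc/ssh/sshd_config
ssh_port_matches "$work/macro.SSH" "$work/sshd_config.moved" && echo "ports agree"
ssh_port_matches "$work/macro.SSH" "$work/sshd_config.default" || echo "fix before starting"
```

If you keep an overriding copy of the macro in /etc/shorewall, which Shorewall searches before /usr/share/shorewall, point the first argument at that copy instead.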
Putting it all together
So you've got your zones defined, your interfaces outlined, and your rules in place. We're about ready to turn this thing on. First, let's see if we made any mistakes. Shorewall comes with a checker that will look to see if there are any glaring errors that you made, like syntax errors, undefined rules, or bad zones. Let's see how we did.
sudo /sbin/shorewall check
Did it end with this?
Shorewall configuration verified
Cool, then you're probably good to go. Let's start it up.
sudo /etc/init.d/shorewall start
Look like this?
Starting shorewall: [ OK ]
Looking good. Confirm?
sudo /etc/init.d/shorewall status
Shorewall-4.2.10 Status at rhelsandbox - Sat Jul 4 16:22:53 CDT 2009
Shorewall is running
State:Started (Fri Jul 3 15:45:57 CDT 2009)
Success.
Now let's OPEN ANOTHER TERMINAL WINDOW and make sure that we can still connect to our server via SSH.
~> ssh -p 30000 rhelsandbox
password:
Outstanding. Shorewall is now up and standing between you and the evil clutches of the internet's bad guys. Next time, we'll be looking at advanced configurations and testing for multiple ports and programs. Don't worry, it sounds worse than it is.
DP


Article Comments:
Brad commented Wed Jan 13 17:28:40 UTC 2010:
What about icmp? I noticed these lines in the default configuration:
Permit all ICMP traffic FROM the firewall TO the net zone
ACCEPT $FW net icmp
Drop Ping from the "bad" net zone.. and prevent your log from being flooded..
Ping/DROP net $FW