RHEL - Shorewall Configuration

If you've gotten this far, you should have successfully gotten Shorewall installed on your slice. Now we'll learn how to configure it, providing a powerful and simple mechanism for managing your slice's firewall.


This is part 2 of our journey into the wonderful world of Shorewall firewalling. If you missed part 1 where we installed Shorewall, take this opportunity to go back and review it. Because, you know, otherwise you'll be trying to configure something that hasn't been installed on your system.

Warning

If you read nothing else here, read this. You're configuring your firewall. Firewalls are meant to keep people out, including you if you aren't careful. WHEN CONFIGURING YOUR FIREWALL, KEEP YOUR PERSISTENT CONNECTION OPEN.

Don't close your terminal session before you're sure that you can get back into your system. If you want to test, open a new terminal while you have your existing session going. If by some chance you do get locked out, you can still get in through the web console in the SliceManager, but let's not take the chance.

Basic Configuration and preparation

Now that we've got that bit of business out of the way, let's get started building a nice, basic Shorewall configuration that will service one public interface. The first step is to let Shorewall know that we want it to start up when we tell it to start. That may sound ridiculously obvious, but Shorewall installs with this option off. Kind of a safety on the gun if you will. Anyway, let's make our change:

sudo nano /etc/shorewall/shorewall.conf

In that file, you're going to see a setting that looks like this:

STARTUP_ENABLED=No

Let's make it look like this:

STARTUP_ENABLED=Yes

Can't get much simpler than that. Save and exit.

Next, let's pull in the base configuration files that come with the Shorewall package into the proper directory:

sudo cp /usr/share/doc/shorewall-4.2.10/Samples/one-interfaces/{interfaces,policy,masq,routestopped,rules,zones} /etc/shorewall/

Remember, we're setting this up for a one-interface environment. If you want to configure for two or three interfaces, those directories are in the package as well. You'll just change the "one-interfaces" directory to "two-interfaces" or "three-interfaces".

Now it's time to get to the meat of the matter. We're going to start making changes to the Shorewall files that will define the rules of our system and our firewall.

Zone Setup

Let's start with defining our zones. The zones are what the firewall will refer to when determining where requests are coming from and what to do with them depending on where they are going. Try to think of them like this: loc (local) is the system itself, dmz (de-militarized zone) is your private network, and net (internet) is, well, the internet.

Right off the bat, your zone file probably looks something like this at the end:

###############################################################################
#ZONE   TYPE            OPTIONS         IN                      OUT
#                                       OPTIONS                 OPTIONS
fw      firewall
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

Let's make the zone file look something like this:

###############################################################################
#ZONE   TYPE            OPTIONS         IN                      OUT
#                                       OPTIONS                 OPTIONS
fw      firewall
net     ipv4
loc     ipv4
dmz     ipv4
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

ipv4 is just the format of internet address that we're going to deal with. Now that we've got our zones defined, let's tell the firewall what interfaces it's going to be looking at.

Interfaces Setup

Go ahead and pull up your interfaces and see what's there:

sudo /sbin/ifconfig

Remember how we defined our zones. We have to have our interfaces correspond with those zones. So your public interface will reflect the net zone and the private interface will reflect the dmz. For a one-interface system, eth0 is the public interface and eth1 is the private interface (if you have one). The lo interface corresponds to the loc zone, the system itself.

Now that we've figured out what's what, we can enter it into our interfaces file so the firewall knows as well. Let's make our adjustments:

sudo nano /etc/shorewall/interfaces

Initially, the interfaces file will look something like this:

###############################################################################
#ZONE   INTERFACE       BROADCAST       OPTIONS
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Here's a good, basic configuration for the interfaces file:

###############################################################################
#ZONE   INTERFACE       BROADCAST       OPTIONS
net     eth0            detect          tcpflags,dhcp,routefilter,nosmurfs,logmartians
loc     lo              detect          tcpflags,nosmurfs
dmz     eth1            detect
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

You can kinda see what's happening here. We're adding in the interfaces and assigning each one to a zone, its "location". If you put "detect" under the broadcast setting, the firewall will determine the broadcast address for the interface by itself. Neat, huh? As for the options, if you're curious, feel free to type "man shorewall-interfaces" for an in-depth description of each one. Go ahead, we'll wait.

Policy Setup

Next come the policies. The Shorewall policy file defines the default rules of the firewall, i.e. what the firewall will do with a request if there's no specific rule covering that request. In order to set our policy, we'll have to adjust our policy file.

sudo nano /etc/shorewall/policy

Here's what the end of that file should look like initially:

###############################################################################
#SOURCE DEST    POLICY          LOG  LEVEL       LIMIT:BURST
#
#LAST LINE -- DO NOT REMOVE

Look at this configuration:

###############################################################################
#SOURCE         DEST            POLICY          LOG LEVEL       LIMIT:BURST
# Policies defining traffic pertaining to the firewall interface
$FW             net             ACCEPT
loc             $FW             ACCEPT
$FW             loc             ACCEPT
# Policies defining traffic originating from the local zone
loc             net             ACCEPT
loc             dmz             REJECT          info
loc             all             REJECT          info
# Policies defining traffic originating from the dmz
dmz             loc             REJECT          info
dmz             net             REJECT          info
dmz             all             REJECT          info
# Policies defining traffic originating from the net
net             loc             DROP            info
net             dmz             DROP            info
net             all             DROP            info
# The FOLLOWING POLICY MUST BE LAST
all             all             REJECT          info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

Wow, look at all those drops and rejects! Remember, folks, this is a firewall. You want it to be restrictive. Again, you should be able to see the format of what's being entered. We've got our zones represented and we're letting the firewall know what to do based on what zone a packet is coming from and to what zone it's destined. We're keeping logging at the info level; no need to clutter things up with more detailed logs right now.

If you've noticed that new zone in there, $FW, don't be confused. The easy way to think about it is as a zone very similar to loc, just used for routing that we don't need to worry about for this series of articles.

If you need to change things based on what you need your server to do and how you want it to communicate, go ahead. But it's better to work within the rules rather than the policy if at all possible.
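To see why the order of the policy file matters, here is an added example (not from the article and not part of Shorewall) that resolves which policy line applies to a source/destination zone pair the way Shorewall reads the policy file: top to bottom, first match wins, with "all" matching any zone. The policy file is a constructed copy of the one above; a second, deliberately misordered file shows what happens when "loc all REJECT" is placed before "loc net ACCEPT".

```shell
#!/bin/sh
# Added example, not code from the article or from Shorewall itself.
# Resolves which policy line governs a zone pair using the first-match rule
# Shorewall applies to the policy file ("all" matches any zone). The policy
# file below is a constructed copy of the article's, written to a temp file.
POLICY_FILE="$(mktemp)"
trap 'rm -f "$POLICY_FILE" "$BAD_POLICY_FILE"' EXIT
cat > "$POLICY_FILE" <<'EOF'
#SOURCE         DEST            POLICY          LOG LEVEL       LIMIT:BURST
$FW             net             ACCEPT
loc             $FW             ACCEPT
$FW             loc             ACCEPT
loc             net             ACCEPT
loc             dmz             REJECT          info
loc             all             REJECT          info
dmz             loc             REJECT          info
dmz             net             REJECT          info
dmz             all             REJECT          info
net             loc             DROP            info
net             dmz             DROP            info
net             all             DROP            info
all             all             REJECT          info
EOF

# The same kind of entries with "loc all" placed above "loc net": constructed
# to show that ordering, not just content, decides what the firewall does.
BAD_POLICY_FILE="$(mktemp)"
cat > "$BAD_POLICY_FILE" <<'EOF'
loc             all             REJECT          info
loc             net             ACCEPT
all             all             REJECT          info
EOF

# effective_policy SRC DEST [FILE]: prints "POLICY (file line N)" for the first
# entry whose SOURCE and DEST match; "all" in either column is a wildcard.
effective_policy() {
    awk -v src="$1" -v dst="$2" '
        /^[[:space:]]*#/ || NF < 3 { next }     # skip comments and blank lines
        ($1 == src || $1 == "all") && ($2 == dst || $2 == "all") {
            print $3 " (file line " NR ")"; exit
        }
    ' "${3:-$POLICY_FILE}"
}

# policy_name SRC DEST [FILE]: just the policy keyword, handy for scripting
policy_name() { effective_policy "$@" | cut -d' ' -f1; }

# Demonstration on the constructed files
for pair in "loc net" "net loc" "dmz loc" "\$FW dmz" "net \$FW"; do
    set -- $pair
    echo "$1 -> $2: $(effective_policy "$1" "$2")"
done
echo "misordered file, loc -> net: $(effective_policy loc net "$BAD_POLICY_FILE")"
```

Only the policy file is modeled here: real Shorewall consults the rules file before falling back to the policy, and treats traffic from a zone to itself specially, so use this to reason about the policy table, not as a full simulation. Run it against /etc/shorewall/policy by passing that path as the third argument.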

Shorewall Rules

Wait, I'm sure you're asking, what rules? Well, here comes the beauty of using Shorewall. Here, do this:

ls /usr/share/shorewall/macro.*

Wondering what all that is that just got displayed on your screen? Those are the pre-configured settings covering a host of well used applications that you can plug into your firewall. This is done by making adjustments to the rules file.

sudo nano /etc/shorewall/rules

Initially, your rules file should be empty, like this:

###############################################################################
#ACTION         SOURCE          DEST            PROTO   DEST    SOURCE          ORIGINAL        RATE USER/   MARK    CONNLIMIT     TIME
#                                                       PORT    PORT(S)         DEST            LIMIT           GROUP
#SECTION ESTABLISHED
#SECTION RELATED
SECTION NEW
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Go ahead and add this to the configuration:

###############################################################################
#ACTION         SOURCE          DEST            PROTO   DEST    SOURCE          ORIGINAL        RATE            USER/   MARK    CONNLIMIT     TIME
#                                                       PORT    PORT(S)         DEST            LIMIT           GROUP
#SECTION ESTABLISHED
#SECTION RELATED
SECTION NEW
# Accept DNS connections from the firewall
DNS/ACCEPT      $FW             net
##
#
# Accept SSH connections from the local zone
SSH/ACCEPT      loc             $FW
SSH/ACCEPT      loc             dmz
##
#
## Accept SSH connections from the net
SSH/ACCEPT      net             $FW
# Accept DNS queries from the dmz zone out to the internet
DNS/ACCEPT      dmz             net
#
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

The rules file is the file you'll interact with the most to control your firewall. If you look at those entries, you can get a feel for what's going on. You're telling the firewall what to do with a specific request based on where it's coming from and where it's headed. We'll touch on this a little more later but first, let's get this thing up and running.

Important note for those who have changed their SSH port

If you've been following from the beginning of the RHEL setup articles, you've rightly changed your SSH answering port off of the default of 22. We need to make note of that change in the Shorewall configuration or, you guessed it, you'll be locked out when you start it.

We're going to edit the rule that controls SSH access. Enter this command:

sudo nano /usr/share/shorewall/macro.SSH

You should then see a file that looks like this:

###############################################################################
#ACTION SOURCE  DEST    PROTO   DEST    SOURCE  RATE    USER/
#                               PORT(S) PORT(S) LIMIT   GROUP
PARAM   -       -       tcp     22
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

We're going to change that 22 so that the port that we need opened is available to us:

###############################################################################
#ACTION SOURCE  DEST    PROTO   DEST    SOURCE  RATE    USER/
#                               PORT(S) PORT(S) LIMIT   GROUP
PARAM   -       -       tcp     30000
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Of course, if you didn't use port 30000 as suggested in the article, enter the port number that you used instead.
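The two passages above, the macros behind the rules file and the SSH port change, both come down to what the PARAM line in macro.SSH turns into. The following added example (not from the article and not part of Shorewall) shows that expansion in simplified form and adds two pre-start checks that "shorewall check" does not do for you: that every zone named in the interfaces and policy files exists in the zones file, and that the port in macro.SSH matches the port sshd actually listens on. All input files are constructed copies of the article's samples written to a temp directory, including a deliberate "dzm" typo; point the functions at the real /etc/shorewall files and /etc/ssh/sshd_config to use them for real.

```shell
#!/bin/sh
# Added example, not code from the article or from the Shorewall project.
# Checks to run BEFORE "shorewall start": (1) every zone referenced in the
# interfaces/policy files is defined in the zones file, (2) what SSH/ACCEPT
# expands to and whether its port matches sshd's. All files below are
# constructed copies of the article's samples so this runs offline.
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

cat > "$WORK/zones" <<'EOF'
#ZONE   TYPE
fw      firewall
net     ipv4
loc     ipv4
dmz     ipv4
EOF
# "dzm" is a deliberate typo of "dmz", constructed to show the check catching it
cat > "$WORK/interfaces" <<'EOF'
#ZONE   INTERFACE       BROADCAST       OPTIONS
net     eth0            detect          tcpflags,dhcp,routefilter,nosmurfs,logmartians
loc     lo              detect          tcpflags,nosmurfs
dzm     eth1            detect
EOF
cat > "$WORK/policy" <<'EOF'
#SOURCE DEST    POLICY  LOG LEVEL
$FW     net     ACCEPT
loc     net     ACCEPT
net     all     DROP    info
all     all     REJECT  info
EOF
cat > "$WORK/macro.SSH" <<'EOF'
#ACTION SOURCE  DEST    PROTO   DEST    SOURCE  RATE    USER/
PARAM   -       -       tcp     30000
EOF
cat > "$WORK/sshd_config" <<'EOF'
# constructed sshd_config fragment; sshd listens on the article's port
Port 30000
PermitRootLogin no
EOF

# active_lines FILE: the file without comment and blank lines
active_lines() { grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$'; }

# zone_refs FILE "COLS": zone names found in the given columns, one per line
zone_refs() {
    active_lines "$1" | awk -v cols="$2" '{
        n = split(cols, c, " "); for (i = 1; i <= n; i++) print $c[i]
    }'
}

# undefined_zones ZONES_FILE: reads zone names on stdin and prints those the
# zones file does not define ("all" and $FW are built in and skipped)
undefined_zones() {
    defined="$(zone_refs "$1" 1)"
    sort -u | while read -r z; do
        case "$z" in all|'$FW'|'') continue ;; esac
        printf '%s\n' "$defined" | grep -qxF -- "$z" || printf '%s\n' "$z"
    done
}

# expand_macro_rule MACRO/ACTION SRC DEST MACRO_FILE: the rule a macro line
# turns into, simplified: PARAM becomes the action, "-" takes the rule's zones
expand_macro_rule() {
    active_lines "$4" | awk -v act="${1#*/}" -v src="$2" -v dst="$3" '{
        if ($1 == "PARAM") $1 = act
        if ($2 == "-") $2 = src
        if ($3 == "-") $3 = dst
        print
    }'
}

# ssh_macro_port MACRO_FILE: DEST PORT of the PARAM line in macro.SSH
ssh_macro_port() { active_lines "$1" | awk '$1 == "PARAM" { print $5; exit }'; }

# sshd_port SSHD_CONFIG: first Port directive, or OpenSSH's default of 22
sshd_port() {
    p="$(active_lines "$1" | awk 'tolower($1) == "port" { print $2; exit }')"
    echo "${p:-22}"
}

# ssh_rule_matches_sshd MACRO_FILE SSHD_CONFIG: succeeds only when both agree
ssh_rule_matches_sshd() { [ "$(ssh_macro_port "$1")" = "$(sshd_port "$2")" ]; }

# Demonstration on the constructed files
echo "Undefined zones in interfaces:"; zone_refs "$WORK/interfaces" 1 | undefined_zones "$WORK/zones"
echo "Undefined zones in policy:";     zone_refs "$WORK/policy" "1 2" | undefined_zones "$WORK/zones"
echo "SSH/ACCEPT loc \$FW expands to: $(expand_macro_rule SSH/ACCEPT loc '$FW' "$WORK/macro.SSH")"
if ssh_rule_matches_sshd "$WORK/macro.SSH" "$WORK/sshd_config"; then
    echo "macro.SSH port matches sshd; safe to start"
else
    echo "WARNING: macro.SSH port $(ssh_macro_port "$WORK/macro.SSH") differs from sshd port $(sshd_port "$WORK/sshd_config")"
fi
```

The macro expansion is a simplification of what Shorewall does (it also carries over the remaining columns and handles more than one line per macro), but it is enough to see that SSH/ACCEPT only opens whatever port the PARAM line names, which is why the port edit above matters.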

Putting it all together

So you've got your zones defined, your interfaces outlined, and your rules in place. We're about ready to turn this thing on. First, let's see if we made any mistakes. Shorewall comes with a checker that will look to see if there are any glaring errors that you made, like syntax errors, undefined rules, or bad zones. Let's see how we did.

sudo /sbin/shorewall check

Did it end with this?

Shorewall configuration verified

Cool, then you're probably good to go. Let's start it up.

sudo /etc/init.d/shorewall start

Look like this?

Starting shorewall:                                        [  OK  ]

Looking good. Confirm?

sudo /etc/init.d/shorewall status

Shorewall-4.2.10 Status at rhelsandbox - Sat Jul  4 16:22:53 CDT 2009

Shorewall is running
State:Started (Fri Jul  3 15:45:57 CDT 2009)

Success.

Now let's OPEN ANOTHER TERMINAL WINDOW and make sure that we can still connect to our server via SSH.

~> ssh -p 30000 rhelsandbox
password:
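The second-terminal test above is the right habit, but it depends on remembering to do it. As an added example (not from the article and not part of Shorewall), here is a small shell wrapper that turns the warning at the top of this article into a mechanism: it applies a change, then starts a watchdog that undoes it after a timeout unless you confirm from a fresh login. The apply and rollback commands are parameters; for this article they would be "sudo /etc/init.d/shorewall start" and "sudo shorewall clear", which are assumed here and not executed, since the demonstration uses harmless echo commands.

```shell
#!/bin/sh
# Added example, not from the article: apply a firewall change with a timed
# automatic rollback. APPLY_CMD and ROLLBACK_CMD are passed in as strings; for
# Shorewall they would be "sudo /etc/init.d/shorewall start" and
# "sudo shorewall clear" (clear removes every rule and leaves the host open
# until you start again, so it is emergency recovery, not a normal state).

# guarded_apply APPLY_CMD ROLLBACK_CMD SECONDS
#   Runs APPLY_CMD, then starts a background watchdog that runs ROLLBACK_CMD
#   after SECONDS unless confirm_apply is called first. The watchdog PID is
#   kept in WATCHDOG_PID and printed so it can be killed from another session.
guarded_apply() {
    apply_cmd="$1"; rollback_cmd="$2"; secs="$3"
    sh -c "$apply_cmd" || { echo "apply failed, no watchdog started" >&2; return 1; }
    # stdin/stdout/stderr detached so the watchdog does not hold the session open
    ( sleep "$secs" && sh -c "$rollback_cmd" ) </dev/null >/dev/null 2>&1 &
    WATCHDOG_PID=$!
    echo "watchdog $WATCHDOG_PID rolls back in ${secs}s; confirm with: kill $WATCHDOG_PID" >&2
}

# confirm_apply [PID]: cancel the pending rollback once you have verified, from
# a NEW session, that you can still log in. Defaults to the last watchdog.
confirm_apply() {
    kill "${1:-$WATCHDOG_PID}" 2>/dev/null
}

# Demonstration with harmless stand-ins (the real commands need root)
guarded_apply 'echo "pretend: shorewall start"' 'echo "pretend: shorewall clear"' 60
confirm_apply && echo "login verified from a second session; rollback cancelled"
```

Pick a timeout long enough to open a new terminal and log in (a couple of minutes), and if the login fails, do nothing: the watchdog clears the firewall and you get back in. Later Shorewall releases ship a "safe-start"/"safe-restart" command that does this interactively; check "man shorewall" on your version before relying on it.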

Outstanding. Shorewall is now up and standing between you and the evil clutches of the internet's bad guys. Next time, we'll be looking at advanced configurations and testing for multiple ports and programs. Don't worry, it sounds worse than it is.

DP

Article Comments:

Brad commented Wed Jan 13 17:28:40 UTC 2010:

What about icmp? I noticed these lines in the default configuration:

Permit all ICMP traffic FROM the firewall TO the net zone

ACCEPT $FW net icmp

Drop Ping from the "bad" net zone.. and prevent your log from being flooded..

Ping/DROP net $FW
