Shorewall Stand Alone Firewall
Contributed by Chad Brandt
Thursday, 17 June 2004

Learn how to install and configure Shorewall as a stand-alone firewall on your Linux system (no router).

NOTE: If you are looking for instructions to configure a 2-interface Shorewall router, click here.

1. Download the latest RPM from Shorewall's web site (as of this article the latest is 2.0.5).


2. Install the RPM

   [root]# rpm -Uvh shorewall-2.0.5-1.noarch.rpm

** On some Mandrake systems you may get an error about a dependency on ip. Mandrake systems install ip2, which works fine. Verify that you have ip2 installed and, if you do, you can safely force the install by typing the following:

[root]# rpm -Uvh --nodeps shorewall-2.0.5-1.noarch.rpm


3. Shorewall installs files in two separate locations.

The shorewall core files are installed in
/usr/share/shorewall

The shorewall configuration files are installed in
/etc/shorewall


4. Modify the configuration files for your system. I will go through the files and settings for a very secure stand-alone firewall.

/etc/shorewall/zones
net     Net       Internet

/etc/shorewall/policy
fw    net    DROP    info
net    fw    DROP    info
# THE FOLLOWING POLICY MUST BE LAST
all    all    REJECT    info

/etc/shorewall/interfaces
net    eth0    detect    dhcp,norfc1918,routefilter,blacklist,tcpflags,nosmurfs,nobogons

/etc/shorewall/rules (for a stand-alone firewall you do not need the loc rules)
AllowWeb     fw     net
AllowSSH     fw    net
AllowFTP     fw    net
AllowNTP     fw    net
AllowSMTP   fw    net
AllowPOP3   fw    net
AllowRRDNS    fw    net    # (this is a custom action for the Road Runner DNS servers)

/etc/shorewall/actions (you only need to edit this file if you created your own custom actions)
AllowRRDNS

/etc/shorewall/action.AllowRRDNS (this is the custom action)
ACCEPT     -     24.26.163.32,24.26.163.24,24.94.165.132     udp     53
ACCEPT     -     24.26.163.32,24.26.163.24,24.94.165.132     tcp     53

** If you would like to block specific IP addresses, you can put them in the blacklist file

/etc/shorewall/blacklist
24.30.199.231
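As an added example (not part of the article), a small Python check over copies of the step 4 files, using Shorewall's whitespace-separated column format: the "all all REJECT" policy must come last, every zone named in policy and rules must exist, every rule action must be built in or listed in actions, and the interfaces OPTIONS list must stay one column. The embedded file contents are constructed from the listings above; the interfaces copy deliberately keeps a space after "nosmurfs," so the check has something to report.

```python
# Added example: lint the Shorewall 2.x files from step 4. The file contents are
# constructed copies of the listings above; the interfaces line deliberately keeps
# a space inside the OPTIONS column so the check has something to report.
CONFIG = {
    "zones": "net     Net       Internet\n",
    "policy": ("fw    net    DROP    info\nnet    fw    DROP    info\n"
               "# THE FOLLOWING POLICY MUST BE LAST\nall    all    REJECT    info\n"),
    "interfaces": "net    eth0    detect    dhcp,norfc1918,routefilter,blacklist,tcpflags,nosmurfs, nobogons\n",
    "rules": "AllowWeb     fw     net\nAllowSSH     fw    net\nAllowRRDNS    fw    net    # custom action\n",
    "actions": "AllowRRDNS\n",
}
# Actions that need no entry in /etc/shorewall/actions (the standard ones used above)
BUILTIN_ACTIONS = {"ACCEPT", "DROP", "REJECT", "AllowWeb", "AllowSSH", "AllowFTP",
                   "AllowNTP", "AllowSMTP", "AllowPOP3"}

def entries(text):
    """Split a Shorewall file into rows of whitespace-separated columns, dropping comments and blanks."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rows.append(line.split())
    return rows

def lint(cfg):
    """Return a list of problems found in the zones/policy/interfaces/rules/actions files."""
    problems = []
    zones = {r[0] for r in entries(cfg["zones"])} | {"fw", "all"}
    policy = entries(cfg["policy"])
    if not policy or policy[-1][:3] != ["all", "all", "REJECT"]:
        problems.append("policy: the 'all all REJECT' catch-all must be the last policy")
    for r in policy:
        problems += ["policy: unknown zone %r" % z for z in r[:2] if z not in zones]
    for r in entries(cfg["interfaces"]):
        if len(r) > 4:   # ZONE INTERFACE BROADCAST OPTIONS; a space inside OPTIONS adds a column
            problems.append("interfaces: %d columns, max is 4: %s" % (len(r), " ".join(r)))
    custom = {r[0] for r in entries(cfg["actions"])}
    for r in entries(cfg["rules"]):
        if len(r) < 3:
            problems.append("rules: incomplete rule %r" % " ".join(r))
            continue
        if r[0] not in BUILTIN_ACTIONS | custom:
            problems.append("rules: action %r is neither built in nor listed in actions" % r[0])
        problems += ["rules: unknown zone %r" % z for z in r[1:3] if z.split(":")[0] not in zones]
    return problems

if __name__ == "__main__":
    for p in lint(CONFIG):
        print(p)
```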

In addition, if you have a cable modem, you will want to add a RETURN rule in the rfc1918 file for your head-end router address. You can find this by simply doing a traceroute: the first hop will be the RFC 1918 address of your head-end router.

[root]# traceroute microsoft.com
traceroute: Warning: microsoft.com has multiple addresses; using 207.46.245.214
traceroute to microsoft.com (207.46.245.214), 30 hops max, 38 byte packets
 1  10.38.128.1 (10.38.128.1)  6.786 ms  8.421 ms  10.476 ms
 2  srp2-0.mplsmn01-rtr2.mn.rr.com (24.26.162.34)  8.296 ms  8.734 ms  9.122 ms
 3  so0-1-2.chcgilL3-rtr1.kc.rr.com (24.94.160.13)  20.399 ms  20.157 ms  17.070 ms

In my case I will add the following to the rfc1918 file:
10.38.128.1             RETURN
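The step just described, as an added Python example that is not part of the article: it reads traceroute output, takes the hop 1 address, and emits the rfc1918 line (SUBNETS then TARGET) only when that address really falls in one of the three RFC 1918 ranges that norfc1918 rejects; a public first hop or an unanswered hop 1 ("* * *") needs no entry. The traceroute text is constructed and only reuses the article's 10.38.128.1 for hop 1.

```python
import ipaddress
import re

# Added example. Constructed traceroute output in the same shape as the run above
# (hop 1 reuses the article's 10.38.128.1; the other addresses are made up).
SAMPLE_TRACEROUTE = """\
traceroute to example.com (203.0.113.10), 30 hops max, 38 byte packets
 1  10.38.128.1 (10.38.128.1)  6.786 ms  8.421 ms  10.476 ms
 2  gw.example.net (198.51.100.1)  8.296 ms  8.734 ms  9.122 ms
"""

# The ranges the norfc1918 interface option refuses on the net interface
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# "<hop>  <name> (<ip>)  ..."; a hop that does not answer prints "* * *" and will not match
HOP_RE = re.compile(r"^\s*(\d+)\s+\S+\s+\((\d+\.\d+\.\d+\.\d+)\)")

def first_hop(traceroute_text):
    """Return the IP address printed for hop 1, or None if hop 1 did not answer."""
    for line in traceroute_text.splitlines():
        m = HOP_RE.match(line)
        if m and m.group(1) == "1":
            return m.group(2)
    return None

def rfc1918_entry(traceroute_text):
    """Build the /etc/shorewall/rfc1918 line (SUBNETS TARGET) that lets the head-end
    router's private address through, or None when no exception is needed."""
    hop = first_hop(traceroute_text)
    if hop is None:
        return None                                  # cannot tell; run traceroute again
    if not any(ipaddress.ip_address(hop) in net for net in RFC1918):
        return None                                  # public first hop: norfc1918 never drops it
    return "%-23s RETURN" % hop

if __name__ == "__main__":
    print(rfc1918_entry(SAMPLE_TRACEROUTE))
```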

Download common custom rules

action.AllowMSN - Allow MSN messenger traffic
action.AllowSquid - Allow squid traffic
action.AllowWHOIS - Allow whois command queries
action.AllowWebmin - Allow webmin traffic
action.AllowCVSUP - Allow access to the FreeBSD cvsup servers
action.AllowWINMX  - Allow access to the winmx file sharing program


5. Start Shorewall

/etc/init.d/shorewall start

All messages will be logged to /var/log/messages.

I also have a Shorewall log parser written in Perl that works nicely to display the current day's log in an easy-to-read format.
You can download it here.
An example output would look like:

Mar 31 07:24:32     net2all     DROP    TCP     24.11.244.72:3449    ->     24.163.219.104:2745

This shows that a TCP packet from 24.11.244.72 port 3449 was being sent to my machine's port 2745 and was dropped by Shorewall as a result of the net2all chain.
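As an added example (not the author's Perl parser), a Python reading of the same kind of log: Shorewall logs through the kernel with the prefix "Shorewall:<chain>:<disposition>:" followed by netfilter's KEY=value fields, so each /var/log/messages line can be reduced to the one-line layout shown above, filtered to one day, and counted per source address. The syslog lines below are constructed for the example; ICMP entries, which carry no ports, show type/code in their place.

```python
import re
from collections import Counter

# Added example. Constructed syslog lines (not from the article) in the Shorewall 2.x
# format, where the kernel log prefix is "Shorewall:<chain>:<disposition>:".
SAMPLE_LOG = """\
Mar 31 07:24:32 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=24.11.244.72 DST=24.163.219.104 LEN=48 TTL=113 PROTO=TCP SPT=3449 DPT=2745 SYN
Mar 31 07:25:01 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=24.11.244.72 DST=24.163.219.104 LEN=48 TTL=113 PROTO=TCP SPT=3450 DPT=135 SYN
Mar 31 07:26:10 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=192.0.2.7 DST=24.163.219.104 LEN=36 TTL=52 PROTO=UDP SPT=1026 DPT=137
Mar 31 07:26:30 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=192.0.2.7 DST=24.163.219.104 LEN=84 TTL=52 PROTO=ICMP TYPE=8 CODE=0
Mar 30 23:59:59 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=198.51.100.9 DST=24.163.219.104 LEN=60 TTL=49 PROTO=TCP SPT=4000 DPT=22 SYN
Mar 31 07:30:00 fw sshd[123]: Accepted publickey for chad from 203.0.113.5 port 50000 ssh2
"""

LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: Shorewall:(\w+):(\w+):(.*)$")

def parse_line(line):
    """Return a dict for one Shorewall log line, or None for any other syslog line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    stamp, chain, action, rest = m.groups()
    f = dict(re.findall(r"(\w+)=(\S*)", rest))          # IN=eth0 SRC=... PROTO=... SPT=...
    proto = f.get("PROTO", "?")
    if proto == "ICMP":   # no ports; show type/code in their place
        sport, dport = "type" + f.get("TYPE", "?"), "code" + f.get("CODE", "?")
    else:
        sport, dport = f.get("SPT", "-"), f.get("DPT", "-")
    return {"stamp": stamp, "chain": chain, "action": action, "proto": proto,
            "src": f.get("SRC", "?"), "sport": sport, "dst": f.get("DST", "?"), "dport": dport}

def format_entry(e):
    """Render one entry in the same layout as the parser output shown above."""
    return "%s     %s     %s    %s     %s:%s    ->     %s:%s" % (
        e["stamp"], e["chain"], e["action"], e["proto"],
        e["src"], e["sport"], e["dst"], e["dport"])

def summarize(log_text, day):
    """Entries for one day (e.g. 'Mar 31') and a count of dropped packets per source."""
    entries = [e for e in map(parse_line, log_text.splitlines())
               if e and e["stamp"].startswith(day + " ")]
    per_source = Counter(e["src"] for e in entries if e["action"] == "DROP")
    return entries, per_source

if __name__ == "__main__":
    entries, per_source = summarize(SAMPLE_LOG, "Mar 31")
    for e in entries:
        print(format_entry(e))
    print("Top sources:", per_source.most_common(3))
```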

If you would like to proactively protect your network against hackers, you can install the Snort intrusion detection system and install my program SnortShorewall to block intrusion attempts. You can read more about the program here.

Comments
what about GYach and web cam
Written by Guest on 2005-02-17 09:45:44
When I use GYach and I invite a buddy to view my cam, I am unable to receive the ack of the buddy.
I have to pull down Shorewall, then I get the ack.
Written by Guest on 2005-02-17 12:23:22
It sounds like you are allowing the traffic out but not allowing it in. You should look in your logs and find out what protocol and port is being blocked and then allow traffic in on that port and protocol.
Written by Guest on 2005-06-29 17:09:43
:)
