1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
1410
1411
1412
1413
1414
1415
1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455
1456
1457
1458
1459
1460
1461
1462
1463
1464
1465
1466
1467
1468
1469
1470
1471
1472
1473
1474
1475
1476
1477
1478
1479
1480
1481
1482
1483
1484
1485
1486
1487
1488
1489
1490
1491
1492
1493
1494
1495
1496
1497
1498
1499
1500
1501
1502
1503
1504
1505
1506
1507
1508
1509
1510
1511
1512
1513
1514
1515
1516
1517
1518
1519
1520
1521
1522
1523
1524
1525
1526
1527
1528
1529
1530
1531
1532
1533
1534
1535
1536
1537
1538
1539
1540
1541
1542
1543
1544
1545
1546
1547
1548
1549
1550
1551
1552
1553
1554
1555
1556
1557
1558
1559
1560
1561
1562
1563
1564
1565
1566
1567
1568
1569
1570
1571
1572
1573
1574
1575
1576
1577
1578
1579
1580
1581
1582
1583
1584
1585
1586
1587
1588
1589
1590
1591
1592
1593
1594
1595
1596
1597
1598
1599
1600
1601
1602
1603
1604
1605
1606
1607
1608
1609
1610
1611
1612
1613
1614
1615
1616
1617
1618
1619
1620
1621
1622
1623
1624
1625
1626
1627
1628
1629
1630
1631
1632
1633
1634
1635
1636
1637
1638
1639
1640
1641
1642
1643
1644
1645
1646
1647
1648
1649
1650
1651
1652
1653
1654
1655
1656
1657
1658
1659
1660
1661
1662
1663
1664
1665
1666
1667
1668
1669
1670
1671
1672
1673
1674
1675
1676
1677
1678
1679
1680
1681
1682
1683
1684
1685
1686
1687
1688
1689
1690
1691
1692
1693
1694
1695
1696
1697
1698
1699
1700
1701
1702
1703
1704
1705
1706
1707
1708
1709
1710
1711
1712
1713
1714
1715
1716
1717
1718
1719
1720
1721
1722
1723
1724
1725
1726
1727
1728
1729
1730
1731
1732
1733
1734
1735
1736
1737
1738
1739
1740
1741
1742
1743
1744
1745
1746
1747
1748
1749
1750
1751
1752
1753
1754
1755
1756
1757
1758
1759
1760
1761
1762
1763
1764
1765
1766
1767
1768
1769
1770
1771
1772
1773
1774
1775
1776
1777
1778
1779
1780
1781
1782
1783
1784
1785
1786
1787
1788
1789
1790
1791
1792
1793
1794
1795
1796
1797
1798
1799
1800
1801
1802
1803
1804
1805
1806
1807
1808
1809
1810
1811
1812
1813
1814
1815
1816
1817
1818
1819
1820
1821
1822
1823
1824
1825
1826
1827
1828
1829
1830
1831
1832
1833
1834
1835
1836
1837
1838
1839
1840
1841
1842
1843
1844
1845
1846
1847
1848
1849
1850
1851
1852
1853
1854
1855
1856
1857
1858
1859
1860
1861
1862
1863
1864
1865
1866
1867
1868
1869
1870
1871
1872
1873
1874
1875
1876
1877
1878
1879
1880
1881
1882
1883
1884
1885
1886
1887
1888
1889
1890
1891
1892
1893
1894
1895
1896
1897
1898
1899
1900
1901
1902
1903
1904
1905
1906
1907
1908
1909
1910
1911
1912
1913
1914
1915
1916
1917
1918
1919
1920
1921
1922
1923
1924
1925
1926
1927
1928
1929
1930
1931
1932
1933
1934
1935
1936
1937
1938
1939
1940
1941
1942
1943
1944
1945
1946
1947
1948
1949
1950
1951
1952
1953
1954
1955
1956
1957
1958
1959
1960
1961
1962
1963
1964
1965
1966
1967
1968
1969
1970
1971
1972
1973
1974
1975
1976
1977
1978
1979
1980
1981
1982
1983
1984
1985
1986
1987
1988
1989
1990
1991
1992
1993
1994
1995
1996
1997
1998
1999
2000
2001
2002
2003
2004
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
2025
2026
2027
2028
2029
2030
2031
2032
2033
2034
2035
2036
2037
2038
2039
2040
2041
2042
2043
2044
2045
2046
2047
2048
2049
2050
2051
2052
2053
2054
2055
2056
2057
2058
2059
2060
2061
2062
2063
2064
2065
2066
2067
2068
2069
2070
2071
2072
2073
2074
2075
2076
2077
2078
2079
2080
2081
2082
2083
2084
2085
2086
2087
2088
2089
2090
2091
2092
2093
2094
2095
2096
2097
2098
2099
2100
2101
2102
2103
2104
2105
2106
2107
2108
2109
2110
2111
2112
2113
2114
2115
2116
2117
2118
2119
2120
2121
2122
2123
2124
2125
2126
2127
2128
2129
2130
2131
2132
2133
2134
2135
2136
2137
2138
2139
2140
2141
2142
2143
2144
2145
2146
2147
2148
2149
2150
2151
2152
2153
2154
2155
2156
2157
2158
2159
2160
2161
2162
2163
2164
2165
2166
2167
2168
2169
2170
2171
2172
2173
2174
2175
2176
2177
2178
2179
2180
2181
2182
2183
2184
2185
2186
2187
2188
2189
2190
2191
2192
2193
2194
2195
2196
2197
2198
2199
2200
2201
2202
2203
2204
2205
2206
2207
2208
2209
2210
2211
2212
2213
2214
2215
2216
2217
2218
2219
2220
2221
2222
2223
2224
2225
2226
2227
2228
2229
2230
2231
2232
2233
2234
2235
2236
2237
2238
2239
2240
2241
2242
2243
2244
2245
2246
2247
2248
2249
2250
2251
2252
2253
2254
2255
2256
2257
2258
2259
2260
2261
2262
2263
2264
2265
2266
2267
2268
2269
2270
2271
2272
2273
2274
2275
2276
2277
2278
2279
2280
2281
2282
2283
2284
2285
2286
2287
2288
2289
2290
2291
2292
2293
2294
2295
2296
2297
2298
2299
2300
2301
2302
2303
2304
2305
2306
2307
2308
2309
2310
2311
2312
2313
2314
2315
2316
2317
2318
2319
2320
2321
2322
2323
2324
2325
2326
2327
2328
2329
2330
2331
2332
2333
2334
2335
2336
2337
2338
2339
2340
2341
2342
2343
2344
2345
2346
2347
2348
2349
2350
2351
2352
2353
2354
2355
2356
2357
2358
2359
2360
2361
2362
2363
2364
2365
2366
2367
2368
2369
2370
2371
2372
2373
2374
2375
2376
2377
2378
2379
2380
2381
2382
2383
2384
2385
2386
2387
2388
2389
2390
2391
2392
2393
2394
2395
2396
2397
2398
2399
2400
2401
2402
2403
2404
2405
2406
2407
2408
2409
2410
2411
2412
2413
2414
2415
2416
2417
2418
2419
2420
2421
2422
2423
2424
2425
2426
2427
2428
2429
2430
2431
|
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<article id="IPIP">
<!--$Id$-->
<articleinfo>
<title>Shorewall Setup Guide</title>
<authorgroup>
<author>
<firstname>Tom</firstname>
<surname>Eastep</surname>
</author>
</authorgroup>
<pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
<copyright>
<year>2001-2005</year>
<holder>Thomas M. Eastep</holder>
</copyright>
<legalnotice>
<para>Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
License</ulink></quote>.</para>
</legalnotice>
</articleinfo>
<caution>
<para><emphasis role="bold">This article applies to Shorewall 3.0 and
later. If you are running a version of Shorewall earlier than Shorewall
3.0.0 then please see the documentation for that
release.</emphasis></para>
</caution>
<section id="Introduction">
<title>Introduction</title>
<para>This guide is intended for users who are setting up Shorewall in an
environment where a set of public IP addresses must be managed or who want
to know more about Shorewall than is contained in the <ulink
url="shorewall_quickstart_guide.htm">single-address guides</ulink>.
Because the range of possible applications is so broad, the Guide will
give you general guidelines and will point you to other resources as
necessary.</para>
<caution>
<para>Shorewall requires that the iproute/iproute2 package be installed
(on RedHat, the package is called iproute). You can tell if this package
is installed by the presence of an <emphasis role="bold">ip</emphasis>
program on your firewall system. As root, you can use the
<quote>which</quote> command to check for this program:</para>
<programlisting>[root@gateway root]# <command>which ip</command>
/sbin/ip
[root@gateway root]#</programlisting>
<para>I recommend that you first read through the guide to familiarize
yourself with what's involved then go back through it again making your
configuration changes. Points at which configuration changes are
recommended are flagged with <inlinegraphic
fileref="images/BD21298_.gif" />.</para>
</caution>
<caution>
<para>If you edit your configuration files on a Windows system, you must
save them as Unix files if your editor supports that option or you must
run them through dos2unix before trying to use them with Shorewall.
Similarly, if you copy a configuration file from your Windows hard drive
to a floppy disk, you must run dos2unix against the copy before using it
with Shorewall.</para>
<itemizedlist>
<listitem>
<para><ulink url="http://www.simtel.net/pub/pd/51438.html">Windows
Version of dos2unix</ulink></para>
</listitem>
<listitem>
<para><ulink
url="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux Version
of dos2unix</ulink></para>
</listitem>
</itemizedlist>
</caution>
</section>
<section id="Concepts">
<title>Shorewall Concepts</title>
<para><inlinegraphic fileref="images/BD21298_.gif" /></para>
<para>The configuration files for Shorewall are contained in the directory
<filename class="directory">/etc/shorewall</filename> -- for most setups,
you will only need to deal with a few of these as described in this guide.
Skeleton files are created during the Shorewall <ulink
url="Install.htm">Installation Process</ulink>.<warning>
<para><emphasis role="bold">Note to Debian Users</emphasis></para>
<para>If you install using the .deb, you will find that your <filename
class="directory">/etc/shorewall</filename> directory is empty. This
is intentional. The released configuration file skeletons may be found
on your system in the directory <filename
class="directory">/usr/share/doc/shorewall-common/default-config</filename>.
Simply copy the files you need from that directory to <filename
class="directory">/etc/shorewall</filename> and modify the
copies.</para>
<para>Note that you must copy <filename
class="directory">/usr/share/doc/shorewall-common/default-config/shorewall.conf</filename>
and /usr/share/doc/shorewall-common/default-config/modules to
<filename class="directory">/etc/shorewall</filename> even if you do
not modify those files.</para>
</warning></para>
<para>As each file is introduced, I suggest that you look through the
actual file on your system -- each file contains detailed configuration
instructions.</para>
<para>Shorewall views the network where it is running as being composed of
a set of zones. A zone is one or more hosts, which can be defined as
individual hosts or networks in <filename
class="directory">/etc/shorewall/hosts</filename>, or as an entire
interface in <filename
class="directory">/etc/shorewall/interfaces</filename>. In this guide, we
will use the following zones:</para>
<variablelist>
<varlistentry>
<term>fw</term>
<listitem>
<para>The firewall system itself.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>net</term>
<listitem>
<para>The public Internet.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>loc</term>
<listitem>
<para>A private local network using private IP addresses.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>dmz</term>
<listitem>
<para>A Demilitarized Zone holding publicly-accessible
servers.</para>
</listitem>
</varlistentry>
</variablelist>
<para>Zones are defined in the file <filename><ulink
url="manpages/shorewall-zones.html"><filename>/etc/shorewall/zones</filename></ulink></filename>.</para>
<important>
<para>The <filename>/etc/shorewall/zones</filename> file included in the
release is empty. You can create the standard set of zones described
above by copying and pasting the following into the file:</para>
<programlisting>#ZONE TYPE OPTIONS
fw firewall
net ipv4
loc ipv4
dmz ipv4</programlisting>
</important>
<para>Note that Shorewall recognizes the firewall system as its own zone -
The above example follows the usual convention of naming the Firewall zone
<emphasis role="bold">fw</emphasis>. The name specified for the firewall
zone (<emphasis role="bold">fw</emphasis> in the above example) is stored
in the shell variable <firstterm>$FW</firstterm> when the
/etc/shorewall/zones file is processed. With the exception of the name
assigned to the firewall zone, Shorewall attaches absolutely no meaning to
zone names. Zones are entirely what YOU make of them. That means that you
should not expect Shorewall to do something special <quote>because this is
the Internet zone</quote> or <quote>because that is the
DMZ</quote>.</para>
<para><inlinegraphic fileref="images/BD21298_.gif" /></para>
<para>Edit the /etc/shorewall/zones file and make any changes
necessary.</para>
<para>Rules about what traffic to allow and what traffic to deny are
expressed in terms of zones.</para>
<itemizedlist>
<listitem>
<para>You express your default policy for connections from one zone to
another zone in the <filename><ulink
url="manpages/shorewall-policy.html">/etc/shorewall/policy</ulink></filename>
file.</para>
</listitem>
<listitem>
<para>You define exceptions to those default policies in the
<filename><ulink
url="manpages/shorewall-rules.html">/etc/shorewall/rules</ulink></filename>.</para>
</listitem>
</itemizedlist>
<para>Shorewall is built on top of the <ulink
url="http://www.netfilter.org">Netfilter</ulink> kernel facility.
Netfilter implements a <ulink
url="http://www.cs.princeton.edu/~jns/security/iptables/iptables_conntrack.html">connection
tracking function</ulink> that allows what is often referred to as
stateful inspection of packets. This stateful property allows firewall
rules to be defined in terms of connections rather than in terms of
packets. With Shorewall, you:</para>
<orderedlist>
<listitem>
<para>Identify the source (client) zone.</para>
</listitem>
<listitem>
<para>Identify destination (server) zone.</para>
</listitem>
<listitem>
<para>If the POLICY from the client's zone to the server's zone is
what you want for this client/server pair, you need do nothing
further.</para>
</listitem>
<listitem>
<para>If the POLICY is not what you want, then you must add a rule.
That rule is expressed in terms of the client's zone and the server's
zone.</para>
</listitem>
</orderedlist>
<para>Just because connections of a particular type are allowed from zone
A to the firewall and are also allowed from the firewall to zone B
<emphasis role="bold">DOES NOT mean that these connections are allowed
from zone A to zone B</emphasis> (in other words, policies and rules
involving the firewall zone are not transitive). It rather means that you
can have a proxy running on the firewall that accepts a connection from
zone A and then establishes its own separate connection from the firewall
to zone B.</para>
<para>For each connection request entering the firewall, the request is
first checked against the <filename>/etc/shorewall/rules</filename> file.
If no rule in that file matches the connection request then the first
policy in <filename>/etc/shorewall/policy</filename> that matches the
request is applied after the request is passed to the appropriate <ulink
url="Actions.html">default action</ulink> (if any).</para>
<para>Prior to Shorewall 2.2.0, the default
<filename>/etc/shorewall/policy</filename> file had the following
policies:</para>
<programlisting>#SOURCE ZONE DESTINATION ZONE POLICY LOG LIMIT:BURST
# LEVEL
loc net ACCEPT
net all DROP info
all all REJECT info</programlisting>
<important>
<para>The currently released policy file is empty. You can copy and
paste the above entries to create a starting point from which to
customize your policies.</para>
</important>
<para>The above policies will:</para>
<orderedlist>
<listitem>
<para>allow all connection requests from your local network to the
Internet</para>
</listitem>
<listitem>
<para>drop (ignore) all connection requests from the Internet to your
firewall or local network and log a message at the info level (<ulink
url="shorewall_logging.html">here is a description of log
levels</ulink>).</para>
</listitem>
<listitem>
<para>reject all other connection requests and log a message at the
info level. When a request is rejected, the firewall will return an
RST (if the protocol is TCP) or an ICMP port-unreachable packet for
other protocols.</para>
</listitem>
</orderedlist>
<para><inlinegraphic fileref="images/BD21298_.gif" /></para>
<para>At this point, edit your <filename>/etc/shorewall/policy
</filename>and make any changes that you wish.</para>
</section>
<section id="Interfaces">
<title>Network Interfaces</title>
<para>For the remainder of this guide, we'll refer to the following
diagram. While it may not look like your own network, it can be used to
illustrate the important aspects of Shorewall configuration.</para>
<para>In this diagram:</para>
<itemizedlist>
<listitem>
<para>The DMZ Zone consists of systems DMZ 1 and DMZ 2. A DMZ is used
to isolate your Internet-accessible servers from your local systems so
that if one of those servers is compromised, you still have the
firewall between the compromised system and your local systems.</para>
</listitem>
<listitem>
<para>The Local Zone consists of systems Local 1, Local 2 and Local
3.</para>
</listitem>
<listitem>
<para>All systems from the ISP outward comprise the Internet
Zone.</para>
</listitem>
</itemizedlist>
<graphic align="center" fileref="images/dmz3.png" />
<para>The simplest way to define zones is to associate the zone name
(previously defined in /etc/shorewall/zones) with a network interface.
This is done in the <ulink
url="manpages/shorewall-interfaces.html">/etc/shorewall/interfaces</ulink>
file. The firewall illustrated above has three network interfaces. Where
Internet connectivity is through a cable or DSL <quote>Modem</quote>, the
<emphasis>External Interface</emphasis> will be the Ethernet adapter that
is connected to that <quote>Modem</quote> (e.g., <filename
class="devicefile">eth0</filename>) unless you connect via Point-to-Point
Protocol over Ethernet (PPPoE) or Point-to-Point Tunneling Protocol (PPTP)
in which case the External Interface will be a ppp interface (e.g.,
<filename class="devicefile">ppp0</filename>). If you connect via a
regular modem, your External Interface will also be <filename
class="devicefile">ppp0</filename>. If you connect using ISDN, you
external interface will be <filename
class="devicefile">ippp0</filename>.</para>
<para><inlinegraphic fileref="images/BD21298_.gif" /></para>
<para>If your external interface is <filename
class="devicefile">ppp0</filename> or <filename
class="devicefile">ippp0</filename> then you will want to set CLAMPMSS=yes
in <filename><ulink
url="manpages/shorewall.conf.html">/etc/shorewall/shorewall.conf</ulink></filename>.</para>
<para>Your <emphasis>Local Interface</emphasis> will be an Ethernet
adapter (<filename class="devicefile">eth0</filename>,
<filename>eth1</filename> or <filename class="devicefile">eth2</filename>)
and will be connected to a hub or switch. Your local computers will be
connected to the same switch (note: If you have only a single local
system, you can connect the firewall directly to the computer using a
cross-over cable).</para>
<para>Your <emphasis>DMZ Interface</emphasis> will also be an Ethernet
adapter (<filename class="devicefile">eth0</filename>, <filename
class="devicefile">eth1</filename> or <filename
class="devicefile">eth2</filename>) and will be connected to a hub or
switch. Your DMZ computers will be connected to the same switch (note: If
you have only a single DMZ system, you can connect the firewall directly
to the computer using a cross-over cable).</para>
<caution>
<para>Do not connect the internal and external interface to the same hub
or switch except for testing. You can test using this kind of
configuration if you specify the <emphasis
role="bold">arp_filter</emphasis> option or the <emphasis
role="bold">arp_ignore</emphasis> option in
<filename>/etc/shorewall/interfaces</filename> for all interfaces
connected to the common hub/switch. Using such a setup with a production
firewall is strongly recommended against.</para>
</caution>
<para>For the remainder of this Guide, we will assume that:</para>
<itemizedlist>
<listitem>
<para>The External Interface is <filename
class="devicefile">eth0</filename>.</para>
</listitem>
<listitem>
<para>The Local Interface <filename
class="devicefile">eth1</filename>.</para>
</listitem>
<listitem>
<para>The DMZ Interface <filename
class="devicefile">eth2</filename>.</para>
</listitem>
</itemizedlist>
<para>The Shorewall default configuration does not define the contents of
any zone. To define the above configuration using the <ulink
url="manpages/shorewall-interfaces.html">/etc/shorewall/interfaces
</ulink>file, that file would might contain:</para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect
loc eth1 detect
dmz eth2 detect</programlisting>
<para>Note that the <emphasis role="bold">$FW</emphasis> zone has no entry
in the /etc/shorewall/interfaces file.</para>
<para><inlinegraphic fileref="images/BD21298_.gif" /></para>
<para>Edit the <filename>/etc/shorewall/interfaces</filename> file and
define the network interfaces on your firewall and associate each
interface with a zone. If you have a zone that is interfaced through more
than one interface, simply include one entry for each interface and repeat
the zone name as many times as necessary.</para>
<example id="multi">
<title>Multiple Interfaces to a Zone</title>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect
loc eth1 detect
loc eth2 detect</programlisting>
</example>
<para><inlinegraphic fileref="images/BD21298_.gif" /></para>
<para>You may define more complicated zones using the<filename> <ulink
url="manpages/shorewall-hosts.html">/etc/shorewall/hosts</ulink></filename>
file but in most cases, that isn't necessary. See <ulink
url="Shorewall_and_Aliased_Interfaces.html">Shorewall_and_Aliased_Interfaces.html</ulink>
and <ulink url="Multiple_Zones.html">Multiple_Zones.html</ulink> for
examples.</para>
</section>
<section id="Addressing">
<title>Addressing, Subnets and Routing</title>
<para>Normally, your ISP will assign you a set of Public IP addresses. You
will configure your firewall's external interface to use one of those
addresses permanently and you will then have to decide how you are going
to use the rest of your addresses. Before we tackle that question though,
some background is in order.</para>
<para>If you are thoroughly familiar with IP addressing and routing, you
may go to the next section.</para>
<para>The following discussion barely scratches the surface of addressing
and routing. If you are interested in learning more about this subject, I
highly recommend <quote><emphasis>IP Fundamentals: What Everyone Needs to
Know about Addressing & Routing</emphasis></quote>, Thomas A. Maufer,
Prentice-Hall, 1999, ISBN 0-13-975483-0.</para>
<section id="Addresses">
<title>IP Addresses</title>
<para>IP version 4 (IPv4) addresses are 32-bit numbers. The notation
w.x.y.z refers to an address where the high-order byte has value
<quote>w</quote>, the next byte has value <quote>x</quote>, etc. If we
take the address 192.0.2.14 and express it in hexadecimal, we
get:</para>
<para><programlisting>C0.00.02.0E</programlisting>or looking at it as a
32-bit integer</para>
<para><programlisting>C000020E</programlisting></para>
</section>
<section id="Subnets">
<title>Subnets</title>
<para>You will still hear the terms <quote>Class A network</quote>,
<quote>Class B network</quote> and <quote>Class C network</quote>. In
the early days of IP, networks only came in three sizes (there were also
Class D networks but they were used differently):</para>
<simplelist>
<member>Class A - netmask 255.0.0.0, size = 2 ** 24</member>
<member>Class B - netmask 255.255.0.0, size = 2 ** 16</member>
<member>Class C - netmask 255.255.255.0, size = 256</member>
</simplelist>
<para>The class of a network was uniquely determined by the value of the
high order byte of its address so you could look at an IP address and
immediately determine the associated netmask. The netmask is a number
that when logically ANDed with an address isolates the network number;
the remainder of the address is the host number. For example, in the
Class C address 192.0.2.14, the network number is hex C00002 and the
host number is hex 0E.</para>
<para>As the Internet grew, it became clear that such a gross
partitioning of the 32-bit address space was going to be very limiting
(early on, large corporations and universities were assigned their own
class A network!). After some false starts, the current technique of
subnetting these networks into smaller subnetworks evolved; that
technique is referred to as <emphasis>Classless InterDomain
Routing</emphasis> (CIDR). Today, any system that you are likely to work
with will understand CIDR and Class-based networking is largely a thing
of the past.</para>
<para>A <emphasis>subnetwork</emphasis> (often referred to as a
<emphasis>subnet</emphasis>) is a contiguous set of IP addresses such
that:</para>
<orderedlist>
<listitem>
<para>The number of addresses in the set is a power of 2; and</para>
</listitem>
<listitem>
<para>The first address in the set is a multiple of the set
size.</para>
</listitem>
<listitem>
<para>The first address in the subnet is reserved and is referred to
as the <emphasis>subnet address</emphasis>.</para>
</listitem>
<listitem>
<para>The last address in the subnet is reserved as the subnet's
<emphasis>broadcast address</emphasis>.</para>
</listitem>
</orderedlist>
<para>As you can see by this definition, in each subnet of size n there
are (n - 2) usable addresses (addresses that can be assigned to hosts).
The first and last address in the subnet are used for the subnet address
and subnet broadcast address respectively. Consequently, small
subnetworks are more wasteful of IP addresses than are large
ones.</para>
<para>Since n is a power of two, we can easily calculate the
<emphasis>Base-2 Logarithm</emphasis> (log2) of n. For the more common
subnet sizes, the size and its base-2 logarithm are given in the
following table:</para>
<table id="Logs">
<title>Base-2 Logarithms</title>
<tgroup cols="3">
<tbody>
<row>
<entry><emphasis role="bold">n</emphasis></entry>
<entry><emphasis role="bold">log2 n</emphasis></entry>
<entry><emphasis role="bold">(32 - log2 n)</emphasis></entry>
</row>
<row>
<entry>8</entry>
<entry>3</entry>
<entry>29</entry>
</row>
<row>
<entry>16</entry>
<entry>4</entry>
<entry>28</entry>
</row>
<row>
<entry>32</entry>
<entry>5</entry>
<entry>27</entry>
</row>
<row>
<entry>64</entry>
<entry>6</entry>
<entry>26</entry>
</row>
<row>
<entry>128</entry>
<entry>7</entry>
<entry>25</entry>
</row>
<row>
<entry>256</entry>
<entry>8</entry>
<entry>24</entry>
</row>
<row>
<entry>512</entry>
<entry>9</entry>
<entry>23</entry>
</row>
<row>
<entry>1024</entry>
<entry>10</entry>
<entry>22</entry>
</row>
<row>
<entry>2048</entry>
<entry>11</entry>
<entry>21</entry>
</row>
<row>
<entry>4096</entry>
<entry>12</entry>
<entry>20</entry>
</row>
<row>
<entry>8192</entry>
<entry>13</entry>
<entry>19</entry>
</row>
<row>
<entry>16384</entry>
<entry>14</entry>
<entry>18</entry>
</row>
<row>
<entry>32768</entry>
<entry>15</entry>
<entry>17</entry>
</row>
<row>
<entry>65536</entry>
<entry>16</entry>
<entry>16</entry>
</row>
</tbody>
</tgroup>
</table>
<para>You will notice that the above table also contains a column for
(32 - log2 <emphasis role="bold">n)</emphasis>. That number is the
<emphasis>Variable Length Subnet Mask</emphasis> (VLSM) for a network of
size n. From the above table, we can derive the following one which is a
little easier to use.</para>
<table id="vlsm">
<title>VLSM</title>
<tgroup cols="3">
<tbody>
<row>
<entry><emphasis role="bold">Subnet Size</emphasis></entry>
<entry><emphasis role="bold">VLSM</emphasis></entry>
<entry><emphasis role="bold">Subnet Mask</emphasis></entry>
</row>
<row>
<entry>8</entry>
<entry>/29</entry>
<entry>255.255.255.248</entry>
</row>
<row>
<entry>16</entry>
<entry>/28</entry>
<entry>255.255.255.240</entry>
</row>
<row>
<entry>32</entry>
<entry>/27</entry>
<entry>255.255.255.224</entry>
</row>
<row>
<entry>64</entry>
<entry>/26</entry>
<entry>255.255.255.192</entry>
</row>
<row>
<entry>128</entry>
<entry>/25</entry>
<entry>255.255.255.128</entry>
</row>
<row>
<entry>256</entry>
<entry>/24</entry>
<entry>255.255.255.0</entry>
</row>
<row>
<entry>512</entry>
<entry>/23</entry>
<entry>255.255.254.0</entry>
</row>
<row>
<entry>1024</entry>
<entry>/22</entry>
<entry>255.255.252.0</entry>
</row>
<row>
<entry>2048</entry>
<entry>/21</entry>
<entry>255.255.248.0</entry>
</row>
<row>
<entry>4096</entry>
<entry>/20</entry>
<entry>255.255.240.0</entry>
</row>
<row>
<entry>8192</entry>
<entry>/19</entry>
<entry>255.255.224.0</entry>
</row>
<row>
<entry>16384</entry>
<entry>/18</entry>
<entry>255.255.192.0</entry>
</row>
<row>
<entry>32768</entry>
<entry>/17</entry>
<entry>255.255.128.0</entry>
</row>
<row>
<entry>65536</entry>
<entry>/16</entry>
<entry>255.255.0.0</entry>
</row>
<row>
<entry>2 ** 24</entry>
<entry>/8</entry>
<entry>255.0.0.0</entry>
</row>
</tbody>
</tgroup>
</table>
<para>Notice that the VLSM is written with a slash (<quote>/</quote>) --
you will often hear a subnet of size 64 referred to as a <quote>slash
26</quote> subnet and one of size 8 referred to as a <quote>slash
29</quote>.</para>
<para>The subnet's mask (also referred to as its
<emphasis>netmask</emphasis>) is simply a 32-bit number with the first
<quote>VLSM</quote> bits set to one and the remaining bits set to zero.
For example, for a subnet of size 64, the subnet mask has 26 leading one
bits:</para>
<para><programlisting>11111111111111111111111111000000 = FFFFFFC0 = FF.FF.FF.C0 = 255.255.255.192</programlisting>The
subnet mask has the property that if you logically AND the subnet mask
with an address in the subnet, the result is the subnet address. Just as
important, if you logically AND the subnet mask with an address outside
the subnet, the result is NOT the subnet address. As we will see below,
this property of subnet masks is very useful in routing.</para>
<para>For a subnetwork whose address is <emphasis
role="bold">a.b.c.d</emphasis> and whose Variable Length Subnet Mask is
<emphasis role="bold">/v</emphasis>, we denote the subnetwork as
<quote><emphasis role="bold">a.b.c.d/v</emphasis></quote> using
<emphasis>CIDR Notation</emphasis>. Example:</para>
<table id="Subnet">
<title>Subnet</title>
<tgroup cols="2">
<tbody>
<row>
<entry><emphasis role="bold">Subnet:</emphasis></entry>
<entry>10.10.10.0 - 10.10.10.127</entry>
</row>
<row>
<entry><emphasis role="bold">Subnet Size:</emphasis></entry>
<entry>128</entry>
</row>
<row>
<entry><emphasis role="bold">Subnet Address:</emphasis></entry>
<entry>10.10.10.0</entry>
</row>
<row>
<entry><emphasis role="bold">Broadcast
Address:</emphasis></entry>
<entry>10.10.10.127</entry>
</row>
<row>
<entry><emphasis role="bold">CIDR Notation:</emphasis></entry>
<entry>10.10.10.0/25</entry>
</row>
</tbody>
</tgroup>
</table>
<para>There are two degenerate subnets that need mentioning; namely, the
subnet with one member and the subnet with 2 ** 32 members.</para>
<table id="degenerate">
<title>/32 and /0</title>
<tgroup cols="4">
<tbody>
<row>
<entry><emphasis role="bold">Subnet Size</emphasis></entry>
<entry><emphasis role="bold">VLSM Length</emphasis></entry>
<entry><emphasis role="bold">Subnet Mask</emphasis></entry>
<entry><emphasis role="bold">CIDR Notation</emphasis></entry>
</row>
<row>
<entry>1</entry>
<entry>32</entry>
<entry>255.255.255.255</entry>
<entry>a.b.c.d/32</entry>
</row>
<row>
<entry>32</entry>
<entry>0</entry>
<entry>0.0.0.0</entry>
<entry>0.0.0.0/0</entry>
</row>
</tbody>
</tgroup>
</table>
<para>So any address <emphasis role="bold">a.b.c.d</emphasis> may also
be written <emphasis role="bold">a.b.c.d/32</emphasis> and the set of
all possible IP addresses is written <emphasis
role="bold">0.0.0.0/0</emphasis>.</para>
<para role="bold">A Shorewall user has contributed a <ulink
url="http://shorewall.net/pub/shorewall/contrib/IPSubNetMask.html">useful
graphical summary</ulink> of the above information.</para>
<para>Later in this guide, you will see the notation <emphasis
role="bold">a.b.c.d/v</emphasis> used to describe the ip configuration
of a network interface (the <quote>ip</quote> utility also uses this
syntax). This simply means that the interface is configured with ip
address <emphasis role="bold">a.b.c.d</emphasis> and with the netmask
that corresponds to VLSM /<emphasis role="bold">v</emphasis>.</para>
<example id="Example0">
<title>192.0.2.65/29</title>
<para>The interface is configured with IP address 192.0.2.65 and
netmask 255.255.255.248.</para>
</example>
<para>/sbin/shorewall supports an ipcalc command that automatically
calculates information about a [sub]network.</para>
<example id="Example1">
<title>Using the <command>ipcalc </command>command</title>
<programlisting>shorewall ipcalc 10.10.10.0/25
CIDR=10.10.10.0/25
NETMASK=255.255.255.128
NETWORK=10.10.10.0
BROADCAST=10.10.10.127
</programlisting>
</example>
<example id="Example2">
<title>Using the <command>ipcalc</command> command</title>
<programlisting>shorewall ipcalc 10.10.10.0 255.255.255.128
CIDR=10.10.10.0/25
NETMASK=255.255.255.128
NETWORK=10.10.10.0
BROADCAST=10.10.10.127</programlisting>
</example>
</section>
<section id="Routing">
<title>Routing</title>
<para>One of the purposes of subnetting is that it forms the basis for
routing. Here's the routing table on my firewall (compressed for
PDF):</para>
<programlisting>[root@gateway root]# netstat -nr
Kernel IP routing table
Destination Gateway Genmask Flgs MSS Win irtt Iface
192.168.9.1 0.0.0.0 255.255.255.255 UH 40 0 0 texas
206.124.146.177 0.0.0.0 255.255.255.255 UH 40 0 0 eth1
206.124.146.180 0.0.0.0 255.255.255.255 UH 40 0 0 eth3
192.168.3.0 0.0.0.0 255.255.255.0 U 40 0 0 eth3
192.168.2.0 0.0.0.0 255.255.255.0 U 40 0 0 eth1
192.168.1.0 0.0.0.0 255.255.255.0 U 40 0 0 eth2
206.124.146.0 0.0.0.0 255.255.255.0 U 40 0 0 eth0
192.168.9.0 192.0.2.223 255.255.255.0 UG 40 0 0 texas
127.0.0.0 0.0.0.0 255.0.0.0 U 40 0 0 lo
0.0.0.0 206.124.146.254 0.0.0.0 UG 40 0 0 eth0
[root@gateway root]#</programlisting>
<para>The device <emphasis>texas</emphasis> is a GRE tunnel to a peer
site in the Dallas, Texas area.</para>
<para>The first three routes are <emphasis>host routes</emphasis> since
they indicate how to get to a single host. In the <quote>netstat</quote>
output this can be seen by the <quote>Genmask</quote> (Subnet Mask) of
255.255.255.255 and the <quote>H</quote> in the Flags column. The
remainder are <emphasis><quote>net</quote> routes</emphasis> since they
tell the kernel how to route packets to a subnetwork. The last route is
the <emphasis>default route </emphasis>and the gateway mentioned in that
route is called the <emphasis>default gateway</emphasis>.</para>
<para>When the kernel is trying to send a packet to IP address <emphasis
role="bold">A</emphasis>, it starts at the top of the routing table
and:</para>
<itemizedlist>
<listitem>
<para><emphasis role="bold">A</emphasis> is logically ANDed with the
<quote>Genmask</quote> value in the table entry.</para>
</listitem>
<listitem>
<para>The result is compared with the <quote>Destination</quote>
value in the table entry.</para>
</listitem>
<listitem>
<para>If the result and the <quote>Destination</quote> value are the
same, then:</para>
<itemizedlist>
<listitem>
<para>If the <quote>Gateway</quote> column is non-zero, the
packet is sent to the gateway over the interface named in the
<quote>Iface</quote> column.</para>
</listitem>
<listitem>
<para>Otherwise, the packet is sent directly to <emphasis
role="bold">A</emphasis> over the interface named in the
<quote>iface</quote> column.</para>
</listitem>
</itemizedlist>
</listitem>
<listitem>
<para>Otherwise, the above steps are repeated on the next entry in
the table.</para>
</listitem>
</itemizedlist>
<para>Since the default route matches any IP address (<emphasis
role="bold">A </emphasis>LAND 0.0.0.0 = 0.0.0.0), packets that don't
match any of the other routing table entries are sent to the default
gateway which is usually a router at your ISP. Lets take an example.
Suppose that we want to route a packet to 192.168.1.5. That address
clearly doesn't match any of the host routes in the table but if we
logically and that address with 255.255.255.0, the result is 192.168.1.0
which matches this routing table entry:</para>
<para><programlisting>192.168.1.0 0.0.0.0 255.255.255.0 U 40 0 0 eth2</programlisting></para>
<para>So to route a packet to 192.168.1.5, the packet is sent directly
over eth2.</para>
<para>One more thing needs to be emphasized -- all outgoing packet are
sent using the routing table and reply packets are not a special case.
There seems to be a common misconception whereby people think that
request packets are like salmon and contain a genetic code that is
magically transferred to reply packets so that the replies follow the
reverse route taken by the request. That isn't the case; the replies may
take a totally different route back to the client than was taken by the
requests -- they are totally independent.</para>
</section>
<section id="ARP">
<title>Address Resolution Protocol (ARP)</title>
<para>When sending packets over Ethernet, IP addresses aren't used.
Rather Ethernet addressing is based on <emphasis>Media Access
Control</emphasis> (MAC) addresses. Each Ethernet device has its own
unique MAC address which is burned into a PROM on the device during
manufacture. You can obtain the MAC of an Ethernet device using the
<quote>ip</quote> utility:</para>
<programlisting>[root@gateway root]# <command>ip addr show eth0</command>
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc htb qlen 100
link/ether 02:00:08:e3:fa:55 brd ff:ff:ff:ff:ff:ff
inet 206.124.146.176/24 brd 206.124.146.255 scope global eth0
inet 206.124.146.178/24 brd 206.124.146.255 scope global secondary eth0
inet 206.124.146.179/24 brd 206.124.146.255 scope global secondary eth0
[root@gateway root]#
</programlisting>
<para>As you can see from the above output, the MAC is 6 bytes (48 bits)
wide. A card's MAC is usually also printed on a label attached to the
card itself. Because IP uses IP addresses and Ethernet uses MAC
addresses, a mechanism is required to translate an IP address into a MAC
address; that is the purpose of the <emphasis>Address Resolution
Protocol </emphasis>(ARP). Here is ARP in action:</para>
<programlisting>[root@gateway root]# <command>tcpdump -nei eth2 arp</command>
tcpdump: listening on eth2
09:56:49.766757 2:0:8:e3:4c:48 0:6:25:aa:8a:f0 arp 42:
arp who-has 192.168.1.19 tell 192.168.1.254
09:56:49.769372 0:6:25:aa:8a:f0 2:0:8:e3:4c:48 arp 60:
arp reply 192.168.1.19 is-at 0:6:25:aa:8a:f0
2 packets received by filter
0 packets dropped by kernel
[root@gateway root]#</programlisting>
<para>In this exchange, 192.168.1.254 (MAC 2:0:8:e3:4c:48) wants to know
the MAC of the device with IP address 192.168.1.19. The system having
that IP address is responding that the MAC address of the device with IP
address 192.168.1.19 is 0:6:25:aa:8a:f0.</para>
<para>In order to avoid having to exchange ARP information each time
that an IP packet is to be sent, systems maintain an <emphasis>ARP
cache</emphasis> of IP<->MAC correspondences. You can see the ARP
cache on your system (including your Windows system) using the
<quote>arp</quote> command:</para>
<programlisting>[root@gateway root]# <command>arp -na</command>
? (206.124.146.177) at 00:A0:C9:15:39:78 [ether] on eth1
? (192.168.1.3) at 00:A0:CC:63:66:89 [ether] on eth2
? (192.168.1.5) at 00:A0:CC:DB:31:C4 [ether] on eth2
? (206.124.146.254) at 00:03:6C:8A:18:38 [ether] on eth0
? (192.168.1.19) at 00:06:25:AA:8A:F0 [ether] on eth2</programlisting>
<para>The leading question marks are a result of my having specified the
<quote>n</quote> option (Windows <quote>arp</quote> doesn't allow that
option) which causes the <quote>arp</quote> program to forgo IP->DNS
name translation. Had I not given that option, the question marks would
have been replaced with the FQDN corresponding to each IP address.
Notice that the last entry in the table records the information we saw
using tcpdump above.</para>
</section>
<section id="RFC1918">
<title>RFC 1918</title>
<para>IP addresses are allocated by the <ulink
url="http://www.iana.org/">Internet Assigned Number Authority</ulink>
(IANA) who delegates allocations on a geographic basis to Regional
Internet Registries (RIRs). For example, allocation for the Americas and
for sub-Sahara Africa is delegated to the <ulink
url="http://www.arin.net/">American Registry for Internet
Numbers</ulink> (ARIN). These RIRs may in turn delegate to national
registries. Most of us don't deal with these registrars but rather get
our IP addresses from our ISP. It's a fact of life that most of us can't
afford as many Public IP addresses as we have devices to assign them to
so we end up making use of Private IP addresses. RFC 1918 reserves
several IP address ranges for this purpose:</para>
<programlisting>10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255</programlisting>
<para>The addresses reserved by RFC 1918 are sometimes referred to as
<firstterm>non-routable</firstterm> because the Internet backbone
routers don't forward packets which have an RFC-1918 destination
address. This is understandable given that anyone can select any of
these addresses for their private use but the term non-routable is
somewhat unfortunate because it leads people to the erroneous conclusion
that traffic destined for one of these addresses can't be sent through a
router. This is definitely not true; private routers (including your
Shorewall-based firewall) can forward RFC 1918 addressed traffic just
fine.</para>
<para>When selecting addresses from these ranges, there's a couple of
things to keep in mind:</para>
<itemizedlist>
<listitem>
<para>As the IPv4 address space becomes depleted, more and more
organizations (including ISPs) are beginning to use RFC 1918
addresses in their infrastructure.</para>
</listitem>
<listitem>
<para>You don't want to use addresses that are being used by your
ISP or by another organization with whom you want to establish a VPN
relationship.</para>
</listitem>
</itemizedlist>
<para>So it's a good idea to check with your ISP to see if they are
using (or are planning to use) private addresses before you decide the
addresses that you are going to use.</para>
<warning>
<para><emphasis role="bold">In this document, external
<quote>real</quote> IP addresses are of the form 192.0.2.x.
192.0.2.0/24 is reserved by RFC 3330 for use as public IP addresses in
printed examples and test networks. These "real" addresses are not to
be confused with addresses in 192.168.0.0/16; as described above,
those addresses are reserved by RFC 1918 for private
use.</emphasis></para>
</warning>
</section>
</section>
<section id="Options">
<title>Setting Up Your Network</title>
<para>The choice of how to set up your network depends primarily on how
many Public IP addresses you have vs. how many addressable entities you
have in your network. Regardless of how many addresses you have, your ISP
will handle that set of addresses in one of two ways:</para>
<itemizedlist>
<listitem>
<para><emphasis role="bold">Routed</emphasis> - Traffic to any of your
addresses will be routed through a single gateway address. This will
generally only be done if your ISP has assigned you a complete subnet
(/29 or larger). In this case, you will assign the gateway address as
the IP address of your firewall/router's external interface.</para>
</listitem>
<listitem>
<para><emphasis role="bold">Non-routed</emphasis> - Your ISP will send
traffic to each of your addresses directly.</para>
</listitem>
</itemizedlist>
<para>In the subsections that follow, we'll look at each of these
separately.</para>
<para>Before we begin, there is one thing for you to check:</para>
<para><inlinegraphic fileref="images/BD21298_.gif" /></para>
<para>If you are using the Debian package, please check your
shorewall.conf file to ensure that the following are set correctly; if
they are not, change them appropriately:</para>
<itemizedlist>
<listitem>
<para>IP_FORWARDING=On</para>
</listitem>
</itemizedlist>
<section id="Routed">
<title>Routed</title>
<para>Let's assume that your ISP has assigned you the subnet
192.0.2.64/28 routed through 192.0.2.65. That means that you have IP
addresses 192.0.2.64 - 192.0.2.79 and that your firewall's external IP
address is 192.0.2.65. Your ISP has also told you that you should use a
netmask of 255.255.255.0 (so your /28 is part of a larger /24). With
this many IP addresses, you are able to subnet your /28 into two /29's
and set up your network as shown in the following diagram.</para>
<graphic align="center" fileref="images/dmz4.png" />
<para>Here, the DMZ comprises the subnet 192.0.2.64/29 and the Local
network is 192.0.2.72/29. The default gateway for hosts in the DMZ would
be configured to 192.0.2.66 and the default gateway for hosts in the
local network would be 192.0.2.73.</para>
<para>Notice that this arrangement is rather wasteful of public IP
addresses since it is using 192.0.2.64 and 192.0.2.72 for subnet
addresses, 192.0.2.71 and 192.0.2.79 for subnet broadcast addresses and
192.0.2.66 and 168.0.2.73 for internal addresses on the firewall/router.
Nevertheless, it shows how subnetting can work and if we were dealing
with a /24 rather than a /28 network, the use of 6 IP addresses out of
256 would be justified because of the simplicity of the setup.</para>
<para>The astute reader may have noticed that the Firewall/Router's
external interface is actually part of the DMZ subnet (192.0.2.64/29).
What if DMZ 1 (192.0.2.67) tries to communicate with 192.0.2.65? The
routing table on DMZ 1 will look like this:</para>
<programlisting format="linespecific">Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
192.0.2.64 0.0.0.0 255.255.255.248 U 40 0 0 eth0
0.0.0.0 192.0.2.66 0.0.0.0 UG 40 0 0 eth0</programlisting>
<para>This means that DMZ 1 will send an ARP <quote>who-has
192.0.2.65</quote> request and no device on the DMZ Ethernet segment has
that IP address. Oddly enough, the firewall will respond to the request
with the MAC address of its <emphasis role="underline">DMZ
Interface</emphasis>!! DMZ 1 can then send Ethernet frames addressed to
that MAC address and the frames will be received (correctly) by the
firewall/router.</para>
<para>It is this rather unexpected ARP behavior on the part of the Linux
Kernel that prompts the warning earlier in this guide regarding the
connecting of multiple firewall/router interfaces to the same hub or
switch. When an ARP request for one of the firewall/router's IP
addresses is sent by another system connected to the hub/switch, all of
the firewall's interfaces that connect to the hub/switch can respond! It
is then a race as to which <quote>here-is</quote> response reaches the
sender first.</para>
</section>
<section id="NonRouted">
<title>Non-routed</title>
<para>If you have the above situation but it is non-routed, you can
configure your network exactly as described above with one additional
twist; simply specify the <quote>proxyarp</quote> option on all three
firewall interfaces in the /etc/shorewall/interfaces file.</para>
<para>Most of us don't have the luxury of having enough public IP
addresses to set up our networks as shown in the preceding example (even
if the setup is routed).</para>
<para><emphasis role="bold">For the remainder of this section, assume
that your ISP has assigned you IP addresses 192.0.2.176-180 and has told
you to use netmask 255.255.255.0 and default gateway
192.0.2.254.</emphasis></para>
<para>Clearly, that set of addresses doesn't comprise a subnetwork and
there aren't enough addresses for all of the network interfaces. There
are four different techniques that can be used to work around this
problem.</para>
<itemizedlist>
<listitem>
<para><emphasis>Source Network Address Translation</emphasis>
(SNAT).</para>
</listitem>
<listitem>
<para><emphasis>Destination Network Address Translation</emphasis>
(DNAT) also known as <emphasis>Port Forwarding</emphasis>.</para>
</listitem>
<listitem>
<para><emphasis>Proxy ARP</emphasis>.</para>
</listitem>
<listitem>
<para><emphasis>Network Address Translation</emphasis> (NAT) also
referred to as <emphasis>One-to-one NA</emphasis>T.</para>
</listitem>
</itemizedlist>
<para>Often a combination of these techniques is used. Each of these
will be discussed in the sections that follow.</para>
<section id="SNAT">
<title>SNAT</title>
<para>With SNAT, an internal LAN segment is configured using RFC 1918
addresses. When a host <emphasis role="bold">A</emphasis> on this
internal segment initiates a connection to host <emphasis
role="bold">B</emphasis> on the Internet, the firewall/router rewrites
the IP header in the request to use one of your public IP addresses as
the source address. When <emphasis role="bold">B</emphasis> responds
and the response is received by the firewall, the firewall changes the
destination address back to the RFC 1918 address of <emphasis
role="bold">A</emphasis> and forwards the response back to <emphasis
role="bold">A.</emphasis></para>
<para>Let's suppose that you decide to use SNAT on your local zone and
use public address 192.0.2.176 as both your firewall's external IP
address and the source IP address of Internet requests sent from that
zone.</para>
<graphic align="center" fileref="images/dmz5.png" />
<para>The local zone has been subnetted as 192.168.201.0/29 (netmask
255.255.255.248).</para>
<simplelist>
<member><inlinegraphic fileref="images/BD21298_.gif" /></member>
<member>The systems in the local zone would be configured with a
default gateway of 192.168.201.1 (the IP address of the firewall's
local interface).</member>
<member><inlinegraphic fileref="images/BD21298_.gif" /></member>
<member>SNAT is configured in Shorewall using the <filename><ulink
url="manpages/shorewall-masq.html">/etc/shorewall/masq</ulink></filename>
file.</member>
</simplelist>
<programlisting>#INTERFACE SUBNET ADDRESS
eth0 192.168.201.0/29 192.0.2.176</programlisting>
<para>This example used the normal technique of assigning the same
public IP address for the firewall external interface and for SNAT. If
you wanted to use a different IP address, you would either have to use
your distributions network configuration tools to add that IP address
to the external interface or you could set ADD_SNAT_ALIASES=Yes in
/etc/shorewall/shorewall.conf and Shorewall will add the address for
you.</para>
</section>
<section id="dnat">
<title>DNAT</title>
<para>When SNAT is used, it is impossible for hosts on the Internet to
initiate a connection to one of the internal systems since those
systems do not have a public IP address. DNAT provides a way to allow
selected connections from the Internet.</para>
<para><inlinegraphic fileref="images/BD21298_.gif" /></para>
<para>Suppose that your daughter wants to run a web server on her
system <quote>Local 3</quote>. You could allow connections to the
Internet to her server by adding the following entry in
<filename><ulink
url="manpages/shorewall-rules.html">/etc/shorewall/rules</ulink></filename>:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# PORT(S) PORT(S) DEST
DNAT net loc:192.168.201.4 tcp www</programlisting>
<para>If one of your daughter's friends at address <emphasis
role="bold">A</emphasis> wants to access your daughter's server, she
can connect to http://192.0.2.176 (the firewall's external IP address)
and the firewall will rewrite the destination IP address to
192.168.201.4 (your daughter's system) and forward the request. When
your daughter's server responds, the firewall will rewrite the source
address back to 192.0.2.176 and send the response back to <emphasis
role="bold">A</emphasis>.</para>
<para>This example used the firewall's external IP address for DNAT.
You can use another of your public IP addresses (place it in the
ORIGINAL DEST column in the rule above) but Shorewall will not add
that address to the firewall's external interface for you.</para>
<important>
<para>When testing DNAT rules like those shown above, you must test
from a client OUTSIDE YOUR FIREWALL (in the 'net' zone). You cannot
test these rules from inside the firewall!</para>
<para>For DNAT troubleshooting tips, <ulink url="FAQ.htm#faq1a">see
FAQs 1a and 1b</ulink>.</para>
</important>
</section>
<section id="ProxyARP">
<title>Proxy ARP</title>
<para>The idea behind Proxy ARP is that:</para>
<itemizedlist>
<listitem>
<para>A host <emphasis role="bold">H</emphasis> behind your
firewall is assigned one of your public IP addresses (<emphasis
role="bold">A</emphasis>), and is assigned the same netmask
(<emphasis role="bold">M</emphasis>) as the firewall's external
interface.</para>
</listitem>
<listitem>
<para>The firewall responds to ARP <quote>who has</quote> requests
for <emphasis role="bold">A</emphasis> from machines outside of
the firewall.</para>
</listitem>
<listitem>
<para>When <emphasis role="bold">H</emphasis> issues an ARP
<quote>who has</quote> request for a machine with an address in
the network defined by <emphasis role="bold">M</emphasis> where
the target machine is outside of the firewall, the firewall will
respond to <emphasis role="bold">H</emphasis> (with the MAC of the
firewall interface that <emphasis role="bold">H</emphasis> is
connected to).</para>
</listitem>
</itemizedlist>
<para>For a more complete description of how Proxy ARP works, please
see the <ulink url="ProxyARP.htm">Shorewall Proxy
Documentation</ulink>.</para>
<para>Let us suppose that we decide to use Proxy ARP on the DMZ in our
example network.</para>
<graphic align="center" fileref="images/dmz6.png" />
<para>Here, we've assigned the IP addresses 192.0.2.177 to system DMZ
1 and 192.0.2.178 to DMZ 2. Notice that we've just assigned an
arbitrary RFC 1918 IP address and subnet mask to the DMZ interface on
the firewall. That address and netmask isn't relevant - just be sure
it doesn't overlap another subnet that you've defined.</para>
<para><inlinegraphic fileref="images/BD21298_.gif" /></para>
<para>The Shorewall configuration of Proxy ARP is done using the<ulink
url="ProxyARP.htm"><filename>/etc/shorewall/proxyarp</filename></ulink>
file.</para>
<programlisting>#ADDRESS INTERFACE EXTERNAL HAVE ROUTE PERSISTENT
192.0.2.177 eth2 eth0 No
192.0.2.178 eth2 eth0 No</programlisting>
<para>Because the HAVE ROUTE column contains No, Shorewall will add
host routes thru eth2 to 192.0.2.177 and 192.0.2.178. The Ethernet
interfaces on DMZ 1 and DMZ 2 should be configured to have the IP
addresses shown but should have the same default gateway as the
firewall itself -- namely 192.0.2.254. In other words, they should be
configured just like they would be if they were parallel to the
firewall rather than behind it.</para>
<caution>
<para><emphasis role="bold">Do not add the Proxy ARP'ed address(es)
(192.0.2.177 and 192.0.2.178 in the above example) to the external
interface (eth0 in this example) of the firewall.</emphasis></para>
</caution>
<para>A word of warning is in order here. ISPs typically configure
their routers with a long ARP cache timeout. If you move a system from
parallel to your firewall to behind your firewall with Proxy ARP, it
will probably be HOURS before that system can communicate with the
Internet. There are a couple of things that you can try:</para>
<orderedlist>
<listitem>
<para>(Courtesy of Bradey Honsinger) A reading of Stevens' TCP/IP
Illustrated, Vol 1 reveals that a</para>
<blockquote>
<para><quote>gratuitous</quote> ARP packet should cause the
ISP's router to refresh their ARP cache (section 4.7). A
gratuitous ARP is simply a host requesting the MAC address for
its own IP; in addition to ensuring that the IP address isn't a
duplicate,...</para>
<para><quote>if the host sending the gratuitous ARP has just
changed its hardware address..., this packet causes any other
host...that has an entry in its cache for the old hardware
address to update its ARP cache entry
accordingly.</quote></para>
</blockquote>
<para>Which is, of course, exactly what you want to do when you
switch a host from being exposed to the Internet to behind
Shorewall using proxy ARP (or one-to-one NAT for that matter).
Happily enough, recent versions of Redhat's iputils package
include <quote>arping</quote>, whose <quote>-U</quote> flag does
just that:</para>
<para><programlisting><command>arping -U -I <net if> <newly proxied IP></command>
<command>arping -U -I eth0 66.58.99.83</command> # for example</programlisting>Stevens
goes on to mention that not all systems respond correctly to
gratuitous ARPs, but googling for <quote>arping -U</quote> seems
to support the idea that it works most of the time.</para>
</listitem>
<listitem>
<para>You can call your ISP and ask them to purge the stale ARP
cache entry but many either can't or won't purge individual
entries.</para>
</listitem>
</orderedlist>
<para>You can determine if your ISP's gateway ARP cache is stale using
ping and tcpdump. Suppose that we suspect that the gateway router has
a stale ARP cache entry for 192.0.2.177. On the firewall, run tcpdump
as follows:</para>
<para><programlisting><command>tcpdump -nei eth0 icmp</command></programlisting></para>
<para>Now from 192.0.2.177, ping the ISP's gateway (which we will
assume is 192.0.2.254):</para>
<para><programlisting><command>ping 192.0.2.254</command></programlisting></para>
<para>We can now observe the tcpdump output:</para>
<para><programlisting>13:35:12.159321 <emphasis role="bold">0:4:e2:20:20:33</emphasis> 0:0:77:95:dd:19 ip 98:
192.0.2.177 > 192.0.2.254: icmp: echo request (DF)
13:35:12.207615 0:0:77:95:dd:19 <emphasis role="bold">0:c0:a8:50:b2:57</emphasis> ip 98:
192.0.2.254 > 192.0.2.177 : icmp: echo reply</programlisting>Notice
that the source MAC address in the echo request is different from the
destination MAC address in the echo reply!! In this case
0:4:e2:20:20:33 was the MAC of the firewall's eth0 NIC while
0:c0:a8:50:b2:57 was the MAC address of DMZ 1. In other words, the
gateway's ARP cache still associates 192.0.2.177 with the NIC in DMZ 1
rather than with the firewall's eth0.</para>
</section>
<section id="NAT">
<title>One-to-one NAT</title>
<para>With one-to-one NAT, you assign local systems RFC 1918 addresses
then establish a one-to-one mapping between those addresses and public
IP addresses. For outgoing connections SNAT (Source Network Address
Translation) occurs and on incoming connections DNAT (Destination
Network Address Translation) occurs. Let's go back to our earlier
example involving your daughter's web server running on system Local
3.</para>
<graphic align="center" fileref="images/dmz6.png" />
<para>Recall that in this setup, the local network is using SNAT and
is sharing the firewall external IP (192.0.2.176) for outbound
connections. This is done with the following entry in
<filename>/etc/shorewall/masq</filename>:</para>
<programlisting>#INTERFACE SUBNET ADDRESS
eth0 192.168.201.0/29 192.0.2.176</programlisting>
<para><inlinegraphic fileref="images/BD21298_.gif" /></para>
<para>Suppose now that you have decided to give your daughter her own
IP address (192.0.2.179) for both inbound and outbound connections.
You would do that by adding an entry in <filename><ulink
url="NAT.htm">/etc/shorewall/nat</ulink></filename>.</para>
<programlisting>#EXTERNAL INTERFACE INTERNAL ALL INTERFACES LOCAL
192.0.2.179 eth0 192.168.201.4 No No</programlisting>
<para>With this entry in place, you daughter has her own IP address
and the other two local systems share the firewall's IP
address.</para>
<para><inlinegraphic fileref="images/BD21298_.gif" /></para>
<para>Once the relationship between 192.0.2.179 and 192.168.201.4 is
established by the nat file entry above, it is no longer appropriate
to use a DNAT rule for you daughter's web server -- you would rather
just use an ACCEPT rule:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# PORT(S) PORT(S) DEST
ACCEPT net loc:192.168.201.4 tcp www</programlisting>
<para>A word of warning is in order here. ISPs typically configure
their routers with a long ARP cache timeout. If you move a system from
parallel to your firewall to behind your firewall with one-to-one NAT,
it will probably be HOURS before that system can communicate with the
Internet. There are a couple of things that you can try:</para>
<orderedlist>
<listitem>
<para>(Courtesy of Bradey Honsinger) A reading of Stevens' TCP/IP
Illustrated, Vol 1 reveals that a</para>
<blockquote>
<para><quote>gratuitous</quote> ARP packet should cause the
ISP's router to refresh their ARP cache (section 4.7). A
gratuitous ARP is simply a host requesting the MAC address for
its own IP; in addition to ensuring that the IP address isn't a
duplicate,...</para>
<para><quote>if the host sending the gratuitous ARP has just
changed its hardware address..., this packet causes any other
host...that has an entry in its cache for the old hardware
address to update its ARP cache entry
accordingly.</quote></para>
</blockquote>
<para>Which is, of course, exactly what you want to do when you
switch a host from being exposed to the Internet to behind
Shorewall using one-to-one NAT. Happily enough, recent versions of
Redhat's iputils package include <quote>arping</quote>, whose
<quote>-U</quote> flag does just that:</para>
<para><programlisting><command>arping -U -I <net if> <newly proxied IP>
</command>
<command>arping -U -I eth0 66.58.99.83</command> # for example</programlisting>Stevens
goes on to mention that not all systems respond correctly to
gratuitous ARPs, but googling for <quote>arping -U</quote> seems
to support the idea that it works most of the time.</para>
</listitem>
<listitem>
<para>You can call your ISP and ask them to purge the stale ARP
cache entry but many either can't or won't purge individual
entries.</para>
</listitem>
</orderedlist>
<para>You can determine if your ISP's gateway ARP cache is stale using
ping and tcpdump. Suppose that we suspect that the gateway router has
a stale ARP cache entry for 192.0.2.177. On the firewall, run tcpdump
as follows:</para>
<para><programlisting><command>tcpdump -nei eth0 icmp</command></programlisting></para>
<para>Now from 192.0.2.177, ping the ISP's gateway (which we will
assume is 192.0.2.254):</para>
<para><programlisting><command>ping 192.0.2.254</command></programlisting></para>
<para>We can now observe the tcpdump output:</para>
<para><programlisting>13:35:12.159321 <emphasis role="bold">0:4:e2:20:20:33</emphasis> 0:0:77:95:dd:19 ip 98:
192.0.2.177 > 192.0.2.254: icmp: echo request (DF)
13:35:12.207615 0:0:77:95:dd:19 <emphasis role="bold">0:c0:a8:50:b2:57</emphasis> ip 98:
192.0.2.254 > 192.0.2.177 : icmp: echo reply</programlisting>Notice
that the source MAC address in the echo request is different from the
destination MAC address in the echo reply!! In this case
0:4:e2:20:20:33 was the MAC of the firewall's eth0 NIC while
0:c0:a8:50:b2:57 was the MAC address of DMZ 1. In other words, the
gateway's ARP cache still associates 192.0.2.177 with the NIC in DMZ 1
rather than with the firewall's eth0.</para>
</section>
</section>
<section id="Rules">
<title>Rules</title>
<note>
<para>Shorewall has a <ulink url="Macros.html">macro facility</ulink>
that includes macros for many standard applications. This section does
not use those macros but rather defines the rules directly.</para>
</note>
<para><inlinegraphic fileref="images/BD21298_.gif" /></para>
<para>With the default policies described earlier in this document, your
local systems (Local 1-3) can access any server on the Internet and the
DMZ can't access any other host (including the firewall). With the
exception of DNAT rules which cause address translation and allow the
translated connection request to pass through the firewall, the way to
allow connection requests through your firewall is to use ACCEPT
rules.</para>
<note>
<para>Since the SOURCE PORT(S) and ORIG. DEST. Columns aren't used in
this section, they won't be shown</para>
</note>
<para>You probably want to allow ping between your zones:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST
# PORT(S)
ACCEPT net dmz icmp echo-request
ACCEPT net loc icmp echo-request
ACCEPT dmz loc icmp echo-request
ACCEPT loc dmz icmp echo-request</programlisting>
<para>Let's suppose that you run mail and pop3 servers on DMZ 2 and a
Web Server on DMZ 1. The rules that you would need are:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST COMMENTS
# PORT(S)
ACCEPT net dmz:192.0.2.178 tcp smtp #Mail from
#Internet
ACCEPT net dmz:192.0.2.178 tcp pop3 #Pop3 from
#Internet
ACCEPT loc dmz:192.0.2.178 tcp smtp #Mail from local
#Network
ACCEPT loc dmz:192.0.2.178 tcp pop3 #Pop3 from local
#Network
ACCEPT $FW dmz:192.0.2.178 tcp smtp #Mail from the
#Firewall
ACCEPT dmz:192.0.2.178 net tcp smtp #Mail to the
#Internet
ACCEPT net dmz:192.0.2.177 tcp http #WWW from
#Internet
ACCEPT net dmz:192.0.2.177 tcp https #Secure WWW
#from Internet
ACCEPT loc dmz:192.0.2.177 tcp https #Secure WWW
#from local
#Network</programlisting>
<para>If you run a public DNS server on 192.0.2.177, you would need to
add the following rules:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST COMMENTS
# PORT(S)
ACCEPT net dmz:192.0.2.177 udp domain #UDP DNS from
#Internet
ACCEPT net dmz:192.0.2.177 tcp domain #TCP DNS from
#Internet
ACCEPT loc dmz:192.0.2.177 udp domain #UDP DNS from
#Local Network
ACCEPT loc dmz:192.0.2.177 tcp domain #TCP DNS from
#Local Network
ACCEPT $FW dmz:192.0.2.177 udp domain #UDP DNS from
#the Firewall
ACCEPT $FW dmz:192.0.2.177 tcp domain #TCP DNS from
#the Firewall
ACCEPT dmz:192.0.2.177 net udp domain #UDP DNS to
#the Internet
ACCEPT dmz:192.0.2.177 net tcp domain #TCPP DNS to
#the Internet</programlisting>
<para>You probably want some way to communicate with your firewall and
DMZ systems from the local network -- I recommend SSH which through its
scp utility can also do publishing and software update
distribution.</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST COMMENTS
# PORT(S)
ACCEPT loc dmz tcp ssh #SSH to the DMZ
ACCEPT net $FW tcp ssh #SSH to the
#Firewall</programlisting>
</section>
<section id="OddsAndEnds">
<title>Odds and Ends</title>
<para>The above discussion reflects my personal preference for using
Proxy ARP for my servers in my DMZ and SNAT/NAT for my local systems. I
prefer to use NAT only in cases where a system that is part of an RFC
1918 subnet needs to have its own public IP.</para>
<para><inlinegraphic fileref="images/BD21298_.gif" /></para>
<para>If you haven't already, it would be a good idea to browse through
<ulink
url="manpages/shorewall.conf.htmlig"><filename>/etc/shorewall/shorewall.conf</filename></ulink>
just to see if there is anything there that might be of interest. You
might also want to look at the other configuration files that you
haven't touched yet just to get a feel for the other things that
Shorewall can do.</para>
<para>In case you haven't been keeping score, here's the final set of
configuration files for our sample network. Only those that were
modified from the original installation are shown.</para>
<para><filename>/etc/shorewall/interfaces</filename> (The
<quote>options</quote> will be very site-specific).</para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect routefilter
loc eth1 detect
dmz eth2 detect</programlisting>
<para>The setup described here requires that your network interfaces be
brought up before Shorewall can start. This opens a short window during
which you have no firewall protection. If you replace
<quote>detect</quote> with the actual broadcast addresses in the entries
above, you can bring up Shorewall before you bring up your network
interfaces.</para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
net eth0 192.0.2.255
loc eth1 192.168.201.7
dmz eth2 192.168.202.7</programlisting>
<para><filename>/etc/shorewall/masq</filename> - Local Subnet</para>
<programlisting>#INTERFACE SUBNET ADDRESS
eth0 192.168.201.0/29 192.0.2.176</programlisting>
<para><filename>/etc/shorewall/proxyarp</filename> - DMZ</para>
<programlisting>#ADDRESS EXTERNAL INTERFACE HAVE ROUTE
192.0.2.177 eth2 eth0 No
192.0.2.178 eth2 eth0 No</programlisting>
<para><filename>/etc/shorewall/nat</filename>- Daughter's System</para>
<programlisting>#EXTERNAL INTERFACE INTERNAL ALL INTERFACES LOCAL
192.0.2.179 eth0 192.168.201.4 No No</programlisting>
<para><filename>/etc/shorewall/rules</filename></para>
<programlisting>#ACTION SOURCE DEST PROTO DEST COMMENTS
# PORT(S)
ACCEPT net dmz icmp echo-request
ACCEPT net loc icmp echo-request
ACCEPT dmz loc icmp echo-request
ACCEPT loc dmz icmp echo-request
ACCEPT net loc:192.168.201.4 tcp www #Daughter's
#Server
ACCEPT net dmz:192.0.2.178 tcp smtp #Mail from
#Internet
ACCEPT net dmz:192.0.2.178 tcp pop3 #Pop3 from
#Internet
ACCEPT loc dmz:192.0.2.178 tcp smtp #Mail from local
#Network
ACCEPT loc dmz:192.0.2.178 tcp pop3 #Pop3 from local
#Network
ACCEPT $FW dmz:192.0.2.178 tcp smtp #Mail from the
#Firewall
ACCEPT dmz:192.0.2.178 net tcp smtp #Mail to the
#Internet
ACCEPT net dmz:192.0.2.177 tcp http #WWW from
#Internet
ACCEPT net dmz:192.0.2.177 tcp https #Secure WWW
#from Internet
ACCEPT loc dmz:192.0.2.177 tcp https #Secure WWW
#from local
#Network
ACCEPT net dmz:192.0.2.177 udp domain #UDP DNS from
#Internet
ACCEPT net dmz:192.0.2.177 tcp domain #TCP DNS from
#Internet
ACCEPT loc dmz:192.0.2.177 udp domain #UDP DNS from
#Local Network
ACCEPT loc dmz:192.0.2.177 tcp domain #TCP DNS from
#Local Network
ACCEPT $FW dmz:192.0.2.177 udp domain #UDP DNS from
#the Firewall
ACCEPT $FW dmz:192.0.2.177 tcp domain #TCP DNS from
#the Firewall
ACCEPT dmz:192.0.2.177 net udp domain #UDP DNS to
#the Internet
ACCEPT dmz:192.0.2.177 net tcp domain #TCPP DNS to
#the Internet
ACCEPT loc dmz tcp ssh #SSH to the DMZ
ACCEPT net $FW tcp ssh #SSH to the
#Firewall</programlisting>
</section>
</section>
<section id="DNS">
<title>DNS</title>
<para>Given the collection of RFC 1918 and public addresses in this setup,
it only makes sense to have separate internal and external DNS servers.
You can combine the two into a single BIND 9 server using Views. If you
are not interested in Bind 9 views, you can go to the next section.</para>
<para>Suppose that your domain is foobar.net and you want the two DMZ
systems named www.foobar.net and mail.foobar.net and you want the three
local systems named "winken.foobar.net, blinken.foobar.net and
nod.foobar.net. You want your firewall to be known as firewall.foobar.net
externally and its interface to the local network to be know as
gateway.foobar.net and its interface to the dmz as dmz.foobar.net. Let's
have the DNS server on 192.0.2.177 which will also be known by the name
ns1.foobar.net.</para>
<para>The <filename>/etc/named.conf </filename>file would look like
this:</para>
<programlisting>
options {
directory "/var/named";
listen-on { 127.0.0.1 ; 192.0.2.177; };
transfer-format many-answers;
max-transfer-time-in 60;
allow-transfer {
// Servers allowed to request zone transfers
<secondary NS IP>; };
};
logging {
channel xfer-log {
file "/var/log/named/bind-xfer.log";
print-category yes;
print-severity yes;
print-time yes;
severity info;
};
category xfer-in { xfer-log; };
category xfer-out { xfer-log; };
category notify { xfer-log; };
};
#
# This is the view presented to our internal systems
#
view "internal" {
#
# These are the clients that see this view
#
match-clients { 192.168.201.0/29;
192.168.202.0/29;
127.0.0.0/8;
192.0.2.176/32;
192.0.2.178/32;
192.0.2.179/32;
192.0.2.180/32; };
#
# If this server can't complete the request, it should use
# outside servers to do so
#
recursion yes;
zone "." in {
type hint;
file "int/root.cache";
};
zone "foobar.net" in {
type master;
notify no;
allow-update { none; };
file "int/db.foobar";
};
zone "0.0.127.in-addr.arpa" in {
type master;
notify no;
allow-update { none; };
file "int/db.127.0.0";
};
zone "201.168.192.in-addr.arpa" in {
type master;
notify no;
allow-update { none; };
file "int/db.192.168.201";
};
zone "202.168.192.in-addr.arpa" in {
type master;
notify no;
allow-update { none; };
file "int/db.192.168.202";
};
zone "176.2.0.192.in-addr.arpa" in {
type master;
notify no;
allow-update { none; };
file "db.192.0.2.176";
};
zone "177.2.0.192.in-addr.arpa" in {
type master;
notify no;
allow-update { none; };
file "db.192.0.2.177";
};
zone "178.2.0.192.in-addr.arpa" in {
type master;
notify no;
allow-update { none; };
file "db.192.0.2.178";
};
zone "179.2.0.192.in-addr.arpa" in {
type master;
notify no;
allow-update { none; };
file "db.206.124.146.179";
};
};
#
# This is the view that we present to the outside world
#
view "external" {
match-clients { any; };
#
# If we can't answer the query, we tell the client so
#
recursion no;
zone "foobar.net" in {
type master;
notify yes;
allow-update {none; };
file "ext/db.foobar";
};
zone "176.2.0.192.in-addr.arpa" in {
type master;
notify yes;
allow-update { none; };
file "db.192.0.2.176";
};
zone "177.2.0.192.in-addr.arpa" in {
type master;
notify yes;
allow-update { none; };
file "db.192.0.2.177";
};
zone "178.2.0.192.in-addr.arpa" in {
type master;
notify yes;
allow-update { none; };
file "db.192.0.2.178";
};
zone "179.2.0.192.in-addr.arpa" in {
type master;
notify yes;
allow-update { none; };
file "db.192.0.2.179";
};
};</programlisting>
<para>Here are the files in <filename
class="directory">/var/named</filename> (those not shown are usually
included in your bind distribution).</para>
<para><filename>db.192.0.2.176</filename> - This is the reverse zone for
the firewall's external interface</para>
<programlisting>; ############################################################
; Start of Authority (Inverse Address Arpa) for 192.0.2.176/32
; Filename: db.192.0.2.176
; ############################################################
@ 604800 IN SOA ns1.foobar.net. netadmin.foobar.net. (
2001102303 ; serial
10800 ; refresh (3 hour)
3600 ; retry (1 hour)
604800 ; expire (7 days)
86400 ) ; minimum (1 day)
;
; ############################################################
; Specify Name Servers for all Reverse Lookups (IN-ADDR.ARPA)
; ############################################################
@ 604800 IN NS ns1.foobar.net.
@ 604800 IN NS <name of secondary ns>.
;
; ############################################################
; Inverse Address Arpa Records (PTR's)
; ############################################################
176.2.0.192.in-addr.arpa. 86400 IN PTR firewall.foobar.net.</programlisting>
<para><filename>db.192.0.2.177</filename> - Reverse zone www server</para>
<programlisting>; ############################################################
; Start of Authority (Inverse Address Arpa) for 192.0.2.177/32
; Filename: db.192.0.2.177
; ############################################################
@ 604800 IN SOA ns1.foobar.net. netadmin.foobar.net. (
2001102303 ; serial
10800 ; refresh (3 hour)
3600 ; retry (1 hour)
604800 ; expire (7 days)
86400 ) ; minimum (1 day)
;
; ############################################################
; Specify Name Servers for all Reverse Lookups (IN-ADDR.ARPA)
; ############################################################
@ 604800 IN NS ns1.foobar.net.
@ 604800 IN NS <name of secondary ns>.
;
; ############################################################
; Inverse Address Arpa Records (PTR's)
; ############################################################
177.2.0.192.in-addr.arpa. 86400 IN PTR www.foobar.net.</programlisting>
<para><filename>db.192.0.2.178</filename> - Reverse zone for the mail
server</para>
<programlisting>; ############################################################
; Start of Authority (Inverse Address Arpa) for 192.0.2.178/32
; Filename: db.192.0.2.178
; ############################################################
@ 604800 IN SOA ns1.foobar.net. netadmin.foobar.net. (
2001102303 ; serial
10800 ; refresh (3 hour)
3600 ; retry (1 hour)
604800 ; expire (7 days)
86400 ) ; minimum (1 day)
;
; ############################################################
; Specify Name Servers for all Reverse Lookups (IN-ADDR.ARPA)
; ############################################################
@ 604800 IN NS ns1.foobar.net.
@ 604800 IN NS <name of secondary ns>.
;
; ############################################################
; Inverse Address Arpa Records (PTR's)
; ############################################################
178.2.0.192.in-addr.arpa. 86400 IN PTR mail.foobar.net.</programlisting>
<para><filename>db.192.0.2.179</filename> - Reverse zone for Daughter's
public web server</para>
<programlisting>; ############################################################
; Start of Authority (Inverse Address Arpa) for 192.0.2.179/32
; Filename: db.192.0.2.179
; ############################################################
@ 604800 IN SOA ns1.foobar.net. netadmin.foobar.net. (
2001102303 ; serial
10800 ; refresh (3 hour)
3600 ; retry (1 hour)
604800 ; expire (7 days)
86400 ) ; minimum (1 day)
;
; ############################################################
; Specify Name Servers for all Reverse Lookups (IN-ADDR.ARPA)
; ############################################################
@ 604800 IN NS ns1.foobar.net.
@ 604800 IN NS <name of secondary ns>.
;
; ############################################################
; Inverse Address Arpa Records (PTR's)
; ############################################################
179.2.0.192.in-addr.arpa. 86400 IN PTR nod.foobar.net.</programlisting>
<para><filename>int/db.127.0.0</filename> - Reverse zone for
localhost</para>
<programlisting>; ############################################################
; Start of Authority (Inverse Address Arpa) for 127.0.0.0/8
; Filename: db.127.0.0
; ############################################################
@ 604800 IN SOA ns1.foobar.net. netadmin.foobar.net. (
2001092901 ; serial
10800 ; refresh (3 hour)
3600 ; retry (1 hour)
604800 ; expire (7 days)
86400 ) ; minimum (1 day)
; ############################################################
; Specify Name Servers for all Reverse Lookups (IN-ADDR.ARPA)
; ############################################################
@ 604800 IN NS ns1.foobar.net.
; ############################################################
; Inverse Address Arpa Records (PTR's)
; ############################################################
1 86400 IN PTR localhost.foobar.net.</programlisting>
<para><filename>int/db.192.168.201</filename> - Reverse zone for the local
network. This is only shown to internal clients.</para>
<programlisting>; ############################################################
; Start of Authority (Inverse Address Arpa) for 192.168.201.0/29
; Filename: db.192.168.201
; ############################################################
@ 604800 IN SOA ns1.foobar.net netadmin.foobar.net. (
2002032501 ; serial
10800 ; refresh (3 hour)
3600 ; retry (1 hour)
604800 ; expire (7 days)
86400 ) ; minimum (1 day)
; ############################################################
; Specify Name Servers for all Reverse Lookups (IN-ADDR.ARPA)
; ############################################################
@ 604800 IN NS ns1.foobar.net.
; ############################################################
; Inverse Address Arpa Records (PTR's)
; ############################################################
1 86400 IN PTR gateway.foobar.net.
2 86400 IN PTR winken.foobar.net.
3 86400 IN PTR blinken.foobar.net.
4 86400 IN PTR nod.foobar.net.</programlisting>
<para><filename>int/db.192.168.202</filename> - Reverse zone for the
firewall's DMZ Interface</para>
<programlisting>; ############################################################
; Start of Authority (Inverse Address Arpa) for 192.168.202.0/29
; Filename: db.192.168.202
; ############################################################
@ 604800 IN SOA ns1.foobar.net netadmin.foobar.net. (
2002032501 ; serial
10800 ; refresh (3 hour)
3600 ; retry (1 hour)
604800 ; expire (7 days)
86400 ) ; minimum (1 day)
; ############################################################
; Specify Name Servers for all Reverse Lookups (IN-ADDR.ARPA)
; ############################################################
@ 604800 IN NS ns1.foobar.net.
; ############################################################
; Inverse Address Arpa Records (PTR's)
; ############################################################
1 86400 IN PTR dmz.foobar.net.</programlisting>
<para><filename>int/db.foobar </filename>- Forward zone for internal
clients.</para>
<programlisting>;##############################################################
; Start of Authority for foobar.net.
; Filename: db.foobar
;##############################################################
@ 604800 IN SOA ns1.foobar.net. netadmin.foobar.net. (
2002071501 ; serial
10800 ; refresh (3 hour)
3600 ; retry (1 hour)
604800 ; expire (7 days)
86400 ); minimum (1 day)
;############################################################
; foobar.net Nameserver Records (NS)
;############################################################
@ 604800 IN NS ns1.foobar.net.
;############################################################
; Foobar.net Office Records (ADDRESS)
;############################################################
localhost 86400 IN A 127.0.0.1
firewall 86400 IN A 192.0.2.176
www 86400 IN A 192.0.2.177
ns1 86400 IN A 192.0.2.177
mail 86400 IN A 192.0.2.178
gateway 86400 IN A 192.168.201.1
winken 86400 IN A 192.168.201.2
blinken 86400 IN A 192.168.201.3
nod 86400 IN A 192.168.201.4
dmz 86400 IN A 192.168.202.1</programlisting>
<para><filename>ext/db.foobar </filename>- Forward zone for external
clients.</para>
<programlisting>;##############################################################
; Start of Authority for foobar.net.
; Filename: db.foobar
;##############################################################
@ 86400 IN SOA ns1.foobar.net. netadmin.foobar.net. (
2002052901 ; serial
10800 ; refresh (3 hour)
3600 ; retry (1 hour)
604800 ; expire (7 days)
86400 ); minimum (1 day)
;############################################################
; Foobar.net Nameserver Records (NS)
;############################################################
@ 86400 IN NS ns1.foobar.net.
@ 86400 IN NS <secondary NS>.
;############################################################
; Foobar.net Foobar Wa Office Records (ADDRESS)
;############################################################
localhost 86400 IN A 127.0.0.1
;
; The firewall itself
;
firewall 86400 IN A 192.0.2.176
;
; The DMZ
;
ns1 86400 IN A 192.0.2.177
www 86400 IN A 192.0.2.177
mail 86400 IN A 192.0.2.178
;
; The Local Network
;
nod 86400 IN A 192.0.2.179
;############################################################
; Current Aliases for foobar.net (CNAME)
;############################################################
;############################################################
; foobar.net MX Records (MAIL EXCHANGER)
;############################################################
foobar.net. 86400 IN A 192.0.2.177
86400 IN MX 0 mail.foobar.net.
86400 IN MX 1 <backup MX>.</programlisting>
</section>
<section id="Other">
<title>Some Things to Keep in Mind</title>
<itemizedlist>
<listitem>
<para><emphasis role="bold">You cannot test your firewall from the
inside</emphasis>. Just because you send requests to your firewall
external IP address does not mean that the request will be associated
with the external interface or the <quote>net</quote> zone. Any
traffic that you generate from the local network will be associated
with your local interface and will be treated as loc->$FW
traffic.</para>
</listitem>
<listitem>
<para><emphasis role="bold">IP addresses are properties of systems,
not of interfaces</emphasis>. It is a mistake to believe that your
firewall is able to forward packets just because you can ping the IP
address of all of the firewall's interfaces from the local network.
The only conclusion you can draw from such pinging success is that the
link between the local system and the firewall works and that you
probably have the local system's default gateway set correctly.</para>
</listitem>
<listitem>
<para><emphasis role="bold">All IP addresses configured on firewall
interfaces are in the $FW (fw) zone</emphasis>. If 192.168.1.254 is
the IP address of your internal interface then you can write
<quote><emphasis role="bold">$FW:192.168.1.254</emphasis></quote> in a
rule but you may not write <quote><emphasis
role="bold">loc:192.168.1.254</emphasis></quote>. Similarly, it is
nonsensical to add 192.168.1.254 to the <emphasis
role="bold">loc</emphasis> zone using an entry in
<filename>/etc/shorewall/hosts</filename>.</para>
</listitem>
<listitem>
<para><emphasis role="bold">Reply packets do NOT automatically follow
the reverse path of the one taken by the original request</emphasis>.
All packets are routed according to the routing table of the host at
each step of the way. This issue commonly comes up when people install
a Shorewall firewall parallel to an existing gateway and try to use
DNAT through Shorewall without changing the default gateway of the
system receiving the forwarded requests. Requests come in through the
Shorewall firewall where the destination IP address gets rewritten but
replies go out unmodified through the old gateway.</para>
</listitem>
<listitem>
<para><emphasis role="bold">Shorewall itself has no notion of inside
or outside</emphasis>. These concepts are embodied in how Shorewall is
configured.</para>
</listitem>
</itemizedlist>
</section>
<section id="StartingAndStopping">
<title>Starting and Stopping the Firewall</title>
<para>The <ulink url="Install.htm">Installation procedure</ulink>
configures your system to start Shorewall at system boot.</para>
<para>The firewall is started using the <quote>shorewall start</quote>
command and stopped using <quote>shorewall stop</quote>. When the firewall
is stopped, routing is enabled on those hosts that have an entry in
<filename><ulink
url="manpages/shorewall-routestopped.html">/etc/shorewall/routestopped</ulink></filename>.
A running firewall may be restarted using the <quote>shorewall
restart</quote> command. If you want to totally remove any trace of
Shorewall from your Netfilter configuration, use <quote>shorewall
clear</quote>.</para>
<para><inlinegraphic fileref="images/BD21298_.gif" /></para>
<para>Edit the <filename><ulink
url="manpages/shorewall-routestopped.html">/etc/shorewall/routestopped</ulink></filename>
file and configure those systems that you want to be able to access the
firewall when it is stopped.</para>
<caution>
<para>If you are connected to your firewall from the Internet, do not
issue a <quote>shorewall stop</quote> command unless you have added an
entry for the IP address that you are connected from to <filename><ulink
url="manpages/shorewall-routestopped.html">/etc/shorewall/routestopped</ulink></filename>.
Also, I don't recommend using <quote>shorewall restart</quote>; it is
better to create an <ulink
url="starting_and_stopping_shorewall.htm"><emphasis>an alternate
configuration</emphasis></ulink> and test it using the <quote><ulink
url="starting_and_stopping_shorewall.htm"><command>shorewall
try</command></ulink></quote> command.</para>
</caution>
</section>
</article>
|
