Shorewall config questions


hea

I am setting up Shorewall on my computer. I have downloaded the one-interface example files and am reading the docs; there are two things I'm not able to figure out:

 

1. What is the norfc1918 entry in interfaces actually doing?

 

2. In the rules file there's a line:

 

ACCEPT net fw icmp 8

 

This line has no # in front so it is "activated" by default. What does it do?

 

Can anyone explain this?


Hi hea.

 

I don't know which version of Mdk you are using, but in 9.0 and 9.1 there is a nice GUI to configure Shorewall in the Mandrake Control Center (MCC). That GUI works very well for a one-interface computer. Also, I don't think you should erase the config files and put in the Shorewall ones. In other words, Shorewall comes pre-configured on Mdk, so you should modify the config files according to your needs but DO NOT erase them and put those from the Shorewall website in their place.

 

This being said, I have no idea what norfc1918 is for. If it was there and it works, then leave it there. For the line 'ACCEPT net fw icmp 8', this means the following: accept all icmp requests from the net to your computer via port 8. Icmp means 'ping'. In real words, if you want to accept being 'pinged' then put that line in, otherwise put a # in front of it. Here is a nice tutorial about that:

 

http://www.shorewall.net/ping.html

 

HTH

 

MOttS


..rfc is possibly some kind of RFC protocol standard, I think. Saw it somewhere...

If there is a "#" in front of a line, it is a comment...

 

I personally prefer setting Shorewall up myself, because in previous versions Mandrake didn't do it well for me and the standard Shorewall file was also not so good (didn't let me connect to my ISP..)

 

 

If you don't want to make the effort to learn Shorewall, I advise you to use the Mandrake Control Center.

 

 

If you want to set it up yourself, you should surely read the web pages on the Shorewall website. It looks a little bit much in the beginning, but you don't need everything to start... Just read the policy and rules part and the part about the file for general setup... If there are any questions, post the line and I'll try to help (I don't know everything of course :), I've just managed to set up Shorewall a little bit myself..)

 

To begin you could just shut off all communication and connect. Then search /var/log/messages or /var/log/syslog for Shorewall errors... With me (I suppose also with you) there are some UDP connections... These should be the IPs your ISP gave you (if you're using broadband, are you?). You have to open those OUTWARD connections... surely, else you can't connect. Have fun :) and ask if you don't know.

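The procedure in the post above (start Shorewall, connect, then read the DROP lines out of /var/log/messages or /var/log/syslog) is easy to script. What follows is an added example, not code from this thread or from the Shorewall project. It parses the kernel log lines Shorewall writes at log level "info" (the prefix Shorewall:<chain>:<disposition>: followed by netfilter's key=value fields), counts what was dropped, lists RFC 1918 sources seen on the internet interface (the addresses the norfc1918 interface option exists to reject, which must never be whitelisted with net:IP), and prints candidate ACCEPT lines in the ACTION SOURCE DEST PROTO DEST PORT layout used in this thread. For icmp the DEST PORT column of a Shorewall rule holds the ICMP type, so an echo request shows up as "icmp 8". The host name mdk, the addresses (documentation ranges), ports and timestamps in the sample log are constructed for the example.

```python
"""Summarise Shorewall DROP lines from syslog and propose narrow ACCEPT rules.

Added example, not Shorewall's own tooling. Assumes the Shorewall 1.x log prefix
"Shorewall:<chain>:<disposition>:" followed by netfilter's key=value fields, and a
one-interface box whose firewall zone is "fw" and internet zone "net".
"""
import ipaddress
import re
import sys
from collections import Counter

# Constructed sample (not a real capture): what /var/log/syslog looks like with
# "all all DROP info" in the policy file; the sshd line is unrelated noise.
SAMPLE_LOG = """\
Jun  3 21:14:02 mdk kernel: Shorewall:net2all:DROP:IN=ppp0 OUT= SRC=198.51.100.53 DST=192.0.2.10 LEN=78 TOS=0x00 PREC=0x00 TTL=250 ID=0 DF PROTO=UDP SPT=53 DPT=1027 LEN=58
Jun  3 21:14:02 mdk kernel: Shorewall:net2all:DROP:IN=ppp0 OUT= SRC=198.51.100.53 DST=192.0.2.10 LEN=78 TOS=0x00 PREC=0x00 TTL=250 ID=0 DF PROTO=UDP SPT=53 DPT=1027 LEN=58
Jun  3 21:14:05 mdk kernel: Shorewall:net2all:DROP:IN=ppp0 OUT= SRC=198.51.100.54 DST=192.0.2.10 LEN=78 TOS=0x00 PREC=0x00 TTL=250 ID=0 DF PROTO=UDP SPT=53 DPT=1027 LEN=58
Jun  3 21:14:09 mdk kernel: Shorewall:net2all:DROP:IN=ppp0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=52 ID=30214 PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=1
Jun  3 21:14:11 mdk kernel: Shorewall:net2all:DROP:IN=ppp0 OUT= SRC=10.0.0.5 DST=192.0.2.10 LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=1 DF PROTO=TCP SPT=3412 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Jun  3 21:14:12 mdk sshd[812]: Accepted password for hea from 192.168.1.3 port 1040 ssh2
"""

_PREFIX = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<disp>[^:\s]+):")
_FIELD = re.compile(r"\b([A-Z]+)=(\S*)")

# RFC 1918 space: the source addresses Shorewall's "norfc1918" interface option
# refuses on the internet-facing interface.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def parse_line(line):
    """Return a dict for one Shorewall log line, or None for any other line."""
    m = _PREFIX.search(line)
    if not m:
        return None
    f = dict(_FIELD.findall(line[m.end():]))
    proto = f.get("PROTO", "").lower()
    return {
        "chain": m.group("chain"),
        "disposition": m.group("disp"),
        "iface": f.get("IN", ""),
        "src": f.get("SRC", ""),
        "dst": f.get("DST", ""),
        "proto": proto,
        "sport": f.get("SPT"),
        # In a Shorewall rule the DEST PORT column holds the ICMP type for icmp,
        # so "ACCEPT net fw icmp 8" matches TYPE=8 (echo request) in the log.
        "dport": f.get("TYPE") if proto == "icmp" else f.get("DPT"),
    }


def parse_log(text):
    return [e for e in map(parse_line, text.splitlines()) if e]


def summarize(entries):
    """Drop counts by (chain, proto, dport): the noisy lines stand out first."""
    return Counter((e["chain"], e["proto"], e["dport"]) for e in entries)


def bogon_sources(entries):
    """Private (RFC 1918) sources arriving from the net zone: spoofed or leaked,
    never something to whitelist with net:IP."""
    return sorted({e["src"] for e in entries
                   if e["chain"].startswith("net") and is_rfc1918(e["src"])})


def suggest_rules(entries, min_hits=2):
    """Candidate ACCEPT lines (ACTION SOURCE DEST PROTO DEST_PORT) for traffic
    from the net zone dropped at least min_hits times. Review them; do not
    paste them blindly."""
    hits = Counter((e["src"], e["proto"], e["dport"]) for e in entries
                   if e["chain"].startswith("net") and e["disposition"] == "DROP"
                   and e["dport"] and not is_rfc1918(e["src"]))
    return [f"ACCEPT net:{src} fw {proto} {dport}"
            for (src, proto, dport), n in sorted(hits.items()) if n >= min_hits]


if __name__ == "__main__":
    # usage: grep Shorewall /var/log/syslog | python3 shorewall_drops.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    entries = parse_log(text)
    for (chain, proto, dport), n in summarize(entries).most_common():
        print(f"{n:5d}  {chain:<10} {proto:<5} {dport}")
    print("private sources on the net interface:", bogon_sources(entries) or "none")
    print("\n".join(suggest_rules(entries, min_hits=1)))
```

On the sample, the only line that clears the default threshold of two hits is the UDP reply from 198.51.100.53 port 53, which is exactly the "ISP's IP" case the thread is chasing; the 10.0.0.5 source is reported but never turned into a rule. Raise min_hits on a real log so one-off scans do not become ACCEPT lines.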

Thanks for your replies. Sorry I didn't give enough information. I'm using MDK 9.1 (very satisfied). My computer is connected to a switch along with three Windows computers and we're all connected to an ADSL modem which also acts as a DHCP server on the LAN. I would of course want the firewall to give access to the other computers on the LAN, but that shouldn't be any problem, just allow a set of IPs in the rules file from the range the DHCP server uses?

 

Btw, the Shorewall GUI in MCC has never been popular before, as I have read on the forum. Is the 9.1 version better? It doesn't give many choices. I guess I should leave all the fields blank as I don't want any access FROM the internet. The only problem then would be the LAN of course, but that could be fixed by editing the config files. But I do think I will be more comfortable with setting this up manually.


My computer is connected to a switch along with three Windows computers and we're all connected to an ADSL modem which also acts as a DHCP server on the LAN.

 

Most recent routers/switches have a built-in DHCP server and firewall (that you can configure by typing the address http://RouterIP in your browser). If your router has one then you don't need to set up Shorewall since you are already protected. If you do set up Shorewall, it will protect your computer against the 3 Windows boxes on your LAN.

 

I would of course want the firewall to give access to the other computers on the LAN, but that shouldn't be any problem, just allow a set of IPs in the rules file from the range the DHCP server uses?

 

I guess yes. Depending on which service you want to run on your computer, you could use the following line in your /etc/shorewall/rules

 

ACCEPT net fw tcp XX

or

ACCEPT net fw udp XX

 

where XX is the port on which the service is running. For example, if you want to share files with the 3 Windows boxes, you will have to run Samba. Samba uses ports 137, 138 and 139, both tcp and udp, so I would include the following lines in my /etc/shorewall/rules:

 

ACCEPT net:IP fw tcp 137,138,139

ACCEPT net:IP fw udp 137,138,139

 

Notice that the computers on your LAN are treated like those from the internet, so by putting net:IP you give access only to the computer having that IP, preventing the other ones from connecting to the service.

 

Btw, the Shorewall GUI in MCC has never been popular before, as I have read on the forum. Is the 9.1 version better? It doesn't give many choices. I guess I should leave all the fields blank as I don't want any access FROM the internet. The only problem then would be the LAN of course, but that could be fixed by editing the config files. But I do think I will be more comfortable with setting this up manually.

The Shorewall GUI sucks when it comes time to configure a 2- or 3-interface firewall. In those situations, if you open (let's say) port 22 from the GUI then this port will be opened on ALL interfaces. This is probably not what you want. But for a one-interface machine, it does the job pretty well. For the choices, I admit that there is not much there. But there is a check box for pretty much all the most common services (telnet, ssh, nfs..). If the port you are looking for isn't there then click the 'Advanced' button and enter it there (ex: 137/tcp 137/udp ..).

 

Hope this helps

 

MOTtS


  • 1 month later...

What do you mean by an easy-to-use Mandrake Control Centre? The only way Mandrake 9.1 allows you to use the internet is to check "all, no firewall" in the MCC Security chapter. Any other combination blocks internet connections. I just have a stand-alone PC trying to use the internet hidden behind a firewall, but this seems to be an impossible challenge for a newbie like myself. Any suggestions?


I don't know if this is a good config file, but it works... I'll give you mine here. You have to change the <ISP-ip> with the IP your ISP gave you... (I've got ADSL)... If you don't know it... start Shorewall... look at the time... then start your internet connection... look in /var/log/syslog for the time and you possibly (hopefully... with me anyway) see the IP your ISP gave you... it's a UDP connection with me...

It's a work in progress:).

 

/etc/shorewall/rules:

# one line per address your ISP gave you (two here); replace ISP-ip with the real address
ACCEPT all net:ISP-ip udp
ACCEPT all net:ISP-ip udp
#web browsing
ACCEPT fw net tcp 80
#ftp
ACCEPT fw net tcp 20,21
#mail
ACCEPT fw net tcp smtp,pop3
#newsgroups
ACCEPT fw net tcp nntp
ACCEPT fw net tcp
#msn-protocol: voice not included, no file transfer
ACCEPT fw net tcp 1863
#for bzflag - if you want to play it... on ducati :) and some others
ACCEPT fw net udp 5155,5156
#connections that I certainly don't want - related connections are always passed
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
#identification port
DROP net fw tcp 113
DROP net fw udp 113
DROP net fw tcp 135
DROP net fw udp 135
#for my local computer.... for any other udp
REJECT loc fw udp

 

--------------------------------------------

/etc/shorewall/policy:

loc fw ACCEPT
all all DROP info

 

-------------------------------------------

/etc/shorewall/interfaces (I'm using ppp0; if you've got ADSL I think this is good... you can see this info by typing "ifconfig" as root):

net ppp0 - dropunclean,tcpflags
loc localhost

 

----------------------------------------------

 

/etc/shorewall/shorewall.conf:

change some things if you use ADSL or other high-speed connections (if they aren't like this already):

look for "CLAMPMSS" and set it to Yes
look for "ROUTE_FILTER" and set it to Yes
look for "ALLOWRELATED" and set it to Yes

---------------------------------------------

 

Hopefully it works now... If there are any comments on this configuration, I'm always open to improvements... or a total change :).

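Both the Samba rules in MOttS's post further up and the rules file in the post above use Shorewall's column layout, ACTION SOURCE DEST PROTO DEST PORT(S), with the optional CLIENT PORT(S) and ORIGINAL DEST columns after those and "-" meaning "any". Running a small linter over the file before a restart catches most of what goes wrong in this thread. The one below is an added example, not Shorewall's own code and not from any poster here. It pads missing columns, then reports a zone:host part that is not an IP address or network (a placeholder such as ISP-ip left in), exact duplicate lines, an ACCEPT for tcp or udp with no destination port (which opens every port of that protocol and makes the port-specific ACCEPTs for the same source and destination redundant), and entries placed after the #LAST LINE marker, which is only a comment, so Shorewall loads them all the same. The sample input is the rules file posted above, embedded as test data; the zone names fw, net, loc and the keyword all are the assumption, and only plain addresses and CIDR lists are handled in the host part, not MAC addresses or negated hosts.

```python
"""Lint a Shorewall /etc/shorewall/rules file for the mistakes that bite in practice.

Added example, not part of Shorewall. Assumes the classic column layout
ACTION SOURCE DEST PROTO DEST_PORT(S) [CLIENT_PORT(S) [ORIGINAL_DEST]] and the
zones fw, net and loc plus the keyword "all".
"""
import ipaddress
import sys

# Constructed test input: the rules file posted above, placeholder left in on
# purpose so the "not an IP address" check fires.
SAMPLE_RULES = """\
ACCEPT all net:ISP-ip udp
ACCEPT all net:ISP-ip udp
#web browsing
ACCEPT fw net tcp 80
#ftp
ACCEPT fw net tcp 20,21
#mail
ACCEPT fw net tcp smtp,pop3
#newsgroups
ACCEPT fw net tcp nntp
ACCEPT fw net tcp
#msn-protocol: voice not included, no file transfer
ACCEPT fw net tcp 1863
#for bzflag
ACCEPT fw net udp 5155,5156
#connections that I certainly don't want - related connections are always passed
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
#identification port
DROP net fw tcp 113
DROP net fw udp 113
DROP net fw tcp 135
DROP net fw udp 135
#for my local computer: any other udp
REJECT loc fw udp
"""

ACTIONS = {"ACCEPT", "DROP", "REJECT", "LOG", "DNAT", "REDIRECT", "CONTINUE"}
ZONES = {"fw", "net", "loc", "all"}   # assumption: the zones used in this thread
COLUMNS = ("action", "source", "dest", "proto", "dport", "sport", "origdest")
LAST_LINE = "#LAST LINE"


def parse_rules(text):
    """Return (rules, marker_line). Each rule is a dict keyed by COLUMNS plus
    'line'; columns absent from the file are filled with '-' (Shorewall's 'any')."""
    rules, marker = [], None
    for n, raw in enumerate(text.splitlines(), 1):
        if raw.strip().startswith(LAST_LINE):
            marker = n
            continue
        cols = raw.split("#", 1)[0].split()      # drop comments and blank lines
        if not cols:
            continue
        cols = (cols + ["-"] * len(COLUMNS))[: len(COLUMNS)]
        rule = dict(zip(COLUMNS, cols))
        rule["line"] = n
        rules.append(rule)
    return rules, marker


def endpoint(spec):
    """Split 'zone' or 'zone:host1,host2' into (zone, [hosts])."""
    zone, _, hosts = spec.partition(":")
    return zone, [h for h in hosts.split(",") if h]


def lint(text):
    rules, marker = parse_rules(text)
    issues, seen = [], {}
    for r in rules:
        where = f"line {r['line']}:"
        if r["action"] not in ACTIONS:
            issues.append(f"{where} unknown action {r['action']!r}")
        for spec in (r["source"], r["dest"]):
            zone, hosts = endpoint(spec)
            if zone not in ZONES:
                issues.append(f"{where} unknown zone {zone!r}")
            for h in hosts:   # only plain addresses/CIDR handled, not MAC or '!' negation
                try:
                    ipaddress.ip_network(h, strict=False)
                except ValueError:
                    issues.append(f"{where} {h!r} is not an IP address or network (placeholder not replaced?)")
        key = tuple(r[c] for c in COLUMNS)
        if key in seen:
            issues.append(f"{where} duplicate of line {seen[key]}")
        seen.setdefault(key, r["line"])
        if r["action"] == "ACCEPT" and r["proto"] in ("tcp", "udp") and r["dport"] == "-":
            issues.append(f"{where} ACCEPT {r['source']} -> {r['dest']} {r['proto']} with no port opens every {r['proto']} port")
        if marker is not None and r["line"] > marker:
            issues.append(f"{where} placed after the LAST LINE marker (it is only a comment; Shorewall loads the rule anyway)")
    # An ACCEPT with no port makes every port-specific ACCEPT for the same
    # source/dest/proto redundant, wherever it sits in the file.
    broad = {(r["source"], r["dest"], r["proto"]): r["line"] for r in rules
             if r["action"] == "ACCEPT" and r["proto"] in ("tcp", "udp") and r["dport"] == "-"}
    for r in rules:
        key = (r["source"], r["dest"], r["proto"])
        if r["action"] == "ACCEPT" and r["dport"] != "-" and key in broad:
            issues.append(f"line {r['line']}: redundant, line {broad[key]} already accepts all {r['proto']} to {r['dest']}")
    issues.sort(key=lambda s: int(s.split()[1].rstrip(":")))
    return issues


if __name__ == "__main__":
    # usage: python3 rules_lint.py /etc/shorewall/rules   (no argument: the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RULES
    for issue in lint(text):
        print(issue)
```

On the posted file this reports the unreplaced placeholder and the duplicate on the first two lines, the port-less ACCEPT fw net tcp and the five outbound tcp rules it makes redundant, and the six entries below the marker; a file such as "ACCEPT net:192.168.1.0/24 fw tcp 137,138,139" above the marker comes back clean.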

Michel,

I did everything you recommended me to do, but it didn't work. I may have put your lines in the wrong spot in these files. Is there any possibility to transfer the config files electronically in one way or another, so that I can replace them? By the way, I have ADSL. So that doesn't explain the lack of success.


I placed the files on the server.. don't forget to change the IP to your ISP's IP (or the one you can detect in /var/log/syslog, like I explained.. (I think)).. it's the first 2 entries.. I placed <ISP-address> instead of the 2 IPs... The files on your hard drive are normally located in /etc/shorewall (back them up first!!). You see 2 entries because I got 2 IPs from my ISP.

 

 

If it does not work you could try to let through all UDP traffic for now...

for this, delete one rule with <ISP-address> (you only need 1 for this)

and remove :<ISP-address> after "net" in the other... this will allow all outgoing UDP traffic.

 

Hopefully it works.
