Contents:
  1. Shorewall Firewall Management System
    1. Preliminaries

Shorewall Firewall Management System

Yes, it is true that Canonical's Uncomplicated Firewall borrows a PF-like syntax for its commands, but being primarily a CLI, it falls well short of the same feel as PF. For Linux users, there is only one solution that provides a similar feel, and luckily for them, it is actually pretty damn good. Obviously, what we are talking about is Shorewall.

Shorewall can be used for very small firewalls, but where it really performs exceptionally is in large, complex firewalls. This is because Shorewall lets you plan out the firewall in several plain text files without having to learn any new syntax; from there, Shorewall does most of the work for you.

Shorewall is available for every distribution of Linux we have encountered, and not once have we had to compile it. Simply install it from your distribution's package manager.

Preliminaries

Assuming you have already enabled packet forwarding, the first decision you need to make is whether to use the annotated configuration files or not. If this is your first or even second time using Shorewall, go ahead and use them, as they are extremely informative. If there are just too many comments in there for you, you might at least want to keep them handy, as they make perfect cheat sheets.

Creating a blank slate

We recommend creating an empty folder somewhere on your system, both to keep a saved copy of your configuration files and to provide a workspace where you can edit the files in your favorite text editor without needing root permissions. We have adopted the habit of using a folder in our home directory named "Sandbox" to store such directories. So we make our directory with "mkdir -p ~/Sandbox/shorewall" and then copy the example configuration files shipped in the shorewall package into this folder for editing. These configuration files are normally stored in /usr/share/doc/shorewall/examples/ and broken down by number of interfaces. Each example folder contains two copies of each configuration file, one annotated and one not. You only need to copy one of each into your empty workspace folder. After editing, you copy the entire contents of this folder into /etc/shorewall/ and enable the system service. Also, not all files are required, and most likely some will not be used. You can simply exclude these or remove them from the workspace directory.
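The workspace procedure above, as an added shell example (not code from the original post or from the Shorewall project). It assumes the sample sets live under /usr/share/doc/shorewall/examples/<layout>/ and that the annotated twin of a sample file is named <file>.annotated; it stages one copy of each file into a non-root workspace and later copies the workspace into /etc/shorewall/.

```shell
#!/bin/sh
# Added example: stage Shorewall sample configs into a non-root workspace,
# picking either the annotated or the plain copy of each file, then deploy.
# Assumption: annotated copies are named <file>.annotated next to the plain file.

# stage_workspace SRC_DIR DEST_DIR MODE   (MODE = annotated | plain)
# Copies exactly one version of every sample file into DEST_DIR, always
# stored under the plain name so Shorewall will read it as-is.
stage_workspace() {
    src=$1; dest=$2; mode=$3
    mkdir -p "$dest" || return 1
    for f in "$src"/*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        case "$name" in *.annotated) continue ;; esac   # handled via its twin
        if [ "$mode" = annotated ] && [ -f "$f.annotated" ]; then
            cp "$f.annotated" "$dest/$name"     # keep the comments as a cheat sheet
        else
            cp "$f" "$dest/$name"               # plain copy (or no annotated twin)
        fi
    done
}

# count_staged DEST_DIR -> prints the number of regular files in the workspace
count_staged() {
    n=0
    for f in "$1"/*; do [ -f "$f" ] && n=$((n + 1)); done
    echo "$n"
}

# deploy_workspace WS_DIR [TARGET]  (TARGET defaults to /etc/shorewall)
# Copies the edited workspace into place; run this step as root.
# Files are made 0644 so the config is root-owned but world-readable,
# matching how the package ships them.
deploy_workspace() {
    ws=$1; target=${2:-/etc/shorewall}
    mkdir -p "$target" || return 1
    for f in "$ws"/*; do
        [ -f "$f" ] || continue
        cp "$f" "$target/" && chmod 0644 "$target/${f##*/}" || return 1
    done
}

# Usage when run directly:  sh stage.sh two-interfaces annotated
if [ $# -ge 1 ]; then
    stage_workspace "/usr/share/doc/shorewall/examples/$1" \
                    "$HOME/Sandbox/shorewall" "${2:-plain}"
fi
```

After editing, remove files you will not use (for example params or snat) from the workspace before calling deploy_workspace, then enable the shorewall service.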

Editing your configuration

The params file is where you enter custom macros/variables. If you have none to declare, you can remove this file. If this is a firewall for a single machine, you will not need the snat file; otherwise you will need it to set up masquerading.