The first featured tool is the shoreline firewall or shorewall. You can find the project at: http://www.shorewall.net/

Shorewall basically is a set of nice configuration files for iptables. Another benefit of shorewall is that it has no runtime part. You just fire up the tool, it configures your iptables and quits. This reduces the load and increases security. Additionally to the technical features there is one thing that makes shorewall really stand out: It has extensive, well-written and understandable documentation. You rarely find a use-case which is not already described in the documentation.

Read on to find out how to set up shorewall in minutes.

Setting up shorewall

In this section I will describe how to secure a single server directly connected to the internet. There is no hardware firewall or DMZ involved.

First you have to install shorewall on your server. Since I use Ubuntu 8.04 there is already a prepackaged version in the repository.

aptitude install shorewall

Then you have to copy some of the example configuration files to your /etc/shorewall directory.

cp -prv /usr/share/doc/shorewall-common/default-config/rules /etc/shorewall
cp -prv /usr/share/doc/shorewall-common/default-config/zones /etc/shorewall
cp -prv /usr/share/doc/shorewall-common/default-config/modules /etc/shorewall
cp -prv /usr/share/doc/shorewall-common/default-config/interfaces /etc/shorewall
cp -prv /usr/share/doc/shorewall-common/default-config/policy /etc/shorewall

To understand the meaning I will first give a very short explanation of the shorewall terminology (the terms are pretty standard): Shorewall sees the network as a collection of zones (your local network, the internet, the firewall host itself, …). Network interfaces (eth0, eth1, …) are connected to the zones and allow traffic to move in and out. If traffic want’s to move between zones the firewall checks the configured rules wether there is a rule allowing or denying the traffic flow. If there is no rule for the specific case it applies a policy (default rule).

With this in mind the filenames should be straightforward to understand. The modules file loads shorewall specific modules (for example enables the ftp connection tracking). You don’t have to modify the modules file for a basic setup.

Lets first define the zones in the zones file.

###############################################################################
#ZONE   TYPE            OPTIONS         IN                      OUT
#                                       OPTIONS                 OPTIONS
fw      firewall
net     ipv4
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

As you can see there are only two zones defined: The internet (net) and the server itself (fw).

We now connect the network interfaces to the zones using the interfaces file.

###############################################################################
#ZONE   INTERFACE       BROADCAST       OPTIONS
net     eth0            detect          norfc1918
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

That’s it. If you have more interfaces you of course have to connect these to the zones too. But if this is the case it’s very likely that you are striving for a more complex configuration anyway.

After defining the traffic sources we will now implement the default policy using the policy file.

###############################################################################
#SOURCE         DEST            POLICY          LOG             LIMIT:BURST
#                                               LEVEL
fw              net             ACCEPT
net             fw              DROP
all             all             DROP
#LAST LINE -- DO NOT REMOVE

This policy allows the firewall to access all internet services and drops all incoming connections silently. Since this is not very useful for a server we now allow public access to some specific services by defining some rules in the rules file.

#############################################################################
#ACTION         SOURCE          DEST            PROTO   DEST    SOURCE
#                                                       PORT    PORT(S)
#SECTION ESTABLISHED
#SECTION RELATED
SECTION NEW
ACCEPT          net             fw              icmp    echo-request
ACCEPT          net             fw              tcp     22
ACCEPT          net             fw              tcp     80
ACCEPT          net             fw              tcp     443
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

As cou can see we allowed our server to reply to pings, incoming SSH connections and to serve up websites through HTTP and HTTPS.

In Ubuntu you now have to set the startup variable in /etc/default/shorewall to 1 and run /etc/init.d/shorewall start. Be sure to check that everything works as expected before you close your SSH session!.

That’s it. Visit the shorewall website for more information.