Prompt and Powerful Personal Firewalling with Shorewall

[RTFMish]

[sfp-a7x]

Why must all the IP tables stuff be compiled into the kernel? Why can't I compile them as modules?

[SchrodingerPenguin]

Sith_Happens,

Thanks heaps for a tutorial which includes the why as well as just the what-to-do. I followed it as written and my firewall worked brilliantly - AND I had the bit of understanding required to then customise it to my requirements.

I had a small bit of trouble when I just upgraded to Shorewall 2.2, and think you should edit the tutorial to include the fact that in newer versions of Shorewall, you must change one of the first lines in /etc/shorewall/shorewall.conf to

[Zampf]

Thanks for this great, simple, tutorial and turning me on to Shorewall -- Iptables can be a royal pain to fudge with by hand.

*bow*

[rek2]

not bad.
_________________
http://www.dailyradical.org
http://www.binaryfreedom.info
use jabber!!! sing on now, register an account:
http://jabber.binaryfreedom.info

[asiB4]

Yeah...ok, this is an old thread, but I have been looking for a way to "secure" my boxes at home, and this tutorial fit the bill. Everything else I have been trying to experiment with was basically turning my main box into a honeypot, which would be just shooting myself in the foot. Reading the various iptables tutorials online made no sense to me, and frankly made my head hurt. With this tutorial iptables is starting to make a lot more sense to me now! Compiled the kernel with needed support, emerged everything I needed, config'd everything...customized it for what I needed and time will tell whether I was successful or not. Thanks a million!

Chad
_________________
Registered Linux User #332738

[rim]

Hi,
I am new to Gentoo and forums - so I ask for your patience.

I followed the Shorewall tutotial but upon running the final commands (rc-update etc)
I received the following message:

Error: Traffic shaping requires mangle support in kernel your kernel and iptables
/etc/init.d/shorewall: line 14: 9488 Terminated /sbin/shorewall start >/dev/null

I did amend my kernel as instructed though... Any ideas (please keep jargon to a minimum as I am still learning)

Cheers

[asiB4]

[rim]

Just wanted to thank asiB4 for the help. Works a treat now. Cheers

[manouchk]

I have a problem similar to the one rim had but in my kernel I couldn't find any mangle stuff related see my post if you wish to help me :

https://forums.gentoo.org/viewtopic-p-3367938.html#3367938

[orange_juice]

Hallo,

I had the same problem as manouchk and rim.
The problem occured after upgrading to gentoo-sources-2.6.16-r9 from gentoo-sources-2.6.14-gentoo-r5.
Actually, the last entry :

[manouchk]

Well find orange_juice! Now it seems to be Okay! Now just configuration problem!

I don't wy I can't ping when shorewall is started?
and I'm having a problem with printing on a windows shared printer of IP 152.84.250.x . ping. I use to be able to print on mandriva usin those 4 rules to accept all traffic from the computer :

ACCEPT net:152.84.250.x fw tcp - - - 2/sec:10
ACCEPT net:152.84.250.x fw udp - - - 2/sec:10
ACCEPT fw net:152.84.250.x tcp -
ACCEPT fw net:152.84.250.x udp -

but it doe not print here
my shorewall conf files are :

[code]
tail -v /etc/shorewall/interfaces;tail -v /etc/shorewall/policy;tail -n 28 -v /etc/shorewall/rules
==> /etc/shorewall/interfaces <==
#
# net ppp0 -
#
# For additional information, see
# http://shorewall.net/Documentation.htm#Interfaces
#
###############################################################################
#ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
==> /etc/shorewall/policy <==
# See http://shorewall.net/Documentation.htm#Policy for additional information.
#
###############################################################################
#SOURCE DEST POLICY LOG LIMIT:BURST
net all DROP info
# LEVEL
# THE FOLLOWING POLICY MUST BE LAST
#
all all REJECT info
#LAST LINE -- DO NOT REMOVE
==> /etc/shorewall/rules <==
ACCEPT fw net tcp 80 #http
ACCEPT fw net udp 80 #http
ACCEPT fw net tcp 443 #https
ACCEPT fw net udp 443 #https
ACCEPT fw net tcp 21 #ftp
ACCEPT fw net tcp 53 #DNS
ACCEPT fw net udp 53 #DNS
ACCEPT fw net tcp 110 #unsecure Pop3
ACCEPT fw net tcp 995 #Secure Pop3
ACCEPT fw net tcp 873 #rsync
ACCEPT fw net tcp 25 #unsecure SMTP
ACCEPT fw net tcp 465 #SMTP over SSL
ACCEPT fw net tcp 5190 #AIM/ICQ
ACCEPT fw net tcp 5060 #openwengo
ACCEPT fw net tcp 10600 #openwengo
ACCEPT fw net tcp 10601 #openwengo
ACCEPT net fw tcp 5060 #openwengo
ACCEPT net fw tcp 10600 #openwengo
ACCEPT net fw tcp 10601 #openwengo
ACCEPT net:152.84.250.60 fw tcp - - - 2/sec:10
ACCEPT net:152.84.250.60 fw udp - - - 2/sec:10
ACCEPT fw net:152.84.250.60 tcp -
ACCEPT fw net:152.84.250.60 udp -
ACCEPT net fw udp 6881:6889 -
ACCEPT net fw tcp 22 -
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
[/code

I putted the iptable -L here http://emmanuelfavrenicolin.free.fr//Public/Divers/iptable_out

I think I missed something!

[kbps]

for ping add to "/etc/shorewall/rules"

[manouchk]

I switched to firestarter which was much easier to deal with. It is very practical (but maybe not as powerfull but my needs are simple, it's just a standalone computer). When the firestarter front-end is started, it shows connection which is very practical for me because I need to print on windows and port changes... so that I can open one more port if printing fails...

[Bizarro]

I love you

/heh

[carpman]

Hello, ok have small problem.

After following guide and trying to start shorewall i get: