**SUPPORT** Personal Firewall with Shorewall Tutorial

[Sith_Happens]

This is the support thread for the Prompt and Powerful Firewalling with Shorewall tutorial. Haven't read it? Check it out and tell me what you think. If you've read it and need some help, post here and I'll see what I can do.

[WarMachine]

Would you consider expanding the tutorial to include instructions on how to configure shorewall for systems functioning as internet gateways?

[Sith_Happens]

Maybe I'll make a second tutorial to do that. This tutorial has a clear purpose and to expand upon it would take away from that. However, I wrote the tutorial with the hope that it not only gives a quick how-to that allows you to set up a personal firewall, but that it gives you enough of the basics of Shorewall that a more advanced configuration is eaisier to concieve and execute. The other nice thing about shorewall is their is a great deal of documentation that is available to you. Not only in man and info pages, but in the config files, and on their website. Check out this tutorial on setting up a bridge/router, and see if it helps you.

[Sheepdogj15]

i'm just posting to let you know if you do decide to write tutorial for setting up a firewall/gateway box, i'd use it. i actually tried setting up M0n0wall (like Smoothwall except based on FreBSD. site: http://m0n0.ch/wall) on a spare PC i had handy, but the install failed miserably.

i was thinking of switching to Smoothwall, but i like the idea of using Shorewall on Gentoo as it looks like it would give me more options. (i like bells and whistles.. ahem, i mean secured bells and whistles )

otherwise, i'll probably just check out the tutorial from the Shorewall website.

[Sith_Happens]

Here is a better tutorial from the site for setting up a simple two zone (loc and net) firewall/router. I was looking for this one earlier, but I could only find the first tutorial. I think if I were to create a tutorial for a two interface shorewall set up it would probably be a recreation of this only specifically for gentoo users. The other difference is this tutorial sets up a policy to accept all outgoing connections, as opposed to my approch which is to decide what outgoing connections I want to allow. See if this helps, if you have any questions from this two interface tutorial I can probably help you in this thread as well.

[rhill]

very nice. i'm just emerging shorewall now, after skimming over the tutorial. i just wanted to say thanks. it seems that everything written on the topic of linux and networking immediately assumes you have more than one box. i've been looking for a good guide applicable to a single pc setup for a while now.

[jdeane]

Thanks for the tutorial, just what I was looking for,
Jon

[Sheepdogj15]

excellent. thank you.

i might still use your tutorial for my local box as well. can never be too paranoid these days, eh?

[Sith_Happens]

I'm really pleased with the positive feedback. If you guys have any problems with the tutorial tell me your suggestions, if I can make it easier to understand or clearer in any part I'd like to know.

[spike_spiegel]

Shorewall seems pretty nice, but so far, Ive seen nothing that will help me set it up for my router and windows PC's.

Ill try and mess around with it some more, but any help would be great.
____
spike
Ircop at irc.Aniverse.net
#linux

[Sith_Happens]

Did you look at this tutorial?

[Sith_Happens]

Here is a tutorial on the Shorewall site for setting up a standalone firewall. Read my criticism of this how-to in the tutorial thread however before following it. Thanks to Krolden for posting the link.

[Dumphrey]

I apprecite the how-to. I had no idea shoewwall was out there till i stumbled on this thread. I had been trying to set up ip-tables manually. Gahh!
Shorewall is my new buddy.

[Sith_Happens]

Shorewall is certainly easier to understand than iptables by itself. Shorewall allows you to quickly and simply create a complex iptables setup in no time.

[Andersson]

I've only been using iptables until now, it's been working great. It never hurts trying new solutions, though. Shorewall might be a little quicker and give a little better overview. I'll try it for a while and see if I like it better.

Ok, how about this, I wish to have an ssh server running on port 22 (done), but drop connections to this port from the internet (done), then redirect internet connections addressed to port 2222, to port 22.

This is to avoid those annoying bots attempting to log in. So why not run the server on port 2222 and simply ACCEPT connections to that port? Well, I want to use port 22 to save me from typing "-p 2222" when I'm on the local network.

So anyway, this is my attempt but it does not work.

Code: Select all

#ACTION  SOURCE         DEST            PROTO   DEST    SOURCE     ORIGINAL     RATE            USER/
#                                               PORT    PORT(S)    DEST         LIMIT           GROUP
REDIRECT net            22              tcp     2222    -          fw

I may have confused DEST, DEST PORT and ORIGINAL DEST, but I haven't been able to test since I get the following error:

Code: Select all

bash-2.05b# /etc/init.d/shorewall start
 * Starting firewall...
   Warning: Zone dmz is empty
iptables v1.2.11: host/network `fw' not found
Try `iptables -h' or 'iptables --help' for more information.
/sbin/runscript.sh: line 532: 17543 Avslutad     /sbin/shorewall start >/dev/null                 [ !! ]

Suggestions?

[Sith_Happens]

Try

Code: Select all

#ACTION  SOURCE         DEST            PROTO   DEST    SOURCE     ORIGINAL     RATE            USER/
#                                               PORT    PORT(S)    DEST         LIMIT           GROUP
REDIRECT net            22              tcp     2222 

[Andersson]

So a single port number means a port on the firewall itself?

I get no errors from shorewall using your rule. I still can't connect, but I must have misconfigured sshd somehow

[Sith_Happens]

Well, let's test it just to be sure the rule is working. Go to this site and have it scan port 2222 on your firewall. Then run dmesg, it should have an entry for the scan, post that shorewall message, and we'll see if it works.

[Andersson]

It works like a charm! And the sshd wasn't misconfigured -just not started

[Sith_Happens]

The thing about redirect is it implies you are talking about traffic to the firewall.

[Gripp]

hmm.. ofcoarse everything i do has a catch eh
at the line

Code: Select all

/etc/init.d/shorewall start

i get:

Code: Select all

modprobe: Can't locate module ip_tables
iptables v1.2.11: can't initialize iptables table `filter': iptables who? (do yo u need to insmod?)

then, after doing that several times it gives me:

Code: Select all

/sbin/runscript.sh: line 532:   877 Terminated              /sbin/shorewall star t >/dev/null                                                              [ !! ]

#$%^# root # 

i have kernel 2.4.28-r7 -- looking at the portage description of it, 2.4 is what it needs.
and it does have loadable module support...

i just ran emerge --sync today
the best i find in my kernel is "network packet filter (replaces IPTABLES)"
any ideas?

[trooper_ryan]

I'm being finicky, but perhaps the subject should not include the phrase "Personal firewall". This suggests an app that interacts with the user.

Got me all excited - bastards!

[Sith_Happens]

This suggests an app that interacts with the user.

I think "personal firewall" represents a firewall for a standalone machine as opposed to a dedicated firewall for a network. Just so I know, what were you looking for as far as interactivity? A GUI? If that's the case maybe you should look into KMyFirewall. Personally, I think GUI's make it much more difficult to configure anything, but thats just me.

[trooper_ryan]

I think "personal firewall" represents a firewall for a standalone machine as opposed to a dedicated firewall for a network. Just so I know, what were you looking for as far as interactivity?

Personal firewall products are generally desktop based and have a learning capability. e.g if I initiate an FTP session the personal firewall will pop up a dialogue asking if FTP should be allowed temporarily or permanently.

I haven't seen any products like this for linux, but on Windoze there are many examples: Tiny, ISS, ZoneAlarm etc etc

[Sith_Happens]

I think "personal firewall" represents a firewall for a standalone machine as opposed to a dedicated firewall for a network. Just so I know, what were you looking for as far as interactivity?

Personal firewall products are generally desktop based and have a learning capability. e.g if I initiate an FTP session the personal firewall will pop up a dialogue asking if FTP should be allowed temporarily or permanently.

I haven't seen any products like this for linux, but on Windoze there are many examples: Tiny, ISS, ZoneAlarm etc etc

Well, the definition of a "personal firewall" is one which protects a single computer with one network connection. What you are looking for isn't so much a personal firewall as it is an "idiot firewall" . In that case I would still suggest you take a look at KMyFirwall.