# Prompt and Powerful Personal Firewalling with Shorewall

## Sith_Happens

```
Requirements for this tutorial:

Linux 2.4 or 2.6 kernel:  This should be most everybody. Shorewall requires Netfilter,
                          which is only in 2.4 and later kernels (see Section 2 for
                          configuration instructions).

Shorewall:                In Portage as "shorewall". This tutorial is written using the
                          latest unmasked version, 2.0.7. I'll update it as necessary as
                          later versions become unmasked.

iptables:                 In Portage as "iptables". This tutorial is written using the
                          latest unmasked version, 1.2.11-r3. See Section 3.

iproute2:                 In Portage as "iproute2". This tutorial is written using the
                          latest unmasked version, 2.6.10.20050112-r1. See Section 3.

Breakdown of the Tutorial:

          Section 1: Introduction: Linux security and the Shoreline Firewall Utility (Shorewall)
          Section 2: Kernel Configuration
          Section 3: Emerging Shorewall
          Section 4: Configuring Shorewall
                       4.a: /etc/shorewall/interfaces
                       4.b: /etc/shorewall/policy
                       4.c: /etc/shorewall/rules
          Section 5: Finalization and Testing
          Section 6: Stopping and Starting Shorewall
          Section 7: Logging Shorewall Messages
```

Section 1: Introduction: Linux security and the Shoreline Firewall Utility (Shorewall)

One of the main reasons people switch to Linux is "because it is more secure", but the truth is that Linux is only as secure as you make it.  What I find amazing is the number of people who neglect to set up a proper firewall; without one, your super secure Linux box is just a big bullseye.  So no more excuses: it's time to take the security of your system into your own hands and set up an effective and usable personal firewall for your desktop.  I call this a "tutorial" instead of a "how-to" because I try to give some explanation while guiding you through firewall setup.  If you give a man a fish, he will eat for a day.....  As you may have guessed, this tutorial is aimed at desktop users of Linux who want to set up a personal firewall that works without much fuss.  If that's what you're looking for, read on, this is for you.  If not, read on anyway, you might learn something.  Either that or you'll see a mistake or a way to improve on what I'm about to say, in which case I'd appreciate your input.

Now, down to business.  When it comes to a firewall utility that's simple to set up, easy to understand, and all powerful, I default to Shorewall.  What is Shorewall you ask?  Let's turn to the developers themselves:

 *Tom Eastep wrote:*   

> The Shoreline Firewall, more commonly known as Shorewall, is a high-level tool for configuring Netfilter. You describe your firewall/gateway requirements using entries in a set of configuration files. Shorewall reads those configuration files and, with the help of the iptables utility, configures Netfilter to match your requirements.

 

What does that mean?  It means that Shorewall gives you a simplified way to configure the packet filtering built into the Linux kernel, making your Linux box as secure as its OS is cracked up to be.  It is important to realize, however, that although a firewall is a great first line of defense, it isn't a guarantee of security: it controls which connections reach (or leave) your machine, and it does nothing about a vulnerability in a service you have chosen to expose or in a client program you use to connect out.  Setting up a well configured firewall will nevertheless make you much more secure, and as you'll see it's very simple to do.

Section 2: Kernel Configuration

Before we begin, let's make sure that you've compiled your kernel with the built in packet filtering capabilities Shorewall is supposed to take advantage of.  So, run:

```
cd /usr/src/linux
make menuconfig
```

Then check to make sure you have netfilter compiled into your kernel:

```
# For 2.6 kernels look under:
Device Drivers --->
     Networking support --->
           Networking options --->
                 [*] Network packet filtering (replaces ipchains) --->
                       IP: Netfilter Configuration --->
                             <*> Connection tracking (required for masq/NAT)
                             <*> IP tables support (required for filtering/masq/NAT)
                                   # Include (<*> not <M>) all options and sub options under IP tables support

# For 2.4 kernels look under:
Networking options --->
      [*] Network packet filtering (replaces ipchains)
            IP: Netfilter Configuration --->
                  <*> Connection tracking (required for masq/NAT)
                  <*> IP tables support (required for filtering/masq/NAT)
                        # Include (<*> not <M>) all options and sub options under IP tables support
```

If you don't have Netfilter compiled into your kernel, press "y" to add the options, then recompile and install your kernel just like you did when you first installed Gentoo.  Genkernel users should run genkernel --menuconfig kernel, verify that the Netfilter options are included, and let genkernel recompile and install the kernel.  Connection tracking in particular is not optional: Shorewall's stateful rules (accepting the replies to connections you opened while dropping everything unsolicited) depend on it.
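As an added check that is not part of the original tutorial: the following shell function scans a kernel .config (the file make menuconfig writes in /usr/src/linux) for the Netfilter options the rest of this tutorial relies on and reports anything missing or built as a module. The option names are the 2.6-era ones (CONFIG_IP_NF_CONNTRACK and friends); the sample config embedded below is constructed for the demonstration and deliberately leaves one option out.

```shell
#!/bin/sh
# Report the Netfilter options a 2.6-era kernel .config needs for Shorewall.
# Prints one line per option: "ok", "module" (works if loaded) or "MISSING".
# Returns 0 when every option is built in or modular, 1 otherwise.
check_netfilter_config() {
    config_file=$1
    missing=0
    # Minimum set used by the interfaces/policy/rules in this tutorial:
    # packet filtering itself, connection tracking (stateful rules), the
    # filter table, the state match, and the LOG and REJECT targets.
    for opt in CONFIG_NETFILTER CONFIG_IP_NF_CONNTRACK CONFIG_IP_NF_IPTABLES \
               CONFIG_IP_NF_FILTER CONFIG_IP_NF_MATCH_STATE \
               CONFIG_IP_NF_TARGET_LOG CONFIG_IP_NF_TARGET_REJECT; do
        if grep -q "^${opt}=y" "$config_file"; then
            echo "$opt: ok"
        elif grep -q "^${opt}=m" "$config_file"; then
            echo "$opt: module (make sure it is loaded before Shorewall starts)"
        else
            echo "$opt: MISSING"
            missing=1
        fi
    done
    return $missing
}

# Constructed sample .config for the demonstration: everything built in
# except the REJECT target, which is absent (so the check must fail).
sample_config=$(mktemp)
cat > "$sample_config" <<'EOF'
CONFIG_NETFILTER=y
CONFIG_IP_NF_CONNTRACK=y
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_MATCH_STATE=y
CONFIG_IP_NF_TARGET_LOG=m
# CONFIG_IP_NF_TARGET_REJECT is not set
EOF

check_netfilter_config "$sample_config" && echo "all present" || echo "fix your kernel config"
rm -f "$sample_config"
```

On a real box, point the function at /usr/src/linux/.config (or zcat /proc/config.gz into a temporary file if your kernel exposes it).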

Section 3: Emerge Shorewall (Does this really need its own section?)

Once you've verified that your kernel is configured to use Netfilter, we can start with Shorewall itself.  A wise man (Lao Tzu) once said "A journey of a thousand miles begins with one step."  So, first step: emerge Shorewall (this will also pull in iptables and iproute2 as dependencies).

```
emerge shorewall
```

Are you done yet?  It's not that large of a compile... all right, I'll give you a minute.  Done?  Good.

Section 4: Configuring Shorewall

Setting up a personal firewall in Shorewall comes down to three configuration files, that's it.  There are more, but for this tutorial only three need concern you, and all are contained within /etc/shorewall: /etc/shorewall/interfaces, /etc/shorewall/policy, and /etc/shorewall/rules.

A central concept in the configuration of Shorewall is the zone.  A zone is a named group of hosts that you can easily assign traffic policies and rules to.  For this tutorial, the only zone we will concern ourselves with is the net zone, which consists of every host reachable through your internet interface, that is, everyone but you.  The net zone contains both legitimate and illegitimate connections, so we must strike a balance between protection and usability in the policies and rules we create for it.  Before we create any rules for this zone, however, we must first define it.

4.a: /etc/shorewall/interfaces

This is where /etc/shorewall/interfaces comes in.  This part is very simple, so I won't give too much explanation outside of the relevant portion of the file itself.  The first portion of every configuration file is a commented section explaining the use of the file in detail, so please, read it.  The last portion is the "business end" of the config file.  In this case, we assume that the computer is connected to the internet on the interface eth0; if yours is eth1, ppp0 or something else, substitute it.  The two options used here matter for a desktop: dhcp tells Shorewall to let the DHCP exchange in and out of the interface (without it, a DHCP-configured box can't obtain or renew its lease once the firewall is up), and nosmurfs drops packets whose source is a broadcast address.  The other options are explained in the file itself, so add any that apply to your configuration.  For most people, the zone, the interface and these two options will suffice.

```
##############################################################################
#ZONE    INTERFACE      BROADCAST       OPTIONS
#
net      eth0           detect          dhcp,nosmurfs
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
```

4.b: /etc/shorewall/policy

Now that we've defined the net zone, we have to create an overall policy telling Shorewall how to handle traffic between your computer (designated fw in the remaining config files) and the net zone.  This is done in /etc/shorewall/policy.  If you are using your computer as a desktop, you probably don't need to accept any new connections from the internet, so our first policy is to drop all new incoming connections from the net zone.  The reason for dropping rather than rejecting is simple.  If a connection is rejected, it is blocked, but a packet (a TCP RST or an ICMP unreachable) is sent back to the requester.  That reply confirms that a machine is up at your address, and its details can help fingerprint your OS.  Why give them that edge?  Dropping packets instead makes you look a lot like an unused address to anyone sweeping the internet for targets.  Don't overestimate this, though: a scanner that already knows your address, or that sees a single open port, knows you exist, and a run of timeouts on every port is itself the signature of a filtering host.  DROP reduces noise and information leakage; it is not invisibility.  Finally, we add a catch-all policy telling Shorewall to reject all traffic from all sources, that is, to block all remaining traffic from the internet to your computer and vice versa (this sounds stupid, but bear with me).  The info in the LOG LEVEL column means that every packet which falls through to one of these policies is logged at syslog level info; Section 7 shows how to collect those messages.  Here is how your /etc/shorewall/policy file should end up looking.

```
###############################################################################
#SOURCE         DEST            POLICY          LOG             LIMIT:BURST
#                                               LEVEL
net             all             DROP            info
#
# THE FOLLOWING POLICY MUST BE LAST
#
all             all             REJECT          info
#LAST LINE -- DO NOT REMOVE
```

At this point you may be asking yourself, "If Shorewall is blocking everything, why don't I just unplug the network cable?  It'll have the same effect and I won't have to read your stupid tutorial."  If this is running through your mind, you are correct.  If we stopped right now, your computer would be absolutely useless, but creating this general policy is a good idea.  What we are saying with this policy is that the only traffic allowed to or from this computer is traffic we explicitly specify.  The reason for restricting traffic from your computer as well is to make it harder for a trojan or other malware to phone home: anything that tries an outbound port you haven't allowed is rejected and logged.  Be honest about the limit of this, though.  A rule that allows fw to net on tcp 80 allows any program on the box to talk to any web server, so malware that uses HTTP passes just as freely as your browser does.  Port-based egress filtering catches the careless stuff and gives you a log entry when something unexpected tries to get out; it is not application control.

4.c: /etc/shorewall/rules

As I said in the beginning of this tutorial, we have to find a middle ground between security and usability.  We've taken care of the security part; in fact your computer is so secure it is impractical.  Now we need to add some usability, and we do this in /etc/shorewall/rules.  Rules are consulted before the policy: the first rule that matches a new connection decides its fate, and only connections that match no rule fall through to the policy for their zone pair.  As I said before, the only traffic you will probably need to allow is connections from your computer (fw) to specific ports on computers on the internet (net).  This example file contains some common entries that you may want to add to your /etc/shorewall/rules file.  For more rule examples, check out the rules page on the Shorewall site.  Here is an example /etc/shorewall/rules.

```
####################################################################################################
#ACTION  SOURCE         DEST            PROTO   DEST    SOURCE     ORIGINAL     RATE            USER/
#                                               PORT    PORT(S)    DEST         LIMIT           GROUP
# http and https are TCP only; there is nothing to allow on udp 80/443
ACCEPT   fw             net             tcp     80      #http
ACCEPT   fw             net             tcp     443     #https
# ftp: this opens the control channel only. Passive-mode data connections are
# accepted as RELATED once the ip_conntrack_ftp kernel module is loaded.
ACCEPT   fw             net             tcp     21      #ftp
ACCEPT   fw             net             tcp     53      #DNS
ACCEPT   fw             net             udp     53      #DNS
ACCEPT   fw             net             tcp     110     #unsecure POP3
ACCEPT   fw             net             tcp     995     #POP3 over SSL
ACCEPT   fw             net             tcp     873     #rsync
ACCEPT   fw             net             tcp     25      #unsecure SMTP
ACCEPT   fw             net             tcp     465     #SMTP over SSL
ACCEPT   fw             net             tcp     5190    #AIM/ICQ
DROP     net            fw              tcp     113     #AUTH/IDENT, added to show how to block a port
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
```
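To make the ordering concrete, here is an added example (my own, not part of the original tutorial and not Shorewall code) that replays the decision Shorewall makes for a few new connections against the policy and rules shown above: rules first, first match wins, then the policy entries in file order, with all matching any zone. It leaves out what real Shorewall does before this point (accepting ESTABLISHED and RELATED traffic, the dhcp and nosmurfs interface options), so it shows where a new connection lands and nothing more. Note the result for fw to net udp 123: outbound NTP is not in the rules above, so it falls through to the final REJECT policy, which is exactly the kind of entry you will find in the log once this configuration is live.

```shell
#!/bin/sh
# Replay Shorewall's "rules first, then policy" decision for a new connection.
# The rules and policy tables are the ones from this tutorial, embedded here
# (minus comments) as constructed sample data for the demonstration.

RULES='
ACCEPT   fw   net  tcp  80
ACCEPT   fw   net  tcp  443
ACCEPT   fw   net  tcp  21
ACCEPT   fw   net  tcp  53
ACCEPT   fw   net  udp  53
ACCEPT   fw   net  tcp  110
ACCEPT   fw   net  tcp  995
ACCEPT   fw   net  tcp  873
ACCEPT   fw   net  tcp  25
ACCEPT   fw   net  tcp  465
ACCEPT   fw   net  tcp  5190
DROP     net  fw   tcp  113
'

POLICY='
net  all  DROP    info
all  all  REJECT  info
'

# fate SRC_ZONE DST_ZONE PROTO DPORT  -> prints "ACTION (rule|policy)"
fate() {
    src=$1 dst=$2 proto=$3 dport=$4
    # 1. Rules: the first line matching zone pair, protocol and port wins.
    hit=$(printf '%s\n' "$RULES" | awk -v s="$src" -v d="$dst" -v p="$proto" -v dp="$dport" '
        NF == 5 && $2 == s && $3 == d && $4 == p && $5 == dp { print $1; exit }')
    if [ -n "$hit" ]; then
        echo "$hit (rule)"
        return
    fi
    # 2. Policy: the first entry whose SOURCE and DEST match, "all" matching any zone.
    hit=$(printf '%s\n' "$POLICY" | awk -v s="$src" -v d="$dst" '
        NF >= 3 && ($1 == s || $1 == "all") && ($2 == d || $2 == "all") { print $3; exit }')
    echo "${hit:-NO-POLICY} (policy)"
}

# Demonstration: where a few new connections land under this configuration.
for pkt in "fw net tcp 80" "fw net udp 123" "net fw tcp 22" "net fw tcp 113"; do
    # word splitting of $pkt into the four arguments is intended
    printf '%-20s -> %s\n' "$pkt" "$(fate $pkt)"
done
```

Running it prints ACCEPT (rule) for the web connection, REJECT (policy) for NTP, DROP (policy) for an inbound SSH attempt, and DROP (rule) for the ident probe; the last two look identical on the wire, but the log prefix tells you which chain produced them.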

Section 5: Finalization/Testing

Now add Shorewall to the default runlevel and start it:

```
rc-update add shorewall default && /etc/init.d/shorewall start
```

If you want Shorewall to parse your files and point out mistakes before it touches Netfilter, run shorewall check first.  And you're done!  Wasn't that simple?  In fact, it's so simple you probably can't believe you have a firewall running.  Don't trust me?  Then test your new firewall.  A quick local check is iptables -L -n -v, which lists the chains Shorewall built together with a packet counter for every rule; the DROP and REJECT counters should climb as you use the machine.  For a view from outside, there is a great computer security webpage aimed more at Windows slaves, I mean users, that nevertheless contains some great information.  It has a feature called "Shields Up" (the link is about halfway down the main page) that port scans your computer and tests your firewall.  With the policy above every unsolicited packet from the net zone is dropped, so a port reported as closed rather than stealthed (that is, rejected rather than dropped) means something other than this configuration is answering: most often a router or modem between you and the internet, or a rule you added that accepts or rejects net to fw traffic.  Find that rule, or add one like the last line in the example /etc/shorewall/rules to nip it in the bum.  Keep in mind that a scan from one site tests one vantage point only; it says nothing about what hosts on your own LAN can reach.  I hope this tutorial helps somebody, and I'd be happy to hear any feedback or constructive comments ("Your tutorial sucks!!!" is not a constructive comment).

Section 6: Stopping and Starting Shorewall

One thing that people are often confused about with Shorewall is that shorewall stop (or /etc/init.d/shorewall stop) doesn't really "stop" Shorewall in the sense of removing the firewall.  When you stop Shorewall this way, the box locks down: all traffic is blocked except what you have listed in /etc/shorewall/routestopped.  If you want two-way connections to another machine on the network while Shorewall is stopped, add the interface it reaches the firewall on and its IP address to /etc/shorewall/routestopped.  Do this before you ever stop or restart Shorewall over SSH from that machine: a restart whose new configuration fails to load leaves the firewall in this same stopped state, and without a routestopped entry you are locked out until you can reach the console.  If you really want to "stop" Shorewall, that is, make Netfilter ACCEPT all packets, issue the clear command, either /etc/init.d/shorewall clear or shorewall clear.  Treat clear as a troubleshooting step only: with the rules cleared every service on the box is reachable from the net zone, so start Shorewall again as soon as you've finished.

Section 7: Logging Shorewall Messages

This last part is for users of syslog-ng who want to log Shorewall messages to a separate log file (you can also run shorewall logwatch to look at the latest Shorewall messages).  The messages come from the kernel's LOG target and carry the prefix Shorewall:<chain>:<disposition>: (for example Shorewall:net2all:DROP:), which is why a match on "Shorewall" is enough to pick them out.  Just add these lines to /etc/syslog-ng/syslog-ng.conf:

```
## You shouldn't need to add this line, it's probably already there,
## but I include it because the log statements below reference it.
source src { unix-stream("/dev/log"); internal(); pipe ("/proc/kmsg"); };

## You do need to add these lines. Create /var/log/shorewall first
## (or add create_dirs(yes) to the options section) so syslog-ng can open the file.
destination d_shorewall { file ("/var/log/shorewall/shorewall.log"); };
filter f_shorewall { match ("Shorewall"); };

## If you don't want Shorewall messages logged to /var/log/messages
## anymore, add this filter as well.
filter f_not_shorewall { not match ("Shorewall"); };

## Then add this to log Shorewall messages to your Shorewall log.
log { source(src); filter (f_shorewall); destination (d_shorewall); };

## If you don't want Shorewall messages logged to any other destination,
## such as /var/log/messages, REPLACE the existing
## "log { source(src); destination(messages); };" statement with this one;
## adding it alongside the old one would still log everything to messages.
log { source(src); filter (f_not_shorewall); destination(messages); };
```
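Once the messages land in one file, the next thing you want is a summary rather than a scroll. As an added example (mine, not from the tutorial or the Shorewall project), the shell function below reads Shorewall log lines, keeps only the DROP and REJECT entries, and counts them per source address, destination port and protocol, most frequent first. The log lines it runs on are constructed for the demonstration: they follow the kernel LOG format with Shorewall's default prefix Shorewall:<chain>:<disposition>:, but the hostname, timestamps and addresses are made up.

```shell
#!/bin/sh
# Summarise dropped/rejected packets from a Shorewall log.
# Usage: summarise_shorewall_log FILE
#   -> lines "COUNT DISPOSITION SRC -> DPT/PROTO", most frequent first.
summarise_shorewall_log() {
    # Each kernel log line carries the Shorewall prefix followed by key=value
    # fields; take the disposition from the prefix and SRC=, DPT= and PROTO=
    # from the rest of the line.
    awk '
        /Shorewall:/ {
            # Prefix looks like Shorewall:net2all:DROP: ; split it on ":".
            n = index($0, "Shorewall:")
            split(substr($0, n), pfx, ":")
            disp = pfx[3]
            if (disp != "DROP" && disp != "REJECT") next   # ignore ACCEPT logs
            src = ""; dpt = ""; proto = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/)   src   = substr($i, 5)
                if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
                if ($i ~ /^PROTO=/) proto = substr($i, 7)
            }
            if (dpt == "") dpt = "-"          # ICMP has no destination port
            count[disp " " src " -> " dpt "/" proto]++
        }
        END { for (k in count) printf "%d %s\n", count[k], k }
    ' "$1" | sort -rn
}

# Constructed sample log for the demonstration (not captured from a real box).
# The ACCEPT line is there to show that the summary ignores it.
sample_log=$(mktemp)
cat > "$sample_log" <<'EOF'
Apr 26 10:01:02 gentoo kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=192.0.2.10 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=2345 DF PROTO=TCP SPT=3344 DPT=135 WINDOW=65535 RES=0x00 SYN URGP=0
Apr 26 10:01:05 gentoo kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=192.0.2.10 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=2346 DF PROTO=TCP SPT=3345 DPT=135 WINDOW=65535 RES=0x00 SYN URGP=0
Apr 26 10:02:11 gentoo kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.77 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 26 10:03:30 gentoo kernel: Shorewall:all2all:REJECT:IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.5 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=123 DPT=123 LEN=56
Apr 26 10:04:00 gentoo kernel: Shorewall:net2fw:ACCEPT:IN=eth0 OUT= SRC=203.0.113.50 DST=192.0.2.10 LEN=52 TOS=0x00 PREC=0x00 TTL=60 ID=100 DF PROTO=TCP SPT=40000 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 26 10:05:00 gentoo kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=28 TOS=0x00 PREC=0x00 TTL=113 ID=9 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1
EOF

summarise_shorewall_log "$sample_log"
rm -f "$sample_log"
```

The REJECT line in the sample is the firewall's own outbound NTP hitting the all/all policy, which is how a missing rule usually shows up in practice: the summary puts it next to the inbound noise so you notice the difference between "someone scanned me" and "I forgot to allow something".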

EDITS:

03-26-05: Added kernel configuration section, minor grammatical edits.  :Embarassed: 

03-28-05: Added section headings.  It's a short how-to but what the hay.  :Wink: 

03-31-05: Fixed the kernel configuration section for 2.4 kernels

04-10-05: Removed norfc1918 from sample /etc/shorewall/interfaces file.

04-10-05: Moved Section 6 to Section 7, added Section 6: Stopping and Starting Shorewall.

04-26-05: Modified kernel configuration section for completeness. Modified the syslog-ng logging section.

----------

## Sith_Happens

Just a reminder to post comments and feedback in this topic and support requests in the support thread.  I'm looking forward to what people have to say.  :Smile: 

----------

## digital_

I'll testify to the fact that shorewall is powerful and easy to set up. I've been running it for 1.5 years plus by now. Great front-end for iptables.

----------

## krolden

http://www.shorewall.net/standalone.htm

For people who need more information, this is a very complete guide to setting up a firewall for a standalone system.

It helped me a lot back in the days.

----------

## Sith_Happens

The Shorewall site does have some great how-to's, however I decided to create additional documentation because (just so you know I'm not providing a rebuttal, I thank you for posting the link, it was a mistake on my part for omitting it from the main body of the how-to):

1) Although that is a good how-to, it is just that, a how-to, and is a little sparse on the "why".  I created this tutorial to give a little more explanation than is provided in the shorewall documentation.

2) The tutorial refers to various distros, and this can be confusing to someone who is new to linux and not experienced with any distro much less Gentoo.  This tutorial was therefore designed specifically for gentoo, and for those new to Gentoo and Linux in general.

3) The Shorewall how-to has a policy of allowing all outgoing connections from the standalone to the internet.  While this makes configuration easier, it is a bad idea from a security standpoint.  Therefore I show the opposite policy, defaulting to rejecting all connections, and then show how to selectively allow connections to make the box functional and secure.

Again thank you for posting the link and for your feedback.

----------

## Sith_Happens

Just another note if anyone uses a logger other than syslog-ng and would like to make an addition to the how-to on logging shorewall messages, post it and I'll add it to the main body of the tutorial with a thanks to the author.  :Smile: 

----------

## nford

Thanks for the tutorial - I managed to get a firewall running quite painlessly  :Very Happy: 

----------

## Sith_Happens

 *nford wrote:*   

> Thanks for the tutorial - I managed to get a firewall running quite painlessly 

 Glad I could help.  :Smile:  Be sure to test your firewall to make sure it's working properly and post any support requests to the support thread.

----------

## Crete

I really enjoy tutorials where the WHY is definitely clearly stated so I really appreciate you taking the time to document your tutorial on shorewall.  I do like to know why this is a good idea rather than knowing it's a good idea, but not knowing why.  I will implement it ASAP.

----------

## quantumwire

Sorry guys but I would like to know which module/s I have to compile in the kernel 2.6.x.

Thanks.

----------

## Sith_Happens

 *quantumwire wrote:*   

> Sorry guys but I would like to know which module/s I have to compile in the kernel 2.6.x.
> 
> Thanks.

 All support requests should be posted in this topic, the documentation forum is NOT a support forum.  However, since you already asked, look at the top of the how-to for kernel configuration instructions.

----------

## GeorgeM

I've installed Shorewall per your tutorial on 2 of my Gentoo boxes. I run the Folding@Home clients and was wondering how to allow access. When I started a new install of FAH, it said it was using http, and downloaded a new core and work unit, so the firewall isn't going to impede FAH functioning.

Thanks for your tutorial/how-to. I also appreciate some of the 'whys'.

George

----------

## Sith_Happens

 *GeorgeM wrote:*   

> I've installed Shorewall per your tutorial on 2 of my Gentoo boxes. I run the Folding@Home clients and was wondering how to allow access. When I started a new install of FAH, it said it was using http, and downloaded a new core and work unit, so the firewall isn't going to impede FAH functioning.
> 
> Thanks for your tutorial/how-to. I also appreciate some of the 'whys'.
> 
> George

 Most distributed computing programs use http to download workunits (I know seti@home which I use is the same way).  Allowing outgoing connections to destination port 80 as described in the tutorial should allow these programs to function.

----------

## Sith_Happens

Just a reminder, I'd like to expand on Section 7: Logging Shorewall Messages, so if anybody uses a system logger besides syslog-ng and wants to post or PM me an additional section on setting up that logger to log Shorewall messages to a separate file, I would much appreciate it.  I'll also put "by" and a link to your profile next to the section heading, how cool is that.  :Cool: 

----------

## OhSh33t

Hey Sith_Happens,

Can't wait to see you in the new movie..  :Cool: 

Thanks for the nice tutorial. Shorewall indeed rocks the dome. Sorry but iptables manually is just too dry for me. Good learning experience but that's where it ends. Shorewall makes configuring iptables so easy and seems much more intuitive. Not only that but Shorewall's site is really well documented and intuitive as well.

Is there any way that you could tell us, "Oh pretty please", how you yourself incorporate Snort with Shorewall? I think that would be a great addition to this tutorial. What I like best about your tutorial is you show by example. I think many people respond better to learning when they are given simple examples instead of dry man page fill-in-the-blank examples. Thanks for taking the time to write this out.

I also think that having this link in your kernel config section will be most helpful. http://www.shorewall.net/kernel.htm

Although Tom shows using modules for everything I mostly have everything builtin myself and don't use any of the IPv6 stuff he's selected.

As far as logging I only use syslog-ng just like you have, to have it log a separate log file for Shorewall-only messages instead of sifting through /var/log/messages to look at Shorewall related info. This is a good place to start though. Possibilities are endless from here.

http://www.nightbrawler.com/code/shorewall-stats/

Shorewall's site also has this stuff listed. Again, I only use syslog-ng right now.

Quoted for Shorewalls FAQ's:

(FAQ 6a) Are there any log parsers that work with Shorewall?

Answer: Here are several links that may be helpful:

http://www.shorewall.net/pub/shorewall/parsefw/

http://www.fireparse.com

http://cert.uni-stuttgart.de/projects/fwlogwatch

http://www.logwatch.org

http://gege.org/iptables

http://home.regit.org/ulogd-php.html

I myself don't use this because I'm too busy doing other fun things like Qmail, Djbdns, Apache yadda, yadda, yadda. But once I go live with some public servers I will most definitely be using some sort of logging, graphing, reporting tool.

I was hoping for more of a TCP/IP and UDP protocol statistics HTML reporting engine that graphs Drops, Rejects, Accepts by IP address with totals and such. This of course can be done with MRTG but I'm lazy right now..

Some nice tips on Shorewall commands that I use quite a bit. Say you're setting up your new web or FTP server and need to set up a port-forwarding (DNAT in most cases) rule to allow people from the internet to connect to your server. If you're like me, I wanna see if the desired web or FTP server client traffic is actually getting through the firewall, or at least being Accepted by it.  "INFO" is your friend. Let's say I just set up Apache on one of my internal PCs at, say, 192.168.10.5. So I would add an entry like this to my /etc/shorewall/rules file. **NOTICE THE ":info" part appended to my DNAT STATEMENT.

```
DNAT:info  net  loc:192.168.10.5  tcp  80
```

The little ":info" part will log that DNAT rule at the INFO level, which will show up in your logs to help troubleshoot if need be.

Although if you're like me and have just configured your Apache web server for the first time you should tighten the above rule up to only allow your friend's given IP address to connect with. It's better to do it like this because you really need to make sure Apache is set up correctly before you allow the world (which is "net" by itself) to have access to this server. It's not a good feeling to be OWNED by some stupid script kiddy. But if that's what it takes, so be it.

Ok so.. you need your friend's IP address to tighten the above rule up so that he is the only person that has access to your server while you're testing it out. Simple enough, but what if your friend doesn't know their IP address or they're being NATted with a fake address like some ISPs do. Well, the easiest way is to have your friend try and connect to your external IP address on a port that you know you're not allowing. Look in /var/log/messages for a Dropped or Rejected connection from your friend's IP address on the port that your friend tried to connect on.  Voilà.. you now know the IP address needed to tighten up your port-forwarding DNAT rule.... So now to tighten the above DNAT rule you would simply do this, assuming your friend's IP is 1.2.3.4:

```
DNAT:info  net:1.2.3.4  loc:192.168.10.5  tcp  80
```

This allows you to securely test your web server with your friend's IP only, instead of hanging your arse out in the wind before it's secure. That's as long as you trust your friend. Well if he doesn't know his own IP addy, then you're probably safe.. heh..  :Very Happy: 

Ok.. so now.. Then you have to start and stop or simply restart Shorewall so that it rereads its rules config file and loads the new DNAT rule. Shorewall is really simple. Any changes you make anywhere in Shorewall will require Shorewall to be restarted or stopped and then started again to read your newly added rule. I prefer "restart" myself.

```
# shorewall restart
```

Then have your buddy connect to a dns name that resolves to your external interface ip address or just give them your external ip address and have them manually put that in their web browser http://5.6.7.8

Then run the following command below when your buddy is connecting.

```
# shorewall logwatch
```

This basically shows your logs nearly in realtime. Use "Ctrl-c" to stop it from running. I use this when setting up and testing port-forwarding rules or when I just want to take a look at traffic on the Shorewall box. If everything is set up correctly your buddy should be able to connect to your web server and you will see a DNAT entry in your output of "shorewall logwatch" confirming that the traffic is being properly passed by Shorewall. But sometimes Shorewall shows a successful DNAT entry but your buddy can't pull up your web page.. well that's when you install Ethereal on that particular host server and sniff to see if the traffic is getting to your web server. 9 times out of 10 the traffic is getting there but it's a server misconfiguration. AnyWho...  

One of the really nice things that I like about Shorewall is the ability to "Dynamically" Blacklist/drop or Blacklist/reject someone's stupid infected computer that is port scanning me for whatever reason. Go here to learn more about Static Blacklisting 

http://www.shorewall.net/blacklisting_support.htm

```
The BLACKLISTNEWONLY option in /etc/shorewall/shorewall.conf controls the degree of blacklist filtering:

1.) BLACKLISTNEWONLY=No --  All incoming packets are checked against the blacklist. New blacklist entries can be used to terminate existing connections. Versions of Shorewall prior to 1.4.8 behave in this manner.

2.) BLACKLISTNEWONLY=Yes -- The blacklists are only consulted for new connection requests. Blacklists may not be used to terminate existing connections. Only the source address is checked against the blacklists.
```

Have a look at the difference between ACCEPT, DROP, and REJECT.

http://www.chiark.greenend.org.uk/~peterb/network/drop-vs-reject

So let's say your friend that is connected to your web server just told you how stupid your web site was but likes sucking down your mp3's and mpeg movies. Having spent the last two sleepless nights configuring Apache for the first time in your life you take offense to this ignorant gesture. So in the middle of his download of his favorite song you banish this Bizzatch's connection by doing...

```
# shorewall drop 1.2.3.4
```

Dohp... what happened to my connection..  :Shocked: 

This assumes that you have BLACKLISTNEWONLY=No set in /etc/shorewall/shorewall.conf.

Two other tips that I find useful are DNAT (port forwarding) with port redirection and SSH tunneling. Using the example above with the DNAT rule, let's say that I want to practice a little security by obscurity and make people connect to tcp port 8181 externally, but once the connection hits the external interface on Shorewall you have Shorewall rewrite the destination port to be 80, which is what Apache listens on by default. That would look like this:

Port Forwarding with Redirection:

```
DNAT:info  net  loc:192.168.10.5:80  tcp  8181
```

His browser would look something similar to: http://my.domain.com:8181

The client has no idea that your server is running on tcp port 80 (which is really meaningless except for the fact that anyone trying to connect to your machine on well known ports won't find your Shorewall box listening on them). When your web server responds back to the client's original request the packet will enter Shorewall's interface with a source port of 80 and a destination port of the client's original source port. When that packet traverses through Shorewall back to the client the packet is rewritten with the tcp port 8181 transparently.

[Edit 03/30/2005 01:53am] This was entitled REDIRECT. But my REDIRECT directions weren't correct. I've since changed this. I will show how this is done using Putty which is an SSH client that is available in Portage. The directions listed in the link I appended assume that SSHD and the VNC server are running on the same box. My directions are for SSHD running on Shorewall and allowing tunneled VNC traffic from Shorewall to a box on the local LAN. Sorry for any confusion. Putty directions will follow shortly. Ok.. here they are. Read carefully.

http://pigtail.net/LRP/vnc/

SSH Tunneling:

If any of you have messed with SSHD and port forwarding through the SSH tunnel you'll find this helpful. I like VNC. But it's not the most secure protocol to run in its natural state. SSH provides encryption and authentication with the ability to tunnel/forward other services/protocols/applications through the initial SSH tunnel, which makes this as secure as you can get without using a full blown IPsec client. I'm assuming that you have SSHD running on the Shorewall box listening on the internal interface IP address, not on the Apache server. (If SSHD was running on Apache then you wouldn't have to write this ACCEPT rule. But this is the whole point, right?) I also assume that you have some form of X server running on the Apache server. XFree, Xorg with Gnome, KDE, XFCE4.. whatever you use.

So anyways, you decided to install libvncserver on the same box running the Apache server internally so that you can connect to it and control it over the internet as if you were sitting in the same room as the server. (libvncserver by the way is probably the easiest VNC server setup you will ever run into. Even easier than installing it on Windows. Heh..  :Very Happy: ) Go Here for some direction. Trust me.. this is nice and easy. Ok.. so vncserver is running and listening for incoming requests on the standard tcp port (usually tcp 5901). At work I use Windows XP with Putty's SSH client and I have the TightVNC client running as well. Configure Putty as described Here.

Ok. On Shorewall we need to make two rules: one that allows us to SSH in, and one that takes the tcp 5901 traffic that we push through the SSH tunnel and allows the VNC traffic coming through the tunnel to the Apache box with the VNC server installed on it. You will have to explicitly allow VNC traffic from the FW zone to the LOC zone in your "rules" file. The following scenario below assumes that the firewall internal NIC is 192.168.10.1 and SSHD is configured to listen on that IP address. Here we go:

```
DNAT:info  net  fw:192.168.10.1  tcp  22
ACCEPT:info  fw  loc  tcp  5901
```

Restart Shorewall and then pretend you're now at work.. or somewhere external out on the internet.

At work once the ssh Putty client is configured correctly and you connect to Shorewall which is also running the SSHD service and you authenticate, then minimize Putty and pull up the Tight VNC client and type in localhost:1 for the Server then type your Password then Connect. WAlaw... That's the shizz if you ask me. You can do all kinds of stuff with SSH tunneling that I could go on forever talking about. Google is your friend here if your looking for any additonal info related to SSH Tunneling.

Now if the SSHD server were running on the Apache server we would only need a DNAT rule that portforwarded ssh on tcp 22 to the internal Apache machine. No Redirects neccessary at this point. Connect with SSH, fireup the vnc client and connect as before.. 

Have fun..

----------

## Sith_Happens

Thanks OhSh33t, your post is longer than my entire tutorial.  :Shocked: 

There's a lot of good information in there, thanks for posting it.  It goes a little outside of what I was trying to accomplish with my tutorial but it is good information nonetheless.  I'd just like to say right now though that while I encourage people to read his post and perhaps even play around with what's in there, please don't post support requests for the information contained within the preceding post.  Feel free to pm me about it, but I'd like to keep the support thread focused on the body of the how-to.  Again, thanks for the how-to, my only problem is the nightbrawler.com link doesn't seem to work.  Not only that, it's hosted on a Red Hat Server (I hope that's not yours  :Razz:  ).

----------

## OhSh33t

 *Sith_Happens wrote:*   

> Thanks OhSh33t, your post is longer than my entire tutorial. 

 

Ya. Kinda long. My bad. I didn't realize how long it was until I looked at it again after reading your last posting. 

 *Sith_Happens wrote:*   

> Again, thanks for the how-to, my only problem is the nightbrawler.com link doesn't seem to work.  Not only that, it's hosted on a Red Hat Server (I hope that's not yours  ).

 

Doesn't work as in the actual web page doesn't render or is down? I get to the site just fine with Firefox.

Nope, not my Redhat server. I'm a Gentoo only guy. 

If I'm not understanding you please let me know and I will remove the link if you're referring to the directions on that webpage being Redhat-centric. Anyways, I shouldn't have posted this to your HowTo. Sorry about that. If you would like I can move it. Just let me know. Thanks Sith.

----------

## Sith_Happens

About the link, it's up now, it was giving me a 404 last time I tried it.  I knew it was a redhat server because when I went to http://www.nightbrawler.com/ , I got the default Redhat Enterprise Server modified Apache2 index page.  Somebody hadn't properly configured their apache server.  :Wink: 

As far as keeping your post here, feel free to if you want.  You could also move it and make your own how-to, "Shorewall Tips" or something like that, and edit your above post to be a link to it if you want, it's up to you.  :Smile: 

----------

## Bob P

Thanks, Ryan, for the very helpful Tutorial.  I followed this Guide and the result was a rock-solid firewall that wouldn't let any unwanted traffic pass through.   :Wink: 

It seems that this Guide is optimized for a standalone linux box with an ethernet connection to the internet.  Although this Guide works very well for supporting that type of installation, I encountered a couple of problems using this Guide to install a single-ended firewall on a Gentoo box that exists on a LAN (behind an appliance firewall/router) with a group of Windows and Gentoo computers.  I'd like to suggest a tip that will be helpful in enabling Shorewall to function properly in this type of environment.

 *Sith_Happens wrote:*   

> 4.a: /etc/shorewall/interfaces
> 
> This is where /etc/shorewall/interfaces comes in.  This part is very simple, so I won't give too much explanation outside of the relevant portion of the file itself.  The first portion of all the configuration files is a commented section explaining the use of the file in detail, so please, read it.  The last portion is the "business end" of the config file.  In this case, we assume that the computer is connected to the internet on the interface eth0.  The various options listed are explained further in the file itself, so add any options to your file that apply to your particular configuration.  For most people, simply adding the zone and interface will suffice.   
> ...

 

The norfc1918 parameter can be a little tricky to implement if you're not aware of exactly what it does.  This parameter instructs Shorewall to prohibit traffic involving packets that bear an RFC 1918-compliant IP address.  This may or may not be what you want, so we should probably review what the RFC 1918 standard means and how it will affect the function of Shorewall.

RFC 1918 is an IP address standard that reserves several IP address ranges for use on private networks.  These addresses are:

```
10.0.0.0    - 10.255.255.255
172.16.0.0  - 172.31.255.255
192.168.0.0 - 192.168.255.255
```

Because these addresses are "reserved" by the RFC 1918 standard, they are considered non-routable.  By non-routable, I mean that the Internet backbone routers will not forward any packets which contain a destination address that is reserved by the RFC-1918 definitions.  If norfc1918 is specified in your interface options, you are instructing Shorewall to "just say no" to all packets that bear an RFC 1918-compliant IP address.  In doing so, Shorewall will not respond to any packets that contain IP addresses that lie within the range of values defined by RFC 1918.

What this means is that if you use the norfc1918 option in your interfaces file, you have instructed your router to never respond to any packets bearing an RFC 1918-compliant address.  In practical terms, if you are on a LAN that uses RFC 1918-compliant routing addresses (such as a home network that uses a firewall/router to allow your boxes to share a DSL connection), then Shorewall will render your box totally unresponsive to ALL of the other boxes on your network.  No matter how you configure your rules table or your policy table, Shorewall absolutely WILL NOT respond to the other machines on your LAN.

In the event that you are planning on using Shorewall as a personal firewall on your box, and your box sits on a LAN that uses RFC 1918-compliant addressing, remember that if you "just say no" to RFC 1918 by specifying the norfc1918 option in your interfaces file, then you will effectively insulate your box from the rest of the boxes on your LAN.  If you want to be an isolationist on your LAN, then norfc1918 is exactly what you need!  :Wink: 

OTOH, if you want to be able to communicate with other boxes on your LAN, you MUST remove the norfc1918 option in your interfaces file.  After doing that, Shorewall will respond to policies and rules that permit communication between other PCs on your network that present packets containing RFC 1918-compliant IP addresses.  :Very Happy: 

I hope this helps.  This problem was a real head-scratcher for me, as everyone I talked to seemed to agree that there had to be a problem with my configuration of the rules table, when the real problem was that I had unwittingly used norfc1918 in defining my firewall's interface table.

edit: added the word "containing" in the second to the last paragraph.  :Embarassed: 

----------

## woZa

Does that not make norfc1918 ideal for adding to your internet connection in the interfaces file just not to your lan connection?

eg my interfaces file

```
#ZONE   INTERFACE       BROADCAST       OPTIONS
net     ppp0            -               routefilter,norfc1918,tcpflags
loc     eth0            detect          tcpflags
```

Please correct me if I am wrong!

----------

## Sith_Happens

If you have an interface that should not be receiving RFC 1918 traffic, such as a modem, then defining that interface with the norfc1918 option describes that interface to Shorewall.  If you have an interface that will be receiving both internal network traffic (with RFC 1918 addresses) and external network traffic on the same interface, such as a computer behind a router with port forwarding set up, then norfc1918 doesn't fit your interface, so you shouldn't define that interface with the norfc1918 option.  It's that simple.

----------
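Bob P's explanation of norfc1918 and the woZa/Sith_Happens exchange above come down to one check a practitioner wants to make before starting the firewall: does any interface carrying the norfc1918 option itself sit on an RFC 1918 network? The following is an added example by the editor, not code from the tutorial or from the Shorewall project. It parses the interfaces file format shown above, classifies addresses strictly by the three RFC 1918 blocks Bob P lists, and warns about the self-isolating combination. The sample interfaces file and the address map are constructed for the example; in practice the `addresses` dictionary would be filled from `ip addr` on the box.

```python
import ipaddress

# The three RFC 1918 blocks, exactly as listed in Bob P's post above.
RFC1918_NETWORKS = (
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
)


def is_rfc1918(addr):
    """True if the IPv4 address falls inside one of the RFC 1918 blocks.
    Deliberately narrower than ipaddress's is_private, which also covers
    loopback, link-local and documentation ranges."""
    ip = ipaddress.ip_address(addr)
    return ip.version == 4 and any(ip in net for net in RFC1918_NETWORKS)


def parse_interfaces(text):
    """Parse the ZONE / INTERFACE / BROADCAST / OPTIONS columns of a
    Shorewall 'interfaces' file. Comment and blank lines are skipped and
    the comma-separated OPTIONS column becomes a set of option names."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        cols = line.split()
        options = set(cols[3].split(",")) if len(cols) > 3 else set()
        entries.append({"zone": cols[0], "interface": cols[1], "options": options})
    return entries


def check_norfc1918(interfaces_text, addresses):
    """Warn about every interface that has the norfc1918 option but whose
    own address is itself RFC 1918. 'addresses' maps interface name to the
    IPv4 address string the caller collected (assumed: from `ip addr`).
    As Bob P describes, such a box drops all traffic from the rest of its
    LAN, whatever the policy and rules files say."""
    warnings = []
    for entry in parse_interfaces(interfaces_text):
        iface = entry["interface"]
        addr = addresses.get(iface)
        if "norfc1918" in entry["options"] and addr and is_rfc1918(addr):
            warnings.append(
                f"{iface} (zone {entry['zone']}) has norfc1918 but its own "
                f"address {addr} is RFC 1918: the LAN on {iface} will be blocked"
            )
    return warnings


# Constructed sample: woZa's two-line file plus a third, misconfigured
# interface (eth1) that sits on a 192.168.10.0/24 LAN behind a router.
SAMPLE_INTERFACES = """\
#ZONE   INTERFACE       BROADCAST       OPTIONS
net     ppp0            -               routefilter,norfc1918,tcpflags
loc     eth0            detect          tcpflags
net     eth1            detect          norfc1918,tcpflags
"""

# Constructed addresses; 203.0.113.7 stands in for the public PPP address.
SAMPLE_ADDRESSES = {"ppp0": "203.0.113.7", "eth0": "192.168.1.20", "eth1": "192.168.10.5"}

if __name__ == "__main__":
    for warning in check_norfc1918(SAMPLE_INTERFACES, SAMPLE_ADDRESSES):
        print("WARNING:", warning)
```

Run against the sample, only eth1 is flagged: ppp0 carries norfc1918 but has a public address (woZa's correct usage), and eth0 is on a private LAN but has no norfc1918 option.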

## lmcogs

Hi

Getting this error message

```
rc-update add shorewall default && /etc/init.d/shorewall start
 * shorewall already installed in runlevel default; skipping
 * Starting firewall...
   Warning: Zone loc is empty
   Warning: Zone dmz is empty
FATAL: Module ip_tables not found.
iptables v1.2.11: can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
FATAL: Module ip6_tables not found.
ip6tables v1.2.11: can't initialize ip6tables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
FATAL: Module ip6_tables not found.
ip6tables v1.2.11: can't initialize ip6tables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
FATAL: Module ip6_tables not found.
```

I have emerged iptables, shorewall and iproute2.  I changed the config file as you mentioned and I compiled the kernel with packet filtering.  I originally compiled the kernel with 'genkernel --udev --all'  so I recompiled as you mentioned 'genkernel --menuconfig kernel'  but I got this message.  This did not produce an initrd file so after I got the above error I again recompiled the kernel using 'genkernel --menuconfig --udev all'.  However I got the above error message again.

Not as easy as you mentioned.  Can you advise.

Lmcogs

----------

## Sith_Happens

First, this is a documentation thread, not a support thread.  All support requests need to be posted in the support thread.  That said, I suggest you go back and make sure you completed Section 2 of the tutorial, also make sure the options in the menuconfig have <*> next to them and not <M>.  If you still have trouble, post to the support thread, not to this thread though.   :Wink: 

----------

## manicman

I can't delete my superfluous posting... :\

Last edited by manicman on Mon Apr 25, 2005 4:05 pm; edited 1 time in total

----------

## Sith_Happens

 *manicman wrote:*   

> Hi there
> 
> perhaps it would be useful to mention that there are many action files in /usr/share/shorewall which are perhaps not really wanted to be loaded.
> 
> Therefore one has to edit the CONFIG_PATH variable in /etc/shorewall/shorewall.conf to /etc/shorewall only. Then all actions listed in /usr/share/shorewall won't be loaded...
> ...

 I suppose preventing shorewall from loading the actions would save some load time, however, the actions are only "pre-processed", they aren't actually used unless you specify them.

----------

## manicman

Hm... but if I start my shorewall, first my defined rules will be loaded and after that the rules in /usr/share/shorewall will be loaded... and then samba won't work fine and somehow I can't surf anymore...

But this topic would be something for the support thread...

But I am trying a bit more before I ask for support.. :Smile: 

----------

## manicman

Since you cited my post: I get error messages from the pre-processor:

```
root@manicman-mobile - Mo Apr 25 18:03:43 - /var/log
>shorewall start
Loading /usr/share/shorewall/functions...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Starting Shorewall...
Initializing...
Shorewall has detected the following iptables/netfilter capabilities:
   NAT: Available
   Packet Mangling: Available
   Multi-port Match: Available
   Connection Tracking Match: Available
Determining Zones...
   Zones: net
Validating interfaces file...
Validating hosts file...
Validating Policy file...
Determining Hosts in Zones...
   Net Zone: eth0:0.0.0.0/0
Processing /etc/shorewall/init ...
Deleting user chains...
Setting up Accounting...
Creating Interface Chains...
Configuring Proxy ARP
Setting up NAT...
Setting up NETMAP...
Adding Common Rules
Processing /etc/shorewall/initdone ...
IP Forwarding Disabled!
Processing /etc/shorewall/tunnels...
Pre-processing Actions...
   Error: Missing Action File: action.DropSMB
Processing /etc/shorewall/stop ...
IP Forwarding Disabled!
Processing /etc/shorewall/stopped ...
```

And I cannot imagine why.

Sorry, I've seen your reply too late.

----------

## Shotpiece

Amazing tutorial. Someone told me to set up iptables one day and the attempt blew my mind.

Having ONE problem though, I can't get FTP to work properly. With shorewall up, I am able to log in and navigate, but when I try to PUT a file, I get this:

```
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> put
(local-file) /home/john/screenshot.png
(remote-file) ./screenshot.png
local: /home/john/screenshot.png remote: ./screenshot.png
200 PORT command successful. 
```

and then it just freezes there. When I take shorewall down, everything works fine. Here's the applicable part of my "rules": 

```
ACCEPT   fw             net             tcp     21 #ftp
ACCEPT   fw             net             udp     21 #ftp 
```

Any insight?

EDIT: I just noticed the SUPPORT page for this... sorry for posting in the wrong place  :Sad: 

----------
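Shotpiece's transcript (and jonny bravo's failed FTP downloads further down) show the classic active-mode FTP symptom: the control connection on tcp/21 is covered by the rule, but the data transfer is a second TCP connection that the server opens back to the client after the `PORT` command, so with a net-to-fw DROP policy the `put` hangs right after "200 PORT command successful". In passive mode the roles flip and the client dials out to a high port the server names in its `227` reply, which an ACCEPT for port 21 alone does not cover either; the usual fix is to let Netfilter's FTP connection-tracking helper (ip_conntrack_ftp on kernels of that era) classify the data connection as RELATED, which Shorewall's standard ESTABLISHED,RELATED acceptance then covers. The following is an added example by the editor, not code from the thread, that reads a captured control session and reports each data connection and the zone direction that must allow it. The session below is constructed (192.0.2.10 is the client/firewall, 198.51.100.5 the server, both documentation addresses); the assumption that the FTP client is the firewall box itself matches Shotpiece's setup.

```python
import re

# Client command and server reply that carry a data-channel endpoint:
# four address octets followed by the port as high byte, low byte.
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.IGNORECASE)
PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def endpoint(groups):
    """Decode the six numbers of a PORT/227 line into (host, port)."""
    h1, h2, h3, h4, p1, p2 = (int(x) for x in groups)
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def data_connections(session, client_zone="fw", server_zone="net"):
    """Scan a captured FTP control session (client commands and server
    replies interleaved in order) and list every data connection it
    negotiates, with the Shorewall zone pair that must allow it.
    Assumption: the FTP client is the firewall itself (zone 'fw') and
    the server is in 'net', as in the post above."""
    found = []
    for line in session.splitlines():
        line = line.strip()
        m = PORT_RE.match(line)
        if m:
            host, port = endpoint(m.groups())
            found.append({
                "mode": "active",
                "connects": f"server -> {host}:{port}",
                "needs": f"{server_zone} -> {client_zone}",
                "note": "server dials back from port 20; a net->fw DROP policy "
                        "silently eats the SYN and the transfer hangs",
            })
            continue
        m = PASV_RE.match(line)
        if m:
            host, port = endpoint(m.groups())
            found.append({
                "mode": "passive",
                "connects": f"client -> {host}:{port}",
                "needs": f"{client_zone} -> {server_zone}",
                "note": "client dials out to a high port; an ACCEPT for tcp 21 "
                        "alone does not cover it, RELATED via the ftp helper does",
            })
    return found


# Constructed session: one active-mode PUT attempt followed by a
# passive-mode retry of the same upload.
SAMPLE_SESSION = """\
220 example FTP server ready.
USER john
331 Password required.
PASS ********
230 Login successful.
TYPE I
200 Switching to Binary mode.
PORT 192,0,2,10,4,1
200 PORT command successful.
STOR screenshot.png
PASV
227 Entering Passive Mode (198,51,100,5,195,80).
STOR screenshot.png
150 Ok to send data.
226 Transfer complete.
"""

if __name__ == "__main__":
    for conn in data_connections(SAMPLE_SESSION):
        print(f"{conn['mode']:8} {conn['connects']:32} needs {conn['needs']}: {conn['note']}")
```

For the sample it reports an active data connection from the server to 192.0.2.10:1025 (4*256+1), which needs net-to-fw, and a passive one from the client to 198.51.100.5:50000 (195*256+80), which needs fw-to-net; neither is the tcp/21 control channel the rules file already allows.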

## ChojinDSL

You know what would be really cool? If someone could post a tutorial on setting up shorewall in combination with QOS. So that you can do things like: playing Enemy Territory online with a nice low ping and still have edonkey or bittorrent or other downloads running in the background.

I have been unsuccessfully trying to set that up for ages, but I just can't get my head around it, since most tutorials and howtos I've seen regarding this are about using iptables scripts and not using shorewall.

----------

## pjp

Split off Why on earth do you need a PFW with Linux?

----------

## Bob P

 *pjp wrote:*   

> Split off Why on earth do you need a PFW with Linux?

 

That was a good idea!  :Idea: 

----------

## {{Azrael}}

Hey, what's the best way to configure three NICs to all use the same zone? So far I'm using three zones for each one, but I think it would be better to just use one zone for all of them.

And for some weird reason FTP and some file sharing service is open. All other common ports are good, and I'm not sure why. I'm new to all this Linux security stuff, and my laptop has been running with no firewall for a good six months. Is it possible someone has hacked my box? Because I certainly am not running a file sharing app or using FTP.

> 21 FTP OPEN! FTP servers have many known security vulnerabilities and the payoff from exploiting an insecure FTP server can be significant. This system's open FTP port is inviting intruders to examine your system more closely.
> 
> Attempting connection to your computer. . .
> 
> Shields UP! is now attempting to contact the Hidden Internet Server within your PC. It is likely that no one has told you that your own personal computer may now be functioning as an Internet Server with neither your knowledge nor your permission. And that it may be serving up all or many of your personal files for reading, writing, modification and even deletion by anyone, anywhere, on the Internet!

From GRC Shields UP!.

----------

## Sith_Happens

Post the output of netstat -tap in the support thread, and let's see what is listening on port 21.  As far as the samezone on multiple interfaces, give me a little information on your network topography, I'll help you set it up.  Again, post in the support thread, not this thread.

----------

## Lejban

This looks really neat, but I have some questions:

How is this better than iptables?

Isn't this, by adding one more software which could contain bugs, less secure?

----------

## Sith_Happens

 *Lejban wrote:*   

> This looks really neat, but I have some questions:
> 
> How is this better than iptables?
> 
> Isn't this, by adding one more software which could contain bugs, less secure?

 That is a good point, and in fact there have been security flaws in older versions of shorewall (see GLSA 200407-07).  However, that was a local exploit (i.e., the attacker needed to have local user privileges before he could exploit it), and it was a while and several versions of shorewall ago.  It is interesting to note however that around the same time another more serious bug was discovered in iptables (GLSA 200407-12) that was a remote bug only requiring the attacker to send a malformed TCP packet to send the CPU into an infinite loop, consuming all resources and resulting in a DoS.  So while you are correct that as a rule relying on additional programs increases the potential for bugs, you have to keep things in perspective.  The real advantage of using Shorewall over simply iptables is that it makes firewall/router settings easier to configure, easier to modify, and easier to transfer between networks.

----------

## gary

I'd like to add my appreciation for this tut. I know essentially nothing about iptables or security, but I was able to set up shorewall and get a "Perfect TruStealth" score from Gibson's ShieldsUp page in about half an hour. 

No such thing as perfect security, of course, but this is about as good as I am likely to get on my home machine. 

Now, on to...what used to be called IP Masquerading...what is it called now? Port forwarding? 

Thanks again.

----------

## monotux

 *gary wrote:*   

> Now, on to...what used to be called IP Masquerading...what is it called now? Port forwarding? 

 

I believe you're talking about NAT  :Smile: 

----------

## gary

 *Quote:*   

> I believe you're talking about NAT

 

It seems so. After checking out the shorewall site it seems that what I am after is SNAT, or, since I use DHCP from my ISP, it is actually still called IP Masquerading. 

I have set it up according to the tut there, but it doesn't actually work yet. On to the support forums! :Surprised: 

----------

## monotux

SNAT is usable only when having a fixed address - if you have DHCP, you have to use MASQ (it's a bit slower in theory, since the firewall has to check its own IP every time it translates a package in and out from the LAN)...  :Smile: 

----------

## rbiswarup

I want to know whether the built-in firewall of rp-pppoe is sufficient or not?  :Confused: 

----------

## Sith_Happens

 *rbiswarup wrote:*   

> I want to know whether the built-in firewall of rp-pppoe is sufficient or not? 

 For a single ended setup on a strictly client system it probably has all of the options you'll need.  Not having any experience with it though, I can't give you any advice beyond that.  :Sad: 

----------

## tshelt

This tutorial really was good.  I got everything up and running with a minimum of fuss.  So, now all is joy.

Thank You!

Tom

----------

## <3

 *nford wrote:*   

> Thanks for the tutuorial - I managed to get a firewall running quite painlessly 

 

I could not have said it better myself. Setting up iptables w/o shorewall is mindblowing. Thx for the tutorial. The best thing this tutorial has is examples that I could follow. Someone should add this to the Gentoo Security Documentation site.

----------

## Sith_Happens

The Shoreline Firewall v. 2.2.3 is now stable in portage.  I'll be updating the guide soon to reflect the changes in this version.

----------

## 96140

Thanks Ryan for the great tutorial; it's a good start on a desktop firewall. The default rules you've provided only give two failed tests at Shields Up!, neither of which are critical. So it's a very good basic firewall.

----------

## prolific

is there any point in using shorewall if i'm behind a router already ? (netgear mr814)

----------

## hari

Thanks for the nice tutorial.  I did have a few problems though:

A change needs to be made in /etc/shorewall.conf

```
##############################################################################
#                      S T A R T U P   E N A B L E D
##############################################################################
# Once you have configured Shorewall, you may change the setting of
# this variable to 'Yes'
STARTUP_ENABLED=No
```

This needs to be "Yes" for shorewall to work!

Also, the default /etc/shorewall/zones file has no zones defined by default.  

```
# /etc/init.d/shorewall start
 * Starting firewall ...
   Error: No Zones Defined
/etc/init.d/shorewall: line 13: 32442 Terminated              /sbin/shorewall start >/dev/null                                [ !! ]
```

So I added

```
#ZONE         DISPLAY      COMMENTS
net        Net            Internet
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
```

This is with shorewall 2.2.3.

----------

## jonny bravo

First off Sith, I'd like to thank you for your time and effort for the Shorewall tutorial and Jackass/Gentoo project. I have one question though. I'm still kind of a newbie (but if you don't ask you'll never know). I followed the Shorewall tutorial and then did a check on the Shields Up site; all my ports are stealthed but they were able to get an ICMP ping. Is there a way to stealth this? Or something I missed? Also the other night I tried to get an iso from an ftp site; all of the ftp links I couldn't connect to, except for the http links. I'm not sure if it was just bad timing or if it's something to do with Shorewall. Once again thanks, keep up the good work.

----------

## lonrot_m

Hi:

I followed every word of this tutorial but

```
etc/init.d/shorewall start
 * Starting firewall ...                                                            [ !! ]
```

I receive this when I try to start, and since it doesn't return me any error I don't know what to do. By the way there is nothing in /var/log/messages.

i am using gentoo sources 2.6.12-r6

thank you

----------

## lonrot_m

hi again : 

I guess it's because metalog isn't configured for shorewall. How do I do that? Can someone tell me?

----------

## RTFMish

 *lonrot_m wrote:*   

> HI:
> 
> I followed everyword of this tutorial but
> 
> ```
> ...

 

you need to set a zone in the "zones" file

----------
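hari's "Error: No Zones Defined", lonrot_m's silent `[ !! ]` and RTFMish's answer all trace back to the same thing: the zones, policy and rules files have to agree with each other, and Shorewall only tells you so at start time. The following is an added example by the editor, not code from the tutorial or from the Shorewall project: a small consistency check that reads the three files in the column layout shown throughout this thread and reports an empty zones file or a rule that names a zone nobody defined. It assumes the firewall zone is called `fw` (Shorewall's default FW= setting), handles both the 2.2 zones layout (ZONE DISPLAY COMMENTS) and the 3.x layout (ZONE TYPE OPTIONS) since the name is the first column in both, and reduces `net:1.2.3.4` style columns to the zone name. The sample files are constructed for the example.

```python
def columns(text):
    """Yield the whitespace-separated columns of each non-comment line of a
    Shorewall configuration file (the '#' comment style used in this thread)."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line.split()


def defined_zones(zones_text, fw_zone="fw"):
    """Zone names from /etc/shorewall/zones. The name is the first column in
    both the 2.2 layout (ZONE DISPLAY COMMENTS) and the 3.x layout
    (ZONE TYPE OPTIONS). In 2.2 the firewall zone is not listed but named
    by FW= in shorewall.conf (assumed default 'fw'), so it always counts."""
    zones = {cols[0] for cols in columns(zones_text)}
    zones.add(fw_zone)
    return zones


def referenced_zones(text, has_action_column, fw_zone="fw"):
    """Zone names used in the SOURCE and DEST columns. Rules files have an
    ACTION column first (has_action_column=True); policy files start with
    SOURCE. 'net:1.2.3.4' and 'fw:eth0' forms are reduced to the zone name,
    $FW is mapped to the firewall zone and SECTION lines are skipped."""
    refs = set()
    first = 1 if has_action_column else 0
    for cols in columns(text):
        if cols[0].upper() == "SECTION":
            continue
        for col in cols[first:first + 2]:
            zone = col.split(":", 1)[0]
            refs.add(fw_zone if zone == "$FW" else zone)
    return refs


def validate(zones_text, policy_text, rules_text, fw_zone="fw"):
    """Return a list of error strings; an empty list means the three files
    agree. Mirrors the failures seen in this thread: an empty zones file
    and a rule naming a zone that was never defined."""
    errors = []
    zones = defined_zones(zones_text, fw_zone)
    if zones == {fw_zone}:
        errors.append("No Zones Defined: /etc/shorewall/zones has no entries")
    used = (referenced_zones(policy_text, False, fw_zone)
            | referenced_zones(rules_text, True, fw_zone))
    for zone in sorted(used - zones - {"all"}):
        errors.append(f"zone '{zone}' is used in policy/rules but not defined in zones")
    return errors


# Constructed samples: the stock (empty) zones file hari hit, the one-line
# fix, the tutorial's policy, and a rules file with one stray 'loc' entry.
EMPTY_ZONES = """\
#ZONE         DISPLAY      COMMENTS
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
"""

SAMPLE_ZONES = """\
#ZONE         DISPLAY      COMMENTS
net        Net            Internet
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
"""

SAMPLE_POLICY = """\
#SOURCE         DEST            POLICY          LOG
net             all             DROP            info
all             all             REJECT          info
"""

SAMPLE_RULES = """\
#ACTION SOURCE          DEST            PROTO   DEST
SECTION NEW
ACCEPT   fw             net             tcp     80 #http
ACCEPT   fw             net             tcp     443 #https
ACCEPT   fw             net             udp     53 #DNS
ACCEPT   net:192.0.2.10 fw              tcp     22 #ssh from one constructed host
ACCEPT   fw             loc             tcp     5901 #vnc to a zone nobody defined
"""

if __name__ == "__main__":
    for name, zones in (("empty zones", EMPTY_ZONES), ("fixed zones", SAMPLE_ZONES)):
        print(name, "->", validate(zones, SAMPLE_POLICY, SAMPLE_RULES) or "ok")
```

With the empty zones file the first error is the same "No Zones Defined" hari saw; with the one-line fix only the stray `loc` rule is reported, and removing it leaves the files consistent.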

## sfp-a7x

Why must all the IP tables stuff be compiled into the kernel?  Why can't I compile them as modules?

----------

## SchrodingerPenguin

Sith_Happens,

Thanks heaps for a tutorial which includes the why as well as just the what-to-do.  I followed it as written and my firewall worked brilliantly - AND I had the bit of understanding required to then customise it to my requirements.

I had a small bit of trouble when I just upgraded to Shorewall 2.2, and think you should edit the tutorial to include the fact that in newer versions of Shorewall, you must change one of the first lines in  /etc/shorewall/shorewall.conf to

```
STARTUP_ENABLED=Yes
```

before the firewall will start up.

----------

## Zampf

Thanks for this great, simple, tutorial and turning me on to Shorewall -- Iptables can be a royal pain to fudge with by hand.

*bow*

----------

## rek2

not bad.

----------

## asiB4

Yeah...ok, this is an old thread, but I have been looking for a way to "secure" my boxes at home, and this tutorial fit the bill. Everything else I have been trying to experiment with was basically turning my main box into a honeypot, which would be just shooting myself in the foot. Reading the various iptables tutorials online made no sense to me, and frankly made my head hurt. With this tutorial iptables is starting to make a lot more sense to me now! Compiled the kernel with needed support, emerged everything I needed, config'd everything...customized it for what I needed and time will tell whether I was successful or not. Thanks a million!   :Cool: 

Chad

----------

## rim

Hi,

I am new to Gentoo and forums - so I ask for your patience.

I followed the Shorewall tutorial but upon running the final commands (rc-update etc)

I received the following message:

```
Error: Traffic shaping requires mangle support in kernel your kernel and iptables
/etc/init.d/shorewall: line 14: 9488 Terminated /sbin/shorewall start >/dev/null
```

I did amend my kernel as instructed though... Any ideas (please keep jargon to a minimum as I am still learning)

Cheers

----------

## asiB4

 *rim wrote:*   

> Hi,
> 
>  I am new to Gentoo and forums - so I ask for your patience.
> 
> I followed the Shorewall tutorial but upon running the final commands (rc-update etc)
> ...

 

Welcome....

in your kernel config you will have had to enable packet mangling support....

```
#make menuconfig
[]Networking --->[]Networking Options --->[]Network packet filtering (replaces ipchains) --->[]IP Netfilter Configuration ---><*>Packet mangling
```

...look in /usr/src/linux/.config to verify this has been added...should see an entry similar to...

```
CONFIG_IP_NF_MANGLE=y
CONFIG_IP_NF_ARP_MANGLE=y
```

hope that helps...

----------

## rim

Just wanted to thank asiB4 for the help. Works a treat now. Cheers

----------

## manouchk

I have a problem similar to the one rim had but in my kernel I couldn't find any mangle stuff related see my post if you wish to help me :

https://forums.gentoo.org/viewtopic-p-3367938.html#3367938

----------

## orange_juice

Hallo, 

I had the same problem as manouchk and rim. 

The problem occurred after upgrading to gentoo-sources-2.6.16-r9 from gentoo-sources-2.6.14-gentoo-r5.

Actually, the last entry : 

```
IP Tables Support (required for filtering/masq/NAT)
```

 ... quoted at the beginning of the tutorial had disappeared! 

 *Shorewall Tutorial wrote:*   

> ```
> Networking support --->
> ...

 

However, above "IP: Netfilter Configuration entry"... 

```
Networking support --->
            Networking options --->
                 [*] Network packet filtering (replaces ipchains) --->
                      ---> H E R E !!! 
                      IP: Netfilter Configuration --->
```

...another entry has appeared called 

```
Core Netfilter Configuration --->
```

Clicking inside I found : 

```
[ ] Netfilter netlink interface
[*] Netfilter Xtables support (required for ip_tables)
```

When I marked it (as shown above), the missing entry... 

```
<*> IP Tables Support (required for filtering/masq/NAT)
```

...appeared again with all the necessary options and sub options at its expected place defined at this tutorial. 

Since I did not know why this change has occurred and since under... 

```
[*] Netfilter Xtables support (required for ip_tables)
```

...there are some options that refer to Mangle etc, I have also checked all options and suboptions under it. I am not sure whether this is accurate or not but Shorewall -now- works again as usual.

I hope that I helped somehow.

Kind regards,

orange_juice

----------

## manouchk

Well found, orange_juice! Now it seems to be okay! Now just a configuration problem!

I don't know why I can't ping when shorewall is started?

And I'm having a problem with printing on a Windows shared printer of IP 152.84.250.x. I used to be able to print on Mandriva using those 4 rules to accept all traffic from the computer:

```
ACCEPT   net:152.84.250.x fw           tcp     -           -       - 2/sec:10
ACCEPT   net:152.84.250.x fw           udp     -           -       - 2/sec:10
ACCEPT   fw             net:152.84.250.x tcp -
ACCEPT   fw             net:152.84.250.x udp -
```

but it does not print here.

my shorewall conf files are :

```
tail -v /etc/shorewall/interfaces;tail -v /etc/shorewall/policy;tail -n 28 -v /etc/shorewall/rules
==> /etc/shorewall/interfaces <==
#
#                       net     ppp0    -
#
# For additional information, see
# http://shorewall.net/Documentation.htm#Interfaces
#
###############################################################################
#ZONE   INTERFACE       BROADCAST       OPTIONS
net      eth0           detect
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

==> /etc/shorewall/policy <==
# See http://shorewall.net/Documentation.htm#Policy for additional information.
#
###############################################################################
#SOURCE         DEST            POLICY          LOG             LIMIT:BURST
net             all             DROP            info
#                                               LEVEL
# THE FOLLOWING POLICY MUST BE LAST
#
all             all             REJECT          info
#LAST LINE -- DO NOT REMOVE

==> /etc/shorewall/rules <==
ACCEPT   fw             net             tcp     80 #http
ACCEPT   fw             net             udp     80 #http
ACCEPT   fw             net             tcp     443 #https
ACCEPT   fw             net             udp     443 #https
ACCEPT   fw             net             tcp     21 #ftp
ACCEPT   fw             net             tcp     53 #DNS
ACCEPT   fw             net             udp     53 #DNS
ACCEPT   fw             net             tcp     110 #unsecure Pop3
ACCEPT   fw             net             tcp     995 #Secure Pop3
ACCEPT   fw             net             tcp     873 #rsync
ACCEPT   fw             net             tcp     25 #unsecure SMTP
ACCEPT   fw             net             tcp     465 #SMTP over SSL
ACCEPT   fw             net             tcp     5190 #AIM/ICQ
ACCEPT   fw             net             tcp     5060 #openwengo
ACCEPT   fw             net             tcp     10600 #openwengo
ACCEPT   fw             net             tcp     10601 #openwengo
ACCEPT   net            fw              tcp     5060 #openwengo
ACCEPT   net            fw              tcp     10600 #openwengo
ACCEPT   net            fw              tcp     10601 #openwengo
ACCEPT   net:152.84.250.60 fw           tcp     -           -       - 2/sec:10
ACCEPT   net:152.84.250.60 fw           udp     -           -       - 2/sec:10
ACCEPT   fw             net:152.84.250.60 tcp -
ACCEPT   fw             net:152.84.250.60 udp -
ACCEPT   net            fw              udp     6881:6889       -
ACCEPT   net            fw              tcp     22      -
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
```

I put the iptables -L output here: http://emmanuelfavrenicolin.free.fr//Public/Divers/iptable_out

I think I missed something!

----------

## kbps

for ping add to "/etc/shorewall/rules"

```
Ping/ACCEPT    fw      net
```

or

```
ACCEPT          net     fw      icmp    8
ACCEPT          fw      net     icmp    8
```

 :Wink: 

----------

## manouchk

I switched to firestarter which was much easier to deal with. It is very practical (but maybe not as powerful, but my needs are simple, it's just a standalone computer). When the firestarter front-end is started, it shows connections, which is very practical for me because I need to print on Windows and the port changes... so that I can open one more port if printing fails...

----------

## Bizarro

I love you

/heh

----------

## carpman

Hello, ok have small problem.

After following guide and trying to start shorewall i get:

```
# /etc/init.d/shorewall start
 * Starting firewall ...
   ERROR: No ipv4 or ipsec Zones Defined
/sbin/shorewall: line 529: 10386 Terminated              $SHOREWALL_SHELL ${SHAREDIR}/compiler                    $debugging $nolock compile ${VARDIR}/.start
```

So edited /etc/shorewall/zones

```
#ZONE   TYPE            OPTIONS         IN                      OUT
#                                       OPTIONS                 OPTIONS
fw      firewall
net     ipv4
```

Restarting firewall  gave following message and locked me out for ssh and webmin:

```
/etc/init.d/shorewall restart
 * Restarting firewall ...
   Shorewall is not running
iptables: Invalid argument
   ERROR: Command "/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT" Failed
iptables: Invalid argument
iptables: Invalid argument
/sbin/shorewall: line 786: 11592 Terminated              $SHOREWALL_SHELL ${VARDIR}/.restart $debugging restart
```

shorewall rules

```
#ACTION SOURCE          DEST            PROTO   DEST    SOURCE          ORIGINAL  $
#                                               PORT(S) PORT(S)         DEST      $
#SECTION ESTABLISHED
#SECTION RELATED
SECTION NEW
ACCEPT   fw             net             tcp     80 #http
ACCEPT   fw             net             udp     80 #http
ACCEPT   fw             net             tcp     443 #https
ACCEPT   fw             net             udp     443 #https
#ACCEPT   fw             net             tcp     21 #ftp
#ACCEPT   fw             net             tcp     53 #DNS
#ACCEPT   fw             net             udp     53 #DNS
ACCEPT   fw             net             tcp     110 #unsecure Pop3
ACCEPT   fw             net             tcp     995 #Secure Pop3
ACCEPT   fw             net             tcp     873 #rsync
ACCEPT   fw             net             tcp     25 #unsecure SMTP
ACCEPT   fw             net             tcp     465 #SMTP over SSL
ACCEPT   fw             net             tcp     993 #IMAP over SSL
ACCEPT   fw             net             tcp     10000 # webmin ssl
ACCEPT   fw             net             tcp     22 # ssh
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
```

Any ideas?

cheers

----------
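Several of the failures in this thread are kernel-side rather than Shorewall-side: lmcogs's "Module ip_tables not found" with Sith_Happens's advice to build the options as <*> rather than <M>, rim's "Traffic shaping requires mangle support" that asiB4 traced to CONFIG_IP_NF_MANGLE, orange_juice's Xtables entry on 2.6.16, and carpman's "iptables: Invalid argument" on the `-m state` rule, where kernel support for the state match is one of the first things to check. The following is an added example by the editor, not code from the tutorial or from the Shorewall project: it reads a kernel `.config` the way asiB4 suggests and reports, for each Netfilter feature a single-host Shorewall setup relies on, whether it is built in, a module, or missing. The symbol table is the editor's assumption about which kernel options back each feature, listing both the pre- and post-rename names where 2.6 changed them; the Xtables row only exists from about 2.6.16 on, so on an older kernel drop it. The sample `.config` is constructed to reproduce rim's and carpman's cases.

```python
import re

# Netfilter features a Shorewall 2.x/3.x single-host setup relies on, with
# the kernel symbol(s) that provide each (editor's assumption). Where a
# symbol was renamed across 2.6 releases both names are listed and either
# one satisfies the check. Remove the Xtables row on kernels before 2.6.16.
REQUIRED = {
    "network packet filtering":        ("CONFIG_NETFILTER",),
    "netfilter Xtables support":       ("CONFIG_NETFILTER_XTABLES",),
    "IP tables support":               ("CONFIG_IP_NF_IPTABLES",),
    "packet filtering (filter table)": ("CONFIG_IP_NF_FILTER",),
    "packet mangling (mangle table)":  ("CONFIG_IP_NF_MANGLE",),
    "connection tracking":             ("CONFIG_IP_NF_CONNTRACK", "CONFIG_NF_CONNTRACK"),
    "state match (-m state)":          ("CONFIG_IP_NF_MATCH_STATE", "CONFIG_NETFILTER_XT_MATCH_STATE"),
    "multiport match":                 ("CONFIG_IP_NF_MATCH_MULTIPORT", "CONFIG_NETFILTER_XT_MATCH_MULTIPORT"),
    "NAT":                             ("CONFIG_IP_NF_NAT", "CONFIG_NF_NAT"),
}

SET_RE = re.compile(r"^(CONFIG_\w+)=(y|m)$")
UNSET_RE = re.compile(r"^# (CONFIG_\w+) is not set$")


def parse_config(text):
    """Map every boolean/tristate symbol in a kernel .config to 'y' (built
    in), 'm' (module) or 'n' (explicitly not set). String and numeric
    options are ignored, as are comment lines other than 'is not set'."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        m = SET_RE.match(line)
        if m:
            cfg[m.group(1)] = m.group(2)
            continue
        m = UNSET_RE.match(line)
        if m:
            cfg[m.group(1)] = "n"
    return cfg


def check_netfilter(cfg, required=REQUIRED):
    """Return {feature: 'built-in' | 'module' | 'missing'}. A symbol that is
    absent from the file altogether counts the same as 'is not set'."""
    report = {}
    for feature, symbols in required.items():
        values = [cfg.get(symbol, "n") for symbol in symbols]
        if "y" in values:
            report[feature] = "built-in"
        elif "m" in values:
            report[feature] = "module"
        else:
            report[feature] = "missing"
    return report


def problems(report):
    """Lines worth acting on. Sith_Happens's advice above is <*> rather than
    <M>, so a feature built as a module is listed alongside a missing one."""
    return [f"{feature}: {status}" for feature, status in report.items() if status != "built-in"]


# Constructed .config fragment (2.6.16-era symbol names): mangle left out,
# as in rim's kernel, and the state match built as a module.
SAMPLE_CONFIG = """\
CONFIG_NETFILTER=y
CONFIG_NETFILTER_XTABLES=y
CONFIG_NF_CONNTRACK=y
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_FILTER=y
# CONFIG_IP_NF_MANGLE is not set
CONFIG_NETFILTER_XT_MATCH_STATE=m
CONFIG_NETFILTER_XT_MATCH_MULTIPORT=y
CONFIG_NF_NAT=y
CONFIG_IP_NF_ARP_MANGLE=y
"""

if __name__ == "__main__":
    for line in problems(check_netfilter(parse_config(SAMPLE_CONFIG))):
        print("CHECK:", line)
```

On the sample it reports the mangle table as missing and the state match as a module; a real run would read `/usr/src/linux/.config` (or `/proc/config.gz` where the kernel exposes it) in place of the constructed string.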

