# **SUPPORT** Personal Firewall with Shorewall Tutorial

## Sith_Happens

This is the support thread for the Prompt and Powerful Firewalling with Shorewall tutorial.  Haven't read it?  Check it out and tell me what you think.  If you've read it and need some help, post here and I'll see what I can do.  :Smile: 

----------

## WarMachine

Would you consider expanding the tutorial to include instructions on how to configure shorewall for systems functioning as internet gateways?

----------

## Sith_Happens

Maybe I'll make a second tutorial to do that.  This tutorial has a clear purpose and to expand upon it would take away from that.  However, I wrote the tutorial with the hope that it not only gives a quick how-to that allows you to set up a personal firewall, but that it gives you enough of the basics of Shorewall that a more advanced configuration is easier to conceive and execute.  The other nice thing about shorewall is there is a great deal of documentation that is available to you.  Not only in man and info pages, but in the config files, and on their website.  Check out this tutorial on setting up a bridge/router, and see if it helps you.

----------

## Sheepdogj15

i'm just posting to let you know if you do decide to write a tutorial for setting up a firewall/gateway box, i'd use it. i actually tried setting up M0n0wall (like Smoothwall except based on FreeBSD. site: http://m0n0.ch/wall) on a spare PC i had handy, but the install failed miserably. 

i was thinking of switching to Smoothwall, but i like the idea of using Shorewall on Gentoo as it looks like it would give me more options. (i like bells and whistles.. ahem, i mean secured bells and whistles  :Wink:  )

otherwise, i'll probably just check out the tutorial from the Shorewall website.

----------

## Sith_Happens

Here is a better tutorial from the site for setting up a simple two zone (loc and net) firewall/router.  I was looking for this one earlier, but I could only find the first tutorial.  I think if I were to create a tutorial for a two interface shorewall set up it would probably be a recreation of this only specifically for gentoo users.  The other difference is this tutorial sets up a policy to accept all outgoing connections, as opposed to my approach which is to decide what outgoing connections I want to allow.  See if this helps, if you have any questions from this two interface tutorial I can probably help you in this thread as well.

----------

## rhill

very nice.  i'm just emerging shorewall now, after skimming over the tutorial.  i just wanted to say thanks.  it seems that everything written on the topic of linux and networking immediately assumes you have more than one box.  i've been looking for a good guide applicable to a single pc setup for a while now.

----------

## jdeane

Thanks for the tutorial, just what I was looking for,

Jon

----------

## Sheepdogj15

excellent.  :Smile:  thank you.

i might still use your tutorial for my local box as well. can never be too paranoid these days, eh?  :Laughing: 

----------

## Sith_Happens

I'm really pleased with the positive feedback.  If you guys have any problems with the tutorial tell me your suggestions, if I can make it easier to understand or clearer in any part I'd like to know.

----------

## spike_spiegel

Shorewall seems pretty nice, but so far, I've seen nothing that will help me set it up for my router and Windows PCs.

I'll try and mess around with it some more, but any help would be great.

____

spike

Ircop at irc.Aniverse.net

#linux

----------

## Sith_Happens

Did you look at this tutorial?

----------

## Sith_Happens

Here is a tutorial on the Shorewall site for setting up a standalone firewall.  Read my criticism of this how-to in the tutorial thread however before following it.  Thanks to Krolden for posting the link.

----------

## Dumphrey

I appreciate the how-to.  I had no idea shorewall was out there till i stumbled on this thread.  I had been trying to set up ip-tables manually.  Gahh!

Shorewall is my new buddy.

----------

## Sith_Happens

Shorewall is certainly easier to understand than iptables by itself.  Shorewall allows you to quickly and simply create a complex iptables setup in no time.

----------

## Andersson

I've only been using iptables until now, it's been working great. It never hurts trying new solutions, though. Shorewall might be a little quicker and give a little better overview. I'll try it for a while and see if I like it better.  :Smile: 

Ok, how about this, I wish to have an ssh server running on port 22 (done), but drop connections to this port from the internet (done), then redirect internet connections addressed to port 2222, to port 22.

This is to avoid those annoying bots attempting to log in. So why not run the server on port 2222 and simply ACCEPT connections to that port? Well, I want to use port 22 to save me from typing "-p 2222" when I'm on the local network.

So anyway, this is my attempt but it does not work.

```
#ACTION  SOURCE         DEST            PROTO   DEST    SOURCE     ORIGINAL     RATE            USER/
#                                               PORT    PORT(S)    DEST         LIMIT           GROUP
REDIRECT net            22              tcp     2222    -          fw
```

I may have confused DEST, DEST PORT and ORIGINAL DEST, but I haven't been able to test since I get the following error:

```
bash-2.05b# /etc/init.d/shorewall start
 * Starting firewall...
   Warning: Zone dmz is empty
iptables v1.2.11: host/network `fw' not found
Try `iptables -h' or 'iptables --help' for more information.
/sbin/runscript.sh: line 532: 17543 Avslutad     /sbin/shorewall start >/dev/null                 [ !! ]
```

Suggestions?

----------

## Sith_Happens

Try

```
#ACTION  SOURCE         DEST            PROTO   DEST    SOURCE     ORIGINAL     RATE            USER/
#                                               PORT    PORT(S)    DEST         LIMIT           GROUP
REDIRECT net            22              tcp     2222
```

----------

## Andersson

So a single port number means a port on the firewall itself?

I get no errors from shorewall using your rule. I still can't connect, but I must have misconfigured sshd somehow  :Embarassed: 

----------

## Sith_Happens

Well, let's test it just to be sure the rule is working.  Go to this site and have it scan port 2222 on your firewall.  Then run dmesg, it should have an entry for the scan, post that shorewall message, and we'll see if it works.

----------

## Andersson

It works like a charm! And the sshd wasn't misconfigured - just not started  :Rolling Eyes: 

----------

## Sith_Happens

The thing about redirect is it implies you are talking about traffic to the firewall.

----------

## Gripp

hmm.. of course everything i do has a catch eh

 at the line

```
/etc/init.d/shorewall start
```

i get:

```
modprobe: Can't locate module ip_tables
iptables v1.2.11: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
```

then, after doing that several times it gives me:

```
/sbin/runscript.sh: line 532:   877 Terminated              /sbin/shorewall start >/dev/null                                                              [ !! ]
#$%^# root # 
```

i have kernel 2.4.28-r7 -- looking at the portage description of it, 2.4 is what it needs.

and it does have loadable module support... 

i just ran emerge --sync today

the best i find in my kernel is "network packet filter (replaces IPTABLES)"

any ideas?

----------

## trooper_ryan

I'm being finicky, but perhaps the subject should not include the phrase "Personal firewall".  This suggests an app that interacts with the user.

Got me all excited - bastards!  :Very Happy: 

----------

## Sith_Happens

 *trooper_ryan wrote:*   

>  This suggests an app that interacts with the user. 

 I think "personal firewall" represents a firewall for a standalone machine as opposed to a dedicated firewall for a network.  Just so I know, what were you looking for as far as interactivity?  A GUI?  If that's the case maybe you should look into KMyFirewall.  Personally, I think GUIs make it much more difficult to configure anything, but that's just me.  :Smile: 

----------

## trooper_ryan

 *Sith_Happens wrote:*   

> I think "personal firewall" represents a firewall for a standalone machine as opposed to a dedicated firewall for a network.  Just so I know, what were you looking for as far as interactivity?

 

Personal firewall products are generally desktop based and have a learning capability, e.g. if I initiate an FTP session the personal firewall will pop up a dialogue asking if FTP should be allowed temporarily or permanently.

I haven't seen any products like this for linux, but on Windoze there are many examples: Tiny, ISS, ZoneAlarm etc etc

----------

## Sith_Happens

 *trooper_ryan wrote:*   

>  *Sith_Happens wrote:*   I think "personal firewall" represents a firewall for a standalone machine as opposed to a dedicated firewall for a network.  Just so I know, what were you looking for as far as interactivity? 
> 
> Personal firewall products are generally desktop based and have a learning capability, e.g. if I initiate an FTP session the personal firewall will pop up a dialogue asking if FTP should be allowed temporarily or permanently.
> 
> I haven't seen any products like this for linux, but on Windoze there are many examples: Tiny, ISS, ZoneAlarm etc etc

 Well, the definition of a "personal firewall" is one which protects a single computer with one network connection.  What you are looking for isn't so much a personal firewall as it is an "idiot firewall"  :Wink:  .  In that case I would still suggest you take a look at KMyFirewall.

----------

## Gripp

ok, i've worked through what help i can find... but now i get a new error:

```
/lib/modules/2.4.28-gentoo-r7/kernel/net/ipv4/netfilter/ip_tables.o: /lib/modules/2.4.28-gentoo-r7/kernel/net/ipv4/netfilter/ip_tables.o: unresolved symbol nf_unregister_sockopt
/lib/modules/2.4.28-gentoo-r7/kernel/net/ipv4/netfilter/ip_tables.o: /lib/modules/2.4.28-gentoo-r7/kernel/net/ipv4/netfilter/ip_tables.o: unresolved symbol nf_register_sockopt
/lib/modules/2.4.28-gentoo-r7/kernel/net/ipv4/netfilter/ip_tables.o: insmod /lib/modules/2.4.28-gentoo-r7/kernel/net/ipv4/netfilter/ip_tables.o failed
/lib/modules/2.4.28-gentoo-r7/kernel/net/ipv4/netfilter/ip_tables.o: insmod ip_tables failed
iptables v1.2.11: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
```

also:

```
# find * | xargs grep nf_unregister
Binary file ip_conntrack.o matches
Binary file ip_tables.o matches
Binary file iptable_filter.o matches
Binary file iptable_nat.o matches
```

I can't really say i have tried much outside of simply searching....

this seems to be a commonly ignored problem...

the only answer i have found was basically that this issue arises with the 2.6 kernel, and to reinstall 2.4... but i have 2.4 already....

oh, and yes, my kernel is configured (to the best of my knowledge) correctly

----------

## Sith_Happens

Post the output of this command:

```
cat /usr/src/linux/.config | grep FILTER
```

It should look something like this:

```
CONFIG_NETFILTER=y
# CONFIG_NETFILTER_DEBUG is not set
# CONFIG_FILTER is not set
```

----------

## Tipycol

Shorewall doesn't start for me. I /etc/init.d/shorewall start and just get 

```
* Starting firewall...                                                   [ !! ]
```

and there's nothing in shorewall logwatch or syslog. I'm pretty sure I did everything in the instructions, is there something else I have to do to get it started? (I'm using amd64 btw)

----------

## Sith_Happens

 *Tipycol wrote:*   

> Shorewall doesn't start for me. I /etc/init.d/shorewall start and just get 
> 
> ```
> * Starting firewall...                                                   [ !! ]
> ```
> ...

 Try starting shorewall manually as root with shorewall start, and post any errors it gives you.

----------

## Tipycol

Ah didn't set shorewall to start in /etc/shorewall/shorewall.conf, or defined the zones in /etc/shorewall/zones. Everything's working fine now. Thanks Sith_Happens

----------

## Sith_Happens

 *Tipycol wrote:*   

> Ah didn't set shorewall to start in /etc/shorewall/shorewall.conf, or defined the zones in /etc/shorewall/zones. Everything's working fine now. Thanks Sith_Happens

 Sure thing, glad it was something simple.  Did your confusion result from something in the tutorial that can be made clearer?  If so I would be interested to know what.

----------

## Silent1Mark

If any one is using Gaim

You need to add the following rules to get it working. Or at least I had to

tcp port 1863 for MSN protocol, I got this info from http://www.hypothetic.org/docs/msn/general/connections.php

tcp port 5190 for AIM and ICQ ( who else still has a 6 digit ICQ number? ) That one is on the shorewall home page and in the tutorial

getting Yahoo to work takes more than a " smile and Handshake "

You have to look under your Tools > Accounts > (Yahoo account) > Modify > Show more options

And then take a look at what port it's using. Mine says port 5050 and it works; the " known ports " it uses are 20 23 25 80 119 5050 8001 8002 

That information was posted on  http://gaim.sourceforge.net/faq.php#q63

Hope this Helps.

----------

## Sith_Happens

Thanks for the info Silent1Mark, it's much appreciated.  :Smile: 

----------

## clameo

```
/etc/init.d/iptables start
 * Loading iptables state and starting firewall...
 * Restoring iptables ruleset                                                         [ ok ]
user iptables # rc-update add shorewall default && /etc/init.d/shorewall start
 * shorewall already installed in runlevel default; skipping
 * Starting firewall...
   Warning: Zone loc is empty
   Warning: Zone dmz is empty
FATAL: Module ip_tables not found.
iptables v1.2.11: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
FATAL: Module ip_tables not found.
iptables v1.2.11: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
FATAL: Module ip_tables not found.
iptables v1.2.11: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
FATAL: Module ip_tables not found.
iptables v1.2.11: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
FATAL: Module ip_tables not found.
iptables v1.2.11: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
FATAL: Module ip_tables not found.
iptables v1.2.11: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
FATAL: Module ip_tables not found.
iptables v1.2.11: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
FATAL: Module ip_tables not found.
iptables v1.2.11: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
FATAL: Module ip_tables not found.
iptables v1.2.11: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
FATAL: Module ip_tables not found.
iptables v1.2.11: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
FATAL: Module ip_tables not found.
iptables v1.2.11: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
/sbin/runscript.sh: line 532: 10647 Terminated              /sbin/shorewall start >/ 
```

How can I solve this problem?

----------

## Sith_Happens

 *clameo wrote:*   

> 
> 
> ```
> /etc/init.d/iptables start
> ...
> ```

 Are you sure you followed the kernel configuration section correctly?  Post the output of cat /usr/src/linux/.config | grep FILTER.

----------

## Johnyp

I wonder why you needed to specify same rules twice (for tcp and UDP). As far as i know ( and i may be wrong) - all of those use TCP. Could you clarify or correct me?

Also - as i understand those are the rules for dropping all traffic from outside and allowing traffic from the inside to those specific services.

So, if one wanted to run web server, ftp and ssh on the machine running Shorewall they would have to use something like this, right?

```
#ACTION   SOURCE    DESTINATION     PROTO  DEST PORT(S)     Service
ACCEPT     net              fw      tcp          80       #http
ACCEPT     net              fw      tcp          21       #ftp
ACCEPT     net              fw      tcp          22       #ssh
```

Thanks

----------

## Sith_Happens

 *Johnyp wrote:*   

> I wonder why you needed to specify same rules twice (for tcp and UDP). As far as i know ( and i may be wrong) - all of those use TCP. Could you clarify or correct me?
> 
> Thanks

 No, you're right, I'm just covering all the bases.  :Smile: 

----------

## Johnyp

Cool. Nice tutorial man, just used it to setup my server. It helps when others write down what they know in a way that is easy to read and understand.

----------

## Sith_Happens

 *Johnyp wrote:*   

> Cool. Nice tutorial man, just used it to setup my server. It helps when others write down what they know in a way that is easy to read and understand.

 Exactly my point, I'm glad it came across that way.  :Very Happy: 

----------

## Johnyp

Here is a question for you:

I have a ping running against the gentoo box where i've just installed Shorewall ( i get replies ). Ping is going through, Shorewall has never been started on this machine. I start shorewall - i get  "destination unreachable" to my pings. At this point everything is working correctly. Now - if i STOP shorewall - icmp is still dropped as if the Shorewall is running, but it's not!

What happened to the icmp then?

----------

## Sith_Happens

 *Johnyp wrote:*   

> Here is a question for you:
> 
> I have a ping running against the gentoo box where i've just installed Shorewall. Ping is going through, Shorewall has never been started on this machine. I start shorewall - i get no destination unreachable to my pings. At this point everything is working correctly. Now - if i STOP shorewall - icmp is still dropped as if the Shorewall is running, but it's not!
> 
> What happened to the icmp then?

 Yeah, I get this with shorewall as well.  When you start shorewall, it configures iptables, however when you stop shorewall, it doesn't seem to flush all the ipchains rules.  Try running this after stopping shorewall:

```
iptables -F
```

See if that fixes the problem

----------

## Johnyp

Hmm... no. In fact - it drops all the communications (including existing SSH to the box, and even traffic originated from gentoo box to the outside machine). Just completely kills the network. If after this i start shorewall and run ping on gentoo box going to the outside - i get "operation not permitted. x.x.x.x host is unreachable"

My rule set is very close to this. But only SSH is actually started on the box.

```
#ACTION   SOURCE    DESTINATION     PROTO  DEST PORT(S)     Service 
ACCEPT     net              fw      tcp          80       #http 
ACCEPT     net              fw      tcp          21       #ftp 
ACCEPT     net              fw      tcp          22       #ssh
```

1) update

it seems as the only way to get back the networking is to reboot the box. I would rather restart a service or 2 when i need to reapply rules, than restart the whole box.

2) UPDATE

Ok, when you stop shorewall and you want to have the machine wide open for bidirectional communications - run 

```
/etc/init.d/shorewall clear
```

This will flush all the rules. Otherwise the firewall is stopped, but for security reasons it blocks all traffic rather than making the machine wide open to attacks. I guess this is good in case the firewall crashes/drops for some reason.

----------

## Sith_Happens

I'd like to thank you for bringing this to my attention, otherwise I probably never would have figured this out.  We are all learning.  :Embarassed:  .  Check this out:

> Shorewall is stopped using the shorewall stop command.
> 
> Important
> 
> The shorewall stop command does not remove all netfilter rules and open your firewall for all traffic to pass. It rather places your firewall in a safe state defined by the contents of your /etc/shorewall/routestopped file and the setting of ADMINISABSENTMINDED in /etc/shorewall/shorewall.conf.

Setting some rules in /etc/shorewall/routestopped would be a good idea as well.

----------

## clameo

 *Sith_Happens wrote:*   

> Are you sure you followed the kernel configuration section correctly?  Post the output of cat /usr/src/linux/.config | grep FILTER.

 

```
CONFIG_NETFILTER=y
# CONFIG_NETFILTER_DEBUG is not set
# CONFIG_PPP_FILTER is not set
```

I recompiled my kernel with genkernel...

----------

## Sith_Happens

 *clameo wrote:*   

>  *Sith_Happens wrote:*   Are you sure you followed the kernel configuration section correctly?  Post the output of cat /usr/src/linux/.config | grep FILTER. 
> 
> ```
> CONFIG_NETFILTER=y
> ...
> ```

 Ah, it looks like you're using a 2.4 kernel, run cat /usr/src/linux/.config | grep IPTABLES.  I thought that the default when netfilter was selected was to compile in iptables support, perhaps I was wrong.  If so I'll have to update the tutorial.

EDIT: Tutorial updated, check to make sure your kernel is configured with IP tables support as per the updated tutorial.
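The two grep checks above (one for FILTER, one for IPTABLES) can be turned into a single script that reads a kernel .config and reports whether the netfilter options iptables and Shorewall need are present as built-in or modules. This is an added example, not code from the thread or from Shorewall; the option names are the 2.4-era netfilter symbols, and the two sample .config excerpts are constructed so the script demonstrates both a passing and a failing kernel.

```shell
#!/bin/sh
# Added example (not from the thread): check a kernel .config for the
# netfilter options that iptables and Shorewall need, instead of eyeballing
# "grep FILTER" / "grep IPTABLES" output by hand.
#
# Usage: check_netfilter_config /usr/src/linux/.config
# Exit status 0 if every required option is y or m, 1 otherwise.

# Without these, iptables cannot even load the filter table (the
# "Module ip_tables not found" failures earlier in the thread).
REQUIRED="CONFIG_NETFILTER CONFIG_IP_NF_IPTABLES CONFIG_IP_NF_FILTER"
# These map onto the capabilities shorewall start reports: REDIRECT rules need
# NAT, and stateful ACCEPT rules need connection tracking plus the state match.
RECOMMENDED="CONFIG_IP_NF_CONNTRACK CONFIG_IP_NF_MATCH_STATE CONFIG_IP_NF_NAT"

# option_enabled FILE SYMBOL: true when FILE contains SYMBOL=y or SYMBOL=m
option_enabled() {
    grep -q "^$2=[ym]\$" "$1"
}

check_netfilter_config() {
    cfg=$1
    status=0
    for sym in $REQUIRED; do
        if ! option_enabled "$cfg" "$sym"; then
            echo "MISSING (required):    $sym"
            status=1
        fi
    done
    for sym in $RECOMMENDED; do
        if ! option_enabled "$cfg" "$sym"; then
            echo "missing (recommended): $sym"
        fi
    done
    return $status
}

# Two constructed .config excerpts for demonstration.
# GOOD_CFG: netfilter with iptables built as modules.
GOOD_CFG=$(mktemp)
cat > "$GOOD_CFG" <<'EOF'
CONFIG_NETFILTER=y
# CONFIG_NETFILTER_DEBUG is not set
CONFIG_IP_NF_CONNTRACK=m
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_MATCH_STATE=m
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_NAT=m
EOF

# BAD_CFG: netfilter on but no iptables support, like the grep output above.
BAD_CFG=$(mktemp)
cat > "$BAD_CFG" <<'EOF'
CONFIG_NETFILTER=y
# CONFIG_NETFILTER_DEBUG is not set
# CONFIG_PPP_FILTER is not set
# CONFIG_IP_NF_IPTABLES is not set
EOF

echo "== sample good config"
check_netfilter_config "$GOOD_CFG" && echo "ok: iptables support present"
echo "== sample bad config"
check_netfilter_config "$BAD_CFG" || echo "rebuild the kernel before running shorewall start"
```

Run it against the real file with `check_netfilter_config /usr/src/linux/.config` after sourcing the script; a non-zero exit means shorewall start will fail the way the posts above show, regardless of what is in the rules file.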

----------

## clameo

I got everything running, but how can I get amule working, I mean I opened tcp 4662 & udp 4672, but I can't connect to server. Any ideas?

----------

## deepHomer

 *clameo wrote:*   

> I got everything running, but how can I get amule working, I mean I opened tcp 4662 & udp 4672, but I can't connect to server. Any ideas?

 

From info in the  FAQ eD2K-Kademlia I tried these settings that seem to work:

```
#ACTION  SOURCE         DEST            PROTO   DEST PORT
ACCEPT   fw             net             tcp     4661 #for amule -- connection to server
ACCEPT   net            fw              tcp     4661 #for amule -- connection to server -- Required for HighID?
ACCEPT   fw             net             tcp     4662 #for amule -- client to client xfers
ACCEPT   net            fw              tcp     4662 #for amule -- client to client xfers
ACCEPT   fw             net             udp     4665 #for amule -- global search queries
ACCEPT   fw             net             udp     4672 #for amule -- Extended eMule protocol
ACCEPT   fw             net             tcp     4711 #for amule -- WebServer listening port
```

But other than being able to download/upload, I don't know what the security implications are for these settings.  If you can come up with a smaller set, please post.

BTW, thank you Sith_Happens for your efforts in tutoring us n00bs.

----------

## Sith_Happens

I don't know too much about how amule works, however p2p file sharing progs are going to want a two way connection like that to upload and download files.  As far as security implications, you're going to need to allow some access from the net if you want to use a filesharing program, that's just a fact of life.  Really the best advice I can give you is to watch for security updates for amule, that way you can fix any vulnerabilities in it before somebody xfers your system into oblivion.  :Wink:  If you wanted to make a smaller set cosmetically you could combine the two net->fw rules together like so:

```
ACCEPT   net            fw              tcp     4661:4662
```

This way, when you are not using amule, you can just comment out this line and restart shorewall (using /etc/init.d/shorewall restart), which will close off the unnecessary open ports.  Then just delete the comment, and restart shorewall if you want to use amule.
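Since several posts in this thread (Johnyp's http/ftp/ssh rules, the amule rules, the 4661:4662 range, and the REDIRECT rule earlier) turn on the question of what a rules file actually opens towards the net zone, here is a small shell/awk audit of a rules file in the column layout used above. It is an added example, not code from any post or from Shorewall: it strips comments, picks out the ACCEPT rules whose SOURCE is net and DEST is fw (or $FW), expands a:b port ranges, and reports a REDIRECT from net whose DEST column is a bare port number as a port on the firewall itself, which is the point made about REDIRECT earlier. The sample rules file is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): report what a Shorewall rules file
# opens from the net zone to the firewall itself.
#
# Usage: inbound_exposure /etc/shorewall/rules
# Output: one "ACTION PROTO PORT" line per port, e.g. "ACCEPT tcp 4662".

inbound_exposure() {
    # Strip full-line and trailing comments, then let awk pick the rules that
    # matter for inbound exposure:
    #   - ACCEPT with SOURCE net and DEST fw (or $FW)
    #   - REDIRECT with SOURCE net and a bare port number in DEST, which
    #     Shorewall treats as "that port on the firewall"
    sed -e 's/#.*//' "$1" | awk '
        # Print one line per port; "a:b" is a range, "a,b" a list.
        function emit(action, proto, spec, extra,   parts, n, i, r, p) {
            n = split(spec, parts, ",")
            for (i = 1; i <= n; i++) {
                if (split(parts[i], r, ":") == 2)
                    for (p = r[1] + 0; p <= r[2] + 0; p++)
                        print action, proto, p extra
                else
                    print action, proto, parts[i] extra
            }
        }
        NF == 0 { next }
        $1 == "ACCEPT" && $2 == "net" && ($3 == "fw" || $3 == "$FW") {
            emit($1, $4, $5, "")
        }
        $1 == "REDIRECT" && $2 == "net" && $3 ~ /^[0-9]+$/ {
            emit($1, $4, $5, " -> " $3)
        }
    '
}

# Constructed sample rules file in the column layout used in this thread.
SAMPLE_RULES=$(mktemp)
cat > "$SAMPLE_RULES" <<'EOF'
#ACTION   SOURCE   DEST   PROTO   DEST PORT(S)
ACCEPT    fw       net    tcp     80          # http, outbound only
ACCEPT    net      fw     tcp     4661:4662   # amule, reachable from the net
ACCEPT    net      fw     udp     4672        # amule
REDIRECT  net      22     tcp     2222        # sshd on 22, reached as 2222 from the net
DROP      fw       net    tcp     113         # ident
EOF

inbound_exposure "$SAMPLE_RULES"
# Prints:
#   ACCEPT tcp 4661
#   ACCEPT tcp 4662
#   ACCEPT udp 4672
#   REDIRECT tcp 2222 -> 22
```

Running it over /etc/shorewall/rules before a restart gives a short list to compare against the services that are actually meant to be listening; the fw->net ACCEPT lines and the DROP for ident do not appear because they do not admit anything from the net.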

----------

## tomvollerthun

Unfortunately I configured my shorewall before you created the howto, which is really a shame, because it would have saved me some time: I think it is really good.

I got amule working with normal ID and everything by just adding to the rules

```
ACCEPT          net     fw      tcp     4662
```

But I have as well in my policy file:

```
fw              net             ACCEPT
```

because I wanted to be "just able" to connect.

Greetings, tom

----------

## big_D

I've followed your tutorial - Shorewall seems to start up fine, with no errors, thanks.

I'm probably missing something really obvious, but when I visit your link to check the firewall all the ports (bar 21, 23 & 80) are closed rather than stealthed.

I've set /etc/shorewall/policy as you indicated - where else should I look for info?

----------

## Sith_Happens

 *big_D wrote:*   

> I've followed your tutorial - Shorewall seems to start up fine, with no errors, thanks.
> 
> I'm probably missing something really obvious, but when I visit your link to check the firewall all the ports (bar 21, 23 & 80) are closed rather than stealthed.
> 
> I've set /etc/shorewall/policy as you indicated - where else should I look for info?

 Could you post your policy and rules files, I'm sure it's something simple.  :Smile:   Don't post the whole thing, just the tail end of the file (the same part I posted in the tutorial).

----------

## big_D

Here you go:

```
###############################################################################
#SOURCE      DEST      POLICY      LOG      LIMIT:BURST
#                  LEVEL
net      all      DROP      info
all      all      DROP      info
#LAST LINE -- DO NOT REMOVE
```

```
#ACTION  SOURCE      DEST         PROTO   DEST    SOURCE      ORIGINAL   RATE      USER/
#                                     PORT    PORT(S)    DEST      LIMIT      GROUP
ACCEPT   fw   net   tcp   80 #http
ACCEPT   fw   net   udp   80 #http
ACCEPT   fw   net   tcp   443 #https
ACCEPT   fw   net   udp   443 #https
ACCEPT   fw   net   tcp   21 #ftp
ACCEPT   fw   net   tcp   53 #DNS
ACCEPT   fw   net   udp   53 #DNS
ACCEPT   fw   net   tcp   110 #unsecure Pop3
ACCEPT   fw   net   tcp   995 #Secure Pop3
ACCEPT   fw   net   tcp   873 #rsync
ACCEPT   fw   net   tcp   25 #Unsecure SMTP
ACCEPT   fw   net   tcp   465 #SMTP over SSL
ACCEPT   fw   net   tcp   5190 #AIM/ICQ
DROP   fw   net   tcp   113 #AUTH/IDENT
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
```

The DROP instruction in the last line of the policy was a bit of desperation - it has been set at REJECT previously.

----------

## Sith_Happens

Is this computer connected directly to the internet, or are you behind a firewall/router appliance?

----------

## big_D

It's behind a combined router & modem.

----------

## Sith_Happens

 *big_D wrote:*   

> It's behind a combined router & modem.

 If that's the case, then the portscan is stopping at your router/modem, and you'll need to configure that if you want a stealthed firewall.

----------

## big_D

I told you it was something really obvious! 

It's sorted now, thanks for your help.

----------

## Sith_Happens

 *big_D wrote:*   

> I told you it was something really obvious! 
> 
> It's sorted now, thanks for your help.

 Sure thing.  :Smile:  The tutorial is really designed for people who are connected directly to a lan or modem.  If you are behind a router/firewall appliance, then you can use shorewall as a second line of defense, but configuring your router firewall should be your first.

----------

## arthurdent

Hi Sith,

Thanks for a most fantastic tutorial. I have been using Fedora Core for a couple of years now and I recently decided to try Gentoo to take my level of Linux understanding up a notch. Whilst I am reasonably PC-savvy I know absolutely nothing about networking so the idea of having to create my own firewall scared the bejasus out of me (Fedora does it all for you). Your tutorial rescued me and made the whole thing a breeze. Thank you!

I do have one question however. When I pop in an audio CD, my apps (eg gnome-cd-player) can't access the CDDB servers to display CD information (artist, title, tracks etc.). How do I set up Shorewall to allow them access to the servers? (Remember I am a networking dunce).

Thanks for a great resource.

Mark

----------

## Johnyp

Check what port is used by CDDB (can be 888, 8880 or anything else really) and then open that port just as you have opened all the rest. You should be able to check the port in the app itself or in the config file for it.

----------

## arthurdent

I'd already tried both 888 and 8880 but neither of them seemed to work. 

Do I need to stop and restart Shorewall after making changes to /etc/shorewall/rules? (because I didn't do that - I just edited the rules file and then re-tried the CD Player).

Mark

Edit: I've added both ports 888 and 8880 to /etc/shorewall/rules and stopped and restarted shorewall. Still no joy.

----------

## Johnyp

Yes, you need to restart Shorewall and flush all the rules. One way to do it is to reboot your PC. The second is this

```
/etc/init.d/shorewall stop
/etc/init.d/shorewall clear
/etc/init.d/shorewall start
```

this will stop the firewall, flush the current rules, start the firewall with the new rules.

Here is a simple test, run this

```
/etc/init.d/shorewall stop
/etc/init.d/shorewall clear
```

Then try to query the CDDB. If it works, look at the rules set - there must be mistake somewhere. Then start the firewall.

```
/etc/init.d/shorewall start
```

If after stopping and flushing rules, you still couldn't connect to CDDB - then the problem is not with Shorewall.

----------

## Sith_Happens

 *arthurdent wrote:*   

> Edit: I've added both ports 888 and 8880 to /etc/shorewall/rules and stopped and restarted shorewall. Still no joy.

 Show me the entries to your rules file, it could be you have the set up backwards (i.e. source net, dest. fw).

----------

## A.S. Pushkin

I, too, find shorewall very nice. I originally thought to use iptables, or even knetfilter or firestarter, but found all of these very complex, due, no doubt, to my lack of knowledge in this area.

I may attempt to use DTK in conjunction with shorewall and offer more confusion factor.

----------

## arthurdent

Sith & Johnyp,

Thanks very much for your help. Although I had tried stopping and re-starting shorewall I didn't realise that you had to run "clear". Having rebooted (or actually gone to bed and booted up the next day...) it worked!

Thanks again.

Great resource (again)!

Mark

----------

## kamagurka

Strange problem here: when I try starting shorewall, I get this output:

```
mq# /etc/init.d/shorewall start
 * Starting firewall...
   Warning: Zone loc is empty
   Warning: Zone dmz is empty
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
/sbin/runscript.sh: line 532: 11461 Terminated              /sbin/shorewall start >/dev/null
```

Afterwards, all traffic to and from my box is stopped, and I have to issue "shorewall clear" to get it working again. Huh?

----------

## Johnyp

If you are not doing any NAT (network address translation. For example if your gentoo box does not serve as a firewall to a network) - comment out loc and dmz in your /etc/shorewall/zones file.

Most likely it will still fail after this, but at least we will get the first part resolved.

You may also want to provide your zones, policy and rules files.

----------

## Sith_Happens

 *kamagurka wrote:*   

> Strange problem here: when I try starting shorewall, I get this output:
> 
> ```
> mq# /etc/init.d/shorewall start
> 
> ...

 Try starting shorewall without the initscript, using shorewall start, the output should give us a better idea of what is wrong.  The two warnings issued before the iptables errors are harmless, and not related to why shorewall is crashing.

----------

## kamagurka

```
mq# shorewall start

Loading /usr/share/shorewall/functions...

Processing /etc/shorewall/params ...

Processing /etc/shorewall/shorewall.conf...

Loading Modules...

Starting Shorewall...

Initializing...

Shorewall has detected the following iptables/netfilter capabilities:

   NAT: Not available

   Packet Mangling: Not available

   Multi-port Match: Available

   Connection Tracking Match: Not available

Determining Zones...

   Zones: net loc dmz

Validating interfaces file...

Validating hosts file...

Validating Policy file...

Determining Hosts in Zones...

   Net Zone: eth0:0.0.0.0/0

   Warning: Zone loc is empty

   Warning: Zone dmz is empty

Processing /etc/shorewall/init ...

Deleting user chains...

iptables: No chain/target/match by that name

Processing /etc/shorewall/stop ...

iptables: No chain/target/match by that name

iptables: No chain/target/match by that name

IP Forwarding Enabled

Processing /etc/shorewall/stopped ...

zsh: 13448 terminated  shorewall start
```

@Johnyp: my config files look just like Sith_Happens wrote in his howto; I didn't change anything there yet.

----------

## gifti

Hi,

I'm not sure this question belongs here, but I will take a shot anyhow. I'm running shorewall and sshd with a number of users. I would like to restrict ssh access to one user at a time, unless it is myself. I should always be permitted to log in regardless of other users. The user that is allowed to log in should not necessarily be limited to one connection. Is this a firewall job, or how can this be done?

thx

g

----------

## Johnyp

kamagurka

I just looked at my output and the iptables/netfilter features all read "Available".

Are you sure you compiled your kernel with iptables/netfilter?

----------

## Johnyp

gifti

No, this may be an SSH feature, or you may want to look into tcp_wrappers (tcpd). I really don't think you can set something like this with iptables/netfilter (shorewall). And even if it's possible, I think it may be very, very difficult to do it with a firewall (if possible at all).

----------

## Sith_Happens

 *Johnyp wrote:*   

> kamagurka
> 
> I just looked at my output and the iptables/netfilter features all read "Available".
> 
> Are you sure you compiled your kernel with iptables/netfilter?

 Agreed, go back through the how-to and make sure you've correctly configured your kernel (Section 2) then re-emerge iptables.

----------

## kamagurka

I have definitely enabled "Network packet filtering" in my kernel. Your howto doesn't provide information on this, but in there I enabled the following:

```
<M> Connection tracking (required for masq/NAT)   

<M> IP tables support (required for filtering/masq/NAT)       

<M>   limit match support                                

<M>   IP range match support                            

<M>   MAC address match support                        

<M>   Packet type match support        

<M>   netfilter MARK match support                              

<M>   Multiple port match support                

<M>   TOS match support                             

<M>   recent match support                            

<M>   ECN match support                         

<M>   DSCP match support                         

<M>   AH/ESP match support                                

<M>   LENGTH match support                

<M>   TTL match support                                      

<M>   tcpmss match support       

<M>   Owner match support                                 

<M>   Packet filtering                                 

<M>     REJECT target support                                                       

<M>   Full NAT
```

Did I miss anything or something?

----------

## Johnyp

M stands for installing it as a module. I believe you need to change it to *, so it's compiled into the kernel and not as a module. But I may be wrong here.

----------

## Sith_Happens

 *kamagurka wrote:*   

> I have definetely enabled "Network packet filtering" in my kernel. Your howto doesn't provide information on this, but in there I enabled the following

 What do you mean my how-to "doesn't provide information" on how to do this?  :Evil or Very Mad:   *Sith_Happens wrote:*   

> Section 2: Kernel Configuration
> 
> Before we begin, let's make sure that you've compiled your kernel with the built in packet filtering capabilities Shorewall is supposed to take advantage of.  So, run:
> 
> ```
> ...

 Read the tutorial, follow it as it is written.  I wouldn't be so PO'ed, except I told you where to look for kernel configuration in the tutorial in the post right above yours!  :Mad:   Kernel modules need to be loaded separately from the kernel manually using modprobe or automatically at boot by adding them to /etc/modules.autoload.d/kernel-<2.6 or 2.4>.

 :Rolling Eyes: 

----------

## cade

I've just finished setting up shorewall. Great tutorial. Do you happen to know what ports are needed to emerge? I can't seem to emerge anything. Here is the error message. When it enters passive mode, the ports always change. Thanks

```

Resolving ftp.pangeia.com.br... 200.239.53.35

Connecting to ftp.pangeia.com.br[200.239.53.35]:21... connected.

Logging in as anonymous ... Logged in!

==> SYST ... done.    ==> PWD ... done.

==> TYPE I ... done.  ==> CWD /pub/seg/pac ... done.

==> PASV ... couldn't connect to 200.239.53.35:1845: Connection refused

```

----------

## Sith_Happens

That's odd, it shouldn't need to enter passive mode in order to download, only to upload.  :Confused:  Are you using wget or an alternate downloader?  Can you switch to an http mirror?

----------

## cade

Thanks for the quick reply. I am using wget, so I don't know why it goes into passive mode. But I took your suggestion and switched to an http mirror and it works fine now. Thanks again

----------

## kamagurka

 *Sith_Happens wrote:*   

>  *kamagurka wrote:*   I have definetely enabled "Network packet filtering" in my kernel. Your howto doesn't provide information on this, but in there I enabled the following What do you mean my how-to "doesn't provide information" on how to do this? :evil:  *Sith_Happens wrote:*   Section 2: Kernel Configuration
> 
> Before we begin, let's make sure that you've compiled your kernel with the built in packet filtering capabilities Shorewall is supposed to take advantage of.  So, run:
> 
> ```
> ...

 

OK, with "this" I meant "what is now going to follow this statement here" i.e. what I have to enable *in* the netfilter options. I mean, I certainly have iptables enabled, but I don't know if I need anything else... You didn't really mention the modprobe bit; it doesn't really help, tho, I mean, I already thought of that (it was pretty much the only idea I had...)

So basically, if iptables is the only thing I need enabled, I had that from the start, and either I'm being stupid and missed something really trivial, or there is some other problem here.

[edit] btw, I just noticed: the bit where you "explain" what to enable in the Network packet filtering options is in the 2.4 kernel section, so excuse me for not noticing it.

----------

## Sith_Happens

 *kamagurka wrote:*   

>  I certainly have iptables enabled, but I don't know if I need anything else...

 No you don't have iptables enabled, you have it compiled as a module, see: *kamagurka wrote:*   

> 
> 
> ```
> ...
> 
> ...

 You don't have it enabled until you actually load the module.  The reason I didn't talk about modprobe in my tutorial is that if you followed my tutorial you wouldn't have to use it.  I also didn't mention any of the other options, because they aren't necessary for this application, and if you don't understand what they are then you shouldn't use them.  I'm not going to entertain support requests for this tutorial from people who don't follow the tutorial.  Go back and compile iptables into the kernel ( <*> not <M> ) as specified in the tutorial, reinstall it, and reboot.  Then your problem should be solved.  You did miss something, although it's not trivial and it's not missing from the tutorial.  If the problem persists after you have followed the tutorial as it is written, then I'd be happy to help you.  

I'm not trying to be a jerk here, but I write the tutorial a certain way for a reason.  The reason being that if you don't follow it as it is written, and if you don't understand the changes you're making, then you will run into problems.  I have no problem with you doing whatever you want with your kernel configuration, and changing my tutorial in a million different ways.  However, if you choose not to follow it, and choose not to listen when I tell you how to fix your problem, then don't post in this thread, and don't tell me that my tutorial doesn't work.  It could be that there is some other problem you are experiencing that shows an error or omission in my tutorial; however, all I see now is that you didn't follow it, I'm telling you how to fix your problem according to my tutorial, and you are persistent in your refusal to do so.  If that's the case then I don't want to help you.  However, if you now see the error of your ways, and fix your kernel configuration, then I would be happy to help you with any future problems you may have with shorewall.

----------

## JoKo

Very useful guide indeed, but I have trouble configuring the access for BT.

I'm currently using Azureus configured on a high port ( > 50000 ). The problem is I can't tell which outgoing port I'll need to open since the peers don't always use the default ports (just like me  :Very Happy:  ). Is there any workaround?

----------

## kTmrider

~

Thanks Sith...awesome time saver. I look forward to following through with your's, Bob P's, et al's examples, of providing clear and concise tutorials for the community. IMO, it's desperately needed, open source wide. Maybe one day there will be an organized group effort. "The Open Source Documentation Project - Our goal is to provide unified, thorough, and illustrative documentation to the open source community." I have a dream, lol.

Ktm'r

~

----------

## gifti

cade

adding this line to /etc/shorewall/rules

```

ACCEPT     net                  fw                     tcp    20 #ftp

```

will probably solve the problem as the ftp server opens a connection to that port number. However I'm not sure to which degree it compromises security  :Confused:  .

----------

## kamagurka

FLC, are you trying to tell me that iptables won't work if I compile it as a module? I mean, why would that be (I have this problem where I really *hate* rebooting)?

BTW, you are of course right when you say that I didn't follow your tutorial to the letter; however, this is the first time that it actually made a difference that I enabled something as a module...

----------

## tomvollerthun

 *kamagurka wrote:*   

> FLC, are you trying to tell me that iptables won't work if I compile it as a module?

 

As I understood it, he said it doesn't work until you load the module. Which makes perfect sense to me.

But I think if you chose to compile iptables as a module, you are quite aware of how to handle them, aren't you?

If not, you should follow sith's advice and go back to the tutorial to recompile the kernel and follow his tutorial to the letter.

Be it as it might, if you choose not to follow the tutorial, I think this is the wrong thread to ask for help, because it specifically states that it is intended as support to said tutorial.

Regards, tom

----------

## Sith_Happens

@tom: Exactly, thank you.  :Smile: 

@gifti: Yes, opening port 20 would work if the ftp server supports active connections, and if you don't mind having a port open to the world.  What you could also do, to make things simpler if you need to use an ftp client, is add this line to your policy file:

```

#SOURCE      DEST      POLICY      LOG      LIMIT:BURST

#                                  LEVEL   

fw           net       ACCEPT
```

Then restart shorewall.  This is generally a bad policy; however, it's really the only workaround when it comes to passive ftp connections.  Then, when you're finished, comment the line out of your policy file and restart shorewall.

@JoKo: If you have Azureus listening on some port number, then simply allowing incoming connections on that port should suffice.  I haven't used Azureus in a while, so I forget if you can specify the outgoing port as well.  If you can, then allow outgoing connections from that port, i.e.

```
####################################################################################################

#ACTION  SOURCE      DEST         PROTO   DEST    SOURCE      ORIGINAL   RATE      USER/

#                                         PORT    PORT(S)     DEST       LIMIT     GROUP

ACCEPT   fw          net          tcp      -      <outgoing_port>
```

That way you don't have to worry about what port the other clients are running on, just yours.  :Smile: 

----------

## kamagurka

Alright, so I went back and followed the tutorial. Now, when I try starting shorewall I get:

```
mq# /etc/init.d/shorewall start                                       qq(\o/)qj

 * Starting firewall...

   Warning: Zone loc is empty

   Warning: Zone dmz is empty

iptables: No chain/target/match by that name

iptables: No chain/target/match by that name

iptables: No chain/target/match by that name

/sbin/runscript.sh: line 532:  9902 Terminated              /sbin/shorewall start >/dev/null
```

I honestly don't know what to do anymore.

----------

## JoKo

 *Sith_Happens wrote:*   

> @JoKo: If you have Azureus listening on some port number, then simply allowing incoming connections on that port should suffice.  I haven't used Azureus in a while, so I forget if you can specify the outgoing port as well.  If you can, then allow outgoing connections from that port, i.e.
> 
> ```
> ####################################################################################################
> 
> ...

 

You are absolutely correct, sir! That solved the problem...

Now I have another question: Is it possible to make rules for certain programs only? eg. I want to open port 80 just for the browsers etc.

----------

## Sith_Happens

 *kamagurka wrote:*   

> Alright, so I went back and followed the tutorial. Now, when I try starting shorewall I get:
> 
> ```
> mq# /etc/init.d/shorewall start                                       qq(\o/)qj
> 
> ...

 Post the output of `cat /usr/src/linux/.config | grep NF` and `cat /usr/src/linux/.config | grep FILTER`.  Also, did you re-emerge iptables after correctly configuring your kernel, and of course install your new kernel bzImage (there is a reason why kernel configuration is the first step)?

----------

## Sith_Happens

 *JoKo wrote:*   

> Now I have another question: Is it possible to make rules for certain programs only? eg. I want to open port 80 just for the browsers etc.

 I believe what you're looking for is Squid; however, it's not nearly as simple to set up as shorewall.  Unfortunately there isn't any real Zone Alarm type firewall program for linux.  Sorry.  :Sad: 

----------

## kamagurka

Now, grepping the config for NF turns up a lot of stuff since CONFIG contains that (any way of excluding something from a grep?)

But FILTER turns this up:

```
CONFIG_NETFILTER=y

# CONFIG_NETFILTER_DEBUG is not set

CONFIG_IP_NF_FILTER=y

# CONFIG_PPP_FILTER is not set
```

Afterthought:

I just grepped for "NF_", which should catch all the netfilter-stuff afaics:

```
CONFIG_IP_NF_CONNTRACK=y

CONFIG_IP_NF_CT_ACCT=y

CONFIG_IP_NF_CONNTRACK_MARK=y

# CONFIG_IP_NF_CT_PROTO_SCTP is not set

# CONFIG_IP_NF_FTP is not set

# CONFIG_IP_NF_IRC is not set

# CONFIG_IP_NF_TFTP is not set

# CONFIG_IP_NF_AMANDA is not set

# CONFIG_IP_NF_QUEUE is not set

CONFIG_IP_NF_IPTABLES=y

# CONFIG_IP_NF_MATCH_LIMIT is not set

CONFIG_IP_NF_MATCH_IPRANGE=y

# CONFIG_IP_NF_MATCH_MAC is not set

CONFIG_IP_NF_MATCH_PKTTYPE=y

# CONFIG_IP_NF_MATCH_MARK is not set

CONFIG_IP_NF_MATCH_MULTIPORT=y

# CONFIG_IP_NF_MATCH_TOS is not set

# CONFIG_IP_NF_MATCH_RECENT is not set

# CONFIG_IP_NF_MATCH_ECN is not set

# CONFIG_IP_NF_MATCH_DSCP is not set

# CONFIG_IP_NF_MATCH_AH_ESP is not set

# CONFIG_IP_NF_MATCH_LENGTH is not set

# CONFIG_IP_NF_MATCH_TTL is not set

# CONFIG_IP_NF_MATCH_TCPMSS is not set

# CONFIG_IP_NF_MATCH_HELPER is not set

# CONFIG_IP_NF_MATCH_STATE is not set

CONFIG_IP_NF_MATCH_CONNTRACK=y

# CONFIG_IP_NF_MATCH_OWNER is not set

# CONFIG_IP_NF_MATCH_ADDRTYPE is not set

# CONFIG_IP_NF_MATCH_REALM is not set

# CONFIG_IP_NF_MATCH_SCTP is not set

# CONFIG_IP_NF_MATCH_COMMENT is not set

# CONFIG_IP_NF_MATCH_CONNMARK is not set

# CONFIG_IP_NF_MATCH_HASHLIMIT is not set

CONFIG_IP_NF_FILTER=y

# CONFIG_IP_NF_TARGET_REJECT is not set

# CONFIG_IP_NF_TARGET_LOG is not set

# CONFIG_IP_NF_TARGET_ULOG is not set

# CONFIG_IP_NF_TARGET_TCPMSS is not set

# CONFIG_IP_NF_NAT is not set

CONFIG_IP_NF_MANGLE=y

# CONFIG_IP_NF_TARGET_TOS is not set

# CONFIG_IP_NF_TARGET_ECN is not set

# CONFIG_IP_NF_TARGET_DSCP is not set

# CONFIG_IP_NF_TARGET_MARK is not set

# CONFIG_IP_NF_TARGET_CLASSIFY is not set

# CONFIG_IP_NF_TARGET_CONNMARK is not set

# CONFIG_IP_NF_TARGET_CLUSTERIP is not set

# CONFIG_IP_NF_RAW is not set

# CONFIG_IP_NF_ARPTABLES is not set

# CONFIG_IP_NF_COMPAT_IPCHAINS is not set

# CONFIG_IP_NF_COMPAT_IPFWADM is not set
```

----------

## GeorgeM

```
[04:45:10] + Attempting to send results

[04:45:10] - Couldn't send HTTP request to server

[04:45:10] + Could not connect to Work Server (results)

[04:45:10]     (171.65.103.100:8080)

[04:45:10]   Could not transmit unit 04 to Collection server; keeping in queue.
```

My Folding At Home stuff stopped being able to send. The error message above says it's trying to use port 8080. That was not enabled in the rules file, so I added the line:

```
ACCEPT   fw             net             tcp     8080 #http FAH
```

I stopped, cleared, and started shorewall. I don't know when the FAH client will try to resend its work, but I'll post when it does.

EDIT: I should note that the client had been trying to send a unit that had been completed on 17 April, so it wasn't a matter of overloaded servers.

I checked the FAH web site and found options for the client startup command:

```
<your client executable> -send <work unit #>
```

So I tried sending 

```
./FAH502-Linux.exe -send 4
```

 having reconfigured shorewall, and it worked  :Very Happy: 

----------

## Sith_Happens

@kamagurka: Try re-emerging iptables.

----------

## kamagurka

 *Sith_Happens wrote:*   

> @kamagurka: Try re-emerging iptables.

 

I've been doing that more or less constantly; it doesn't help, tho.

[edit]Let me qualify that:

I still get that error on running shorewall, and I still get "Shorewall stopped" in my log, but now it seems to be working (I can do everything I'm used to doing - at least what I tried up to now - but I pass that security test you posted without a miss). Now whaddaya make of that? That damn error still bugs me, tho. especially the fact that the shorewall init script barfs on me and then reports "stopped" as status. Grr.

[edit]I have ADMINISABSENTMINDED=Yes set in my shorewall.conf, which is why traffic still works. But I mean, that's no damn solution!

[edit]I figured it out; the damn rule kept croaking on me because I didn't have REJECT in my kernel. Oh well. Everything works now as advertised and I'm happy as a pig in the muck, except for one really small problem:

I have followed your instructions to get shorewall messages logged to another logfile, but now the messages get logged to *both* /var/log/messages and shorewall.log. I'd rather it not log to messages...

----------

## RecoilUK

Hello guys

Got my firewall sorted, took a bit of time, until I found extra settings in /usr/share/shorewall, anyway....

I have read some of the manual, and want to ask if its possible to update the rules, based on the outcome of a script?

Basically, I may want to open and close various ports based on what the pc is doing.

Any help would be appreciated.

Thanks

----------

## kamagurka

NM, everything is peachy. Move along, please.

----------

## RecoilUK

Hi guys

I'm having a spot of bother now, hope someone can help.

I have a gameserver.

The server I want to run, is going to be using port 17777.

At the moment my policy rules are this 

```
#SOURCE         DEST            POLICY          LOG             LIMIT:BURST

#                                               LEVEL

net             fw              DROP            info

fw              net             ACCEPT

# THE FOLLOWING POLICY MUST BE LAST

#

all             all             REJECT          info

#LAST LINE -- DO NOT REMOVE

```

and my rules are this

```
#ACTION  SOURCE         DEST            PROTO   DEST    SOURCE     ORIGINAL    $

#                                               PORT    PORT(S)    DEST        $

ACCEPT  net     all     tcp     12222   #sshd

ACCEPT  net     fw      udp     17777   #bfvietnam

ACCEPT  net     all     udp     23000   #bfvgspy

ACCEPT  net     all     udp     22000   #bfvgspy

ACCEPT  net     all     udp     15690   #bfvase

#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

```

This is obviously not good, as I want to restrict all outgoing traffic also.

So if I change my policy to this

```
#SOURCE         DEST            POLICY          LOG             LIMIT:BURST

#                                               LEVEL

# THE FOLLOWING POLICY MUST BE LAST

#

all             all            DROP        info

#LAST LINE -- DO NOT REMOVE

```

and have this as my rules

```
#ACTION  SOURCE         DEST            PROTO   DEST    SOURCE     ORIGINAL    $

#                                               PORT    PORT(S)    DEST        $

ACCEPT  net     all     tcp     12222   #sshd

ACCEPT  net     fw     udp     -      17777   #bfvietnam

ACCEPT  fw      net    udp     17777      -   #bfvietnam

ACCEPT  net     all     udp     23000   #bfvgspy

ACCEPT  net     all     udp     22000   #bfvgspy

ACCEPT  net     all     udp     15690   #bfvase

#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

```

Then shouldn't that allow me to connect to the game server?

----------

## RecoilUK

Lmao, I'm such a dumbass sometimes.

Forgot to allow DNS access  :Smile: 

That's why no-one could connect; only need the one rule.

L8rs

----------
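
The rules and policy files quoted in RecoilUK's posts above, and the backwards source/dest mix-up Sith_Happens mentions earlier in the thread, are the kind of thing a quick read-only audit catches before `shorewall start`. The following POSIX sh script is an added example for this thread; it is not part of the tutorial, nor Shorewall's own tooling. It assumes the six-column rules layout and four-column policy layout used in the posts above (ACTION SOURCE DEST PROTO DEST-PORT SOURCE-PORT, and SOURCE DEST POLICY LOG-LEVEL), and the sample files it writes are constructed to resemble RecoilUK's second attempt, not copied from any real host.

```sh
# Added example (not from the tutorial, the thread, or Shorewall itself):
# a read-only audit of a Shorewall 2.x policy/rules pair in the column
# layout used in this thread:
#   rules:  ACTION SOURCE DEST PROTO DEST-PORT SOURCE-PORT
#   policy: SOURCE DEST POLICY LOG-LEVEL
# Comments (#...) and blank lines are skipped, as Shorewall does.

# audit_rules <rules-file>: prints one line per ACCEPT rule, classed as
# INBOUND (from net), OUTBOUND (from fw), or WEAK. WEAK is the pattern in
# RecoilUK's post, "ACCEPT net fw udp - 17777": DEST PORT is "-" and only
# a SOURCE PORT is given, but the remote host chooses its own source port,
# so that rule admits traffic to every local port.
audit_rules() {
    rules=$1
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                 # strip trailing comments
        set -- $line                     # split into columns
        [ $# -ge 4 ] || continue         # blank or comment-only line
        action=$1; src=$2; dst=$3; proto=$4
        dport=${5:--}; sport=${6:--}     # missing columns count as "-"
        [ "$action" = ACCEPT ] || continue
        if [ "$src" = net ] && [ "$dport" = - ] && [ "$sport" != - ]; then
            echo "WEAK     $src->$dst $proto: only remote source port $sport is matched; any local port is reachable"
        elif [ "$src" = net ]; then
            echo "INBOUND  $src->$dst $proto/$dport"
        else
            echo "OUTBOUND $src->$dst $proto/$dport"
        fi
    done < "$rules"
}

# outbound_dns_ok <policy-file> <rules-file>: returns 0 when the firewall
# itself may send DNS queries, either because the policy has the "fw net
# ACCEPT" line from Sith_Happens' ftp workaround, or because a rule allows
# udp/53 from fw to net. Returns 1 otherwise: with an all/all DROP policy
# that is the state RecoilUK hit when "no-one could connect".
outbound_dns_ok() {
    grep -v '^[[:space:]]*#' "$1" \
        | awk '$1=="fw" && $2=="net" && $3=="ACCEPT" {f=1} END {exit !f}' \
        && return 0
    grep -v '^[[:space:]]*#' "$2" \
        | awk '$1=="ACCEPT" && $2=="fw" && ($3=="net" || $3=="all") && ($4=="udp" || $4=="all") && $5=="53" {f=1} END {exit !f}'
}

# make_samples: writes constructed policy and rules files, modelled on
# RecoilUK's second attempt (not copied from any real host), to a temp
# directory and prints its path.
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/policy" <<'EOF'
#SOURCE  DEST  POLICY  LOG
all      all   DROP    info
#LAST LINE -- DO NOT REMOVE
EOF
    cat > "$dir/rules" <<'EOF'
#ACTION  SOURCE  DEST  PROTO  DEST   SOURCE
#                             PORT   PORT(S)
ACCEPT   net     all   tcp    12222         #sshd
ACCEPT   net     fw    udp    -      17777  #game server, source port only
ACCEPT   fw      net   udp    17777  -      #game server, outbound
ACCEPT   net     all   udp    23000         #gamespy
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
EOF
    echo "$dir"
}

# Stand-alone use against a live configuration:
#   audit_rules /etc/shorewall/rules
#   outbound_dns_ok /etc/shorewall/policy /etc/shorewall/rules || echo "no outbound DNS"
```

On the constructed sample the audit reports one WEAK line (the source-port-only rule), two INBOUND lines, one OUTBOUND line, and `outbound_dns_ok` fails until a `udp 53` rule from fw to net is added, which is exactly the one rule RecoilUK found missing.

----------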

## Mod^

OK, I have the same problem that clameo had:

```

 * Starting firewall...

   Warning: Zone loc is empty

   Warning: Zone dmz is empty

FATAL: Module ip_tables not found.

iptables v1.2.11: can't initialize iptables table `filter': iptables who? (do you need to insmod?)

Perhaps iptables or your kernel needs to be upgraded.

FATAL: Module ip_tables not found.

iptables v1.2.11: can't initialize iptables table `filter': iptables who? (do you need to insmod?)

Perhaps iptables or your kernel needs to be upgraded.

FATAL: Module ip_tables not found.

iptables v1.2.11: can't initialize iptables table `filter': iptables who? (do you need to insmod?)

Perhaps iptables or your kernel needs to be upgraded.

FATAL: Module ip_tables not found.

iptables v1.2.11: can't initialize iptables table `filter': iptables who? (do you need to insmod?)

Perhaps iptables or your kernel needs to be upgraded.

FATAL: Module ip_tables not found.

iptables v1.2.11: can't initialize iptables table `filter': iptables who? (do you need to insmod?)

Perhaps iptables or your kernel needs to be upgraded.

FATAL: Module ip_tables not found.

iptables v1.2.11: can't initialize iptables table `filter': iptables who? (do you need to insmod?)

Perhaps iptables or your kernel needs to be upgraded.

FATAL: Module ip_tables not found.

iptables v1.2.11: can't initialize iptables table `filter': iptables who? (do you need to insmod?)

Perhaps iptables or your kernel needs to be upgraded.

FATAL: Module ip_tables not found.

iptables v1.2.11: can't initialize iptables table `filter': iptables who? (do you need to insmod?)

Perhaps iptables or your kernel needs to be upgraded.

FATAL: Module ip_tables not found.

iptables v1.2.11: can't initialize iptables table `filter': iptables who? (do you need to insmod?)

Perhaps iptables or your kernel needs to be upgraded.

FATAL: Module ip_tables not found.

iptables v1.2.11: can't initialize iptables table `filter': iptables who? (do you need to insmod?)

Perhaps iptables or your kernel needs to be upgraded.

FATAL: Module ip_tables not found.

iptables v1.2.11: can't initialize iptables table `filter': iptables who? (do you need to insmod?)

Perhaps iptables or your kernel needs to be upgraded.

/sbin/runscript.sh: line 532: 20147 Terminated              /sbin/shorewall start >/dev/null

```

I followed the tutorial exactly, so my files are exactly the same (interfaces, policy, rules)

and I have kernel-2.6.11-gentoo-r6, compiled with genkernel

I have adsl (eth0), and direct connection to internet through router.

`# cat /usr/src/linux/.config | grep FILTER`

gives..

```

CONFIG_NETFILTER=y

# CONFIG_NETFILTER_DEBUG is not set

# CONFIG_IP_NF_FILTER is not set

# CONFIG_PPP_FILTER is not set

```

Tell me if you need more info.

----------

## Johnyp

Triple check your kernel config. You need IP tables, netfilter, NAT and more....

```
Module ip_tables not found.
```

 <- I would think this is the problem.

----------

## Sith_Happens

 *Mod^ wrote:*   

> I followed the tutorial exactly

 This tells me you didn't:

```
# CONFIG_IP_NF_FILTER is not set 
```

You didn't complete section two correctly, look again:

```
# For 2.6 kernels look under:

Device Drivers --->

     Networking support --->

           Networking options --->

                 [*] Network packet filtering (replaces ipchains) --->

                       IP: Netfilter Configuration --->

                             <*> IP Tables Support (required for filtering/masq/NAT)
```

You didn't complete the last step, which is adding IP Tables Support under IP: Netfilter Configuration.  :Rolling Eyes: 

----------
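
Several posts in this thread come down to the same diagnosis: kamagurka's `No chain/target/match by that name` errors (iptables built as `<M>` and never loaded, then `REJECT` not built at all), Mod^'s `# CONFIG_IP_NF_FILTER is not set`, and the "Connection Tracking Match: Not available" line Johnyp points at further down. The following POSIX sh script is an added example for this thread, not code from the tutorial, from the posters or from Shorewall. It greps `.config` for whole-line matches (which also answers kamagurka's question about `CONFIG_NETFILTER` drowning out `grep NF`), and tells `=m` apart from `=y`. The option list is my own reading of this thread; including `CONFIG_IP_NF_MATCH_STATE` is my assumption that Shorewall's ESTABLISHED,RELATED rules need the state match. The sample `.config` excerpts it writes are constructed to resemble the grep output in the posts, not copied from any real kernel.

```sh
# Added example (not from the tutorial, the thread, or Shorewall itself):
# check a kernel .config for the IPv4 netfilter options a Shorewall
# personal firewall needs, and tell <M> (module, must be loaded) apart
# from <*> (built in). The option list is my own reading of this thread:
# CONFIG_IP_NF_FILTER (Mod^), CONFIG_IP_NF_TARGET_REJECT (kamagurka),
# connection tracking (Johnyp), plus the state match, which I assume
# Shorewall's ESTABLISHED,RELATED rules need.
REQUIRED_BUILTIN="CONFIG_NETFILTER CONFIG_IP_NF_IPTABLES CONFIG_IP_NF_FILTER \
CONFIG_IP_NF_CONNTRACK CONFIG_IP_NF_MATCH_STATE CONFIG_IP_NF_TARGET_REJECT"

# Optional: the policy files in this thread log with "info", which needs
# the LOG target; multiport shows up in Shorewall's capability report.
RECOMMENDED="CONFIG_IP_NF_TARGET_LOG CONFIG_IP_NF_MATCH_MULTIPORT"

# nf_option_state <.config> <SYMBOL>: prints y (built in), m (module) or
# n (not set / absent). Matches whole lines, so CONFIG_NETFILTER does not
# also match CONFIG_NETFILTER_DEBUG (kamagurka's grep problem).
nf_option_state() {
    if grep -q "^$2=y$" "$1"; then echo y
    elif grep -q "^$2=m$" "$1"; then echo m
    else echo n
    fi
}

# check_nf_config <.config>: prints a report; returns 0 only when every
# required option is =y.
check_nf_config() {
    config=$1; rc=0
    for sym in $REQUIRED_BUILTIN; do
        case $(nf_option_state "$config" "$sym") in
            y) ;;
            m) echo "MODULE   $sym is <M>: modprobe it before 'shorewall start', or rebuild as <*>"; rc=1 ;;
            n) echo "MISSING  $sym is not set: rebuild the kernel with it as <*>"; rc=1 ;;
        esac
    done
    for sym in $RECOMMENDED; do
        [ "$(nf_option_state "$config" "$sym")" = y ] \
            || echo "OPTIONAL $sym is not set (logging / multiport rules will not work)"
    done
    [ "$rc" -eq 0 ] && echo "OK: all required netfilter options are built in"
    return "$rc"
}

# make_sample_configs: writes three constructed .config excerpts to a temp
# directory and prints its path. They are modelled on the grep output in
# this thread, not copied from any real kernel.
make_sample_configs() {
    dir=$(mktemp -d)
    # like kamagurka's second grep: iptables built in, REJECT and state missing
    cat > "$dir/config.kamagurka" <<'EOF'
CONFIG_NETFILTER=y
# CONFIG_NETFILTER_DEBUG is not set
CONFIG_IP_NF_CONNTRACK=y
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_MATCH_MULTIPORT=y
# CONFIG_IP_NF_MATCH_STATE is not set
CONFIG_IP_NF_FILTER=y
# CONFIG_IP_NF_TARGET_REJECT is not set
# CONFIG_IP_NF_TARGET_LOG is not set
EOF
    # like kamagurka's first attempt: everything as a module
    sed 's/=y$/=m/' "$dir/config.kamagurka" > "$dir/config.module"
    # what section 2 of the tutorial is meant to produce
    cat > "$dir/config.fixed" <<'EOF'
CONFIG_NETFILTER=y
CONFIG_IP_NF_CONNTRACK=y
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_MATCH_STATE=y
CONFIG_IP_NF_MATCH_MULTIPORT=y
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_TARGET_REJECT=y
CONFIG_IP_NF_TARGET_LOG=y
EOF
    echo "$dir"
}

# Stand-alone use against the running tree, as Sith_Happens asks for above:
#   check_nf_config /usr/src/linux/.config
```

Run `check_nf_config /usr/src/linux/.config` before re-emerging iptables: a `MODULE` line means the option exists but `shorewall start` will fail until the module is loaded, and a `MISSING` line means the kernel has to be rebuilt and reinstalled first, which is why the tutorial puts kernel configuration in section 2.

----------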

## lmcogs

Hi 

I posted my prob to https://forums.gentoo.org/viewtopic-t-308153.html and you directed me to here.  First let me say I am totally new to firewalling and would classify myself as a newbie when it comes to linux.

I followed your tutorial to the letter, I believe, but the iptables modules were not found.  I then searched the kernel again and compiled IP:Netfilter <*>Connection tracking (required for masq/NAT) as well as IP tables support; I also compiled as a module IPv6:Netfilter Configuration and chose Ip6 Tables support (required for filtering/masq/NAT) and chose some other modules in this field as modules.  I am not sure what I was doing other than trying to find the iptables module.

After rebooting it seemed to work and there was no "can't find iptables module" message.  This is the final part of dmesg:

```
Disabled Privacy Extensions on device c03a5b20(lo)
IPv6 over IPv4 tunneling driver
eth0: no IPv6 routers present
```

Below is part of lsmod:

```
Module                  Size  Used by
ipv6                  190752  6
sg                     25504  0
iptable_nat            17340  0
iptable_filter          1984  1
```

The firewall seemed to work so well I was not able to access the internet.  So I issued the following:

```
shorewall clear
Loading /usr/share/shorewall/functions...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Loading Modules...
Clearing Shorewall...Processing /etc/shorewall/stop ...
Disabling IPV6...
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
IP Forwarding Enabled
Processing /etc/shorewall/stopped ...
done.
```

I then was able to access the internet.  I originally followed your tutorial and had already inserted the lines you gave into the files /etc/shorewall/interfaces, policy and rules.

I again issued the following:

```
# shorewall start
Loading /usr/share/shorewall/functions...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Loading Modules...
Starting Shorewall...
Initializing...
Shorewall has detected the following iptables/netfilter capabilities:
   NAT: Available
   Packet Mangling: Not available
   Multi-port Match: Not available
   Connection Tracking Match: Not available
Determining Zones...
   Zones: net loc dmz
Validating interfaces file...
Validating hosts file...
Validating Policy file...
Determining Hosts in Zones...
   Net Zone: eth0:0.0.0.0/0
   Warning: Zone loc is empty
   Warning: Zone dmz is empty
Processing /etc/shorewall/init ...
Deleting user chains...
iptables: No chain/target/match by that name
Processing /etc/shorewall/stop ...
Disabling IPV6...
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
IP Forwarding Enabled
Processing /etc/shorewall/stopped ...
Terminated
```

Again I was not able to access the internet.  Sorry for being long winded, but it's hard to explain without being so.  Can you advise?  Is the firewall working? There seems to be some problem with IPV6.  This was inserted originally with genkernel when installing.  I use an adsl modem router Safecom and my isp is UTV.  I also need to have access to bittorrent, which I managed to get working.  Finally, can you tell me how to disable Shorewall if I can't get it working properly.

Thanks Lmcogs

----------

## Johnyp

All the required kernel options should be selected to be included into the kernel with * and not to be used as a module ( M ). The guide specifically states to select all the options with * and not M.

----------

## Sith_Happens

 *Johnyp wrote:*   

> All the required kernel options should be selected to be included into the kernel with * and not to be used as a module ( M ). The guide specifically states to select all the options with * and not M.

 I'll give him/her a little leeway since they seem to have loaded the modules correctly.  When you say you can't access the internet, are you trying to connect to an IPv6 or IPv4 address?  My tutorial only covers IPv4 setups (it isn't explicitly stated, but it is implied).  However, if you are having trouble connecting to the internet, I would suggest you go back through and check your rules file.  Make sure you've allowed outgoing DNS requests as well as HTTP requests.

----------

## lmcogs

Hi

Thanks for giving me a little leeway.  I had compiled all modules as stated in the tutorial but I checked again and it is compile with * as stated.  However I removed IPV6 protocol which was selected, then recompiled the kernel, rebooted, reemerged shorewall, iptables and iproute2.  The I ran 

```
shorewall start
Loading /usr/share/shorewall/functions...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Loading Modules...
Starting Shorewall...
Initializing...
Shorewall has detected the following iptables/netfilter capabilities:
   NAT: Available
   Packet Mangling: Available
   Multi-port Match: Not available
   Connection Tracking Match: Not available
Determining Zones...
   Zones: net loc dmz
Validating interfaces file...
Validating hosts file...
Validating Policy file...
Determining Hosts in Zones...
   Net Zone: eth0:0.0.0.0/0
   Warning: Zone loc is empty
   Warning: Zone dmz is empty
Processing /etc/shorewall/init ...
Deleting user chains...
iptables: No chain/target/match by that name
Processing /etc/shorewall/stop ...
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
IP Forwarding Enabled
Processing /etc/shorewall/stopped ...
Terminated
```

I then was not able to access the internet.  I ran shorewall clear and then I was able to access the internet.  

```
shorewall clear
Loading /usr/share/shorewall/functions...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Loading Modules...
Clearing Shorewall...Processing /etc/shorewall/stop ...
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
IP Forwarding Enabled
Processing /etc/shorewall/stopped ...
done.
```

The firewall seems to be loaded on boot up.  I followed your instructions re files /etc/shorewall/interfaces, policy and rules. I included the rules which your tutorial gave.  I don't know if that is ok.  Was not too sure about (fw).

You asked me if I am trying to connect to an IPv6 or IPv4 address; I don't know.  All I can figure out from my Safecom config is that the account is PVC0 and uses simple ppp; the mode is PPPoE.

Can you tell me if the above command ie shorewall start/clear seem ok?  What about the warnings?  Also how do I stop shorewall from loading on boot.

Must go to bed now since I was on night duty last night and I'm exhausted.

Lmcogs

----------

## Johnyp

I believe you also need connection tracking, which is disabled/not working.

```
Multi-port Match: Not available
Connection Tracking Match: Not available
```

----------

## Sith_Happens

 *Johnyp wrote:*   

> I believe you also need connection tracking, which is disabled/not working.
> 
> ```
> Multi-port Match: Not available 
> 
> ...

 Agreed, I'll update the tutorial.

EDIT: Ok, the kernel configuration section has been updated for completeness.  I also modified the syslog-ng logging section to allow you to filter out shorewall messages from, say, /var/log/messages.

----------

## lmcogs

Hi

That message was a bit cryptic, but I gathered that you updated the tutorial, so I followed the update and compiled as * everything under IP Tables support, which seemed a bit of overkill to me.  Anyway I rebooted and, lo and behold, I can access the internet now and use email.  I haven't tried downloading any bittorrent files but I will tomorrow.

I am getting these messages re preemptible kernel in dmesg, which are new since I started shorewall.  Any ideas?  The last bit is definitely shorewall related, but I don't know about the preemptible bit.

```
dmesg
Attached scsi generic sg0 at scsi3, channel 0, id 0, lun 0,  type 0
Attached scsi generic sg1 at scsi0, channel 0, id 0, lun 0,  type 0
Attached scsi generic sg2 at scsi2, channel 0, id 0, lun 0,  type 0
Attached scsi generic sg3 at scsi1, channel 0, id 0, lun 0,  type 5
BUG: using smp_processor_id() in preemptible [00000001] code: dhcpcd/7563
 [<c0210f23>]
 [<c02f521f>]
 [<c0302c5e>]
 [<c02f5487>]
 [<c0302c5e>]
 [<c0302c58>]
 [<c0302c5e>]
 [<c011f957>]
 [<c02e8f87>]
 [<c02e98ff>]
 [<c02eb4a6>]
 [<c030de85>]
 [<c02af256>]
 [<c01533d0>]
 [<c01536fc>]
 [<c0153735>]
 [<c010227f>]
BUG: using smp_processor_id() in preemptible [00000001] code: dhcpcd/7563
 [<c0210f23>]
 [<c02f5247>]
 [<c0302c5e>]
 [<c02f5487>]
 [<c0302c5e>]
 [<c0302c58>]
 [<c0302c5e>]
 [<c011f957>]
 [<c02e8f87>]
 [<c02e98ff>]
 [<c02eb4a6>]
 [<c030de85>]
 [<c02af256>]
 [<c01533d0>]
 [<c01536fc>]
 [<c0153735>]
 [<c010227f>]
Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:20:ed:6a:0b:3c:00:06:4f:15:34:35:08:00 SRC=10.0.0.2 DST=10.0.0.6 LEN=28 TOS=0x00 PREC=0x00 TTL=64 ID=468 PROTO=ICMP TYPE=8 CODE=0 ID=42097 SEQ=512
```

Thanks lmcogs

----------

## lmcogs

Hi

Still getting above message in dmesg.  

However it seems I have success after following your updated tutorial.  I did not get bittorrent working until I added in /etc/shorewall/rules (don't know where I got it)

```
ACCEPT  net             fw              tcp     6881:6889,6969
```

and I was able to download and upload ok.  I don't know what the code means or if it is optimal etc, perhaps you could explain.

Here's the result of the Shields Up test, what do you think?  I am happy with a reasonably secure standalone system.

Shields Up Port Test

```
GRC Port Authority Report created on UTC: 2005-04-27 at 10:22:31

Results from scan of ports: 0, 21-23, 25, 79, 80, 110, 113,
                            119, 135, 139, 143, 389, 443, 445,
                            1002, 1024-1030, 1720, 5000

    1 Ports Open
   22 Ports Closed
    3 Ports Stealth
---------------------
   26 Ports Tested

The port found to be OPEN was: 21

Ports found to be STEALTH were: 23, 25, 80

Other than what is listed above, all ports are CLOSED.

TruStealth: FAILED - NOT all tested ports were STEALTH,
                   - NO unsolicited packets were received,
                   - A PING REPLY (ICMP Echo) WAS RECEIVED.
```

thanks 

lmcogs

----------

## ruxpin

perhaps you want to include a few rules to the tutorial, like allowing ping and http-proxy and irc through.  :Smile: 

----------

## nichocouk

Hello,

I've installed shorewall and set it up following your instructions. Thanks, that looks good!... However I cannot start shorewall  :Sad: 

When I do /etc/init.d/shorewall start, I get: 

```
 * Starting firewall ...

LOGFILE (/var/log/messages) does not exist!                                                                                                                        [ !! ]
```

And I'm using metalog, btw... Should I just create this file? 

(and sorry if the answer is obvious, I'm tired!)

I've got another question: I'm 99% of the time connected to the internet via a VPN connection, using pptpclient (not OpenVPN). What lines should I add in my config files? I'm often connected with a wireless connection so the interfaces shown by ifconfig are ath0 and ppp0. I've already added a line similar to eth0 for ath0 in the interfaces file, but I'm not sure what to do with the ppp0 that is up with VPN on.

Last question: I've tried your suggested site to test my computer's vulnerability. When I'm online and connected directly to the internet, it seems to be perfectly safe (without shorewall running, as I get the above problem!). All tests are passed, all ports are stealth, etc. Should I really need shorewall in this case? 

However, when I'm online with my VPN connection, with all routes to tunnel enabled, then it seems that my computer is not safe: several ports are closed and some other problems arise. So, here I would need a good config for shorewall, right?

Thanks for your help!

----------

## kamagurka

 *nichocouk wrote:*   

> Hello,
> 
> I've installed shorewall and set it up following your instructions. Thanks, that looks good!... However I cannot start shorewall :( 
> 
> When I do /etc/init.d/shorewall start, I get: 
> ...

 

As I understand it, when you are connected to the 'net via VPN, all test results that site returns are actually indicative of your VPN host. And if that's insecure that's just not cool.

As to your log problem, the tutorial tells you how to setup shorewall+syslog; Since you use metalog, you will have to set it up in some other way (and /var/log/messages probably doesn't exist since metalog uses some other file; set LOGFILE in /etc/shorewall/shorewall.conf to a file that *does* exist).

----------

## kamagurka

Maybe you remember how I had everything running beautifully, after some initial problems. Well, I made a mistake: I *rebooted*. Seriously, I rebooted and now shorewall throws a really strange error:

```
# /etc/init.d/shorewall start
 * Starting firewall...
iptables: No chain/target/match by that name
   ERROR: Command "/sbin/iptables -A smurfs -s 255.255.255.255  -j  LOG  --log-level info --log-prefix "Shorewall:smurfs:DROP:"" Failed
iptables-restore v1.2.11: iptables-restore: unable to initializetable 'nat'
Error occurred at line: 15
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
/sbin/runscript.sh: line 532:  2706 Terminated              /sbin/shorewall start >/dev/null
```

I don't even know where to start looking on this one.

----------

## Sith_Happens

Try going back in and recompiling your kernel according to the updated kernel configuration section in the tutorial.  It looks to me like you still have something modularized that shouldn't be, and that upon reboot that module wasn't loaded, causing you to get this error.

----------

## kamagurka

Nevermind, it works now, I went in and enabled (as per your updated instructions) everything under iptables. Whatever the problem was, it doesn't exist anymore.

Oh, just a heads up: I have all iptables and netfilter stuff compiled as a module. All modules are loaded by shorewall (or maybe hotplug, not sure) as needed, and full functionality is there. The great emphasis you put on "in-kernel" vs. modules is not necessary.

----------

## Bob P

Sith, I just want to give you a pat on the back for knocking yourself out on these support threads.  You've been working on this one, on the Stage 1/3 thread, and on the Jackass! project all at the same time, and I think everyone should know just how much time you're spending helping people out.  :Cool: 

----------

## Sith_Happens

 *Bob P wrote:*   

> Sith, I just want to give you a pat on the back for knocking yourself out on these support threads.  You've been working on this one, on the Stage 1/3 thread, and on the Jackass! project all at the same time, and I think everyone should know just how much time you're spending helping people out. 

 I'm blushing.  :Embarassed:   :Wink: 

----------

## nichocouk

 *kamagurka wrote:*   

> As I understand it, when you are connected to the 'net via VPN, all test results that site returns are actually indicative of your VPN host. And if that's insecure that's just not cool.
> 
> As to your log problem, the tutorial tells you how to setup shorewall+syslog; Since you use metalog, you will have to set it up in some other way (and /var/log/messages probably doesn't exist since metalog uses some other file; set LOGFILE in /etc/shorewall/shorewall.conf to a file that *does* exist).

 

I agree it's not cool. I've made some enquiries about that.

As for the log problem... I think I'll switch to syslog as I'm too lazy and too noob to find out how to set it up with metalog. Sorry! I know it would have been nice to have someone doing it and explaining to the others...  :Confused: 

----------

## Sith_Happens

 *nichocouk wrote:*   

>  *kamagurka wrote:*   As I understand it, when you are connected to the 'net via VPN, all test results that site returns are actually indicative of your VPN host. And if that's insecure that's just not cool.
> 
> As to your log problem, the tutorial tells you how to setup shorewall+syslog; Since you use metalog, you will have to set it up in some other way (and /var/log/messages probably doesn't exist since metalog uses some other file; set LOGFILE in /etc/shorewall/shorewall.conf to a file that *does* exist). 
> 
> I agree it's not cool. I've made some enquiries about that.
> ...

 syslog-ng is very easy to use and configure, check out the gentoo wiki entry and you'll see what I mean.

----------

## nichocouk

Thanks a lot for pointing me to this link, that's very nice of you!

it's installed now, but I will try to properly start shorewall when my brain will have some rest  :Wink: 

Cheers mate!

----------

## MaDmAsTeR

Hi!

Thanks for your nice HowTo, this helped me a lot, but I've one problem with ACTIVE FTP connections...

I try to get FTP access to an FTP server outside from my FW or LOC zone...

I've already read the FTP HowTo on shorewall.net, but it seems not to be my problem...

The ip_conntrack modules are in the kernel and are loaded on startup of shorewall...

heres my FTP rule:

```
ACCEPT:info:ftp         net             fw      tcp     ftp,20
ACCEPT:info:ftp         fw              net     tcp     1024:   20
```

When I connect from my firewall to an FTP server, the connect succeeds, but an "ls" times out, while in my syslog is the following:

```
Apr 29 09:34:59 heimdall Shorewall:net2all:DROP:IN=ppp0 OUT= MAC= SRC=xxx.xx.xxx.xxx DST=xx.xxx.xx.x LEN=60 TOS=0x08 REC=0x00 TTL=55 ID=20443 DF PROTO=TCP SPT=20 DPT=37104 WINDOW=5840 RES=0x00 SYN URGP=0 
```

This message repeats many times, until the FTP times out...

My policy for net2all IS DROP, that's right, but my rule is to accept FTP traffic, so why does shorewall DROP this connection?

Can anyone help me out here??

----------

## nichocouk

I did a quick test of my shorewall install this morning, and it runs fine when I'm directly connected to the internet, but it prevents my VPN connection from being established. So I've got something more to do to get it working.

I've made an enquiry regarding the policy of my VPN admins, here is their answer:

 *Quote:*   

> the difference in the way we block ports is nothing to worry 
> 
> about. The port is blocked so nothing will come through. It does not 
> 
> matter whether they respond or not. The reason we do respond it because it 
> ...

 

I must say that considering the following:

1) ShieldsUp! (does it really suck??) says I'm perfectly safe when I connect directly to the internet

2) It seems that I am secure also when I'm connected via the encrypted VPN of my college

I'm quite tempted to give up and to forget about a firewall...

Any advice?

Thanks for your time.

----------

## kamagurka

Problem with the logs:

I put what you wrote in the syslog conf, but for some reason shorewall messages still get logged to messages.

here's the shorewall part of my conf:

```
##Shorewall bits:

destination d_shorewall{ file ("/var/log/shorewall.log"); };

filter f_shorewall { match ("Shorewall"); };

## If you don't want shorewall messages logged to

## /var/log/messages anymore add this filter as well

filter f_not_shorewall { not match ("Shorewall"); };

## Then add this to log messages to your shorewall log

log { source(src); filter (f_shorewall); destination (d_shorewall); };

## If you don't want shorewall messages logged to

## any other destination, such as /var/log/messages

## just use the f_not_shorewall filter like so

log { source(src); filter (f_not_shorewall);destination(messages); };
```

----------

## Sith_Happens

Don't add this part:

```
log { source(src); filter (f_not_shorewall);destination(messages); };
```

You're supposed to modify the existing log statement log { source(src); destination(messages); }; that defines what is logged to /var/log/messages to include the filter f_not_shorewall, which will filter out shorewall messages.

----------

## {{Azrael}}

#netstat -tap

 *Quote:*   

> 
> 
> Active Internet connections (servers and established)
> 
> Proto Recv-Q Send-Q Local Address           Foreign Address         State PID/Program name
> ...

 

topography:

I'm using a laptop with one wireless card and two ethernet cards to connect to a switch and then to a router using DHCP. There's nothing fancy, quite straightforward; usually I just have one ethernet cable plugged in, or if I want to roam I have my wireless on.  I want to be stealthed from any network I join, but I also want to be able to use Samba; I also want to be completely stealthed from the internet. I'm unsure how to set up an appropriate zone/s for this. 

Cheers!  :Cool: 

----------

## Sith_Happens

 *{{Azrael}} wrote:*   

> #netstat -tap
> 
>  *Quote:*   
> 
> Active Internet connections (servers and established)
> ...

 Why exactly do you have two ethernet cards, and are all of your interfaces being used simultaneously?  Or do you use one or another of the interfaces depending on what situation you're in?

----------

## {{Azrael}}

One's a wireless NIC [eth2], the other is an ethernet NIC (which kinda counts as two because I have a docking station) [eth0,eth1]. I'm always using one, but it's always changing, because it's a laptop. I travel around and am never in a secure network, so I guess one zone will work? 

But your post made me wonder something, when I DO have two NICs up, which one am I actually using? Is it both, or does the traffic go down the fastest one or something?

----------

## Sith_Happens

 *{{Azrael}} wrote:*   

> One's a wireless NIC [eth2], the other is an ethernet NIC (which kinda counts as two because I have a docking station) [eth0,eth1]. I'm always using one, but it's always changing, because it's a laptop. I travel around and am never in a secure network, so I guess one zone will work? 
> 
> But your post made me wonder something, when I DO have two NICs up, which one am I actually using? Is it both, or does the traffic go down the fastest one or something?

 I believe in your case, defining all interfaces on the net zone in /etc/shorewall/interfaces should work, like so:

```
net      eth0           detect          dhcp
net      eth1           detect          dhcp
net      wlan0          detect          dhcp
```

----------

## lousyd

 *Sith_Happens wrote:*   

> This is the support thread for the Prompt and Powerful Firewalling with Shorewall tutorial.  Haven't read it?  Check it out and tell me what you think.  If you've read it and need some help, post here and I'll see what I can do. :)

 The link to the tutorial is actually to a forums posting.  You provide another link in your signature, but 1) your signature may change in the future, and it'll go away, and b) it's a tinyurl, so I don't know what it leads to.  What happens when the TinyURL service goes away or gets bought by someone who will use all those links out there to provide advertising?  TinyURLs are nice when you're short on space (emails, say) but you're not short on space here.  And TinyURLs should always be accompanied by the real URL, for posterity's sake.

Back to the point, can you provide the link to your tutorial?  Did I just overlook it?

----------

## kamagurka

 *lousyd wrote:*   

>  *Sith_Happens wrote:*   This is the support thread for the Prompt and Powerful Firewalling with Shorewall tutorial.  Haven't read it?  Check it out and tell me what you think.  If you've read it and need some help, post here and I'll see what I can do. :) The link to the tutorial is actually to a forums posting.  You provide another link in your signature, but 1) your signature may change in the future, and it'll go away, and b) it's a tinyurl, so I don't know what it leads to.  What happens when the TinyURL service goes away or gets bought by someone who will use all those links out there to provide advertising?  TinyURLs are nice when you're short on space (emails, say) but you're not short on space here.  And TinyURLs should always be accompanied by the real URL, for posterity's sake.
> 
> Back to the point, can you provide the link to your tutorial?  Did I just overlook it?

 

Scroll up, you genius.

----------

## Sith_Happens

 *kamagurka wrote:*   

> Scroll up, you genius.

  :Rolling Eyes: 

I fixed the link in the first post of this thread, it now points to the first post as opposed to the second post of the tutorial thread, hopefully that will be less...confusing. However, for the record the link in my sig has and always will redirect you to the forums page, and you can then bookmark that if you wish. *lousyd wrote:*   

> it's a tinyurl, so I don't know what it leads to

 Did you try clicking on it?  :Confused:   *lousyd wrote:*   

> TinyURLs are nice when you're short on space (emails, say) but you're not short on space here.  And TinyURLs should always be accompanied by the real URL, for posterity's sake

 But I am short on space, we are all limited to a 255 character limit in our signature, and that includes BB tags and urls, unless you have some deal with the forum mods I don't know about.  So using the real url or accompanying it with the url is not really an option, and sort of defeats the purpose of making it "tiny" in the first place.  Besides, like I said before, it will redirect you to the correct page, and you can then bookmark that if you want, or engrave it into a diamond and carry it around in some body cavity....for "posterity's sake".  :Wink:  Then again the diamond will sublimate over time, so you might want to find something a bit more permanent..... :Laughing: 

----------

## {{Azrael}}

 *lousyd wrote:*   

>  *Sith_Happens wrote:*   This is the support thread for the Prompt and Powerful Firewalling with Shorewall tutorial.  Haven't read it?  Check it out and tell me what you think.  If you've read it and need some help, post here and I'll see what I can do.  The link to the tutorial is actually to a forums posting.  You provide another link in your signature, but 1) your signature may change in the future, and it'll go away, and b) it's a tinyurl, so I don't know what it leads to.  What happens when the TinyURL service goes away or gets bought by someone who will use all those links out there to provide advertising?  TinyURLs are nice when you're short on space (emails, say) but you're not short on space here.  And TinyURLs should always be accompanied by the real URL, for posterity's sake.
> 
> Back to the point, can you provide the link to your tutorial?  Did I just overlook it?

 

Hey man stop being a turd, this guy is doing a great job.

----------

## Sith_Happens

 *{{Azrael}} wrote:*   

> Hey man stop being a turd, this guy is doing a great job.

 Hey, no personal attacks.  :Sad:   I'm going to personally ask any moderator who sees this comment to overlook it, I was being a bit sarcastic in my response to lousyd, and I feel I may have provoked some flaming.  He/she made a comment that had, shall we say, perplexing logic, and I think we've all made fun of it enough.  I'm not offended or perturbed by it, so lets all just move on ok?  :Smile: 

----------

## kamagurka

ffs, I still get my /var/log/messages chock full of shorewall stuff, although it is strangely missing the "Shorewall" part. Looks like this:

```
May  2 21:01:18 kumquad IN=ppp0 OUT= MAC= SRC=*** DST=*** LEN=44 TOS=0x00 PREC=0x00 TTL=56 ID=0 DF PROTO=TCP SPT=80 DPT=60826 WINDOW=5840 RES=0x00 ACK SYN URGP=
```

What is going on? This doesn't even look like it was a blocked or dropped packet (I get lots and lots of this); Here's my syslog-ng.conf:

```
filter f_not_shorewall { not match ("Shorewall"); };
log { source(src); filter (f_not_shorewall);destination(messages); };
log { source(src); destination(console_all); };
destination d_shorewall{ file ("/var/log/shorewall.log"); };
filter f_shorewall { match ("Shorewall"); };
log { source(src); filter (f_shorewall); destination (d_shorewall); };
```

----------

## Sith_Happens

Hmm, maybe the log format in your config file differs from the default and is missing the Shorewall part, making the filter useless.  Post the output of cat /etc/shorewall/shorewall.conf | grep LOGFORMAT=.

----------

## kamagurka

```
#   LOGFORMAT="fp=%s:%d a=%s "
# If not specified or specified as empty (LOGFORMAT="") then the value
LOGFORMAT="Shorewall:%s:%s:"
```

This looks right to me...

----------

## MaDmAsTeR

Hi!

i've the following problem with my setup here:

On the firewall itself runs a little webserver (internal IP 192.168.1.1) - (external IP: dynamic through PPPoE)

my clients can surf the www and also the local webserver, so masquerading works fine..

But!

When a local client surfs my local WWW-Server, the internal net IP (192.168.1.5) is reported to it; I need to report the external IP address to my WWW server.

The FAQ on shorewall.net and the documentation didn't help me out here  :Sad: 

What i've tried:

/etc/shorewall/masq

eth0 is my internal if

```
ppp0      eth0
```

/etc/shorewall/rules

```
DNAT            loc     loc:192.168.1.1 tcp     www     -       $PPP0_IP
```

$PPP0_IP is defined in the shorewall init script and is reported back correctly. This DNAT rule is from the FAQ on their site, but didn't help me out...

I've absolutely no idea how I can change this...

----------

## think4urs11

Hi,

so you have two different webservers, correct? .1 on the firewall machine + .5 on another machine?

maybe a dirty little trick helps out:

- register a dyndns name

- point that to your pppoe address (e.g. ez-ipupdate)

- configure access rules+port forwarding on the firewall to the .5 server

- use the dyndns name to connect to this webserver

HTH

T.

----------

## MaDmAsTeR

Thnx for ur answer...

Not 2 webservers, only one on .1...

I already registered a DynDNS service, but it seems that shorewall sees that I will connect from .5 to the shorewall external IP and says, this is mine, and uses the local IP...

Because I always get my local IP reported on the WebServer, and that's not good..

----------

## tibbyla

Forgive my unfamiliarity with this subject, but I followed your guide, and everything works fine... except for games.  When I try to connect to America's Army servers, I can't get a list.  I can log into my account from the Personnel tab, but no servers appear.

I found the list of ports needed, and added them to /etc/shorewall/rules:

```
#ACTION  SOURCE         DEST            PROTO   DEST    SOURCE     ORIGINAL     RATE            USER/
#                                               PORT    PORT(S)    DEST         LIMIT           GROUP
ACCEPT   fw             net             udp     1716 #AmericasArmy
ACCEPT   fw             net             udp     1717 #AmericasArmy - gamequery
ACCEPT   fw             net             udp     1718 #AmericasArmy - master server query
ACCEPT   fw             net             udp     8777 #AmericasArmy - standard UT query
ACCEPT   fw             net             tcp     20045 #AmericasArmy - Auth server
ACCEPT   fw             net             udp     27900 #AmericasArmy - gamespy
```

My guess is that's it's something to do with this line in /etc/shorewall/policy:

```
#SOURCE         DEST            POLICY          LOG             LIMIT:BURST
#                                               LEVEL
net             all             DROP            info
```

but I don't know how to securely allow just the above ports without defeating the purpose of shorewall in the first place.  Anyone have any pointers?  TIA.

----------

## Sith_Happens

Try to connect to the servers, then post some lines from dmesg (if you want to obfuscate the IPs, just be sure to identify them for me somehow so I know which is your computer and which is a server).

----------

## travlr

Hi,

I've been trying to figure this out for hours, and I now need to ask for help. I have an interface that transmits and receives data. There is a stand alone UI app that sits on my desktop. Booting this app requires a login to connect. 

```
bash-2.05b# cd /home/tmp/IBJts
bash-2.05b# java -cp jts.jar:jcommon-0.9.0.jar:jfreechart-0.9.15.jar jclient.LoginFrame .
12:39:02 JTS-Main: Cannot reach the web server to check if the upgrade version is available.
12:39:02 JTS-Main: Build 845.5, 2005/04/13 16:00
12:39:13 JTS-Login-1: Error: creating socket failed
java.net.ConnectException: Connection refused
        at java.net.PlainSocketImpl.socketConnect(Native Method)
        at java.net.PlainSocketImpl.doConnect(PlainSocketImpl.java:305)
        at java.net.PlainSocketImpl.connectToAddress(PlainSocketImpl.java:171)
        at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:158)
        at java.net.Socket.connect(Socket.java:452)
        at java.net.Socket.connect(Socket.java:402)
        at java.net.Socket.<init>(Socket.java:309)
        at java.net.Socket.<init>(Socket.java:124)
        at jconnection.c.K(c.java:114)
        at jconnection.j.run(j.java:36)
12:39:15 JTS-Login-1: Error: creating socket failed
```

Here is how I config'd /etc/shorewall/rules 

```
####################################################################################################
#ACTION  SOURCE      DEST         PROTO   DEST    SOURCE      ORIGINAL   RATE      USER/
#                                     PORT    PORT(S)    DEST      LIMIT      GROUP
ACCEPT   fw      net      tcp   80 #http
ACCEPT  fw              net             udp     80 #http
ACCEPT  fw              net             tcp     443 #https
ACCEPT  fw              net             udp     443 #https
ACCEPT  fw              net             tcp     21 #ftp
ACCEPT  fw              net             tcp     53 #DNS
ACCEPT  fw              net             udp     53 #DNS
ACCEPT  fw              net             tcp     110 #unsecure Pop3
ACCEPT  fw              net             tcp     995 #Secure Pop3
ACCEPT  fw              net             tcp     873 #rsync
ACCEPT  fw              net             tcp     25 #unsecure SMTP
ACCEPT  fw              net             tcp     465 #SMTP over SSL
ACCEPT  fw              net             tcp     5190 #AIM/ICQ
ACCEPT  net:208.245.107.4    fw      tcp   4000
ACCEPT  net:208.245.107.6    fw      tcp   4000
ACCEPT  fw      net:208.245.107.4    tcp   -   4000
ACCEPT  fw      net:208.245.107.6    tcp   -   4000
DROP    net             fw              tcp     113 #AUTH/IDENT, added to show how to block a port
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
```

Here's /etc/shorewall/policy

```
###############################################################################
#SOURCE      DEST      POLICY      LOG      LIMIT:BURST
#                  LEVEL
#loc      net      ACCEPT
net      all      DROP      info
#
# THE FOLLOWING POLICY MUST BE LAST
#
all      all      REJECT      info 
#LAST LINE -- DO NOT REMOVE
```

Here's the dmesg

```
eth1: register usbnet at usb-0000:00:1d.3-2, CDC Ethernet Device
usbcore: registered new driver usbnet
parport: PnPBIOS parport detected.
parport0: PC-style at 0x378 (0x778), irq 7 [PCSPP(,...)]
Shorewall:all2all:REJECT:IN= OUT=eth1 SRC=69.139.56.33 DST=208.245.107.6 LEN=60TOS=0x00 PREC=0x00 TTL=64 ID=6099 DF PROTO=TCP SPT=32769 DPT=4000 WINDOW=5840 RES=0x00 SYN URGP=0
bash-2.05b#
```

I'm trying to understand and resolve this, so I appreciate your help very much. Also SSL is not to be configured in at this time, but would like to have this option. Does SSL use also need to be configured into shorewall.

Last edited by travlr on Fri May 06, 2005 7:02 am; edited 1 time in total

----------

## tibbyla

 *Sith_Happens wrote:*   

> Try to connect to the servers, then post some lines from dmesg (if you want to objusticate the IP's, just be sure to identify them for me somehow so I know which is your computer and which is a server).

 

I get a bunch of lines that look like this:

```
May  5 21:10:34 all2all:REJECT:IN= OUT=eth0 SRC=my.int.ip.add DST=my.own.bdcst.add LEN=36 TOS=0x00 PREC=0x00 TTL=64 ID=96 DF PROTO=UDP SPT=32768 DPT=7874 LEN=16
```

where my.int.ip.add is my internal/private IP address, ala 10.0.0.3 or whatever and my.own.bdcst.add is my broadcast.  It may be overkill to hide these, but oh well.  The DPT number also ranges between 7778 and 8777, depending on the line of output from dmesg.

----------

## Sith_Happens

@tibbyla: Then you need to add a rule that says:

```
ACCEPT          fw            net              udp         7778:8777
```

Is this internal network traffic though?  If you have more than one computer on your network, you should consider setting up a dedicated firewall, which (as pointed out by an angry poster in the documentation thread) is much more secure, and will allow you to control internal network traffic separately from external network traffic.

@travlr: Your problem is you have the source ports and destination ports wrong.  It seems that the server is both sending and receiving data on port 4000.  So data from the server (net->fw) should have the source port of 4000, and data from your computer to the server (fw->net) should have a destination port of 4000.  So switch those around and you should be fine.
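The port-column reasoning in the reply above, worked through as an added example that is not code from the thread or from the Shorewall project: it replays the posted all2all:REJECT line against the rules as posted and as swapped, and also the active-FTP net2all:DROP from MaDmAsTeR's post earlier in the thread. The interface-to-zone map, the service-name table and the 198.51.100.x / 203.0.113.x addresses in the FTP line are assumed or constructed.

```python
"""Replay Shorewall log lines against a rules file.  Added example, not code from the
thread or the Shorewall project; the interface->zone map, the service table and the
198.51.100.x / 203.0.113.x addresses are assumed/constructed."""
import re
from dataclasses import dataclass

# Assumed one-interface layout from the tutorial: every real interface is zone "net".
IFACE_ZONES = {"eth0": "net", "eth1": "net", "ppp0": "net"}
# Port columns may use /etc/services names; a few that appear in the thread.
SERVICES = {"ftp": 21, "ftp-data": 20, "www": 80, "http": 80, "https": 443, "domain": 53}
LOG_RE = re.compile(r"(?:Shorewall:)?(?P<chain>\w+):(?P<disp>[A-Z]+):(?P<rest>IN=.*)")


@dataclass
class Rule:
    action: str          # ACCEPT/DROP/REJECT, optionally with :loglevel:tag
    source: str          # zone, or zone:host as in net:208.245.107.6
    dest: str
    proto: str
    dport: str = "-"     # DEST PORT(S) column, "-" means any
    sport: str = "-"     # SOURCE PORT(S) column

def parse_rules(text):
    """Read the first six columns of a rules file; comments and blank lines are skipped."""
    rules = []
    for line in text.splitlines():
        cols = line.split("#", 1)[0].split()
        if cols:
            rules.append(Rule(*cols[:6]))
    return rules

def parse_log(line):
    """Turn a Shorewall log line into {chain, disposition, IN, OUT, SRC, DST, ..., DPT}."""
    m = LOG_RE.search(line)
    if not m:
        raise ValueError("not a Shorewall log line: %r" % line)
    pkt = {"chain": m["chain"], "disposition": m["disp"]}
    pkt.update(re.findall(r"(\w+)=(\S*)", m["rest"]))   # bare flags (DF, SYN) are skipped
    return pkt

def zones(pkt):
    """Empty IN= means the packet originated on the firewall (zone fw);
    empty OUT= means it is addressed to the firewall."""
    src = "fw" if not pkt.get("IN") else IFACE_ZONES.get(pkt["IN"], "?")
    dst = "fw" if not pkt.get("OUT") else IFACE_ZONES.get(pkt["OUT"], "?")
    return src, dst

def port_matches(spec, port):
    """Port column grammar: "-" any; "a", "a:b", "a:" (open-ended), comma lists, names."""
    if spec == "-":
        return True
    if port is None:           # ICMP has no ports, so a port-specific rule cannot match it
        return False
    for item in spec.split(","):
        lo, sep, hi = item.partition(":")
        lo = int(SERVICES.get(lo, lo))
        hi = int(SERVICES.get(hi, hi)) if hi else (65535 if sep else lo)
        if lo <= port <= hi:
            return True
    return False

def zone_matches(spec, zone, addr):
    name, _, host = spec.partition(":")
    return name in ("all", zone) and host in ("", addr)

def first_match(rules, pkt):
    """ACTION of the first rule matching the logged packet, or None when none does
    (Shorewall then falls through to the policy file, which is what the log records)."""
    src_zone, dst_zone = zones(pkt)
    proto = pkt.get("PROTO", "").lower()
    dpt = int(pkt["DPT"]) if "DPT" in pkt else None
    spt = int(pkt["SPT"]) if "SPT" in pkt else None
    for r in rules:
        if (r.proto in ("-", "all", proto)
                and zone_matches(r.source, src_zone, pkt["SRC"])
                and zone_matches(r.dest, dst_zone, pkt["DST"])
                and port_matches(r.dport, dpt)
                and port_matches(r.sport, spt)):
            return r.action.split(":")[0]   # drop ":info:tag" logging qualifiers
    return None

# The all2all:REJECT line from the post above (missing space after LEN=60 restored).
REJECT_LINE = ("Shorewall:all2all:REJECT:IN= OUT=eth1 SRC=69.139.56.33 DST=208.245.107.6 "
               "LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=6099 DF PROTO=TCP SPT=32769 DPT=4000 "
               "WINDOW=5840 RES=0x00 SYN URGP=0")
# As posted: 4000 sits in the SOURCE PORT column of the fw->net rule, so nothing matches.
POSTED_RULES = """
ACCEPT  net:208.245.107.6  fw                 tcp  4000
ACCEPT  fw                 net:208.245.107.6  tcp  -     4000
"""
# As advised: fw->net gets DEST PORT 4000, net->fw gets SOURCE PORT 4000.
SWAPPED_RULES = """
ACCEPT  net:208.245.107.6  fw                 tcp  -     4000
ACCEPT  fw                 net:208.245.107.6  tcp  4000
"""
# The active-FTP data SYN logged earlier in the thread (addresses constructed):
# server port 20 -> client high port, which "ftp,20" in the DEST column never covers.
FTP_LINE = ("Shorewall:net2all:DROP:IN=ppp0 OUT= MAC= SRC=198.51.100.7 DST=203.0.113.9 "
            "LEN=60 TOS=0x08 PREC=0x00 TTL=55 ID=20443 DF PROTO=TCP SPT=20 DPT=37104 SYN")
FTP_RULES = "ACCEPT:info:ftp  net  fw  tcp  ftp,20\n"
```

Running first_match over REJECT_LINE gives None with POSTED_RULES and "ACCEPT" with SWAPPED_RULES; the FTP data SYN matches nothing either, which is why that thread relies on the conntrack FTP helper rather than a port rule.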

----------

## lin00b

Hi, I'm having problems:

1. setting up p2p (bittorrent) from my firewall. The bittorrent client is set to listen on ports 9000 to 9005

2. getting my local network (well, a network of 1 laptop) connected to the net through the firewall

System setup:

1 PC (firewall) connected to the net via PPPoE through nas0 and to the local network through eth0, with dhcp and dnsmasq enabled as per the home router guide

ifconfig

```
eth0      Link encap:Ethernet  HWaddr 00:08:A1:6F:7F:A9  
          inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1146 errors:0 dropped:0 overruns:0 frame:0
          TX packets:764 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:118887 (116.1 Kb)  TX bytes:71997 (70.3 Kb)
          Interrupt:19 Base address:0xd800 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:1012 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1012 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:45492 (44.4 Kb)  TX bytes:45492 (44.4 Kb)

nas0      Link encap:Ethernet  HWaddr 00:E0:95:50:39:F8  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:46047 errors:0 dropped:0 overruns:0 frame:0
          TX packets:36163 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:30562356 (29.1 Mb)  TX bytes:4135564 (3.9 Mb)

ppp0      Link encap:Point-to-Point Protocol  
          inet addr:219.95.188.142  P-t-P:219.93.218.177  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1492  Metric:1
          RX packets:29457 errors:0 dropped:0 overruns:0 frame:0
          TX packets:22672 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3 
          RX bytes:18204202 (17.3 Mb)  TX bytes:2220098 (2.1 Mb)
```

/etc/shorewall/masq

```
#INTERFACE              SUBNET          ADDRESS         PROTO   PORT(S)
ppp0                    eth0
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
```

/etc/shorewall/policy

```
#SOURCE         DEST            POLICY          LOG             LIMIT:BURST
#                                               LEVEL
loc             net             ACCEPT
net             all             DROP            info
#
# THE FOLLOWING POLICY MUST BE LAST
#
all             all             REJECT          info
#LAST LINE -- DO NOT REMOVE
```

/etc/shorewall/rules

```
#ACTION  SOURCE         DEST            PROTO   DEST    SOURCE     ORIGINAL    RATE    USER/
#                                               PORT    PORT(S)    DEST        LIMIT   GROUP
ACCEPT  fw              net             tcp     80              #http
ACCEPT  fw              net             udp     80              #http
ACCEPT  fw              net             tcp     443             #https
ACCEPT  fw              net             udp     443             #https
ACCEPT  fw              net             tcp     53              #DNS
ACCEPT  fw              net             udp     53              #DNS
ACCEPT  fw              net             tcp     873             #rsync
ACCEPT  fw              net             tcp     5190            #ICQ AIM OSCAR
ACCEPT  fw              net             tcp     1863            #MSN messenger
ACCEPT  fw              net             tcp     6667            #IRC
ACCEPT  fw              net             tcp     9000:9005       #bittorrent
ACCEPT  fw              net             udp     9000:9005       #bittorrent
ACCEPT  net             fw              tcp     9000:9005       #bittorrent
ACCEPT  net             fw              udp     9000:9005       #bittorrent
ACCEPT  fw              net             tcp     6969            #bittorrent
DNAT    net             loc:192.168.0.1 tcp     9000:9005       #bittorrent
DNAT    net             loc:192.168.0.1 udp     9000:9005       #bittorrent
DNAT    net             loc:192.168.0.1 tcp     6969            #bittorrent
```

----------

## Sith_Happens

Well, your second problem is outside the scope of my tutorial, but I will try to help you with it just the same.  I'm just a nice guy I guess.  :Smile:   As far as that goes, I suggest you take a look at this tutorial, since you need to set up some extra rules to handle the actual routing of traffic between loc and net through the firewall.  As far as your first problem goes, is bittorrent running on the firewall, or is it running on some computer behind the firewall?  I see some DNAT rules there as well as some fw->net rules, so I'm a little confused.

----------

## lin00b

 *Quote:*   

> Well, your second problem is outside the scope of my tutorial, but I will try to help you with it just the same.I'm just a nice guy I guess. 

 

Well, I guess you can be an even nicer guy and post another much-requested tutorial on two-interface firewalling  :Smile: 

 *Quote:*   

>  I suggest you take a look at this tutorial,

 

I did, and the result of my research is the rules you see up there  :Confused: 

 *Quote:*   

>  is bittorrent running on the firewall, or is it running on some computer behind the firewall?

 

I'm trying to get bittorrent running on both. Can they share the same ports, though? Or would I need to specify another set of ports for my laptop?

----------

## Sith_Happens

 *lin00b wrote:*   

> I'm trying to get bittorrent running on both. Can they share the same ports, though? Or would I need to specify another set of ports for my laptop?

 You can't have packets hitting your firewall on ports 9000-9005 both received by bittorrent listening on the firewall, while at the same time redirected to your laptop.  You'll have to run one or the other on different ports, and change your firewall rules accordingly.  As far as your second problem, I don't see any rules handling DNS, and I don't see a /etc/shorewall/interfaces file, so perhaps you should give the Shorewall two-interface tutorial a once-over again, and make sure you've covered all the bases.  Then post some more info, such as what computer your DNS server is on, etc.

----------

## lin00b

/etc/shorewall/interfaces

```
#ZONE   INTERFACE       BROADCAST       OPTIONS
net     ppp0            -               dhcp,routefilter,tcpflags
loc     eth0            detect          tcpflags
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
```

Bittorrent now works from my firewall. I modified and commented my /etc/shorewall/rules as follows:

```
#       Accept connections from the firewall to the internet
#--------------------------------------------------------------
ACCEPT          fw              net             tcp     53              #DNS
ACCEPT          fw              net             udp     53
ACCEPT          fw              net             tcp     80              #HTTP
ACCEPT          fw              net             udp     80
ACCEPT          fw              net             tcp     443             #HTTPs
ACCEPT          fw              net             udp     443
ACCEPT          fw              net             tcp     873             #rsync
ACCEPT          fw              net             tcp     5190            #ICQ AIM oscar
ACCEPT          fw              net             tcp     1863            #MSN messenger
ACCEPT          fw              net             tcp     6667            #IRC
ACCEPT          fw              net             tcp     9000:9005       #bittorrent
ACCEPT          fw              net             udp     9000:9005
#       Accept connections from the internet to the firewall
#--------------------------------------------------------------
ACCEPT          net             fw              tcp     9000:9005       #bittorrent
ACCEPT          net             fw              udp     9000:9005
#       DNAT rules
#--------------------------------------------------------------
DNAT            net     loc:192.168.0.250       tcp     9006:9010       #bittorrent
DNAT            net     loc:192.168.0.250       udp     9006:9010 
```

Result of shorewall start:

```
shorewall start
Loading /usr/share/shorewall/functions...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Loading Modules...
Starting Shorewall...
Initializing...
Shorewall has detected the following iptables/netfilter capabilities:
   NAT: Available
   Packet Mangling: Not available
   Multi-port Match: Available
   Connection Tracking Match: Available
Determining Zones...
   Zones: net loc
Validating interfaces file...
Validating hosts file...
Validating Policy file...
Determining Hosts in Zones...
   Net Zone: ppp0:0.0.0.0/0
   Local Zone: eth0:0.0.0.0/0
Processing /etc/shorewall/init ...
Deleting user chains...
Setting up Accounting...
Creating Interface Chains...
Configuring Proxy ARP
Setting up NAT...
Setting up NETMAP...
Adding Common Rules
Processing /etc/shorewall/initdone ...
Adding rules for DHCP
Setting up TCP Flags checking...
Setting up Kernel Route Filtering...
IP Forwarding Enabled
Processing /etc/shorewall/tunnels...
Pre-processing Actions...
   Pre-processing /usr/share/shorewall/action.DropSMB...
   Pre-processing /usr/share/shorewall/action.RejectSMB...
   Pre-processing /usr/share/shorewall/action.DropUPnP...
   Pre-processing /usr/share/shorewall/action.RejectAuth...
   Pre-processing /usr/share/shorewall/action.DropPing...
   Pre-processing /usr/share/shorewall/action.DropDNSrep...
   Pre-processing /usr/share/shorewall/action.AllowPing...
   Pre-processing /usr/share/shorewall/action.AllowFTP...
   Pre-processing /usr/share/shorewall/action.AllowDNS...
   Pre-processing /usr/share/shorewall/action.AllowSSH...
   Pre-processing /usr/share/shorewall/action.AllowWeb...
   Pre-processing /usr/share/shorewall/action.AllowSMB...
   Pre-processing /usr/share/shorewall/action.AllowAuth...
   Pre-processing /usr/share/shorewall/action.AllowSMTP...
   Pre-processing /usr/share/shorewall/action.AllowPOP3...
   Pre-processing /usr/share/shorewall/action.AllowIMAP...
   Pre-processing /usr/share/shorewall/action.AllowTelnet...
   Pre-processing /usr/share/shorewall/action.AllowVNC...
   Pre-processing /usr/share/shorewall/action.AllowVNCL...
   Pre-processing /usr/share/shorewall/action.AllowNTP...
   Pre-processing /usr/share/shorewall/action.AllowRdate...
   Pre-processing /usr/share/shorewall/action.AllowNNTP...
   Pre-processing /usr/share/shorewall/action.AllowTrcrt...
   Pre-processing /usr/share/shorewall/action.AllowSNMP...
   Pre-processing /usr/share/shorewall/action.AllowPCA...
   Pre-processing /usr/share/shorewall/action.Drop...
   Pre-processing /usr/share/shorewall/action.Reject...
Processing /etc/shorewall/rules...
   Rule "ACCEPT fw net tcp 53" added.
   Rule "ACCEPT fw net udp 53" added.
   Rule "ACCEPT fw net tcp 80" added.
   Rule "ACCEPT fw net udp 80" added.
   Rule "ACCEPT fw net tcp 443" added.
   Rule "ACCEPT fw net udp 443" added.
   Rule "ACCEPT fw net tcp 873" added.
   Rule "ACCEPT fw net tcp 5190" added.
   Rule "ACCEPT fw net tcp 1863" added.
   Rule "ACCEPT fw net tcp 6667" added.
   Rule "ACCEPT fw net tcp 9000:9005" added.
   Rule "ACCEPT fw net udp 9000:9005" added.
   Rule "ACCEPT net fw tcp 9000:9005" added.
   Rule "ACCEPT net fw udp 9000:9005" added.
   Rule "DNAT net loc:192.168.0.250 tcp 9006:9010" added.
   Rule "DNAT net loc:192.168.0.250 udp 9006:9010" added.
Processing Actions...
Processing /usr/share/shorewall/action.Drop...
   Rule "RejectAuth" added.
   Rule "dropBcast" added.
   Rule "dropInvalid" added.
   Rule "DropSMB" added.
   Rule "DropUPnP" added.
   Rule "dropNotSyn" added.
   Rule "DropDNSrep" added.
Processing /usr/share/shorewall/action.Reject...
   Rule "RejectAuth" added.
   Rule "dropBcast" added.
   Rule "dropInvalid" added.
   Rule "RejectSMB" added.
   Rule "DropUPnP" added.
   Rule "dropNotSyn" added.
   Rule "DropDNSrep" added.
Processing /usr/share/shorewall/action.RejectAuth...
   Rule "REJECT - - tcp 113" added.
Processing /usr/share/shorewall/action.DropSMB...
   Rule "DROP - - udp 135" added.
   Rule "DROP - - udp 137:139" added.
   Rule "DROP - - udp 445" added.
   Rule "DROP - - tcp 135" added.
   Rule "DROP - - tcp 139" added.
   Rule "DROP - - tcp 445" added.
Processing /usr/share/shorewall/action.DropUPnP...
   Rule "DROP - - udp 1900" added.
Processing /usr/share/shorewall/action.DropDNSrep...
   Rule "DROP - - udp - 53" added.
Processing /usr/share/shorewall/action.RejectSMB...
   Rule "REJECT - - udp 135" added.
   Rule "REJECT - - udp 137:139" added.
   Rule "REJECT - - udp 445" added.
   Rule "REJECT - - tcp 135" added.
   Rule "REJECT - - tcp 139" added.
   Rule "REJECT - - tcp 445" added.
Processing /etc/shorewall/policy...
   Policy REJECT for fw to net using chain all2all
   Policy DROP for net to fw using chain net2all
   Policy DROP for net to loc using chain net2all
   Policy ACCEPT for loc to net using chain loc2net
Masqueraded Networks and Hosts:
   To 0.0.0.0/0 (all) from 192.168.0.0/24 through ppp0
Activating Rules...
Processing /etc/shorewall/start ...
Shorewall Started
```

Additional information: my router is on 192.168.0.1, my laptop is at 192.168.0.250 via DHCP, my broadcast is 192.168.0.255.

DNS servers are 202.188.0.133 and 202.188.1.5, but I don't see the relevance since I can connect to the net from my firewall just fine.

##EDIT - solved, I think. From the output above I found out that I don't have mangling, so I recompiled with mangling in, then set ACCEPT loc -> fw in policy and I'm OK. Question being, is there any security risk in setting ACCEPT loc -> fw in policy, or should I just specify specific ports in rules?
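Two of the problems in this exchange can be caught by reading the config files instead of by trial: the first version of the rules file sent ports 9000:9005 both to a bittorrent listener on the firewall (ACCEPT net fw) and to the laptop (DNAT net loc), which is the conflict Sith_Happens rejected above, and the EDIT asks whether an ACCEPT policy from loc to fw is a risk. The script below is an added example, not part of the thread or of Shorewall: a small linter that parses the rules and policy formats used in this thread, reports ACCEPT net->fw rules that a DNAT rule shadows (DNAT is applied in the nat table's PREROUTING chain, before the filter table's INPUT chain sees the packet, so redirected ports never reach a daemon on the firewall), and flags ACCEPT policies that expose the firewall box itself to a whole zone, printing explicit per-port rules instead. The sample inputs are the rules posted above, trimmed, plus the loc-to-fw policy line the EDIT describes; the DNS rules it suggests assume dnsmasq on the firewall is the LAN's resolver, as the setup description says.

```python
# Sample inputs taken from lin00b's posts above, trimmed to the lines that
# matter.  RULES_CONFLICT is the first rules file, RULES_FIXED the second;
# POLICY is the posted policy file plus the 'loc fw ACCEPT' line the EDIT
# above describes.
RULES_CONFLICT = """\
#ACTION  SOURCE  DEST             PROTO  DEST PORT(S)
ACCEPT   fw      net              tcp    9000:9005    #bittorrent
ACCEPT   fw      net              udp    9000:9005
ACCEPT   net     fw               tcp    9000:9005    #bittorrent on the firewall
ACCEPT   net     fw               udp    9000:9005
ACCEPT   fw      net              tcp    6969
DNAT     net     loc:192.168.0.1  tcp    9000:9005    #bittorrent
DNAT     net     loc:192.168.0.1  udp    9000:9005
DNAT     net     loc:192.168.0.1  tcp    6969
"""
RULES_FIXED = """\
ACCEPT   net     fw                 tcp    9000:9005
ACCEPT   net     fw                 udp    9000:9005
DNAT     net     loc:192.168.0.250  tcp    9006:9010
DNAT     net     loc:192.168.0.250  udp    9006:9010
"""
POLICY = """\
#SOURCE  DEST  POLICY  LOG LEVEL
loc      net   ACCEPT
loc      fw    ACCEPT
net      all   DROP    info
all      all   REJECT  info
"""


def _fields(text):
    """Whitespace-split columns of each non-comment, non-blank line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line.split()


def parse_ports(spec):
    """'80' -> [(80, 80)], '9000:9005' -> [(9000, 9005)], '80,443' -> two
    ranges, '-' or missing -> the whole port space."""
    if spec in ("-", ""):
        return [(1, 65535)]
    ranges = []
    for part in spec.split(","):
        lo, _, hi = part.partition(":")
        ranges.append((int(lo), int(hi) if hi else int(lo)))
    return ranges


def parse_rules(text):
    rules = []
    for cols in _fields(text):
        cols += ["-"] * (5 - len(cols))          # PROTO and DEST PORT are optional
        action, src, dst, proto, dport = cols[:5]
        rules.append({"action": action.upper(), "src": src, "dst": dst,
                      "dst_zone": dst.split(":", 1)[0],
                      "proto": proto.lower(), "ports": parse_ports(dport)})
    return rules


def parse_policy(text):
    return [{"src": c[0], "dst": c[1], "policy": c[2].upper()}
            for c in _fields(text) if len(c) >= 3]


def _fmt(r):
    ports = ",".join(str(lo) if lo == hi else f"{lo}:{hi}" for lo, hi in r["ports"])
    return f"{r['action']} {r['src']} {r['dst']} {r['proto']} {ports}"


def shadowed_listeners(rules):
    """(ACCEPT ->fw rule, DNAT rule) pairs with the same source zone and
    overlapping protocol/ports.  DNAT runs in nat PREROUTING, before filter
    INPUT sees the packet, so the redirected ports never reach a daemon on
    the firewall and the ACCEPT is dead."""
    found = []
    for a in rules:
        if a["action"] != "ACCEPT" or a["dst_zone"] != "fw":
            continue
        for d in rules:
            if d["action"] != "DNAT" or d["src"] != a["src"]:
                continue
            if "-" not in (a["proto"], d["proto"]) and a["proto"] != d["proto"]:
                continue
            if any(x[0] <= y[1] and y[0] <= x[1] for x in a["ports"] for y in d["ports"]):
                found.append((_fmt(a), _fmt(d)))
    return found


def broad_accept_policies(policies):
    """ACCEPT policies that open the firewall box itself to a whole zone:
    every daemon bound on it becomes reachable from that zone and the final
    all2all REJECT no longer applies to that pair."""
    return [p for p in policies if p["policy"] == "ACCEPT"
            and p["dst"] in ("fw", "all") and p["src"] != "fw"]


def explicit_rules_for(policy, services):
    """Per-port rules that replace one broad policy line; `services` lists
    the (proto, port) pairs the firewall really offers to that zone."""
    return [f"ACCEPT {policy['src']} fw {proto} {port}" for proto, port in services]


if __name__ == "__main__":
    for accept, dnat in shadowed_listeners(parse_rules(RULES_CONFLICT)):
        print(f"shadowed: '{accept}' never matches because of '{dnat}'")
    print("second rules file:", shadowed_listeners(parse_rules(RULES_FIXED)) or "clean")
    for p in broad_accept_policies(parse_policy(POLICY)):
        print(f"broad policy '{p['src']} {p['dst']} ACCEPT'; dnsmasq only needs:")
        for r in explicit_rules_for(p, [("udp", 53), ("tcp", 53)]):   # assumed services
            print("   ", r)
```

On the policy question: with `loc fw ACCEPT`, every socket bound on the firewall, the bittorrent listener and dnsmasq's DNS and DHCP sockets included, is reachable from any LAN host, so a compromised laptop gets a free run at the box. The cheaper fix is to keep the all2all REJECT policy and add `ACCEPT loc fw udp 53` and `ACCEPT loc fw tcp 53` for dnsmasq. DHCP does not need a rule if the `dhcp` option is set on eth0 in /etc/shorewall/interfaces; the file posted above puts it on ppp0, which gets its address from PPP rather than DHCP, and not on eth0 where dnsmasq hands out leases.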

----------

## detz

```
* Restarting firewall...
FATAL: Module ip6_tables not found.
ip6tables v1.2.11: can't initialize ip6tables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
FATAL: Module ip6_tables not found.
ip6tables v1.2.11: can't initialize ip6tables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
FATAL: Module ip6_tables not found.
ip6tables v1.2.11: can't initialize ip6tables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.                                                                                [ ok ]
```

I've [*]'d all the modules under iptables but I still get this.  The firewall works fine but I want to get rid of this before I autostart it.

---Update

```
Device Drivers --->
     Networking support --->
           Networking options --->
                 [*] Network packet filtering (replaces ipchains) --->
                       IP: Netfilter Configuration --->
                             <*> Connection tracking (required for masq/NAT)
                             <*> IP Tables Support (required for filtering/masq/NAT)
                                   # Include (<*> not <M>) all options and sub options under IP tables support
                              ---There is a section under this that has ip6table stuff, check all of that too.
```

----------

## petlab

I have a couple questions that you may want to incorporate into the HOWTO.  BTW, Thanks, like one and a half million for the help!

1.  I noticed that iptables doesn't get added with rc-update.  I figure it isn't necessary, since shorewall "uses the iptables program for you."  Is that right?  I'm not a super noob, but I am installing remotely, so I can't mess up!  :Very Happy: 

2.  And am I right that we don't need to configure any scripts/files for iptables?  This is implied, but it worries me to imply stuff.

That's all.  Thanks again. :Very Happy: 

----------

## Sith_Happens

Well, the purpose of Shorewall is to create scripts that configure iptables.  So configuring it and adding its initscript to startup takes care of everything as far as iptables is concerned.  Thanks for your question though.  As far as detz's question is concerned, my how-to is strictly IPv4; you should post to another thread if you are having trouble with IPv6.

----------

## kamagurka

I have a very weird problem with shorewall (mostly it's logging, but I honestly can't tell whether there is more):

after I boot, with shorewall in default runlevel everything is spiffy, no errors and all, except for one thing: it seems all my traffic (not just the dropped stuff) gets logged to messages, although I have specified a different logfile. I only have to issue "/etc/init.d/shorewall restart" to make everything like it is supposed to be, but that's just a workaround. Is this a bug or what?

----------

## Sith_Happens

Did you specify a loglevel in your policy file?  I only have messages that are dropped or rejected logged, so I have a loglevel set to info in my policy file, like so:

```
###############################################################################
#SOURCE         DEST            POLICY          LOG             LIMIT:BURST
#                                               LEVEL   
net             all             DROP            info
#
# THE FOLLOWING POLICY MUST BE LAST
#       
all             all             REJECT          info 
```

If you don't want those messages logged, you simply don't set a loglevel.

----------

## kamagurka

I have a loglevel set. Once I restart shorewall everything works just as advertised; and even if I hadn't any loglevel specified, it'd hardly be acceptable that the thing behaves however the damn hell it pleases everytime I restart it.

----------

## petlab

I did it!  A successful install.  My machine is a dual AMD64.  Works great -  I forgot to add FTP, and it didn't connect.  I added it, restarted shorewall, and now it works.  Thanks again.

AMD64 Dual Opterons, 2.0 GHz, 6GB ram,

Hardened 2.6.11-r1 (PaX, grsec)

net-firewall/iptables-1.3.1-r4

iproute2-2.6.11.20050310-r1

shorewall-2.2.4

And I managed not to lock myself out...   :Twisted Evil: 

I think that the tutorial really DID help me!

----------

## Gentoo_You

Cool Moniker!

I just updated my kernel for the IP Tables support, etc... BUT, after I was done compiling the new kernel I moved it to /boot and then rebooted the computer without emerging Shorewall and continuing with the configuration. (AND I deleted the old kernel.)  :Mad: 

SO, my system won't boot anymore, it hangs at loading ath0(wireless interface), and spits out weird text to the screen and stops dead before going to the login prompt. I'm assuming that the "weird text" when bringing up ath0 is the IP tables stuff that was just compiled into the kernel, but won't work since I rebooted.

I'm posting from Windows now.  :Razz: 

How do I get back to the point where I can log into linux and have a connection to emerge shorewall and complete this?

----------

## kamagurka

 *Gentoo_You wrote:*   

> Cool Moniker!
> 
> I just updated my kernel for the IP Tables support, etc... BUT, after I was done compiling the new kernel I moved it to /boot and then rebooted the computer without emerging Shorewall and continuing with the configuration. (AND I deleted the old kernel.) :x 
> 
> SO, my system won't boot anymore, it hangs at loading ath0(wireless interface), and spits out weird text to the screen and stops dead before going to the login prompt. I'm assuming that the "weird text" when bringing up ath0 is the IP tables stuff that was just compiled into the kernel, but won't work since I rebooted.
> ...

 

1. Strictly speaking, this does not really belong in this thread

2. While hindsight is always meh, consider this next time you recompile a kernel: you can never be sure that a new kernel works; therefore, *never* delete your old, known-to-be-working kernel. Instead move it to /boot/kernel.old or something, so you can hit "e" at the boot prompt and boot with your old kernel if anything goes wrong.

3. Boot with the Gentoo LiveCD (or Knoppix or any other LiveCD with chroot on it, really), chroot over to your / and recompile your kernel.

----------

## Gentoo_You

 *kamagurka wrote:*   

> 
> 
> 1. Strictly speaking, this does not really belong in this thread
> 
> 2. While hindsight is always meh, consider this next time you recompile a kernel: you can never be sure that a new kernel works; therefore, *never* delete your old, known-to-be-working kernel. Instead move it to /boot/kernel.old or something, so you can hit "e" at the boot prompt and boot with your old kernel if anything goes wrong.
> ...

 

Thank you for your answer kamagurka, I'll patch my ethernet cable back in to boot with the LiveCD when I get back from work, since I'm using wireless. Have the mods move it if it bothers you that much.  :Very Happy: 

----------

## scruff

Nice tutorial! I also had the issue with norfc1918 for a minute but got that worked out. My question is related to filtering after allowing incoming traffic on, say, port 80 for instance. When I run

```
# nmap -v -sS -O sfsullivan.homelinux.org
```

it shows 80 and 22 as OPEN rather than FILTERED. Is that normal? Does SPI still apply even after allowing traffic? Here are my rules:

```
ACCEPT          net     fw      tcp     22
ACCEPT          net     fw      tcp     80
```

Is there anything I need to do to make sure these ports are open, but remain monitored for shady-looking traffic?

Thanks for any info. Being behind a router I never bothered with iptables, but I'm running a webserver now so the router forwards ALL traffic on 80 to my box. I spent some time securing Apache and setting up mod_security but I know I still need a good firewall  :Smile: 

edit: Also, I'm trying to set up access for Samba. I entered the rules as shown in the Shorewall docs but it said 'Zone loc is undefined'. When I added it to zones it said ath0 was already defined, which it was, as 'net'. So how do I specify that I want to allow local traffic access to Samba ports when I only have one interface?

-Sean

----------

## Sith_Happens

 *scruff wrote:*   

> Nice tutorial! I also had the issue with norfc1918 for a minute but got that worked out. My question is related to filtering after allowing incoming traffic on say, port 80 for instance. When I run
> 
> #  nmap -v -sS -O sfsullivan.homelinux.org
> 
> It shows 80 and 22 as OPEN rather than FILTERED. Is that normal? Does SPI still apply even after allowing traffic? Here are my rules:
> ...

 If you are running a webserver behind a router, you should consider putting it into a DMZ (a separate "demilitarized zone"), either through your internet router or some router on your local network.  That's much better than using Shorewall on the webserver itself.

----------

## scruff

I would, but I am running it on my primary machine at the moment. Security is my primary concern here  :Wink: 

I'm working on building another box from spare parts. When it is complete it will serve no other purpose than web/mail server. Easy install, easy backups, and easy restore in the event of an attack. Until then though...

----------

## Sith_Happens

 *scruff wrote:*   

> I would, but I am running it on my primary machine at the moment. Security is my primary concern here 
> 
> I'm working on building another box from spare parts. When it is complete it will serve no other purpose than web/mail server. Easy install, easy backups, and easy restore in the event of an attack. Until then though...

 Well then, as to your original question: yes, those ports should be open, not filtered.  If you are really interested in additional information on the kind of traffic headed towards your webserver, I would suggest setting up some sort of IDS (see the snort website for different deployment ideas).  If you combine snort with Apache and either ACID or BASE, you can look at detailed graphical reports of your internal network traffic.  Pretty cool eh?

----------

## scruff

Very cool. Even cooler, I managed to grab an old HP 1200 MHz Celeron off some family to dedicate to a webserver/mail server  :Very Happy:  So I'm installing now and will see about wrapping that stuff in with Apache. Thanks!

----------

## mach.82

Hello, Sith_Happens

As of May 17, 2005, Tom Eastep had stepped down from Shorewall development and support. I really appreciate your Prompt and Powerful Personal Firewalling with Shorewall tutorial. With your knowledge with Shorewall, would you consider joining the new Shorewall team?

Thanks!

----------

## Bob P

 *mach.82 wrote:*   

> Hello, Sith_Happens
> 
> As of May 17, 2005, Tom Eastep had stepped down from Shorewall development and support. I really appreciate your Prompt and Powerful Personal Firewalling with Shorewall tutorial. With your knowledge with Shorewall, would you consider joining the new Shorewall team?
> 
> Thanks!

 

i'm going to poke my nose into my buddy Sith's business for a minute ... 

i would have never expected a credible effort to recruit a specific individual for a development team to be made via a post in an open forum.  i would have expected first contact in situations like that to be made in person -- or at least via an email from one of the project's known developers.   :Rolling Eyes: 

one certainly has to be skeptical when invitations like that come from forum n00bs with whom you're not familiar and for whom no detailed contact information is available.  in cases like these it's often helpful to review their forum post activity to get an idea of their track record: 

https://forums.gentoo.org/search.php?search_author=mach.82

----------

## twardozrally

Followed the tutorial; great write-up, easy to use, and thanks for explaining things. I have only run into one problem. I cannot get my NFS share to mount now. I found (or at least I think I did) that NFS pretty much uses random port numbers, so how do I work around this?

----------

## Sith_Happens

 *twardozrally wrote:*   

> Followed the tutorial; great write-up, easy to use, and thanks for explaining things. I have only run into one problem. I cannot get my NFS share to mount now. I found (or at least I think I did) that NFS pretty much uses random port numbers, so how do I work around this?

 How is your network set up?  If this is a machine on a local network, then I would suggest creating a true firewall/bridge that separates your local network from the internet, and dropping the firewalls on your local network.  If this is a standalone machine and you're trying to mount shares across the internet, I would suggest you try some other protocol for file transfer such as sftp, or use the shfs network filesystem.  If you still insist on using NFS and having a packet-filtering firewall on this system, then you'll have to run netstat -utap or rpcinfo -p localhost on the firewall to find what ports the NFS server processes are bound to and modify your firewall settings.  Good news about that is you should only have to do that each time you restart NFS, so if you never restart, it could be a one-time thing.  Anyway, long and short of it is you should really set up a standalone firewall if you want to run an NFS server on your local network.
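The answer above says to run rpcinfo -p and turn the ports it lists into rules. As an added example that is not part of the thread or of Shorewall, here is a Python script that does that conversion on a constructed rpcinfo -p listing (the layout is the one rpcinfo prints; the high port numbers are made up) and separately reports which of those sockets will move on the next NFS restart, since those are the ones that make the rules go stale. The SOURCE value net:192.168.0.0/24 is an assumed LAN range; in a single-interface setup like the tutorial's the LAN clients live in the net zone, and restricting the rules to their subnet keeps the NFS ports closed to the rest of the internet.

```python
# Constructed rpcinfo -p listing in the layout the command prints (a header
# row, then program / version / proto / port / service).  The 327xx ports are
# the sort of values rpc.mountd, lockd and rpc.statd pick at startup.
RPCINFO = """\
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs
    100021    1   udp  32768  nlockmgr
    100021    3   udp  32768  nlockmgr
    100021    1   tcp  32769  nlockmgr
    100005    1   udp  32770  mountd
    100005    3   udp  32770  mountd
    100005    1   tcp  32771  mountd
    100024    1   udp  32772  status
    100024    1   tcp  32773  status
"""

# portmapper (111) and nfsd (2049) are the only sockets on fixed ports
FIXED_PORTS = {111, 2049}


def parse_rpcinfo(text):
    """{(proto, port): service} for every registered RPC program.  Versions
    collapse onto one entry because the packet filter only sees the socket."""
    services = {}
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 5 or not cols[0].isdigit():
            continue                                  # header or blank line
        _program, _vers, proto, port, name = cols[:5]
        services[(proto.lower(), int(port))] = name
    return services


def nfs_rules(text, client="net:192.168.0.0/24"):
    """/etc/shorewall/rules lines letting `client` (zone:subnet, an assumed
    LAN range here) reach every RPC service the server currently exposes."""
    return [f"ACCEPT  {client}  fw  {proto}  {port}   # {name}"
            for (proto, port), name in sorted(parse_rpcinfo(text).items())]


def dynamic_ports(text):
    """(service, proto, port) for sockets that are not on a fixed port.
    These are reassigned whenever the daemons restart, and any rules written
    for them go stale at the same moment."""
    return sorted((name, proto, port)
                  for (proto, port), name in parse_rpcinfo(text).items()
                  if port not in FIXED_PORTS)


if __name__ == "__main__":
    print("# generated from rpcinfo -p; add above the LAST LINE marker")
    for rule in nfs_rules(RPCINFO):
        print(rule)
    for name, proto, port in dynamic_ports(RPCINFO):
        print(f"# {name} on {proto}/{port} will move on restart unless pinned")
```

Replace RPCINFO with the real listing from `rpcinfo -p localhost` and paste the output above the LAST LINE marker. Two caveats: if the tutorial's norfc1918 option is set on the interface, packets from an RFC 1918 LAN are dropped before the rules are consulted, so it has to come off that interface for this to work at all; and rather than regenerating the rules after every restart, pin the moving ports (rpc.mountd and rpc.statd both take a -p option, and lockd takes nlm_tcpport and nlm_udpport as module parameters) so the rules stay valid.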

----------

## wazoo42

Good tutorial.  I ran into a little trouble b/c /etc/shorewall/zones has everything commented out in my version (2.2.4).  After I edited it, as well as changing "STARTUP_ENABLED=No" to yes in /etc/shorewall/shorewall.conf everything was fine.

----------

## Sith_Happens

 *wazoo42 wrote:*   

> Good tutorial.  I ran into a little trouble b/c /etc/shorewall/zones has everything commented out in my version (2.2.4).  After I edited it, as well as changing "STARTUP_ENABLED=No" to yes in /etc/shorewall/shorewall.conf everything was fine.

 Yeah, this tutorial is written for the latest stable version (2.0.7).  I'll keep an eye out for that when 2.2.4 becomes stable though, thanks.  :Smile: 

----------

## kambrian

Well, following your guide went fairly smooth until it came time to start the firewall.  when i do "shorewall start"  it hangs at "Loading Modules".  Any ideas or suggestions?

----------

## casiso

Greetings. I have Shorewall, syslog-ng and logwatch up and running, but while Shorewall logs appear in "/var/log/messages", logwatch shows nothing about it. I used to have a Red Hat 9 box with Shorewall and logwatch that reported something like this:

```
Dropped 299 packets on interface eth1
   From 4.252.28.74 - 2 packets
      To 201.243.128.236 - 2 packets
         Service: 15118 (tcp/15118) (Shorewall:net2all:DROP:,eth1,none) - 2 packets
   From 24.82.12.195 - 2 packets
      To 201.243.128.236 - 2 packets
         Service: 15118 (tcp/15118) (Shorewall:net2all:DROP:,eth1,none) - 2 packets
....
```

I have been googling around for this and found nothing, so I would like to know if this problem has presented itself to somebody else and if somebody has any hints on how to enable this in logwatch.

TIA,

----------

## <3

Hello all. Thank you Sith_Happens for writing that tutorial, but now that I got shorewall up and running it seems that Shields UP is reporting that I still have a few open ports, and is claiming that I failed some of the test! Did I do something wrong? Its only 6 ports that are open, so should I be worried? This is the message Shields UP is giving me.

 *Shields UP! wrote:*   

> Solicited TCP Packets: RECEIVED (FAILED)  As detailed in the port report below, one or more of your system's ports actively responded to our deliberate attempts to establish a connection. It is generally possible to increase your system's security by hiding it from the probes of potentially hostile hackers. Please see the details presented by the specific port links below, as well as the various resources on this site, and in our extremely helpful and active user community.
> 
> Unsolicited Packets: PASSED  No Internet packets of any sort were received from your system as a side-effect of our attempts to elicit some response from any of the ports listed above. Some questionable personal security systems expose their users by attempting to "counter-probe the prober", thus revealing themselves. But your system remained wisely silent. (Except for the fact that not all of its ports are completely stealthed as shown below.)
> 
> Ping Reply: RECEIVED (FAILED)  Your system REPLIED to our Ping (ICMP Echo) requests, making it visible on the Internet. Most personal firewalls can be configured to block, drop, and ignore such ping requests in order to better hide systems from hackers. This is highly recommended since "Ping" is among the oldest and most common methods used to locate systems prior to further exploitation.

 

the ports were 135, 137, 138, 139, 445, 593.

Anyone know what I can do about this?

----------

## Sith_Happens

What do your rules and policy files look like?  Also are you behind a router/firewall or a modem that you connect to via a network cable?

----------

## <3

I just copied/paste the rules/policy file that you posted. 

Here is my /etc/shorewall/policy file

```
###############################################################################
#SOURCE      DEST      POLICY      LOG      LIMIT:BURST
#                                  LEVEL
net      all      DROP      info
# THE FOLLOWING POLICY MUST BE LAST
#       
all             all             REJECT          info 
#LAST LINE -- DO NOT REMOVE
```

here is my /etc/shorewall/rules file

```
####################################################################################################
#ACTION  SOURCE      DEST         PROTO   DEST    SOURCE      ORIGINAL   RATE      USER/
#                                         PORT    PORT(S)     DEST       LIMIT     GROUP
#
ACCEPT   fw             net             tcp     80 #http
ACCEPT   fw             net             udp     80 #http
ACCEPT   fw             net             tcp     443 #https
ACCEPT   fw             net             udp     443 #https
ACCEPT   fw             net             tcp     21 #ftp
ACCEPT   fw             net             tcp     53 #DNS
ACCEPT   fw             net             udp     53 #DNS
ACCEPT   fw             net             tcp     110 #unsecure Pop3
ACCEPT   fw             net             tcp     995 #Secure Pop3
ACCEPT   fw             net             tcp     873 #rsync
ACCEPT   fw             net             tcp     25 #unsecure SMTP
ACCEPT   fw             net             tcp     465 #SMTP over SSL
ACCEPT   fw             net             tcp     5190 #AIM/ICQ
DROP     net            fw              tcp     113 #AUTH/IDENT, I added this to show how to block a port 
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
```

and lastly the /etc/shorewall/interfaces file even though you didn't ask for it

```
##############################################################################
#ZONE    INTERFACE   BROADCAST   OPTIONS
#
net   eth0      detect      dhcp,nosmurfs
net   eth1      detect      dhcp,nosmurfs
net   eth2      detect      dhcp,nosmurfs
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
```

Did I do something wrong?

----------

## Sith_Happens

What about my second question? *Sith_Happens wrote:*   

> Also are you behind a router/firewall or a modem that you connect to via a network cable?

----------

## Sith_Happens

The Shoreline Firewall v. 2.2.3 is now stable in portage.  I'll be updating the guide soon to reflect the changes in this version.

----------

## <3

 *Sith_Happens wrote:*   

> What about my second question? *Sith_Happens wrote:*   Also are you behind a router/firewall or a modem that you connect to via a network cable? 

 

Sorry about not including that in my original post. And Thanks for taking the time to help me with my problem.

To answer your question, I am neither behind a firewall nor a router. My computer is connected from my ethernet card directly into my cable modem which is plugged directly into the cable line.

----------

## Sith_Happens

 *<3 wrote:*   

>  *Sith_Happens wrote:*   What about my second question? *Sith_Happens wrote:*   Also are you behind a router/firewall or a modem that you connect to via a network cable?  
> 
> Sorry about not including that in my original post. And Thanks for taking the time to help me with my problem.
> 
> To answer your question, I am neither behind a firewall nor a router. My computer is connected from my ethernet card directly into my cable modem which is plugged directly into the cable line.

 That's your problem.  If you are connected to the cable modem via your ethernet card, then your modem is also acting as a router.  The portscan is reading the ports on your modem, not your computer.  You can probably connect to the modem and configure it to block those ports, but you'll have to read the manual that came with your modem to determine that.

----------

## <3

Thank you for your help  :Cool: 

----------

## Bob P

hmmmm.  upgraded shorewall and now i'm getting this error at bootup:

```
* Starting firewall ...
   Error: No Zones Defined
/etc/init.d/shorewall:  line 13:  9278 Terminated             /sbin/shorewall start >/dev/null
```

fwiw, the zone appears to be configured in my interfaces file, but not in the zones file:

```
# cat interfaces
# Shorewall 2.0 -- Interfaces File
#
# /etc/shorewall/interfaces
#
#       You must add an entry in this file for each network interface on your
#       firewall system.
#
# Columns are:
#
#       ZONE            Zone for this interface. Must match the short name
#                       of a zone defined in /etc/shorewall/zones.
#
#                       If the interface serves multiple zones that will be
#                       defined in the /etc/shorewall/hosts file, you should
#                       place "-" in this column.
#
#       INTERFACE       Name of interface. Each interface may be listed only
#                       once in this file. You may NOT specify the name of
#                       an alias (e.g., eth0:0) here; see
#                       http://www.shorewall.net/FAQ.htm#faq18
#
#                       You may specify wildcards here. For example, if you
#                       want to make an entry that applies to all PPP
#                       interfaces, use 'ppp+'.
#
#                       There is no need to define the loopback interface (lo)
#                       in this file.
#
#       BROADCAST       The broadcast address for the subnetwork to which the
#                       interface belongs. For P-T-P interfaces, this
#                       column is left blank. If the interface has multiple
#                       addresses on multiple subnets then list the broadcast
#                       addresses as a comma-separated list.
#
#                       If you use the special value "detect", the firewall
#                       will detect the broadcast address for you. If you
#                       select this option, the interface must be up before
#                       the firewall is started, you must have iproute
#                       installed.
#
#                       If you don't want to give a value for this column but
#                       you want to enter a value in the OPTIONS column, enter
#                       "-" in this column.
#
#       OPTIONS         A comma-separated list of options including the
#                       following:
#
#                       dhcp         - Specify this option when any of
#                                      the following are true:
#                                      1. the interface gets its IP address
#                                         via DHCP
#                                      2. the interface is used by
#                                         a DHCP server running on the firewall
#                                      3. you have a static IP but are on a LAN
#                                         segment with lots of Laptop DHCP
#                                         clients.
#                                      4. the interface is a bridge with
#                                         a DHCP server on one port and DHCP
#                                         clients on another port.
#
#                       norfc1918    - This interface should not receive
#                                      any packets whose source is in one
#                                      of the ranges reserved by RFC 1918
#                                      (i.e., private or "non-routable"
#                                      addresses). If packet mangling or
#                                      connection-tracking match is enabled in
#                                      your kernel, packets whose destination
#                                      addresses are reserved by RFC 1918 are
#                                      also rejected.
#
#                       nobogons    -  This interface should not receive
#                                      any packets whose source is in one
#                                      of the ranges reserved by IANA (this
#                                      option does not cover those ranges
#                                      reserved by RFC 1918 -- see above).
#
#                       routefilter  - turn on kernel route filtering for this
#                                      interface (anti-spoofing measure). This
#                                      option can also be enabled globally in
#                                      the /etc/shorewall/shorewall.conf file.
#
#                       blacklist    - Check packets arriving on this interface
#                                      against the /etc/shorewall/blacklist
#                                      file.
#
#                       maclist      - Connection requests from this interface
#                                      are compared against the contents of
#                                      /etc/shorewall/maclist. If this option
#                                      is specified, the interface must be
#                                      an ethernet NIC and must be up before
#                                      Shorewall is started.
#
#                       tcpflags     - Packets arriving on this interface are
#                                      checked for certain illegal combinations
#                                      of TCP flags. Packets found to have
#                                      such a combination of flags are handled
#                                      according to the setting of
#                                      TCP_FLAGS_DISPOSITION after having been
#                                      logged according to the setting of
#                                      TCP_FLAGS_LOG_LEVEL.
#
#                       proxyarp     -
#                               Sets
#                               /proc/sys/net/ipv4/conf/<interface>/proxy_arp.
#                               Do NOT use this option if you are
#                               employing Proxy ARP through entries in
#                               /etc/shorewall/proxyarp. This option is
#                               intended solely for use with Proxy ARP
#                               sub-networking as described at:
#                               http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet
#
#                       newnotsyn    - TCP packets that don't have the SYN
#                                      flag set and which are not part of an
#                                      established connection will be accepted
#                                      from this interface, even if
#                                      NEWNOTSYN=No has been specified in
#                                      /etc/shorewall/shorewall.conf. In other
#                                      words, packets coming in on this interface
#                                      are processed as if NEWNOTSYN=Yes had been
#                                      specified in /etc/shorewall/shorewall.conf.
#
#                                      This option has no effect if
#                                      NEWNOTSYN=Yes.
#
#                                      It is the opinion of the author that
#                                      NEWNOTSYN=No creates more problems than
#                                      it solves and I recommend against using
#                                      that setting in shorewall.conf (hence
#                                      making the use of the 'newnotsyn'
#                                      interface option unnecessary).
#
#                       routeback    - If specified, indicates that Shorewall
#                                      should include rules that allow filtering
#                                      traffic arriving on this interface back
#                                      out that same interface.
#
#                       arp_filter   - If specified, this interface will only
#                                      respond to ARP who-has requests for IP
#                                      addresses configured on the interface.
#                                      If not specified, the interface can
#                                      respond to ARP who-has requests for
#                                      IP addresses on any of the firewall's
#                                      interfaces. The interface must be up
#                                      when Shorewall is started.
#
#                       nosmurfs     - Filter packets for smurfs
#                                      (packets with a broadcast
#                                      address as the source).
#
#                                      Smurfs will be optionally logged based
#                                      on the setting of SMURF_LOG_LEVEL in
#                                      shorewall.conf. After logging, the
#                                      packets are dropped.
#
#                       detectnets   - Automatically tailors the zone named
#                                      in the ZONE column to include only those
#                                      hosts routed through the interface.
#
#                       WARNING: DO NOT SET THE detectnets OPTION ON YOUR
#                                INTERNET INTERFACE.
#
#                       The order in which you list the options is not
#                       significant but the list should have no embedded white
#                       space.
#
#       Example 1:      Suppose you have eth0 connected to a DSL modem and
#                       eth1 connected to your local network and that your
#                       local subnet is 192.168.1.0/24. The interface gets
#                       its IP address via DHCP from subnet
#                       206.191.149.192/27. You have a DMZ with subnet
#                       192.168.2.0/24 using eth2.
#
#                       Your entries for this setup would look like:
#
#                       net     eth0    206.191.149.223 dhcp
#                       local   eth1    192.168.1.255
#                       dmz     eth2    192.168.2.255
#
#       Example 2:      The same configuration without specifying broadcast
#                       addresses is:
#
#                       net     eth0    detect          dhcp
#                       loc     eth1    detect
#                       dmz     eth2    detect
#
#       Example 3:      You have a simple dial-in system with no ethernet
#                       connections.
#
#                       net     ppp0    -
##############################################################################
#ZONE   INTERFACE       BROADCAST       OPTIONS
#
net     eth0            detect          dhcp,routefilter,tcpflags
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
```

```
# cat zones
#
# Shorewall 2.2 /etc/shorewall/zones
#
# This file determines your network zones. Columns are:
#
#       ZONE            Short name of the zone (5 Characters or less in length).
#       DISPLAY         Display name of the zone
#       COMMENTS        Comments about the zone
#
# THE ORDER OF THE ENTRIES IN THIS FILE IS IMPORTANT IF YOU HAVE NESTED OR
# OVERLAPPING ZONES DEFINED THROUGH /etc/shorewall/hosts.
#
# See http://www.shorewall.net/Documentation.htm#Nested
#--------------------------------------------------------------------------------
# Example zones:
#
#    You have a three interface firewall with internet, local and DMZ interfaces.
#
#       #ZONE   DISPLAY         COMMENTS
#       net     Internet        The big bad Internet
#       loc     Local           Local Network
#       dmz     DMZ             Demilitarized zone.
#
#ZONE                   DISPLAY         COMMENTS
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
```

is the zones file something that's new with the new version of shorewall, or did i step on a config file during the upgrade?

----------

## Bob P

fwiw, this seems to fix the problem in a single-ended application:

```
# cat /etc/shorewall/zones
#ZONE   DISPLAY         COMMENTS
net     Net             Internet
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
```

----------

## <3

 *Sith_Happens wrote:*   

> Thats your problem.  If you are connected to the cable modem via your ethernet card, then your modem is also acting as a router.  The portscan is reading the ports on your modem, not your computer.  You can probably connect to the modem and configure it to block those ports, but you'll have to read the manual that came with your modem to determine that.

 

Hmmm I just took the same test on the same computer booted in Windows XP. Using ZoneAlarm I got a perfect score on the shields up test. All ports were reported in stealth mode. I have not made any changes to the cable modem since the last test. I think maybe I didn't set up shorewall correctly.

----------

## Sith_Happens

 *Bob P wrote:*   

> fwiw, this seems to fix the problem in a single-ended application:
> 
> ```
> # cat /etc/shorewall/zones
> 
> ...

 Yeah, I'm aware of this problem: *Sith_Happens wrote:*   

> *wazoo42 wrote:*
> > Good tutorial.  I ran into a little trouble b/c /etc/shorewall/zones has everything commented out in my version (2.2.4).  After I edited it, as well as changing "STARTUP_ENABLED=No" to yes in /etc/shorewall/shorewall.conf everything was fine.
> 
> Yeah, this tutorial is written for the latest stable version (2.0.7).  I'll keep an eye out for that when 2.2.4 becomes stable though, thanks. 

 I'm incorporating it into the updated guide.  However, I'm working one job full time and training to be a campus bus driver (good job, great pay, great hours, not related to my major  :Wink: ) so don't expect too much too soon.  However, this change in /etc/shorewall/zones seems to be the biggest change I've encountered so far that's relevant to the guide, so if everybody keeps this in mind, that should tide them over till I finish the guide.
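The "No Zones Defined" failure discussed above comes from a zones file in which every line is blank or commented out; the related start-time error "Invalid zone (x) in record ..." comes from an interfaces line that names a zone the zones file never defines. The script below is an added example, not part of the original thread and not Shorewall's own code: it cross-checks the two files before you run `shorewall start`. The file names, the `check_zones` function and the sample files it builds (constructed to reproduce the shipped, all-comments zones file) are this example's own.

```shell
#!/bin/sh
# Added example (not from the original thread or from Shorewall itself):
# cross-check /etc/shorewall/zones against /etc/shorewall/interfaces.
# "Error: No Zones Defined" means every line in zones is blank or a
# comment; "Invalid zone (x)" means an interfaces line names a zone that
# zones does not define. Both are caught here before Shorewall is started.

# Print the first column of every non-blank, non-comment line of a
# Shorewall table file ($1). Shorewall treats '#' to end of line as a
# comment, so the column-header lines are skipped automatically.
first_column() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1" | awk '{ print $1 }'
}

# $1 = zones file, $2 = interfaces file.
# Prints one line per problem and nothing when the files are consistent.
check_zones() {
    zones=$(first_column "$1")
    [ -n "$zones" ] || echo "zones: no zones defined (every line is blank or commented out)"
    first_column "$2" | while read -r zone; do
        # "-" means the interface's zones come from /etc/shorewall/hosts,
        # which this check does not read.
        [ "$zone" = "-" ] && continue
        found=no
        for z in $zones; do
            [ "$z" = "$zone" ] && found=yes
        done
        [ "$found" = yes ] || echo "interfaces: zone '$zone' is not defined in zones"
    done
}

# Constructed demo files reproducing the failing and then the fixed state.
demo_dir=$(mktemp -d)
cat > "$demo_dir/interfaces" <<'EOF'
#ZONE   INTERFACE       BROADCAST       OPTIONS
net     eth0            detect          dhcp,routefilter,tcpflags
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
EOF
cat > "$demo_dir/zones" <<'EOF'
#ZONE                   DISPLAY         COMMENTS
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
EOF
echo "== zones file as shipped (all comments) =="
check_zones "$demo_dir/zones" "$demo_dir/interfaces"
cat > "$demo_dir/zones" <<'EOF'
#ZONE                   DISPLAY         COMMENTS
net     Net             Internet
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
EOF
echo "== after adding the net zone (no output means consistent) =="
check_zones "$demo_dir/zones" "$demo_dir/interfaces"
rm -rf "$demo_dir"
```

Against a real box, run `check_zones /etc/shorewall/zones /etc/shorewall/interfaces`; an empty result means every zone the interfaces file uses is defined, which is the precondition the two start errors above are complaining about.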

----------

## <3

OK, once I re-read what Shields Up was saying, it was telling me that those ports were the only ones that were in stealth mode, not that those were the only ports that were open. Here is an exact quote of what the text summary gave me on:

Windows XP with Zone Alarm

 *Quote:*   

> ----------------------------------------------------------------------
> 
> GRC Port Authority Report created on UTC: 2005-06-24 at 03:28:12
> 
> Results from scan of ports: 0-1055
> ...

 

Here is the same test done in Gentoo with shorewall

 *Quote:*   

> ----------------------------------------------------------------------
> 
> GRC Port Authority Report created on UTC: 2005-06-24 at 03:11:43
> 
> Results from scan of ports: 0-1055
> ...

 

I really don't think it is the modem that is acting as a router else I would have the same problem in windows. Something is wrong with the way I setup shorewall and I can't figure out what it is.

I don't know if this is important but I do not have syslog-ng installed so I skipped the last part of the tutorial. I have metalog installed instead. This is what I get when I start shorewall:

```
#/etc/init.d/shorewall start
 * Starting firewall ...
LOGFILE (/var/log/messages) does not exist!
```
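One thing worth settling before changing any Shorewall file is whether the scanner was talking to this host at all. If the Internet-facing interface carries an RFC 1918 private address, something upstream is doing NAT and the scan results describe that device; if it carries a public address, the responses came from this host and the firewall on it is what is being graded. The script below is an added example, not part of the original thread: the `is_rfc1918` and `classify_addrs` functions are this example's own, and the `ip -4 -o addr show` sample it parses is constructed (203.0.113.0/24 is a documentation range standing in for a real public address).

```shell
#!/bin/sh
# Added example (not from the original thread): decide whether the
# scanner was talking to this host or to a NAT router in front of it.
# If the Internet-facing interface holds an RFC 1918 address, something
# upstream is translating and the scanner's results describe that box;
# if it holds a public address, the responses came from this host.

# Return 0 if $1 (a dotted quad) is in 10/8, 172.16/12 or 192.168/16.
is_rfc1918() {
    old_ifs=$IFS
    IFS=.
    set -- $1            # split the address into its four octets
    IFS=$old_ifs
    if [ "$1" -eq 10 ]; then
        return 0
    elif [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ]; then
        return 0
    elif [ "$1" -eq 192 ] && [ "$2" -eq 168 ]; then
        return 0
    fi
    return 1
}

# Read "ip -4 -o addr show" output from the file named in $1 ("-" for
# stdin) and print "<iface> <address> private|public|loopback" per address.
classify_addrs() {
    awk '$3 == "inet" { print $2, $4 }' "$1" | while read -r iface cidr; do
        ip=${cidr%/*}
        case "$ip" in
            127.*) kind=loopback ;;
            *) if is_rfc1918 "$ip"; then kind=private; else kind=public; fi ;;
        esac
        echo "$iface $ip $kind"
    done
}

# Constructed sample in "ip -4 -o addr show" format: a host with a NAT'd
# address on eth0 and a public one on eth1 (documentation range).
sample=$(mktemp)
cat > "$sample" <<'EOF'
1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet 192.168.1.102/24 brd 192.168.1.255 scope global eth0\       valid_lft forever preferred_lft forever
3: eth1    inet 203.0.113.7/27 brd 203.0.113.31 scope global eth1\       valid_lft forever preferred_lft forever
EOF
classify_addrs "$sample"
rm -f "$sample"
```

On the real machine run `ip -4 -o addr show | classify_addrs -`. A "private" interface facing the modem means the scanner never reached this host directly; a "public" one that matches the address the scan report shows means it did, and the open or closed ports it lists are this host's.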

----------

## Sith_Happens

For the logging problem, you'll have to look at your metalog config file and see what file it logs to by default, then edit the LOGFILE variable in /etc/shorewall/shorewall.conf to point to that file:

```
################################################################################
#
# LOG FILE LOCATION
#
# This variable tells the /sbin/shorewall program where to look for Shorewall
# log messages. If not set or set to an empty string (e.g., LOGFILE="") then
# /var/log/messages is assumed.
#
# WARNING: The LOGFILE variable simply tells the 'shorewall' program where to
#          look for Shorewall messages. It does NOT control the destination for
#          these messages. For information about how to do that, see
#
#              http://www.shorewall.net/shorewall_logging.html
LOGFILE=/var/log/messages
```

As far as your other problem, could you post your /etc/shorewall/zones file, as well as the version of shorewall that you are using?

----------

## <3

Again thank you for helping me with this.

Here is my /etc/shorewall/zones file

 *Quote:*   

> 
> 
> #
> 
> # Shorewall 2.2 /etc/shorewall/zones
> ...

 

I don't ever remember editing this file. Was I supposed to add something here?

and here are the version numbers:

net-firewall/iptables-1.2.11-r3

sys-apps/iproute2-2.6.10.20050112-r1

net-firewall/shorewall-2.2.0_rc5

----------

## cubchai

 *Quote:*   

> Starting firewall ...
> 
>    Error: No Zones Defined
> 
> /etc/init.d/shorewall: line 13: 11530 Terminated              /sbin/shorewall start >/dev/null

can anyone tell me what's happening? after following the guide, do i need to edit shorewall.conf?

----------

## Bob P

 *cubchai wrote:*   

>  *Quote:*   Starting firewall ...
> 
>    Error: No Zones Defined
> 
> /etc/init.d/shorewall: line 13: 11530 Terminated              /sbin/shorewall start >/dev/null 
> ...

 

scroll up 7 or 8 messages on this page and you'll see that this question has already been asked and answered.   :Wink: 

----------

## cubchai

 *Bob P wrote:*   

>  *cubchai wrote:*    *Quote:*   Starting firewall ...
> 
>    Error: No Zones Defined
> 
> /etc/init.d/shorewall: line 13: 11530 Terminated              /sbin/shorewall start >/dev/null 
> ...

 

thank you. but do i need to edit shorewall.conf?

----------

## southpaw

Hey sith,

    I'm still a little green when it comes to troubleshooting certain things under linux, but I was hoping you might be able to point me the right direction. When I "emerge shorewall", everything looks fine until the end of the process, I get this...

```
>>> Regenerating /etc/ld.so.cache...
 * Caching service dependencies ...
 *  Service 'firestarter' already provided by 'firewall'!;
 *  Not adding service 'shorewall'...                                    [ ok ]
>>> net-firewall/shorewall-2.2.3 merged.
```

...now I've already unmerged firestarter, I never use it anyway, but I don't understand, if I unmerged this package, why the "service is still being provided"  :Confused:   ??? Unfortunately, I'm still accustomed to the "Windows Way" of doing things, such as delete & empty the recycle bin, I'm still getting used to the portage language. Oh btw, I know I probably should have posted this in "Portage and Programming", but I figured since I was dealing with installing and setting up "Shorewall", then I should probably address you first  :Cool:  ...

    ...Any help is always appreciated, thanx in advance  :Wink: 

----------

## <3

So I guess no one knows what is wrong with my shorewall install =/

----------

## Sith_Happens

 *<3 wrote:*   

> So I guess no one knows what is wrong with my shorewall install =/

 Make the end of your /etc/shorewall/zones file look like this and see if that fixes the problem:

```
#ZONE   DISPLAY         COMMENTS
net     Net             Internet
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
```

----------

## <3

That didn't work =/.

I don't know if this is any help but I get this message when I type "shorewall status". I have no idea what this means but the output seems to be telling me something is wrong. I am sure I compiled everything in the kernel that you specified and I emerged iptables, iproute2, and shorewall without any error messages.

```
# shorewall status
Shorewall-2.2.0-RC5 Status at ramb00000000000 - Mon Jun 27 07:55:55 CDT 2005
iptables v1.2.11: can't initialize iptables table `filter': Table does not exist
Perhaps iptables or your kernel needs to be upgraded.
NAT Table
iptables v1.2.11: can't initialize iptables table `nat': Table does not exist (d
Perhaps iptables or your kernel needs to be upgraded.
Mangle Table
iptables v1.2.11: can't initialize iptables table `mangle': Table does not exist
Perhaps iptables or your kernel needs to be upgraded.
//<Some other stuff I left out>
Routing Rules
RTNETLINK answers: Invalid argument
Dump terminated
RTNETLINK answers: Invalid argument
Dump terminated
Modules
```
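The line "can't initialize iptables table `filter': Table does not exist" in the status output above is the one that matters: it means the running kernel has no netfilter filter table registered, so iptables cannot load any rule and Shorewall, whatever the rules and policy files say, is filtering nothing. The kernel lists the tables it has registered in /proc/net/ip_tables_names (one name per line; the file is absent when ip_tables is not loaded or was never built). The script below is an added example, not part of the original thread: the `missing_tables` and `unset_symbols` functions and the sample table list and kernel .config it builds are this example's own, constructed to look like a kernel that registered only the filter table and was built without NAT.

```shell
#!/bin/sh
# Added example (not from the original thread). "can't initialize
# iptables table `filter': Table does not exist" means the running kernel
# has no such netfilter table, so iptables cannot load anything and
# Shorewall is not filtering at all. The kernel lists the tables it has
# registered, one per line, in /proc/net/ip_tables_names (the file is
# absent when ip_tables is not loaded or not built).

# Tables a Shorewall 2.x personal-firewall setup touches. Only "filter" is
# indispensable; without "nat" or "mangle" Shorewall reports the matching
# capability as "Not available" at start and skips those features.
REQUIRED_TABLES="filter nat mangle"

# $1 = path to the table list (normally /proc/net/ip_tables_names).
# Prints the names from REQUIRED_TABLES that are not in the list.
missing_tables() {
    for t in $REQUIRED_TABLES; do
        if [ ! -r "$1" ] || ! grep -qx "$t" "$1"; then
            echo "$t"
        fi
    done
}

# $1 = kernel .config. Prints the symbols that are neither =y nor =m.
# Symbol names are the 2.6.12-era ones used in this thread; later kernels
# renamed the NAT and conntrack symbols to NF_NAT and NF_CONNTRACK.
unset_symbols() {
    for sym in CONFIG_NETFILTER CONFIG_IP_NF_IPTABLES CONFIG_IP_NF_FILTER \
               CONFIG_IP_NF_CONNTRACK CONFIG_IP_NF_NAT CONFIG_IP_NF_MANGLE; do
        grep -Eq "^$sym=(y|m)$" "$1" || echo "$sym"
    done
}

# Constructed demo: a kernel that registered only the filter table and a
# .config built without NAT, standing in for the real system files.
demo=$(mktemp -d)
printf 'filter\n' > "$demo/ip_tables_names"
cat > "$demo/config" <<'EOF'
CONFIG_NETFILTER=y
CONFIG_IP_NF_CONNTRACK=m
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_FILTER=m
# CONFIG_IP_NF_NAT is not set
CONFIG_IP_NF_MANGLE=m
EOF
echo "tables missing:"; missing_tables "$demo/ip_tables_names"
echo "symbols unset:";  unset_symbols "$demo/config"
rm -rf "$demo"
```

On the real box: `missing_tables /proc/net/ip_tables_names` and `unset_symbols /usr/src/linux/.config`. If "filter" is reported missing and `modprobe iptable_filter` does not make it appear, the kernel was built without CONFIG_IP_NF_IPTABLES / CONFIG_IP_NF_FILTER and has to be rebuilt with them (as modules or built in) before `shorewall start` can install anything; a ShieldsUp result showing plain closed ports rather than stealth is consistent with exactly that state.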

----------

## LaoTzuTao

Well, I just have a simple question (great tutorial, btw  :Smile:  ): I can't seem to ping anything anymore... I get 

```
PING gentoo.org (204.74.99.100) 56(84) bytes of data.
From xx.xx.xx.xx icmp_seq=1 Destination Host Unreachable
From xx.xx.xx.xx icmp_seq=1 Destination Host Unreachable
From xx.xx.xx.xx icmp_seq=1 Destination Host Unreachable
From xx.xx.xx.xx icmp_seq=1 Destination Host Unreachable
From xx.xx.xx.xx icmp_seq=1 Destination Host Unreachable
From xx.xx.xx.xx icmp_seq=1 Destination Host Unreachable
ping: sendmsg: Operation not permitted
--- gentoo.org ping statistics ---
1 packets transmitted, 0 received, +6 errors, 100% packet loss, time 325ms
```

I assume this is normal, but if I wanted to be able to ping someone/allow myself to be pinged, what would I have to add to rules.conf?

```
ACCEPT   fw             net             tcp     80 #http
ACCEPT   fw             net             udp     80 #http
ACCEPT   fw             net             tcp     443 #https
ACCEPT   fw             net             udp     443 #https
ACCEPT   fw             net             tcp     21 #ftp
ACCEPT   fw             net             tcp     53 #DNS
ACCEPT   fw             net             udp     53 #DNS
ACCEPT   fw             net             tcp     110 #unsecure Pop3
ACCEPT   fw             net             tcp     995 #Secure Pop3
ACCEPT   fw             net             tcp     873 #rsync
ACCEPT   fw             net             tcp     25 #unsecure SMTP
ACCEPT   fw             net             tcp     465 #SMTP over SSL
ACCEPT   fw             net             tcp     5190 #AIM/ICQ
DROP     net            fw              tcp     113 #AUTH/IDENT, I added this to show how to block a port 
```

I tried adding `ACCEPT fw net icmp` with the port left blank, but then ping returned nothing and just sat there. 

Thanks!
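The `ping: sendmsg: Operation not permitted` line is the kernel telling the local sender that the firewall rejected its outgoing packet: with the policy file from the tutorial, fw-to-net traffic that no rule accepts falls through to `all all REJECT`, and REJECT (unlike DROP) hands an error back to the local process. For the `icmp` protocol the DEST PORT(S) column of the rules file carries the ICMP type, and echo-request is type 8. The two lines below are an added example, not lines from the tutorial or from the post above; they follow the column layout of the rules file already shown in this thread.

```text
#ACTION  SOURCE         DEST            PROTO   DEST
#                                               PORT(S)
ACCEPT   fw             net             icmp    8       # outbound ping: echo-request out, echo-reply back as tracked traffic
ACCEPT   net            fw              icmp    8       # inbound ping: optional, see note below
```

Only the request direction needs a rule: Shorewall accepts ESTABLISHED and RELATED traffic through connection tracking, so the echo-reply to a request this host sent comes back without a net-to-fw line. The second line is what makes other hosts able to ping you; leave it out if you want the "Ping Reply" item of the Shields Up report quoted earlier in this thread to stay silent, since the `net all DROP` policy already discards inbound echo-requests. Run `shorewall restart` after editing the rules file.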

----------

## kcy29581

Hi all,

I followed your guide Sith_Happens, but I cant ping anything and cant connect to any webpages, basically useless my pc has become.  :Sad: 

Here are the files I changed according to the guide:

/etc/shorewall/interfaces

 *Quote:*   

> #ZONE	 INTERFACE	BROADCAST	OPTIONS			GATEWAY
> 
> #
> 
> net	eth0		detect		
> ...

 

/etc/shorewall/policy

 *Quote:*   

> #SOURCE		DEST		POLICY		LOG		LIMIT:BURST
> 
> #						LEVEL
> 
> net		all		DROP		info
> ...

 

/etc/shorewall/rules

 *Quote:*   

> #ACTION  SOURCE		DEST      	PROTO	DEST    SOURCE	   ORIGINAL	RATE		USER/
> 
> #                       	        	PORT    PORT(S)    DEST		LIMIT		GROUP
> 
> ACCEPT	fw		net		tcp	80
> ...

 

I connect to the net via a Linksys WAG54G ADSL Modem/Router. I have my pc using a static IP, but my ISP provides me with a dynamic one to connect to the net (basically I have created a home network via the Router but assigned 192.168.1.xxx type IP's to my pc's)

Any help? Anything else you need from me? It's like the rules aren't obeyed...

Oh and my system is fully ~x86 and the installed shorewall version is 2.4.0 and iptables version is 1.3.1-r4

Thanks

EDIT!!! : I think you can ignore the above post as I just realised that I forgot to include the DNS ports in the rules... Now I can connect to Google and the forums with the firewall on! Sorry...

----------

## Fenster

Hmm. I've had a lot of problems with Shorewall recently, I'm setting it up on my laptop right now and I get the following message with shorewall start:

```
tehpwn root # shorewall start
Loading /usr/share/shorewall/functions...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Loading Modules...
Starting Shorewall...
Initializing...
Shorewall has detected the following iptables/netfilter capabilities:
   NAT: Available
   Packet Mangling: Not available
   Multi-port Match: Available
   Extended Multi-port Match: Not available
   Connection Tracking Match: Available
   Packet Type Match: Available
   Policy Match: Not available
   Physdev Match: Not available
   IP range Match: Available
   Recent Match: Available
   Owner Match: Available
   Ipset Match: Not available
   ROUTE Target: Not available
   Extended MARK Target: Not available
   CONNMARK Target: Not available
   Connmark Match: Not available
Determining Zones...
   Zones: net loc
Validating interfaces file...
   Error: Invalid zone (b) in record "b   "
Terminated
```

----------

## Bob P

now this is weird.  I've had shorewall up and running for months.  I've kept an eye on glsa-check, and I saw the shorewall security problem, so I "upgraded" shorewall on my boxes -- that was a mistake!  Now I'm getting the dreaded [  !!  ] when trying to start shorewall.  It looks like the "updates" are b0rked.

has anyone else encountered this problem?  i've got it on several boxes following the emerge of the new ebuild.

----------

## Hack_Benjamin

I had all of the modules selected as * in kernel 2.6.12-r6 (and rebooted after recompiling the kernel), and since emerging iptables and iproute2, when I try /etc/init.d/shorewall start I get this:

```
disdain linux # /etc/init.d/shorewall start
 * Starting firewall ...
FATAL: Module ip6_tables not found.
ip6tables v1.2.11: can't initialize ip6tables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
FATAL: Module ip6_tables not found.
ip6tables v1.2.11: can't initialize ip6tables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
FATAL: Module ip6_tables not found.
ip6tables v1.2.11: can't initialize ip6tables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
   Error: Invalid Action in rule "USER/"
FATAL: Module ip6_tables not found.
ip6tables v1.2.11: can't initialize ip6tables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
FATAL: Module ip6_tables not found.
ip6tables v1.2.11: can't initialize ip6tables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
FATAL: Module ip6_tables not found.
ip6tables v1.2.11: can't initialize ip6tables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
/etc/init.d/shorewall: line 14: 28630 Terminated              /sbin/shorewall start >/dev/null
```

Now, I'm pretty damn sure I'm not using IPv6. I have tried it with and without the IPv6 options selected in the kernel and it still keeps doing it.

Whats wrong with it?

----------

## southpaw

Hey Bob,

I'm not sure if this is the same thing, but I recently updated shorewall and I have been getting this upon boot-up:

```
firewall                                                                                   [!!]
```

    Any ideas???

----------

## Bob P

sounds like the same problem to me.   :Evil or Very Mad: 

----------

## Bob P

OK, i've got it fixed:

 *hari wrote:*   

> A change needs to be made in /etc/shorewall.conf
> 
> ```
> ##############################################################################
> 
> ...

 

note that his path to the config file seems incorrect.  for me, the file is /etc/shorewall/shorewall.conf.

hth.

 :Cool: 

----------

## StarDragon

 *kcy29581 wrote:*   

> Hi all,
> 
> I followed your guide Sith_Happens, but I cant ping anything and cant connect to any webpages, basically useless my pc has become. 
> 
> Here are the files I changed according to the guide:
> ...

 

What DNS rules did you set? I seem to have the same problem...

----------

## Arno Nymous

Maybe this helps:

```
#----------------------DNS------------------------------- ON
ACCEPT      fw   net   tcp   domain
ACCEPT      fw   net   udp   domain
```

----------

## StarDragon

I guess I'm pretty confused on how to set this up. I'm behind a router AND a DSL box. My config is as follows:

```
/etc/shorewall/interfaces
#ZONE    INTERFACE      BROADCAST       OPTIONS
#
loc      eth0           detect          dhcp
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
```

```
/etc/shorewall/policy
###############################################################################
#SOURCE         DEST            POLICY          LOG             LIMIT:BURST
#                                               LEVEL
dmz             all             DROP            info
#
# THE FOLLOWING POLICY MUST BE LAST
#
all             all             REJECT          info
#LAST LINE -- DO NOT REMOVE
```

```
/etc/shorewall/zones
#ZONE                   DISPLAY         COMMENTS
loc                     Local           Local Network
dmz                     DMZ             Demilitarized zone
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
```

```
/etc/shorewall/rules
####################################################################################################
#ACTION  SOURCE         DEST            PROTO   DEST    SOURCE     ORIGINAL    RATE             USER/
#                                               PORT    PORT(S)    DEST        LIMIT            GROUP
ACCEPT  fw              dmz             tcp     80 #http
ACCEPT  fw              dmz             udp     80 #http
ACCEPT  fw              dmz             tcp     443 #https
ACCEPT  fw              dmz             udp     443 #https
ACCEPT  fw              dmz             tcp     5190 #AIM/ICQ
ACCEPT  dmz             fw              tcp     22 #ssh
ACCEPT  fw              dmz             tcp     5050 #Yahoo! Messenger
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
```

When I run the firewall my dmesg says:

```
Shorewall:all2all:REJECT:IN= OUT=eth0 SRC=192.168.1.102 DST=192.168.0.1 LEN=65 TOS=0x00 PREC=0x00 TTL=64 ID=32499 DF PROTO=UDP SPT=32769 DPT=53 LEN=45
Shorewall:all2all:REJECT:IN= OUT=eth0 SRC=192.168.1.102 DST=192.168.0.1 LEN=65 TOS=0x00 PREC=0x00 TTL=64 ID=32499 DF PROTO=UDP SPT=32769 DPT=53 LEN=45
```

I realize the configuration is nothing like the one in the tutorial, but I have been fiddling around with this trying to get it to work, and not even that configuration works. It simply locks down all access to the outside. I know this has to do with the fact that I'm behind a router that serves as a DHCP server.

----------

## kcy29581

@StarDragon:

You need to use the DNS settings for your particular ISP. Ask them if you don't know the settings.

Good luck

----------

## StarDragon

 *kcy29581 wrote:*   

> @StarDragon:
> 
> You need to use the DNS settings for your particular ISP. Ask them if you don't know the settings.
> 
> Good luck

 

Yikes! Sounds like we are getting too complex already; could you elaborate what the heck DNS settings are? I'm lost. Usually when I ask technical questions of my ISP their normal response is like: we do not support Linux. So I have to be VERY specific when I ask questions.  :Cool: 

----------

## kcy29581

 *StarDragon wrote:*   

>  *kcy29581 wrote:*   @StarDragon:
> 
> You need to use the DNS settings for your particular ISP. Ask them if you don't know the settings.
> 
> Good luck 
> ...

Don't worry mate, I might be able to help you quickly here! Your DNS settings are the servers that translate addresses such as 216.239.59.99 to "human readable form". In this case the number I just gave you is Google, for example.

Since obviously you've been connected to the internet before and browsed pages (I'm right, right?), your DNS settings should be in the file /etc/resolv.conf. You'll see something like:

```
nameserver 212.254.89.21
```

perhaps once or twice (the number I just put there is random, so don't worry if it's not the same).

If you still cannot find the settings, simply ask your ISP customer service (actually technical support might be better!) to tell you their DNS settings. It should be as simple as that.

Good luck!

----------

## StarDragon

kcy29581,

Here is my setup:

```
leamonde camilo # cat /etc/resolv.conf

nameserver 192.168.0.1

leamonde camilo #

```

I take it my Linux box is using the router as a DNS server. Now when I take a look at the settings of the DSL box, the DNS settings there are as follows:

```

DNS Servers   68.94.156.1  dnsr1.sbcglobal.net

              151.164.30.104  dnscache1.rcsntx.sbcglobal.net
```

Now my question is: what do I do with these settings, and in which files do I put them?

Thanks for trying to get me out of the water with this problem. :Wink: 

----------

## kcy29581

@StarDragon:

After paying closer attention to your /etc/shorewall/rules config, I think I've seen something you missed. Try putting the below rules in that file:

 *Quote:*   

> 
> 
> ACCEPT   fw             net             tcp     53 #DNS
> 
> ACCEPT   fw             net             udp     53 #DNS

 

Also I'd suggest you look at this link: https://forums.gentoo.org/viewtopic-p-2187309.html and look closely at the /etc/shorewall/rules part in the first post. You might need more from there as well, such as opening the FTP port, for your particular needs.

I hope the above helps!

Good luck.

EDIT: StarDragon, have you tried putting the address for Google in your browser, which I gave you in a previous post, whilst having the firewall enabled? That will help. The address was 216.239.59.99.

----------

## StarDragon

I guess everything is green now, except I can't quite ping.  :Embarassed:  So I am not sure if it's REALLY a green light; however, I can browse the net and block some apps from accessing the net, so it must be doing something at least.  :Cool: 

----------

## taipan67

Hi Sith,

I enjoyed reading the tutorial - thanks for taking the trouble to write it.  :Wink: 

I've tried searching this forum & also 'D, T & T' for posts by yourself containing variations on shorewall, iptables, modules, & modular, & the only hit I got was on page 3 of this thread, which reiterated the need for the iptables components to be built into the kernel, rather than as modules, but didn't explain why...

Back along, I read a wiki guide on just using the bare iptables userspace app, & (for modular configurations) I recall the importance of getting the modules loaded in the right sequence. If this is the reasoning behind having them built in in your tutorial, could I suggest adding the point for clarity? Or possibly exploring the notion of udev rules to account for a modular build?

Regardless of whether or not you think either idea has merit, I'd very much like to have the reason explained, either in reply to this post, or with a referral to such an explanation. Thanks in advance.  :Smile: 

----------

## kcy29581

 *StarDragon wrote:*   

> I guess everything is green now, except I can't quite ping.  So I am not sure if it's REALLY in green light, however I can browse the net and block some apps from accessing the net so it must be at least doing something. 

Glad to hear that you can browse the net now! What exactly do you mean, you can't quite ping? If there's anything else I can help with, just ask away.

Great work on getting it all working!

----------

## StarDragon

kcy29581,

Never mind I got it to work.  :Cool: 

Thanks for the help my good chum,

```
camilo@leamonde ~ $ ping -c 3 www.google.com

PING www.l.google.com (64.233.179.104) 56(84) bytes of data.

64 bytes from 64.233.179.104: icmp_seq=1 ttl=242 time=27.5 ms

64 bytes from 64.233.179.104: icmp_seq=2 ttl=242 time=27.8 ms

64 bytes from 64.233.179.104: icmp_seq=3 ttl=242 time=28.4 ms

--- www.l.google.com ping statistics ---

3 packets transmitted, 3 received, 0% packet loss, time 2001ms

rtt min/avg/max/mdev = 27.586/27.961/28.437/0.354 ms

camilo@leamonde ~ $

```

----------

## kcy29581

 *StarDragon wrote:*   

> kcy29581,
> 
> Never mind I got it to work. 
> 
> Thanks for the help my good chum,
> ...

You're welcome. Glad I could help! :Very Happy: 

----------

## southpaw

Hey Bob,

I took your advice and adjusted my "/etc/shorewall/zones" file accordingly, but now I get a fatal error when I reboot that says something about not being able to find iptables. This doesn't make much sense to me   :Confused:  ...any ideas???

----------

## clameo

I got a new PC and I installed a brand new Gentoo. I compiled all the necessary modules into the kernel, everything seems to be OK, but I can use the net only for a few minutes after starting Shorewall, and then there's no internet access. How can I fix this?

e: solved

----------

## clameo

I've got a new problem: how do I configure Shorewall for use with BitTorrent (BitTornado)? I have no idea how to do this, since BitTorrent uses random ports. Any ideas?

----------

## DocterD

I got Shorewall running too with the help of your guide. Thank you so far...

But I have some problems with KDE and Firefox now. It seems there is a DCOP error (KDE takes years to start with Shorewall) while starting KDE with Shorewall active. And Firefox crashes while opening a download. Maybe you can take a quick look at my config:

 *Interfaces wrote:*   

> #ZONE    INTERFACE      BROADCAST       OPTIONS                 GATEWAY
> 
> net      ppp0           -               routefilter,tcpflags
> 
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

 

 *policy wrote:*   

> 
> 
> net            all             DROP            info
> 
> all             all             REJECT          info
> ...

 

 *rules wrote:*   

> 
> 
> ACCEPT   fw             net             tcp     80
> 
> ACCEPT   fw             net             udp     80
> ...

 

----------

## ketema

Hi, I've read your tutorial, and I definitely think Shorewall is easy and powerful.  I think I will be able to glean most of what I need from your tutorial, but I was wondering if I could get some help on tweaking your tutorial to fit the following situation:

My Current Setup:

ISP -> netgear rp114 (decent, does nat, content filter, but no logging, and no ability to block) -> servers & desktops

Everything works great, but I would like to move to the following setup because of some security issues I'm having...

ISP -> Gentoo Box Firewall -> netgear rp114 -> servers & desktops.

The box I have to make the firewall is old, but functional.  It has two NICs.  All I want it to do is take all traffic from the internet, log it, process whatever rules I want, then forward everything to the rp114.  No NAT, no DHCP.  Just the ability to log all incoming (& outgoing if I wanted it) traffic and block certain IPs if I designate it.

What is the best way to use the great tools you have described to accomplish this goal?  Are these the right tools? What other options are there?

Thank you.

----------

## PiRmD

Hi Sith,

Reading your HOW-TO and the enthusiastic comments on this thread led me to give Shorewall a try. Waouhh!!  :Shocked:  I really don't know how to thank you for such a nice guide.

I wonder anyway why ports 111 and 113 are still seen as Closed instead of as Stealth by the ShieldsUP! scanner, considering the policy rule:

```
net all drop
```

Not that it is so important, but I just can't get it.

----------

## wazoo42

I am having a problem with the latest version (2.4.1) where ssh does not work.  When I try to ssh into the box it says that port 22 was rejected (closed), but http works fine.  In my rules file I changed the ftp one from the tutorial to port 22 so I don't understand what I am doing wrong.  This used to work with an older version (2.2.4) which confuses me even more.

edit: I added another line copying the first with net and fw switched: `ACCEPT net fw 22 #ssh` and that seemed to do it.  I am guessing I remembered wrong before when I thought it worked.

----------

## Specialized

I got a little problem with ntp-client and Shorewall. 

I can't set the clock while the firewall is running.

What should the rule look like to get it working? The NTP server is pool.ntp.org

----------

## RlC

Hi,

I followed the tutorial exactly, and compiled in all the kernel features that are required.

This is what I get when I:

```
ric shorewall # shorewall start

Loading /usr/share/shorewall/functions...

Processing /etc/shorewall/params ...

Processing /etc/shorewall/shorewall.conf...

Loading Modules...

Starting Shorewall...

Initializing...

Shorewall has detected the following iptables/netfilter capabilities:

   NAT: Available

   Packet Mangling: Available

   Multi-port Match: Available

   Extended Multi-port Match: Not available

   Connection Tracking Match: Available

   Packet Type Match: Available

   Policy Match: Not available

   Physdev Match: Not available

   IP range Match: Available

   Recent Match: Available

   Owner Match: Not available

   Ipset Match: Not available

   ROUTE Target: Not available

   Extended MARK Target: Not available

   CONNMARK Target: Not available

   Connmark Match: Not available

Determining Zones...

   Zones: net

Validating interfaces file...

Validating hosts file...

Validating Policy file...

Determining Hosts in Zones...

   Internet Zone: eht0:0.0.0.0/0

Processing /etc/shorewall/init ...

Pre-processing Actions...

   Pre-processing /usr/share/shorewall/action.DropSMB...

   Pre-processing /usr/share/shorewall/action.RejectSMB...

   Pre-processing /usr/share/shorewall/action.DropUPnP...

   Pre-processing /usr/share/shorewall/action.RejectAuth...

   Pre-processing /usr/share/shorewall/action.DropPing...

   Pre-processing /usr/share/shorewall/action.DropDNSrep...

   Pre-processing /usr/share/shorewall/action.AllowPing...

   Pre-processing /usr/share/shorewall/action.AllowFTP...

   Pre-processing /usr/share/shorewall/action.AllowDNS...

   Pre-processing /usr/share/shorewall/action.AllowSSH...

   Pre-processing /usr/share/shorewall/action.AllowWeb...

   Pre-processing /usr/share/shorewall/action.AllowSMB...

   Pre-processing /usr/share/shorewall/action.AllowAuth...

   Pre-processing /usr/share/shorewall/action.AllowSMTP...

   Pre-processing /usr/share/shorewall/action.AllowPOP3...

   Pre-processing /usr/share/shorewall/action.AllowICMPs...

   Pre-processing /usr/share/shorewall/action.AllowIMAP...

   Pre-processing /usr/share/shorewall/action.AllowTelnet...

   Pre-processing /usr/share/shorewall/action.AllowVNC...

   Pre-processing /usr/share/shorewall/action.AllowVNCL...

   Pre-processing /usr/share/shorewall/action.AllowNTP...

   Pre-processing /usr/share/shorewall/action.AllowRdate...

   Pre-processing /usr/share/shorewall/action.AllowNNTP...

   Pre-processing /usr/share/shorewall/action.AllowTrcrt...

   Pre-processing /usr/share/shorewall/action.AllowSNMP...

   Pre-processing /usr/share/shorewall/action.AllowPCA...

   Pre-processing /usr/share/shorewall/action.Drop...

   Pre-processing /usr/share/shorewall/action.Reject...

Deleting user chains...

Processing /etc/shorewall/continue ...

Processing /etc/shorewall/routestopped ...

Setting up Accounting...

Creating Interface Chains...

Configuring Proxy ARP

Setting up NAT...

Setting up NETMAP...

Adding Common Rules

Processing /etc/shorewall/initdone ...

Adding rules for DHCP

IP Forwarding Enabled

Processing /etc/shorewall/tunnels...

Processing /etc/shorewall/ipsec...

Processing /etc/shorewall/rules...

   Rule "ACCEPT fw net tcp 80" added.

   Rule "ACCEPT net fw tcp 80" added.

   Rule "ACCEPT fw net udp 80" added.

   Rule "ACCEPT fw net tcp 443" added.

   Rule "ACCEPT fw net udp 443" added.

   Rule "ACCEPT fw net tcp 21" added.

   Rule "ACCEPT fw net tcp 53" added.

   Rule "ACCEPT fw net udp 53" added.

   Rule "ACCEPT fw net tcp 110" added.

   Rule "ACCEPT fw net tcp 995" added.

   Rule "ACCEPT fw net tcp 873" added.

   Rule "ACCEPT fw net tcp 25" added.

   Rule "ACCEPT fw net tcp 465" added.

   Rule "ACCEPT fw net tcp 5190" added.

   Rule "DROP net fw tcp 113" added.

   Rule "ACCEPT fw net tcp domain" added.

   Rule "ACCEPT fw net udp domain" added.

Processing Actions...

   Generating Transitive Closure of Used-action List...

Processing /usr/share/shorewall/action.Drop for Chain Drop...

   Rule "RejectAuth" added.

   Rule "dropBcast" added.

   Rule "AllowICMPs - - icmp" added.

   Rule "dropInvalid" added.

   Rule "DropSMB" added.

   Rule "DropUPnP" added.

   Rule "dropNotSyn - - tcp" added.

   Rule "DropDNSrep" added.

Processing /usr/share/shorewall/action.Reject for Chain Reject...

   Rule "RejectAuth" added.

   Rule "dropBcast" added.

   Rule "AllowICMPs - - icmp" added.

   Rule "dropInvalid" added.

   Rule "RejectSMB" added.

   Rule "DropUPnP" added.

   Rule "dropNotSyn - - tcp" added.

   Rule "DropDNSrep" added.

Processing /usr/share/shorewall/action.RejectAuth for Chain RejectAuth...

   Rule "REJECT - - tcp 113" added.

Processing /usr/share/shorewall/action.AllowICMPs for Chain AllowICMPs...

   Rule "ACCEPT - - icmp fragmentation-needed" added.

   Rule "ACCEPT - - icmp time-exceeded" added.

Processing /usr/share/shorewall/action.DropSMB for Chain DropSMB...

   Rule "DROP - - udp 135" added.

   Rule "DROP - - udp 137:139" added.

   Rule "DROP - - udp 445" added.

   Rule "DROP - - tcp 135" added.

   Rule "DROP - - tcp 139" added.

   Rule "DROP - - tcp 445" added.

Processing /usr/share/shorewall/action.DropUPnP for Chain DropUPnP...

   Rule "DROP - - udp 1900" added.

Processing /usr/share/shorewall/action.DropDNSrep for Chain DropDNSrep...

   Rule "DROP - - udp - 53" added.

Processing /usr/share/shorewall/action.RejectSMB for Chain RejectSMB...

   Rule "REJECT - - udp 135" added.

   Rule "REJECT - - udp 137:139" added.

   Rule "REJECT - - udp 445" added.

   Rule "REJECT - - tcp 135" added.

   Rule "REJECT - - tcp 139" added.

   Rule "REJECT - - tcp 445" added.

Processing /etc/shorewall/policy...

   Policy REJECT for fw to net using chain all2all

   Policy DROP for net to fw using chain net2all

Masqueraded Networks and Hosts:

Processing /etc/shorewall/tos...

Processing /etc/shorewall/ecn...

Activating Rules...

Processing /etc/shorewall/start ...

Shorewall Started

Processing /etc/shorewall/started ...
```

These are my /etc/shorewall/rules, interfaces and policy files:

```
ric shorewall # grep -v ^[#] rules interfaces policy 

rules:ACCEPT   fw             net             tcp     80 #http

rules:ACCEPT     net            fw              tcp     80

rules:ACCEPT   fw             net             udp     80 #http

rules:ACCEPT   fw             net             tcp     443 #https

rules:ACCEPT   fw             net             udp     443 #https

rules:ACCEPT   fw             net             tcp     21 #ftp

rules:ACCEPT   fw             net             tcp     53 #DNS

rules:ACCEPT   fw             net             udp     53 #DNS

rules:ACCEPT   fw             net             tcp     110 #unsecure Pop3

rules:ACCEPT   fw             net             tcp     995 #Secure Pop3

rules:ACCEPT   fw             net             tcp     873 #rsync

rules:ACCEPT   fw             net             tcp     25 #unsecure SMTP

rules:ACCEPT   fw             net             tcp     465 #SMTP over SSL

rules:ACCEPT   fw             net             tcp     5190 #AIM/ICQ

rules:DROP     net            fw              tcp     113 #AUTH/IDENT, I added this to show how to block a port 

rules:

rules:ACCEPT      fw   net   tcp   domain

rules:ACCEPT      fw   net   udp   domain 

rules:

rules:

interfaces:net  eht0            detect          dhcp

policy:net              all             DROP            info

policy:

policy:all              all             REJECT          info

```

The problem is, if the firewall is turned on I cannot connect to the internet (Firefox says connection refused).

When turned off, it works ;)

My network:

- cable modem
  - router
    - me and all the other clients

The internal network is managed by DHCP.

What have I done wrong, or do I need another configuration for this network?

Thanks, ric

----------

## wazoo42

In your interfaces file it looks like you have "eht0" instead of "eth0".
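Mistakes like this one are easy to catch mechanically before `shorewall start`. The following cross-check is an added example for this thread, not code from Shorewall or from any poster: it parses constructed copies of the zones, interfaces and rules files modelled on the configurations StarDragon and RlC posted above, and reports a device name the host does not have (the `eht0` typo), a zone that no interface belongs to (StarDragon's `dmz`), and a rule that names a zone the zones file never defines. It assumes the firewall zone is called `fw`, as in the thread, and takes the host's device list as a Python set instead of reading it from the running system.

```python
# Constructed sample files, modelled on the configurations posted in this thread.
ZONES_FILE = """\
#ZONE   DISPLAY   COMMENTS
loc     Local     Local Network
dmz     DMZ       Demilitarized zone
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
"""

INTERFACES_FILE = """\
#ZONE   INTERFACE   BROADCAST   OPTIONS
loc     eht0        detect      dhcp
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
"""

RULES_FILE = """\
#ACTION  SOURCE  DEST  PROTO  DEST
#                             PORT
ACCEPT   fw      dmz   tcp    80 #http
ACCEPT   fw      net   udp    53 #DNS
ACCEPT   dmz     fw    tcp    22 #ssh
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
"""

# Constructed: the devices `ip link` would list on the host being configured.
HOST_INTERFACES = {"lo", "eth0"}


def parse_entries(text):
    """Split a Shorewall table file into token lists, dropping comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # inline comments like '80 #http' go too
        if line:
            entries.append(line.split())
    return entries


def check_config(zones_text, interfaces_text, rules_text, host_ifaces, fw_zone="fw"):
    """Return a list of findings; an empty list means the three files agree with each other
    and with the host's interfaces."""
    findings = []
    zones = {entry[0] for entry in parse_entries(zones_text)}
    # The firewall zone is named in shorewall.conf (FW=fw), not in the zones file,
    # and 'all' is a wildcard; both are legitimate in rules.
    known_zones = zones | {fw_zone, "all"}
    zones_with_iface = set()

    for entry in parse_entries(interfaces_text):
        if len(entry) < 2:
            findings.append(f"interfaces: too few fields in {' '.join(entry)!r}")
            continue
        zone, device = entry[0], entry[1]
        zones_with_iface.add(zone)
        if zone not in zones:
            findings.append(f"interfaces: zone '{zone}' on {device} is not defined in zones")
        if device not in host_ifaces:
            findings.append(f"interfaces: device '{device}' (zone {zone}) is not present on this host")

    for zone in sorted(zones - zones_with_iface):
        findings.append(f"zones: zone '{zone}' has no interface, rules to or from it never match")

    for entry in parse_entries(rules_text):
        if len(entry) < 3:
            findings.append(f"rules: too few fields in {' '.join(entry)!r}")
            continue
        src, dst = entry[1], entry[2]
        for zone in (src.split(":")[0], dst.split(":")[0]):   # strip 'zone:host' qualifiers
            if zone not in known_zones:
                findings.append(f"rules: {' '.join(entry)!r} refers to undefined zone '{zone}'")
    return findings


if __name__ == "__main__":
    for finding in check_config(ZONES_FILE, INTERFACES_FILE, RULES_FILE, HOST_INTERFACES):
        print(finding)
```

On a real box you would read the three files from /etc/shorewall/ and build the device set from the output of `ip link`; the checks themselves do not change.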

----------

## RlC

 :Embarassed:   :Embarassed: 

thank you

----------

## StarDragon

Ever since I installed shorewall I see these weird rejections in my dmesg file:

```

Shorewall:all2all:REJECT:IN= OUT=eth0 SRC=192.168.1.102 DST=12.181.68.115 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=5787 DF PROTO=TCP SPT=38565 DPT=6348 WINDOW=5840 RES=0x00 SYN URGP=0

Shorewall:all2all:REJECT:IN= OUT=eth0 SRC=192.168.1.102 DST=12.110.181.67 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=23173 DF PROTO=TCP SPT=49223 DPT=6348 WINDOW=5840 RES=0x00 SYN URGP=0

Shorewall:all2all:REJECT:IN= OUT=eth0 SRC=192.168.1.102 DST=12.151.233.226 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=40173 DF PROTO=TCP SPT=57351 DPT=6349 WINDOW=5840 RES=0x00 SYN URGP=0

Shorewall:all2all:REJECT:IN= OUT=eth0 SRC=192.168.1.102 DST=12.153.2.180 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=18765 DF PROTO=TCP SPT=49391 DPT=6348 WINDOW=5840 RES=0x00 SYN URGP=0

Shorewall:all2all:REJECT:IN= OUT=eth0 SRC=192.168.1.102 DST=12.168.178.88 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=15102 DF PROTO=TCP SPT=57104 DPT=6348 WINDOW=5840 RES=0x00 SYN URGP=0

Shorewall:all2all:REJECT:IN= OUT=eth0 SRC=192.168.1.102 DST=224.0.0.251 LEN=110 TOS=0x00 PREC=0x00 TTL=255 ID=10 DF PROTO=UDP SPT=5353 DPT=5353 LEN=90

```

I have no idea what could be causing this.  :Embarassed: 
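Log lines like these, and the DNS ones StarDragon posted earlier in the thread, all have the same shape: a `Shorewall:<chain>:<disposition>:` prefix followed by netfilter's `KEY=value` fields. The parser below is an added example, not code from the thread or from Shorewall: it splits that prefix off, works out from the empty `IN=` or `OUT=` whether the firewall host itself sent the packet, and tallies rejected or dropped flows by port, so that "UDP/53 outbound, rejected by all2all" jumps out of a wall of dmesg output. The sample lines are constructed copies of the ones posted here plus one made-up inbound DROP from a documentation address; the service-name table is my own annotation.

```python
import re
from collections import Counter

# Constructed sample, modelled on the dmesg lines quoted in this thread
# (the 203.0.113.7 inbound line is made up for illustration).
SAMPLE_LOG = """\
Shorewall:all2all:REJECT:IN= OUT=eth0 SRC=192.168.1.102 DST=192.168.0.1 LEN=65 TOS=0x00 PREC=0x00 TTL=64 ID=32499 DF PROTO=UDP SPT=32769 DPT=53 LEN=45
Shorewall:all2all:REJECT:IN= OUT=eth0 SRC=192.168.1.102 DST=12.181.68.115 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=5787 DF PROTO=TCP SPT=38565 DPT=6348 WINDOW=5840 RES=0x00 SYN URGP=0
Shorewall:all2all:REJECT:IN= OUT=eth0 SRC=192.168.1.102 DST=12.110.181.67 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=23173 DF PROTO=TCP SPT=49223 DPT=6348 WINDOW=5840 RES=0x00 SYN URGP=0
Shorewall:all2all:REJECT:IN= OUT=eth0 SRC=192.168.1.102 DST=224.0.0.251 LEN=110 TOS=0x00 PREC=0x00 TTL=255 ID=10 DF PROTO=UDP SPT=5353 DPT=5353 LEN=90
Shorewall:net2all:DROP:IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.1.102 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=23 DF PROTO=TCP SPT=4411 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0
"""

LOG_RE = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<disposition>[^:\s]+):(?P<fields>.*)")
KV_RE = re.compile(r"(\w+)=(\S*)")

# Port names used only to annotate the report; they are not taken from Shorewall.
SERVICE_NAMES = {53: "DNS", 123: "NTP", 445: "SMB", 554: "RTSP", 5353: "mDNS"}


def parse_line(line):
    """Turn one Shorewall/netfilter log line into a dict, or None if it is not one."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    fields = {}
    for key, value in KV_RE.findall(m.group("fields")):
        fields.setdefault(key, value)  # LEN appears twice; keep the IP-header one
    in_if, out_if = fields.get("IN", ""), fields.get("OUT", "")
    if in_if and out_if:
        direction = "forwarded"
    elif out_if:
        direction = "outbound"   # IN= empty: the firewall host itself generated the packet
    else:
        direction = "inbound"
    return {
        "chain": m.group("chain"),
        "disposition": m.group("disposition"),
        "direction": direction,
        "proto": fields.get("PROTO", "?"),
        "src": fields.get("SRC", "?"),
        "dst": fields.get("DST", "?"),
        "dport": int(fields["DPT"]) if fields.get("DPT", "").isdigit() else None,
    }


def summarize(text):
    """Count log lines by (chain, disposition, direction, proto, dport)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            counts[(rec["chain"], rec["disposition"], rec["direction"],
                    rec["proto"], rec["dport"])] += 1
    return counts


def report(text):
    """Human-readable summary lines, most frequent first."""
    lines = []
    for (chain, disp, direction, proto, dport), n in summarize(text).most_common():
        service = SERVICE_NAMES.get(dport, "unknown service")
        # REJECT answers the sender (a scanner reports the port 'closed');
        # DROP stays silent (the port shows as 'stealth').
        lines.append(f"{chain} {disp} {direction} {proto}/{dport} ({service}) x{n}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Feed it `dmesg` or the syslog file Shorewall logs to; the `all2all` chain name tells you the packet fell through to the catch-all policy rather than matching any rule, which is exactly the case for the DNS line above.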

----------

## Specialized

I got it working. For ntp-client and ntpd you need to open UDP port 123.

----------

## piraeus

Got gxine working w/ BBC radio streams etc. (RTSP); just wanted to add it here in case someone's looking for it.  I'd assume it'd be the same for mplayer etc.  See http://www.cs.columbia.edu/~hgs/rtsp/

/etc/shorewall/rules:

```

ACCEPT   fw             net             tcp     554 #Real Time Stream Control Protocol

ACCEPT   fw             net             udp     554  

```

----------

## slackthumbz

How would I set up Shorewall to allow me to run traceroutes? My current rules file looks like this:

```
####################################################################################################

#ACTION  SOURCE         DEST            PROTO   DEST    SOURCE     ORIGINAL     RATE            USER/

#                                               PORT    PORT(S)    DEST         LIMIT           GROUP

ACCEPT   fw             net             tcp     80 #http

ACCEPT   fw             net             udp     80 #http

ACCEPT   fw             net             tcp     443 #https

ACCEPT   fw             net             udp     443 #https

ACCEPT   fw             net             tcp     21 #ftp

ACCEPT   fw             net             tcp     53 #DNS

ACCEPT   fw             net             udp     53 #DNS

ACCEPT   fw             net             tcp     110 #unsecure Pop3

ACCEPT   fw             net             tcp     995 #Secure Pop3

ACCEPT   fw             net             tcp     873 #rsync

ACCEPT   fw             net             tcp     25 #unsecure SMTP

ACCEPT   fw             net             tcp     465 #SMTP over SSL

ACCEPT   fw             net             tcp     5190 #AIM/ICQ

ACCEPT   fw             net             tcp     6667 #IRC

ACCEPT   fw             net             udp     6667 #IRC

ACCEPT   fw             net             tcp     1863 #MSN

#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

```

----------

## Matteo Azzali

I've read the tutorial and I have just one question: 

Rules seem pretty easy, but how does Shorewall "resist":

- SYN flooding,
- ping of death,
- invalid state flag combinations (scans),
- etc. etc.?

Are there rules "behind the userspace" doing this, or aren't there any at all?

(Just to know if I'm protected with this setup...)

----------

## winston_nolan

Good day guys, please excuse this long post but I've got my ass in a sling here that I can't seem to get out of.

Some info relating to my setup:

I have a Gentoo gateway with 3 interfaces:

eth0 = internal interface [10.1.30.252]

eth1 = ISP1 external interface [10.1.30.252] ---> initial gateway (ISP1) 10.1.30.254

eth2 = ISP2 wireless interface [192.168.1.22] ---> second gateway (ISP2) 196.*.*.*

My LAN computers have a gateway of 10.1.30.252 and they get this via DHCP. The gateway has a gateway of 10.1.30.254 (my first ISP's router). 

I also have in /etc/sysctl.conf --> net.ipv4.ip_forward = 1

I have Shorewall and Squid (3128, transparent proxy) set up on the gateway and it's working fine; the workstations can surf and all is sweet.

What I want to do (here is where it gets dodgy %-/):

I want to drop (leave) ISP1 and push all my traffic through ISP2 (over my wireless line).

Now I figure I can do this in two ways.

1. Use Shorewall and its routing capabilities (http://www.shorewall.net/Shorewall_and_Routing.html)

2. I can set the gateway of my gateway to the IP of a box on the other side of the wireless.

This is what I have done on my "to be gateway" (the box on the other side of the wireless):

I have set /etc/sysctl.conf --> net.ipv4.ip_forward = 1

Installed Shorewall and iptables and used the two-interface example (http://www.shorewall.net/two-interface.htm)

Shorewall starts fine; I will include the status at the end of this post.

Added the IP of this machine as the gateway of my gateway to my LAN PCs.

I also checked the route and all seems fine, but I cannot ping anything except the internal IP of this machine (the new gateway).

I am not sure if I am correct here, please feel free to add advice  :Smile: 

Guys, I have been hitting my head against a brick wall for the past week  :Sad:  I seriously would appreciate it if the gurus out there could tell me if there is a Gentoo-specific way of doing this, or has anyone done this with Shorewall?

#shorewall status 

root@elcubano ~ # shorewall status

Shorewall-2.4.2 Status at elcubano - Mon Sep 26 21:01:41 SAST 2005

Counters reset Mon Sep 26 20:26:34 SAST 2005

Chain INPUT (policy DROP 139 packets, 9204 bytes)

 pkts bytes target     prot opt in     out     source               destination

  177 13015 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED

    7  1506 ACCEPT     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0

    0     0 ACCEPT     all  --  eth0   *       192.168.1.0/24       0.0.0.0/0

    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)

 pkts bytes target     prot opt in     out     source               destination

    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED

    0     0 ACCEPT     all  --  eth1   eth0    0.0.0.0/0            192.168.1.0/24

    0     0 ACCEPT     all  --  eth0   eth1    192.168.1.0/24       0.0.0.0/0

Chain OUTPUT (policy ACCEPT 132 packets, 14853 bytes)

 pkts bytes target     prot opt in     out     source               destination

NAT Table

Chain PREROUTING (policy ACCEPT 5899 packets, 436K bytes)

 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 37 packets, 2793 bytes)

 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 37 packets, 2793 bytes)

 pkts bytes target     prot opt in     out     source               destination

Mangle Table

Chain PREROUTING (policy ACCEPT 9229 packets, 677K bytes)

 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 8531 packets, 510K bytes)

 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)

 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 7175 packets, 887K bytes)

 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 7175 packets, 887K bytes)

 pkts bytes target     prot opt in     out     source               destination

tcp      6 431652 ESTABLISHED src=192.168.1.10 dst=192.168.1.22 sport=57733 dport=445 packets=19435 bytes=11072913 src=192.168.1.22 dst=192.168.1.10 sport=445 dport=57733 packets=19938 bytes=11663290 [ASSURED] mark=0 use=1

tcp      6 425153 ESTABLISHED src=192.168.1.22 dst=192.168.1.255 sport=41164 dport=80 packets=1 bytes=40 [UNREPLIED] src=192.168.1.255 dst=192.168.1.22 sport=80 dport=41164 packets=0 bytes=0 mark=0 use=1

tcp      6 431999 ESTABLISHED src=192.168.1.22 dst=192.168.1.10 sport=58179 dport=22 packets=22017 bytes=1341560 src=192.168.1.10 dst=192.168.1.22 sport=22 dport=58179 packets=19619 bytes=3373022 [ASSURED] mark=0 use=1

tcp      6 425146 ESTABLISHED src=192.168.1.22 dst=192.168.1.0 sport=41165 dport=80 packets=1 bytes=40 [UNREPLIED] src=192.168.1.0 dst=192.168.1.22 sport=80 dport=41165 packets=0 bytes=0 mark=0 use=1

tcp      6 425146 ESTABLISHED src=192.168.1.22 dst=192.168.1.0 sport=41164 dport=80 packets=1 bytes=40 [UNREPLIED] src=192.168.1.0 dst=192.168.1.22 sport=80 dport=41164 packets=0 bytes=0 mark=0 use=1

IP Configuration

1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue

    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00

    inet 127.0.0.1/8 scope host lo

2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000

    link/ether 00:08:a1:7a:b5:44 brd ff:ff:ff:ff:ff:ff

    inet 196.36.166.122/25 brd 196.36.166.129 scope global eth0

3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000

    link/ether 00:08:a1:45:54:bf brd ff:ff:ff:ff:ff:ff

    inet 192.168.1.10/24 brd 192.168.1.255 scope global eth1

4: eth2: <BROADCAST,MULTICAST> mtu 1500 qdisc noop qlen 1000

    link/ether 00:0d:61:40:dc:09 brd ff:ff:ff:ff:ff:ff

IP Stats

1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue

    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00

    RX: bytes  packets  errors  dropped overrun mcast

    3584       8        0       0       0       0

    TX: bytes  packets  errors  dropped carrier collsns

    3584       8        0       0       0       0

2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000

    link/ether 00:08:a1:7a:b5:44 brd ff:ff:ff:ff:ff:ff

    RX: bytes  packets  errors  dropped overrun mcast

    20302710   74499    0       0       0       0

    TX: bytes  packets  errors  dropped carrier collsns

    42324779   40717    0       0       0       0

3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000

    link/ether 00:08:a1:45:54:bf brd ff:ff:ff:ff:ff:ff

    RX: bytes  packets  errors  dropped overrun mcast

    33650191   85698    0       0       0       0

    TX: bytes  packets  errors  dropped carrier collsns

    27614176   74105    0       0       0       1

4: eth2: <BROADCAST,MULTICAST> mtu 1500 qdisc noop qlen 1000

    link/ether 00:0d:61:40:dc:09 brd ff:ff:ff:ff:ff:ff

    RX: bytes  packets  errors  dropped overrun mcast

    0          0        0       0       0       0

    TX: bytes  packets  errors  dropped carrier collsns

    0          0        0       0       0       0

/proc

   /proc/sys/net/ipv4/ip_forward = 1

   /proc/sys/net/ipv4/icmp_echo_ignore_all = 0

   /proc/sys/net/ipv4/conf/all/proxy_arp = 0

   /proc/sys/net/ipv4/conf/all/arp_filter = 0

   /proc/sys/net/ipv4/conf/all/rp_filter = 1

   /proc/sys/net/ipv4/conf/all/log_martians = 1

   /proc/sys/net/ipv4/conf/default/proxy_arp = 0

   /proc/sys/net/ipv4/conf/default/arp_filter = 0

   /proc/sys/net/ipv4/conf/default/rp_filter = 0

   /proc/sys/net/ipv4/conf/default/log_martians = 1

   /proc/sys/net/ipv4/conf/eth0/proxy_arp = 0

   /proc/sys/net/ipv4/conf/eth0/arp_filter = 0

   /proc/sys/net/ipv4/conf/eth0/rp_filter = 0

   /proc/sys/net/ipv4/conf/eth0/log_martians = 1

   /proc/sys/net/ipv4/conf/eth1/proxy_arp = 0

   /proc/sys/net/ipv4/conf/eth1/arp_filter = 0

   /proc/sys/net/ipv4/conf/eth1/rp_filter = 1

   /proc/sys/net/ipv4/conf/eth1/log_martians = 0

   /proc/sys/net/ipv4/conf/lo/proxy_arp = 0

   /proc/sys/net/ipv4/conf/lo/arp_filter = 0

   /proc/sys/net/ipv4/conf/lo/rp_filter = 0

   /proc/sys/net/ipv4/conf/lo/log_martians = 0

Routing Rules

0:      from all lookup local

32766:  from all lookup main

32767:  from all lookup default

Table default:

Table local:

broadcast 192.168.1.0 dev eth1  proto kernel  scope link  src 192.168.1.10

broadcast 127.255.255.255 dev lo  proto kernel  scope link  src 127.0.0.1

broadcast 196.36.166.0 dev eth0  proto kernel  scope link  src 196.36.166.122

broadcast 196.36.166.129 dev eth0  proto kernel  scope link  src 196.36.166.122

broadcast 192.168.1.255 dev eth1  proto kernel  scope link  src 192.168.1.10

local 196.36.166.122 dev eth0  proto kernel  scope host  src 196.36.166.122

local 192.168.1.10 dev eth1  proto kernel  scope host  src 192.168.1.10

broadcast 127.0.0.0 dev lo  proto kernel  scope link  src 127.0.0.1

broadcast 196.36.166.127 dev eth0  proto kernel  scope link  src 196.36.166.122

local 127.0.0.1 dev lo  proto kernel  scope host  src 127.0.0.1

local 127.0.0.0/8 dev lo  proto kernel  scope host  src 127.0.0.1

Table main:

196.36.166.0/25 dev eth0  proto kernel  scope link  src 196.36.166.122

192.168.1.0/24 dev eth1  proto kernel  scope link  src 192.168.1.10

127.0.0.0/8 via 127.0.0.1 dev lo  scope link

default via 196.36.166.1 dev eth0

ARP

? (192.168.1.22) at 00:02:6F:35:60:67 [ether] on eth1

Modules

ipt_REJECT              4544  0

ipt_pkttype             1856  0

ipt_CONNMARK            2368  0

ipt_connmark            1920  0

ipt_owner               3584  0

ipt_recent              9996  0

ipt_iprange             1984  0

ipt_multiport           2624  0

ipt_conntrack           2496  0

ip_nat_irc              2560  0

ip_nat_tftp             1984  0

ip_nat_ftp              3200  0

ip_conntrack_irc       71184  1 ip_nat_irc

ip_conntrack_tftp       3664  1 ip_nat_tftp

ip_conntrack_ftp       71952  1 ip_nat_ftp

ipt_REDIRECT            2176  0

ipt_LOG                 6848  0

ipt_limit               2432  0

ipt_state               1984  2

ipt_MASQUERADE          3136  0

root@elcubano ~ #

thanks to all,

----------

## Matteo Azzali

OK, I have to admit, I chose kmyfirewall since it allows me to define source ports and destination ports for any connection.

But I'm using your method to log to a separate file with syslog-ng, and I have a question: is it safe to use chmod to lower the permissions on the firewall logfile? (read permissions to all users...)

----------

## Bob P

 *StarDragon wrote:*   

> Ever since I installed shorewall I see these weird rejections in my dmesg file:
> 
> ```
> 
> Shorewall:all2all:REJECT:IN= OUT=eth0 SRC=192.168.1.102 DST=12.181.68.115 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=5787 DF PROTO=TCP SPT=38565 DPT=6348 WINDOW=5840 RES=0x00 SYN URGP=0
> ...

 

give this a shot and see if it helps:

```
/bin/ls /etc/init.d/net.eth* | xargs -n1 ln -sfvn net.lo
```

----------

## cpu

 *StarDragon wrote:*   

> Ever since I installed shorewall I see these weird rejections in my dmesg file:
> 
> ```
> 
> Shorewall:all2all:REJECT:IN= OUT=eth0 SRC=192.168.1.102 DST=12.181.68.115 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=5787 DF PROTO=TCP SPT=38565 DPT=6348 WINDOW=5840 RES=0x00 SYN URGP=0
> ...

 

Same problem here  :Sad: 

----------

## Bob P

 *Bob P wrote:*   

> give this a shot and see if it helps:
> 
> ```
> /bin/ls /etc/init.d/net.eth* | xargs -n1 ln -sfvn net.lo
> ```
> ...

 

be careful to properly differentiate between the lowercase "L" and the number "one", or the solution won't help you.   :Exclamation: 

here's the text enlarged for clarity:

/bin/ls /etc/init.d/net.eth* | xargs -n1 ln -sfvn net.lo

----------

## slyyls

Hey,

  Quick question: I have a laptop that connects via a router to the internet.  I want to install Shorewall on the laptop in case I visit someone or in case I want to put myself in the router's DMZ.  The same network card (could be eth0 --wired or eth1 --wireless) will be used to access the internet and the local network.  If I want to allow total access to my laptop from the local network (samba, ssh, etc.), but not the internet, how do I build this rule?  I think it's something along the lines of:

```
ACCEPT   net:192.168.0.0/24             fw             -     -
```

Can anyone help me out?

Thanks,

Sly

----------

## Stormkings

Hi everyone,

I would like to enable multicast streaming through my firewall. Any suggestions how to do that? There is very little information available.

Thanks in advance, dk

----------

## krolden

 *slyyls wrote:*   

> Hey,
> 
>   Quick question: I have a laptop that connects via a router to the internet.  I want to install Shorewall on the laptop in case I visit someone or in case I want to put myself in the router's DMZ.  The same network card (could be eth0 --wired or eth1 --wireless) will be used to access the internet and the local network.  If I want to allow total access to my laptop from the local network (samba, ssh, etc.), but not the internet, how do I build this rule?  I think it's something along the lines of:
> 
> ```
> ...

 

Have you set norfc1918 in your interfaces list?

```

This interface should not receive any packets whose source is in one of the ranges reserved by RFC 1918 (i.e., private or "non-routable" addresses. If packet mangling is enabled in shorewall.conf, packets whose destination addresses are reserved by RFC 1918 are also rejected.
```

----------

## Dr_Stein

Whoops.. I made a new thread here: https://forums.gentoo.org/viewtopic-p-2860121.html

If anyone could take a look at that one and help me solve it, I'd be a happy human.  :Smile: 

----------

## My_World

Have a similar problem to winston_nolan, so if anyone can please help me sort this I would be very grateful indeed!

My Setup-

Firewall/router/gateway machine with the following setup:

ppp0 internet (modem connection)

eth0 wired lan (gateway for wired network)

wlan0 wireless network (wireless card configured to be access point)

The problem: as soon as I start the firewall I have no access to the wireless network or an internet connection for the wireless network. I cannot even ping the router/firewall PC! The wired network works 100%.

I have tried numerous config options and still no joy. Here is what I currently have:

```

/etc/shorewall/interfaces

net     ppp0            -               routefilter,norfc1918,tcpflags

loc     eth0            detect          tcpflags

wlan    wlan0           detect          maclist

```

```

/etc/shorewall/zones

net     Net             Internet

loc     Local           Local Networks

wlan    Wlan            Wireless Lan

```

```

/etc/shorewall/rules

ACCEPT          fw              net             tcp     53

ACCEPT          fw              net             udp     53

#

#       Accept SSH connections from the local network for administration

#

ACCEPT          loc             fw              tcp     22

ACCEPT          wlan            fw              tcp     22

#

#       Allow Ping To And From Firewall

#

ACCEPT          loc             fw              icmp    8

ACCEPT          wlan            fw              icmp    8

ACCEPT          net             fw              icmp    8

ACCEPT          fw              loc             icmp

ACCEPT          fw              wlan            icmp

ACCEPT          fw              net             icmp

```

```

/etc/shorewall/masq

ppp0                    eth0

ppp0                    wlan0

```

Is there something I'm missing here?

Or how would I then go about defining the wlan0 adapter in shorewall?

 :Sad: 

----------

## My_World

I have had another look at the Shorewall documentation and reverted back to the default two-interface mode found here:

http://www.shorewall.net/two-interface.htm

My setup now looks almost identical to that one, but the same problem: the wireless LAN is not allowed access to and from the internet or the router (cannot ping router, firewall blocks the traffic).

According to the documentation all that I should need is this:

 *Quote:*   

> 
> 
> There are only two changes that need to be made to the Shorewall configuration:
> 
>     * An entry needs to be added to /etc/shorewall/interfaces for the wireless network interface. If the wireless interface is wlan0, the entry might look like:
> ...

 

I have done this and still no go. Anyone else here wanna take a shot at this problem?

 :Crying or Very sad: 

----------

## Tatewaki

I've got a question about the zones that Shorewall uses. I'd like to block all the traffic from the LAN, so I have added this in policy:

```

net      all      DROP      info

loc      all      DROP

#

#THE FOLLOWING POLICY MUST BE LAST

all      all      DROP      info

```

but when I do nmap -sV from my laptop I still get this info:

```

All 1667 scanned ports on 192.168.1.2 are: filtered

MAC Address: 00:11:D8:03:05:E1 (Asutek computer)

Nmap finished: 1 IP address (1 host up) scanned in 55.377 seconds

```

So I started to read some more about the standalone firewall guide on the Shorewall website and then I got confused about the interface part.

```

#ZONE   INTERFACE   BROADCAST   OPTIONS

net   eth0      detect      nosmurfs,blacklist,tcpflags,routefilter,logmartians

loc   eth1      192.168.1.255   nosmurfs,blacklist,arp_ignore,routefilter

#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

```

So as I see it my net is on eth0 and my LAN is on eth1, but I use my eth0 for the LAN too. Trying to put it simply, I only use 1 network card and that is connected to a switch that in turn is connected to a router. So is my interface part correct or is it something else that is wrong?

(oh yeah, I'm using Shorewall 3.x)

----------

## slyyls

Hello,

  I want to allow local area network traffic to my computer.  I have the following rule in my /etc/shorewall/rules file.

```
ACCEPT  net:192.168.1.0/24   fw      all

```

It works.

Lately, I changed my router and now I get the IP 192.168.123.x.  So for a couple of weeks I kept wondering what was going on and finally I figured out that my firewall was blocking LAN traffic.  My question is,

Is there a way to use BASH functions inside the rules file, something like

```
ifconfig | awk '/192.168./ {print $2}' | sed 's#^.*:##g' | awk 'BEGIN{FS="."}END{print $1 "." $2 "." $3}'
```

This way it would automatically get the first 3 digits of my LAN IP address.

Also, I got caught once switching from the wireless card to the LAN card: during the switch the firewall was stopped, I guess because there was no NET component on. I didn't notice and spent quite a while troubleshooting VNC afterwards.  Is there a small applet or desklet that shows if Shorewall is ON or OFF?  That would be very handy, even like a RED/GREEN light icon somewhere.

Thanks,

Sly
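Shorewall processes /etc/shorewall/params with the shell, so a variable computed there with shell commands can be expanded as $LAN_NET in the rules file. The function below is added here as an example and is not taken from the thread or from Shorewall: it computes the network of an address/prefix pair in pure POSIX sh, and unlike the awk pipeline above it is correct for any prefix length, not only /24. The interface name eth0, the variable names LAN_IF and LAN_NET, and the use of `ip -4 -o addr show` to read the address are assumptions for the illustration.

```shell
#!/bin/sh
# cidr_network ADDR/PREFIXLEN: print the network that ADDR belongs to, as
# NETWORK/PREFIXLEN (192.168.123.45/24 -> 192.168.123.0/24). Pure POSIX sh
# arithmetic; prints a message on stderr and returns 1 for malformed input.
cidr_network() {
    case "$1" in
        */*) ;;
        *) echo "cidr_network: '$1' has no /prefix" >&2; return 1 ;;
    esac
    addr=${1%/*}
    plen=${1#*/}
    # Accept only 0..32 written without leading zeros (a leading zero would
    # make the arithmetic below read the number as octal).
    case "$plen" in
        0|[1-9]|[12][0-9]|3[0-2]) ;;
        *) echo "cidr_network: bad prefix length '$plen'" >&2; return 1 ;;
    esac

    oldifs=$IFS; IFS=.
    set -f                      # no globbing while the address is split
    set -- $addr                # $1..$4 are now the octets
    set +f
    IFS=$oldifs
    [ $# -eq 4 ] || { echo "cidr_network: bad address '$addr'" >&2; return 1; }
    for octet in "$1" "$2" "$3" "$4"; do
        case "$octet" in
            0|[1-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]) ;;
            *) echo "cidr_network: bad octet '$octet' in '$addr'" >&2; return 1 ;;
        esac
    done

    ip=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    # All-ones mask shifted left by the host bits, masked back to 32 bits
    # (for /0 every bit is shifted out and the mask is 0).
    mask=$(( (4294967295 << (32 - plen)) & 4294967295 ))
    net=$(( ip & mask ))
    printf '%d.%d.%d.%d/%d\n' \
        $(( (net >> 24) & 255 )) $(( (net >> 16) & 255 )) \
        $(( (net >> 8) & 255 ))  $(( net & 255 )) "$plen"
}

# lan_net_for_interface IFACE: the network of IFACE's first IPv4 address.
# Needs iproute2 (the ip command). Assumed use in /etc/shorewall/params:
#   LAN_IF=eth0
#   LAN_NET=$(lan_net_for_interface "$LAN_IF")
# and then in /etc/shorewall/rules:
#   ACCEPT  net:$LAN_NET  fw  all
lan_net_for_interface() {
    cidr=$(ip -4 -o addr show dev "$1" 2>/dev/null | awk '{ print $4; exit }')
    [ -n "$cidr" ] || { echo "lan_net_for_interface: no IPv4 address on $1" >&2; return 1; }
    cidr_network "$cidr"
}
```

lan_net_for_interface needs iproute2 and a configured interface, so it is the part that belongs in params; cidr_network itself runs anywhere, which is what makes it checkable offline. Because params is read when the firewall starts, the variable follows whatever address the interface has at that moment and does not track a later address change until Shorewall is restarted.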

----------

## Qu4rk

Ok, so I've searched & I guess no one else has encountered this.  I can't load yahoo games like chess & what not.  Every time I try to click on a game it gives me the "you must be behind a firewall" error msg.  So, I stopped shorewall & sure enough the game room opened.  Someone in an earlier thread had port 5050 for yahoo msger, but that doesn't work for the games.  Anyone know which port to open for Yahoo games?

Thanks

----------

## krolden

Have you checked your logs to see what port it wants to connect to?
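As an added example (not code from this thread or from Shorewall), here is a small shell function that does what krolden suggests in a repeatable way: it reads Shorewall log lines of the form quoted earlier in the thread (`Shorewall:all2all:REJECT:IN= OUT=eth0 SRC=... DST=... PROTO=TCP ... DPT=6348 ...`) and counts them per disposition, chain, protocol, destination and destination port, so the port an application keeps trying to reach comes out on top. The four log lines below are constructed for the demonstration (the first is the one StarDragon posted); the path /var/log/shorewall.log in the usage comment is an assumption, since where the lines end up depends on the syslog setup.

```shell
#!/bin/sh
# summarize_shorewall_log: read Shorewall log lines on stdin (dmesg,
# /var/log/messages or a dedicated syslog-ng file) and print one line per
# distinct REJECT/DROP target, most frequent first:
#   <count> <disposition> <chain> <proto> <dst> <dport>
summarize_shorewall_log() {
    awk '
    /Shorewall:/ {
        chain = disp = proto = dst = dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^Shorewall:/) {
                split($i, t, ":")               # Shorewall:<chain>:<disposition>:...
                chain = t[2]; disp = t[3]
            } else if ($i ~ /^DST=/)   { dst   = substr($i, 5) }
              else if ($i ~ /^PROTO=/) { proto = tolower(substr($i, 7)) }
              else if ($i ~ /^DPT=/)   { dpt   = substr($i, 5) }
        }
        if (disp == "REJECT" || disp == "DROP") {
            if (dpt == "") dpt = "-"            # ICMP carries no destination port
            count[disp " " chain " " proto " " dst " " dpt]++
        }
    }
    END { for (k in count) print count[k], k }' | sort -k1,1nr -k2
}

# Constructed sample input: the first line is the one quoted in the thread,
# the others are made up to show a repeated target and unrelated entries.
SAMPLE_LOG='Shorewall:all2all:REJECT:IN= OUT=eth0 SRC=192.168.1.102 DST=12.181.68.115 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=5787 DF PROTO=TCP SPT=38565 DPT=6348 WINDOW=5840 RES=0x00 SYN URGP=0
Shorewall:all2all:REJECT:IN= OUT=eth0 SRC=192.168.1.102 DST=12.181.68.115 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=5788 DF PROTO=TCP SPT=38566 DPT=6348 WINDOW=5840 RES=0x00 SYN URGP=0
Shorewall:all2all:REJECT:IN= OUT=eth0 SRC=192.168.1.102 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=5790 DF PROTO=UDP SPT=32768 DPT=53 LEN=40
Shorewall:net2all:DROP:IN=eth0 OUT= SRC=10.9.8.7 DST=192.168.1.102 LEN=84 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1'

# top_rejects: run the summary over the constructed sample.
top_rejects() {
    printf '%s\n' "$SAMPLE_LOG" | summarize_shorewall_log
}

# Real use (assumed log path): summarize_shorewall_log < /var/log/shorewall.log
top_rejects
```

For the sample the first output line is `2 REJECT all2all tcp 12.181.68.115 6348`. That shape, an outbound entry (IN= empty, OUT= the external interface) with the same DST and DPT repeating, is what to look for when an application fails behind the firewall; the DPT value is the port to add to the rules file.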

----------

## Qu4rk

 *Krolden wrote:*   

> Have you checked your logs to see what port it wants to connect to?

 

Thanks!  Yahoo Games port 11999 for all searchers.

----------

## Bear The Barbarian

I apologize for revisiting a topic that's been hit on before, but I just can't seem to get this to work.

Whenever I try /etc/init.d/shorewall start, I get

```
/etc/init.d/shorewall start

 * Starting firewall ...

FATAL: Module ip_tables not found.

iptables v1.3.4: can't initialize iptables table `filter': iptables who? (do you need to insmod?)

Perhaps iptables or your kernel needs to be upgraded.

   ERROR: Command "/sbin/iptables -P INPUT DROP" Failed

FATAL: Module ip6_tables not found.

ip6tables v1.3.4: can't initialize ip6tables table `filter': Module is wrong version

Perhaps ip6tables or your kernel needs to be upgraded.

FATAL: Module ip6_tables not found.

ip6tables v1.3.4: can't initialize ip6tables table `filter': Module is wrong version

Perhaps ip6tables or your kernel needs to be upgraded.

... The error repeats a lot in here, and then ...

iptables v1.3.4: can't initialize iptables table `filter': iptables who? (do you need to insmod?)

Perhaps iptables or your kernel needs to be upgraded.

/etc/init.d/shorewall: line 14: 26201 Terminated              /sbin/shorewall start >/dev/null

```

In terms of the common search:

```
cat /usr/src/linux/.config | grep FILTER

CONFIG_NETFILTER=y

# CONFIG_NETFILTER_DEBUG is not set

# CONFIG_NETFILTER_NETLINK is not set

CONFIG_IP_NF_FILTER=y

CONFIG_IP_NF_ARPFILTER=y

CONFIG_IP6_NF_FILTER=y

CONFIG_BT_BNEP_MC_FILTER=y

CONFIG_BT_BNEP_PROTO_FILTER=y

CONFIG_PPP_FILTER=y

```

I'm using genkernel. I've checked to make sure that all the options under IP Tables Support were checked (compiled into the kernel, not as modules), and I've even checked everything under IP: Netfilter Configuration submenu just for good measure. Am I just missing an option somewhere? I'm kind of noobish for this, so it could be an incredibly simple mistake.

----------

## cherring

I have been putting off installing a firewall on my server as I was intimidated by the process. I always understood the concept, but not the mechanics of it. Luckily for me I had a server that I was just tinkering with, doing a little email serving, but really just learning a lot about running my own server.  But as I started to set up all my services and started to get them configured to my liking the need for a firewall was all too apparent to me.

I searched around the net looking for something that could explain iptables to me, but as I didn't understand what it was doing properly I didn't even try to muddle through.  Then I stumbled on this tutorial and it explained the whole process brilliantly and I now have a working firewall and I am very happy.

Many thanks for such a well written well documented tutorial that held my hand perfectly every step of the way, I am very grateful to great users such as yourself who pass on their knowledge and understanding of technology to others.

Cheers.   :Very Happy: 

----------

## Old School

I'm getting this error:

```
greg@badboy ~ $ sudo /etc/init.d/shorewall start

 * Starting firewall ...

   ERROR: No ipv4 or ipsec Zones Defined

/etc/init.d/shorewall: line 14: 10420 Terminated              /sbin/shorewall start >/dev/null   [ !! ]
```

This is the third box I've installed shorewall on, and have never run into this before.

Any ideas?

----------

## supernick_84

I'm having trouble connecting to an FTP server with my laptop. I've installed shorewall on my desktop computer according to your HOWTO (which is very nice!) and it works fine there.

Could it be that the problem is that I have 2 interfaces?

Anyway, this is the error i get :

```
ftp users.pandora.be

Connected to users.pandora.be.

220 Telenet-ops FTP Server

Name (users.pandora.be:nick): xxxxxx

500 AUTH not understood

SSL not available

331 Password required for xxxxxx

Password:

230 User xxxxxx logged in.

Remote system type is UNIX.

Using binary mode to transfer files.

ftp> ls

200 PORT command successful

425 Unable to build data connection: Connection timed out

```

Here's my /etc/shorewall/rules

```
ACCEPT   fw             net             tcp     80   #http

ACCEPT   fw             net             udp     80   #http

ACCEPT   fw             net             tcp     443  #https

ACCEPT   fw             net             udp     443  #https

ACCEPT   fw             net             tcp     21,20   #ftp

ACCEPT   fw             net             tcp     53   #DNS

ACCEPT   fw             net             udp     53   #DNS

ACCEPT   fw             net             tcp     110  #unsecure Pop3

ACCEPT   fw             net             tcp     995  #Secure Pop3

ACCEPT   fw             net             tcp     873  #rsync

ACCEPT   fw             net             tcp     25   #unsecure SMTP

ACCEPT   fw             net             tcp     465  #SMTP over SSL

ACCEPT   fw             net             tcp     6667 #IRC

ACCEPT   fw             net             tcp     1863 #GAIM

```

here's the /etc/shorewall/interfaces

```
#ZONE    INTERFACE      BROADCAST       OPTIONS                 GATEWAY

#

net     eth0            detect          dhcp,nosmurfs

net     wlan0           detect          dhcp,nosmurfs

#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

```

the policy says

```
###############################################################################

#SOURCE         DEST            POLICY          LOG             LIMIT:BURST

#                                               LEVEL

net             all             DROP            info

all             all             REJECT          info

#LAST LINE -- DO NOT REMOVE
```

and the zones 

```
#ZONE                   DISPLAY         COMMENTS

net                     internet        the big and bad internet
```

Does anyone have an idea why I can't connect to FTP servers? (Using gFTP or the ftp command)

Thanks in advance!

----------

## nagual

After following the tutorial, I get this

```
gentoo ~ # shorewall start

Loading /usr/share/shorewall/functions...

Processing /etc/shorewall/params ...

Processing /etc/shorewall/shorewall.conf...

Starting Shorewall...

Initializing...

Shorewall has detected the following iptables/netfilter capabilities:

   NAT: Available

   Packet Mangling: Available

   Multi-port Match: Available

   Extended Multi-port Match: Available

   Connection Tracking Match: Available

   Packet Type Match: Available

   Policy Match: Not available

   Physdev Match: Not available

   IP range Match: Available

   Recent Match: Available

   Owner Match: Available

   Ipset Match: Not available

   CONNMARK Target: Not available

   Connmark Match: Not available

   Raw Table: Available

   CLASSIFY Target: Available

Determining Zones...

   ERROR: No ipv4 or ipsec Zones Defined

Terminated

```

Any suggestions?

----------

## nagual

Should I just add in the REDIRECT?  I am only trying to open port 80 on that box, since it just sits there and folds.

----------

## supernick_84

did you define a zone in /etc/shorewall/zones ?

----------

## nagual

I'm pretty sure I did.  I will post my configs when I get home.

----------

## davmonster

After following this personal internet firewall HOWTO I struggled for a bit trying to get bittorrent to work.

This is how I got it working:

/etc/shorewall/policy:

```

###############################################################################

#SOURCE         DEST            POLICY          LOG             LIMIT:BURST

#                                               LEVEL

fw              net            ACCEPT

net             all             DROP            info

all              all             REJECT          info

#LAST LINE -- DO NOT REMOVE

```

I realise this is a security risk in that it allows outbound connections, but it seems that the standard bittorrent client connects to unpredictable high-level ports on the other bt clients, and so this cannot be helped.

You'll also have to put this in your /etc/shorewall/rules file:

```

..

BitTorrent/ACCEPT       net     fw

..

```

This is a macro to accept connections on tcp ports 6881:6889 which is also needed for a bit-torrent client. Please let me know if you find a way of running BT without letting all outbound connections through.

- Dav

----------

## pressenter

I have such a problem with my shorewall:

```
 * Starting firewall ...

   ERROR: No ipv4 or ipsec Zones Defined

/etc/init.d/shorewall: line 14: 24479 Terminated              /sbin/shorewall start >/dev/nu  [ !! ]
```

What to do ??

----------

## patroy

If you are using Shorewall 3.x, a few things have changed since the "tutorial" was written.

I'm still trying to figure them all out.

though that error was fixed by adding the following to /etc/shorewall/zones

```
net     ipv4
```

I just inserted that after the 

```
fw      firewall
```

hope that helps.
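The "ERROR: No ipv4 or ipsec Zones Defined" message that Old School, nagual and pressenter hit is what Shorewall 3.x reports when the zones file still has the 2.x layout (ZONE, DISPLAY, COMMENTS): the second column is then read as a zone TYPE, and "Net" or "Local" is not one. Below is an added example, not from the thread or from Shorewall: a shell check that reads a zones file and reports each line's type, flagging lines whose second column is not a known type. The type list `firewall ipv4 ipsec` is an assumption taken from the error text and from the 3.x layout patroy shows; later Shorewall releases know further types, so extend it for your version.

```shell
#!/bin/sh
# check_zones: read a Shorewall 3.x /etc/shorewall/zones on stdin, print a
# verdict for each zone line and return 0 when at least one ipv4 or ipsec
# zone is defined, 1 otherwise (the condition behind the error in the thread).
ZONE_TYPES="firewall ipv4 ipsec"   # assumed list of 3.x zone types; extend as needed

check_zones() {
    awk -v types="$ZONE_TYPES" '
    BEGIN { n = split(types, t, " "); for (i = 1; i <= n; i++) known[t[i]] = 1; good = 0 }
    { sub(/#.*/, "") }                        # strip comments, including the header lines
    NF == 0 { next }                          # skip blank lines
    {
        zone = $1; type = $2
        if (type == "") {
            printf "line %d: zone %s has no TYPE column\n", NR, zone
        } else if (!(type in known)) {
            printf "line %d: zone %s: \"%s\" is not a zone type (2.x-style line?)\n", NR, zone, type
        } else {
            printf "line %d: zone %s is type %s\n", NR, zone, type
            if (type == "ipv4" || type == "ipsec") good++
        }
    }
    END { if (good == 0) { print "ERROR: No ipv4 or ipsec Zones Defined"; exit 1 } }'
}

# Constructed samples: a 2.x-style file like the one posted earlier in the
# thread, and the 3.x layout patroy describes.
ZONES_2X='net     Net             Internet
loc     Local           Local Networks'

ZONES_3X='#ZONE   TYPE            OPTIONS         IN                      OUT
#                                       OPTIONS                 OPTIONS
fw      firewall
net     ipv4
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE'

zones_ok_2x() { printf '%s\n' "$ZONES_2X" | check_zones >/dev/null; }
zones_ok_3x() { printf '%s\n' "$ZONES_3X" | check_zones >/dev/null; }

# Real use: check_zones < /etc/shorewall/zones
```

On the 2.x sample the check prints a "not a zone type" line for net and loc and ends with the same error Shorewall gives; on the 3.x sample it reports fw as firewall and net as ipv4 and returns 0.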

----------

## to_kallon

hello everyone.

Sith, great guide, thanks mate.

I've run into a problem; I've seen a few people post about it but nothing I've tried has worked. I hit a few of the upgrade problems everyone has mentioned, but once Shorewall got started everything seemed OK, I could ssh in and out just like I wanted to. But it turned out that was the only thing I could do. I cannot ping servers/view webpages, which may be the central problem; I also cannot emerge anything. I get this error:

```

Resolving gentoo.chem.wisc.edu... failed: Temporary failure in name resolution.

```

here is my /etc/shorewall/rules file:

```

#ACTION SOURCE          DEST            PROTO   DEST    SOURCE          ORIGINAL        RATE            USER/

#                                               PORT    PORT(S)         DEST            LIMIT           GROUP

ACCEPT  fw              net             tcp     80      #http-out

ACCEPT  fw              net             udp     80

ACCEPT  fw              net             tcp     443     #https-out

ACCEPT  fw              net             udp     443

ACCEPT  net             fw              tcp     80      #http-in

ACCEPT  net             fw              udp     80

#

ACCEPT  fw              net             tcp     22      #ssh-out

ACCEPT  net             fw              tcp     22      #ssh-in

#

ACCEPT  net             fw              udp     8767    #teamspeak

ACCEPT  net             fw              tcp     14534   #ts webadmin

#

ACCEPT  fw              net             tcp     873     #rsync-out

#

#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

```

Since I'm able to ssh my assumption is I've made an error here somewhere. Strangely it is allowing 8767 through to my teamspeak server. At this point I've not tried to hit a served web page so I can't speak to inbound http working.

Does anything jump out as being wrong? Thanks in advance.

----------

## patroy

I've just recently set up and configured my firewall via Shorewall. I had numerous problems and figured them all out by going to the Shorewall website and reading through almost all of their docs. I was having a problem with connecting to the net until I changed my policy to

```
#SOURCE         DEST            POLICY          LOG             LIMIT:BURST

#                                               LEVEL

fw              net             ACCEPT

net             all             DROP            info

#

# THE FOLLOWING POLICY MUST BE LAST

#

all             all             REJECT          info

#LAST LINE -- DO NOT REMOVE
```

This essentially allows all connections from my firewall to the net to exist, and drops all incoming connections not setup in rules.

My rules are simply:

```
#ACTION SOURCE          DEST            PROTO   DEST    SOURCE          ORIGINAL        RATE            USER/

#                                               PORT    PORT(S)         DEST            LIMIT           GROUP

#SECTION ESTABLISHED

#SECTION RELATED

SECTION NEW

DROP     net            fw              tcp     113     #AUTH/IDENT

ACCEPT   net            fw              tcp     ****    #Secure Shell

ACCEPT   net            fw              tcp     13269   #Gtk-Gnutella

ACCEPT   net            fw              udp     13269   #Gtk-Gnutella

ACCEPT   net            fw              tcp     1863    #Gaim

#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

```

 I remember reading something about how if you are upgrading from a 2.X shorewall to the 3.X you need to decide if you are going to use the ipsec or zones info, my zones are

```
#ZONE   TYPE            OPTIONS         IN                      OUT

#                                       OPTIONS                 OPTIONS

fw      firewall

net     ipv4

#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

```

I've tested it all and everything is running smoothly.

Hope this helps.

----------

## to_kallon

that seems to have done the trick. thanks!

----------

## arabis

With my notebook, I want to be able to use a dialup connection with Shorewall. So far I succeeded, but recently after some update, when I start my laptop with no ethernet cable plugged in, I get:

```
* WARNING:  shorewall is scheduled to start when net.eth0 has started.
```

When the dial-up connection is established, if I try to start Shorewall manually, it gives the same answer and refuses to start, and I get an unsecured ppp connection.

What can I do to correct this situation?

----------

## iusebash

I am on the first part, and I am already stuck.

From tut:

 *Quote:*   

> # For 2.6 kernels look under:
> 
> Device Drivers --->
> 
>      Networking support --->
> ...

 

My IP: Netfilter Configuration:

```
IP: Netfilter Configuration
  <*> Connection tracking (required for masq/NAT)
  [ ]   Connection tracking flow accounting
  [ ]   Connection mark tracking support
  [ ]   Connection tracking events (EXPERIMENTAL)
  < >   SCTP protocol connection tracking support (EXPERIMENTAL)
  < >   FTP protocol support
  < >   IRC protocol support
  < >   NetBIOS name service protocol support (EXPERIMENTAL)
  < >   TFTP protocol support
  < >   Amanda backup protocol support
  < >   PPTP protocol support
  <*> IP Userspace queueing via NETLINK (OBSOLETE)
```

There is no 'IP Tables Support (required for filtering/masq/NAT)'!

I did a search:

```
Search Results
  Symbol: IP_NF_TARGET_MASQUERADE [=n]
  Prompt: MASQUERADE target support
    Defined at net/ipv4/netfilter/Kconfig:407
    Depends on: NET && INET && NETFILTER && IP_NF_NAT
    Location:
      -> Networking
        -> Networking support (NET [=y])
          -> Networking options
            -> Network packet filtering (replaces ipchains) (NETFILTER [=y])
              -> IP: Netfilter Configuration
                -> IP tables support (required for filtering/masq/NAT) (IP_N
                  -> Full NAT (IP_NF_NAT [=n])
```

It says there is 'IP tables support' under IP: Netfilter Configuration.  As you can see from the first code block, it isn't on the list.  WTF?

----------

## NotQuiteSane

I'm trying to follow the guide, but am stuck on section 2.  Since the kernel outline has changed since the guide was written, I'm a bit confused.

Here is what I have under "Networking"

```

#

# Networking

#

CONFIG_NET=y

#

# Networking options

#

# CONFIG_NETDEBUG is not set

CONFIG_PACKET=y

# CONFIG_PACKET_MMAP is not set

CONFIG_UNIX=y

# CONFIG_NET_KEY is not set

CONFIG_INET=y

CONFIG_IP_MULTICAST=y

CONFIG_IP_ADVANCED_ROUTER=y

CONFIG_ASK_IP_FIB_HASH=y

# CONFIG_IP_FIB_TRIE is not set

CONFIG_IP_FIB_HASH=y

CONFIG_IP_MULTIPLE_TABLES=y

CONFIG_IP_ROUTE_FWMARK=y

CONFIG_IP_ROUTE_MULTIPATH=y

CONFIG_IP_ROUTE_MULTIPATH_CACHED=y

CONFIG_IP_ROUTE_MULTIPATH_RR=m

CONFIG_IP_ROUTE_MULTIPATH_RANDOM=m

CONFIG_IP_ROUTE_MULTIPATH_WRANDOM=m

CONFIG_IP_ROUTE_MULTIPATH_DRR=m

CONFIG_IP_ROUTE_VERBOSE=y

# CONFIG_IP_PNP is not set

CONFIG_NET_IPIP=m

# CONFIG_NET_IPGRE is not set

# CONFIG_IP_MROUTE is not set

# CONFIG_ARPD is not set

# CONFIG_SYN_COOKIES is not set

# CONFIG_INET_AH is not set

# CONFIG_INET_ESP is not set

# CONFIG_INET_IPCOMP is not set

# CONFIG_INET_TUNNEL is not set

CONFIG_INET_DIAG=y

CONFIG_INET_TCP_DIAG=y

CONFIG_TCP_CONG_ADVANCED=y

#

# TCP congestion control

#

CONFIG_TCP_CONG_BIC=y

CONFIG_TCP_CONG_CUBIC=m

CONFIG_TCP_CONG_WESTWOOD=m

CONFIG_TCP_CONG_HTCP=m

# CONFIG_TCP_CONG_HSTCP is not set

# CONFIG_TCP_CONG_HYBLA is not set

# CONFIG_TCP_CONG_VEGAS is not set

# CONFIG_TCP_CONG_SCALABLE is not set

#

# IP: Virtual Server Configuration

#

# CONFIG_IP_VS is not set

# CONFIG_IPV6 is not set

CONFIG_NETFILTER=y

CONFIG_NETFILTER_DEBUG=y

#

# Core Netfilter Configuration

#

# CONFIG_NETFILTER_NETLINK is not set

CONFIG_NETFILTER_XTABLES=y

CONFIG_NETFILTER_XT_TARGET_CLASSIFY=y

CONFIG_NETFILTER_XT_TARGET_CONNMARK=y

CONFIG_NETFILTER_XT_TARGET_MARK=y

CONFIG_NETFILTER_XT_TARGET_NFQUEUE=y

CONFIG_NETFILTER_XT_TARGET_NOTRACK=y

CONFIG_NETFILTER_XT_MATCH_COMMENT=y

CONFIG_NETFILTER_XT_MATCH_CONNBYTES=y

CONFIG_NETFILTER_XT_MATCH_CONNMARK=y

CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y

CONFIG_NETFILTER_XT_MATCH_DCCP=y

CONFIG_NETFILTER_XT_MATCH_HELPER=y

CONFIG_NETFILTER_XT_MATCH_LENGTH=y

CONFIG_NETFILTER_XT_MATCH_LIMIT=y

CONFIG_NETFILTER_XT_MATCH_MAC=y

CONFIG_NETFILTER_XT_MATCH_MARK=y

CONFIG_NETFILTER_XT_MATCH_PKTTYPE=y

CONFIG_NETFILTER_XT_MATCH_REALM=y

CONFIG_NETFILTER_XT_MATCH_SCTP=y

CONFIG_NETFILTER_XT_MATCH_STATE=y

CONFIG_NETFILTER_XT_MATCH_STRING=y
CONFIG_NETFILTER_XT_MATCH_TCPMSS=y
#
# IP: Netfilter Configuration
#
CONFIG_IP_NF_CONNTRACK=y
CONFIG_IP_NF_CT_ACCT=y
CONFIG_IP_NF_CONNTRACK_MARK=y
# CONFIG_IP_NF_CONNTRACK_EVENTS is not set
# CONFIG_IP_NF_CT_PROTO_SCTP is not set
CONFIG_IP_NF_FTP=y
CONFIG_IP_NF_IRC=y
# CONFIG_IP_NF_NETBIOS_NS is not set
CONFIG_IP_NF_TFTP=y
CONFIG_IP_NF_AMANDA=y
CONFIG_IP_NF_PPTP=y
CONFIG_IP_NF_QUEUE=y
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_MATCH_IPRANGE=y
CONFIG_IP_NF_MATCH_MULTIPORT=y
CONFIG_IP_NF_MATCH_TOS=y
CONFIG_IP_NF_MATCH_RECENT=y
CONFIG_IP_NF_MATCH_ECN=y
CONFIG_IP_NF_MATCH_DSCP=y
CONFIG_IP_NF_MATCH_AH_ESP=y
CONFIG_IP_NF_MATCH_TTL=y
CONFIG_IP_NF_MATCH_OWNER=y
CONFIG_IP_NF_MATCH_ADDRTYPE=y
CONFIG_IP_NF_MATCH_HASHLIMIT=y
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_TARGET_REJECT=y
CONFIG_IP_NF_TARGET_LOG=y
CONFIG_IP_NF_TARGET_ULOG=y
CONFIG_IP_NF_TARGET_TCPMSS=y
CONFIG_IP_NF_NAT=y
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=y
CONFIG_IP_NF_TARGET_REDIRECT=y
CONFIG_IP_NF_TARGET_NETMAP=y
CONFIG_IP_NF_TARGET_SAME=y
# CONFIG_IP_NF_NAT_SNMP_BASIC is not set
CONFIG_IP_NF_NAT_IRC=y
CONFIG_IP_NF_NAT_FTP=y
CONFIG_IP_NF_NAT_TFTP=y
CONFIG_IP_NF_NAT_AMANDA=y
CONFIG_IP_NF_NAT_PPTP=y
CONFIG_IP_NF_MANGLE=y
CONFIG_IP_NF_TARGET_TOS=y
CONFIG_IP_NF_TARGET_ECN=y
CONFIG_IP_NF_TARGET_DSCP=y
CONFIG_IP_NF_TARGET_TTL=y
# CONFIG_IP_NF_TARGET_CLUSTERIP is not set
CONFIG_IP_NF_RAW=y
CONFIG_IP_NF_ARPTABLES=y
CONFIG_IP_NF_ARPFILTER=y
CONFIG_IP_NF_ARP_MANGLE=y
#
# DCCP Configuration (EXPERIMENTAL)
#
# CONFIG_IP_DCCP is not set
#
# SCTP Configuration (EXPERIMENTAL)
#
# CONFIG_IP_SCTP is not set
#
# TIPC Configuration (EXPERIMENTAL)
#
# CONFIG_TIPC is not set
CONFIG_ATM=m
# CONFIG_ATM_CLIP is not set
# CONFIG_ATM_LANE is not set
# CONFIG_ATM_BR2684 is not set
# CONFIG_BRIDGE is not set
# CONFIG_VLAN_8021Q is not set
# CONFIG_DECNET is not set
# CONFIG_LLC2 is not set
# CONFIG_IPX is not set
# CONFIG_ATALK is not set
# CONFIG_X25 is not set
# CONFIG_LAPB is not set
# CONFIG_NET_DIVERT is not set
# CONFIG_ECONET is not set
# CONFIG_WAN_ROUTER is not set
#
# QoS and/or fair queueing
#
# CONFIG_NET_SCHED is not set
CONFIG_NET_CLS_ROUTE=y
#
# Network testing
#
# CONFIG_NET_PKTGEN is not set
# CONFIG_HAMRADIO is not set
# CONFIG_IRDA is not set
# CONFIG_BT is not set
# CONFIG_IEEE80211 is not set
```

Are the options correctly set (and I can go ahead and compile), or are changes needed (and if so, where)?

I've left kernel items marked "EXPERIMENTAL" unselected.

If it matters for kernel setup, I'm building a 4-legged firewall/router: Red (internet), Green (filtered to linux boxes), Orange (unfiltered (DMZ) to windows boxes*) and Black to print server (accessible by Green and Orange only)

NQS

* Doze boxes belong to roommate and he has explicitly stated he wants no firewall of any kind.

----------

## NotQuiteSane

Found a gotcha. I don't think it's been reported.

On my firewall, I have the use flag "minimal" set. This needs to be deactivated for iproute2. Putting it in package.use worked.

NQS

----------

## Netfeed

I'm getting this error when I'm trying to start shorewall

```
root@nakor[~]: /etc/init.d/shorewall start
 * Caching service dependencies ...                                       [ ok ]
 * Starting firewall ...
iptables: Unknown error 4294967295
   ERROR: Command "/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT" Failed
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
/etc/init.d/shorewall: line 14: 19546 Terminated              /sbin/shorewall -f start >/dev/null    
```

Anyone who has an idea how to fix it?

----------

## Beefrum

Re to netfeed:

Current iptables options in kernel-configuration are probably missing some abilities.

----------

## Netfeed

 *Beefrum wrote:*   

>  Re to netfeed:
> 
> Current iptables options in kernel-configuration are probably missing some abilities.

 

yeap, works like a charm now

ty
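Beefrum's diagnosis above (iptables failing because the kernel lacks the matches and targets a rule needs) is the same question NotQuiteSane asked about the posted .config. Here is an added example, not from the thread or from Shorewall, of checking a kernel .config for the netfilter options Shorewall's rules rely on; the checklist is my own selection from the options visible on this page plus CONFIG_NETFILTER_XT_MATCH_STATE, which the failing `-m state` FORWARD rule in Netfeed's post requires, and the sample .config is constructed:

```shell
#!/bin/sh
# Added example (not from the thread): list the netfilter options in a kernel
# .config that are neither built in (=y) nor modular (=m). The checklist is my
# own: options seen in the config posted in this thread, plus
# CONFIG_NETFILTER_XT_MATCH_STATE, needed by "-m state --state ESTABLISHED,RELATED".
SHOREWALL_OPTS="CONFIG_NETFILTER CONFIG_IP_NF_CONNTRACK CONFIG_IP_NF_IPTABLES
CONFIG_IP_NF_FILTER CONFIG_IP_NF_TARGET_REJECT CONFIG_IP_NF_TARGET_LOG
CONFIG_IP_NF_MATCH_MULTIPORT CONFIG_IP_NF_NAT CONFIG_IP_NF_TARGET_MASQUERADE
CONFIG_NETFILTER_XT_MATCH_STATE"

# Usage: missing_kconfig /path/to/.config OPTION...
# Prints every option that is not set to y or m, one per line; prints nothing
# when the config satisfies the whole list.
missing_kconfig() {
  config="$1"; shift
  for opt in "$@"; do
    grep -Eq "^${opt}=(y|m)\$" "$config" || printf '%s\n' "$opt"
  done
}

# Constructed sample .config (not a real system's) so the check can be tried
# offline: two of the listed options are deliberately left unset.
write_sample_config() {
  cat > "$1" <<'EOF'
CONFIG_NETFILTER=y
CONFIG_IP_NF_CONNTRACK=y
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_TARGET_REJECT=y
CONFIG_IP_NF_TARGET_LOG=m
CONFIG_IP_NF_MATCH_MULTIPORT=y
CONFIG_IP_NF_NAT=y
# CONFIG_IP_NF_TARGET_MASQUERADE is not set
# CONFIG_NETFILTER_XT_MATCH_STATE is not set
EOF
}

# Run against the .config named on the command line, e.g. /usr/src/linux/.config.
if [ "$#" -eq 1 ]; then
  # shellcheck disable=SC2086  # splitting the option list into words is intended
  missing_kconfig "$1" $SHOREWALL_OPTS
fi
```

Any option it prints must be enabled (and the kernel rebuilt and rebooted) before the corresponding Shorewall rule can load.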

----------

## happyduck

 *Bear The Barbarian wrote:*   

> I apologize for revisiting a topic that's been hit on before, but I just can't seem to get this to work.
> 
> Whenever I try /etc/init.d/shorewall start, I get
> 
> ```
> ...

 

(This is my first post so please bear with me.)

I also had the problem with ip6_tables with my 2.6.10-r6 kernel. As far as I remember I did the following to solve it, after having followed sith_happens' guide to the letter:

1. Entirely removed ipv6 support from the kernel.

2. Told Shorewall *not* to ignore ipv6 support in the kernel.

3. Rebooted.

In more detail:

1. Remove ipv6 stuff from the kernel:

```
Device drivers --->
  Networking support --->
    [ ] The IPv6 protocol (EXPERIMENTAL)
```

Exit and save the configuration.

 *Quote:*   

> 
> 
> I'm using genkernel. I've checked to make sure that all the options under IP Tables Support were checked (compiled into the kernel, not as modules), and I've even checked everything under IP: Netfilter Configuration submenu just for good measure. Am I just missing an option somewhere? I'm kind of noobish for this, so it could be an incredibly simple mistake.
> 
> 

 

I do not use genkernel, but the steps in the Gentoo Handbook (x86), chapter 7 if I am not mistaken, should carry you through if you do. (Remember to point your boot loader to the new kernel.)

Now, step 2: In /etc/shorewall/shorewall.conf, set

```
DISABLE_IPV6=No
```

This tells Shorewall that it should *not* ignore ipv6 support in the kernel. Since there is no longer support in the kernel Shorewall should not expect support, and thus not try to ignore it. Actually, I do not remember if this step is necessary, but that's the way my config file looks currently, and it works.

Step 3:

Reboot and see whether "firewall" has stopped complaining about ip6_tables.

I hope this sketched solution helps.

----------

## Alchera

For anyone needing a graphical guide to setting up their kernel for Shorewall: Kernel Configuration

More information: Ports Required for Various Services/Applications

Logging: Configuring a Separate Log for Shorewall Messages (ulogd)

NB: The above configuration works to keep Shorewall information out of /var/log/messages. My policy is below.

 *Quote:*   

> ###############################################################################
> 
> #SOURCE         DEST            POLICY          LOG             LIMIT:BURST
> 
> #                                               LEVEL
> ...

 

Shorewall (of course) has to be stopped, cleared and then fired up again.

----------

## nabla²

Which ports do I have to open for a printer which uses a print server? I configured cups with 

```
URI: lpd://192.168.0.100/binary_p1
```

 and included 

```
ACCEPT   fw             net             tcp     631 #CUPS
ACCEPT   net             fw             tcp     631 #CUPS
```

 in the rules file. It does not work when printing in KDE.

thx

----------

## Karim

Hi!

I tried to follow the tutorial with the latest kernel 2.6.19, but the network configuration has really changed a lot.

Is there an up-to-date genkernel configuration guide anywhere?

Does anyone have a useful pointer?

Thanks!

/Karim

----------

## manouchk

I was using firestarter for simplicity and because it can be used to dynamically accept connections, but as it ends up being insecure, I had to switch. I tried kmyfirewall, which was not very good for me (the standard desktop configuration was not allowing traffic over loopback, and kmyfirewall has almost no documentation, etc...)

Well, I ended up trying shorewall and the documentation is good! (3 minutes to set up a standalone shorewall, loved that!)

I have some comments, I hope it is okay to post here?

I had 1 problem, I missed one thing from the first post of https://forums.gentoo.org/viewtopic-t-308153.html (Prompt and Powerful Personal Firewalling with Shorewall). I had to add one line in /etc/shorewall/zones

net ipv4

I mean, with that, instead of 3 minutes it could have been 2 minutes 30...

I also liked to use the "new" syntax of /etc/shorewall/rules :

```
 DNS/ACCEPT   fw         net 
 FTP/ACCEPT   fw         net 
 POP3/ACCEPT  fw         net 
 POP3S/ACCEPT fw         net 
 IMAP/ACCEPT  fw         net 
 IMAPS/ACCEPT fw         net 
 SMTP/ACCEPT  fw         net 
 SMTPS/ACCEPT fw         net 
 Trcrt/ACCEPT fw         net #traceroute 
 Rsync/ACCEPT fw         net 
 HTTP/ACCEPT  fw         net 
 HTTPS/ACCEPT fw         net 
 SSH/ACCEPT   fw         net 
 BitTorrent/ACCEPT fw    net 
 NTP/ACCEPT   fw         net 
 PCA/ACCEPT   fw         net #pcanywhere 
 #ICQ/ACCEPT  fw         net#ICQ/AIM 
 #SVN/ACCEPT  fw         net 
```

Those 2 links were also helpful during setup:

http://www.shorewall.net/ports.htm

http://www.shorewall.net/standalone.htm

----------

## trikolon

Hi.

I have a server/home-router with 3 eth interfaces. eth0 is my LAN with IP range 192.168.0.255, eth1 is connected to my DSL modem and eth2 is connected to my WLAN access point with the subnet 192.168.1.255. LAN and internet are working! But I can't ping from or to the eth2 net from or to the LAN, nor surf. The two subnets are not communicating and I can't reach the internet from the eth2 subnet.

here are my configs:

```
interfaces
#ZONE   INTERFACE       BROADCAST       OPTIONS
net     ppp0    -       norfc1918,routefilter,tcpflags
loc     eth0    192.168.0.255   routeback,tcpflags
wifi    eth2    192.168.1.255   dhcp,routeback,tcpflags
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
```

```
masq
#INTERFACE              SUBNET          ADDRESS
##eth1  eth0
ppp0 eth0
ppp0 eth2
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
```

```
policy
#SOURCE         DEST            POLICY          LOG             LIMIT:BURST
wifi            all             ACCEPT
net             all             ACCEPT
loc             all             ACCEPT
fw              all             ACCEPT
#LAST LINE -- DO NOT REMOVE
```

```
rules - only the wifi part
#Wifi
ACCEPT  loc     wifi    all
ACCEPT  wifi    loc     all
ACCEPT  wifi  net  icmp  8
#ACCEPT  net  $FW  icmp  8
ACCEPT  $FW  wifi  icmp
ACCEPT  wifi  $FW  icmp
ACCEPT  wifi  loc  icmp  8
ACCEPT  loc  wifi  icmp  8
DROP    net  wifi  icmp
DROP    net  wifi  icmp  8
```

```
zones
fw      firewall
net     ipv4
loc     ipv4
wifi    ipv4
```

Files like nat, routes.. are empty.

I hope somebody can help me, I can't get it to work after hours of reading, searching and trying.

greets ben

----------

