Shorewall is a firewall script that reads the configuration files under /etc/shorewall/... and generates the corresponding iptables commands from those settings. Shorewall itself is not a daemon: once the generated rules are loaded into the kernel, it plays no part in packet forwarding.
Installation log
root@OpenWrt:~# ipkg install /tmp/shorewall_3.0.5-1_mipsel.ipk
Installing shorewall (3.0.5-1) to root...
Installing ip (2.6.11-050330-1) to root...
Downloading http://downloads.openwrt.org/whiterussian/packages/ip_2.6.11-050330-1_mipsel.ipk
Installing iptables-utils (1.3.3-2) to root...
Downloading http://downloads.openwrt.org/whiterussian/packages/iptables-utils_1.3.3-2_mipsel.ipk
Installing iptables-extra (1.3.3-2) to root...
Downloading http://downloads.openwrt.org/whiterussian/packages/iptables-extra_1.3.3-2_mipsel.ipk
Installing kmod-iptables-extra (2.4.30-brcm-5) to root...
Downloading http://downloads.openwrt.org/whiterussian/packages/kmod-iptables-extra_2.4.30-brcm-5_mipsel.ipk
Installing kmod-ipt-conntrack (2.4.30-brcm-5) to root...
Downloading http://downloads.openwrt.org/whiterussian/packages/kmod-ipt-conntrack_2.4.30-brcm-5_mipsel.ipk
Installing kmod-ipt-extra (2.4.30-brcm-5) to root...
Downloading http://downloads.openwrt.org/whiterussian/packages/kmod-ipt-extra_2.4.30-brcm-5_mipsel.ipk
Installing kmod-ipt-filter (2.4.30-brcm-5) to root...
Downloading http://downloads.openwrt.org/whiterussian/packages/kmod-ipt-filter_2.4.30-brcm-5_mipsel.ipk
Installing kmod-ipt-ipopt (2.4.30-brcm-5) to root...
Downloading http://downloads.openwrt.org/whiterussian/packages/kmod-ipt-ipopt_2.4.30-brcm-5_mipsel.ipk
Installing kmod-ipt-ipsec (2.4.30-brcm-5) to root...
Downloading http://downloads.openwrt.org/whiterussian/packages/kmod-ipt-ipsec_2.4.30-brcm-5_mipsel.ipk
Installing kmod-ipt-nat (2.4.30-brcm-5) to root...
Downloading http://downloads.openwrt.org/whiterussian/packages/kmod-ipt-nat_2.4.30-brcm-5_mipsel.ipk
Installing kmod-ipt-nat-extra (2.4.30-brcm-5) to root...
Downloading http://downloads.openwrt.org/whiterussian/packages/kmod-ipt-nat-extra_2.4.30-brcm-5_mipsel.ipk
Installing kmod-ipt-queue (2.4.30-brcm-5) to root...
Downloading http://downloads.openwrt.org/whiterussian/packages/kmod-ipt-queue_2.4.30-brcm-5_mipsel.ipk
Installing kmod-ipt-ulog (2.4.30-brcm-5) to root...
Downloading http://downloads.openwrt.org/whiterussian/packages/kmod-ipt-ulog_2.4.30-brcm-5_mipsel.ipk
Installing iptables-mod-conntrack (1.3.3-2) to root...
Downloading http://downloads.openwrt.org/whiterussian/packages/iptables-mod-conntrack_1.3.3-2_mipsel.ipk
Installing iptables-mod-extra (1.3.3-2) to root...
Downloading http://downloads.openwrt.org/whiterussian/packages/iptables-mod-extra_1.3.3-2_mipsel.ipk
Installing iptables-mod-filter (1.3.3-2) to root...
Downloading http://downloads.openwrt.org/whiterussian/packages/iptables-mod-filter_1.3.3-2_mipsel.ipk
Installing iptables-mod-ipopt (1.3.3-2) to root...
Downloading http://downloads.openwrt.org/whiterussian/packages/iptables-mod-ipopt_1.3.3-2_mipsel.ipk
Installing iptables-mod-ipsec (1.3.3-2) to root...
Downloading http://downloads.openwrt.org/whiterussian/packages/iptables-mod-ipsec_1.3.3-2_mipsel.ipk
Installing iptables-mod-nat (1.3.3-2) to root...
Downloading http://downloads.openwrt.org/whiterussian/packages/iptables-mod-nat_1.3.3-2_mipsel.ipk
Installing iptables-mod-ulog (1.3.3-2) to root...
Downloading http://downloads.openwrt.org/whiterussian/packages/iptables-mod-ulog_1.3.3-2_mipsel.ipk
Configuring ip
Configuring iptables-extra
Configuring iptables-mod-conntrack
Configuring iptables-mod-extra
Configuring iptables-mod-filter
Configuring iptables-mod-ipopt
Configuring iptables-mod-ipsec
Configuring iptables-mod-nat
Configuring iptables-mod-ulog
Configuring iptables-utils
Configuring kmod-ipt-conntrack
Configuring kmod-ipt-extra
Configuring kmod-ipt-filter
Configuring kmod-ipt-ipopt
Configuring kmod-ipt-ipsec
Configuring kmod-ipt-nat
Configuring kmod-ipt-nat-extra
Configuring kmod-ipt-queue
Configuring kmod-ipt-ulog
Configuring kmod-iptables-extra
Configuring shorewall
No previous configuration found, trying to setup a simple default.
The autoconfig has set up a very basic configuration that may work.
Anyway, this configuration is just a guess, you MUST read the file:
/etc/shorewall/README.OpenWRT
Before trying to start shorewall.
Successfully terminated.
root@OpenWrt:~#
The README shipped with the package is quoted below. (Source: /etc/shorewall/README.OpenWRT, Fabio Longarai, Tue Jan 10 23:49:17 BRT 2006)
Shorewall should run fine with the ‘basic’ packages of whiterussian (the ones listed as dependencies), but extra modules can work miracles. Some of shorewall's features will demand specific kernel and/or iptables modules. If you have enough space, install them and load them in /etc/shorewall/modules.
Example: if you plan to deploy a stealth firewall (bridged) you will need ebtables support.
Take a look at the shorewall documentation if you think you need any specific configuration.
IMPORTANT: Since 3.0.4, shorewall comes with a very complete /etc/shorewall/modules file. I've commented out many modules in this file because most people do not need them. Please double-check it if you have any problem.
Shorewall was made to simplify big firewall deployments, but it's far from being simplistic! There's a lot of documentation on the website: http://www.shorewall.net/, please read it before trying to start the script.
Like many people who contribute to open projects, I did this port in my spare time and probably didn't cover all the kinds of tests that a script like this deserves. So, it's very important that bugs get reported. If you find a bug - and can't fix it - let me know at: sfl.openwrt@terra.com.br
NEVER set it to start up automatically at system boot via /etc/init.d/ scripts! Instead, use shorewall as a ‘second-stage’ firewall. This recommendation is not only healthy with shorewall, it can save you a lot of work if something goes wrong.
First, boot up a simple and safe 1st-stage firewall (the default /etc/init.d/S45firewall is an excellent choice). This 1st stage should do, at least, 2 things:
As I said, /etc/init.d/S45firewall is perfect; if you have a /etc/firewall.user you should disable it, since all your new settings will be done by a 2nd stage (and that will be shorewall). Warning: DO NOT try to make your /etc/firewall.user call shorewall directly! If you do so, any error in shorewall's configuration can lock up your system and force you to use the failsafe boot. You have been warned.
Now that your system has booted in a safe state, you can start shorewall.
There are 2 ways to do this safely (maybe more; if you know another, mail me :)
A delayed start can be simply implemented with a script like this:
#!/bin/sh
# Delay time in seconds
sleep 120
# Lockfile, use a volatile area (like /tmp)
LOCK=/tmp/myshorewall.lock
if [ ! -f "$LOCK" ]; then
    /sbin/shorewall start
fi
In the example above, you have 2 minutes to log in to your router and place a lock if you need to recover from some misconfiguration. After that, the second stage is loaded. The downside is that your firewall rules take a little more time to become valid; most people I know can live with it. Of course, you can tune the delay as you wish.
The second method is useful when your WAN is configured with a dhcp client or by ppp. You can do a ‘shorewall start’ from /etc/udhcpdc.user or /etc/ppp/ip-up:
#!/bin/sh
if [ ! -f /tmp/myshorewall.lock ]; then
    touch /tmp/myshorewall.lock
    /sbin/shorewall start
    rm -f /tmp/myshorewall.lock
fi
If anything goes wrong, you can just unplug the WAN port and reboot. Since there's no communication with the dhcp/pppoe server, the script will not be run (yes, you will be able to go there and fix anything you need). That said, I suggest that you take a very good look at how your WAN interface behaves; most of them have so much up-down activity that restarting shorewall on every signal can pose a problem. Most of the time (it depends on your setup) you can just start shorewall once and forget about it. Simply removing the rm -f /tmp/myshorewall.lock from the last example gives you a lock-and-run-it-once-until-I-reboot, which is fine for most people, me included.
Face it: shorewall takes time to restart. The performance of ‘shorewall (re)start’ has been heavily improved since whiterussian RC4, but it still isn't near what you get from a modern personal computer.
The first recommendation is to upgrade to RC4. If you can't, upgrading your busybox should be enough. If load time is REALLY important, you can strip all comments from the configuration files as well as from action.* and macro.* in /usr/share/shorewall/. If you are paranoid, also consider compiling a new shell (and other shell goodies) with some ‘by-hand’ optimizations. Good luck...
As said before, the shorewall restart can be slow enough to drive some dhcpc/pppd scripts crazy; I recommend watching your WAN behavior very closely. logread is your friend.
I also recommend trying the shorewall refresh or save/restore commands.
If you are running your openwrt with standard settings and have no prior shorewall configuration, it's very likely that the installation script has guessed a configuration that offers behavior similar to /etc/init.d/S45firewall, so you can just do a ‘shorewall start’.
Anyway, it's damn good to see that you have spent some time reading this file. I recommend taking a look at the rest of the shorewall documentation and visiting the mailing lists at shorewall.net
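The two scripts in the README each cover one half of the problem: the first gives you a window to intervene, the second makes the start idempotent per boot. The script below is an added example (not part of the README, not shipped with the OpenWrt package) that combines both and adds the two checks a practitioner wants before the second stage replaces the safe first-stage rules: it runs shorewall check first, so a broken configuration never gets loaded, and if shorewall start still fails it re-runs the first-stage script instead of leaving the router in an unknown state. The paths in SHOREWALL and FIRST_STAGE, the lock file name and the assumption that the first-stage script accepts a restart argument are all assumptions of this example, not facts from the page.

```sh
#!/bin/sh
# Added example, not from the README above: delayed second-stage start that
# combines the README's delay and lock-file ideas and adds a pre-flight
# "shorewall check" plus a fallback to the first-stage firewall script.
# Assumptions (not from the page): the SHOREWALL and FIRST_STAGE paths, the
# lock file name, and that the first stage accepts a "restart" argument.

: "${SHOREWALL:=/sbin/shorewall}"
: "${FIRST_STAGE:=/etc/init.d/S45firewall}"
: "${LOCK:=/tmp/myshorewall.lock}"   # volatile: vanishes on reboot
: "${DELAY:=120}"                    # seconds to log in and place the lock

# True (exit 0) when no lock is present, i.e. the second stage should run.
second_stage_wanted() {
    [ ! -f "$LOCK" ]
}

# Validate, then start. "check" loads no rules, so a configuration that
# fails it leaves the safe first-stage rules untouched. If "start" itself
# fails, do not assume which rules are now loaded: re-run the first-stage
# script so the router is back in a known state. Prints the outcome.
start_second_stage() {
    if ! "$SHOREWALL" check >/dev/null 2>&1; then
        echo "check-failed"
        return 1
    fi
    if "$SHOREWALL" start >/dev/null 2>&1; then
        echo "started"
        return 0
    fi
    "$FIRST_STAGE" restart >/dev/null 2>&1
    echo "start-failed-fallback"
    return 1
}

# Wait DELAY seconds, then run the second stage once per boot: the lock is
# created before starting, so a later WAN up/down does not restart it
# (the README's "lock-and-run-it-once-until-I-reboot" behaviour).
run_delayed() {
    sleep "$DELAY"
    if second_stage_wanted; then
        touch "$LOCK"
        start_second_stage
    else
        echo "locked"
    fi
}

# Run only when invoked as "sh shorewall-stage2.sh run", so the file can
# also be sourced to reuse its functions.
if [ "$1" = "run" ]; then
    run_delayed
fi
```

Launch it in the background from wherever you start late boot tasks (sh /path/to/shorewall-stage2.sh run &); the README's warning only concerns calling shorewall synchronously from /etc/firewall.user. To keep the second stage from loading on a given boot, log in within the delay and touch the lock file, exactly as the README describes.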
Output of shorewall check on this router's configuration (check only validates the files in the given directory; it loads no rules). Two things in this output deserve a look before a shorewall start: the rule ACCEPT net fw tcp 22 admits SSH to the router from the net zone, which is the Internet side on ppp0, and the dmz zone on br0 has an ACCEPT policy toward fw and toward every other zone, so nothing originating on the LAN bridge is filtered.
shorewall check /etc/shorewall
Loading /usr/share/shorewall/functions...
Processing ./params ...
Processing ./shorewall.conf...
Loading Modules...
Using /lib/modules/2.4.30/ipt_LOG.o
Using /lib/modules/2.4.30/ipt_owner.o
Using /lib/modules/2.4.30/ipt_physdev.o
Using /lib/modules/2.4.30/ipt_pkttype.o
Using /lib/modules/2.4.30/ipt_recent.o
Shorewall has detected the following iptables/netfilter capabilities:
NAT: Available
Packet Mangling: Available
Multi-port Match: Available
Extended Multi-port Match: Available
Connection Tracking Match: Not available
Packet Type Match: Available
Policy Match: Not available
Physdev Match: Available
IP range Match: Not available
Recent Match: Available
Owner Match: Available
Ipset Match: Not available
CONNMARK Target: Not available
Connmark Match: Not available
Raw Table: Not available
CLASSIFY Target: Not available
Verifying Configuration...
Determining Zones...
IPv4_Zones: dmz net loc
Firewall Zone: fw
Setting up IPSEC...
Validating interfaces file...
Validating hosts file...
Determining Hosts in Zones...
dmz Zone: br0:0.0.0.0/0
net Zone: ppp0:0.0.0.0/0
loc Zone: lo:0.0.0.0/0
Validating policy file...
Policy for fw to dmz is ACCEPT using chain fw2all
Policy for fw to net is ACCEPT using chain fw2all
Policy for fw to loc is ACCEPT using chain fw2all
Policy for dmz to net is ACCEPT using chain dmz2all
Policy for dmz to loc is ACCEPT using chain dmz2all
Policy for dmz to fw is ACCEPT using chain dmz2all
Policy for net to dmz is DROP using chain net2all
Policy for net to loc is DROP using chain net2all
Policy for net to fw is DROP using chain net2all
Policy for loc to dmz is REJECT using chain all2all
Policy for loc to net is REJECT using chain all2all
Policy for loc to fw is REJECT using chain all2all
Checking Black List...
Validating Proxy ARP
Validating NAT...
Pre-validating Actions...
Pre-processing /usr/share/shorewall/action.Drop...
..Expanding Macro /usr/share/shorewall/macro.Auth...
..End Macro
..Expanding Macro /usr/share/shorewall/macro.AllowICMPs...
..End Macro
..Expanding Macro /usr/share/shorewall/macro.SMB...
..End Macro
..Expanding Macro /usr/share/shorewall/macro.DropUPnP...
..End Macro
..Expanding Macro /usr/share/shorewall/macro.DropDNSrep...
..End Macro
Pre-processing /usr/share/shorewall/action.Reject...
Pre-processing /usr/share/shorewall/action.Limit...
Validating rules file...
Rule "ACCEPT net fw tcp 22 " checked.
Rule "ACCEPT fw net udp 53 " checked.
Rule "ACCEPT fw net tcp 53 " checked.
Rule "ACCEPT fw net tcp 23 " checked.
Rule "ACCEPT fw net tcp ntp " checked.
Rule "ACCEPT fw net tcp 443 " checked.
Rule "ACCEPT fw net tcp 80 " checked.
Rule "ACCEPT fw net udp ntp " checked.
Rule "ACCEPT fw net tcp 22 " checked.
Rule "ACCEPT fw dmz tcp 22 " checked.
Rule "ACCEPT fw net tcp ftp " checked.
Rule "ACCEPT fw net icmp " checked.
Rule "ACCEPT fw dmz icmp " checked.
Rule "ACCEPT fw dmz tcp 80 " checked.
Rule "ACCEPT dmz net icmp " checked.
Rule "ACCEPT dmz net udp 53 " checked.
Rule "ACCEPT dmz fw udp 53 " checked.
Rule "ACCEPT dmz net tcp 80 " checked.
Rule "ACCEPT dmz fw tcp 80 " checked.
Rule "ACCEPT dmz fw icmp " checked.
Validating Actions...
Generating Transitive Closure of Used-action List...
Processing /usr/share/shorewall/action.Drop for Chain Drop...
..Expanding Macro /usr/share/shorewall/macro.Auth...
Rule "REJECT - - tcp 113 - -" checked.
..End Macro
Rule "dropBcast " checked.
..Expanding Macro /usr/share/shorewall/macro.AllowICMPs...
Rule "ACCEPT - - icmp fragmentation-needed - -" checked.
Rule "ACCEPT - - icmp time-exceeded - -" checked.
..End Macro
Rule "dropInvalid " checked.
..Expanding Macro /usr/share/shorewall/macro.SMB...
Rule "DROP - - udp 135,445 - -" checked.
Rule "DROP - - udp 137:139 - -" checked.
Rule "DROP - - udp 1024: 137 -" checked.
Rule "DROP - - tcp 135,139,445 - -" checked.
..End Macro
..Expanding Macro /usr/share/shorewall/macro.DropUPnP...
Rule "DROP - - udp 1900 - -" checked.
..End Macro
Rule "dropNotSyn - - tcp " checked.
..Expanding Macro /usr/share/shorewall/macro.DropDNSrep...
Rule "DROP - - udp - 53 -" checked.
..End Macro
Processing /usr/share/shorewall/action.Reject for Chain Reject...
..Expanding Macro /usr/share/shorewall/macro.Auth...
Rule "REJECT - - tcp 113 - -" checked.
..End Macro
Rule "dropBcast " checked.
..Expanding Macro /usr/share/shorewall/macro.AllowICMPs...
Rule "ACCEPT - - icmp fragmentation-needed - -" checked.
Rule "ACCEPT - - icmp time-exceeded - -" checked.
..End Macro
Rule "dropInvalid " checked.
..Expanding Macro /usr/share/shorewall/macro.SMB...
Rule "REJECT - - udp 135,445 - -" checked.
Rule "REJECT - - udp 137:139 - -" checked.
Rule "REJECT - - udp 1024: 137 -" checked.
Rule "REJECT - - tcp 135,139,445 - -" checked.
..End Macro
..Expanding Macro /usr/share/shorewall/macro.DropUPnP...
Rule "DROP - - udp 1900 - -" checked.
..End Macro
Rule "dropNotSyn - - tcp " checked.
..Expanding Macro /usr/share/shorewall/macro.DropDNSrep...
Rule "DROP - - udp - 53 -" checked.
..End Macro
Masqueraded Networks and Hosts:
To 0.0.0.0/0 (all) from 192.168.1.0/24 through ppp0
Validating /etc/shorewall/tcdevices...
Validating /etc/shorewall/tcclasses...
Configuration Validated
Notice: The 'check' command is provided to catch
obvious errors in a Shorewall configuration.
It is not designed to catch all possible errors
so please don't submit problem reports about
error conditions that 'check' doesn't find
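shorewall check validates syntax, not intent: it happily accepted the ACCEPT net fw tcp 22 rule above. The following is an added example (not from the page and not part of Shorewall) of the kind of review pass worth running over /etc/shorewall/rules before a start: it flags every rule whose SOURCE zone is net (the page's own name for the ppp0 zone) and whose ACTION admits traffic. The sample rules file is constructed from the rules listed in the check output, with one invented DNAT line (host 192.168.1.10 is made up) added to show that port forwards are caught as well.

```sh
#!/bin/sh
# Added example, not from the page or from Shorewall: flag rules in a
# Shorewall 3.x rules file that let traffic in from the untrusted "net"
# zone, so they can be reviewed before "shorewall start".
# The sample is constructed from the rules in the check output above
# (columns: ACTION SOURCE DEST PROTO DEST-PORT), plus one invented DNAT
# line; the host 192.168.1.10 is made up for the example.

SAMPLE_RULES='#ACTION  SOURCE  DEST              PROTO  DEST-PORT
ACCEPT   net     fw                tcp    22
ACCEPT   fw      net               udp    53
ACCEPT   fw      net               tcp    53
ACCEPT   fw      net               tcp    80
ACCEPT   dmz     fw                udp    53
ACCEPT   dmz     fw                tcp    80
DNAT     net     dmz:192.168.1.10  tcp    80
'

# Reads rules-file contents on stdin and prints every rule whose SOURCE
# zone is "net" and whose ACTION admits traffic (ACCEPT, DNAT, REDIRECT,
# with or without a ":loglevel" suffix). Comment and blank lines are
# skipped; a "net:1.2.3.4" qualifier still counts as source zone "net".
# Exit status is 1 when anything was flagged, so it can gate a start.
audit_net_inbound() {
    awk '
        /^[[:space:]]*(#|$)/ { next }
        {
            action = $1
            src = $2
            sub(/:.*/, "", src)
            if (src == "net" && action ~ /^(ACCEPT|DNAT|REDIRECT)(:|$)/) {
                found++
                print "EXPOSED: " $0
            }
        }
        END { exit (found > 0 ? 1 : 0) }'
}

# Typical use on the router (path assumed):
#   audit_net_inbound < /etc/shorewall/rules || echo "review before start"
```

Run against the sample it reports the SSH rule and the DNAT line and exits 1; every fw-to-net and dmz-to-fw rule passes silently. A DROP or REJECT from net is not reported, and rules from other zones are out of scope on purpose: the point is to make inbound exposure visible, not to re-implement the policy table.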