[opensuse] Shorewall (was; Re: [opensuse] Martin Glötzl-Koch STOP BOUNCING LIST MAIL)

On Sat, 03 Mar, 2007 at 12:23:10 +0100, Sandy Drobic wrote:

<snip>

Can you set up rules for outgoing traffic in Shorewall?

Certainly, and quite easily too. I'll refrain from quoting documentation
(too much) and instead you try to give a short high-vantagepoint view:

Shorewall uses the concept of 'zones'. Nothing works without them, but you
can basically make as many as you want.

Interfaces are associated with a zone, and traffic can be
allowed/dropped/rejected/nat'ed/proxyarp'ed/etc'ed between zones in more or
less any fashion you can think of.

Usually a 'single-interface' installation would have just two zones; 'net'
and 'fw'. A typical two-interface 'router' setup would have three zones;
net, fw and lan.

Basically you define a set of policies, and then set up exceptions in the
'rules' file, which has a pretty simple and (to me at least) intuitive
layout:

<quote>
# Example: You want to accept SSH connections to your firewall only
# from internet IP addresses 130.252.100.69 and
# 130.252.100.70
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST
# ACCEPT net:130.252.100.69,130.252.100.70 $FW tcp 22
</quote>

So to permanently drop specific 'outgoing' traffic it would be something
like;

DROP lan net tcp 1863

-in /etc/shorewall/rules, followed by

shorewall restart

As such Shorewall is 'just' a bunch of shell-scripts which parse the
config-files to 'compile' iptables statements. This means that it will run
on just about anything, even if it may take a while to complete on 'skinny'
hardware.

In order to alleviate this, Shorewall now includes a 'just read the config
and output the iptables statements to a file' option. This way you can have
Shorewall create the actual configuration. The created file can then be
reused on subsequent boots, where it will just be executed without any
parsing at all.

I'm by no means an iptables authority, and I'll probably never become one
either.

This doesn't mean that I don't sometimes want or need firewall
configurations more complex than what SuSEfirewall (f.x.) has to offer. What
is *does* mean, however, is that the need to add custom iptables rules to
some local firewall file invariably makes me shake my head and wonder:

"What's the point of having something like SuSEfirewall, if it *still* means
that I have to write 'raw' iptables?"

Personally I wish SuSE would just drop SuSEfirewall, and include Shorewall
instead. I don't expect it to happen anytime soon though, so I recently went
ahead and repackaged the rpm to match the SuSE environment.

Since I'm no rpm expert either I'm not going to 'publish' said rpms, as they
probably contain packaging errors. Still, if someone wants to check them
out, contact me privately.

/Jon
--
YMMV
--
To unsubscribe, e-mail: opensuse+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: opensuse+help@xxxxxxxxxxxx

Relevant Pages

  • Re: Two elementary questions on LANs
    ... I am running shorewall on my server, ... and I forgot to turn iptables off. ... and specify the name servers. ... The application, NM, isn't editing a config file without your ...
    (Fedora)
  • Re: Two elementary questions on LANs
    ... I am running shorewall on my server, ... and I forgot to turn iptables off. ... Whenever I see mentions of "turning firewall off," that's a red flag, to ... or is it a configurator for ...
    (Fedora)
  • Re: Starting shorewall
    ... You also need to "chkconfig shorewall on", ... "chkconfig iptables off", ... service iptables start ...
    (Fedora)
  • Re: some reality about iptables, please
    ... > iptables directly IMHO. ... I've also used SuSE, which is great, but the same or worse than Red Hat. ... How much study does it take for me to know enough about shorewall, ... fwbuider, firestarter, etc. to know it will solve my problems, how to ...
    (Debian-User)
  • Re: some reality about iptables, please
    ... >> iptables directly IMHO. ... firewall than to use shorewall. ... > vmnet1 as a bridge to the host filesystem via samba. ...
    (Debian-User)