Why do you call it "Shorewall"?
What distributions does it work with?
I added the following rule and now I can't surf the internet from my local systems
I've installed Shorewall and now I can't ping through the firewall
Where are the log messages written and how do I change the destination?
When I try to start Shorewall on RedHat 7.2, I get messages about insmod failing -- what's wrong?
Why does Shorewall only accept IP addresses as opposed to FQDNs?
The first example in the rules file documentation shows how to do port forwarding under Shorewall. Assuming that you have a dynamic external IP address, the format of a port-forwarding rule to a local system is as follows:
ACCEPT net local:<local IP address> <protocol> <port #> - all
So to forward UDP port 7777 to internal system 192.168.1.5, the rule is:
ACCEPT net local:192.168.1.5 udp 7777 - all
If you want to forward requests directed to a particular <external ip> to an internal system:
ACCEPT net local:<local IP address> <protocol> <port #> - <external ip>
That is usually the result of one of two things:
- You are trying to test from inside your firewall (no, that won't work -- see FAQ #2).
- You have a more basic problem with your local system such as an incorrect default gateway configured (it should be set to the IP address of your firewall's internal interface).
I have two objections to this setup.
- Having an internet-accessible server in your local network is like raising foxes in the corner of your hen house. If the server is compromised, there's nothing between that server and your other internal systems. For the cost of another NIC and a cross-over cable, you can put your server in a DMZ such that it is isolated from your local systems - assuming that the Server can be located near the Firewall, of course :-)
- The accessibility problem is best solved using Bind Version 9 "views" such that www.mydomain.com resolves to 130.141.100.69 externally and 192.168.1.5 internally. That's what I do here at shorewall.net for my local systems that use static NAT.
If you insist on an IP solution to the accessibility problem rather than a DNS solution, then assuming that your internal interface is eth1 and your internal network is 192.168.1.0/24, do the following:
a) In /etc/shorewall/interfaces, specify "multi" as an option for eth1.
b) In /etc/shorewall/masq, add:
eth1 192.168.1.0/24
c) In /etc/shorewall/rules, add:
ACCEPT local local:192.168.1.5 tcp www - 130.151.100.69
This is another problem that is best solved using Bind Version 9 "views". It allows both external and internal clients to access a NATed host using the host's DNS name.
Another good way to approach this problem is to switch from static NAT to Proxy ARP. That way, the hosts in Z have non-RFC1918 addresses and can be accessed externally and internally using the same address.
If you don't like those solutions and prefer routing all Z->Z traffic through your firewall then:
a) Specify "multi" on the entry for Z's interface in /etc/shorewall/interfaces.
b) Set the Z->Z policy to ACCEPT.
c) Masquerade Z to itself.
Example:
Zone: dmz
Interface: eth2
Subnet: 192.168.2.0/24
In /etc/shorewall/interfaces:
dmz eth2 192.168.2.255 multi
In /etc/shorewall/policy:
dmz dmz ACCEPT
In /etc/shorewall/masq:
eth2 192.168.2.0/24
There is an H.323 connection tracking/NAT module that may help. Also check the Netfilter mailing list archives at http://netfilter.samba.org.
That rule says that any traffic from the local network for TCP port 80 regardless of which host it is addressed to (yes, that's what the 'all' means) should be forwarded to system 10.0.0.5 in the DMZ. The solution is to remove the "all".
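To make the rules-file columns concrete, here is an added shell example (not Shorewall's own code) that translates a port-forwarding rule of the form shown in the first answer into the netfilter DNAT and FORWARD commands it amounts to. The zone-to-interface mapping (net=eth0, local=eth1, dmz=eth2) is an assumption; run against the "all"-from-local rule just discussed, it shows why every outbound port-80 connection gets redirected.

```shell
#!/bin/sh
# Added illustration, not Shorewall's generated code: expand a Shorewall 1.2
# rule "ACTION SOURCE DEST PROTO DEST_PORT SOURCE_PORT ORIGINAL_DEST"
# into one nat-table (PREROUTING) and one filter-table (FORWARD) command.
# Assumed zone-to-interface mapping: net=eth0, local=eth1, dmz=eth2.

zone_iface() {
    case "$1" in
        net)   echo eth0 ;;
        local) echo eth1 ;;
        dmz)   echo eth2 ;;
        *) echo "unknown zone: $1" >&2; return 1 ;;
    esac
}

rule_to_iptables() {
    set -- $1   # split the rule line into its seven columns
    action=$1 src=$2 dst=$3 proto=$4 dport=$5 sport=$6 odest=$7
    [ "$action" = ACCEPT ] || { echo "only ACCEPT shown" >&2; return 1; }
    in_if=$(zone_iface "$src") || return 1
    dzone=${dst%%:*}            # zone part of "zone:host"
    dhost=${dst#*:}             # host part of "zone:host"
    out_if=$(zone_iface "$dzone") || return 1
    [ "$dst" != "$dzone" ] || { echo "no DNAT target host in DEST" >&2; return 1; }
    match="-i $in_if -p $proto --dport $dport"
    [ "$sport" = "-" ] || match="$match --sport $sport"
    nat_match="$match"
    # "all" means: whatever address the packet was originally sent to.
    # A specific ORIGINAL_DEST becomes a -d match in PREROUTING, so only
    # traffic aimed at that external address is rewritten.
    [ "$odest" = all ] || nat_match="$nat_match -d $odest"
    echo "iptables -t nat -A PREROUTING $nat_match -j DNAT --to-destination $dhost"
    echo "iptables -A FORWARD $match -o $out_if -d $dhost -j ACCEPT"
}

# The page's UDP 7777 example, then the "all"-from-local rule that breaks
# web surfing: its nat command carries no -d match, so the LAN's every
# port-80 connection, internet-bound or not, is sent to the DMZ host.
rule_to_iptables "ACCEPT net local:192.168.1.5 udp 7777 - all"
rule_to_iptables "ACCEPT local dmz:10.0.0.5 tcp 80 - all"
```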
If you want your firewall to be totally open for "ping":
a) Do NOT specify 'noping' on any interface in /etc/shorewall/interfaces.
b) Copy /etc/shorewall/icmp.def to /etc/shorewall/icmpdef
c) Add the following to /etc/shorewall/icmpdef:
run_iptables -A icmpdef -p ICMP --icmp-type echo-request -j ACCEPT
NetFilter uses the kernel's equivalent of syslog (see "man syslog") to log messages. It always uses the LOG_KERN (kern) facility (see "man openlog") and you get to choose the log level (again, see "man syslog") in your policies and rules. The destination for messages logged by syslog is controlled by /etc/syslog.conf (see "man syslog.conf"). When you have changed /etc/syslog.conf, be sure to restart syslogd (on a RedHat system, "service syslog restart").
By default, Shorewall rate-limits log messages through settings in /etc/shorewall/shorewall.conf -- If you want to log all messages (beware of DOS attacks!), set:
LOGLIMIT=""
LOGBURST=""
Here are a couple of links that may be helpful:
http://www.fireparse.com
http://cert.uni-stuttgart.de/projects/fwlogwatch
The 'stop' command is intended to place your firewall into a safe state whereby only those interfaces/hosts having the 'routestopped' option in /etc/shorewall/interfaces and /etc/shorewall/hosts are activated. If you want to totally open up your firewall, you must use the 'shorewall clear' command.
The output you will see looks something like this:
/lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: init_module: Device or resource busy
Hint: insmod errors can be caused by incorrect module parameters, including invalid IO or IRQ parameters
/lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: insmod /lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o failed
/lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: insmod ip_tables failed
iptables v1.2.3: can't initialize iptables table `nat': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
This is usually cured by the following sequence of commands:
service ipchains stop
chkconfig --delete ipchains
rmmod ipchains
Also, be sure to check the errata for problems concerning the version of iptables (v1.2.3) shipped with RH7.2.
I'm trying to protect people from themselves. If your firewall rules include FQDNs then:
- If your /etc/resolv.conf is wrong then your firewall won't start.
- If your /etc/nsswitch.conf is wrong then your firewall won't start.
- If your Name Server(s) is(are) down then your firewall won't start.
- Factors totally outside your control (your ISP's router is down, for example) can prevent your firewall from starting.
Shorewall works with any Linux distribution that includes the proper prerequisites.
See the Shorewall Feature List.
I'm working on one as time permits.
Shorewall is a concatenation of "Shoreline" (the city where I live) and "Firewall".
Last updated 3/9/2002 - Tom Eastep