Update of /cvsroot/leaf/doc/guide/install-bering-uclibc
In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv30495

Added Files:
        buci-shorwall.xml 
Log Message:
new chapter about configuring shorewall.
adopted from Jacques Bering Guide

This is not the final version.


--- NEW FILE: buci-shorwall.xml ---
<?xml version="1.0" encoding="UTF-8"?>
<chapter id="buci-shorwall">
  <title>Configure Shorewall</title>

  <para>One of the distinctive features of LEAF Bering-uClibc (introduced with
  Bering) is that it relies on <ulink
url="http://www.shorewall.net/">Shorewall</ulink>
  to provide its firewall facility.</para>

  <para>The reasons behind this choice are numerous:</para>

  <itemizedlist>
    <listitem>
      <para><ulink url="http://www.shorewall.net/">Shorewall</ulink> is an
      <ulink url="http://www.netfilter.org/">iptables</ulink>-based firewall
      which offers many features (Masquerading/SNAT, Port forwarding, Static
      NAT, Proxy ARP, VPN support, Traffic Control/Shaping) which are
      described in greater detail <ulink
      url="http://www.shorewall.net/shorewall_features.htm">here</ulink>.</para>
    </listitem>

    <listitem>
      <para>It is a very powerful tool with which it is &#34;simple to do
      simple things&#34; but which also offers a great flexibility.</para>
    </listitem>

    <listitem>
      <para>It is very well documented. I strongly recommend that you print
      out the full documentation, available in PDF format in the Shorewall
      <ulink url="http://www.shorewall.net/pub/shorewall">download area</ulink>,
      and that you spend the time to understand the concepts behind it. A
      worthwhile effort!</para>
    </listitem>

    <listitem>
      <para>It has a nice <ulink
      url="http://www.shorewall.net/shorewall_quickstart_guide.htm">QuickStart
      Guide</ulink> which will allow the reader to quickly grasp the basics. A
      prerequisite reading!</para>
    </listitem>

    <listitem>
      <para>It has tremendous support from its developer, Tom Eastep,
      who replies very quickly to requests addressed to the <ulink
      url="http://www.shorewall.net/mailing_list.htm">shorewall users&#39;
      mailing list</ulink>. Mail archives are also available and searchable.</para>
    </listitem>
  </itemizedlist>

  <para>The shorwall.lrp package provided with the Bering-uClibc distro is built
  as follows:</para>

  <itemizedlist>
    <listitem>
      <para>Download the latest shorewall-x.y.lrp package from Tom&#39;s
      <ulink url="http://www.shorewall.net/pub/shorewall/">download area</ulink>
      and rename it shorwall.lrp.</para>
    </listitem>

    <listitem>
      <para>Download either the <ulink
      url="http://www.shorewall.net/pub/shorewall/LATEST.samples/two-interfaces.tgz">Two-interfaces</ulink>
      Masquerading Firewall or the <ulink
      url="http://www.shorewall.net/pub/shorewall/LATEST.samples/three-interfaces.tgz">Three-interfaces</ulink>
      Masquerading Firewall with DMZ sample, depending on your own situation. It
      provides you with a default setup for the interfaces, masq, policy,
      rules and zones files, which replace those provided
      in Tom&#39;s original package.</para>
    </listitem>

    <listitem>
      <para>Add two statements to the &#34;rules&#34; file in order to allow
      queries to the DNS cache and weblet servers from the internal network. See
      below.</para>
    </listitem>

    <listitem>
      <para>Replace every &#34;info&#34; log level in the rules and config files
      with &#34;ULOG&#34;, as explained <ulink
url="http://www.shorewall.net/shorewall_logging.html">here</ulink>,
      so that Shorewall&#39;s log output is delivered through the ulogd daemon.</para>
    </listitem>

    <listitem>
      <para>These four steps let you rebuild shorwall.lrp for your own
      Bering-uClibc distro whenever a more recent Shorewall version is
      released.</para>
  </itemizedlist>
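  <para>Steps 2 to 4 above are mechanical, so here they are as a script. This
  is an added example, not the LEAF project&#39;s own build script and not part
  of Shorewall. It assumes the shorewall-x.y.lrp tarball has already been
  unpacked into a directory (Shorewall keeps its files under etc/shorewall/)
  and the two-interfaces sample into another; the file names, the directory
  layout and the sample contents used by demo() are constructed stand-ins.
  Repacking the tree with tar and renaming it shorwall.lrp is left to the
  reader. Only whole-word &#34;info&#34; on non-comment lines is rewritten to
  ULOG, so the word &#34;information&#34; in a comment is not damaged, and the
  two Bering rules are placed above the &#34;#LAST LINE&#34; marker, where
  Shorewall&#39;s files expect user entries.</para>

```python
import os
import re
import shutil
import tempfile

# The five files the two-interfaces sample supplies (step 2 of the chapter).
SAMPLE_FILES = ("interfaces", "masq", "policy", "rules", "zones")

# The two rules Bering-uClibc adds to the sample rules file (step 3).
BERING_RULES = """\
#
# Bering specific rules:
# allow loc to fw udp/53 for dnscache to work
# allow loc to fw tcp/80 for weblet to work
#
ACCEPT          loc             fw              udp     53
ACCEPT          loc             fw              tcp     80
"""

LAST_LINE_RE = re.compile(r"^#LAST LINE")
# 'info' only as a whole word, so 'information' inside a comment is not hit.
INFO_LEVEL_RE = re.compile(r"\binfo\b")


def install_samples(pkgdir, sampledir):
    """Step 2: the sample files replace those shipped in the package."""
    for name in SAMPLE_FILES:
        shutil.copyfile(os.path.join(sampledir, name),
                        os.path.join(pkgdir, "etc", "shorewall", name))


def insert_before_last_line(path, text):
    """Step 3: put `text` just above the '#LAST LINE ...' marker, where
    Shorewall's files expect user entries to go."""
    with open(path) as f:
        lines = f.readlines()
    for i, line in enumerate(lines):
        if LAST_LINE_RE.match(line):
            lines[i:i] = text.splitlines(keepends=True)
            break
    else:
        raise ValueError("no '#LAST LINE' marker in %s" % path)
    with open(path, "w") as f:
        f.writelines(lines)


def info_to_ulog(path):
    """Step 4: the syslog level 'info' becomes 'ULOG' so ulogd receives the
    log entries.  Comment lines are left alone; returns lines changed."""
    changed, out = 0, []
    with open(path) as f:
        for line in f:
            if not line.lstrip().startswith("#") and INFO_LEVEL_RE.search(line):
                line = INFO_LEVEL_RE.sub("ULOG", line)
                changed += 1
            out.append(line)
    with open(path, "w") as f:
        f.writelines(out)
    return changed


def customize(pkgdir, sampledir):
    """Steps 2 to 4 on an unpacked package tree; returns lines changed per file."""
    conf = os.path.join(pkgdir, "etc", "shorewall")
    install_samples(pkgdir, sampledir)
    insert_before_last_line(os.path.join(conf, "rules"), BERING_RULES)
    return {name: info_to_ulog(os.path.join(conf, name))
            for name in ("policy", "rules", "shorewall.conf")}


def demo():
    """Constructed stand-ins for the real tarballs (not Shorewall's files):
    a package tree holding a shorewall.conf and a sample directory."""
    work = tempfile.mkdtemp()
    pkg = os.path.join(work, "pkg")
    conf = os.path.join(pkg, "etc", "shorewall")
    samples = os.path.join(work, "two-interfaces")
    os.makedirs(conf)
    os.makedirs(samples)
    with open(os.path.join(conf, "shorewall.conf"), "w") as f:
        f.write("# Log level for information about unclean packets\n"
                "LOGUNCLEAN=info\n")
    marker = "#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE\n"
    sample = {
        "zones": "net Net Internet\nloc Local Local networks\n" + marker,
        "interfaces": "net eth0 detect dhcp,routefilter,norfc1918\nloc eth1 detect\n" + marker,
        "policy": "loc net ACCEPT\nnet all DROP info\nall all REJECT info\n" + marker,
        "rules": "ACCEPT loc fw tcp 22\nACCEPT net fw icmp 8\n" + marker,
        "masq": "eth0 eth1\n" + marker,
    }
    for name, text in sample.items():
        with open(os.path.join(samples, name), "w") as f:
            f.write(text)
    changed = customize(pkg, samples)
    with open(os.path.join(conf, "rules")) as f:
        rules = f.read()
    with open(os.path.join(conf, "policy")) as f:
        policy = f.read()
    shutil.rmtree(work)
    return changed, rules, policy
```

  <para>demo() returns the per-file change counts together with the rewritten
  rules and policy texts; on a real package tree call customize(pkgdir,
  sampledir) directly and then inspect etc/shorewall/ before repacking.</para>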

  <important>
    <para>Bering-uClibc&#39;s shorwall.lrp package is provided by default with
    the Two-interfaces Masquerading Firewall and the two extra rules
    mentioned earlier. This setup assumes that eth0 is connected to the
    Internet via a dynamic IP and that your local network is interfaced
    through eth1.</para>
  </important>

  <para>To configure Shorewall, start the LEAF packages configuration menu and
  choose shorwall. The following menu will appear:</para>

  <screen>
                        shorwall configuration files

        1) <ulink url="http://www.shorewall.net/Documentation.htm#Variables">Params</ulink>    Assign parameter values
        2) <ulink url="http://www.shorewall.net/Documentation.htm#Zones">Zones</ulink>     Partition the network into Zones
        3) <ulink url="http://www.shorewall.net/Documentation.htm#Interfaces">Ifaces</ulink>    Shorewall Networking Interfaces
        4) <ulink url="http://www.shorewall.net/Documentation.htm#Hosts">Hosts</ulink>     Define specific zones
        5) <ulink url="http://www.shorewall.net/Documentation.htm#Policy">Policy</ulink>    Firewall high-level policy
        6) <ulink url="http://www.shorewall.net/Documentation.htm#Rules">Rules</ulink>     Exceptions to policy
        7) <ulink url="http://www.shorewall.net/Documentation.htm#Maclist">Maclist</ulink>   MAC Verification
        8) <ulink url="http://www.shorewall.net/Documentation.htm#Masq">Masq</ulink>      Internal MASQ Server Configuration
        9) <ulink url="http://www.shorewall.net/Documentation.htm#ProxyArp">ProxyArp</ulink>  Proxy ARP Configuration
        10) <ulink url="http://www.shorewall.net/Documentation.htm#Routestopped">Stopped</ulink>   Hosts admitted after &#39;shorewall stop&#39;
        11) <ulink url="http://www.shorewall.net/Documentation.htm#Nat">Nat</ulink>       Static NAT Configuration
        12) <ulink url="http://www.shorewall.net/Documentation.htm#Tunnels">Tunnels</ulink>   Tunnel Definition (ipsec)
        13) <ulink url="http://www.shorewall.net/traffic_shaping.htm#tcrules">TCRules</ulink>   FWMark Rules
        14) <ulink url="http://www.shorewall.net/Documentation.htm#Conf">Config</ulink>    Shorewall Global Parameters
        15) <ulink url="http://www.shorewall.net/Documentation.htm#Modules">Modules</ulink>   Netfilter modules to load
        16) <ulink url="http://www.shorewall.net/Documentation.htm#TOS">TOS</ulink>       Type of Service policy
        17) <ulink url="http://www.shorewall.net/Documentation.htm#Blacklist">Blacklist</ulink> Blacklisted hosts
        18) <ulink url="http://www.shorewall.net/Documentation.htm#ECN">ECN</ulink>       Disable ECN to hosts and networks
        19) <ulink url="http://www.shorewall.net/shorewall_extension_scripts.htm">Init</ulink>      Commands executed before [re]start
        20) <ulink url="http://www.shorewall.net/shorewall_extension_scripts.htm">Start</ulink>     Commands executed after [re]start
        21) <ulink url="http://www.shorewall.net/shorewall_extension_scripts.htm">Stop</ulink>      Commands executed before stop
        22) <ulink url="http://www.shorewall.net/shorewall_extension_scripts.htm">Stopped</ulink>   Commands executed after stop
        23) <ulink url="http://www.shorewall.net/Accounting.htm">Account</ulink>   Traffic Accounting Rules
        24) <ulink url="http://www.shorewall.net/User_defined_Actions.html">Actions</ulink>   Define user actions

  q) quit
  ----------------------------------------------------------------------------
        Selection:
  </screen>

  <para>Check the hyperlinks above, the <ulink
  url="http://www.shorewall.net/shorewall_quickstart_guide.htm">Quickstart
  Guide</ulink> or the Shorewall <ulink
url="http://www.shorewall.net/shorewall_quickstart_guide.htm#Documentation">documentation</ulink>
  for a full explanation of those configuration files.</para>

  <para>Four files absolutely must be checked to make sure they fit your
  needs:</para>

  <para>A) The <filename>zones</filename> file (entry 2). For a two-interface
  setup - Bering-uClibc&#39;s default - it looks like:</para>

  <screen>
#ZONE   DISPLAY         COMMENTS
net     Net             Internet
loc     Local           Local networks
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
</screen>

  <para>B) The <filename>interfaces</filename> file (entry 3) defines your
  interfaces. The default in Bering-uClibc is:</para>

  <screen>
(...)
#ZONE   INTERFACE       BROADCAST       OPTIONS
net     eth0            detect          dhcp,routefilter,norfc1918
loc     eth1            detect
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
</screen>

  <para>C) The <filename>rules</filename> file (entry 6) is one of the most
  important files in Shorewall. Here is the one from Bering-uClibc:</para>

  <screen>
(...)
##############################################################################
#ACTION         SOURCE          DEST            PROTO   DEST    SOURCE  ORIGINAL
#                                                       PORT    PORT(S) DEST
#
#       Accept DNS connections from the firewall to the network
#
ACCEPT          fw              net             tcp     53
ACCEPT          fw              net             udp     53
#
#       Accept SSH connections from the local network for administration
#
ACCEPT          loc             fw              tcp     22
#
#       Allow Ping To And From Firewall
#
ACCEPT          loc             fw              icmp    8
ACCEPT          net             fw              icmp    8
ACCEPT          fw              loc             icmp    8
ACCEPT          fw              net             icmp    8
#
# Bering specific rules:
# allow loc to fw udp/53 for dnscache to work
# allow loc to fw tcp/80 for weblet to work
#
ACCEPT          loc             fw              udp     53
ACCEPT          loc             fw              tcp     80
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
</screen>

  <para>As you can see above, two rules have been added to the
  two-interfaces file. They allow:</para>

  <itemizedlist>
    <listitem>
      <para>UDP requests from the local network (loc) to the firewall (fw) on
      port 53. This is the port on which the DNS cache (dnsmasq in
      Bering-uClibc; the comment in the rules file still names Bering&#39;s
      dnscache) listens for DNS requests coming from the internal network.</para>
    </listitem>

    <listitem>
      <para>TCP requests from the local network (loc) to the firewall (fw) on
      port 80. This is the port used by weblet for its web server.</para>
    </listitem>
  </itemizedlist>

  <para>D) Finally, the <filename>masq</filename> file (entry 8). In
  Bering-uClibc it looks like:</para>

  <screen>
(...)
#INTERFACE              SUBNET
eth0                    eth1
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
</screen>
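  <para>The four files reference each other (the interfaces and rules files
  name zones, the masq file names interfaces), so after editing them it is
  worth cross-checking the set before restarting Shorewall. The following
  checker is an added example, not part of the Bering-uClibc guide or of
  Shorewall. The four file bodies embedded in it are the ones shown in this
  chapter, minus the &#34;(...)&#34; placeholders, and serve as constructed
  input; it assumes Shorewall&#39;s whitespace-separated column layout, the
  built-in zone names fw and all, and qualifiers of the form zone:address.
  Besides consistency, it flags any ACCEPT from net to fw other than ICMP
  echo-request, since such a rule exposes a service on the firewall to the
  Internet, and it reports the two Bering rules if they are missing.</para>

```python
import re

# Constructed copies of the four files shown in the chapter.
ZONES = """\
#ZONE   DISPLAY         COMMENTS
net     Net             Internet
loc     Local           Local networks
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
"""
INTERFACES = """\
#ZONE   INTERFACE       BROADCAST       OPTIONS
net     eth0            detect          dhcp,routefilter,norfc1918
loc     eth1            detect
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
"""
RULES = """\
#ACTION         SOURCE          DEST            PROTO   DEST    SOURCE  ORIGINAL
ACCEPT          fw              net             tcp     53
ACCEPT          fw              net             udp     53
ACCEPT          loc             fw              tcp     22
ACCEPT          loc             fw              icmp    8
ACCEPT          net             fw              icmp    8
ACCEPT          fw              loc             icmp    8
ACCEPT          fw              net             icmp    8
ACCEPT          loc             fw              udp     53
ACCEPT          loc             fw              tcp     80
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
"""
MASQ = """\
#INTERFACE              SUBNET
eth0                    eth1
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
"""

BUILTIN_ZONES = {"fw", "all"}
# Rules the Bering-uClibc services rely on: (source, dest, proto, port).
REQUIRED_RULES = {("loc", "fw", "udp", "53"), ("loc", "fw", "tcp", "80")}
NETWORK_RE = re.compile(r"^\d+\.\d+\.\d+\.\d+(/\d+)?$")


def records(text):
    """Yield the whitespace-separated columns of each non-comment line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line.split()


def zone_of(spec):
    """Strip qualifiers such as 'net:192.0.2.0/24' or 'loc:eth1' to the zone."""
    return spec.split(":", 1)[0]


def check(zones=ZONES, interfaces=INTERFACES, rules=RULES, masq=MASQ):
    """Return a list of problems; an empty list means the set is consistent."""
    problems = []
    defined = {rec[0] for rec in records(zones)} | BUILTIN_ZONES

    ifaces = {}                       # interface name -> zone
    for rec in records(interfaces):
        zone, iface = rec[0], rec[1]
        if zone not in defined:
            problems.append("interfaces: zone %r not in zones file" % zone)
        ifaces[iface] = zone

    seen = set()
    for rec in records(rules):
        if len(rec) in (1, 2):
            problems.append("rules: short line %r" % " ".join(rec))
            continue
        action = rec[0].split(":", 1)[0]          # 'ACCEPT:ULOG' -> 'ACCEPT'
        src, dst = zone_of(rec[1]), zone_of(rec[2])
        proto = rec[3] if len(rec) >= 4 else "all"
        port = rec[4] if len(rec) >= 5 else "any"
        for z in (src, dst):
            if z not in defined:
                problems.append("rules: zone %r not in zones file" % z)
        seen.add((src, dst, proto, port))
        # Anything accepted from the Internet to the firewall other than
        # echo-request is a listening service exposed to the world.
        if action == "ACCEPT" and src == "net" and dst == "fw" \
                and not (proto == "icmp" and port == "8"):
            problems.append("rules: %s/%s exposed to net" % (proto, port))
    for req in sorted(REQUIRED_RULES - seen):
        problems.append("rules: missing Bering rule %s" % (req,))

    for rec in records(masq):
        ext, inner = zone_of(rec[0]), rec[1]
        if ifaces.get(ext) != "net":
            problems.append("masq: %r is not the net interface" % ext)
        if inner not in ifaces and not NETWORK_RE.match(inner):
            problems.append("masq: SUBNET %r is neither an interface nor a network" % inner)
    return problems
```

  <para>check() with no arguments runs over the chapter&#39;s own files and
  returns an empty list; pass the text of your edited files to check a
  modified set, for instance after adding a dmz zone for the three-interface
  sample, where a zone used in interfaces but forgotten in zones is reported.</para>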

  <important>
    <para>If you change any of the Shorewall parameters, remember to back up
    shorwall.lrp, otherwise your changes will not survive a reboot!</para>
  </important>
</chapter>


_______________________________________________
leaf-cvs-commits mailing list
https://lists.sourceforge.net/lists/listinfo/leaf-cvs-commits