Update of /cvsroot/leaf/doc/guide/install-bering-uclibc
In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv30495
Added Files:
	buci-shorwall.xml
Log Message:
new chapter about configuring shorewall. Adopted from Jacques' Bering Guide. This is not the final version.

--- NEW FILE: buci-shorwall.xml ---
<?xml version="1.0" encoding="UTF-8"?>
<chapter id="buci-shorwall">
  <title>Configure Shorewall</title>

  <para>One of the distinctive features of LEAF Bering-uClibc (introduced with Bering) is that it relies on <ulink url="http://www.shorewall.net/">Shorewall</ulink> to provide its firewall facility.</para>

  <para>The reasons behind this choice are numerous:</para>

  <itemizedlist>
    <listitem>
      <para><ulink url="http://www.shorewall.net/">Shorewall</ulink> is an <ulink url="http://www.netfilter.org/">iptables</ulink>-based firewall which offers many features (Masquerading/SNAT, port forwarding, static NAT, Proxy ARP, VPN support, traffic control/shaping), which are described in greater detail <ulink url="http://www.shorewall.net/shorewall_features.htm">here</ulink>.</para>
    </listitem>
    <listitem>
      <para>It is a very powerful tool with which it is "simple to do simple things" but which also offers great flexibility.</para>
    </listitem>
    <listitem>
      <para>It is very well documented. I strongly recommend that you print out the full documentation, available in PDF format in the Shorewall <ulink url="http://www.shorewall.net/pub/shorewall">download area</ulink>, and that you spend the time to understand the concepts behind it. A worthwhile effort!</para>
    </listitem>
    <listitem>
      <para>It has a nice <ulink url="http://www.shorewall.net/shorewall_quickstart_guide.htm">QuickStart Guide</ulink> which will allow the reader to quickly grasp the basics. A prerequisite reading!</para>
    </listitem>
    <listitem>
      <para>It has tremendous support from its developer, Tom Eastep, who replies very quickly to requests addressed to the <ulink url="http://www.shorewall.net/mailing_list.htm">shorewall users' mailing list</ulink>. Mail archives are also available and searchable.</para>
    </listitem>
  </itemizedlist>

  <para>The shorwall.lrp package provided with the Bering-uClibc distro is built as follows:</para>

  <itemizedlist>
    <listitem>
      <para>Download the latest shorewall-x.y.lrp package from Tom's <ulink url="http://www.shorewall.net/pub/shorewall/">download area</ulink> and rename it shorwall.lrp.</para>
    </listitem>
    <listitem>
      <para>Download either the <ulink url="http://www.shorewall.net/pub/shorewall/LATEST.samples/two-interfaces.tgz">Two-interfaces</ulink> Masquerading Firewall or the <ulink url="http://www.shorewall.net/pub/shorewall/LATEST.samples/three-interfaces.tgz">Three-interfaces</ulink> Masquerading Firewall with DMZ, depending on your own situation. They provide a default setup for the interfaces, masq, policy, rules and zones files, which replace those provided in Tom's original package.</para>
    </listitem>
    <listitem>
      <para>Add two statements to the <filename>rules</filename> file to allow queries to the dnscache and weblet servers from the internal network (see below).</para>
    </listitem>
    <listitem>
      <para>Replace the info entries in the rules and config files with ULOG, as explained <ulink url="http://www.shorewall.net/shorewall_logging.html">here</ulink>, to redirect Shorewall logging through the ulogd daemon.</para>
    </listitem>
    <listitem>
      <para>The four previous steps allow you to update shorwall.lrp on your own Bering distro whenever a more recent Shorewall version is released.</para>
    </listitem>
  </itemizedlist>

  <important>
    <para>Bering-uClibc's shorwall.lrp package is provided by default with the Two-interfaces Masquerading Firewall and the two extra rules mentioned earlier. This setup assumes that eth0 is connected to the Internet via a dynamic IP and that your local network is interfaced through eth1.</para>
  </important>

  <para>To configure Shorewall, start the LEAF packages configuration menu and choose shorwall. The following menu will appear:</para>

  <screen>
                        shorwall configuration files

 1) <ulink url="http://www.shorewall.net/Documentation.htm#Variables">Params</ulink>     Assign parameter values
 2) <ulink url="http://www.shorewall.net/Documentation.htm#Zones">Zones</ulink>      Partition the network into Zones
 3) <ulink url="http://www.shorewall.net/Documentation.htm#Interfaces">Ifaces</ulink>     Shorewall Networking Interfaces
 4) <ulink url="http://www.shorewall.net/Documentation.htm#Hosts">Hosts</ulink>      Define specific zones
 5) <ulink url="http://www.shorewall.net/Documentation.htm#Policy">Policy</ulink>     Firewall high-level policy
 6) <ulink url="http://www.shorewall.net/Documentation.htm#Rules">Rules</ulink>      Exceptions to policy
 7) <ulink url="http://www.shorewall.net/Documentation.htm#Maclist">Maclist</ulink>    MAC Verification
 8) <ulink url="http://www.shorewall.net/Documentation.htm#Masq">Masq</ulink>       Internal MASQ Server Configuration
 9) <ulink url="http://www.shorewall.net/Documentation.htm#ProxyArp">ProxyArp</ulink>   Proxy ARP Configuration
10) <ulink url="http://www.shorewall.net/Documentation.htm#Routestopped">Stopped</ulink>    Hosts admitted after 'shorewall stop'
11) <ulink url="http://www.shorewall.net/Documentation.htm#Nat">Nat</ulink>        Static NAT Configuration
12) <ulink url="http://www.shorewall.net/Documentation.htm#Tunnels">Tunnels</ulink>    Tunnel Definition (ipsec)
13) <ulink url="http://www.shorewall.net/traffic_shaping.htm#tcrules">TCRules</ulink>    FWMark Rules
14) <ulink url="http://www.shorewall.net/Documentation.htm#Conf">Config</ulink>     Shorewall Global Parameters
15) <ulink url="http://www.shorewall.net/Documentation.htm#Modules">Modules</ulink>    Netfilter modules to load
16) <ulink url="http://www.shorewall.net/Documentation.htm#TOS">TOS</ulink>        Type of Service policy
17) <ulink url="http://www.shorewall.net/Documentation.htm#Blacklist">Blacklist</ulink>  Blacklisted hosts
18) <ulink url="http://www.shorewall.net/Documentation.htm#ECN">ECN</ulink>        Disable ECN to hosts and networks
19) <ulink url="http://www.shorewall.net/shorewall_extension_scripts.htm">Init</ulink>       Commands executed before [re]start
20) <ulink url="http://www.shorewall.net/shorewall_extension_scripts.htm">Start</ulink>      Commands executed after [re]start
21) <ulink url="http://www.shorewall.net/shorewall_extension_scripts.htm">Stop</ulink>       Commands executed before stop
22) <ulink url="http://www.shorewall.net/shorewall_extension_scripts.htm">Stopped</ulink>    Commands executed after stop
23) <ulink url="http://www.shorewall.net/Accounting.htm">Account</ulink>    Traffic Accounting Rules
24) <ulink url="http://www.shorewall.net/User_defined_Actions.html">Actions</ulink>    Define user actions
 q) quit
----------------------------------------------------------------------------
Selection:
  </screen>

  <para>Check the hyperlinks above, the <ulink url="http://www.shorewall.net/shorewall_quickstart_guide.htm">Quickstart Guide</ulink> or the Shorewall <ulink url="http://www.shorewall.net/shorewall_quickstart_guide.htm#Documentation">documentation</ulink> for a full explanation of those configuration files.</para>

  <para>Four files absolutely must be checked to make sure they fit your needs:</para>

  <para>A) The <filename>zones</filename> file (entry 2). For a two-interface setting (Bering-uClibc's default) it looks like:</para>

  <screen>
#ZONE   DISPLAY   COMMENTS
net     Net       Internet
loc     Local     Local networks
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
  </screen>

  <para>B) The <filename>interfaces</filename> file (entry 3) defines your interfaces. The default in Bering-uClibc is:</para>

  <screen>
(...)
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      dhcp,routefilter,norfc1918
loc     eth1        detect
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
  </screen>

  <para>C) The <filename>rules</filename> file (entry 6) is one of the most important files in Shorewall. Here is the one from Bering-uClibc:</para>

  <screen>
(...)
##############################################################################
#ACTION   SOURCE   DEST   PROTO   DEST      SOURCE    ORIGINAL
#                                 PORT      PORT(S)   DEST
#
# Accept DNS connections from the firewall to the network
#
ACCEPT    fw       net    tcp     53
ACCEPT    fw       net    udp     53
#
# Accept SSH connections from the local network for administration
#
ACCEPT    loc      fw     tcp     22
#
# Allow Ping To And From Firewall
#
ACCEPT    loc      fw     icmp    8
ACCEPT    net      fw     icmp    8
ACCEPT    fw       loc    icmp    8
ACCEPT    fw       net    icmp    8
#
# Bering specific rules:
# allow loc to fw udp/53 for dnscache to work
# allow loc to fw tcp/80 for weblet to work
#
ACCEPT    loc      fw     udp     53
ACCEPT    loc      fw     tcp     80
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
  </screen>

  <para>As you can see above, two rules have been added to the two-interfaces file. They allow:</para>

  <itemizedlist>
    <listitem>
      <para>UDP requests from the local network (loc) to the firewall (fw) on port 53. This is the port on which dnsmasq listens for DNS requests coming from the internal network.</para>
    </listitem>
    <listitem>
      <para>TCP requests from the local network (loc) to the firewall (fw) on port 80. This is the port used by weblet for its web server.</para>
    </listitem>
  </itemizedlist>

  <para>D) Finally, the <filename>masq</filename> file (entry 7). In Bering it looks like:</para>

  <screen>
(...)
#INTERFACE   SUBNET
eth0         eth1
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
  </screen>

  <important>
    <para>If you change any of the Shorewall parameters, remember to back up shorwall.lrp!</para>
  </important>
</chapter>
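The chapter lists the shorwall.lrp build steps (add the two Bering-specific rules to the rules file, switch the info log level to ULOG) and shows the zones and rules files but leaves the editing to the reader. The POSIX shell script below is an added example, not code from the Bering-uClibc guide, from LEAF or from Shorewall: it inserts the two rules above the "#LAST LINE" marker without duplicating them on a second run, rewrites ":info" action suffixes and "=info" config values to ULOG, and adds one check the chapter does not show, verifying that every zone used in the rules file is declared in the zones file (an undeclared zone would make Shorewall refuse to start). The file contents written by demo() are constructed samples, and the shorewall.conf key names in them are illustrative only.

```shell
#!/bin/sh
# Added example for the Bering-uClibc Shorewall chapter; not code from the
# guide, from LEAF or from Shorewall. Scripts the shorwall.lrp build steps:
# add the two Bering-specific rules above "#LAST LINE" idempotently, turn the
# "info" log level into ULOG, and (extra sanity check) confirm every zone used
# in the rules file is declared in the zones file. All file contents in demo()
# are constructed samples; the shorewall.conf key names are illustrative.

# add_rule FILE RULE: insert RULE just above "#LAST LINE" unless a line that
# matches it after whitespace normalisation is already present.
add_rule() {
    file=$1
    rule=$2
    norm=$(printf '%s\n' "$rule" | tr -s '[:blank:]' ' ')
    if tr -s '[:blank:]' ' ' < "$file" | grep -qxF "$norm"; then
        return 0
    fi
    awk -v r="$rule" '/^#LAST LINE/ { print r } { print }' "$file" > "$file.tmp" &&
        mv "$file.tmp" "$file"
}

# count_rule FILE RULE: how many whitespace-normalised copies of RULE the file
# holds (lets a caller prove add_rule did not duplicate anything).
count_rule() {
    norm=$(printf '%s\n' "$2" | tr -s '[:blank:]' ' ')
    tr -s '[:blank:]' ' ' < "$1" | grep -cxF "$norm" || true
}

# use_ulog FILE: in rules/policy files the level is an ":info" suffix on the
# ACTION column ("DROP:info"); in shorewall.conf it is a "...=info" value.
# Both become ULOG so netfilter hands log entries to ulogd instead of syslog.
use_ulog() {
    sed -e 's/^\([A-Za-z]*\):info/\1:ULOG/' -e 's/=info[[:space:]]*$/=ULOG/' \
        "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# check_zones ZONES_FILE RULES_FILE: print each rule whose SOURCE or DEST zone
# is neither "fw" nor declared in ZONES_FILE; exit status 1 if any was found.
check_zones() {
    known=$(awk '!/^#/ && NF { print $1 }' "$1")
    awk -v known="fw $known" '
        BEGIN { n = split(known, z, /[[:space:]]+/); for (i = 1; i <= n; i++) ok[z[i]] = 1 }
        /^#/ || !NF { next }
        {
            split($2, s, ":"); split($3, d, ":")   # "net:192.0.2.0/24" -> "net"
            if (!(s[1] in ok) || !(d[1] in ok)) { print "undefined zone: " $0; bad = 1 }
        }
        END { exit bad }' "$2"
}

# demo DIR: write the constructed sample files into DIR and run the steps.
# Its exit status is that of check_zones.
demo() {
    dir=$1
    mkdir -p "$dir"
    cat > "$dir/zones" <<'EOF'
#ZONE   DISPLAY   COMMENTS
net     Net       Internet
loc     Local     Local networks
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
EOF
    cat > "$dir/rules" <<'EOF'
#ACTION    SOURCE   DEST   PROTO   DEST PORT
ACCEPT     loc      fw     tcp     22
DROP:info  net      fw     tcp     135
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
EOF
    cat > "$dir/shorewall.conf" <<'EOF'
# constructed shorewall.conf fragment; key names are illustrative only
RFC1918_LOG_LEVEL=info
TCP_FLAGS_LOG_LEVEL=info
EOF
    add_rule "$dir/rules" "ACCEPT     loc      fw     udp     53"
    add_rule "$dir/rules" "ACCEPT     loc      fw     tcp     80"
    add_rule "$dir/rules" "ACCEPT loc fw udp 53"   # already present: no change
    use_ulog "$dir/rules"
    use_ulog "$dir/shorewall.conf"
    check_zones "$dir/zones" "$dir/rules"
}

if [ "${1:-}" = run ]; then demo "${2:-./shorewall-demo}"; fi
```

Run it as `sh buci-rules.sh run /tmp/demo` and inspect /tmp/demo/rules: the two loc-to-fw rules appear once each, directly above the "#LAST LINE" marker, and the DROP rule now reads DROP:ULOG. The same functions can be pointed at a real /etc/shorewall tree, with a backup taken first, since they rewrite the files in place.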
_______________________________________________
leaf-cvs-commits mailing list
https://lists.sourceforge.net/lists/listinfo/leaf-cvs-commits