9. Installing ShoreWall Firewall
Why Shorewall
If you are a hardcore Linux geek you don't need a user
interface for your firewall. After all, everything can be done
with some iptables hacking, and it's a lot more
flexible.
But we want a Knoppix installation for non-Linux geeks, don't
we? Shorewall is the nicest firewall product I could find and
it has a brilliant Webmin module, which is all we need and more.
The documentation on the website is brilliant and the product
is regularly maintained. Maybe too regularly: I had to do
several updates on this chapter already because of updates
to the software. Don't worry though: minor updates.
Installation and Configuration
Since we know how to install a package, installing the shorewall
package should be a straightforward process.
From the Webmin interface we can now configure Shorewall. In the
networking group, we find an entry for Shorewall. If we go through
the items from left to right, top to bottom, we go through them in the most
natural way possible, defining the basic things first and refining
the settings as we go.
First item on the list is Network Zones. Here we can safely delete
the dmz entry; we are not going to install a dmz anyway. A
demilitarized zone, stupid. Don't know about them? You
don't need them in a simple setup, sweetie.
Then, we can define the Network Interfaces. We have two interfaces,
one of which will be connected to the internet and one of which will
serve the local network. We accept all defaults, except for dhcp,
which we select for each interface, as one will serve as a dhcp server
and the other will act as a dhcp client. Both cases need the option
selected.
Figure 9.1: The first network interface configuration in Shorewall
Checking the Default Policies, one can see that the default
policy is what you would like and expect: allow everything from your
local network to the internet, disallow (DROP) anything in the other
direction. Sounds safe enough hey?
We need to add at least one firewall rule, namely one that will
allow us to use the Webmin interface. Otherwise, we will
simply lock ourselves out after enabling the firewall. So we
add a rule to ACCEPT any traffic from Any zone (Source zone)
to the firewall (Destination zone or port) with Protocol being
TCP and Destination port being 10000 (select both the
radio button and enter the destination port), and there we are.
Figure 9.2: The rule to allow Webmin traffic to the box
We are going to leave the Types Of Service as they are;
there are some default values there, but they won't bother us.
Straight on to Masquerading. There is a default rule there,
you can just change it and leave most of the defaults, except
that the Outgoing interface is eth0 and the Network to
masquerade is the subnet on interface eth1.
Figure 9.3: Rules to enable masquerading
When the firewall is stopped, the default behaviour is to
disallow everything. That would mean we need to hook up a
screen to our Knoppix box whenever we want to stop the
firewall, a situation we will try to avoid as much as
possible. Especially since once in a while it might come in
handy to stop the firewall, just to see if something is being
blocked by it or not. Therefore, we define that the interface
eth1 may still be connected to by adding eth1 to the
configuration under Edit Stopped Addresses in the When
Stopped (routestopped) section.
Figure 9.4: The configuration for when the firewall is stopped
The other categories, Proxy Arp, Static NAT, VPN Tunnels, Zone Hosts
and Blacklist Hosts, we are going to leave set to their
defaults. They are advanced settings which are not needed in
the scope of this document.
Change /etc/default/shorewall to have start=1
instead of start=0, since we want to start the firewall when
the machine is booted.
One more thing is still necessary,
since the Debian package sets the default masquerading behaviour
to keep whatever masquerading state is already present, but we
always want to enable masquerading. Therefore, change the
value for IP_FORWARDING to "On" instead of "Keep" in
/etc/shorewall/shorewall.conf.
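Before pressing the start button it pays to check the files those Webmin screens write, since the two mistakes this section warns about (locking ourselves out of Webmin, and a firewall that does not start at boot or does not forward) are silent until the firewall is up. The script below is an added example, not part of the original chapter; it assumes the Shorewall 2.x/3.x whitespace-column file layout and reads a directory that mirrors /etc/shorewall plus a copy of /etc/default/shorewall named default-shorewall (both names are my assumptions).

```shell
#!/bin/sh
# Added example (not from the original chapter): pre-flight checks on Shorewall's
# files before the firewall is started for the first time. Assumes the 2.x/3.x
# column layout; $1 is a dir mirroring /etc/shorewall plus "default-shorewall".

# Strip comments and blank lines from a Shorewall table file (rules, routestopped, ...).
table_rows() { sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1"; }

# Lock-out check: an ACCEPT rule for TCP 10000 into the firewall zone ($FW, or the
# zone name fw) from "all" or "loc" must exist, or Webmin is unreachable once started.
check_webmin_rule() {
    table_rows "$1/rules" | awk '$1=="ACCEPT" && ($2=="all" || $2=="loc") &&
        ($3=="$FW" || $3=="fw") && $4=="tcp" && $5=="10000" {ok=1} END {exit !ok}'
}
# The LAN interface must be listed in routestopped so we keep access while stopped.
check_routestopped() {
    table_rows "$1/routestopped" | awk -v ifc="$2" '$1==ifc {ok=1} END {exit !ok}'
}
# Boot-time start: the chapter writes start=1; the Debian package's variable is startup.
check_boot_enabled() {
    grep -Eq '^[[:space:]]*start(up)?=1[[:space:]]*$' "$1/default-shorewall"
}
# IP_FORWARDING=On rather than Keep, so masquerading never depends on prior state.
check_ip_forwarding() {
    grep -Eq '^[[:space:]]*IP_FORWARDING="?On"?[[:space:]]*$' "$1/shorewall.conf"
}
# Run all checks against config dir $1 with LAN interface $2; nonzero if any fails.
preflight() {
    rc=0
    for c in check_webmin_rule check_boot_enabled check_ip_forwarding; do
        if "$c" "$1"; then echo "ok   $c"; else echo "FAIL $c"; rc=1; fi
    done
    if check_routestopped "$1" "$2"; then echo "ok   check_routestopped"
    else echo "FAIL check_routestopped"; rc=1; fi
    return $rc
}
# Constructed sample configuration mirroring the chapter's Webmin choices.
make_sample_config() {
    d=$(mktemp -d)
    printf '#ACTION SOURCE DEST PROTO DEST_PORT\nACCEPT all $FW tcp 10000\n' > "$d/rules"
    printf '#INTERFACE HOST(S)\neth1 -\n' > "$d/routestopped"
    printf 'start=1\n' > "$d/default-shorewall"
    printf 'IP_FORWARDING=On\n' > "$d/shorewall.conf"
    echo "$d"
}

preflight "$(make_sample_config)" eth1   # on the real box: preflight /path/to/copies eth1
```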
That is basically it. We should be ready to start the firewall.
Press the button in the shorewall configuration window, and see... we
have got our firewall running. Don't believe me? You're right, test
it first, I like that mentality.
Testing the Firewall
Well, go and try to surf the web the
way you used to. It should be unable to connect. The firewall is REJECTing
all packets, because we are on the firewall, connecting to the
internet, and the default policy is to REJECT all packets there, as
can be deduced from the Default Policies list. As we're not in the Source
Zone "loc" or "net", we fall back to the "any" source zone, which has
as a rule to REJECT all traffic to any destination zone.
Let's enable it.
Let's add a Firewall Rule to ACCEPT all the traffic from the
<Firewall> with destination port 80 (or destination port 8080 if you
use a proxy), add a firewall rule to enable DNS traffic to your
nameserver from the firewall (port 53), and then...
We "Apply the configuration", and after the Shorewall firewall is
restarted, we are ready. We should be able to surf the internet
again from the firewall.
There is more...
It's beyond the scope of this document to describe all
possible configuration decisions that can be made for your
firewall. For now,
we will just leave this default setup
and refine every setting as we go through this document.
One nice side effect of the configuration of this firewall is
that now, you can configure a client on the intranet side of
your firewall and start surfing on the clients. Further details
on configuring the client will be given in the DNS and DHCP sections
that are described next, so maybe it's better to wait with that
test.