Shorewall Quickstart Guide by Bob Proulx
================================================================

Setting up a static IP DMZ

Another very common configuration is to be routed a small subnet, such as an eight IP address static subnet. This can be used to create a DMZ where all inbound services are hosted. It is typically coupled with a local private NAT network as previously described. A firewall with three NICs in this arrangement is commonly referred to as a three-legged firewall.

This section builds upon the standalone configuration and the NAT configuration above, and configures a triple NIC system for NAT/masquerading of a private network and routing of a static subnet for a DMZ. As you will see, the changes from the previous sections are very small, so there will be very little explanation. Also, the configuration is much more complicated in general. So while this will point you in the right direction and should get you going, some points will be left as an exercise for the reader. If that bothers you then get help, because in that case you should not be setting up a DMZ.

Don't start here. Start with the first section and walk through it to set up a standalone system. Do that first. Then do the second section with NAT. Then enable the DMZ.

Edit the /etc/shorewall/zones file and add a 'dmz' zone for your demilitarized network. This definition may already exist in the file by default.

Edit /etc/shorewall/zones and specify your zones.

    net   Net     Internet
    loc   Local   Local networks
    dmz   DMZ     Demilitarized zone

Edit the /etc/shorewall/interfaces file and add the interface hosting the 'dmz' zone. But notice now the change in the WAN interface. If you have a static subnet you almost certainly have a static WAN IP as well, so you will not be using DHCP. Make sure you remove the dhcp option if you had it specified previously.

Edit /etc/shorewall/interfaces and specify your network interfaces.
    #ZONE   INTERFACE   BROADCAST   OPTIONS
    net     eth0        detect
    loc     eth1        detect
    dmz     eth2        detect

Edit the /etc/shorewall/policy file and specify your default policies for the dmz network. You previously had a policy to allow all connections between the local network and the global network. Add another one to allow local network connections to the DMZ.

Edit /etc/shorewall/policy and specify your default policies.

    #SOURCE   DEST   POLICY   LOG    LIMIT:BURST
    fw        net    ACCEPT
    loc       net    ACCEPT
    loc       dmz    ACCEPT
    net       all    DROP     info
    all       all    REJECT   info

The DMZ is normally a draconian place and I recommend you keep it that way. It is where incoming connections are hosted, and the most likely place that a crack will happen if it is to happen. I recommend that all traffic out of the DMZ onto the Internet be rejected by default. That way, if you are unfortunate enough to have an intrusion incident, it might be more contained by preventing unlimited outbound access. For example, some exploits count on being able to use IRC ports for backchannel communication. The local network is a better place for full outbound access. However, your particular needs may be different and you may wish to allow all outbound from the DMZ the same as from the local network. If so then the following line will allow this.

    dmz       net    ACCEPT

Edit the /etc/shorewall/rules file and specify what network connections you will allow into your DMZ. If you have a DMZ you will not need any of the previously discussed firewall hosted services. Best is to keep all of those services off of your firewall and located on a DMZ host. Also you will need to specify what connections from your DMZ are allowed into your private network.

Edit /etc/shorewall/rules and specify your allowed connections.
    #ACTION   SOURCE   DEST   PROTO   DEST PORT
    ACCEPT    dmz      loc    udp     domain
    ACCEPT    dmz      loc    tcp     domain
    ACCEPT    dmz      loc    udp     ntp
    ACCEPT    dmz      loc    tcp     smtp
    ACCEPT    dmz      loc    tcp     ssh
    ACCEPT    net      dmz    tcp     http
    ACCEPT    net      dmz    tcp     https
    ACCEPT    net      dmz    tcp     smtp
    ACCEPT    net      dmz    tcp     ssh

If you desire to allow ping and traceroute then you will need to add an ACCEPT line for each of those. Be aware that the upstream policies for those have changed from release to release. Double check that this is still required in case this documentation is out of date.

    ACCEPT    net      dmz    icmp    echo-request
    ACCEPT    net      dmz    icmp    time-exceeded

If you left the default policy from the DMZ to the Internet as reject then you will want to specify at least some of these outgoing services. Of course, if you set the default policy to accept then all of these are allowed by the default policy anyway and are redundant. These are other common services which you also may, or may not, wish to allow from your DMZ to the global Internet. This will need to be customized and revisited by you to handle your specific configuration.

    ACCEPT    dmz      net    udp     domain
    ACCEPT    dmz      net    tcp     domain
    ACCEPT    dmz      net    udp     ntp
    ACCEPT    dmz      net    tcp     ntp
    ACCEPT    dmz      net    tcp     http
    ACCEPT    dmz      net    tcp     https
    ACCEPT    dmz      net    tcp     rsync
    ACCEPT    dmz      net    tcp     cvspserver
    ACCEPT    dmz      net    tcp     telnet
    ACCEPT    dmz      net    tcp     whois
    ACCEPT    dmz      net    tcp     finger
    ACCEPT    dmz      net    tcp     dict
    ACCEPT    dmz      net    tcp     2703            # razor2
    ACCEPT    dmz      net    icmp    echo-request    # razor2 uses ping (ICMP, not a TCP service)
    ACCEPT    dmz      net    tcp     11371           # GPG keyserver lookup

Edit the /etc/shorewall/routestopped file and specify any networks which you want accessible when your firewall is stopped.

Edit /etc/shorewall/routestopped and specify any routes to keep up when your firewall is stopped.

    #INTERFACE   HOST(S)
    eth1
    eth2

Test your configuration using 'shorewall check', then 'shorewall start' or 'shorewall restart'.

    shorewall check
    shorewall restart

You are done!

================================================================
Bob Proulx
http://www.proulx.com/~bob/
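The DMZ stance the guide describes (reject from the DMZ outward by default, only listed services between net, dmz and loc) can be checked against the policy and rules files before running 'shorewall check'. This is an added example, not from the guide or the Shorewall project; it embeds constructed copies of the files above and assumes a first-match policy lookup with "all" as a wildcard, which is a simplification of Shorewall's policy handling.

```shell
#!/bin/sh
# Added example (not from the guide): audit the DMZ posture in a Shorewall
# policy/rules pair. Constructed copies of the files above are embedded.

POLICY='#SOURCE DEST POLICY LOG LIMIT:BURST
fw net ACCEPT
loc net ACCEPT
loc dmz ACCEPT
net all DROP info
all all REJECT info'

RULES='#ACTION SOURCE DEST PROTO DEST_PORT
ACCEPT dmz loc udp domain
ACCEPT dmz loc tcp domain
ACCEPT dmz loc udp ntp
ACCEPT dmz loc tcp smtp
ACCEPT dmz loc tcp ssh
ACCEPT net dmz tcp http
ACCEPT net dmz tcp https
ACCEPT net dmz tcp smtp
ACCEPT net dmz tcp ssh'

# policy_for SRC DST: default policy for a zone pair; assumes first match
# wins and "all" is a wildcard (a simplification of Shorewall's handling).
policy_for() {
    printf '%s\n' "$POLICY" | awk -v s="$1" -v d="$2" '
        /^#/ || NF < 3 { next }
        ($1 == s || $1 == "all") && ($2 == d || $2 == "all") { print $3; exit }'
}

# allowed_ports SRC DST: proto/port entries explicitly ACCEPTed, in file order.
allowed_ports() {
    printf '%s\n' "$RULES" | awk -v s="$1" -v d="$2" '
        /^#/ || NF < 5 { next }
        $1 == "ACCEPT" && $2 == s && $3 == d {
            out = out (out == "" ? "" : ",") $4 "/" $5
        }
        END { print out }'
}

# dmz_egress_restricted: true when DMZ->Internet is not ACCEPT by default,
# the containment stance the guide recommends.
dmz_egress_restricted() {
    [ "$(policy_for dmz net)" != "ACCEPT" ]
}

printf 'net->dmz exposed: %s\n' "$(allowed_ports net dmz)"
printf 'dmz->loc allowed: %s\n' "$(allowed_ports dmz loc)"
dmz_egress_restricted && echo 'OK: DMZ egress restricted' || echo 'WARNING: DMZ may reach the Internet freely'
```

Replace the embedded POLICY and RULES strings with the contents of the real files to review a live configuration.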