User Tools

Site Tools


build:firewall

Firewall

We decided to go with Shorewall, which is relatively popular. It also has the advantage that we don't need to provide the IP addresses of the system – it determines them dynamically. So when we change IP addresses, we don't have to re-configure the firewall.

Requirements

All we want from the firewall is basic host protection. (We don't do any routing, so we don't need to worry about packets going through the system.) We want to allow all outbound connections, and allow inbound connections to only the following ports:

  • 22 – SSH
  • 53 – DNS (UDP and TCP)
  • 80 – HTTP
  • 123 – NTP (UDP)
  • 443 – HTTPS

Installation

Install shorewall (and its documentation):

sudo apt-get -y install shorewall shorewall-doc

Configuration

In /etc/default/shorewall, set shorewall to run by changing the startup line:

sudo sed -i -e 's/startup=0/startup=1/' /etc/default/shorewall

Install the default config files for systems with one interface:

sudo cp -a /usr/share/doc/shorewall/examples/one-interface/* /etc/shorewall/
cd /etc/shorewall/
sudo gunzip -f *.gz

In /etc/shorewall/shorewall.conf, we need to enable startup; we also change the log file and set the log rate limits:

sudo sed -i /etc/shorewall/shorewall.conf -e 's|^STARTUP_ENABLED=.*|STARTUP_ENABLED=Yes|'
sudo sed -i /etc/shorewall/shorewall.conf -e 's|^LOGFILE=.*|LOGFILE=/var/log/shorewall.log|'
sudo sed -i /etc/shorewall/shorewall.conf -e 's|^LOGRATE=.*|LOGRATE=10/minute|'
sudo sed -i /etc/shorewall/shorewall.conf -e 's|^LOGBURST=.*|LOGBURST=5|'

Rules

Add rules to /etc/shorewall/rules allowing various ports inbound:

sudo sh -c 'cat >> /etc/shorewall/rules' <<'EOF'
 
# Allow inbound SSH.
ACCEPT net $FW tcp 22
 
# Allow inbound DNS (including TCP, for AFXRs).
ACCEPT net $FW udp 53
ACCEPT net $FW tcp 53
 
# Allow inbound NTP.
ACCEPT net $FW udp 123
 
# Allow inbound HTTP and HTTPS.
ACCEPT net $FW tcp 80
ACCEPT net $FW tcp 443
EOF

Startup

Start Shorewall:

sudo touch /var/log/shorewall.log
sudo /etc/init.d/shorewall start

Testing

To check whether Shorewall is running, check what IP Tables are configured:

sudo iptables -L -vn

This should show a large number of tables.

If Shorewall is not running, check the /var/log/shorewall-init.log file for details.

Ensure that you can establish a new SSH session inbound. If not, stop Shorewall and try again.

TODO

  • We might want to open up additional ports for other services.
  • How much ICMP do we block? How much do we want to block?
  • Is Shorewall configured to start on boot at the proper time?
    • Is there a window of time where the network starts up (and there are services running) before Shorewall is protecting the system?
build/firewall.txt · Last modified: 2012/12/10 22:41 (external edit)