An Instant Guide to the Shorewall Firewall

OpenSource For You. By Dr Anand Nayyar. The author works at the Duy Tan University in Vietnam. He loves to work and research on open source technologies, sensor communications, network security, Internet of Things, etc. He can be reached at anandnayyar@duytan.edu.vn.

Firewalls have gained importance due to the increasing number of malicious attacks on networks and computers. Shorewall, a powerful offering from the Linux world, is primarily used to protect networks; its strength lies in working with zones.

A firewall provides an additional layer of defence, insulating internal systems from external networks. Its primary task is to examine all traffic routed between two or more networks against defined rules and policies: traffic is forwarded only if it complies with them, and otherwise the packets are dropped. Firewalls take one of two default stances. A default-allow firewall passes all traffic except what a rule explicitly blocks; a default-deny firewall blocks all traffic except what a rule explicitly permits. The second stance is the safer one, because anything the administrator forgot to think about is blocked rather than let through. Which criteria decide whether traffic is allowed depends on how the firewall is configured. Firewalls can also apply more complex rules that analyse application data before deciding whether traffic should be allowed or rejected.

A firewall plays a crucial role in preventing unauthorised access to devices or networks. It inspects the data entering or leaving the device according to the administrator's configuration and denies traffic that comes from untrusted or suspicious networks. It can also log every attempt to enter the private network and raise alerts when unauthorised entry is attempted.

Types of firewalls

There are primarily two main types of firewalls: hardware firewalls and software firewalls.

Hardware firewalls: These are dedicated systems, independent of the computers they protect, that filter traffic from the Internet before it reaches those computers. Most Wi-Fi and Internet routers have built-in firewalls for packet filtering. In general terms, a hardware firewall examines the data flowing in from the Internet and decides whether it is safe. Simple firewalls, known as packet filters, look at packet headers for information such as the source and destination addresses and ports; that information is then compared against a configured list of permissions to decide whether the packet should be dropped or allowed through.

Hardware firewalls have become more advanced and can now evaluate traffic on many parameters, including the time at which it enters the network.

Software firewalls: For individual home users, software firewalls are the most popular. They are installed like any other program, which lets users control their functions and choose protection policies. A software firewall protects the computer from outside attempts to gain control of the system; when bundled into an endpoint security suite it is paired with protection against Trojans, rootkits, viruses, worms and even ransomware, and often adds privacy controls and Web filtering. Software firewalls run in the background and use limited resources.

There are many differences between hardware and software firewalls, but for the best protection of computers and networks, most administrators use both.

Types of software firewalls

The following are the types of software firewalls:

• Packet filtering firewalls
• Circuit level gateways
• Application level gateways
• Stateful multi-layer inspection firewalls

Packet filtering firewalls: These apply a set of rules and examine each packet to decide whether to forward it towards its destination or drop it. The firewall is configured to filter packets in both directions, inbound and outbound. Packet filtering firewalls permit or deny network traffic on the basis of the following information:

• Source IP address and destination IP address
• Protocol, such as TCP, UDP or ICMP
• Source and destination ports
• Direction: inbound or outbound
• The physical interface on which the packet arrives or leaves

Circuit level gateways: Circuit level gateways work at the session layer of the OSI (Open Systems Interconnection) model. They monitor the TCP handshake between the endpoints to determine whether a requested session is legitimate, and they relay the session, so that information passed through the gateway to the Internet appears to have come from the gateway itself. A remote host therefore has no way to determine the organisation's internal private IP addresses. The same effect is achieved by network address translation (NAT), whereby the private IP addresses of the different clients inside the network are all mapped to the public IP address provided by the ISP before packets are sent to the outside world.

Application level gateway firewalls: These decide whether to drop or forward a packet based on information about the application. This is done by setting up proxies on a single firewall for the different applications. Both client and server connect to the proxy instead of to each other, so any suspicious data is dropped by the proxy, and complex protocols such as H.323 and SIP can also be handled. Application level firewalls can look into individual sessions and drop a packet based on information in the application protocol headers or in the application payload.

Stateful multi-layer inspection firewalls: These combine aspects of all the above types. They filter packets at the network, transport and application layers, passing a packet only if it is accepted at each layer. Some allow a direct connection between client and server, relying on algorithms that recognise and process application layer data instead of application specific proxies. They offer better security and performance, and are transparent to end users.

Linux based firewalls

On Linux, packet filtering is done by the kernel's Netfilter framework and is controlled with the iptables administration program. Iptables works on network- and transport-layer information in packet headers (addresses, protocol, ports, connection state) and decides, before a packet is routed or delivered, whether it is accepted, dropped or rejected. Iptables needs the CAP_NET_ADMIN capability, so in practice it is run as root.

It is used to set up, maintain and inspect the tables of packet filtering rules in the Linux kernel. Each table (filter, nat, mangle, raw) contains built-in chains such as INPUT, FORWARD and OUTPUT, to which user-defined chains can be added; each chain is an ordered list of rules, and the first matching rule with a terminating target (ACCEPT, DROP or REJECT) decides the packet's fate. A chain's policy applies when no rule matches, which is why a default-deny setup sets the INPUT and FORWARD policies to DROP. The rules govern not only packets entering the private network from outside, but also what leaves it and what the firewall host itself accepts.
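To make the table/chain/rule model concrete, here is a complete ruleset in iptables-restore format for a small gateway. It is added here as an example; it is not from the article and is not what Shorewall generates. It assumes eth0 faces the Internet and eth1 faces a LAN on 192.168.1.0/24, and that SSH is the only service the firewall host itself exposes; all three are assumptions. The script prints the ruleset rather than applying it, so it can be reviewed and parsed with `iptables-restore --test` before it touches the kernel.

```shell
#!/bin/sh
# Added example (not from the article, not Shorewall output): a hand-written
# iptables-restore ruleset for a two-interface gateway. Assumptions: eth0 is
# the Internet side, eth1 the LAN side, LAN prefix 192.168.1.0/24. All three
# can be overridden via the environment.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# Print the ruleset; iptables-restore ignores lines that begin with '#'.
gateway_ruleset() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# many-to-one NAT: rewrite LAN source addresses to the WAN address
-A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
COMMIT
*filter
# default-deny on INPUT and FORWARD; every rule below is an exception.
# OUTPUT stays ACCEPT so the firewall host itself can reach the Internet.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback, and replies to connections the firewall host already opened
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# SSH to the firewall host only from the LAN side
-A INPUT -i $LAN_IF -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# ping from the LAN is fine; ping from the Internet falls through to DROP
-A INPUT -i $LAN_IF -p icmp --icmp-type echo-request -j ACCEPT
# log (rate limited) whatever else arrives from the Internet before it is dropped
-A INPUT -i $WAN_IF -m limit --limit 5/min -j LOG --log-prefix "fw-input-drop: "
# forwarding: LAN may initiate connections outwards, replies may come back,
# nothing is initiated from the Internet towards the LAN
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
COMMIT
EOF
}

# Number of ACCEPT rules in the generated text; a quick sanity check that
# the exception list has not grown silently.
accept_rule_count() {
    gateway_ruleset | grep -c -- '-j ACCEPT'
}

# Load into the kernel only when asked explicitly (needs root / CAP_NET_ADMIN).
if [ "${1:-}" = "apply" ]; then
    gateway_ruleset | iptables-restore
fi
```

Run it as `sh gateway.sh | iptables-restore --test` to parse the ruleset without committing it, and `sh gateway.sh apply` as root to load it. Even this small policy needs two dozen lines and careful ordering of rules and chain policies, which is the verbosity that Shorewall's zone and policy files are designed to hide.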

When selecting a firewall for Linux there are various concerns: installation, configuration, documentation, features, operation and even support.

A large number of firewall distributions and front ends are available, such as IPCop, Shorewall and m0n0wall. Shorewall is regarded as one of the most powerful firewalls for Linux.

Introducing Shorewall

Linux packet filtering is based on Netfilter, a framework inside the Linux kernel that performs packet filtering, NAT, port translation, connection tracking and the blocking of traffic from external sources. Netfilter lives in the kernel; iptables is the user-space tool used to program it. Iptables is powerful, but verbose and easy to get wrong when written by hand, so a higher-level front end such as Shorewall is a good choice for making Linux systems more secure.

Shorewall (Shoreline Firewall) is a gateway/firewall configuration tool for Linux, a high-level tool for configuring Netfilter. Users describe their firewall requirements in a set of configuration files. Shorewall reads these files and, with the help of the iptables, iptables-restore, ip and tc utilities, configures Netfilter in the Linux kernel. Shorewall can run on a dedicated firewall system or on a multi-function gateway/router/server. It is a Perl based wrapper around iptables.

The main objective behind Shorewall was to provide a higher-level abstraction for firewall configuration than plain iptables. Its key mechanism is dividing the network interfaces into zones with different levels of trust, so that the administrator works with groups of hosts rather than individual addresses and writes one policy per pair of zones. Policies and their exceptions can then be stated simply and comprehensively.

Shorewall is not a daemon running in the background. Its compiler reads the configuration files and generates a shell script, which loads the resulting iptables rules into the kernel (through iptables-restore); once loaded, the rules stay in force without any Shorewall process running.

Latest version (at the time of writing): 5.2.0.1
Official website: http://www.shorewall.org
Licence: GPLv2
Creator: Thomas M. Eastep

Shorewall firewall configuration files

The following files in /etc/shorewall control the firewall:

• /etc/shorewall/shorewall.conf: global firewall parameters.
• /etc/shorewall/params: sets shell variables that are expanded in the other files. It is processed by /bin/sh or by the shell specified via SHOREWALL_SHELL in shorewall.conf.
• /etc/shorewall/zones: partitions the firewall's view of the world into zones.
• /etc/shorewall/policy: establishes the firewall's high-level policy for each pair of zones.
• /etc/shorewall/initdone: an optional Perl script executed by the rules compiler after it has finished its initialisation.
• /etc/shorewall/interfaces: describes the network interfaces on the firewall system and maps them to zones.
• /etc/shorewall/hosts: defines zones in terms of individual hosts and subnetworks rather than whole interfaces.
• /etc/shorewall/masq: tells the firewall when to use many-to-one (dynamic) NAT and source NAT (SNAT). In Shorewall 5 this file is deprecated in favour of /etc/shorewall/snat, which expresses the same thing with MASQUERADE and SNAT actions.
• /etc/shorewall/mangle: rules for packet marking, TTL manipulation, transparent proxying, etc.
• /etc/shorewall/rules: exceptions to the overall policies in /etc/shorewall/policy; this is where individual services are opened.
• /etc/shorewall/nat: one-to-one NAT rules.
• /etc/shorewall/proxyarp: proxy ARP rules.
• /etc/shorewall/tcrules: traffic control/shaping and policy routing; superseded by the mangle file since Shorewall 4.6.
• /etc/shorewall/tunnels: VPN tunnel definitions.
• /etc/shorewall/blrules: blacklist rules for hosts or networks whose traffic is dropped or rejected before the normal rules are consulted.
• /etc/shorewall/init: commands executed when Shorewall starts, before the rules are loaded.
• /etc/shorewall/start: commands executed after Shorewall has started.
• /etc/shorewall/stop: commands executed when Shorewall is stopped.
• /etc/shorewall/accounting: IP traffic accounting rules.
• /etc/shorewall/providers: alternate routing tables, used for multi-ISP setups.
• /etc/shorewall/vardir: determines the directory in which Shorewall keeps its state.

Most of these files are optional. A working gateway needs little more than shorewall.conf, zones, interfaces, policy and rules, plus snat (or masq) if the firewall also performs NAT.

Features of Shorewall

• Accounting: counts packets and bytes by categories and rules specified by the administrator, giving detailed information about inbound and outbound traffic.
• Support for many types of router/firewall applications: Shorewall's behaviour is fully described by configuration files, and there is no limit on the number of network interfaces. Administrators partition the network into zones and have full control over the connections permitted between every pair of zones.
• Tunnelling: Shorewall can accommodate VPN tunnels such as IPsec, PPTP, GRE, IPIP, OpenVPN, IPv6-over-IPv4, IPv4-over-IPv4 and others.
• Centralised administration: a Shorewall firewall can be monitored and administered remotely (for example over SSH) from any networked system, whether it runs Linux, Windows or Mac OS X; with Shorewall-lite, the configuration can even be compiled on one machine and distributed to others.
• Address/routing management: masquerading, port forwarding, one-to-one NAT, proxy ARP, NETMAP, multiple ISP support and more.
• Virtualisation: Shorewall works with a range of virtualisation software including KVM, Xen, Linux-VServer, VirtualBox, LXC and Docker (for which support was recently added).
• Other features: traffic accounting, IPv6, MAC verification, RPM and Debian packages, and blacklisting of individual IP addresses or subnets.

How Shorewall works

Shorewall works through the configuration files located in /etc/shorewall, as mentioned earlier. A minimal working configuration uses the following four files:

1. Interfaces: describes the physical interfaces on which inbound and outbound traffic is filtered and assigns each to a zone.
2. Zones: defines all the network zones.
3. Policy: defines the default disposition (ACCEPT, DROP or REJECT) for connections between each pair of zones.
4. Rules: defines exceptions to the policy file, such as individual services that are allowed through.

When the firewall is started, Shorewall compiles these files into a script that loads the corresponding iptables rules. `shorewall check` compiles them without loading anything, which is the safe way to validate a change before applying it.
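The four files just listed, together with snat and a minimal shorewall.conf, for a two-interface gateway. This is an added example, not configuration from the article or shipped with Shorewall. It assumes eth0 faces the Internet and eth1 faces a LAN on 192.168.1.0/24, and it writes the files into a directory you name, so they can be reviewed (and compiled with `shorewall check <dir>` on a host that has Shorewall installed) before being copied into /etc/shorewall. The `effective_policy` helper is added purely to illustrate how Shorewall resolves the policy file: top to bottom, first match wins, `all` is a wildcard, and `$FW` names the firewall zone itself.

```shell
#!/bin/sh
# Added example (not from the article or the Shorewall project): a complete
# Shorewall configuration for a two-interface gateway. Assumptions: eth0 is
# the Internet side, eth1 the LAN side, LAN prefix 192.168.1.0/24.
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# Write the configuration files into the directory given as $1.
write_shorewall_config() {
    dir="$1"
    mkdir -p "$dir"

    # Only the settings that differ from a do-nothing default are listed.
    cat >"$dir/shorewall.conf" <<EOF
STARTUP_ENABLED=Yes
IP_FORWARDING=On
EOF

    # Zones: the firewall itself plus one zone per side of the gateway.
    cat >"$dir/zones" <<EOF
#ZONE   TYPE
fw      firewall
net     ipv4
loc     ipv4
EOF

    # Interfaces bind each zone to a NIC and enable anti-spoofing checks.
    cat >"$dir/interfaces" <<EOF
?FORMAT 2
#ZONE   INTERFACE   OPTIONS
net     eth0        tcpflags,nosmurfs,routefilter,logmartians
loc     eth1        tcpflags,nosmurfs,routefilter,logmartians
EOF

    # Policies are matched top to bottom; first match wins and "all" is a
    # wildcard, so the last two lines make every unlisted pair default-deny.
    cat >"$dir/policy" <<EOF
#SOURCE DEST    POLICY  LOGLEVEL
\$FW    net     ACCEPT
loc     net     ACCEPT
net     all     DROP    info
all     all     REJECT  info
EOF

    # Rules are the exceptions to those policies and are consulted first.
    # The ?SECTION lines keep the standard section order; entries go in NEW.
    cat >"$dir/rules" <<EOF
?SECTION ALL
?SECTION ESTABLISHED
?SECTION RELATED
?SECTION INVALID
?SECTION UNTRACKED
?SECTION NEW
#ACTION         SOURCE  DEST    PROTO
Invalid(DROP)   net     all     tcp
SSH(ACCEPT)     loc     \$FW
Ping(ACCEPT)    loc     \$FW
Ping(DROP)      net     \$FW
ACCEPT          \$FW    net     icmp
EOF

    # snat replaces the older masq file in Shorewall 5: many-to-one NAT for
    # the LAN behind eth0.
    cat >"$dir/snat" <<EOF
#ACTION     SOURCE      DEST
MASQUERADE  $LAN_NET    eth0
EOF
}

# Resolve the policy that applies to a zone pair ($2 -> $3) from the policy
# file in $1, with the same first-match / "all"-wildcard semantics Shorewall
# uses. Prints ACCEPT, DROP or REJECT.
effective_policy() {
    awk -v s="$2" -v d="$3" '
        /^[[:space:]]*#/ { next }
        NF == 0 { next }
        ($1 == s || $1 == "all") && ($2 == d || $2 == "all") { print $3; exit }
    ' "$1/policy"
}
```

Usage: `write_shorewall_config /tmp/fwtest && shorewall check /tmp/fwtest` compiles the files without loading them, and `effective_policy /tmp/fwtest net loc` prints DROP. Note that traffic from the LAN to the firewall host itself resolves to REJECT under this policy file; SSH and ping from the LAN are allowed only because the rules file lists them as exceptions, which is exactly the policy/rules split the article describes.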

Once the generated script has loaded the rule set, Shorewall itself does not stay running; the filtering is done inside the kernel by Netfilter, which handles many addresses and connections simultaneously.

Shorewall packages

The following six packages make up the Shorewall firewall:

• Shorewall-core: the core package required by all of the others (Shorewall, Shorewall6, Shorewall-lite and Shorewall6-lite).
• Shorewall: the comprehensive IPv4 package, containing everything needed to create an IPv4 firewall.
• Shorewall6: the comprehensive IPv6 package, containing everything needed to create an IPv6 firewall.
• Shorewall-lite: a lightweight version that runs firewall scripts generated on another system that has the full Shorewall installed, so the compiler need not be present on every firewall.
• Shorewall6-lite: the same for scripts generated by Shorewall6.
• Shorewall-init: closes the firewall (puts it in a safe state) early in the boot sequence, before the network interfaces are brought up, so there is no window in which the host is exposed.


Figure 1: Overview of a firewall
