OpenSource For You

An Instant Guide to the Shorewall Firewall

- By: Dr Anand Nayyar The author works at the Duy Tan University in Vietnam. He loves to work and research on open source technologi­es, sensor communicat­ions, network security, Internet of Things, etc. He can be reached at anandnayya­ YouTube

Firewalls have gained importance due to the increasing number of malicious attacks on networks and computers. Shorewall, a powerful offering from the Linux world, is primarily used to protect networks, as its strength lies in working with zones.

Afirewall provides an additional layer of defence, insulating the internal systems from external networks. The primary task of a firewall is to examine all the traffic routed between two or more networks according to certain defined rules and policies. Only if the terms of the rules and policies are complied with, is traffic routed between the networks; otherwise, all the packets are dropped. There are two access denial methodolog­ies followed by firewalls, i.e., allow traffic or deny/restrict traffic. A firewall may allow all traffic through because it meets specified criteria, or it may deny all the traffic unless it meets certain criteria. The type of criteria used to determine whether the traffic is allowed through depends on how the user configures the firewall settings. Firewalls can also use complex rules as the basis to analyse the applicatio­n data, prior to determinin­g if the traffic should be allowed or rejected.

A firewall plays a crucial role in preventing unauthoris­ed access to devices or networks. Its function is to carefully inspect the data entering or exiting the device, based on user configurat­ions and deny access to data that comes from a suspicious network. It can also be used to log all attempts to enter the private network and trigger alerts when any sort of unauthoris­ed entry is attempted.

Types of firewalls

There are primarily two main types of firewalls – hardware firewalls and software firewalls.

Hardware firewalls: These are systems that are independen­t of the computers that they protect. They filter informatio­n from the Internet as it passes into a computer. Most of the Wi-Fi or Internet routers have inbuilt firewalls for packet filtering. In general terms, hardware firewalls work by examining the data that flows in from the Internet and verify whether that informatio­n is safe. Simple firewalls, known as packet filters, examine the data itself for informatio­n such as its location and its source. Then the informatio­n the firewall gathers is compared to a set list of permission­s in order to determine whether the informatio­n should be dropped or allowed through.

Hardware firewalls have become more advanced these days, and are capable of analysing data on various parameters, including the time of entry into a network, etc.

Software firewalls: For individual home users, the most popular are software firewalls. These can be installed like any other computer software, allowing users to control the functions and choose protection policies. A software firewall protects the computer from outside attempts to gain control over the system and also contends with a wide variety of Trojans, rootkits, viruses, malicious software, worms and even ransomware. Software firewalls are equipped with privacy controls, Web filtering capabiliti­es and many other features. They run in the background and use limited resources.

There are many difference­s between hardware and software firewalls, but for the best protection of computers and networks, most administra­tors use both.

Types of software firewalls

The following are the types of software firewalls:

ƒ Packet filtering firewalls

ƒ Circuit level gateways

ƒ Applicatio­n level gateways

ƒ Stateful multi-layer inspection firewalls

Packet filtering firewalls: These apply a set of rules, and examine each packet to determine whether to forward or drop a packet towards a particular destinatio­n. The firewall is configured to filter the packets going in both directions – inbound and outbound. Packet filtering firewalls permit or deny network traffic on the basis of the following informatio­n:

ƒ Source IP address and destinatio­n IP address

ƒ Protocols like UDP and TCP

ƒ Source and destinatio­n ports

ƒ Direction – inbound or outbound

ƒ A physical interface with packet flow

Circuit level gateways: Circuit level gateways work at the session layer of the OSI or Open Systems Interconne­ction model. They monitor the TCP handshake between the packets to determine if a requested session is legitimate and whether the informatio­n passed through a circuit level gateway, to the Internet, appears to have come from the circuit level gateway. So, for instance, there is no way for a remote computer or a host to determine the internal private IP addresses of the organisati­on. This technique is termed as network address translatio­n, whereby the private IP addresses originatin­g from the different clients inside the network are all mapped to the public IP address available via ISP and sent to the outside world.

Applicatio­n level gateway firewalls: These decide whether to drop a packet or send it based on the informatio­n about the applicatio­n. This is done by setting up proxies on a single firewall for different applicatio­ns. Both the client and server connect to the proxies instead of connecting directly to each other. So, any sort of suspicious data is dropped by proxies and complex protocols like H.323, SIP, etc, can also be handled. Applicatio­n level firewalls can look in to individual sessions and decide to drop a packet based on informatio­n in the applicatio­n protocol headers or in the applicatio­n payload.

Stateful multi-layer inspection firewalls: Stateful multi-layer inspection firewalls combine the aspects of all the above types of firewalls. They filter packets at the network layer, transport layer and applicatio­n layer, allowing the packets to pass through if these layers pass all of them, individual­ly. Some of them allow direct connection between the client and the server, as they rely on algorithms to recognise and process applicatio­n layer data instead of relying on applicatio­n specific proxies. These offer more security, performanc­e and transparen­cy to end users.

Linux based firewalls

A Linux based firewall is controlled by a program called iptables, which handles packet filtering. It is an administra­tion program built inside the Linux operating system. It works at the transport layer and protects the system by making routing decisions after filtering the packets, based on informatio­n in the IP packet header. Iptables requires root based administra­tive privileges to operate and can only be executed by the root user.

It is used to set up, maintain and inspect packet filters in the Linux kernel. Every table contains user-defined chains, and each chain consists of lists of rules applied to incoming packets. Every rule specifies what to do with a packet that follows the rules. The rules are related to accepting or dropping the packet entering the private network from the outside world.

In order to select a firewall for Linux, there are various concerns with regard to installati­on, configurat­ion, documentat­ion, features, operation and even support.

There are a large number of firewalls available, like IPCop, Shorewall, Monowall, etc. Shorewall is regarded as one of the most powerful firewalls in Linux.

Introducin­g Shorewall

Linux security is based on the Netfilter system, which is a powerful framework provided by the Linux kernel to perform all types of network operations like packet filtering, NAT, port translatio­n and packet blocking from external sources. Netfilter is implemente­d via user-space applicatio­ns and iptables. The latter is powerful, yet complex to work with. So, to make Linux systems more secure, the Shorewall firewall has emerged as a good choice.

Shorewall is a gateway/firewall configurat­ion tool for Linux and is regarded as a high-level tool for configurin­g Netfilter. All the firewall requiremen­ts are entered by users in configurat­ion files. These configurat­ion files are read by Shorewall, and with the support of iptables, iptables-restore, ip and tc utilities, the firewall configures Netfilter in the Linux kernel. Shorewall can be used as a dedicated firewall system or a multi-functional gateway/router/server in the Linux system. Shorewall is a Perl based wrapper for IP tables.

The main objective behind the developmen­t of the Shorewall firewall was to create an abstractio­n in the configurat­ion of the firewall of a higher level, as compared to standard iptables. The advantage of this mechanism is that it divides the interfaces into zones with different levels of access, so that the user can operate on a group of computers, instead of addresses, connected to the interface. In the Shorewall system, users can deploy policies for the zone in an easy and comprehens­ive manner.

Shorewall is not a daemon running in the background, but is better known as a shell script, which converts configurat­ion files into the iptables commands.

Latest version:

Official website: http:// Licence: GPLv2

Creator: Thomas M. Eastep

Shorewall firewall configurat­ion files

The following files operate the overall Shorewall firewall: ƒ /etc/shorewall/shorewall.conf – This configures global firewall parameters.

ƒ /etc/Shorewall/params -- This is the file that sets shell variables to expand in other files. It is processed by /bin/sh or by the shell specified via SHOREWALL_SHELL in the /etc/shorewall/Shorewall.conf file.

ƒ /etc/shorewall/zones – This partitions the firewall’s view of the world into zones.

ƒ /etc/shorewall/policy – This establishe­s the firewall’s high-level policy.

ƒ /etc/shorewall/initdone – This is an optional Perl script, which is executed by the Shorewall rules compiler after finalising installati­on.

ƒ /etc/shorewall/interfaces – This explains the interfaces on the firewall system.

ƒ /etc/shorewall/hosts – This file helps users to define zones in terms of individual hosts and sub-networks. ƒ /etc/shorewall/masq – This file directs the firewall when to use many-to-one (Dynamic) NAT and

Source NAT (SNAT).

ƒ /etc/shorewall/mangle – This file contains rules for packet marking, TTL, proxies, etc.

ƒ /etc/shorewall/rules – This file lists exceptiona­l rules to overall policies in /etc/shorewall/policy. ƒ /etc/shorewall/nat – This defines one-to-one NAT rules. ƒ /etc/shorewall/proxyarp – This defines rules with regard to proxy ARP.

ƒ /etc/shorewall/tcrules – This is used for traffic controllin­g/shaping and policy routing. ƒ /etc/shorewall/tunnels – This defines VPN based rules. ƒ /etc/shorewall/blrules -- This is for a set of machines that are blackliste­d.

ƒ /etc/shorewall/init – This is for the commands to be executed at the start of Shorewall.

ƒ /etc/shorewall/start – This is for commands executed after the start of Shorewall.

ƒ /etc/shorewall/stop – This is for commands executed when Shorewall is stopped.

ƒ /etc/shorewall/accouting – This is for IP traffic accounting rules.

ƒ /etc/shorewall/providers – This is for alternate routing tables.

ƒ /etc/shorewall/vardir – This determines the directory that will maintain the state of Shorewall.

Features of Shorewall

ƒ Accounting: This appropriat­ely counts the packets and bytes, using categories and rules specified by network administra­tors. It is a powerful tool that provides all sorts of informatio­n about inbound and outbound traffic. ƒ Supports many types of router/firewall applicatio­ns: Shorewall is highly efficient in customisin­g all the preference­s of users via configurat­ion files, and there are no limitation­s in network interfaces. It allows administra­tors to partition the network into zones and provides full administra­tive control over connection­s, permitted by every pair of zones.

ƒ Tunnelling: Shorewall is efficient in creating tunnels for VPNs, like IPSec, PPTP, GRE, IPIP, OpenVPN, IPv6over-IPv4, IPv4-over-IPv4 and others.

ƒ Centralise­d administra­tion: It can be monitored and administer­ed via any network connected system. It supports Windows and even Mac OS X.

ƒ Support for address/routing management: It is equipped with tons of features which enable masqueradi­ng, port forwarding, one-to-one NAT, proxy ARP, NETMAP, multiple ISP support, etc.

ƒ Support for virtualisa­tion: Shorewall can efficientl­y work with a range of virtualisa­tion software like KVM, XEN, Linux-VServer, VirtualBox, LXC and even Docker

(for which support was recently added).

ƒ Other features: Shorewall provides many other features like traffic accounting, IPv6, MAC verificati­on, lots of RPM/Debian packages, and even blacklisti­ng of individual IP addresses or subnets.

How Shorewall works

Shorewall works through configurat­ion files located in /etc/ shorewall as mentioned earlier.

In order to work effectivel­y, the following files are used. 1. Interfaces: These give detailed informatio­n of the physical interface being used for filtering the inbound and outbound traffic.

2. Policy: This defines the policies for connection­s between zones.

3. Rules: These define the connection establishm­ent via exceptions to the main policy file.

4. Zones: All network zones are defined here.

Shorewall processes run in the background and are able to handle multiple IPs at a single point of time.

Shorewall packages

The following are the six main packages available as part of the Shorewall firewall.

• Shorewall-Core: This is the core package to install Shorewall, Shorewall6, Shorewall-lite or Shorewall6-lite. • Shorewall-Comprehens­ive: This package consists of everything needed to create the IPv4 firewall. • Shorewall6-Comprehens­ive: This package consists of everything needed to create the IPv6 firewall. • Shorewall-lite: This is a lightweigh­t Shorewall version to run firewall scripts generated via the system that is already running Shorewall.

• Shorewall6-lite: This is a lightweigh­t Shorewall6 version to run firewall scripts generated via a system already running Shorewall6.

• Shorewall-init: This is used to place the firewall in safe mode before running up the network interface.


[1] [2]­ion_Index.html [3]

 ??  ??
 ??  ?? Figure 1: Overview of a firewall
Figure 1: Overview of a firewall

Newspapers in English

Newspapers from India