Posted by: Eric Hansen
Linux is well known for its networking capabilities. That includes turning an old, dusty machine in your house into a home-grown firewall or even a PBX (a fun weekend project, by the way). But as with just about everything else involving Linux, there are a million ways to solve one problem. Firewalls are no exception.
When you install your OS, you will most likely find iptables pre-installed (you should, anyway). That is because iptables is the de facto standard tool for managing a Linux firewall. It gives you direct access to netfilter to inspect packets in great depth, and it can even hand traffic off to an IDS like Snort when configured properly. The problem with that much power is that the rules quickly become troublesome to maintain and configure.
For example, to set up a simple logging rule, you have to write something like this: iptables -A INPUT -p tcp --dport 22 ! -s 192.168.1.0/24 -j LOG --log-level 4 --log-prefix "[ssh daemon access attempt]: " (note that the negation goes before the option, as "! -s"; the older "-s !address" form is deprecated, and without a conntrack state match this rule logs every packet of every SSH connection, not just new attempts).
That is not very readable, and the fact that I know it by heart says something too. Mind you, this is a pretty simple rule, but it shows that configuring a firewall properly with the default tools takes some work. But what if there were an easier tool? A better tool? A safer tool?
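As an added example (shell written for this page, not code from the original post), here is the rule above in current iptables syntax, embedded in a minimal single-interface ruleset and emitted in iptables-restore format so it can be parsed with iptables-restore --test before it is loaded. The interface name eth0, the LAN prefix 192.168.1.0/24 and the script name are assumptions for the example; the ruleset is IPv4 only.

```shell
#!/bin/sh
# Added example, not from the original post. The post's SSH logging rule in
# current iptables syntax, inside a minimal single-NIC INPUT policy, emitted as
# an iptables-restore ruleset so it can be parsed with "iptables-restore --test"
# before anything touches the live firewall. Assumed: external interface eth0,
# LAN 192.168.1.0/24, IPv4 only (ip6tables is a separate ruleset).

LAN_NET="${LAN_NET:-192.168.1.0/24}"
WAN_IF="${WAN_IF:-eth0}"

# Print the complete filter-table ruleset on stdout.
emit_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback and packets of already-accepted connections come first; without the
# conntrack match the LOG rule below would fire on every packet of every
# SSH session, not just on new connection attempts.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# SSH from the LAN is accepted outright.
-A INPUT -i $WAN_IF -p tcp --dport 22 -s $LAN_NET -m conntrack --ctstate NEW -j ACCEPT
# The post's rule, corrected: the negation is written "! -s ADDRESS" (the old
# "-s !ADDRESS" form is deprecated), only NEW attempts are logged, and the
# --log-prefix stays within the 29-character limit (this one is exactly 29).
-A INPUT -i $WAN_IF -p tcp --dport 22 ! -s $LAN_NET -m conntrack --ctstate NEW -j LOG --log-level 4 --log-prefix "[ssh daemon access attempt]: "
-A INPUT -i $WAN_IF -p tcp --dport 22 ! -s $LAN_NET -j DROP
# Anything else falls through to the INPUT DROP policy.
COMMIT
EOF
}

# Number of rules that would be loaded (table, chain, comment and COMMIT lines excluded).
rule_count() {
    emit_ruleset | grep -c '^-A '
}

# Parse-only check. iptables-restore --test needs the iptables binaries and
# root, so report and succeed when they are missing rather than fail the script.
check_ruleset() {
    if command -v iptables-restore >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
        emit_ruleset | iptables-restore --test
    else
        echo "skipping iptables-restore --test (needs root and iptables)" >&2
    fi
}

# Usage: sh ssh-log-fw.sh          print the ruleset for review
#        sh ssh-log-fw.sh --apply  check it, then load it atomically (as root)
if [ "${1:-}" = "--apply" ]; then
    check_ruleset && emit_ruleset | iptables-restore
else
    emit_ruleset
fi
```

Loading the whole table in one iptables-restore call replaces the ruleset atomically, so there is no window where half the rules are in place; it is also the mechanism Shorewall itself uses once it has compiled its configuration.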
Over the weekend I spent a few hours working with Shorewall, a front-end of sorts for iptables. The Shorewall documentation tells you to disable the distribution's iptables service, yet Shorewall still requires iptables to be installed. That threw me off at first, until I started Shorewall and saw why: it compiles its configuration into iptables commands and loads them itself, so the iptables binaries are needed but a second service loading a competing ruleset is not.
Shorewall makes firewall management easier without taking away the power of iptables; it only simplifies the interface to it. For a one-NIC firewall you are looking at four or five files to edit (zones, interfaces, policy, rules and shorewall.conf), two of which (policy and rules) you will come back to more than once. Compare that with raw iptables, where remembering the switches, which rule does what and in what order they are evaluated makes for a headache fast.
I'll be writing a tutorial on this soon, but as a starting point: Shorewall separates the policy you want from the iptables mechanics that implement it. You can easily see what you are configuring, how it is configured and when it applies. Shorewall also provides macros, pre-built rule templates for well-known services; to drop ping attempts, for example, you call the Ping macro in the rules file like this: Ping(DROP), followed by the source and destination zones. That makes for quick, easy management and rules that are much simpler to follow.
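The files behind such a one-NIC setup, as an added example written for this page (not Shorewall's shipped sample configuration): a shell function writes the zones, interfaces, policy and rules files to a staging directory, so they can be reviewed and run through shorewall check before being copied to /etc/shorewall. The interface eth0, the LAN prefix 192.168.1.0/24 and the function names are assumptions; shorewall.conf is left at the distribution default, and the files use the classic column layout (no ?FORMAT directive).

```shell
#!/bin/sh
# Added example, not Shorewall's own sample files. Writes the four files a
# one-interface Shorewall setup needs into a staging directory so they can be
# inspected, and checked with "shorewall check" where Shorewall is installed,
# before being copied to /etc/shorewall. Assumed: Shorewall 4.x/5.x with the
# default column layout, interface eth0, LAN 192.168.1.0/24; shorewall.conf is
# left at the distribution default.

write_shorewall_config() {
    dir="$1"
    mkdir -p "$dir"

    # Zones: the firewall itself plus the one network it faces.
    cat >"$dir/zones" <<'EOF'
#ZONE   TYPE      OPTIONS
fw      firewall
net     ipv4
EOF

    # Interfaces: which NIC belongs to which zone. "detect" fills in the
    # broadcast address; the options add basic sanity checks on incoming packets.
    cat >"$dir/interfaces" <<'EOF'
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      dhcp,tcpflags,nosmurfs,logmartians
EOF

    # Policy: what happens when no rule matches. Traffic from net that is
    # dropped here is logged at syslog level "info", which does the job of the
    # hand-written iptables LOG rule from earlier in the post.
    cat >"$dir/policy" <<'EOF'
#SOURCE   DEST   POLICY   LOG_LEVEL
$FW       net    ACCEPT
net       all    DROP     info
# The following policy must be last
all       all    REJECT   info
EOF

    # Rules: exceptions to the policy, using macros for well-known services.
    # SSH from the LAN is accepted; SSH from anywhere else matches no rule,
    # falls through to the net->all DROP policy above, and is logged there.
    cat >"$dir/rules" <<'EOF'
#ACTION        SOURCE                 DEST   PROTO   DEST PORT(S)
SSH(ACCEPT)    net:192.168.1.0/24     $FW
Ping(DROP)     net                    $FW
EOF
    echo "$dir"
}

# Number of non-comment entries in a generated file, for a quick sanity check.
count_entries() {
    grep -c -v '^#' "$1"
}

# Run Shorewall's own syntax and consistency check on the staging directory
# when the shorewall command is available.
check_shorewall_config() {
    if command -v shorewall >/dev/null 2>&1; then
        shorewall check "$1"
    else
        echo "shorewall not installed; skipping 'shorewall check'" >&2
    fi
}

# Usage: sh stage-shorewall.sh [DIR]   (defaults to ./shorewall-staging)
staging="$(write_shorewall_config "${1:-./shorewall-staging}")"
check_shorewall_config "$staging"
```

The heredocs are quoted ('EOF') so that $FW, Shorewall's name for the firewall zone, reaches the files literally instead of being expanded by the shell.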
Now that I've talked Shorewall up like it's a godsend and unbeatable, let's be a bit more demanding. Great as it is, Shorewall also has its downsides, the biggest of which is poor documentation.
The documentation on the website makes Shorewall sound like it takes at least a master's degree to get up and running. In practice an associate's would do; I got it going without issues, but only by following a different guide. There is a lot of technical jargon that, to me, is nothing more than fluff: it does nothing to help users get a firewall set up, and if I hadn't been bored and wanted to configure it, I would have stuck with plain iptables rules.
There is also a severe lack of tutorials on Shorewall, and most of what is out there lacks substance. Many of the guides I looked through were either for older versions or for configuring 'the perfect firewall'. I just wanted a simple how-to, and that was that.