Shorewall FAQs

About Shorewall

Why do you call it "Shorewall"?

What distributions does it work with?

What features does it support?

Why isn't there a GUI?

Port Forwarding

I want to forward UDP port 7777 to my personal PC with IP address 192.168.1.5. I've looked everywhere and can't find how to do it.

Ok -- I followed those instructions but it doesn't work.

I port forward www requests to www.mydomain.com (IP 130.151.100.69) to system 192.168.1.5 in my local network. External clients can browse http://www.mydomain.com but internal clients can't.

I have a zone "Z" with an RFC1918 subnet and I use static NAT to assign non-RFC1918 addresses to hosts in Z. Hosts in Z cannot communicate with each other using their external (non-RFC1918 addresses) so they can't access each other using their DNS names.

Applications

I want to use Netmeeting with Shorewall. What do I do?

Connection Problems

I added the following rule and now I can't surf the internet from my local systems

I've installed Shorewall and now I can't ping through the firewall

Logging

Where are the log messages written and how do I change the destination?

Are there any log parsers that work with Shorewall?

Starting and stopping the firewall

When I stop Shorewall using 'shorewall stop', I can't connect to anything. Why doesn't that command work?

When I try to start Shorewall on RedHat 7.x, I get messages about insmod failing -- what's wrong?

Design

Why does Shorewall only accept IP addresses as opposed to FQDNs?

1. I want to forward UDP port 7777 to my personal PC with IP address 192.168.1.5. I've looked everywhere and can't find how to do it.

The first example in the rules file documentation shows how to do port forwarding under Shorewall. Assuming that you have a dynamic external IP address, the format of a port-forwarding rule to a local system is as follows:

     ACCEPT net local:<local IP address> <protocol> <port #> - all

So to forward UDP port 7777 to internal system 192.168.1.5, the rule is:

     ACCEPT net local:192.168.1.5 udp 7777 - all

If you want to forward requests directed to a particular <external ip> to an internal system:

     ACCEPT net local:<local IP address> <protocol> <port #> - <external ip>

1a. Ok -- I followed those instructions but it doesn't work

That is usually the result of one of two things:

- You are trying to test from inside your firewall (no, that won't work -- see FAQ #2).
- You have a more basic problem with your local system such as an incorrect default gateway configured (it should be set to the IP address of your firewall's internal interface).

2. I port forward www requests to www.mydomain.com (IP 130.151.100.69) to system 192.168.1.5 in my local network. External clients can browse http://www.mydomain.com but internal clients can't.

I have two objections to this setup.

- Having an internet-accessible server in your local network is like raising foxes in the corner of your hen house. If the server is compromised, there's nothing between that server and your other internal systems. For the cost of another NIC and a cross-over cable, you can put your server in a DMZ such that it is isolated from your local systems - assuming that the Server can be located near the Firewall, of course :-)
- The accessibility problem is best solved using Bind Version 9 "views" such that www.mydomain.com resolves to 130.141.100.69 externally and 192.168.1.5 internally. That's what I do here at shorewall.net for my local systems that use static NAT.

If you insist on an IP solution to the accessibility problem rather than a DNS solution, then assuming that your internal interface is eth1 and your internal network is 192.168.1.0/24, do the following:

a) In /etc/shorewall/interfaces, specify "multi" as an option for eth1.
b) In /etc/shorewall/masq, add:

     eth1    192.168.1.0/24

c) In /etc/shorewall/rules, add:

     ACCEPT    local    local:192.168.1.5    tcp    www    -    130.151.100.69

2a. I have a zone "Z" with an RFC1918 subnet and I use static NAT to assign non-RFC1918 addresses to hosts in Z. Hosts in Z cannot communicate with each other using their external (non-RFC1918 addresses) so they can't access each other using their DNS names.

This is another problem that is best solved using Bind Version 9 "views". It allows both external and internal clients to access a NATed host using the host's DNS name.

Another good way to approach this problem is to switch from static NAT to Proxy ARP. That way, the hosts in Z have non-RFC1918 addresses and can be accessed externally and internally using the same address. 

If you don't like those solutions and prefer routing all Z->Z traffic through your firewall then:

a) Specify "multi" on the entry for Z's interface in /etc/shorewall/interfaces.
b) Set the Z->Z policy to ACCEPT.
c) Masquerade Z to itself.

Example:

Zone: dmz
Interface: eth2
Subnet: 192.168.2.0/24

In /etc/shorewall/interfaces:

     dmz    eth2    192.168.2.255    multi

In /etc/shorewall/policy:

     dmz    dmz    ACCEPT

In /etc/shorewall/masq:

     eth2    192.168.2.0/24
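The following is an added illustration, not Shorewall's own generated rule set: the plain iptables rules that do the same job as the three entries in FAQ 2 (multi on eth1, the masq entry, and the ACCEPT rule with 130.151.100.69 as the original destination). The Z-to-Z setup in FAQ 2a relies on the same masquerade-through-the-firewall pattern, with the static NAT entries supplying the address translation. Interface, subnet and address values are taken from FAQ 2; the narrowing of the masquerade to the server only is this example's choice.

```shell
#!/bin/sh
# Added example, not Shorewall output: hairpin NAT for a local client that
# connects to the server's public address. IPT defaults to a dry run that only
# prints the commands; run with IPT=iptables to apply them for real.
IPT=${IPT:-echo iptables}

LOC_IF=eth1                 # internal interface (FAQ 2)
LOC_NET=192.168.1.0/24      # internal subnet (FAQ 2)
SERVER=192.168.1.5          # web server on the internal subnet (FAQ 2)
EXT_ADDR=130.151.100.69     # public address that www.mydomain.com resolves to (FAQ 2)

hairpin_rules() {
    # 1. Rewrite the destination before routing, so a local client that connects
    #    to the public address is sent to the internal server instead.
    $IPT -t nat -A PREROUTING -i "$LOC_IF" -s "$LOC_NET" -d "$EXT_ADDR" \
        -p tcp --dport 80 -j DNAT --to-destination "$SERVER"

    # 2. Let the packet be forwarded back out the interface it arrived on
    #    (this is what the "multi" option permits), and let the replies through.
    $IPT -A FORWARD -i "$LOC_IF" -o "$LOC_IF" -d "$SERVER" -p tcp --dport 80 -j ACCEPT
    $IPT -A FORWARD -i "$LOC_IF" -o "$LOC_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # 3. Masquerade the client's source address. Without this the server answers
    #    the client directly on the LAN, the firewall never sees the reply, the
    #    destination is never translated back, and the client discards it.
    #    The FAQ's masq entry covers the whole subnet; restricting it to the
    #    server keeps real client addresses in the logs of everything else.
    $IPT -t nat -A POSTROUTING -o "$LOC_IF" -s "$LOC_NET" -d "$SERVER" -j MASQUERADE
}

hairpin_rules
```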

3. I want to use Netmeeting with Shorewall. What do I do?

There is an H.323 connection tracking/NAT module that may help. Also check the Netfilter mailing list archives at http://netfilter.samba.org.

4. I added the following rule and now I can't surf the internet from my local systems

    ACCEPT    local    dmz:10.0.0.5    tcp    www    -    all

Why?

That rule says that any traffic from the local network for TCP port 80 regardless of which host it is addressed to (yes, that's what the 'all' means) should be forwarded to system 10.0.0.5 in the DMZ. The solution is to remove the "all".

5. I've installed Shorewall and now I can't ping through the firewall

If you want your firewall to be totally open for "ping":

a) Do NOT specify 'noping' on any interface in /etc/shorewall/interfaces.
b) Copy /etc/shorewall/icmp.def to /etc/shorewall/icmpdef
c) Add the following to /etc/shorewall/icmpdef:

     run_iptables -A icmpdef -p ICMP --icmp-type echo-request -j ACCEPT

6. Where are the log messages written and how do I change the destination?

NetFilter uses the kernel's equivalent of syslog (see "man syslog") to log messages. It always uses the LOG_KERN (kern) facility (see "man openlog") and you get to choose the log level (again, see "man syslog") in your policies and rules. The destination for messages logged by syslog is controlled by /etc/syslog.conf (see "man syslog.conf"). When you have changed /etc/syslog.conf, be sure to restart syslogd (on a RedHat system, "service syslog restart").

By default, Shorewall rate-limits log messages through settings in /etc/shorewall/shorewall.conf -- If you want to log all messages (beware of DOS attacks!), set:

     LOGLIMIT=""
     LOGBURST=""

6a. Are there any log parsers that work with Shorewall?

Here are several links that may be helpful:

http://www.shorewall.net/pub/shorewall/parsefw/
http://www.fireparse.com
http://cert.uni-stuttgart.de/projects/fwlogwatch
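As an added example for FAQs 6 and 6a (not one of the parsers linked above and not part of the Shorewall distribution), here is a small summariser for the kern-facility lines that syslog writes for Shorewall. It assumes the log prefix has the form "Shorewall:<chain>:<disposition>:" immediately followed by the kernel's KEY=VALUE fields; the sample log lines are constructed.

```shell
#!/bin/sh
# Added example: summarise Shorewall/netfilter log lines by disposition, source,
# protocol and destination port. Assumes the "Shorewall:<chain>:<disposition>:"
# prefix convention; the lines below are constructed, not a real log.
SAMPLE_LOG='Mar 25 10:01:02 gateway kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=192.0.2.77 DST=203.0.113.9 LEN=60 PROTO=TCP SPT=4123 DPT=23 SYN
Mar 25 10:01:03 gateway kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=192.0.2.77 DST=203.0.113.9 LEN=60 PROTO=TCP SPT=4124 DPT=23 SYN
Mar 25 10:01:09 gateway kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=192.0.2.77 DST=203.0.113.9 LEN=60 PROTO=TCP SPT=4125 DPT=23 SYN
Mar 25 10:02:41 gateway kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=198.51.100.4 DST=203.0.113.9 LEN=48 PROTO=UDP SPT=1027 DPT=137
Mar 25 10:03:15 gateway kernel: Shorewall:loc2net:ACCEPT:IN=eth1 OUT=eth0 SRC=192.168.1.5 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=33001 DPT=80 SYN
Mar 25 10:03:20 gateway kernel: eth0: link is up'

# Reads log lines on stdin; prints "count disposition src proto dpt", busiest first.
shorewall_log_summary() {
    awk '
        /Shorewall:[^ ]*:[^ ]*:/ {
            disp = "?"; src = "?"; proto = "?"; dpt = "-"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^Shorewall:/) {
                    split($i, p, ":")        # Shorewall:chain:disposition:IN=eth0
                    disp = p[3]
                } else if ($i ~ /^SRC=/)   src   = substr($i, 5)
                  else if ($i ~ /^PROTO=/) proto = substr($i, 7)
                  else if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
            }
            count[disp " " src " " proto " " dpt]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Reads log lines on stdin; prints sources with more than $1 dropped packets to
# one port, the candidates worth a closer look (or a rule) after a log review.
drop_sources_over() {
    shorewall_log_summary | awk -v t="$1" '$2 == "DROP" && $1 > t { print $3 }' | sort -u
}

echo "$SAMPLE_LOG" | shorewall_log_summary
```

Feed it a real file with `shorewall_log_summary < /var/log/messages`; remember that with LOGLIMIT in force the counts are of logged packets, not of all packets dropped.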

7. When I stop Shorewall using 'shorewall stop', I can't connect to anything. Why doesn't that command work?

The 'stop' command is intended to place your firewall into a safe state whereby only those interfaces/hosts having the 'routestopped' option in /etc/shorewall/interfaces and /etc/shorewall/hosts are activated. If you want to totally open up your firewall, you must use the 'shorewall clear' command.

8. When I try to start Shorewall on RedHat 7.x, I get messages about insmod failing -- what's wrong?

The output you will see looks something like this:

     /lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: init_module: Device or resource busy
     Hint: insmod errors can be caused by incorrect module parameters, including invalid IO or IRQ parameters
     /lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: insmod
     /lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o failed
     /lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: insmod ip_tables failed
     iptables v1.2.3: can't initialize iptables table `nat': iptables who? (do you need to insmod?)
     Perhaps iptables or your kernel needs to be upgraded.

This is usually cured by the following sequence of commands:

     service ipchains stop
     chkconfig --delete ipchains
     rmmod ipchains

Also, be sure to check the errata for problems concerning the version of iptables (v1.2.3) shipped with RH7.2.

9. Why does Shorewall only accept IP addresses as opposed to FQDNs?

I'm trying to protect people from themselves. If your firewall rules include FQDNs then:

- If your /etc/resolv.conf is wrong then your firewall won't start.
- If your /etc/nsswitch.conf is wrong then your firewall won't start.
- If your name server(s) are down then your firewall won't start.
- Factors totally outside your control (your ISP's router is down, for example) can prevent your firewall from starting.

10. What Distributions does it work with?

Shorewall works with any Linux distribution that includes the proper prerequisites.

11. What Features does it have?

See the Shorewall Feature List.

12. Why isn't there a GUI?

I'm working on one as time permits.

13. Why do you call it "Shorewall"?

Shorewall is a concatenation of "Shoreline" (the city where I live) and "Firewall".

Last updated 3/25/2002 - Tom Eastep

Copyright © 2001, 2002 Thomas M. Eastep.
