A SERVICE OF

logo

Open as PDF
next previous
Chapter 11 – Configuring The Firewall
Note: In order to improve security the router will create a zone “unusd” and unused
interfaces to this zone when Shorewall starts. A policy is also installed that blocks access
from “unusd” to all other zones.
Interfaces are defined in the file /etc/shorewall/interfaces and are modified from the
Network Interfaces menu.
Hosts
Shorewall hosts are used to assign zones to individual hosts or subnets, on an
interface which handles multiple subnets. This allows the firewall to manage traffic
being forwarded back out the interface it arrived on, but destined for another subnet.
This is often useful for VPN setups to handle the VPN traffic separately from the
other traffic on the interface which carries the VPN traffic. An example follows:
Zone Interface IP Address or Network
local eth3 10.0.0.0/8
guests eth3 192.168.0.0/24
Interfaces are defined in the file /etc/shorewall/hosts and are modified from the
Network Hosts menu.
Policy
Shorewall policies are the default actions for connection establishment between
different firewall zones. Each policy is of the form:
Source-zone Destination-zone Default-action
You can define a policy from each zone to each other. You may also use a wildcard
zone of “all” to represent all zones.
The default action describes how to handle the connection request. There are six
types of actions: ACCEPT, DROP, REJECT, QUEUE, CONTINUE and NONE.
The first three are the most widely used and are described here.
When the ACCEPT policy is used, a connection is allowed. When the DROP policy
is used, a request is simply ignored. No notification is made to the requesting client.
When the REJECT policy is used, a request is rejected with an TCP RST or an
ICMP destination-unreachable packet being returned to the client.
An example should illustrate the use of policies.
Source Zone Destination Zone Policy
loc net ACCEPT
net all DROP
all all REJECT
The above policies will:
Allow connection requests only from your local network to the Internet.
If you wanted to allow requests from a console on the RuggedRouter to
Internet you would need to add a policy of ACCEPT fw zone to net zone.
Drop (ignore) all connection requests from the Internet to your firewall
or local network, and
Reject all other connection requests.
RuggedCom 107