====== Firewall ======
We originally went with [[http://pcxfirewall.sourceforge.net/|PCX Firewall]] on our test/development server, as James Pattie was most familiar with it. When we built the production servers, we decided to go with something more standard, so that others would be able to work with it later, if James isn't around. (And he wasn't around when we built the production servers.) So we decided to go with [[http://www.shorewall.net/|Shorewall]]. Shorewall also has the advantage that we don't need to provide the IP addresses of the system -- it determines them dynamically. So when we change IP addresses, we don't have to re-configure the firewall.
We currently aren't running a firewall on bock. Solaris 10 ships with IPF, but it has suffered from throughput problems, so we're leaving it off.
===== Requirements =====
Shorewall doesn't seem to have any requirements, except ''iptables'', ''iproute'', and ''libatm1''.
apt-get install iproute iproute-doc libatm1
All we want from the firewall is basic host protection. (We don't do any routing, so we don't need to worry about packets going **through** the system.) We want to allow all outbound connections, and allow inbound connections to only the following ports:
* 22 -- SSH
* 25 -- SMTP (Bud only)
* 53 -- DNS (Bud only)
* 80 -- HTTP
* 110 -- POP (Bud only)
* 123 -- NTP (UDP)
* 143 -- IMAP (Bud only)
* 443 -- HTTPS
* 993 -- IMAPS (Bud only)
* 995 -- POPS (Bud only)
===== Installation =====
Install shorewall (and its documentation):
apt-get install shorewall shorewall-doc
===== Configuration =====
In ''/etc/default/shorewall'', set shorewall to run by changing the ''startup'' line:
sed -i -e 's/startup=0/startup=1/' /etc/default/shorewall
Install default config files for systems with one interface:
cp -a /usr/share/doc/shorewall/examples/one-interface/* /etc/shorewall/
cd /etc/shorewall/
gunzip *.gz
If the system has more than one interface, see the other directories of examples.
In ''/etc/shorewall/shorewall.conf'', set some configuration options. Change the following lines:
LOGFILE=/var/log/shorewall.log
LOGRATE=10/minute
LOGBURST=5
Edit ''/etc/shorewall/rules'' to add some rules to allow various ports inbound:
ACCEPT net $FW tcp 22
ACCEPT net $FW tcp 25
ACCEPT net $FW tcp 53
ACCEPT net $FW udp 53
ACCEPT net $FW tcp 80
ACCEPT net $FW tcp 110
ACCEPT net $FW udp 123
ACCEPT net $FW tcp 143
ACCEPT net $FW tcp 443
ACCEPT net $FW tcp 993
ACCEPT net $FW tcp 995
If the system has more than one interface, duplicate the same rules for each interface unless there is a reason to not do that. In that case, document the purpose and restrictions for each interface, and why the rules are different.
===== Startup =====
Start shorewall:
touch /var/log/shorewall.log
/etc/init.d/shorewall start
===== Testing =====
To check whether Shorewall is running, check what IP Tables are configured:
iptables -L -vn
This should show a large number of tables.
If Shorewall is not running, check the ''/var/log/shorewall-init.log'' file for details.
===== TODO =====
Can we restrict some ports to the local subnet?
Determine if our port list is correct for what we need open. We might want to open up additional ports for LMTP, SMTP w/ SSL, and SMTP w/ forced STARTTLS. Perhaps Squid caching and Rsync as well. We might want to remove Webmin and some of the other ports.
Is Shorewall configured to start on boot at the proper time? Is there a window of time where the network starts up (and there are services running) before Shorewall is protecting the system?
How can we back up our configuration on a regular basis?
How much ICMP do we block? How much do we want to block?
===== Credits =====
Shorewall was initially installed and configured by Jeff Muse on 2005-07-30. Craig Buchek assisted and documented.
PCX Firewall was initially installed, configured, and documented on the test/development system by James Pattie and Carl Fitch, 2005-02-19.
===== Comments =====