

Firewall

We originally went with PCX Firewall on our test/development server, as James Pattie was most familiar with it. When we built the production servers, we decided to go with something more standard, so that others would be able to work with it later, if James isn't around. (And he wasn't around when we built the production servers.) So we decided to go with Shorewall. Shorewall also has the advantage that we don't need to provide the IP addresses of the system – it determines them dynamically. So when we change IP addresses, we don't have to re-configure the firewall.

Requirements

Shorewall doesn't seem to have any requirements, except perhaps a working network stack.

All we want from the firewall is basic host protection. (We don't do any routing, so we don't need to worry about packets going through the system.) We want to allow all outbound connections, and allow inbound connections to only the following ports:

  • 22 – SSH
  • 25 – SMTP
  • 80 – HTTP
  • 110 – POP
  • 143 – IMAP
  • 443 – HTTPS
  • 993 – IMAPS
  • 995 – POPS
  • 10000 – Webmin (HTTPS)

Installation

Install shorewall (and its documentation):

apt-get install shorewall shorewall-doc

Configuration

In /etc/default/shorewall, set shorewall to run by changing this line:

startup=1

Install default config files for systems with one interface:

cd /tmp
tar xfz /usr/share/doc/shorewall-doc/examples/one-interface.tgz
cp one-interface/* /etc/shorewall/

In /etc/shorewall/shorewall.conf, set some configuration options:

LOGFILE=/var/log/shorewall.log
LOGRATE=10/minute
LOGBURST=5
IPTABLES=/sbin/iptables

Edit /etc/shorewall/rules to add some rules to allow various ports inbound:

ACCEPT net fw tcp 22
ACCEPT net fw tcp 25
ACCEPT net fw tcp 80
ACCEPT net fw tcp 110
ACCEPT net fw tcp 143
ACCEPT net fw tcp 443
ACCEPT net fw tcp 993
ACCEPT net fw tcp 995
ACCEPT net fw tcp 10000

Startup

Start shorewall:

touch /var/log/shorewall.log
/etc/init.d/shorewall start
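The installation, configuration and startup steps above, collected into one script that can be re-run without duplicating lines. This is an added example, not from the original page or from the Shorewall project; the ROOT variable, the set_conf_key/get_conf_key helpers and the configure_shorewall function are assumptions made here so that the edits can be staged in a scratch directory and inspected before they touch /etc. The apt-get install and the init script start are left to the operator.

```shell
#!/bin/sh
# Added example (not from the original wiki page or the Shorewall project):
# apply the configuration steps above idempotently. ROOT is an assumption:
# empty means the real system; set it to a scratch directory to stage and
# inspect the files first. Package installation and the init script start
# are left to the operator.
ROOT="${ROOT:-}"
PORTS="22 25 80 110 143 443 993 995 10000"   # inbound TCP ports from the Requirements list

# set_conf_key FILE KEY VALUE: replace an existing KEY= line (even if it is
# commented out) with KEY=VALUE, or append the line if the key is absent.
set_conf_key() {
    file="$1"; key="$2"; value="$3"
    [ -f "$file" ] || : > "$file"
    if grep -q "^#*[[:space:]]*$key=" "$file"; then
        sed "s|^#*[[:space:]]*$key=.*|$key=$value|" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# get_conf_key FILE KEY: print the current value of KEY (empty if unset).
get_conf_key() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

configure_shorewall() {
    etc="$ROOT/etc"
    mkdir -p "$etc/default" "$etc/shorewall"

    # /etc/default/shorewall: allow the init script to start the firewall.
    set_conf_key "$etc/default/shorewall" startup 1

    # /etc/shorewall/shorewall.conf options from the page.
    conf="$etc/shorewall/shorewall.conf"
    set_conf_key "$conf" LOGFILE /var/log/shorewall.log
    set_conf_key "$conf" LOGRATE 10/minute
    set_conf_key "$conf" LOGBURST 5
    set_conf_key "$conf" IPTABLES /sbin/iptables

    # /etc/shorewall/rules: keep whatever is there except our own
    # net->fw tcp ACCEPT lines, then write one ACCEPT per required port.
    rules="$etc/shorewall/rules"
    [ -f "$rules" ] || : > "$rules"
    grep -Ev '^ACCEPT[[:space:]]+net[[:space:]]+fw[[:space:]]+tcp[[:space:]]' "$rules" > "$rules.tmp" || true
    for p in $PORTS; do
        printf 'ACCEPT\tnet\tfw\ttcp\t%s\n' "$p" >> "$rules.tmp"
    done
    mv "$rules.tmp" "$rules"

    # Create the log file so the first start does not fail on a missing log.
    mkdir -p "$ROOT/var/log"
    [ -f "$ROOT/var/log/shorewall.log" ] || : > "$ROOT/var/log/shorewall.log"
}

# Only act when invoked with --apply, so the functions can also be sourced.
if [ "${1:-}" = "--apply" ]; then
    configure_shorewall
fi
```

Stage it first with `ROOT=/tmp/stage sh shorewall-setup.sh --apply`, diff the generated files against the ones in /etc, then run it as root with ROOT unset. Shorewall's own `shorewall check` validates the resulting configuration before the init script is started.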

Testing

To check whether Shorewall is running, list the iptables chains and rules it has loaded:

iptables -L -vn

This should show a large number of chains and rules. An unprotected host shows only the three built-in chains (INPUT, FORWARD, OUTPUT) with policy ACCEPT and no rules.

If Shorewall is not running, check the /var/log/shorewall-init.log file for details.
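A script that turns the check above into a pass/fail verdict: it reads `iptables -L -vn` output, refuses a ruleset whose INPUT policy is still ACCEPT (the firewall is not loaded), and confirms that each port from the Requirements list has an ACCEPT rule. This is an added example, not from the original page; the function names are assumptions, and the two rulesets embedded at the bottom are constructed to resemble Shorewall output, not captured from the servers described here.

```shell
#!/bin/sh
# Added example (not from the original wiki page): decide from the output of
# `iptables -L -vn` whether the firewall is actually protecting the host.
# The SAMPLE_* rulesets at the bottom are constructed for this check and are
# not real output from the servers on the page.

PORTS="22 25 80 110 143 443 993 995 10000"   # inbound TCP ports from the Requirements list

# input_policy: print the INPUT chain policy (DROP, ACCEPT, ...) from stdin.
input_policy() {
    sed -n 's/^Chain INPUT (policy \([A-Z]*\).*/\1/p'
}

# accepted_tcp_ports: distinct TCP destination ports matched by some ACCEPT
# rule on stdin, one per line, ascending. Fields in -L -vn output are:
# pkts bytes target prot opt in out source destination [match options]
accepted_tcp_ports() {
    awk '$3 == "ACCEPT" && $4 == "tcp" {
             for (i = 5; i <= NF; i++)
                 if ($i ~ /^dpt:/) { sub(/^dpt:/, "", $i); print $i }
         }' | sort -n | uniq
}

# check_firewall: read iptables -L -vn output on stdin, print a verdict and
# return 0 only when INPUT is not ACCEPT and every required port is accepted.
check_firewall() {
    dump=$(cat)
    policy=$(printf '%s\n' "$dump" | input_policy)
    if [ -z "$policy" ] || [ "$policy" = "ACCEPT" ]; then
        echo "INPUT policy is '${policy:-unknown}': firewall not active"
        return 1
    fi
    open=$(printf '%s\n' "$dump" | accepted_tcp_ports)
    rc=0
    for p in $PORTS; do
        printf '%s\n' "$open" | grep -qx "$p" || { echo "port $p has no ACCEPT rule"; rc=1; }
    done
    [ "$rc" -eq 0 ] && echo "INPUT policy $policy, all required ports accepted"
    return $rc
}

# Constructed sample: Shorewall-style ruleset with the firewall loaded.
SAMPLE_RUNNING='Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  100  8000 net2fw     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0

Chain net2fw (1 references)
 pkts bytes target     prot opt in     out     source               destination
   10   800 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22
    5   400 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:110
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:143
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:443
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:993
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:995
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:10000
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:53
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:113'

# Constructed sample: the kernel default with no firewall loaded.
SAMPLE_NOT_RUNNING='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination'
```

On the host itself, source the file and run `iptables -L -vn | check_firewall`; a non-zero exit is what a cron job or monitoring check should alert on.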

PCX Firewall

The firewall was originally constructed with the PCXFirewall Toolkit, available at http://pcxfirewall.sourceforge.net/. After determining the list of services to be offered, a list of open ports was created; the following sections enumerate it.

Admin instructions on how to access PCXFirewall

https://63.252.5.3/pcxfirewall/

username – admin

Firewall Config – budlight1

Budlight1 Definition

Config

Config Options

  • Network Command – ifconfig
  • Mangle Rules – Enabled

Validity Check:

  • TCP Flags – on
  • ECN Enabled – off
  • Unclean – off
  • Kernel Type – modular

Zones:

  • internal Zone Enabled – off
  • ipsec Zone Enabled – off
  • dmz Zone Enabled – off
  • dialin Zone Enabled – off
  • Bridge Support Enabled – off
  • Snort-Inline Support Enabled – off

Special Protocol Modules:

  • ftp Enabled – on
  • ftp Params – none
  • irc Enabled – off
  • irc Params – none

Rate Limit:

  • Tainted Packets Log Rate – 20 / minute
  • Reserved Packets Log Rate – 20 / minute
  • Default Policy Packets Log Rate – 30 / minute
  • Reject Packets Log Rate – 30 / minute
  • Normal Packets Log Rate – 30 / minute
  • ICMP Packets Allow Rate – 30 / minute

Logging:

  • Log Prefix – FW
  • Log Level – debug

Dynamic Interfaces:

  • Dynamic Interfaces Mode – ignoreIP

Networks

  • Index – 0
  • Host – budlight
  • Type – normal
  • Active – true
  • Comment – external network/lan

Reserved External Networks

Index | Host | LimitTo | Active | Comment (rows list only the fields that were filled in)

10.0.0.0/8 | false | Class A
192.168.0.0/16 | false | Class C
127.0.0.0/8 | true | Local machine
172.16.0.0/12 | false | Class B
224.0.0.0/4 | false | Class D Multicast
240.0.0.0/5 | true | Class E Reserved
0.0.0.0/8 | false | Illegal except for DHCP
169.254.0.0/16 | true | Link Local Networks
192.0.2.0/24 | false | TEST-NET

Zones

  • Alias – external
  • Interface – eth0
  • IP Address – 63.252.5.3
  • IPSec – false
  • IPSec LimitFrom –
  • Network – budlight
  • Proxy Arp – false
  • Active – true
  • Comment – This is configured for a LAN server, not a WAN.

Services

Existing services were left as preconfigured.

Added : POP3s

  • Protocol – tcp
  • d-port – 995
  • s-port – any
  • icmp type –

Paths

ServiceGroups

in | out | ip | source | dest | action | service | active (rows list only the fields that were filled in)

firewallToExternal
* | ALL | ALL | ACCEPT | DNS, SSH, IDENT, SMTP, ICMP, TRACEROUTE, SQUID, HTTP, FTP, BOOTP, NTP, RSYNC | true

externalToFirewall
* | ALL | ALL | ACCEPT | SSH, SMTP, POP3, IMAP, ICMP-limited, HTTP, HTTPS, BOOTP, IMAPS, POP3S | true
* | ALL | ALL | Reject | IDENT | true
external | ALL | ALL | Drop No Log | SMB | true
external | ALL | ALL | ACCEPT | Webmin | true

externalBroadcast
* | ALL | ALL | ACCEPT | BOOTP | true

Installation

get this from PCXFirewall instructions and put here

System Changes

Please post changes here in the format of: [H4] date|your name [/H4] [CR]description of changes made

March 5 2005 | Carl Fitch

Added Path to allow Webmin access. This was added as a separate path to allow an easier way to turn the path on or off as needed.

February 19 2005 | James Pattie, Carl Fitch

The initial installation

March 5 2005 | Carl Fitch

Changed Zone "external" to current static IP address

TODO

Remove info regarding PCX Firewall.

Determine if our port list is correct for what we need open. We might want to open up additional ports for LMTP, SMTP w/ SSL, and SMTP w/ forced STARTTLS. Perhaps Squid caching and Rsync as well. We might want to remove Webmin and some of the other ports.

Is Shorewall configured to start on boot at the proper time? Is there a window of time where the network starts up (and there are services running) before Shorewall is protecting the system?

How can we back up our configuration on a regular basis?

How much ICMP do we block? How much do we want to block?

Credits

Shorewall was initially installed and configured by Jeff Muse on 2005-07-30. Craig Buchek assisted and documented.

PCX Firewall was initially installed, configured, and documented on the test/development system by James Pattie and Carl Fitch, 2005-02-19.


build/firewall.1134025342.txt.gz · Last modified: 2006/01/16 18:44 (external edit)