Can someone help me set up Shorewall on a basic Ubuntu 9.04 setup (apache2, php, mysql)?

I can't find a guide that just leads you through every step. It always tells me to customize it for my setup or something like that and I have no clue what to do.

Any help is greatly appreciated!

I originally setup Shorewall using the Shorewall parts of this guide:
http://flurdy.com/docs/postfix/

Shorewall setup is going to be the same for 99% of setups, the only difference is which ports your allow external access to... In your case you probably want to allow the following ports:

80 (HTTP)
22 (SSH)
3306 (only if you plan on doing MySQL testing from a home machine or something)

Refer to this page for 90% of your information:
http://www.shorewall.net/ (Shorewall Homepage)

http://www.shorewall.net/shorewall_quickstart_guide.htm


Ignore the warning about installing shorewall on a remote machine. That's what LISH is for.

Smark: I'm following the guide you posted the link to however I don't see a file that defines the ports you mentioned. Could you point me in the right direction?

Thanks for the help

EDIT: Nevermind about the port thing. I think I got it all working now.

How do I test the firewall to make sure it's doing what it should be doing?

'shorewall status' says it's running and as far as I can tell the site + ssh still connect so that much works.

No one seems to around, so I'll chirp in. For default ports, you simply refer to the macros supplied with Shorewall. In the example (http://flurdy.com/docs/postfix/#config-simple-firewall, below Open for Business):

vi /etc/shorewall/rules

# Permit all ICMP traffic FROM the firewall TO the net zone 
ACCEPT $FW net icmp 

# mail lines 
SMTP/ACCEPT net $FW 
SMTPS/ACCEPT net 
Submission/ACCEPT net $FW 
IMAP/ACCEPT net $FW 
IMAPS/ACCEPT net $FW 

#web 
Web/ACCEPT net $FW

The line containing SMTP/ACCEPT net $FW will allow traffic on port 25 from the zone 'net', according to the macro defined in /usr/share/shorewall/macro.SMTP. To specify port 2525 manually, use a line such as

#Accept from anyone on the net
ACCEPT          net       $FW             tcp     2525

# Or accept from IP 1.2.3.4
ACCEPT          net:1.2.3.4       $FW             tcp     2525

Thanks mjrich,
That confirms it to me that I did it the right way.

Now I just need a test script that can make sure I did everything right and I'll be finished.

You can try changing the port on something such as apache (if its not a production machine ATM), if its unreachable on the new port without changing shorewall then it works. If you add the port to shorewall, restart shorewall, and you can view a webpage then it works.

You can also install something like a ventrilo server to test it out if you want. Install it, start the server, try to connect (it should fail), add 3784 to Shorewall, restart Shorewall and you should be able to connect.