Linode Community Forums
PostPosted: Sat Sep 29, 2012 12:23 pm 
Newbie

Joined: Sat Sep 29, 2012 12:07 pm
Posts: 3
Hi,

I want to use Shorewall as the firewall config tool on my Linode, but I can't figure out how I need to config my zones. The problem is that Linode uses aliases for the private IP range (eth0:1). It seems to me that I can't put those in separate zones?

Also, it seems that there is a bit of contradiction between the Linode set-up guide for the private IP and the Shorewall documentation on ethernet aliases. According to Linode, the private IP should be set up like this:

===
# eth0:1 - Private IPs have no gateway (they are not publicly routable) so all you need to
# specify is the address and netmask.
iface eth0:1 inet static
address 192.168.133.234
netmask 255.255.128.0
===

But Shorewall recommends another way:

===
# Internet interface
auto eth0
iface eth0 inet static
address 206.124.146.176
netmask 255.255.255.0
gateway 206.124.146.254
up ip addr add 206.124.146.178/24 brd 206.124.146.255 dev eth0 label eth0:0
===

I don't quite understand the difference between these two ways of configuring the ethernet alias. I'm not even sure it really matters for Linode or Shorewall.

Then there is the matter of having one zone per address. According to the Shorewall documentation, this is possible with Linux vServer support (?), but I can't figure out how to set it up.

I hope someone can help me with this, because it all seems much harder than it has to be...


PostPosted: Sat Sep 29, 2012 12:56 pm 

Joined: Sat Aug 30, 2008 1:55 pm
Posts: 1739
Location: Rochester, New York
Either network configuration will work just fine, and will produce the same system state. I've done both from time to time. The advantage of the "iface" approach is that you've got each address separated into logical configuration stanzas; the advantage of the "up" approach is that you only need one line per IP address. I use a combo of the two approaches currently:

Code:
# The loopback network interface
auto lo
iface lo inet loopback

# Public IP addresses
auto eth0 eth0:sodtechssl
iface eth0 inet static
    address 97.107.134.213
    netmask 255.255.255.0
    gateway 97.107.134.1
    up /sbin/ip addr add 2600:3c03::f03c:91ff:fe96:1dc9 dev eth0 # main
    up /sbin/ip -6 route add default via fe80::1 dev eth0
    up /sbin/ip addr add 2600:3c03::13:3025/64 dev eth0 preferred_lft 0 # mail.sodtech.net
    up /sbin/ip addr add 2600:3c03::13:3123/64 dev eth0 preferred_lft 0 # ntp.sodtech.net
    # and fifteen billion other IPv6 addresses

iface eth0:sodtechssl inet static
    address 97.107.131.4
    netmask 255.255.255.0

# Internal IP address
auto eth0:lan
iface eth0:lan inet static
    address 192.168.137.246
    netmask 255.255.128.0

_________________
Code:
/* TODO: need to add signature to posts */


PostPosted: Sat Sep 29, 2012 1:10 pm 
Newbie

Joined: Sat Sep 29, 2012 12:07 pm
Posts: 3
Thanks for the info :-)

I'm still in the dark on how to configure the shorewall zones. Would something like this work:

zones file:
Code:
===
#ZONE   TYPE            OPTIONS         IN                      OUT
#                                       OPTIONS                 OPTIONS
fw      firewall
net     ipv4
loc     ipv4
===

interfaces file:
Code:
===
#ZONE   INTERFACE       BROADCAST       OPTIONS
-       eth0            -
===

hosts file:
Code:
===
#ZONE   HOST(S)                                 OPTIONS
net     176.58.125.0/24                         tcpflags
loc                                             tcpflags
===

To be honest, I don't know what to fill in my hosts file for the "loc" zone.

According to Linode my private IP is 192.168.195.3/255.255.128.0, but I'm not sure how I should convert this to a format that Shorewall understands.

I still wonder why Linode can't provide a separate virtual adapter for the private range. It would make firewall setup so much easier. A virtual adapter is just a piece of software, and wouldn't consume any additional resources.


PostPosted: Sat Sep 29, 2012 5:38 pm 
Senior Member

Joined: Sun Mar 07, 2010 7:47 pm
Posts: 1970
Website: http://www.rwky.net
Location: Earth
Shorewall is easier than you think to set up for private/public IPs.

Your zones file should have one ipv4 zone (let's call it net); then in your rules file you specify the IP, i.e.
Code:
#ACTION   SOURCE   DEST           PROTO   DEST    SOURCE    ORIGINAL   RATE    USER/   MARK
#                                         PORT    PORT(S)   DEST       LIMIT   GROUP
ACCEPT    net      $FW:1.2.3.4    tcp     22      -         -


The above allows SSH on the IP 1.2.3.4; any other IPs would be dropped (assuming your default policy is to drop).

_________________
Paid support
How to ask for help
1. Give details of your problem
2. Post any errors
3. Post relevant logs.
4. Don't hide details i.e. your domain, it just makes things harder
5. Be polite or you'll be eaten by a grue
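The two questions above (how to write 192.168.195.3/255.255.128.0 in a form Shorewall understands, and how the $FW:<address> rule style pins a service to one address on a shared eth0) worked through in an added example; this is my own code, not from the thread or the Shorewall project. The public host address, the extra port numbers and the narrowing of private-side services to the private network are my assumptions.

```python
"""Convert Linode's address/netmask form to CIDR and sanity-check a set of
per-address Shorewall rules for one interface carrying a public IP and a
private alias. Added example, not from the thread or Shorewall itself."""
import ipaddress

# Constructed values in the spirit of the thread.
PUBLIC_IP = "176.58.125.10"      # assumed host address inside 176.58.125.0/24
PRIVATE_IP = "192.168.195.3"     # the private IP quoted in the thread
PRIVATE_MASK = "255.255.128.0"   # Linode's netmask for the private range


def to_cidr(address, netmask):
    """Dotted address + netmask (Linode's format) -> the CIDR network
    Shorewall expects in hosts/rules files, e.g. 192.168.128.0/17."""
    return str(ipaddress.ip_interface(f"{address}/{netmask}").network)


def build_rules(public_ip, private_ip, private_mask):
    """Rules in the shape of the answer above: DEST pinned to one firewall
    address with $FW:<ip>. Services on the private address additionally
    accept only sources inside the private network (my assumption)."""
    private_net = to_cidr(private_ip, private_mask)
    return [  # (ACTION, SOURCE, DEST, PROTO, DEST PORT)
        ("ACCEPT", "net", f"$FW:{public_ip}", "tcp", "22"),
        ("ACCEPT", "net", f"$FW:{public_ip}", "tcp", "80,443"),
        ("ACCEPT", f"net:{private_net}", f"$FW:{private_ip}", "tcp", "3306"),
    ]


def render_rules(rules):
    """Tab-separated text in /etc/shorewall/rules column order."""
    header = "#ACTION\tSOURCE\tDEST\tPROTO\tDEST PORT"
    return "\n".join([header] + ["\t".join(r) for r in rules])


def _spec_matches(spec, ip):
    """True if a zone spec ('net', 'net:10.0.0.0/8', '$FW:1.2.3.4') covers ip."""
    _zone, _, addr = spec.partition(":")
    return not addr or ipaddress.ip_address(ip) in ipaddress.ip_network(addr, strict=False)


def evaluate(rules, src_ip, dst_ip, proto, port):
    """First-match simulation of the rule list; anything unmatched falls to
    the DROP policy the answer assumes. Not a substitute for shorewall check."""
    for action, src, dst, rproto, ports in rules:
        if (rproto == proto and port in map(int, ports.split(","))
                and _spec_matches(src, src_ip) and _spec_matches(dst, dst_ip)):
            return action
    return "DROP"
```

Run `evaluate(build_rules(PUBLIC_IP, PRIVATE_IP, PRIVATE_MASK), "203.0.113.5", PRIVATE_IP, "tcp", 22)` to confirm that SSH aimed at the private alias from the Internet falls through to DROP while the same port on the public address is accepted.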


PostPosted: Sun Sep 30, 2012 9:22 am 
Newbie

Joined: Sat Sep 29, 2012 12:07 pm
Posts: 3
Thanks, that does look a lot easier.

One final question: What's the difference between using '$FW' and using the zone 'fw' (as specified in the zones file by default) in your rules file?


PostPosted: Mon Oct 01, 2012 4:29 am 
Senior Member

Joined: Sun Mar 07, 2010 7:47 pm
Posts: 1970
Website: http://www.rwky.net
Location: Earth
$FW is a variable which represents the fw zone, so you can change the fw zone name and it'd still work. Apart from that they're the same; it doesn't matter which you use.


