RuggedRouter User Guide
7) If your hosts must accept sessions from the Internet configure the rules file to
support Destination Network address Translation (DNAT). Which hosts need to
accept connections, from whom and on which ports?
8) Configure the rules file to override the default policies. Have external
connections been limited to approved IP address ranges. Have all but the required
protocols been blocked?
9) If you are supporting a VPN, add additional rules.
10) Check the configuration using the Shorewall Firewall menu, “Check Firewall”
button.
11) Activate the firewall. It is usually a good idea to port scan the firewall after
activation and verify that logging is functioning.
ShoreWal l Terminolog y And Concept sThis section provides background on various Shorewall terms and concepts.
References are made to the section where configuration applies.
Zones
A network zone is a collection of interfaces, for which forwarding decisions are
made, for example:
Name Description
net The Internet
loc Your Local Network
dmz Demilitarized Zone
fw The firewall itself
vpn1 IPSec connections on w1ppp
vpn2 IPSec connections on w2ppp
You may create new zones if you wish. For example if all of your Ethernet in terfaces
are part of the local network zone, disallowing traffic from the Internet zone to the
local zone will disallow it to all Ethernet interfaces. If you wanted some interfaces
(but not others) to access the Internet, you could create another zone.
Zones are defined in the file /etc/shorewall/zones and are modified from the Network
Zones menu.
Interfac es
Shorewall Interfaces are simply the Ethernet and WAN interfaces available to the
router. You must place each interface into a network zone.
If an interface supports more than one subnet, place the interface in zone 'Any' and
use the zone hosts setup (see below) to define a zone for each subnet on the interface.
An example follows:
Interface Zone
eth1 loc
eth2 loc
eth3 Any
eth4 dmz
w1ppp net
106 RuggedCom