Chapter 11 – Configuring The Firewall
Note: In order to improve security the router will create a zone “unusd” and assign unused
interfaces to this zone when Shorewall starts. A policy is also installed that blocks access
from “unusd” to all other zones.
Interfaces are defined in the file /etc/shorewall/interfaces and are modified from the
Network Interfaces menu.
Hosts
Shorewall hosts are used to assign zones to individual hosts or subnets, on an
interface which handles multiple subnets. This allows the firewall to manage traffic
being forwarded back out the interface it arrived on, but destined for another subnet.
This is often useful for VPN setups to handle the VPN traffic separately from the
other traffic on the interface which carries the VPN traffic. An example follows:
Zone     Interface   IP Address or Network
local    eth3        10.0.0.0/8
guests   eth3        192.168.0.0/24
Hosts are defined in the file /etc/shorewall/hosts and are modified from the
Network Hosts menu.
Policy
Shorewall policies are the default actions for connection establishment between
different firewall zones. Each policy is of the form:
Source-zone Destination-zone Default-action
You can define a policy from each zone to each other. You may also use a wildcard
zone of “all” to represent all zones.
The default action describes how to handle the connection request. There are six
types of actions: ACCEPT, DROP, REJECT, QUEUE, CONTINUE and NONE.
The first three are the most widely used and are described here.
When the ACCEPT policy is used, a connection is allowed. When the DROP policy
is used, a request is simply ignored. No notification is made to the requesting client.
When the REJECT policy is used, a request is rejected with a TCP RST or an
ICMP destination-unreachable packet being returned to the client.
An example should illustrate the use of policies.
Source Zone   Destination Zone   Policy
loc           net                ACCEPT
net           all                DROP
all           all                REJECT
The above policies will:
Allow connection requests only from your local network to the Internet.
If you wanted to allow requests from a console on the RuggedRouter to the
Internet you would need to add a policy of ACCEPT fw zone to net zone.
Drop (ignore) all connection requests from the Internet to your firewall
or local network, and
Reject all other connection requests.
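The following is an added example, not RuggedCom's or Shorewall's own code: a small evaluator of the first-match semantics of the policy entries above (first matching line wins, "all" matches any zone). It uses the chapter's three policies as constructed input and shows why the console-to-Internet case needs the extra "fw net ACCEPT" policy; the firewall zone is written "fw" here as in the chapter.

```python
# Added example: evaluate Shorewall-style policy entries "source dest action"
# with first-match semantics. Not RuggedCom's or Shorewall's own code.

# Constructed policy text, taken from the chapter's example table.
POLICY_TEXT = """\
# SOURCE  DEST  POLICY
loc       net   ACCEPT
net       all   DROP
all       all   REJECT
"""


def parse_policy(text):
    """Return a list of (source, dest, action) tuples, skipping comments/blanks."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        src, dst, action = line.split()[:3]
        rules.append((src, dst, action.upper()))
    return rules


def lookup(rules, src_zone, dst_zone):
    """First matching policy wins; 'all' matches any zone.

    Returns the action, or None when nothing matches (a configuration
    without a catch-all 'all all' policy would leave such pairs undefined).
    """
    for src, dst, action in rules:
        if src in (src_zone, "all") and dst in (dst_zone, "all"):
            return action
    return None


def policy_matrix(rules, zones):
    """Resolve the default action for every ordered pair of distinct zones."""
    return {(s, d): lookup(rules, s, d) for s in zones for d in zones if s != d}


if __name__ == "__main__":
    rules = parse_policy(POLICY_TEXT)
    for (s, d), action in sorted(policy_matrix(rules, ["fw", "loc", "net"]).items()):
        print(f"{s:>4} -> {d:<4} {action}")
    # Prepending the chapter's suggested policy opens only fw -> net.
    with_fw = parse_policy("fw net ACCEPT\n" + POLICY_TEXT)
    print("fw -> net after adding 'fw net ACCEPT':", lookup(with_fw, "fw", "net"))
```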
RuggedCom 107