Server ports and shorewall installation

From MetaWiki
Jump to: navigation, search


Ports opened

Here is the information for the opened ports of the server. When this information is changed, such changes have to be done in the firewall/shorewall settings (and vice versa).

service port/protocol allow from server
ssh 22/tcp all sshd
http 80/tcp all nginx
https 443/tcp all nginx
http 8180/tcp all NO tomcat (only the fedora one is running, 8183)
http 8010/tcp all webmin
http 8880/tcp all apache for proxying
http 8183/tcp all Fedora Commons 3 Tomcat!
http 10035/tcp all Allegrograph - responsible: Joel Sachs
mysql 8088/tcp mysqld

The columns are:

  • service: the name of the service
  • port/protocol: the port number and protocol (tcp, udp ot icmp)
  • allow from: filter by IP address, all means allow from all IP addresses
  • server: the process name of the server
  • Test Fedora 3 as
  • No, we do not use ftp (password is easily sniffable if you do).


Version 2.6 of the Linux kernel uses iptables to provide its firewall facilities. Iptables is installed by default as part of the minimal Debian installation, so there's no further installation needed. Iptables is wonderfully powerful, but unfortunately that power comes at a price ... namely configuration. While it can technically be configured by hand, it has been said that iptables configuration is not human readable. In short, it's very complex and can quickly become overwhelming. Luckily, we have a solution in the form of a program called wikipedia:Shorewall.

Shorewall Installation

To start, use apt-get to install the shorewall package:

Firewall:~# apt-get install shorewall

Shorewall is not a firewall, and in fact it's not even an application. The common notion of a program (or daemon) is that of an application that runs continuously. This is not the case with Shorewall. Instead, Shorewall is actually just a very large set of scripts which run once and then exit. Shorewall itself does not perform any firewalling work; it merely configures iptables to your specifications, then quits. We are provided with default configuration files in /usr/share/doc/shorewall/default-config

Since we will need to use these config files to actually make Shorewall work, the first thing to do is to copy them over to /etc/shorewall:

Firewall:~# cp /usr/share/doc/shorewall/default-config/{interfaces,policy,rules,zones} /etc/shorewall/

Please read the documentation in each config file you edit so you can fully understand what each step is really doing!


First we add our network "zones" Shorewall uses zones as a way of defining different logical portions of our network. This configuration is performed in /etc/shorewall/zones:

#ZONE   TYPE            OPTIONS         IN                      OUT
#                                       OPTIONS                 OPTIONS
fw      firewall
net     ipv4


Next, we have to add our network interfaces. This is done via /etc/shorewall/interfaces:

net     eth0            detect


Now comes the ever important firewall policy. The policy forms the basis for how all traffic on our network will be treated. This is not for fine grained control, we'll get to that later. This just sets the baseline actions for a zone. This is done via /etc/shorewall/policy:

#SOURCE         DEST            POLICY          LOG             LIMIT:BURST
#                                               LEVEL
$FW             net             ACCEPT
net             all             DROP
all             all             REJECT          info

Each line (excepts these beginning with #) sets one policy. The first policy:

$FW             net             ACCEPT

says all traffic generated by the machine is allowed. Note that $FW refers to the firewall machine itself zone. The policy:

net             all             DROP

says that we don't trust external traffic from the internet. When we see internet traffic that doesn't match any specific rules (later), we want it DROPPED. Finally any traffic not matching the above is rejected (this must be the last rule):

all             all             REJECT          info


This is the most used configuration file! For the current status of the opened ports of the our server see the top of this page!

Often, there are times when we need to make exceptions to the firewall policy we set up early. To accomplish this, we use the /etc/shorewall/rules file:

#ACTION           SOURCE          DEST            PROTO   DEST
#                                                         PORT(S)
ACCEPT            net             $FW             tcp     ssh,http,https
Ping/ACCEPT       net             $FW
Trcrt/ACCEPT      net             $FW

Let's say we have a server running on the firewall machine itself, for example SSH. Rather than deny connections, we want the firewall to pass the traffic to one of it's own servers. For this we use the ACCEPT option:

ACCEPT            net             $FW             tcp     ssh

This example will tell the firewall to accept any connections coming from the internet (net) zone to itself on port ssh (22). In other words, you can connect to an SSH server on your firewall with this rule.

Another option would be to allow people to ping and traceroute our firewall, which is disabled by our policy:

Ping/ACCEPT       net             $FW
Trcrt/ACCEPT      net             $FW

Apply configuration

Run "shorewall check" to see if you've made any typos. It won't catch all possible errors, but it helps:

Firewall:~# shorewall check

If you get "Configuration Validated" you can go ahead and start Shorewall:

Firewall:~# shorewall start

If the firewall works fine then we can perform startup configuration in /etc/default/shorewall. Simply change "startup = 0" to "startup = 1".

Note: dropbox daemon needs no special setting of shorewall.

Personal tools