Difference between revisions of "Server ports and shorewall installation"

Revision as of 04:39, 15 November 2011

Ports opened

Here is the information for the opened ports of the server. When this information is changed, such changes have to be done in the firewall/shorewall settings (and vice versa).

The columns are:

• service: the name of the service
• port/protocol: the port number and protocol (tcp, udp ot icmp)
• allow from: filter by IP address, all means allow from all IP addresses
• server: the process name of the server

Servers running

• ssh is running at 22
• Apache is listening at 80 and 443
• Tomcat is listening at 8180
• Mysql is listening at 8088
• Webmin is listening on 8010
• Fedora 3 is at: http://160.45.63.55:8183/fedoragsearch/rest
• No, we do not use ftp
• (VNC was using 5800/5900 (+ display number) but we currently not longer use this) -- Recommended vnc strategy: open ssh, start a vnc4server (vncserver points to same) with a specified display port, connect to the display port with vnc (e.g. tightVNC). Advantage over a generally open vnc server: the login password is not transmitted unencrypted (sec. Bob Morris). -- after logging in through ssh, start a server with: vnc4server -geometry 1280x1024 -depth 8 :33 where each user should select a user-specific number at the end

TODO:

• Get SSL working (probably creation of certificates, etc.) and document how to do it.

Shorewall

Version 2.6 of the Linux kernel uses iptables to provide its firewall facilities. Iptables is installed by default as part of the minimal Debian installation, so there's no further installation needed. Iptables is wonderfully powerful, but unfortunately that power comes at a price ... namely configuration. While it can technically be configured by hand, it has been said that iptables configuration is not human readable. In short, it's very complex and can quickly become overwhelming. Luckily, we have a solution in the form of a program called wikipedia:Shorewall.

Shorewall Installation

To start, use apt-get to install the shorewall package:

Firewall:~# apt-get install shorewall

Shorewall is not a firewall, and in fact it's not even an application. The common notion of a program (or daemon) is that of an application that runs continuously. This is not the case with Shorewall. Instead, Shorewall is actually just a very large set of scripts which run once and then exit. Shorewall itself does not perform any firewalling work; it merely configures iptables to your specifications, then quits. We are provided with default configuration files in /usr/share/doc/shorewall/default-config

Since we will need to use these config files to actually make Shorewall work, the first thing to do is to copy them over to /etc/shorewall:

Firewall:~# cp /usr/share/doc/shorewall/default-config/{interfaces,policy,rules,zones} /etc/shorewall/

Please read the documentation in each config file you edit so you can fully understand what each step is really doing!

/etc/shorewall/zones

First we add our network "zones" Shorewall uses zones as a way of defining different logical portions of our network. This configuration is performed in /etc/shorewall/zones:

#ZONE   TYPE            OPTIONS         IN                      OUT
#                                       OPTIONS                 OPTIONS
fw      firewall
net     ipv4

/etc/shorewall/interfaces

Next, we have to add our network interfaces. This is done via /etc/shorewall/interfaces:

#ZONE   INTERFACE       BROADCAST       OPTIONS
net     eth0            detect

/etc/shorewall/policy

Now comes the ever important firewall policy. The policy forms the basis for how all traffic on our network will be treated. This is not for fine grained control, we'll get to that later. This just sets the baseline actions for a zone. This is done via /etc/shorewall/policy:

#SOURCE         DEST            POLICY          LOG             LIMIT:BURST
#                                               LEVEL
$FW             net             ACCEPT
net             all             DROP
all             all             REJECT          info

Each line (excepts these beginning with #) sets one policy. The first policy:

$FW             net             ACCEPT

says all traffic generated by the machine is allowed. Note that $FW refers to the firewall machine itself zone. The policy:

net             all             DROP

says that we don't trust external traffic from the internet. When we see internet traffic that doesn't match any specific rules (later), we want it DROPPED. Finally any traffic not matching the above is rejected (this must be the last rule):

all             all             REJECT          info

/etc/shorewall/rules

This is the most used configuration file! For the current status of the opened ports of the our server see the top of this page!

Often, there are times when we need to make exceptions to the firewall policy we set up early. To accomplish this, we use the /etc/shorewall/rules file:

#ACTION           SOURCE          DEST            PROTO   DEST
#                                                         PORT(S)
ACCEPT            net             $FW             tcp     ssh,http,https
Ping/ACCEPT       net             $FW
Trcrt/ACCEPT      net             $FW

Let's say we have a server running on the firewall machine itself, for example SSH. Rather than deny connections, we want the firewall to pass the traffic to one of it's own servers. For this we use the ACCEPT option:

ACCEPT            net             $FW             tcp     ssh

This example will tell the firewall to accept any connections coming from the internet (net) zone to itself on port ssh (22). In other words, you can connect to an SSH server on your firewall with this rule.

Another option would be to allow people to ping and traceroute our firewall, which is disabled by our policy:

Ping/ACCEPT       net             $FW
Trcrt/ACCEPT      net             $FW

Apply configuration

Run "shorewall check" to see if you've made any typos. It won't catch all possible errors, but it helps:

Firewall:~# shorewall check

If you get "Configuration Validated" you can go ahead and start Shorewall:

Firewall:~# shorewall start

If the firewall works fine then we can perform startup configuration in /etc/default/shorewall. Simply change "startup = 0" to "startup = 1".

Note: dropbox demon needs no special setting of shorewall.