How-To Alpine Wall: Difference between revisions
(Highlighting code sections) |
(review last edits) |
||
| Line 12: | Line 12: | ||
You may have multiple configuration files ''(it is useful to have separate files for eg. HTTP,FTP and other roles)''.<BR> | You may have multiple configuration files ''(it is useful to have separate files for eg. HTTP,FTP and other roles)''.<BR> | ||
Each such file is called ''Policy''.<BR> | Each such file is called ''Policy''.<BR> | ||
The ''Policy(s)'' can be enabled or disabled | The ''Policy(s)'' can be enabled or disabled by using the "awall [enable|disable]" command. | ||
{{note|AWalls ''Policy'' files are not equivalent to Shorewalls <code>/etc/shorewall/policy</code> file.}} | {{note|AWalls ''Policy'' files are not equivalent to Shorewalls <code>/etc/shorewall/policy</code> file.}} | ||
| Line 22: | Line 22: | ||
* filters and NAT rules ''(like <code>/etc/shorewall/rules</code>)'' | * filters and NAT rules ''(like <code>/etc/shorewall/rules</code>)'' | ||
* services ''(like <code>/usr/share/shorewall/macro.HTTP</code>)'' | * services ''(like <code>/usr/share/shorewall/macro.HTTP</code>)'' | ||
== Prerequisites == | == Prerequisites == | ||
After installing awall package, you need to load the following iptables modules: | After installing awall package, you need to load the following iptables modules: | ||
<pre> | |||
modprobe iptable_nat #if NAT is used | modprobe ip_tables | ||
modprobe iptable_nat #if NAT is used | |||
</pre> | |||
This is needed only the first time, after AWall installation. | |||
Make the firewall autostart at boot and autoload the needed modules: | Make the firewall autostart at boot and autoload the needed modules: | ||
<pre> | |||
rc-update add iptables | |||
</pre> | |||
= A Basic Home Firewall = | = A Basic Home Firewall = | ||
We will give a example on how you can | We will give a example on how you can convert a "Basic home firewall" from Shorewall to AWall. | ||
== Example firewall using Shorewall == | == Example firewall using Shorewall == | ||
| Line 68: | Line 68: | ||
== Example firewall using AWall == | == Example firewall using AWall == | ||
Now we will configure AWall to do the same thing as we just did with the above Shorewall example. | Now we will configure AWall to do the same thing as we just did with the above Shorewall example. | ||
Create a new file called | Create a new file called '''/usr/share/awall/optional/test-policy.json''' and add the following content to the file.<BR> | ||
{{Tip|You could call it something else as long as you save it in | {{Tip|You could call it something else as long as you save it in '/usr/share/awall/optional/' and name it '???'''.json'''')}} | ||
<pre> | <pre> | ||
{ | { | ||
| Line 99: | Line 98: | ||
{{Note|''snat'' means "source NAT". It does <u>not</u> mean "static NAT".}} | {{Note|''snat'' means "source NAT". It does <u>not</u> mean "static NAT".}} | ||
{{Tip| AWall has a built-in zone named "_fw" which is the "firewall itself". This corresponds to the Shorewall "fw" zone.}} | {{Tip| AWall has a built-in zone named "_fw" which is the "firewall itself". This corresponds to the Shorewall "fw" zone.}} | ||
=== Activating/Applying a Policy === | === Activating/Applying a Policy === | ||
After saving the ''Policy'' you can run the following commands to activate your firewall settings: | After saving the ''Policy'' you can run the following commands to activate your firewall settings: | ||
<pre> | |||
awall list # Listing available 'Policy(s)' (This step is optional) | |||
awall enable test-policy # This enables the 'Policy' | awall enable test-policy # This enables the 'Policy' | ||
awall activate # This command genereates firewall configuration from the 'Policy' files and enables it (starts the firewall)}} | awall activate # This command genereates firewall configuration from the 'Policy' files and enables it (starts the firewall)}} | ||
</pre> | |||
If you have multiple policies, after enabling or disabling them, you need to always run ''awall activate'' in order to update the iptables rules. | |||
= Advanced Firewall settings = | = Advanced Firewall settings = | ||
Assuming you have your | Assuming you have your '/usr/share/awall/optional/test-policy.json' with your "Basic home firewall" settings, you could choose to modify that file to test the below examples. | ||
{{tip|You could create new files in | {{tip|You could create new files in '/usr/share/awall/optional/' for testing some of the below examples}} | ||
== Logging == | == Logging == | ||
AWall will ''(since | AWall will ''(since v0.2.7)'' automatically log dropped packets. If you are using Alpine 2.4 repository (AWall v0.2.5 or below), you should use ''"action": "logdrop"'' in order to log dropped packets.<br> | ||
You could add the following row to the "policy" section in your ''Policy'' file in order to see the dropped packets. | You could add the following row to the "policy" section in your ''Policy'' file in order to see the dropped packets. | ||
<pre>{ "in": "inet", "out": "loc", "action": "drop" }</pre> | <pre>{ "in": "inet", "out": "loc", "action": "drop" }</pre> | ||
{{Note|If you are adding the above content to | {{Note|If you are adding the above content to an already existing file, then make sure you add "," signs where they are needed!}} | ||
== Port-Forwarding == | == Port-Forwarding == | ||
Let's suppose you have a local web server (192.168.1.10) that you want to make accessible from the "inet".<BR> | Let's suppose you have a local web server (192.168.1.10) that you want to make accessible from the "inet".<BR> | ||
With Shorewall you would have a rule like this in your | With Shorewall you would have a rule like this in your '/etc/shorewall/rules': | ||
<pre> | <pre> | ||
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL | #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL | ||
| Line 149: | Line 149: | ||
* "filter" section where we do the actual port-forwarding (using the variables we just created and using some preexisting "services" definitions) | * "filter" section where we do the actual port-forwarding (using the variables we just created and using some preexisting "services" definitions) | ||
{{Note|If you are adding the above content to a already existing file, then make sure you add "," signs where they are needed!}} | {{Note|If you are adding the above content to a already existing file, then make sure you add "," signs where they are needed!}} | ||
{{Tip|AWall already has a "service" definition list for several services like HTTP, FTP, SNMP, etc. ''(see | {{Tip|AWall already has a "service" definition list for several services like HTTP, FTP, SNMP, etc. ''(see '/usr/share/awall/mandatory/services.json')''}} | ||
== Create own service definitions == | == Create own service definitions == | ||
You can add your own service definitions into your ''Policy'' files: | You can add your own service definitions into your ''Policy'' files: | ||
<pre> | <pre> | ||
| Line 160: | Line 159: | ||
</pre> | </pre> | ||
{{Note|If you are adding the above content to a already existing file, then make sure you add "," signs where they are needed!}} | {{Note|If you are adding the above content to a already existing file, then make sure you add "," signs where they are needed!}} | ||
{{todo|Does the 'home made' definitions override the | {{todo|Does the 'home made' definitions override the '/usr/share/awall/mandatory/services.json' if they are named likewise}} | ||
== Inherit services or variables == | == Inherit services or variables == | ||
Revision as of 11:34, 12 October 2012
 Do not follow instructions here until this notice is removed. |
General
Purpose of this doc is to illustrate Alpine Wall (AWall) by examples.
We will explain AWall from the viewpoint of a Shorewall user.
AWall is available since Alpine v2.4.
Please see Alpine_Wall_User's_Guide for details about the syntax.
Structure
Your AWall firewall configuration file(s) goes to /usr/share/awall/optional.
You may have multiple configuration files (it is useful to have separate files for eg. HTTP,FTP and other roles).
Each such file is called Policy.
The Policy(s) can be enabled or disabled by using the "awall [enable|disable]" command.
Note: AWalls Policy files are not equivalent to Shorewalls
/etc/shorewall/policy file.An AWall Policy can contain definitions of:
- variables (like
/etc/shorewall/params) - zones (like
/etc/shorewall/zones) - interfaces (like
/etc/shorewall/interfaces) - policies (like
/etc/shorewall/policy) - filters and NAT rules (like
/etc/shorewall/rules) - services (like
/usr/share/shorewall/macro.HTTP)
Prerequisites
After installing awall package, you need to load the following iptables modules:
modprobe ip_tables modprobe iptable_nat #if NAT is used
This is needed only the first time, after AWall installation.
Make the firewall autostart at boot and autoload the needed modules:
rc-update add iptables
A Basic Home Firewall
We will give a example on how you can convert a "Basic home firewall" from Shorewall to AWall.
Example firewall using Shorewall
Let's suppose you have the following Shorewall configuration:
/etc/shorewall/zones
inet ipv4 loc ipv4
/etc/shorewall/interfaces
inet eth0 loc eth1
/etc/shorewall/policy
fw all ACCEPT loc inet ACCEPT all all DROP
/etc/shorewall/masq
eth0 0.0.0.0/0
Example firewall using AWall
Now we will configure AWall to do the same thing as we just did with the above Shorewall example.
Create a new file called /usr/share/awall/optional/test-policy.json and add the following content to the file.
Tip: You could call it something else as long as you save it in '/usr/share/awall/optional/' and name it '???.json')
{
"description": "Home firewall"
"zone": {
"inet": { "iface": "eth0" },
"loc": { "iface": "eth1" }
},
"policy": [
{ "in": "_fw", "action": "accept" },
{ "in": "loc", "out": "inet", "action": "accept" }
],
"snat": [
{ "out": "inet", "action": "masquerade" }
]
}
The above configuration will:
- Create a description of your Policy
- Define zones
- Define policy
- Define snat (to masqurade the outgoing traffic)
Note: snat means "source NAT". It does not mean "static NAT".
Tip: AWall has a built-in zone named "_fw" which is the "firewall itself". This corresponds to the Shorewall "fw" zone.
Activating/Applying a Policy
After saving the Policy you can run the following commands to activate your firewall settings:
awall list # Listing available 'Policy(s)' (This step is optional) awall enable test-policy # This enables the 'Policy' awall activate # This command genereates firewall configuration from the 'Policy' files and enables it (starts the firewall)}}
If you have multiple policies, after enabling or disabling them, you need to always run awall activate in order to update the iptables rules.
Advanced Firewall settings
Assuming you have your '/usr/share/awall/optional/test-policy.json' with your "Basic home firewall" settings, you could choose to modify that file to test the below examples.
Tip: You could create new files in '/usr/share/awall/optional/' for testing some of the below examples
Logging
AWall will (since v0.2.7) automatically log dropped packets. If you are using Alpine 2.4 repository (AWall v0.2.5 or below), you should use "action": "logdrop" in order to log dropped packets.
You could add the following row to the "policy" section in your Policy file in order to see the dropped packets.
{ "in": "inet", "out": "loc", "action": "drop" }
Note: If you are adding the above content to an already existing file, then make sure you add "," signs where they are needed!
Port-Forwarding
Let's suppose you have a local web server (192.168.1.10) that you want to make accessible from the "inet".
With Shorewall you would have a rule like this in your '/etc/shorewall/rules':
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL # PORT(S) PORT(S) DEST DNAT inet loc:192.168.1.10 tcp 80
Lets configure our AWall Policy file likewise by adding the following content.
"variable": {
"APACHE": "192.168.1.10",
"STATIC_IP": "1.2.3.4"
},
"filter": [
{ "in": "inet",
"dest": "$STATIC_IP",
"service": "http",
"action": "accept",
"dnat": "$APACHE"
}
]
As you can see in the above example, we create a
- "variable" section where we specify some IP-addresses
- "filter" section where we do the actual port-forwarding (using the variables we just created and using some preexisting "services" definitions)
Note: If you are adding the above content to a already existing file, then make sure you add "," signs where they are needed!
Tip: AWall already has a "service" definition list for several services like HTTP, FTP, SNMP, etc. (see '/usr/share/awall/mandatory/services.json')
Create own service definitions
You can add your own service definitions into your Policy files:
"service": {
"openvpn": { "proto": "udp", "port": 1194 }
}
Note: If you are adding the above content to a already existing file, then make sure you add "," signs where they are needed!
Todo: Does the 'home made' definitions override the '/usr/share/awall/mandatory/services.json' if they are named likewise
Inherit services or variables
You can import a Policy into other Policy files for inheriting services or variables definitions:
"import": "myfirewall"
Specify load order
By default policies are loaded on alphabetical order.
You can change the load order with the keywords "before" and "after":
"before": "myfirewall" "after": "someotherpolicy"