How-To Alpine Wall: Difference between revisions

Revision as of 16:21, 24 January 2026

This guide shows how to configure a firewall using Alpine Wall (awall), a Linux firewall configuration tool, providing various benefits over plain iptables. Alpine Wall User Guide is the official source for details about the syntax.

The purpose of this page is to illustrate Alpine Wall (AWall) by example. This page explains AWall from the viewpoint of Shorewall, a firewall configuration tool used in many applications. This comparison is meant to help readers who are familiar with Shorewall learn AWall. You should follow the AWall configuration examples. Use the Shorewall examples as contextual references, or ignore them, if unfamiliar with Shorewall.

Installation

Install the awall package by running the following command:

# apk add iptables awall

Note that awall requires iptables but works with both backends nftables and legacy iptables. It does not interact with nftables directly.

Configuration

The easier method for performing initial steps for running awall:

# awall activate

The above command has special handling for the first run, when firewall is not yet enabled in the kernel. It performs the below manual steps and also updates the default runlevel and files in /etc/conf.d

Use the below commands for performing initial setup manually.

To update /etc/iptables:
# awall translate
To start the OpenRC services for iptables and load modules and rules for IPv4 and IPv6
# rc-service iptables start # rc-service ip6tables start

Configuration files

Your Alpine Wall configuration files go in /etc/awall/optional. From version 0.2.12 and later, Awall will look for Policy files in both the former and /usr/share/awall/optional Each such file is called a Policy.

You may have multiple Policy files. It is useful to have separate files for eg. HTTP, FTP, etc.

The Policy(s) can be enabled or disabled by using the command:

# awall [enable|disable]

An AWall Policy can contain definitions of:

variables (like /etc/shorewall/params)
zones (like /etc/shorewall/zones)
interfaces (like /etc/shorewall/interfaces)
policies (like /etc/shorewall/policy)
filters and NAT rules (like /etc/shorewall/rules)
services (like /usr/share/shorewall/macro.HTTP)

Basic home firewall configuration

The examples below show how to configure a basic home firewall using AWall. Note that AWall Policy files differ substantially from Shorewall's policy files in syntax and layout.

Shorewall configuration

Let's suppose you have the following Shorewall configuration files in /etc/shorewall/, which you want to convert to a configuration for AWall.

Contents of /etc/shorewall/zones

inet  ipv4
loc   ipv4

Contents of /etc/shorewall/interfaces

inet  eth0
loc   eth1

Contents of /etc/shorewall/policy

fw   all  ACCEPT
loc  inet ACCEPT
all  all  DROP

Contents of /etc/shorewall/masq

eth0  0.0.0.0/0

AWall configuration

The equivalent AWall configuration that does the same thing as the above Shorewall example is given below.

Create a new file called /etc/awall/optional/home-policy.json and add the following content

Contents of /etc/awall/optional/home-policy.json

{
  "description": "Home firewall",

  "zone": {
    "inet": { "iface": "eth0" },
    "loc": { "iface": "eth1" }
  },

  "policy": [
    { "in": "_fw", "action": "accept" },
    { "in": "loc", "out": "inet", "action": "accept" }
  ],

  "snat": [
    { "out": "inet" }
  ]
}

The above configuration will:

Create a description of your Policy
Define zones
Define policy
Define snat (to masqurade the outgoing traffic)

snat means "source NAT". It does not mean "static NAT".

Tip: AWall has a built-in zone named "_fw" which is the "firewall itself". This corresponds to the Shorewall "fw" zone.

Activating/Applying a Policy

After saving the Policy you can run the following commands to activate your firewall settings.

To listing available 'Policy(s)'

# awall list

To enable the 'Policy' created in the previous section:

# awall enable home-policy

To generate firewall configuration from the 'Policy' file and enable it i.e start the firewall:

# awall activate

If you have multiple policies, after enabling or disabling them, you need to always run awall activate in order to update the iptables rules.

Advanced configuration

Assuming you have your /etc/awall/optional/home-policy.json with your "Basic home firewall" settings, you could choose to modify that file to test the below examples. You could also create new files in /etc/awall/optional/ for testing some of the below examples.

AWall already has a "service" definition list for several services like HTTP, FTP, SNMP, etc. in the file /usr/share/awall/mandatory/services.json)

Note: If you are adding the sample content given in this section to an already existing policy file, then make sure you add "," signs where they are needed!

Logging

AWall will (since v0.2.7) automatically log dropped packets.

You could add the following row to the "policy" section in your Policy file in order to see the dropped packets.

{ "in": "inet", "out": "loc", "action": "drop" }

Port forwarding

Let's suppose you have a local web server (192.168.1.10) that you want to make accessible from the "inet".

With Shorewall you would have a rule like this in your

Contents of /etc/shorewall/rules

#ACTION  SOURCE  DEST               PROTO  DEST PORT(S)    SOURCEPORT(S)    ORIGINALDEST
DNAT     inet     loc:192.168.1.10  tcp    80

Lets configure our AWall Policy file likewise by adding the following content.

  "variable": {
    "APACHE": "192.168.1.10",
    "STATIC_IP": "1.2.3.4"
    },

  "filter": [
    { "in": "inet", 
      "dest": "$STATIC_IP", 
      "service": "http", 
      "action": "accept", 
      "dnat": "$APACHE" 
      }
    ]

As you can see in the above example, we create a

"variable" section where we specify some IP-addresses
"filter" section where we do the actual port-forwarding (using the variables we just created and using some preexisting "services" definitions)

If you need to forward to a different port (e.g. 8080) you can do:

"dnat": [
  {"in": "inet", "dest": "$STATIC_IP", "to-addr": "$APACHE", "service": "http", "to-port": 8080 }
]

Create your own service definitions

Note: You can not override a "service" definition that comes from /usr/share/awall/mandatory/services.json

You can add your own service definitions into your Policy files:

"service": {  
  "openvpn": { "proto": "udp", "port": 1194 }
  }

Inherit services or variables

You can import a Policy into other Policy files for inheriting services or variables definitions:

"import": "myfirewall"

Customize policy loading order

By default policies are loaded on alphabetical order. The load order can be changed with the keywords "before" and "after":

"before": "myfirewall"
"after": "someotherpolicy"

Troubleshooting

If you end up in some kind of trouble, you might find some commands useful when debugging:

awall # (With no parameters) Shows some basic help about awall application awall dump # Dump definitions like zones and variables iptables -L -n # Show what's in iptables

@@ Line 1: / Line 1: @@
-[https://git.alpinelinux.org/awall/about/ Alpine Wall User Guide] is the official source for details about the syntax. The purpose of this page is to illustrate Alpine Wall (AWall) by example. This page explains AWall from the viewpoint of a Shorewall user.
+This guide shows how to configure a firewall using Alpine Wall (awall), a Linux firewall configuration tool, providing various benefits over plain iptables. [https://git.alpinelinux.org/awall/about/ Alpine Wall User Guide] is the official source for details about the syntax.
+The purpose of this page is to illustrate Alpine Wall (AWall) by example. This page explains AWall from the viewpoint of  {{pkg|Shorewall}}, a firewall configuration tool used in many applications. This comparison is meant to help readers who are familiar with Shorewall learn AWall. You should follow the AWall configuration examples. Use the Shorewall examples as contextual references, or ignore them, if unfamiliar with Shorewall.
 == Installation ==
@@ Line 33: / Line 35: @@
 * services ''(like {{Path|/usr/share/shorewall/macro.HTTP}})''
-== Basic home firewall ==
+== Basic home firewall configuration ==
-The below example shows the "Basic home firewall" configuration for both Shorewall and AWall. Based on below example, it can be clearly seen that AWall ''Policy'' files are not equivalent to Shorewall's {{Path|/etc/shorewall/policy}} files.
+The examples below show how to configure a basic home firewall using AWall. Note that AWall Policy files differ substantially from Shorewall's policy files in syntax and layout.
 === Shorewall configuration ===
-Let's suppose you have the following Shorewall configuration: {{cat|/etc/shorewall/zones|inet  ipv4
+Let's suppose you have the following Shorewall configuration files in {{Path|/etc/shorewall/}}, which you want to convert to a [[#AWall configuration|configuration for AWall]].  {{cat|/etc/shorewall/zones|inet  ipv4
 loc   ipv4}}
@@ Line 53: / Line 55: @@
 === AWall configuration ===
-The equivalent AWall configuration that does the same thing as the above Shorewall example is given below.
+The equivalent AWall configuration that does the same thing as the above [[#Shorewall configuration|Shorewall example]] is given below.
 Create a new file called {{Path|/etc/awall/optional/home-policy.json}} and add the following content {{Cat|/etc/awall/optional/home-policy.json|<nowiki>
@@ Line 72: / Line 74: @@
      { "out": "inet" }
    ]
-}</nowiki>
+}</nowiki>}}
-}}
 The above configuration will:
 * Create a description of your ''Policy''
@@ Line 86: / Line 88: @@
 === Activating/Applying a Policy ===
-After saving the ''Policy'' you can run the following commands to activate your firewall settings:
+After saving the ''Policy'' you can run the following commands to activate your firewall settings.
-{{cmd|awall list                  # Listing available 'Policy(s)' (This step is optional)
+To listing available 'Policy(s)' {{cmd|# awall list}}
-awall enable test-policy    # Enables the 'Policy'
+To enable the 'Policy' created in the previous section:{{cmd|# awall enable home-policy}}
-awall activate              # Genereates firewall configuration from the 'Policy' files and enables it (starts the firewall)}}
+To generate firewall configuration from the 'Policy' file and enable it i.e start the firewall: {{Cmd|# awall activate}}
-If you have multiple policies, after enabling or disabling them, you need to always run ''awall activate'' in order to update the iptables rules.
+If you have multiple policies, after enabling or disabling them, you need to always run {{Codeline|'''awall activate'''}} in order to update the iptables rules.
 == Advanced configuration ==
-Assuming you have your {{Path|/etc/awall/optional/home-policy.json}} with your "Basic home firewall" settings, you could choose to modify that file to test the below examples.
+Assuming you have your {{Path|/etc/awall/optional/home-policy.json}} with your "Basic home firewall" settings, you could choose to modify that file to test the below examples. You could also create new files in {{Path|/etc/awall/optional/}} for testing some of the below examples.
+AWall already has a "service" definition list for several services like HTTP, FTP, SNMP, etc. '' in the file {{Path|/usr/share/awall/mandatory/services.json}})''
-{{Tip|You could also create new files in {{Path|/etc/awall/optional/}} for testing some of the below examples}}
+{{Note|If you are adding the sample content given in this section to an already existing policy file, then make sure you add "," signs where they are needed!}}
 === Logging ===
@@ Line 105: / Line 109: @@
 You could add the following row to the "policy" section in your ''Policy'' file in order to see the dropped packets.
 <pre>{ "in": "inet", "out": "loc", "action": "drop" }</pre>
-{{Note|If you are adding the above content to an already existing file, then make sure you add "," signs where they are needed!}}
 === Port forwarding ===
 Let's suppose you have a local web server (192.168.1.10) that you want to make accessible from the "inet".<br>
-With Shorewall you would have a rule like this in your {{Path|/etc/shorewall/rules}}:
+With Shorewall you would have a rule like this in your {{Cat|/etc/shorewall/rules|<nowiki>#ACTION  SOURCE  DEST               PROTO  DEST PORT(S)    SOURCEPORT(S)    ORIGINALDEST
-<pre>
+DNAT     inet     loc:192.168.1.10  tcp    80</nowiki>}}
-#ACTION  SOURCE  DEST               PROTO  DEST    SOURCE    ORIGINAL
-#                                          PORT(S) PORT(S)   DEST
-DNAT     inet     loc:192.168.1.10  tcp    80
-</pre>
 Lets configure our AWall ''Policy'' file likewise by adding the following content.
@@ Line 137: / Line 135: @@
 * "variable" section where we specify some IP-addresses
 * "filter" section where we do the actual port-forwarding (using the variables we just created and using some preexisting "services" definitions)
-{{Note|If you are adding the above content to a already existing file, then make sure you add "," signs where they are needed!}}
-{{Tip|AWall already has a "service" definition list for several services like HTTP, FTP, SNMP, etc. ''(see {{Path|/usr/share/awall/mandatory/services.json}})''}}
 If you need to forward to a different port (e.g. 8080) you can do:
@@ Line 158: / Line 154: @@
    }
 </pre>
-{{Note|If you are adding the above content to a already existing file, then make sure you add "," signs where they are needed!}}
 === Inherit services or variables ===
@@ Line 183: / Line 178: @@
 == See also ==
 * [https://git.alpinelinux.org/awall/about/ Alpine Wall User Guide]
 * [[Zero-To-Awall]]
 * [https://www.cyberciti.biz/faq/how-to-set-up-a-firewall-with-awall-on-alpine-linux/ How To Set Up a Firewall with Awall on Alpine Linux]
 [[Category:Firewall]]