How-To Alpine Wall: Difference between revisions

From Alpine Linux
(new logging feature)
(Reformatting the page to make it a bit more user friendly for those not familiar with AWall)
Revision as of 10:56, 12 October 2012

This material is work-in-progress ...

Do not follow instructions here until this notice is removed.
(Last edited by Mhavela on 12 Oct 2012.)

General

The purpose of this doc is to illustrate Alpine Wall (AWall) by example.
We will explain AWall from the viewpoint of a Shorewall user.

AWall is available since Alpine v2.4.
Please see Alpine_Wall_User's_Guide for details about the syntax.

Structure

Your AWall firewall configuration file(s) go in /usr/share/awall/optional.
You may have multiple configuration files (it is useful to have separate files for e.g. HTTP, FTP and other roles).
Each such file is called a Policy.
Policies can be enabled or disabled on the fly with the "awall [enable|disable]" command. Enabling or disabling only selects which Policy files take part in the next activation; nothing is loaded into iptables until you run "awall activate" (see Activating/Applying a Policy below).

Note: AWalls Policy files are not equivalent to Shorewalls '/etc/shorewall/policy' file.

An AWall Policy can contain definitions of:

  • variables (like '/etc/shorewall/params')
  • zones (like '/etc/shorewall/zones')
  • interfaces (like '/etc/shorewall/interfaces')
  • policies (like '/etc/shorewall/policy')
  • filters and NAT rules (like '/etc/shorewall/rules')
  • services (like '/usr/share/shorewall/macro.HTTP')
Todo: In what way are Policies enabled/disabled on the fly?
Will it actually touch iptables when enabling/disabling a Policy?
It might need some clarification.


Prerequisites

After installing the awall package, you need to load the following iptables modules:

modprobe ip_tables
modprobe iptable_nat    #if NAT is used

Make the firewall autostart at boot and autoload the needed modules:

rc-update add iptables

Todo: Is it really true that you need to modprobe the iptables modules when you have installed AWall?


A Basic Home Firewall

We will give an example of how to create a "Basic home firewall", first with Shorewall and then with AWall.

Example firewall using Shorewall

Let's suppose you have the following Shorewall configuration:

/etc/shorewall/zones

inet  ipv4
loc   ipv4

/etc/shorewall/interfaces

inet  eth0
loc   eth1

/etc/shorewall/policy

fw   all  ACCEPT
loc  inet ACCEPT
all  all  DROP

/etc/shorewall/masq

eth0  0.0.0.0/0

Example firewall using AWall

Now we will configure AWall to do the same thing as we just did with the above Shorewall example.

Create a new file called /usr/share/awall/optional/test-policy.json and add the following content to it.

Tip: You could name it something else, as long as the file is saved in '/usr/share/awall/optional/' and has the .json extension.
{
  "description": "Home firewall",

  "zone": {
    "inet": { "iface": "eth0" },
    "loc": { "iface": "eth1" }
  },

  "policy": [
    { "in": "_fw", "action": "accept" },
    { "in": "loc", "out": "inet", "action": "accept" }
  ],

  "snat": [
    { "out": "inet", "action": "masquerade" }
  ]
}

The above configuration will:

  • Create a description of your Policy
  • Define zones
  • Define policy
  • Define snat (to masquerade the outgoing traffic)
Note: snat means "source NAT". It does not mean "static NAT".
Tip: AWall has a built-in zone named "_fw" which is the "firewall itself". This corresponds to the Shorewall "fw" zone.
Todo: I had to remove the snat section due to the "masquerade", which seems to break something.
This needs some research, and/or the above example needs modifying.


Activating/Applying a Policy

After saving the Policy you can run the following commands to activate your firewall settings:

awall list                  # List the available Policies (this step is optional)
awall enable test-policy    # Enable the Policy
awall activate              # Generate the firewall configuration from the enabled Policy files and load it (start the firewall)

A run looks like this (the list output shows the Policy name, its state and its description):

# awall list
test-policy  enabled  Home firewall
# awall activate
Warning: inet6 rules not tested
New firewall configuration activated
Press RETURN to commit changes permanently:

The RETURN prompt is there so that a Policy which locks you out of the box (for example by dropping your own SSH session) is not committed permanently; check that you can still reach the machine before you confirm.

Advanced Firewall settings

Assuming you have your '/usr/share/awall/optional/test-policy.json' with the "Basic home firewall" settings, you can modify that file to test the examples below.

Tip: You could also create new files in '/usr/share/awall/optional/' for testing some of the examples below.

Logging

Since version 0.2.7 AWall logs dropped and rejected packets by default, and the older "logdrop" action is deprecated.
So, to see the packets from "inet" that are dropped on their way to "loc", it is enough to add the following row to the "policy" section of your Policy file:

{ "in": "inet", "out": "loc", "action": "drop" }
Note: If you are adding the above content to an already existing file, then make sure you add "," signs where they are needed!

Port-Forwarding

Let's suppose you have a local web server (192.168.1.10) that you want to make accessible from the "inet".
With Shorewall you would have a rule like this in your '/etc/shorewall/rules':

#ACTION  SOURCE  DEST               PROTO  DEST    SOURCE    ORIGINAL
#                                          PORT(S) PORT(S)   DEST
DNAT     inet     loc:192.168.1.10  tcp    80

Let's configure our AWall Policy file likewise by adding the following content.

  "variable": {
    "APACHE": "192.168.1.10",
    "STATIC_IP": "1.2.3.4"
  },

  "filter": [
    { "in": "inet",
      "dest": "$STATIC_IP",
      "service": "http",
      "action": "accept",
      "dnat": "$APACHE"
    }
  ]

As you can see in the above example, we create a

  • "variable" section where we specify the IP addresses we need ($STATIC_IP is the public address on eth0, $APACHE the web server on the "loc" side)
  • "filter" section where we do the actual port-forwarding: traffic from "inet" to $STATIC_IP for the "http" service (a pre-existing "service" definition) is accepted and its destination is rewritten to $APACHE, exactly like the Shorewall DNAT rule
Note: If you are adding the above content to a already existing file, then make sure you add "," signs where they are needed!
Tip: AWall already has a "service" definition list for several services like HTTP, FTP, SNMP, etc. (see '/usr/share/awall/mandatory/services.json')

Create own service definitions

You can add your own service definitions into your Policy files:

"service": {
  "openvpn": { "proto": "udp", "port": 1194 }
}
Note: If you are adding the above content to a already existing file, then make sure you add "," signs where they are needed!
Todo: Do the 'home made' definitions override the ones in '/usr/share/awall/mandatory/services.json' if they have the same name?
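
A check worth running before "awall activate", as an added example that is neither the wiki page's nor the awall project's code: a small Python linter that parses a Policy file and reports the problems the notes above warn about (a missing "," making the JSON invalid, a zone, $VARIABLE or service referenced in a rule but never defined, and the deprecated "logdrop" action). The BUILTIN_SERVICES set, the sample policies and the rule keys it inspects (in, out, src, dest, dnat, service) are assumptions made for the example; it covers the basic home firewall, the port-forwarding rule and the own-service definitions above.

```python
"""Lint an AWall policy file before running `awall activate`.

Added example, not code from the Alpine wiki page or the awall project.
It catches a missing "," (invalid JSON), a zone used in a rule but never
defined, a $VARIABLE or service name that nothing defines, and the
"logdrop" action that is deprecated since awall 0.2.7.
"""
import json
import re

# Assumption: a small stand-in for /usr/share/awall/mandatory/services.json.
BUILTIN_SERVICES = {"http", "https", "ssh", "dns", "ftp", "snmp"}
BUILTIN_ZONES = {"_fw"}                     # the firewall itself, always present
VAR_RE = re.compile(r"^\$(\w+)$")
RULE_SECTIONS = ("policy", "filter", "snat", "dnat")
ADDR_KEYS = ("src", "dest", "dnat")         # keys that may hold a $VARIABLE (assumed)


def lint_policy(text, builtin_services=BUILTIN_SERVICES):
    """Return a list of problems found in the policy JSON; [] means clean."""
    try:
        policy = json.loads(text)
    except json.JSONDecodeError as exc:
        # The page's most common pitfall: a "," missing between sections.
        return ["invalid JSON (missing comma?): %s at line %d" % (exc.msg, exc.lineno)]

    problems = []
    zones = BUILTIN_ZONES | set(policy.get("zone", {}))
    variables = set(policy.get("variable", {}))
    services = set(builtin_services) | set(policy.get("service", {}))

    for section in RULE_SECTIONS:
        for index, rule in enumerate(policy.get(section, [])):
            where = "%s[%d]" % (section, index)
            # Every zone a rule refers to must exist (or be the built-in _fw).
            for key in ("in", "out"):
                if key in rule and rule[key] not in zones:
                    problems.append("%s: zone '%s' is not defined" % (where, rule[key]))
            # $VARIABLES must come from the "variable" block.
            for key in ADDR_KEYS:
                match = VAR_RE.match(str(rule.get(key, "")))
                if match and match.group(1) not in variables:
                    problems.append("%s: $%s is not defined in 'variable'" % (where, match.group(1)))
            # Services must be built in or defined in the "service" block.
            svc = rule.get("service")
            for name in (svc if isinstance(svc, list) else [svc] if svc else []):
                if name not in services:
                    problems.append("%s: service '%s' is not defined" % (where, name))
            if rule.get("action") == "logdrop":
                problems.append("%s: 'logdrop' is deprecated since awall 0.2.7, use 'drop'" % where)
    return problems


# Constructed sample: the page's home firewall plus the port-forward, with the
# "," after "description" that is easy to forget.
HOME_POLICY = """
{
  "description": "Home firewall",
  "variable": { "APACHE": "192.168.1.10", "STATIC_IP": "1.2.3.4" },
  "zone": { "inet": { "iface": "eth0" }, "loc": { "iface": "eth1" } },
  "policy": [
    { "in": "_fw", "action": "accept" },
    { "in": "loc", "out": "inet", "action": "accept" },
    { "in": "inet", "out": "loc", "action": "drop" }
  ],
  "filter": [
    { "in": "inet", "dest": "$STATIC_IP", "service": "http",
      "action": "accept", "dnat": "$APACHE" }
  ],
  "snat": [ { "out": "inet", "action": "masquerade" } ]
}
"""

# Constructed sample: the same file with the comma after "description" missing.
MISSING_COMMA = HOME_POLICY.replace('"Home firewall",', '"Home firewall"')

# Constructed sample: references that nothing defines, plus the old action.
DANGLING = """
{
  "zone": { "inet": { "iface": "eth0" } },
  "policy": [ { "in": "inet", "action": "logdrop" } ],
  "filter": [ { "in": "inet", "out": "dmz", "dest": "$WEB",
                "service": "gopher", "action": "accept" } ]
}
"""

if __name__ == "__main__":
    for label, text in (("home", HOME_POLICY), ("missing comma", MISSING_COMMA),
                        ("dangling", DANGLING)):
        print(label, "->", lint_policy(text) or "OK")
```

Run it against your own files with `lint_policy(open("/usr/share/awall/optional/test-policy.json").read())`; an empty list means the file at least parses and refers only to things it defines, which is the cheap check to do before the activation prompt puts your remote session at risk.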


Inherit services or variables

You can import a Policy into other Policy files for inheriting services or variables definitions:

"import": "myfirewall"

Specify load order

By default policies are loaded in alphabetical order.
You can change the load order with the keywords "before" and "after":

"before": "myfirewall"
"after": "someotherpolicy"
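
The load-order rule above (alphabetical unless "before"/"after" says otherwise), as an added example that is not awall's own implementation: a topological sort of the enabled Policies whose ties are broken alphabetically. That awall breaks ties exactly this way, and that the keys may hold a list of names as well as a single name, are assumptions made here; the SAMPLE policies are constructed for the example.

```python
"""Compute the order in which enabled AWall policy files are loaded.

Added example, not awall's code: alphabetical order by default, with
"before"/"after" keys imposing extra constraints (assumed to accept a
single name or a list of names).
"""
import heapq


def _as_list(value):
    """Accept a single policy name or a list of names."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def load_order(policies):
    """policies: {name: parsed policy dict}.  Returns the names in load order.

    Raises ValueError when the "before"/"after" constraints contradict each other.
    """
    after_of = {name: set() for name in policies}   # name -> must load after these
    for name, policy in policies.items():
        for other in _as_list(policy.get("after")):
            if other in policies:
                after_of[name].add(other)
        for other in _as_list(policy.get("before")):
            if other in policies:
                after_of[other].add(name)

    pending = {name: len(deps) for name, deps in after_of.items()}
    ready = [name for name, count in pending.items() if count == 0]
    heapq.heapify(ready)                 # smallest name first = alphabetical default
    order = []
    while ready:
        name = heapq.heappop(ready)
        order.append(name)
        for other, deps in after_of.items():
            if name in deps:
                pending[other] -= 1
                if pending[other] == 0:
                    heapq.heappush(ready, other)
    if len(order) != len(policies):
        stuck = sorted(set(policies) - set(order))
        raise ValueError("circular before/after constraints among: %s" % ", ".join(stuck))
    return order


# Constructed sample: four enabled policies, two of them with ordering keys.
SAMPLE = {
    "adblock":    {},
    "http":       {"after": "myfirewall"},
    "myfirewall": {"description": "Home firewall"},
    "vpn":        {"before": "myfirewall"},
}

if __name__ == "__main__":
    print(load_order(SAMPLE))   # ['adblock', 'vpn', 'myfirewall', 'http']
```

Without the two keys the order would simply be adblock, http, myfirewall, vpn; "vpn" asking to go before "myfirewall" and "http" asking to come after it move them around it while everything else stays alphabetical.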