How-To Alpine Wall: Difference between revisions

From Alpine Linux
(Created page with "Purpose of this doc is to illustrate Alpine Wall by examples. Please see Alpine_Wall_User's_Guide for details about the syntax. Your firewall configuration goes to '''/us...")
 
(Basic home firewall config)

Revision as of 14:27, 16 July 2012

DRAFT

The purpose of this document is to illustrate Alpine Wall (awall) by example. Please see Alpine_Wall_User's_Guide for details of the syntax. We explain AWall from the viewpoint of a Shorewall user.

Your firewall configuration goes in /usr/share/awall/optional. Each file there is called a Policy. Policy files are not equivalent to the /etc/shorewall/policy file: an AWall Policy contains definitions of variables (like /etc/shorewall/params), zones (like /etc/shorewall/zones), interfaces (like /etc/shorewall/interfaces), policies (like /etc/shorewall/policy), and filter and NAT rules (like /etc/shorewall/rules). You may have multiple Policy files. This is useful, for example, for specific firewall roles such as FTP or HTTP: you can create separate policies that can be enabled or disabled on the fly with the "awall [enable|disable]" command.

Prerequisites

After installing the awall package, you need to load the following iptables modules:

 # modprobe iptables
 # modprobe iptable_nat    #if NAT is used

Add them to /etc/modules so they are loaded automatically at boot.

A Basic Home Firewall

In this case you have just a "local" zone and an "internet" zone, and the Alpine router firewalls you from the internet.

Create a new file in /usr/share/awall/optional, start with a description of your Policy (useful when you have multiple policies), and then define the zones:

 {
   "description": "Home firewall",
   "zone": {
     "inet": { "iface": "eth0" },
     "loc": { "iface": "eth1" }
   },

AWall has a built-in default zone, _fw, which corresponds to the Shorewall "fw" zone: the firewall itself. Set up your default policies:

   "policy": [
     { "out": "_fw", "action": "accept" },
     { "in": "loc", "out": "inet", "action": "accept" }
   ],

Then you need to masquerade the outgoing traffic:

   "snat": [
     { "out": "inet", "action": "masquerade" }
   ]
 }

snat here is to be read as "source NAT", not "static NAT". Static or dynamic NAT is done with the dnat rule (destination NAT).

After saving the Policy, you can list it, enable or disable it, and activate it (that is, start the firewall):

 # awall list
 myfirewall  enabled   Home firewall
 # awall activate
 Warning: inet6 rules not tested
 New firewall configuration activated
 Press RETURN to commit changes permanently: 

To log all packets dropped from "inet", add the following policy:

 { "in": "inet", "out": "loc", "action": "logdrop" }
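A policy file that does not parse, or that refers to a zone name that was never declared, is the most common way to end up with a firewall that is not what you intended. The checker below is an added example (not part of awall or of this wiki page); it assumes the layout shown above, a JSON object with "zone", "policy" and "snat" (optionally "filter"/"dnat") keys whose entries refer to declared zones or to the built-in _fw zone, and runs it over constructed samples of the home firewall policy before you reach for awall activate.

```python
import json

BUILTIN_ZONES = {"_fw"}  # the firewall host itself
ZONE_SECTIONS = ("policy", "filter", "snat", "dnat")  # entries carry "in"/"out"

def check_policy(text):
    """Return problems found in an awall policy (JSON text); [] means clean."""
    try:
        policy = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc.msg} (line {exc.lineno})"]
    problems = []
    zones = set(policy.get("zone", {})) | BUILTIN_ZONES
    for section in ZONE_SECTIONS:
        for idx, rule in enumerate(policy.get(section, [])):
            if "action" not in rule:
                problems.append(f"{section}[{idx}]: missing action")
            for side in ("in", "out"):
                refs = rule.get(side, [])  # "in"/"out" may be absent
                if isinstance(refs, str):  # a single name or a list of names
                    refs = [refs]
                for zone in refs:
                    if zone not in zones:
                        problems.append(f"{section}[{idx}]: unknown zone '{zone}' ({side})")
    return problems

# Constructed sample: the comma after "description" left out by hand.
BROKEN = """{
  "description": "Home firewall"
  "zone": { "inet": { "iface": "eth0" }, "loc": { "iface": "eth1" } }
}"""

# Constructed sample: the complete home firewall policy with the logdrop rule.
FIXED = """{
  "description": "Home firewall",
  "zone": { "inet": { "iface": "eth0" }, "loc": { "iface": "eth1" } },
  "policy": [
    { "out": "_fw", "action": "accept" },
    { "in": "loc", "out": "inet", "action": "accept" },
    { "in": "inet", "out": "loc", "action": "logdrop" }
  ],
  "snat": [ { "out": "inet", "action": "masquerade" } ]
}"""

# Constructed sample: a typo in a zone name, which the JSON parser cannot catch.
TYPO = FIXED.replace('"in": "inet"', '"in": "inte"')

if __name__ == "__main__":
    for name, text in (("BROKEN", BROKEN), ("FIXED", FIXED), ("TYPO", TYPO)):
        print(name, check_policy(text) or "ok")
```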

Port-Forwarding