EnGarde Secure Linux ~ Shorewall
I am taking EnGarde Linux for a test spin, so far I am on a steep learning curve.
Home Page : Engarde Linux
A majority of the administration is performed through the web interface, AKA the “Guardian Digital WebTool”, and the web interface is quite nice. Access to it can be restricted by IP address and by the firewall.
Which brings us to Shorewall ….
Shorewall is the default configuration tool for EnGarde, and it is quite nice. But there are a few caveats to be aware of …
First, Shorewall is designed to handle multiple network cards and is capable of acting as a firewall/router for your LAN, but for a single, stand-alone system it seems like overkill :)
The most important thing to know about Shorewall: it is very, very easy to lock yourself out of the system, and I would take great care not to enable it without physical access to the server (so you can manually disable the firewall from the console :) )
No matter how hard I tried, I could not configure Shorewall from the EnGarde web tool. Every time I enabled Shorewall I lost the ability to connect to the server, including both the web interface and ssh.
It turns out the easiest way is manual configuration (not unusual with servers). The only editor in a default EnGarde installation is vi (vim, actually), so be prepared. There are 3 configuration files you need to edit, and for the most part the defaults are OK. The files are located in /etc/shorewall and are: zones, interfaces, and rules.
/etc/shorewall/zones
fw   firewall   # fw == firewall == localhost
ext  ipv4       # ext == external net == internet
int  ipv4       # int == internal net == private LAN
/etc/shorewall/interfaces
ext  eth0  detect  blacklist,tcpflags
# if you have multiple network cards and are using EnGarde as a firewall / router, add them here
# int  eth1  detect
/etc/shorewall/rules
# This rule accepts connections from your LAN to the web tool (TCP port 1023).
# Change 192.168.1.1/24 to your network. The source zone must be one that is
# defined in zones and bound to an interface; on a single-NIC box that is ext.
ACCEPT ext:192.168.1.1/24 $FW tcp 1023
# This rule accepts http, https, and ssh (default port) from anywhere. A plain
# ACCEPT is used rather than the Web macro, which only covers ports 80 and 443.
ACCEPT ext $FW tcp 22,80,443
That’s it; you now have Shorewall configured to allow access to the web tool.
Start Shorewall (or reload it after editing the rules):
/etc/init.d/shorewall start|reload
Stop Shorewall:
/etc/init.d/shorewall stop
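Before starting the firewall on a remote box it is worth checking that the three files agree with each other, since a rule that names a zone the zones file never defines (or a zone with no interface) makes the start fail and can leave you locked out. The script below is an added example, not part of the original post or of Shorewall; it assumes the three-file layout shown here (zones, interfaces and rules in one directory) and builds its own constructed sample configs in a temporary directory.

```sh
#!/bin/sh
# Added example (not from the post): sanity-check a Shorewall zones /
# interfaces / rules trio before starting the firewall. Every zone a
# rule names must exist in `zones`, and every non-firewall zone must be
# bound to an interface; a rule that names an unknown zone makes
# "shorewall start" abort, which on a remote box means a lockout.

# check_shorewall DIR -> prints every problem found; returns 0 if none
check_shorewall() {
    dir=$1
    zones=$(awk '!/^#/ && NF {print $1}' "$dir/zones")
    bound=$(awk '!/^#/ && NF {print $1}' "$dir/interfaces")
    fwzone=$(awk '!/^#/ && $2=="firewall" {print $1}' "$dir/zones")
    # Rule columns: ACTION SOURCE DEST [PROTO DPORT ...]. Skip SECTION
    # lines, drop "zone:host" qualifiers, map $FW to the firewall zone.
    problems=$(awk '!/^#/ && NF && $1!="SECTION" {print $2; print $3}' \
        "$dir/rules" | sed 's/:.*//' | while read -r z; do
        [ "$z" = '$FW' ] && z=$fwzone
        if ! printf '%s\n' "$zones" | grep -qxF "$z"; then
            echo "rules: zone '$z' is not defined in zones"
        elif [ "$z" != "$fwzone" ] && \
             ! printf '%s\n' "$bound" | grep -qxF "$z"; then
            echo "rules: zone '$z' has no interface in interfaces"
        fi
    done)
    [ -z "$problems" ] && return 0
    echo "$problems"
    return 1
}

# Constructed sample configs: the single-NIC layout from the post.
DEMO=$(mktemp -d)
for d in good bad; do
    mkdir -p "$DEMO/$d"
    printf 'fw firewall\next ipv4\nint ipv4\n' > "$DEMO/$d/zones"
    printf 'ext eth0 detect blacklist,tcpflags\n' > "$DEMO/$d/interfaces"
done
# "bad" names zone "net", which the zones file never defines.
printf 'ACCEPT net:192.168.1.0/24 $FW tcp 1023\n' > "$DEMO/bad/rules"
# "good" uses "ext", the defined zone that is bound to eth0.
printf 'ACCEPT ext:192.168.1.0/24 $FW tcp 1023\nACCEPT ext $FW tcp 22,80,443\n' \
    > "$DEMO/good/rules"

check_shorewall "$DEMO/bad" || echo "bad: do not start shorewall yet"
check_shorewall "$DEMO/good" && echo "good: zones, interfaces and rules agree"
```

Point it at /etc/shorewall on the real box (check_shorewall /etc/shorewall) and only start the firewall when it returns 0.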
For additional information on Shorewall, I liked this link:
Debian wiki Shorewall Firewall
Posted in Linux
Thanks for the post. Nice to see such good ideas.
Comment by Olechka-persik — December 9, 2008 @ 9:34 pm
Ly50R9 Thanks for the good post
Comment by johnny — December 29, 2008 @ 11:35 am