EnGarde Secure Linux ~ Shorewall

I am taking EnGarde Linux for a test spin, so far I am on a steep learning curve.

Home Page : Engarde Linux

A majority of the administration is performed at the web interface, AKA the “Guardian Digital WebTool”, and the web interface is quite nice. One can restrict access to it by IP address and by firewall.

Which brings us to Shorewall ….

Shorewall is the default configuration tool for EnGarde, and it is quite nice. But there are a few caveats to be aware of …

First, Shorewall is designed to handle multiple network cards and is capable of acting as a firewall for your LAN, but for a single, stand-alone system it seems like overkill :)

The most important thing to know about Shorewall … It is very, very easy to lock yourself out of the system and I would take great care not to enable it without physical access to the server (so you can manually disable the firewall :) )

No matter how hard I tried, I could not configure Shorewall from the EnGarde web tool. Every time I enabled Shorewall I lost the ability to connect to the server, including both the web interface and ssh.

It turns out the easiest way is with manual configuration (not unusual with servers). The only editor in a default EnGarde installation is vi (vim actually) so be prepared. There are 3 configuration files you need to edit, and for the most part the defaults are OK. The files are located in /etc/shorewall and are : zones, interfaces, and rules.

/etc/shorewall/zones

fw     firewall     # fw == firewall == localhost
ext    ipv4         # == external net == internet
int    ipv4         # == internal net == private LAN

/etc/shorewall/interfaces

ext    eth0    detect     blacklist,tcpflags

# if you have multiple network cards and are using EnGarde as a firewall / router, add them here
# int    eth1    detect

/etc/shorewall/rules

# The zone names used here must be the ones declared in the zones file
# (ext and int above), otherwise Shorewall refuses to start with an unknown-zone error.
# This rule accepts connections from your LAN to the web interface (port 1023)
# Change "192.168.1.1/24" to your network
ACCEPT ext:192.168.1.1/24 $FW tcp 1023

# This rule accepts http, https, and ssh (default port) from anywhere.
ACCEPT ext $FW tcp 22,80,443

That’s it, you now have a shorewall configured to allow access to the web tool.

Start shorewall :

/etc/init.d/shorewall start|reload

Stop shorewall :

/etc/init.d/shorewall stop
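Since the main risk with Shorewall is enabling it and locking yourself out, here is an added pre-flight check (example code, not part of the original post or of Shorewall) that reads the zones and rules files as text, reports any rule that references a zone the zones file does not declare, and confirms that an ACCEPT rule lets your own address reach the WebTool (or ssh) port before you run the start command. The embedded zones and rules are constructed from the files above; the admin address 192.168.1.50 is an assumption.

```python
import ipaddress

# Constructed sample input mirroring the post's zones and rules files.
ZONES = """fw   firewall   # localhost
ext  ipv4       # internet
int  ipv4       # private LAN
"""
# Rules as first written: they name a zone 'net' that the zones file never declares.
RULES_BAD = """ACCEPT net:192.168.1.1/24 $FW tcp 1023
ACCEPT net $FW tcp 22,80,443
"""
# Same rules using the declared zone name.
RULES_GOOD = RULES_BAD.replace("net", "ext")


def strip(line):
    """Drop a trailing '#' comment and surrounding whitespace."""
    return line.split("#", 1)[0].strip()


def parse_zones(text):
    """Zone names: first column of every non-comment line in /etc/shorewall/zones."""
    return {strip(l).split()[0] for l in text.splitlines() if strip(l)}


def parse_rules(text):
    """(action, source, dest, proto, dport) per rule; missing columns become '-'."""
    rows = [strip(l).split() for l in text.splitlines() if strip(l)]
    return [tuple((r + ["-"] * 5)[:5]) for r in rows]


def zone_and_net(spec):
    """'ext:192.168.1.1/24' -> ('ext', 192.168.1.0/24); '$FW' -> ('fw', None)."""
    name, _, addr = spec.partition(":")
    net = ipaddress.ip_network(addr, strict=False) if addr else None
    return ("fw" if name == "$FW" else name), net


def check(zones_text, rules_text, admin_ip, admin_port):
    """Return problems that would break compilation or lock the admin out (empty list = OK)."""
    zones, problems, reachable = parse_zones(zones_text), [], False
    for action, src, dst, proto, dport in parse_rules(rules_text):
        (sz, snet), (dz, _) = zone_and_net(src), zone_and_net(dst)
        for z in (sz, dz):
            if z not in zones:
                problems.append(f"undefined zone '{z}' in rule: {action} {src} {dst}")
        # Only plain ACCEPT rules with explicit ports are considered; macros are skipped.
        if (action == "ACCEPT" and dz == "fw" and proto in ("tcp", "-")
                and str(admin_port) in dport.split(",")
                and (snet is None or ipaddress.ip_address(admin_ip) in snet)):
            reachable = True
    if not reachable:
        problems.append(f"no ACCEPT rule lets {admin_ip} reach tcp/{admin_port} on $FW")
    return problems
```

Run `check(open('/etc/shorewall/zones').read(), open('/etc/shorewall/rules').read(), '<your IP>', 1023)` on the server before starting Shorewall; an empty list means both files agree and your session will survive.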

For additional information on shorewall, I liked this link :

Debian wiki Shorewall Firewall


3 Responses to EnGarde Secure Linux ~ Shorewall

  1. Thanks for post. Nice to see such good ideas.

  2. johnny says:

    Ly50R9 Thanks for good post

  3. Odin says:

    I can’t thank you enough. This had been baffling me for about an hour.
