Configuring 6wall

Overview

The 6wall package LRP configuration menu allows you to define the parameter files that together make up 6wall. If you've read the Shorewall documentation the names of these files should be familiar to you.

The most important parameter files that should be edited are:

  • Zone definitions

  • Interface definitions

  • Policy definitions

  • Rule definitions

For a complete description of the components that together make up 6wall, check the 6wall reference manual.

Zone definitions

The file /etc/6wall/zones6 is used to define the network zones. There is one entry for each zone. Columns in an entry are:

  • ZONE - short name for the zone. The name should be 5 characters or less in length and consist of lower-case letters or numbers. Short names must begin with a letter and the name assigned to the firewall is reserved for use by 6wall itself. Note that the output produced by ip6tables is much easier to read if you select short names that are three characters or less in length. The name "all" may not be used as a zone name nor may the zone name assigned to the firewall itself via the FW variable in /etc/6wall/6wall.conf.

  • DISPLAY - The name of the zone as displayed during 6wall startup.

  • COMMENTS - Any comments that you want to make about the zone. 6wall ignores these comments.

The /etc/6wall/zones6 file released with 6wall is as follows:

#ZONE DISPLAY COMMENTS
#
net	Net	Internet
loc	Local 	Local networks

More details on /etc/6wall/zones6 can be found in the 6wall reference manual.

Interface definitions

The file /etc/6wall/interfaces6 is used to tell the firewall which of your firewall's network interfaces are connected to which zone. Columns in an entry are:

  • ZONE - A zone defined in the /etc/6wall/zones6 file.

  • INTERFACE - the name of the interface (examples: eth0, ppp0, ipsec+). Each interface can be listed on only one record in this file.

    Important

    DO NOT INCLUDE THE LOOPBACK INTERFACE (lo) IN THIS FILE!!!

  • OPTIONS - a comma-separated list of options. Possible options include:

    • routeback - This option causes 6wall to set up handling for routing packets that arrive on this interface back out the same interface. If this option is specified, the ZONE column may not contain "-".

    • tcpflags - This option causes 6wall to make sanity checks on the header flags in TCP packets arriving on this interface. Checks include Null flags, SYN+FIN, SYN+RST and FIN+URG+PSH; these flag combinations are typically used for "silent" port scans. Packets failing these checks are logged according to the TCP_FLAGS_LOG_LEVEL option in /etc/6wall/6wall.conf and are disposed of according to the TCP_FLAGS_DISPOSITION option.

    • blacklist - This option causes incoming packets on this interface to be checked against the blacklist.

    • nositelocal - Packets arriving on this interface and that have a site-local source address will be dropped after being optionally logged.

    • maclist - If this option is specified, all connection requests from this interface are subject to MAC Verification. May only be specified for ethernet interfaces.
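The four header-flag checks that the tcpflags option performs are easy to reproduce offline. The following is an added example (not 6wall's own code or its ip6tables rules): it builds constructed 20-byte TCP headers, reads the flags byte at offset 13, and reports which of the checks named above a packet would fail. The "DROP" default in classify stands in for TCP_FLAGS_DISPOSITION, whose actual default this page does not state, and the FIN+URG+PSH check is interpreted as "only those three flags set".

```python
import struct

# TCP flag bits, low six bits of header byte 13.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
ALL = FIN | SYN | RST | PSH | ACK | URG

# (check name, bits to inspect, value those bits must have for the check to fail)
TCP_FLAG_CHECKS = [
    ("null flags",  ALL,             0),                 # no flags at all
    ("SYN+FIN",     SYN | FIN,       SYN | FIN),         # both set
    ("SYN+RST",     SYN | RST,       SYN | RST),         # both set
    ("FIN+URG+PSH", ALL,             FIN | URG | PSH),   # exactly these three set
]


def make_tcp_header(sport, dport, flags):
    """Constructed minimal TCP header: ports, seq, ack, data offset 5, flags,
    window, checksum and urgent pointer (the last three left at sample values)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)


def tcp_flags(header):
    """The flags live in byte 13 of the TCP header; ignore the two reserved bits."""
    return header[13] & ALL


def failed_checks(header):
    """Names of the tcpflags sanity checks this packet fails (empty if none)."""
    flags = tcp_flags(header)
    return [name for name, mask, value in TCP_FLAG_CHECKS if flags & mask == value]


def classify(header, disposition="DROP"):
    """(disposition, failed checks): a clean packet is ACCEPTed, a failing one
    gets the disposition configured by TCP_FLAGS_DISPOSITION (assumed DROP here)."""
    checks = failed_checks(header)
    return ("ACCEPT" if not checks else disposition, checks)


if __name__ == "__main__":
    samples = {
        "normal SYN": SYN, "SYN+ACK": SYN | ACK, "null scan": 0,
        "SYN+FIN scan": SYN | FIN, "SYN+RST": SYN | RST, "FIN+URG+PSH": FIN | URG | PSH,
    }
    for label, flags in samples.items():
        print(f"{label:14} -> {classify(make_tcp_header(40000, 80, flags))}")
```

Packets that pass every check fall through to the normal rule and policy processing; only the failing ones are logged at TCP_FLAGS_LOG_LEVEL and disposed of.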

The /etc/6wall/interfaces6 file released with 6wall is as follows:

#ZONE    INTERFACE      OPTIONS
#
net      tun6to4        nositelocal
loc      eth1

More details on /etc/6wall/interfaces6 can be found in the 6wall reference manual.

Policy definitions

The file /etc/6wall/policy6 is used to describe the firewall policy regarding establishment of connections. Connection establishment is described in terms of clients who initiate connections and servers who receive those connection requests. Policies describe which zones are allowed to establish connections with other zones.

Four policies are defined:

  • ACCEPT - The connection is allowed.

  • DROP - The connection request is ignored.

  • CONTINUE - The connection is neither ACCEPTed nor DROPped. CONTINUE may be used when one or both of the zones named in the entry are sub-zones of or intersect with another zone. Where zones are nested or overlapping, the CONTINUE policy allows hosts that are within multiple zones to be managed under the rules of all of these zones.

  • NONE - 6wall should not set up any infrastructure for handling traffic from the SOURCE zone to the DEST zone. When this policy is specified, the LOG LEVEL and BURST:LIMIT columns must be left blank.

Entries in /etc/6wall/policy6 have four columns as follows:

  • SOURCE - The name of a client zone (a zone defined in the /etc/6wall/zones6, the name of the firewall zone or "all").

  • DEST - The name of a server zone (a zone defined in the /etc/6wall/zones6, the name of the firewall zone or "all"). 6wall automatically allows all traffic from the firewall to itself so the name of the firewall zone cannot appear in both the SOURCE and DEST columns.

  • POLICY - The default policy for connection requests from the SOURCE zone to the DEST zone.

  • LOG LEVEL - Optional. If left empty, no log message is generated when the policy is applied. Otherwise, this column should contain an integer or name indicating a syslog level.

  • LIMIT:BURST - Optional. If left empty, TCP connection requests from the SOURCE zone to the DEST zone will not be rate-limited. Otherwise, this column specifies the maximum rate at which TCP connection requests will be accepted followed by a colon (":") followed by the maximum burst size that will be tolerated. Example: 10/sec:40 specifies that the maximum rate of TCP connection requests allowed will be 10 per second and a burst of 40 connections will be tolerated. Connection requests in excess of these limits will be dropped.

The /etc/6wall/policy6 file released with 6wall is as follows:

#SOURCE	DEST	POLICY	LOG LEVEL	LIMIT:BURST
#
loc	net	ACCEPT	-		-
net	all	DROP	info		-
all	all	DROP	info		-

More details on /etc/6wall/policy6 can be found in the 6wall reference manual.
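The zone, interface and policy sections above state a number of constraints (zone name length and character set, no loopback interface, each interface on one record only, routeback needing a real zone, NONE requiring blank LOG LEVEL and LIMIT:BURST, the firewall zone not being both SOURCE and DEST). The following is an added example, not part of 6wall, that lints the three files against those constraints before they are deployed. It assumes the firewall zone is called fw (the FW variable in /etc/6wall/6wall.conf) and uses constructed copies of the released files plus a deliberately broken interfaces6.

```python
import re

# Assumed value of the FW variable in /etc/6wall/6wall.conf (the firewall's own zone).
FW = "fw"

# Constructed copies of the files shipped with 6wall, as shown in this document.
ZONES6 = """#ZONE DISPLAY COMMENTS
net\tNet\tInternet
loc\tLocal\tLocal networks
"""
INTERFACES6 = """#ZONE INTERFACE OPTIONS
net      tun6to4        nositelocal
loc      eth1
"""
POLICY6 = """#SOURCE DEST POLICY LOG_LEVEL LIMIT:BURST
loc  net  ACCEPT  -     -
net  all  DROP    info  -
all  all  DROP    info  -
"""
# Constructed interfaces6 containing the mistakes the text warns about.
BAD_INTERFACES6 = """#ZONE INTERFACE OPTIONS
net  tun6to4  nositelocal
loc  eth1
-    lo       routeback
dmz  eth1
"""

ZONE_NAME = re.compile(r"^[a-z][a-z0-9]{0,4}$")   # 1-5 chars, lower-case, letter first
RATE_BURST = re.compile(r"^\d+/[a-z]+:\d+$")      # e.g. 10/sec:40
POLICIES = {"ACCEPT", "DROP", "CONTINUE", "NONE"}


def parse_table(text):
    """Split a Shorewall-style file into rows of whitespace-separated columns,
    dropping blank lines and '#' comments."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rows.append(line.split())
    return rows


def check_zones(text):
    """Return (zone names, errors) for a zones6 file."""
    zones, errors = [], []
    for row in parse_table(text):
        zone = row[0]
        if zone in ("all", FW) or not ZONE_NAME.match(zone):
            errors.append(f"zones6: invalid zone name {zone!r}")
        elif zone in zones:
            errors.append(f"zones6: zone {zone!r} defined twice")
        else:
            zones.append(zone)
    return zones, errors


def check_interfaces(text, zones):
    """Return errors for an interfaces6 file given the defined zones."""
    errors, seen = [], set()
    for row in parse_table(text):
        zone, iface = row[0], row[1]
        options = set(row[2].split(",")) if len(row) > 2 else set()
        if iface == "lo":
            errors.append("interfaces6: the loopback interface must not be listed")
        if iface in seen:
            errors.append(f"interfaces6: {iface} appears on more than one record")
        seen.add(iface)
        if zone != "-" and zone not in zones:
            errors.append(f"interfaces6: {iface} refers to undefined zone {zone!r}")
        if "routeback" in options and zone == "-":
            errors.append(f"interfaces6: routeback on {iface} needs a ZONE other than '-'")
    return errors


def check_policy(text, zones):
    """Return errors for a policy6 file given the defined zones."""
    errors, valid = [], set(zones) | {FW, "all"}
    for row in parse_table(text):
        src, dst, policy, level, limit = (row + ["-"] * 5)[:5]   # pad optional columns
        if src not in valid or dst not in valid:
            errors.append(f"policy6: unknown zone in {src} -> {dst}")
        if src == FW and dst == FW:
            errors.append("policy6: the firewall zone may not be both SOURCE and DEST")
        if policy not in POLICIES:
            errors.append(f"policy6: unknown policy {policy!r}")
        if policy == "NONE" and (level, limit) != ("-", "-"):
            errors.append("policy6: NONE requires blank LOG LEVEL and LIMIT:BURST")
        if limit != "-" and not RATE_BURST.match(limit):
            errors.append(f"policy6: malformed LIMIT:BURST {limit!r}")
    return errors


def lint(zones_text, interfaces_text, policy_text):
    """Lint the three files together; an empty list means nothing was found."""
    zones, errors = check_zones(zones_text)
    errors += check_interfaces(interfaces_text, zones)
    errors += check_policy(policy_text, zones)
    return errors


if __name__ == "__main__":
    for problem in lint(ZONES6, BAD_INTERFACES6, POLICY6):
        print(problem)
```

Running it against the released files reports nothing; against the broken interfaces6 it flags the loopback entry, routeback without a zone, the duplicated eth1 and the undefined dmz zone. A missing LOG LEVEL or LIMIT:BURST column is treated the same as the "-" placeholder the released policy6 uses.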

Rule definitions

Policies established in /etc/6wall/policy6 can be viewed as default policies. Rules in /etc/6wall/rules6 define exceptions to these policies. Entries in the file have the following columns:

  • ACTION

    • ACCEPT, DROP, CONTINUE. These have the same meaning here as in the policy file above.

    • LOG - Log the packet -- requires a syslog level (see below).

    The ACTION may optionally be followed by ":" and a syslog level (example: DROP:info). This causes the packet to be logged at the specified level prior to being processed according to the specified ACTION. Note: if the ACTION is LOG then you MUST specify a syslog level.

  • SOURCE - Describes the source hosts to which the rule applies. The contents of this field must begin with the name of a zone defined in the /etc/6wall/zones6, the name of the firewall zone or "all".

    If the source is not 'all' then the source may be further restricted by adding a colon (":") followed by a comma-separated list of qualifiers. Qualifiers may include:

    • An interface name - refers to any connection requests arriving on the specified interface (example: loc:eth4). The interface name may optionally be followed by a colon (":") and an IP address or prefix (examples: net:eth0:2002:888::2ef, loc:eth1:fec0::/64).

    • An IP address - refers to a connection request from the host with the specified address (example: net:2002:888::2ef).

    • A MAC Address in Shorewall format.

    • A prefix - refers to a connection request from any host in the specified subnet (example: loc:fec0:1::/64).

  • DEST - Describes the destination host(s) to which the rule applies. May take most of the forms described above for SOURCE. Restrictions:

    • MAC addresses may not be specified.

    • You may not specify both an IP address and an interface name in the DEST column.

  • PROTO - Protocol. Must be a protocol name from /etc/protocols, a number or "all". Specifies the protocol of the connection request.

  • DEST PORT(S) - Port or port range (<low port>:<high port>) being connected to. May only be specified if the protocol is tcp, udp or icmpv6. For icmpv6, this column's contents are interpreted as an icmpv6 type. If you don't want to specify DEST PORT(S) but need to include information in one of the columns to the right, enter "-" in this column. You may give a list of ports and/or port ranges separated by commas. Port numbers may be either integers or service names from /etc/services.

  • SOURCE PORT(S) - May be used to restrict the rule to a particular client port or port range (a port range is specified as <low port number>:<high port number>). If you don't want to restrict client ports but want to specify something in the next column, enter "-" in this column. If you wish to specify a list of port numbers or ranges, separate the list elements with commas (with no embedded white space). Port numbers may be either integers or service names from /etc/services.

The /etc/6wall/rules6 file released with 6wall is as follows:

#ACTION	SOURCE		DEST		PROTO	DEST	SOURCE     
#						PORT	PORT(S)    
#
#       Allow ping6 from the firewall
#
ACCEPT	fw		all		icmpv6	echo-request
#
#
#       Allow ping6 from the local network to the firewall
#
ACCEPT	loc		fw		icmpv6	echo-request

More details on /etc/6wall/rules6 can be found in the 6wall reference manual.
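To see how rules act as exceptions to policies, it helps to trace a few connection requests through both files. The following is an added example, not 6wall code: it parses constructed copies of the released policy6 and rules6 (extended with two constructed rules that exercise the ACTION:level suffix and a port range), checks rules6 first and then falls back to the first matching policy6 entry, and models the implicit firewall-to-firewall ACCEPT. It assumes the firewall zone is called fw; SOURCE qualifiers after the zone name (interface, address, prefix) and the LIMIT:BURST column are parsed but not evaluated, and a LOG rule is taken to log and fall through to the next rule, as in Shorewall.

```python
# Assumed value of the FW variable in /etc/6wall/6wall.conf.
FW = "fw"

# Constructed copy of the released policy6.
POLICY6 = """#SOURCE DEST POLICY LOG_LEVEL LIMIT:BURST
loc  net  ACCEPT  -     -
net  all  DROP    info  -
all  all  DROP    info  -
"""
# Constructed copy of the released rules6 plus two constructed rules:
# a logged ACCEPT using the ACTION:level form and a rule with a port range.
RULES6 = """#ACTION      SOURCE  DEST  PROTO   DEST_PORT(S)   SOURCE_PORT(S)
ACCEPT       fw      all   icmpv6  echo-request
ACCEPT       loc     fw    icmpv6  echo-request
ACCEPT:info  net     fw    tcp     80,443
ACCEPT       loc     fw    tcp     5000:5010
"""


def parse_table(text):
    """Rows of whitespace-separated columns, minus blank lines and '#' comments."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rows.append(line.split())
    return rows


def parse_policy(text):
    """Each policy row padded to the five columns described above."""
    return [(row + ["-"] * 5)[:5] for row in parse_table(text)]


def parse_rules(text):
    """Each rule becomes a dict; the optional ACTION:level suffix is split off."""
    rules = []
    for row in parse_table(text):
        action, src, dst, proto, dport, sport = (row + ["-"] * 6)[:6]
        action, _, level = action.partition(":")
        rules.append(dict(action=action, level=level or None, src=src, dst=dst,
                          proto=proto, dport=dport, sport=sport))
    return rules


def zone_matches(spec, zone):
    """'all' matches every zone; only the zone part before the first ':' is
    compared, so interface/address qualifiers are accepted but not evaluated."""
    return spec.split(":", 1)[0] in ("all", zone)


def port_matches(spec, port):
    """'-' matches anything; otherwise a comma list of ports, service or
    icmpv6 type names, or low:high numeric ranges."""
    if spec == "-":
        return True
    for item in spec.split(","):
        if ":" in item:
            low, high = item.split(":", 1)
            if str(port).isdigit() and int(low) <= int(port) <= int(high):
                return True
        elif item == str(port):
            return True
    return False


def dispose(rules, policies, src, dst, proto, dport="-"):
    """Return (disposition, log level, origin) for one connection request:
    rules6 is consulted first, then the first matching policy6 entry."""
    if src == FW and dst == FW:
        return "ACCEPT", None, "implicit"       # firewall to itself is always allowed
    for r in rules:
        if (zone_matches(r["src"], src) and zone_matches(r["dst"], dst)
                and r["proto"] in ("all", proto) and port_matches(r["dport"], dport)):
            if r["action"] == "LOG":
                continue                         # LOG only logs; keep matching (assumed)
            return r["action"], r["level"], "rule"
    for psrc, pdst, policy, level, _limit in policies:
        if psrc in ("all", src) and pdst in ("all", dst):
            return policy, (None if level == "-" else level), "policy"
    return None, None, "no matching policy"


RULES = parse_rules(RULES6)
POLICIES = parse_policy(POLICY6)

if __name__ == "__main__":
    requests = [("fw", "loc", "icmpv6", "echo-request"), ("loc", "fw", "icmpv6", "echo-request"),
                ("net", "fw", "icmpv6", "echo-request"), ("loc", "net", "tcp", 80),
                ("net", "fw", "tcp", 443), ("net", "fw", "tcp", 22), ("loc", "fw", "tcp", 5005)]
    for req in requests:
        print(req, "->", dispose(RULES, POLICIES, *req))
```

The trace shows why ordering matters: loc to fw SSH (tcp 22) matches no rule and no specific policy, so it ends at the all/all DROP with logging at "info", while the same request from the firewall to itself never reaches the files at all.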

Finishing up

After you've edited at least the files above to suit your needs, back up the 6wall package!!