Shorewall Firewall

From OptionC

If it's not obvious, we tend to go through regular steps as we create these wiki pages.

  1. Get the thing to work
  2. Take the notes from step one, and try to write them up in a meaningful fashion
  3. Review the notes for sanity's sake
  4. Build from scratch using the notes, and make changes
  5. Make some other poor soul follow the wiki, to see if it works

This wiki is at step 1.5 - I'm putting the information up now, because otherwise I will lose it.

I started with an old machine that wasn't doing much - a Pentium II/350MHz with 256 MB RAM and a 20 GB hard drive. The CD-ROM is unreliable at best. It only had three PCI slots. I point this out because it impacts why I made certain decisions (such as to install from floppies). Also, this is specific to version 2.0.6 of Xen. As of this writing, unstable does not work the same way (or, to be more specific, does not support hiding of PCI devices with direct access to them in a domU. If I'm wrong on this, please let me know...)


1) Install Debian Sarge

2) Install Xen

3) Hide the hardware (via grub)

I custom-compiled this kernel, and this grub entry is exactly what I have (I probably should have called it something other than "blah0", but it was late). Note that these entries only work if you have a dedicated boot partition; otherwise you'll want to prepend "/boot" to the kernel and module lines.

title           Debian 3.1/Xen 2.0.6 (2.6.11-blah0)
root            (hd0,1) 
kernel          /xen-2.0.6.gz dom0_mem=65536 noreboot physdev_dom0_hide='(00:12.0)(00:14.0)'
module          /xen-linux-2.6.11-blah0 root=/dev/hda3 ro console=tty0

Before:

lspci

After:

lspci

0000:00:00.0 Host bridge: Intel Corp. 440BX/ZX/DX - 82443BX/ZX/DX Host bridge (rev 03)
0000:00:01.0 PCI bridge: Intel Corp. 440BX/ZX/DX - 82443BX/ZX/DX AGP bridge (rev 03)
0000:00:02.0 ISA bridge: Intel Corp. 82371AB/EB/MB PIIX4 ISA (rev 02)
0000:00:02.1 IDE interface: Intel Corp. 82371AB/EB/MB PIIX4 IDE (rev 01)
0000:00:02.2 USB Controller: Intel Corp. 82371AB/EB/MB PIIX4 USB (rev 01)
0000:00:02.3 Bridge: Intel Corp. 82371AB/EB/MB PIIX4 ACPI (rev 02)
0000:00:10.0 Ethernet controller: Intel Corp. 82557/8/9 [Ethernet Pro 100] (rev 04)
0000:01:01.0 VGA compatible controller: S3 Inc. Trio 64 3D (rev 01)

4) domU config

Some of these are defaults, some are specific to how my system is set up (such as the location of the files).

kernel = "/boot/xen-linux-2.6.11-blah0"
memory = 128
name = "router1"
cpu = -1   # leave to Xen to pick
nics=1
disk = ['phy:vg/router,sda1,w','phy:vg/router_sw,sda2,w','phy:vg/router_var,sda3,w']
pci = [ '0,12,0','0,14,0' ]
dhcp="off"
root = "/dev/sda1 ro"
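The same two devices have to be spelled out three times in steps 3 and 4: in the grub physdev_dom0_hide= value, in the domU pci= list, and (by their absence) in dom0's lspci output after the reboot. The script below is an added example, not part of this wiki page or of Xen; it parses the first two, checks that they name the same set of devices, and reports any hidden device that still shows up in a dom0 lspci listing. It assumes the numbers in both syntaxes are hexadecimal (as they are in the page's values), and the "before" lspci listing is constructed, since the page does not reproduce it.

```shell
#!/bin/sh
# Added example: cross-check the three places the hidden PCI devices appear
# (grub physdev_dom0_hide=, the domU pci= line, dom0's lspci output).
# Not from the original wiki page; inputs below are constructed from the
# values the page shows. Bus/slot/func are treated as hex in both syntaxes
# (assumption).

GRUB_LINE="kernel /xen-2.0.6.gz dom0_mem=65536 noreboot physdev_dom0_hide='(00:12.0)(00:14.0)'"
DOMU_PCI="pci = [ '0,12,0','0,14,0' ]"

# Constructed dom0 lspci listings: AFTER is the page's post-hiding listing
# (shortened), BEFORE adds placeholder lines for the two hidden devices.
LSPCI_AFTER='0000:00:00.0 Host bridge: Intel Corp. 440BX/ZX/DX - 82443BX/ZX/DX Host bridge (rev 03)
0000:00:01.0 PCI bridge: Intel Corp. 440BX/ZX/DX - 82443BX/ZX/DX AGP bridge (rev 03)
0000:00:02.0 ISA bridge: Intel Corp. 82371AB/EB/MB PIIX4 ISA (rev 02)
0000:00:10.0 Ethernet controller: Intel Corp. 82557/8/9 [Ethernet Pro 100] (rev 04)
0000:01:01.0 VGA compatible controller: S3 Inc. Trio 64 3D (rev 01)'
LSPCI_BEFORE="$LSPCI_AFTER
0000:00:12.0 Ethernet controller: (constructed placeholder)
0000:00:14.0 Ethernet controller: (constructed placeholder)"

# canon BUS SLOT FUNC -> "bb:ss.f", zero-padded lower-case hex as lspci prints it
canon() {
    printf '%02x:%02x.%x\n' "0x$1" "0x$2" "0x$3"
}

# hidden_from_grub GRUBLINE -> devices in physdev_dom0_hide='(..)(..)', one per line
hidden_from_grub() {
    printf '%s\n' "$1" | sed -n "s/.*physdev_dom0_hide='\([^']*\)'.*/\1/p" \
        | tr '()' '\n\n' | sed '/^$/d' \
        | while IFS=':.' read -r bus slot func; do canon "$bus" "$slot" "$func"; done
}

# pci_from_domu PCILINE -> devices in pci = [ 'b,s,f', ... ], one per line
pci_from_domu() {
    printf '%s\n' "$1" | awk -F"'" '{ for (i = 2; i <= NF; i += 2) print $i }' \
        | while IFS=',' read -r bus slot func; do canon "$bus" "$slot" "$func"; done
}

# lists_match GRUBLINE PCILINE -> success iff both name the same set of devices
lists_match() {
    [ "$(hidden_from_grub "$1" | sort)" = "$(pci_from_domu "$2" | sort)" ]
}

# still_visible GRUBLINE LSPCI_OUTPUT -> prints hidden devices dom0 can still see
still_visible() {
    hidden_from_grub "$1" | while read -r dev; do
        if printf '%s\n' "$2" | awk -v d="0000:$dev" '$1 == d { f = 1 } END { exit !f }'; then
            printf '%s\n' "$dev"
        fi
    done
}

# Run against the constructed samples when executed directly.
if lists_match "$GRUB_LINE" "$DOMU_PCI"; then
    echo "grub hide list and domU pci list agree"
else
    echo "MISMATCH between grub hide list and domU pci list"
fi
echo "hidden devices dom0 still sees (before reboot):"
still_visible "$GRUB_LINE" "$LSPCI_BEFORE"
echo "hidden devices dom0 still sees (after reboot):"
still_visible "$GRUB_LINE" "$LSPCI_AFTER"
```

On a real box, replace the two embedded listings with the output of `lspci` captured before and after the reboot, and the grub and domU lines with the ones from your own files. One caveat worth keeping in mind: a device handed to the domU this way is driven directly by that guest, and a Pentium II era board has no IOMMU, so the router domU has bus-master DMA access to host memory. Hiding the cards keeps dom0 from touching them; it is not an isolation boundary against a compromised domU.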

5) Shorewall configuration for domU

I am often rather bothered by directions that say "and then I just followed the documentation", because I would already have read the documentation and it didn't quite give me all the information I was looking for; otherwise I wouldn't have looked further. However, in this case, the Shorewall quickstart is excellent, and if I try to add to it I'll probably mess it up. They are even well aware of the Debian alterations to the default, so when you follow the instructions there are lots of side notes that say "and if you are using Debian, you also need to..." The only side points I can add are:

  • Write down the name of your interfaces (eth0/eth1/eth2 et al), memorize them, and make sure you change them in _all_ the relevant config files if they differ from the standard
  • I used the quickstart (http://www.shorewall.net/shorewall_quickstart_guide.htm) directions for a three-interface, one IP address system http://www.shorewall.net/three-interface.htm. Since at this writing the version of Shorewall in Debian Sarge is 2.2.3, (http://packages.debian.org/stable/net/shorewall) I used the samples for 2.2.0 (http://shorewall.net/pub/shorewall/Samples/samples-2.2.0/) as a starting point.
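The first tip above (interface names must agree across every Shorewall file) is easy to check mechanically. The script below is an added example, not from this page or from the Shorewall project: it pulls the interface column out of Shorewall 2.2-style interfaces (ZONE INTERFACE BROADCAST OPTIONS) and masq (INTERFACE SUBNET ADDRESS) files and reports any name the kernel does not have. The file contents, the deliberate eth3 typo in masq, and the kernel interface list are constructed; on a real system feed it /etc/shorewall/interfaces, /etc/shorewall/masq and the contents of /sys/class/net instead.

```shell
#!/bin/sh
# Added example (not from the wiki page or Shorewall): flag interface names
# referenced in Shorewall 2.2-style config files that the kernel does not have.
# All inputs are constructed.

# Constructed /etc/shorewall/interfaces (ZONE INTERFACE BROADCAST OPTIONS)
INTERFACES_FILE='#ZONE   INTERFACE       BROADCAST       OPTIONS
net     eth0            detect          dhcp,routefilter
loc     eth1            detect
dmz     eth2            detect
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE'

# Constructed /etc/shorewall/masq (INTERFACE SUBNET ADDRESS); eth3 is the typo
MASQ_FILE='#INTERFACE      SUBNET          ADDRESS
eth3            eth1
eth0            eth2
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE'

# Constructed equivalent of: ls /sys/class/net
KERNEL_IFACES='lo
eth0
eth1
eth2'

# iface_refs FILE_CONTENTS COLUMN -> names in that column, comments/blanks skipped
iface_refs() {
    printf '%s\n' "$1" | awk -v col="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        $col != "" { print $col }'
}

# all_refs -> every interface name the sample config files reference, deduplicated
all_refs() {
    { iface_refs "$INTERFACES_FILE" 2; iface_refs "$MASQ_FILE" 1; } | sort -u
}

# missing_ifaces KERNEL_LIST -> referenced names absent from the kernel list
missing_ifaces() {
    all_refs | while read -r name; do
        if ! printf '%s\n' "$1" | grep -qx "$name"; then
            printf '%s\n' "$name"
        fi
    done
}

echo "interfaces referenced by Shorewall config:"
all_refs
echo "referenced but not present in the kernel:"
missing_ifaces "$KERNEL_IFACES"
```

Only the INTERFACE column of each file is checked on purpose: the SUBNET column of masq may legitimately hold a network such as 192.168.1.0/24 rather than an interface, so it would produce false positives.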