Shorewall

Shorewall [7] also relies on netfilter and iptables. The graphical management interface for filtering packages is written in Perl; packages are included in most major Linux distributions. Shorewall is suitable both for single workstations and for server systems, which can also be used as gateways with two network connections or in a DMZ with three network interfaces. Shorewall uses Webmin [20] as a GUI or the drakfirewall [21] graphical front end in Mandriva derivatives. This control center module supports configuration in just a few steps (Figure 11).

Figure 11: With Mandriva-based distributions, Shorewall can be set up with just a few mouse clicks.

Webmin for distributions outside the Mandriva universe offers many more options for system administration than just configuring the firewall. After installing, you can access it in the browser from the 127.0.0.0.1:10000 URL. Alternatively, it specifies – if known – the IP address in the local intranet or the hostname.

After logging on, you find yourself in the configuration window. In the list area on the left, selecting Networking | Shoreline Firewall displays the individual configuration options on the right (Figure 12).

Figure 12: Webmin offers extensive configuration options for Shorewall.

Group Dynamics

The most important options for the existing infrastructure's basic settings can be found in the Network Zones and Network Interfaces groups. These are joined by the firewall settings options in the Default Policies, Firewall Rules, and Blacklist Hosts groups. The options responsible for routing can be found in the Routing Rules, Additional Routing Providers, Masquerading, and Static NAT groups.

You will encounter clear setting dialogs in all configuration groups, which list the available options in tabular form. Below the group selection, you can enable various management options simply by clicking on one of the buttons available there: Clicking on Apply Configuration restarts the firewall with your settings.

The Refresh Configuration button updates the blacklist and traffic shaping tables, which ensures that the firewall prioritizes certain packets. If you want to reset the firewall settings, click on Clear Firewall. The Stop Firewall button blocks access from all hosts – with the exception of those excluded from the whitelist. The Show Status button tells you about the current operating status of Shorewall.

The Check Firewall button enables a consistency check: Many extensive iptables-based rules and regulations contain errors because of their complexity. They can be detected and fixed before being exploited by malicious attackers.

Logging

Shorewall can log the data traffic and stores the protocols in the /var/log/ directory. Alternatively, you can view the logfiles in Webmin with the View Module's Logs option (Figure 13).

Figure 13: Shorewall logfiles are also very helpful.