Shorewall users - Aug 2011 - Configuration for ppp0 and wlan0 (Standalone laptop - Debian Squeeze)

Hello,

I would appreciate any feedback/suggestions on my Shorewall configuration for a
standalone laptop Debian Squeeze configuration for ppp0 and wlan0, set out
below:

------------------
My current system:
------------------
I have successfuly configured Shorewall 4.4.11.6 on my standalone Debian Squeeze
laptop for a ppp0 (Mobile broadband) connection using GNOME PPP, works great
(refer to bottom of this message for ''ip addr show'' and
''ip route show'' outputs), using the following:

/etc/ppp/ip-up.d/mobile:
#!/bin/sh
      /sbin/shorewall restart
fi
(Refer: http://sourceforge.net/mailarchive/message.php?msg_id=19774645 )


/etc/shorewall/interfaces:
#ZONE   INTERFACE       BROADCAST       OPTIONS
net     ppp0            -               tcpflags,logmartians,nosmurfs


/etc/default/shorewall:
startup=0
wait_interface="ppp0"

-----------------------
What I''m wanting to do:
-----------------------
I want to configure Shorewall to work with my ppp0 and wlan0 connections. I will
use one or the other connection at a time, but I will only be connecting once
the desktop is loaded using Wicd.

I have followed the instructions at  http://shorewall.net/Laptop.html , and
added the following to:

/etc/shorewall/interfaces:
net     wlan0           detect          dhcp,tcpflags,logmartians,nosmurfs

-----------------------------------
My concerns with the current setup:
-----------------------------------
1. My understanding is that when a connection goes up, shorewall needs to be
restarted. I have got that covered for my ppp0 connection in
/etc/ppp/ip-up.d/mobile (refer "My current setup" above) but assume I
have to do the same with wireless connections by copying:

/etc/ppp/ip-up.d/mobile
TO:
/etc/wicd/scripts/postconnect/mobile

(Refer:
http://wicd.sourceforge.net/moinmoin/Adding%20pre%20and%20post%20%28dis%29connection%20scripts
)

If anyone can confirm or trash my understanding and/or assumption on this I
would appreciate it.


2. I have read in passing posts about Shorewall that there is a slight delay
between connecting to a network and Shorewall restarting. Is this a significant
security issue or is there a way around it?


Thank you in advance for any advice/assistance you can give on my setup.

Cheers,
Toby


--------------------------
/sbin/shorewall version
4.4.11.6
--------------------------
ip addr show

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state UNKNOWN
qlen 1000
    link/ether 00:0d:93:59:48:54 brd ff:ff:ff:ff:ff:ff
4: wlan0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN
qlen 1000
    link/ether 00:11:24:26:bd:57 brd ff:ff:ff:ff:ff:ff
11: usbpn0: <POINTOPOINT,NOARP> mtu 65541 qdisc noop state DOWN qlen 3
    link/[820] 1b peer 00
    family 35 ???/0 scope link 
12: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc
pfifo_fast state UNKNOWN qlen 3
    link/ppp 
    inet 118.149.24.25 peer 10.6.6.6/32 scope global ppp0
--------------------------
ip route show

10.6.6.6 dev ppp0  proto kernel  scope link  src 118.149.24.25 
default dev ppp0  scope link 
--------------------------

------------------------------------------------------------------------------
BlackBerry&reg; DevCon Americas, Oct. 18-20, San Francisco, CA
The must-attend event for mobile developers. Connect with experts. 
Get tools for creating Super Apps. See the latest technologies.
Sessions, hands-on labs, demos & much more. Register early & save!
http://p.sf.net/sfu/rim-blackberry-1

On Fri, 2011-08-05 at 17:28 +1200, toby.18305@freerangekiwi.com wrote:
> Hello,
> 
> I would appreciate any feedback/suggestions on my Shorewall configuration
for a standalone laptop Debian Squeeze configuration for ppp0 and wlan0, set out
below:
> 
> ------------------
> My current system:
> ------------------
> I have successfuly configured Shorewall 4.4.11.6 on my standalone Debian
Squeeze laptop for a ppp0 (Mobile broadband) connection using GNOME PPP, works
great (refer to bottom of this message for ''ip addr show'' and
''ip route show'' outputs), using the following:
> 
> /etc/ppp/ip-up.d/mobile:
> #!/bin/sh
>       /sbin/shorewall restart
> fi
> (Refer: http://sourceforge.net/mailarchive/message.php?msg_id=19774645 )
> 
> 
> /etc/shorewall/interfaces:
> #ZONE   INTERFACE       BROADCAST       OPTIONS
> net     ppp0            -               tcpflags,logmartians,nosmurfs
> 
> 
> /etc/default/shorewall:
> startup=0
> wait_interface="ppp0"
> 
> -----------------------
> What I''m wanting to do:
> -----------------------
> I want to configure Shorewall to work with my ppp0 and wlan0 connections. I
will use one or the other connection at a time, but I will only be connecting
once the desktop is loaded using Wicd.
> 
> I have followed the instructions at  http://shorewall.net/Laptop.html , and
added the following to:
> 
> /etc/shorewall/interfaces:
> net     wlan0           detect          dhcp,tcpflags,logmartians,nosmurfs
> 
> -----------------------------------
> My concerns with the current setup:
> -----------------------------------
> 1. My understanding is that when a connection goes up, shorewall needs to
be restarted. I have got that covered for my ppp0 connection in
/etc/ppp/ip-up.d/mobile (refer "My current setup" above) but assume I
have to do the same with wireless connections by copying:
> 
> /etc/ppp/ip-up.d/mobile
> TO:
> /etc/wicd/scripts/postconnect/mobile
> 
> (Refer:
http://wicd.sourceforge.net/moinmoin/Adding%20pre%20and%20post%20%28dis%29connection%20scripts
)
> 
> If anyone can confirm or trash my understanding and/or assumption on this I
would appreciate it.
> 
> 
> 2. I have read in passing posts about Shorewall that there is a slight
delay between connecting to a network and Shorewall restarting. Is this a
significant security issue or is there a way around it?
> 

I suggest that you install and configure Shorewall-init. It will close
the firewall before the interfaces come up and will automatically
restart Shorewall when interfaces come up. 

a) Make both interfaces optional (set the ''optional'' option
in /etc/shorewall/interfaces.
b) Set REQUIRE_INTERFACE=Yes in shorewall.conf.
c) Configure Shorewall-init as described at
http://www.shorewall.net/Shorewall-init.html
d) Remove the ''wait_interface='' setting from
/etc/default/shorewall

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________




------------------------------------------------------------------------------
BlackBerry® DevCon Americas, Oct. 18-20, San Francisco, CA
The must-attend event for mobile developers. Connect with experts. 
Get tools for creating Super Apps. See the latest technologies.
Sessions, hands-on labs, demos & much more. Register early & save!
http://p.sf.net/sfu/rim-blackberry-1

> -----Original Message--------------------------------------------
> Date: Fri, 05 Aug 2011 06:09:31 -0700
> From: Tom Eastep <teastep@shorewall.net>
> To: Shorewall Users <shorewall-users@lists.sourceforge.net>
> Subject: Re: [Shorewall-users] Configuration for ppp0 and wlan0 (Standalone
laptop - Debian Squeeze)
> 
> 
> I suggest that you install and configure Shorewall-init. It will close
> the firewall before the interfaces come up and will automatically
> restart Shorewall when interfaces come up. 
> 
> a) Make both interfaces optional (set the ''optional''
option
> in /etc/shorewall/interfaces.
> b) Set REQUIRE_INTERFACE=Yes in shorewall.conf.
> c) Configure Shorewall-init as described at
> http://www.shorewall.net/Shorewall-init.html
> d) Remove the ''wait_interface='' setting from
/etc/default/shorewall
> 
> -Tom
> -- 
> Tom Eastep        \ When I die, I want to go like my Grandfather who
> Shoreline,         \ died peacefully in his sleep. Not screaming like
> Washington, USA     \ all of the passengers in his car
> http://shorewall.net \________________________________________________

Hi Tom,

Thank you for your advice and help. I have done as you have described above and
all seems to be ok.

Is it correct to keep startup disabled ("startup=0" in
/etc/default/shorewall) in this instance? I read the following paragraph at
http://www.shorewall.net/Shorewall-init.html, which refers to the situation when
IFUPDOWN=1 in /etc/default/shorewall-init, that startup can be disabled when at
least one interface is marked as optional (which I have). However, I have
IFUPDOWN=0 since I''m using Gnome PPP and Wicd only; not NetworkManager
or ifup/ifdown scripts) - is startup=0 ok in this case?

    "Optional) -- If you have specified at least one required or optional
interface, you can then disable automatic firewall startup at boot time. On
Debian systems, set startup=0 in /etc/default/product. On other systems, use
your service startup configuration tool (chkconfig, insserv, ...) to disable
startup."

I would like to also take the opportunity to thank you for Shorewall, great
software!

Cheers,
Toby

------------------------------------------------------------------------------
BlackBerry&reg; DevCon Americas, Oct. 18-20, San Francisco, CA
The must-attend event for mobile developers. Connect with experts. 
Get tools for creating Super Apps. See the latest technologies.
Sessions, hands-on labs, demos & much more. Register early & save!
http://p.sf.net/sfu/rim-blackberry-1

On 08/06/2011 06:54 PM, toby.18305@freerangekiwi.com wrote:
> Thank you for your advice and help. I have done as you have
> described above and all seems to be ok.
> 
> Is it correct to keep startup disabled ("startup=0" in 
> /etc/default/shorewall) in this instance? I read the following 
> paragraph at http://www.shorewall.net/Shorewall-init.html, which 
> refers to the situation when IFUPDOWN=1 in 
> /etc/default/shorewall-init, that startup can be disabled when at 
> least one interface is marked as optional (which I have). However, I 
> have IFUPDOWN=0 since I''m using Gnome PPP and Wicd only; not 
> NetworkManager or ifup/ifdown scripts) - is startup=0 ok in this 
> case?
I don''t know -- I''ve never used Gnome PPP.
> 
> I would like to also take the opportunity to thank you for
> Shorewall, great software!
You''re welcome.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
BlackBerry® DevCon Americas, Oct. 18-20, San Francisco, CA
The must-attend event for mobile developers. Connect with experts. 
Get tools for creating Super Apps. See the latest technologies.
Sessions, hands-on labs, demos & much more. Register early & save!
http://p.sf.net/sfu/rim-blackberry-1