Shorewall Tips



Introduction

Shorewall makes the job of configuring a firewall under Linux fairly straightforward.


Messages written to tty consoles

Fundamentally, you need to change the console logging level parameter passed to dmesg for kernel logging during system startup. How this is done varies by distribution. See the FAQ at http://www.shorewall.net/FAQ.htm#faq16

In Debian 3.0 ("Woody") and 3.1 ("Sarge"), edit /etc/init.d/klogd and, somewhere close to line 13, change

  • KLOGD=""

to

  • KLOGD="-c 6"

See klogd(8) for more information.

If you have a noisy service broadcasting packets, you can add a DROP rule to /etc/shorewall/rules; the exact rule depends on your particular setup. The following silently drops UDP traffic coming from the local network to port 631 (ipp):

  • DROP loc $FW udp ipp

In Debian Lenny, if klogd is not being used, you need to modify /etc/sysctl.conf instead.

To see the current values:

   # cat /proc/sys/kernel/printk

Uncomment the kernel.printk line in /etc/sysctl.conf and modify the first value to 6 (or less):

# Uncomment the following to stop low-level messages on console
kernel.printk = 6 4 1 7

Then apply the new settings with:

   # sysctl -p /etc/sysctl.conf

See also http://lists.debian.org/debian-user/2008/02/msg00457.html
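
The four fields in /proc/sys/kernel/printk are console_loglevel, default_message_loglevel, minimum_console_loglevel and default_console_loglevel; only the first decides what reaches the ttys, and a kernel message is printed on the console when its level is numerically lower than that value. The following POSIX sh script is an added example (not part of this page or of Shorewall) that reads such a line and lists which levels still reach the console, using the "6 4 1 7" line above as a constructed sample when /proc is not readable:

```shell
#!/bin/sh
# Added example, not from the original page: interpret the contents of
# /proc/sys/kernel/printk (four fields: console_loglevel,
# default_message_loglevel, minimum_console_loglevel,
# default_console_loglevel) and report which kernel log levels are still
# written to the tty consoles. A message reaches the console only when
# its level is numerically lower than console_loglevel.

# Kernel log level names, index 0..7 (emerg .. debug).
level_name() {
    case "$1" in
        0) echo emerg ;;   1) echo alert ;;  2) echo crit ;;  3) echo err ;;
        4) echo warning ;; 5) echo notice ;; 6) echo info ;;  7) echo debug ;;
        *) echo unknown ;;
    esac
}

# console_levels "<printk line>" -> space-separated names of the levels
# that will be written to the console, most severe first.
console_levels() {
    set -- $1                       # split the four whitespace-separated fields
    console="$1"                    # first field: console_loglevel
    out=""
    lvl=0
    while [ "$lvl" -lt "$console" ] && [ "$lvl" -le 7 ]; do
        out="${out:+$out }$(level_name "$lvl")"
        lvl=$((lvl + 1))
    done
    echo "$out"
}

# silenced_count "<printk line>" -> how many of the 8 levels no longer
# reach the console compared with console_loglevel=8 (everything shown).
silenced_count() {
    set -- $1
    n=$((8 - $1))
    if [ "$n" -lt 0 ]; then n=0; fi
    echo "$n"
}

# Constructed sample matching the sysctl.conf line on this page.
sample="6 4 1 7"
if [ -r /proc/sys/kernel/printk ]; then
    current=$(cat /proc/sys/kernel/printk)
else
    current="$sample"
fi
echo "printk: $current"
echo "console receives: $(console_levels "$current")"
echo "levels silenced:  $(silenced_count "$current")"
```

With the page's "6 4 1 7" setting, info and debug messages are kept off the console while emerg through notice are still shown, so lowering the first field further silences progressively more severe messages.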

Blacklisting

Make sure you have set the blacklist option on the relevant interface in /etc/shorewall/interfaces.


-- Frank Dean - 13 Jan 2005