Sanewall - Frequently Asked Questions

Converting from FireHOL

Installation

Running

What must I change in order to convert?

Sanewall configurations are almost entirely compatible with FireHOL ones and will produce identical firewalls except where bugs have been fixed or IPv6 is used (FireHOL does not have any IPv6 ability).

All you need to do is create a Sanewall configuration tree to replace your FireHOL one and rename any variables starting with FIREHOL_. The following (as root) should work for most people:

cp -rp /etc/firehol /etc/sanewall
mv /etc/sanewall/firehol.conf /etc/sanewall/sanewall.conf
sed -i -e 's/FIREHOL_/SANEWALL_/g' /etc/sanewall/sanewall.conf

The g flag renames every occurrence on a line, not only the first, so lines that reference more than one variable are converted completely.

Sanewall changes the defaults of the _ACTIVATION_POLICY variables for extra security. If you really want the old behaviour back you can add the following near the top of your sanewall.conf:

SANEWALL_INPUT_ACTIVATION_POLICY="ACCEPT"
SANEWALL_OUTPUT_ACTIVATION_POLICY="ACCEPT"
SANEWALL_FORWARD_ACTIVATION_POLICY="ACCEPT"
SANEWALL_ESTABLISHED_ACTIVATION_ACCEPT=0

Note that DNS names cannot be used in a Sanewall firewall unless you set at least the INPUT and OUTPUT activation policies to ACCEPT, in order to permit the necessary lookups.

You should read the Getting Started section of the README file as this may contain specific considerations for a particular version of Sanewall.
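The conversion steps above, collected into a small script that works on an explicit source and destination directory instead of /etc and then checks that nothing was missed. This is an added example, not Sanewall's own code; the sample firehol.conf it builds is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of Sanewall: perform the FireHOL -> Sanewall
# conversion from the FAQ on an explicit source and destination directory
# (never /etc unless you pass it), renaming FIREHOL_* variables everywhere
# on each line and verifying that no reference was left behind.
set -e

# convert_tree SRC DST: copy the FireHOL configuration tree SRC to DST,
# replace firehol.conf with sanewall.conf and rewrite FIREHOL_ variable names.
convert_tree() {
    src=$1; dst=$2
    cp -rp "$src" "$dst"
    # 'g' renames every occurrence on a line, not only the first
    sed -e 's/FIREHOL_/SANEWALL_/g' "$dst/firehol.conf" > "$dst/sanewall.conf"
    rm "$dst/firehol.conf"
}

# leftover_refs FILE: count lines that still mention a FIREHOL_ variable
# (0 after a complete conversion; grep -c exits 1 on zero matches, hence || true).
leftover_refs() {
    grep -c 'FIREHOL_' "$1" || true
}

# policy_vars FILE: list the activation-policy variables FILE sets, so you can
# see at a glance whether it overrides Sanewall's stricter defaults.
policy_vars() {
    grep -o '^SANEWALL_[A-Z]*_ACTIVATION_[A-Z]*' "$1" || true
}

# Demonstration on a constructed FireHOL configuration in a scratch directory.
work=$(mktemp -d)
mkdir "$work/firehol"
cat > "$work/firehol/firehol.conf" <<'EOF'
version 5
FIREHOL_LOG_LEVEL=4
FIREHOL_INPUT_ACTIVATION_POLICY="ACCEPT"

interface eth0 internet
    server ssh accept
    client all accept
EOF
convert_tree "$work/firehol" "$work/sanewall"
echo "leftover FIREHOL_ references: $(leftover_refs "$work/sanewall/sanewall.conf")"
echo "activation policy overrides present in the converted file:"
policy_vars "$work/sanewall/sanewall.conf"
rm -rf "$work"
```

The policy_vars listing is there because a converted file that sets the *_ACTIVATION_POLICY variables to ACCEPT keeps FireHOL's permissive activation window; after conversion, decide deliberately whether you still need that rather than inheriting it.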


Why has the activation policy changed?

During firewall activation the default behaviour for FireHOL was to start by allowing all traffic to flow. This is then gradually restricted as new rules are added until only the desired traffic is allowed. Most rules fully verify both inbound and outbound criteria, so if any connections are made that are not wanted they will soon be severed.

There are exceptions, such as the all service, which once used allows any established connection to continue, including unwanted ones. Sanewall therefore takes the view that it is better to start by dropping all new traffic. By default, existing traffic is allowed to continue; this can also be switched off if you require.

The behaviour is fully configurable using the sanewall variables. For a little more discussion see this discussion thread.


What are the installation prerequisites?

The main requirements are that you be running a Linux kernel with netfilter and have the iptables (for IPv4) and ip6tables (for IPv6) userspace installed. These come as standard with all modern distributions.

Sanewall uses bash-specific constructs, so it specifically requires bash to run. If you would like to eliminate this dependency please consider helping out with this enhancement.

Sanewall detects at runtime whether the remaining commands it needs are installed. In general the requirements are not onerous: just some common shell and networking commands which generally come as part of a default installation. The Wiki has a complete list of dependencies.

Installation is either via your distribution's standard package mechanism or via one of the tar file releases. For the latter, once unpacked, the canonical GNU invocation will install Sanewall:

  ./configure && make && make install


How do I build from the repository?

You will need xsltproc, dblatex, DocBook XML, DocBook XSL Stylesheets, GNU autoconf and GNU automake.

When building from a repository you can create the Makefiles and enable building the manual using these commands:

./autogen.sh
./configure --enable-maintainer-mode


How do I debug my configuration?

You can run:

sanewall debug

to get a listing of the actions Sanewall would take based on your configuration.

In the event of an unexpected problem, Sanewall will leave behind its temporary files (and let you know where they are located) in order to help you diagnose the problem.

Sanewall runs as a bash script, so if you need detailed information about what is going on internally you can add these lines to your configuration:

set -x
set -v

On version 1.1.2 or above you can achieve the same effect by setting an environment variable:

SANEWALL_DEBUGGING=Y


How do I match virtual interfaces such as eth0:1?

eth0:1 is not really a virtual Ethernet device. eth0:1 is just a naming convention that lets tools such as ifconfig use multiple IP addresses on a single interface.

If you have interfaces with these names, it is for the purpose of having multiple IP addresses on an interface. Netfilter does not recognise the aliases, so you cannot use them in your firewall and must match on the IP address instead.

In practice, iptables does not prevent you from creating rules that try to match eth0:1. However, when running, incoming packets will be seen as arriving from eth0 and will match only the eth0 rules. Sanewall inherits this behaviour.

Note that VLAN interfaces such as eth0.1 are genuine interfaces that will work as expected within firewall rules.
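A small check for the mistake this answer describes, added here as an example and not part of Sanewall: it scans a configuration for interface statements that name an alias such as eth0:1 (which netfilter will never match) while letting VLAN devices such as eth0.1 through, and the constructed configuration shows the corrected form that names the real device and selects the alias address with dst. The device and address values are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of Sanewall: find "interface" statements in a
# configuration that name an alias such as eth0:1.  Netfilter only knows the
# real device, so such a rule silently matches nothing; name the real
# interface and pick the alias address with src/dst instead.
set -e

# alias_interfaces FILE: print the device names of "interface" statements that
# carry an alias suffix (a colon).  VLAN devices like eth0.1 are real and pass.
alias_interfaces() {
    awk '$1 == "interface" && index($2, ":") > 0 { print $2 }' "$1"
}

# Constructed configuration: one alias rule that will never match, one VLAN
# rule that is fine, and the corrected form matching the alias by address.
conf=$(mktemp)
cat > "$conf" <<'EOF'
version 5

interface eth0:1 dmz                # never matches: packets arrive on eth0
    server ssh accept

interface eth0.1 vlan               # VLAN device, works as expected
    server http accept

interface eth0 dmz2 dst 192.0.2.11  # correct: real device, alias address
    server ssh accept
EOF

if [ -n "$(alias_interfaces "$conf")" ]; then
    echo "alias interface names found (these rules will not match):"
    alias_interfaces "$conf"
fi
rm -f "$conf"
```

Run it against your own sanewall.conf by replacing the constructed file with the real path; an empty result means no rule depends on an alias name.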
