Quickly configure shorewall on Debian

By definition Shorewall is not a firewall; it is a way to (more) easily configure iptables to work as a firewall.

  • First install shorewall “$ apt-get install shorewall”
  • Enter /etc/shorewall
  • Copy the example files from /usr/share/doc/shorewall-common/default-config/ (might also be located in /usr/share/doc/shorewall/default-config/) “$ cp /usr/share/doc/shorewall-common/default-config/* .”
  • Edit the files and enter the data that your system has
    • First create zones “$ nano zones”
      #ZONE   TYPE            OPTIONS         IN OPTIONS                OUT OPTIONS
      fw      firewall
      net     ipv4
      vpn     ipv4
    • Connect zones with interfaces “$ nano interfaces”
      #ZONE   INTERFACE       BROADCAST       OPTIONS
      net     eth0            detect          tcpflags,blacklist,dhcp
      vpn     tun0            -
    • Create policies “$ nano policy”
      #SOURCE         DEST            POLICY          LOG LEVEL       LIMIT:BURST
      fw              net             ACCEPT
      vpn             net             ACCEPT
      vpn             fw              ACCEPT
      fw              vpn             ACCEPT
      net             all             DROP            info
      all             all             DROP            info
    • Create rules “$ nano rules”
      #ACTION SOURCE          DEST            PROTO   DEST    SOURCE          ORIGINAL        RATE            USER/
      #                                               PORT(S) PORT(S)         DEST            LIMIT           GROUP
      ACCEPT  net             fw              tcp     22      # ssh
      ACCEPT  net             fw              tcp     80      # web
    • Verify that the rules are fine “$ shorewall check”
    • Edit /etc/default/shorewall and set startup to 1
      # prevent startup with default configuration
      # set the following variable to 1 in order to allow Shorewall to start

      startup=1
    • Start the firewall “$ /etc/init.d/shorewall start”

If you later decide to update rules, zones, etc., run “$ /etc/init.d/shorewall restart” to load the changes.
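
The policy file above is order-sensitive: Shorewall applies the first entry whose SOURCE and DEST match, with “all” matching any zone. The script below is an added example, not part of the original post or of Shorewall; it resolves the effective policy for each pair of distinct zones from a copy of the policy shown above (constructed sample input), and the function names are hypothetical. It handles only plain zone names and “all”.

```shell
#!/bin/sh
# Added example (not from the original post): resolve which policy Shorewall
# applies to a zone pair. The policy file is read top to bottom and the first
# entry whose SOURCE and DEST match wins; "all" matches any zone.
# Simplification: only plain zone names and "all" are handled.

# Constructed sample: the policy file shown in this post.
POLICY_SAMPLE='#SOURCE DEST POLICY LOG-LEVEL
fw   net  ACCEPT
vpn  net  ACCEPT
vpn  fw   ACCEPT
fw   vpn  ACCEPT
net  all  DROP  info
all  all  DROP  info'

# effective_policy SRC DST   (policy file text on stdin)
effective_policy() {
    awk -v src="$1" -v dst="$2" '
        /^[ \t]*#/ || NF == 0 { next }    # skip comments and blank lines
        ($1 == src || $1 == "all") && ($2 == dst || $2 == "all") {
            print $3; found = 1; exit     # first match wins
        }
        END { if (!found) print "NONE" }  # no entry covers this pair
    '
}

# policy_matrix ZONE...   (policy file text on stdin)
policy_matrix() {
    policy_text=$(cat)
    for s in "$@"; do
        for d in "$@"; do
            [ "$s" = "$d" ] && continue
            p=$(printf '%s\n' "$policy_text" | effective_policy "$s" "$d")
            printf '%s->%s %s\n' "$s" "$d" "$p"
        done
    done
}

printf '%s\n' "$POLICY_SAMPLE" | policy_matrix fw net vpn
```

On a live system the same check is “$ effective_policy net fw < /etc/shorewall/policy”. Entries in the rules file (the ssh and web lines above) are exceptions that are evaluated before the policy.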

Ubuntu: what version is installed?

The quick way is to run “lsb_release -a”

$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 9.10
Release:        9.10
Codename:       karmic

Or just read the info from /etc/lsb-release

$ cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=9.10
DISTRIB_CODENAME=karmic
DISTRIB_DESCRIPTION="Ubuntu 9.10"

It is also possible to check the file “/etc/issue”

$ cat /etc/issue
Ubuntu 9.10 \n \l

From X, check out System->About.

Attaching BOINC to a manager (without the gui)

Go into the directory with all the files created by BOINC (in Debian: /var/lib/boinc-client)

Use the boinccmd command to attach to the manager

boinccmd --join_acct_mgr [URL] [name] [passwd]

For BAM (BOINCstats), the URL is bam.boincstats.com

Hint: in the BOINC directory there is a file called stdoute.log. This is a log, so tailing this file while doing this might be a good idea 😉

apt-get update and key problems

After updating my installation to etch I ran into a slight problem with apt-get.

I just got an odd error message from apt-get update
GPG error: ftp://www.se.debian.org unstable Release:
The following signatures couldn’t be verified
because the public key is not available:
NO_PUBKEY F1D53D8C4F368D5D

W: You may want to run apt-get update to correct these problems

Well, running apt-get update again (and again…) has no effect ;)
What it (tries to) tell me is that the key used to verify the files in the archive was not found.
The solution to this is simply:

$ gpg --keyserver wwwkeys.eu.pgp.net --recv-keys F1D53D8C4F368D5D
$ gpg --armor --export F1D53D8C4F368D5D | apt-key add -
$ apt-get update

wwwkeys.eu.pgp.net can be exchanged for any other key server that hosts the key. The only thing to note is that you should only use a key server that you feel is trusted.

Some info from Debian about this