Shorewall Interview Questions & Answers


Q: – What is Shorewall?

Shorewall is an open-source gateway/firewall configuration tool for Linux. It is a high-level tool for configuring Netfilter: we describe our firewall/gateway requirements using entries in a set of configuration files, Shorewall reads those files and, with the help of the iptables, iptables-restore, ip and tc utilities, configures Netfilter and the Linux networking subsystem to match our requirements. Shorewall can be used on a dedicated firewall system, a multi-function gateway/router/server or on a standalone GNU/Linux system. Shorewall does not use Netfilter's ipchains compatibility mode and can therefore take advantage of Netfilter's connection state tracking capabilities.

Q: – What are the configuration files of Shorewall in Linux?

For most setups, the configuration files for Shorewall are contained in the directory /etc/shorewall.

Q: – Explain the zones file in Shorewall.

/etc/shorewall/zones is the default configuration file for the zones. We can describe the zones as given below (one zone per line, followed by its type):

fw firewall
net ipv4
loc ipv4
dmz ipv4

Shorewall recognizes the firewall system as its own zone. The above example follows the usual convention of naming the firewall zone fw. The name specified for the firewall zone (fw in the above example) is stored in the shell variable $FW when the /etc/shorewall/zones file is processed, so later configuration files can refer to it as $FW.

Q: – How do you start and stop the Shorewall service?

First edit /etc/shorewall/shorewall.conf and set STARTUP_ENABLED=Yes, then run (as root):

# service shorewall start    (command to start the service)
# service shorewall stop     (command to stop the service)

Q: – What is NAT?

Network Address Translation (NAT) generally involves rewriting the source and/or destination addresses of IP packets as they pass through a firewall. There are two types of NAT: source NAT (SNAT) and destination NAT (DNAT).

Q: – What are the limitations of NAT?

Local computers can access the Internet, but some restrictions remain. A computer on the Internet is not able to establish a connection to a local computer; all it can do is address (a port of) the router and hope for the best. Usually the addressed port is not in use and the packet will be rejected. Even if the port is currently in use by a local machine, the packet might be forwarded but will then usually be rejected, since that computer is already communicating with a different peer. Establishing connections from the Internet to one of the local computers is therefore nearly impossible without extra configuration. For regular services it is possible to statically map ports on the router to sockets in the local network; for example, one can configure the router to forward packets arriving at port 80 to an HTTP server located in the local network. Very often this is needed for playing online games, especially if we want to host games.

Q: – What is DNAT?

Destination network address translation (DNAT) is a technique for transparently changing the destination IP address of an en-route packet and performing the inverse function for any replies. Any router situated between two endpoints can perform this transformation of the packet.

DNAT is commonly used to publish a service located in a private network on a publicly accessible IP address. This use of DNAT is also called port forwarding, or DMZ when applied to an entire server, which then becomes exposed to the WAN, analogous to an undefended military demilitarized zone (DMZ).

Q: – Explain the procedure of SNAT.

Source Network Address Translation (SNAT) rewrites the source IP address in the IP header of a packet. This is what we want, for example, when several hosts have to share one Internet connection. We turn on IP forwarding in the kernel and write an SNAT rule that translates all packets going out from our local network to the source IP of our own Internet connection. Without doing this, the outside world would not know where to send reply packets, since our local networks mostly use the private IP address ranges that the IANA has reserved for LANs, which are not routable on the Internet.

Q: – What is a DMZ (demilitarized zone) in Shorewall?

In computer security, a DMZ (sometimes referred to as a perimeter network) is a physical or logical subnetwork that contains and exposes an organization's external services to a larger untrusted network, usually the Internet. The purpose of a DMZ is to add an additional layer of security to an organization's local area network (LAN); an external attacker only has access to equipment in the DMZ, rather than any other part of the network. The name is derived from the term "demilitarized zone", an area between nation states in which military action is not permitted.

Any service that is being provided to users on the external network can be placed in the DMZ. The most common of these services are:

web servers
mail servers
FTP servers
VoIP servers
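The following three-zone configuration ties the zones, SNAT, DNAT and DMZ answers above together. It is an added example written for this page, not taken from the Shorewall project or its sample configurations, and it assumes a firewall with eth0 on the Internet (public address 203.0.113.5), eth1 on the LAN 192.168.1.0/24 and eth2 on a DMZ 10.0.0.0/24 that hosts a web server at 10.0.0.2; all addresses are constructed.

```text
############################################################
# /etc/shorewall/zones
#ZONE   TYPE      OPTIONS
fw      firewall
net     ipv4
loc     ipv4
dmz     ipv4

############################################################
# /etc/shorewall/interfaces  (eth0 = Internet, eth1 = LAN, eth2 = DMZ)
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      tcpflags,nosmurfs,routefilter,logmartians
loc     eth1        detect      tcpflags,nosmurfs,routefilter,logmartians
dmz     eth2        detect      tcpflags,nosmurfs,routefilter,logmartians

############################################################
# /etc/shorewall/policy  (first matching line wins; default deny everywhere)
#SOURCE   DEST   POLICY   LOG LEVEL
loc       net    ACCEPT
net       all    DROP     info
all       all    REJECT   info

############################################################
# /etc/shorewall/masq  (SNAT: rewrite private sources to the public address)
#INTERFACE   SOURCE            ADDRESS
eth0         192.168.1.0/24    203.0.113.5
eth0         10.0.0.0/24       203.0.113.5

############################################################
# /etc/shorewall/rules  (exceptions to the policies above)
#ACTION   SOURCE   DEST            PROTO   DEST PORT(S)
SECTION NEW
# DNAT / port forwarding: publish the DMZ web server on the public address
DNAT      net      dmz:10.0.0.2    tcp     80
# LAN users may reach the same server directly
ACCEPT    loc      dmz             tcp     80
# The DMZ host may only speak HTTP(S) and DNS outward; dmz->loc is not
# listed, so the all->all REJECT policy keeps a compromised DMZ box off the LAN
ACCEPT    dmz      net             tcp     80,443
ACCEPT    dmz      net             udp     53
# Administrative SSH to the firewall itself ($FW) from the LAN only
ACCEPT    loc      $FW             tcp     22
```

Run `shorewall check` to compile the configuration and report errors before `service shorewall start` loads it into Netfilter.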

Submitted by: Sonali Balayan