Shorewall is a tool that configures the Linux kernel's built-in packet filter (iptables/netfilter) from a small set of readable configuration files in /etc/shorewall. Assume a basic setup: LAN | Firewall (also running a proxy server) | Internet
A secure setup is to:
- ACCEPT HTTP (80) and HTTPS (443) from LAN to NET
- ACCEPT the ports of specific services (e-banking, for example) from specific LAN hosts to NET
- ACCEPT only the needed FW services from LAN to FW: SSH (22) and, if the mail server runs on the FW, MAIL (25, 443, 993, ...)
- ACCEPT only the needed FW services from NET to FW: SSH (22) restricted to known source IPs (and key-based authentication only), plus MAIL (25, 443, 993, ...) if the mail server runs on the FW
- The SSH port can be moved off 22; that cuts log noise but is no substitute for the source-IP restriction and key-only login
- LOC-to-LOC connections between hosts on the same LAN segment never pass through the FW, so they cannot be filtered here; treat them as allowed
- REJECT (or, for traffic from NET, silently DROP) any other incoming connection to LAN or FW
Shorewall configuration, with some additional examples of the syntax and rules (one file per table, all under /etc/shorewall):
# File: zones
# http://www.shorewall.net/manpages/shorewall-zones.html
#
###########################################################
#ZONE   TYPE       OPTIONS   IN_OPTIONS   OUT_OPTIONS
net     ipv4
loc     ipv4
fw      firewall
#-------------------------------------------------------
# File: masq
# http://www.shorewall.net/manpages/shorewall-masq.html
#
############################################################
#INTERFACE   SOURCE   ADDRESS   PROTO   PORT(S)   IPSEC   MARK
# NAT (masquerade) everything arriving from eth1 (LAN) as it leaves on eth0 (internet)
eth0 eth1
#------------------------------------------------------------------------------
# File: interfaces
# http://www.shorewall.net/manpages/shorewall-interfaces.html
#
############################################################
#ZONE   INTERFACE   BROADCAST   OPTIONS
net eth0 detect
# routeback: let traffic that entered on eth1 leave on eth1 again (only matters when the FW routes between LAN subnets)
loc eth1 detect routeback
#------------------------------------------------------------------------------
# File: policy
# http://www.shorewall.net/manpages/shorewall-policy.html
#
############################################################
#SOURCE   DEST   POLICY   LOG_LEVEL   LIMIT:BURST
# A policy applies only when no line in the rules file matched the connection.
loc net REJECT
loc fw REJECT
fw loc ACCEPT
fw net ACCEPT
# Unsolicited traffic from the internet is dropped silently (and logged at info level)
net all DROP info
# Everything else is rejected and logged
all all REJECT info
#------------------------------------------------------------------------------
# File: rules
# http://www.shorewall.net/manpages/shorewall-rules.html
#
#############################################################
#ACTION   SOURCE   DEST   PROTO   DPORT   SPORT   ORIGDEST   RATE_LIMIT   USER/GROUP   MARK
# Transparent proxy: send LAN web traffic to Squid on the FW (port 3128).
# The last column is ORIGINAL DEST: connections whose destination is the
# server 192.168.0.10 are left alone (not redirected). To exempt a client
# host instead, put the exclusion in SOURCE: loc:!192.168.0.10
REDIRECT loc 3128 tcp 80 - !192.168.0.10
ACCEPT loc net tcp 443
# Mail server on the FW: SMTP, HTTPS (webmail) and POP3S from the net
ACCEPT net fw tcp 25,443,995 -
# The same services plus SSH from the LAN (the loc->fw policy is REJECT,
# so without these lines nothing from the LAN reaches the FW)
ACCEPT loc fw tcp 22
ACCEPT loc fw tcp 25,443,995
# SSH from the net only from the admin's address; 203.0.113.5 is a placeholder
# (configure key-only authentication on the SSH daemon as well)
ACCEPT net:203.0.113.5 fw tcp 22
# FTP macro: control channel plus the related connection tracking
AllowFTP loc net
# Android devices: XMPP (5222) and Google services (5228); both are TCP, the udp lines are harmless but unnecessary
ACCEPT loc net tcp 5222,5228
ACCEPT loc net udp 5222,5228
# POP3 and IMAP (the same can be written with the AllowPOP / AllowIMAP macros); TCP-only protocols, as above
ACCEPT loc net tcp 110,143
ACCEPT loc net udp 110,143
# DNS plus NetBIOS/SMB. Caveat: Windows Update itself needs only 80/443;
# NetBIOS (137-139) and SMB (445) to the internet are a risk and should be
# removed unless a specific external share is required
ACCEPT loc net udp 137,138,53
ACCEPT loc net tcp 137,138,139,53
ACCEPT loc net tcp 445
# loc:192.168.0.3 has unrestricted access to net (its port 80 traffic is still
# redirected to the proxy by the REDIRECT rule above, which comes first)
ACCEPT loc:192.168.0.3 net all
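To check what the rules and policy tables above actually do for a given connection, here is a small evaluator, added as an example; it is not part of Shorewall or of the original configuration. It models only the columns used on this page, with Shorewall's order of evaluation (first matching rule wins, otherwise the first matching policy line), and skips macros such as AllowFTP and Shorewall's intra-zone defaults. The embedded tables are constructed from this page's rules plus the SSH and mail lines to the FW that the design list calls for; 203.0.113.5 is a placeholder admin address and 198.51.100.7 a placeholder untrusted one.

```python
"""Toy evaluator for a Shorewall rules file plus policy file.

Added example, not part of Shorewall or of the original page. It models only
the columns used above (ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST):
the first matching rule wins; if no rule matches, the first matching policy
line decides. Macros/actions such as AllowFTP and Shorewall's intra-zone
defaults are not modelled.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed from the rules on this page, plus the SSH/mail-to-FW lines the
# design list asks for. 203.0.113.5 is a placeholder for the admin's address.
RULES = """
REDIRECT loc 3128 tcp 80 - !192.168.0.10
ACCEPT loc net tcp 443
ACCEPT net fw tcp 25,443,995 -
ACCEPT loc fw tcp 22
ACCEPT loc fw tcp 25,443,995
ACCEPT net:203.0.113.5 fw tcp 22
AllowFTP loc net
ACCEPT loc net tcp 5222,5228
ACCEPT loc net tcp 110,143
ACCEPT loc net udp 137,138,53
ACCEPT loc net tcp 137,138,139,53
ACCEPT loc net tcp 445
ACCEPT loc:192.168.0.3 net all
"""
POLICY = """
loc net REJECT
loc fw REJECT
fw loc ACCEPT
fw net ACCEPT
net all DROP info
all all REJECT info
"""
KNOWN_ACTIONS = {"ACCEPT", "REJECT", "DROP", "REDIRECT"}


@dataclass
class Rule:
    action: str
    src_zone: str
    src_addr: Optional[str]
    dst_zone: str
    dst_addr: Optional[str]
    proto: Optional[str]          # None = any protocol
    dports: Optional[set]         # None = any port
    origdest: Optional[str]
    target: Optional[str] = None  # firewall port for REDIRECT


def _zone(spec):
    """'loc:192.168.0.3' -> ('loc', '192.168.0.3'); 'loc' -> ('loc', None)."""
    zone, _, addr = spec.partition(":")
    return zone, (addr or None)


def _addr_match(pattern, ip):
    """'-'/None match anything; '!x' excludes x. An unknown ip can only
    satisfy a negated pattern (it cannot be shown to be the listed host)."""
    if pattern in (None, "-"):
        return True
    negate = pattern.startswith("!")
    net = ipaddress.ip_network(pattern.lstrip("!"), strict=False)
    if ip is None:
        return negate
    return (ipaddress.ip_address(ip) in net) != negate


def parse_rules(text):
    rules, skipped = [], []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        cols = line.split()
        cols += ["-"] * (7 - len(cols))          # pad absent trailing columns
        action, src, dst, proto, dport, _sport, origdest = cols[:7]
        if action not in KNOWN_ACTIONS:
            skipped.append(line)                 # macros such as AllowFTP
            continue
        src_zone, src_addr = _zone(src)
        if action == "REDIRECT":
            # REDIRECT is applied before routing: DEST is the port on the
            # firewall, not a destination zone, so any zone matches.
            dst_zone, dst_addr, target = "all", None, dst
        else:
            dst_zone, dst_addr = _zone(dst)
            target = None
        rules.append(Rule(action, src_zone, src_addr, dst_zone, dst_addr,
                          None if proto in ("-", "all") else proto.lower(),
                          None if dport == "-" else {int(p) for p in dport.split(",")},
                          None if origdest == "-" else origdest, target))
    return rules, skipped


def parse_policy(text):
    policy = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            src, dst, action = line.split()[:3]
            policy.append((src, dst, action))
    return policy


def decide(rules, policy, src_zone, dst_zone, proto, port, src_ip=None, dst_ip=None):
    """Verdict for a new connection: rules in file order first, then the policy."""
    for r in rules:
        if r.src_zone not in (src_zone, "all") or r.dst_zone not in (dst_zone, "all"):
            continue
        if r.proto not in (None, proto) or (r.dports is not None and port not in r.dports):
            continue
        if not (_addr_match(r.src_addr, src_ip) and _addr_match(r.dst_addr, dst_ip)
                and _addr_match(r.origdest, dst_ip)):
            continue
        return f"REDIRECT to fw:{r.target}" if r.action == "REDIRECT" else r.action
    for src, dst, action in policy:
        if src in (src_zone, "all") and dst in (dst_zone, "all"):
            return f"{action} (policy)"
    return "no policy matched"


if __name__ == "__main__":
    rules, skipped = parse_rules(RULES)
    policy = parse_policy(POLICY)
    print("skipped macros:", skipped)
    for q in [("loc", "net", "tcp", 80), ("loc", "net", "tcp", 8080),
              ("net", "fw", "tcp", 22, "198.51.100.7"), ("net", "fw", "tcp", 22, "203.0.113.5"),
              ("net", "loc", "tcp", 445), ("loc", "fw", "tcp", 993)]:
        print(q, "->", decide(rules, policy, *q))
```

Running it shows the points that are easy to miss when reading the tables: port 80 from the LAN is redirected to the proxy, but any other web port (8080, say) is rejected by the loc->net policy unless the client is the unrestricted host 192.168.0.3; SSH to the FW from the internet is dropped for every source except the listed admin address; and a service not listed for loc->fw (IMAPS 993) is rejected even though the design text mentions it, which is exactly the kind of gap between intent and rules file this check is for.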
Now assume a Hadoop cluster that needs to be firewalled:
A secure setup is to:
- A FW that also serves as the jumpbox (bastion) host, hiding every internal component of the cluster
- The LAN is the cluster network
- Internal nodes run without host firewalls; if any internal node can be reached from the outside, the setup changes: every node then needs its own host firewall with a strict access policy
- ACCEPT HTTP (80) and HTTPS (443) from LAN to NET, for repository updates
- ACCEPT only the needed FW services from NET to FW: SSH (22) restricted to known source IPs, key-based authentication only
- The SSH port can be changed
- REJECT any other incoming connection to LAN or FW
- Reach all Hadoop services (Ambari, Hue, etc.) through SSH tunnels to the jumpbox (FW): a local port forward (ssh -L) per service, or a SOCKS proxy (ssh -D) for the browser; no service is exposed directly
The network topology and the security settings of large Hadoop deployments with co-located racks need thorough planning; the jumpbox pattern above is the starting point, not the whole design.
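The tunnelling step in the last bullet, as an added example that is not from the original page: a small Python helper that builds the OpenSSH command line for reaching cluster web UIs through the jumpbox. The host names (jumpbox.example.com, ambari.cluster.internal, hue.cluster.internal), the user name and the key path are assumptions; the remote ports are the Ambari (8080) and Hue (8888) defaults. The check worth keeping is the refusal to bind a forward on anything but loopback, since a forward on 0.0.0.0 would re-expose the cluster UI on the workstation's own network, undoing the point of the jumpbox.

```python
"""Build the OpenSSH command that reaches Hadoop web UIs through the jumpbox.

Added example, not from the original page. Host names, user and key path are
assumptions; adjust them to the cluster. Every -L forward is bound to
127.0.0.1 so the tunnel is not reachable from other hosts on the workstation's
network.
"""
import subprocess

LOOPBACK = ("127.0.0.1", "localhost", "::1")


def forward_spec(local_port, cluster_host, remote_port, bind="127.0.0.1"):
    """Return the -L argument 'bind:local_port:cluster_host:remote_port',
    refusing any bind address that is not loopback."""
    if bind not in LOOPBACK:
        raise ValueError(f"refusing to bind tunnel on {bind}: it would expose the cluster UI")
    for p in (local_port, remote_port):
        if not 1 <= int(p) <= 65535:
            raise ValueError(f"bad port {p}")
    return f"{bind}:{local_port}:{cluster_host}:{remote_port}"


def tunnel_command(jumpbox, user, key_path, forwards, socks_port=None):
    """forwards: list of (local_port, cluster_host, remote_port).
    socks_port: optional -D SOCKS proxy so a browser can reach any cluster
    host by name through the jumpbox."""
    cmd = ["ssh", "-N",                               # no remote command, tunnels only
           "-o", "ExitOnForwardFailure=yes",          # fail loudly, not half-working
           "-o", "IdentitiesOnly=yes",                # offer only the named key
           "-o", "ServerAliveInterval=30",
           "-i", key_path]
    for local_port, cluster_host, remote_port in forwards:
        cmd += ["-L", forward_spec(local_port, cluster_host, remote_port)]
    if socks_port is not None:
        cmd += ["-D", f"127.0.0.1:{socks_port}"]
    cmd.append(f"{user}@{jumpbox}")
    return cmd


# Constructed list of UIs: (local port, cluster host, remote port)
HADOOP_UIS = [
    (18080, "ambari.cluster.internal", 8080),
    (18888, "hue.cluster.internal", 8888),
]

if __name__ == "__main__":
    cmd = tunnel_command("jumpbox.example.com", "admin",
                         "~/.ssh/hadoop_jump_ed25519", HADOOP_UIS, socks_port=1080)
    print(" ".join(cmd))
    subprocess.run(cmd, check=True)   # assumed: key is authorised on the jumpbox
```

With the tunnel up, Ambari is at http://127.0.0.1:18080 on the workstation and Hue at http://127.0.0.1:18888; with the -D option the browser can instead use the SOCKS proxy 127.0.0.1:1080 and address cluster hosts by their internal names. ExitOnForwardFailure makes ssh exit if a local port is already taken, rather than silently leaving that UI unreachable.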