mirror of https://gitlab.com/shorewall/code.git synced 2024-12-30 18:19:04 +01:00
shorewall_code/docs/MyNetwork.xml

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<article>
<!--$Id$-->
<articleinfo>
<title>My Network Configuration</title>
<authorgroup>
<author>
<firstname>Tom</firstname>
<surname>Eastep</surname>
</author>
</authorgroup>
<pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
<copyright>
<year>2009</year>
<holder>Thomas M. Eastep</holder>
</copyright>
<legalnotice>
<para>Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
License</ulink></quote>.</para>
</legalnotice>
</articleinfo>
<caution>
<para>The ruleset shown in this article uses Shorewall features that are
not available in Shorewall versions prior to 4.4.0.</para>
</caution>
<section>
<title>Introduction</title>
<para>The configuration described in this article represents the network
at shorewall.net during the summer of 2009. It uses the following
Shorewall features:</para>
<itemizedlist>
<listitem>
<para><ulink url="MultiISP.html">Two Internet
Interfaces</ulink></para>
</listitem>
<listitem>
<para>A DMZ with two "systems" using <ulink url="ProxyARP.htm">Proxy
ARP</ulink> and running in <ulink url="OpenVZ.html">OpenVZ Virtual
Environments</ulink></para>
</listitem>
<listitem>
<para><ulink url="6to4.htm">IPv6 Access through a 6to4
Tunnel</ulink></para>
</listitem>
<listitem>
<para><ulink url="OPENVPN.html">OpenVPN</ulink> and <ulink
url="IPSEC-2.6.html">IPSEC</ulink> for access when we are on the
road.</para>
</listitem>
<listitem>
<para><ulink url="ipsets.html">Ipsets</ulink></para>
</listitem>
<listitem>
<para><ulink url="Dynamic.html">Dynamic Zones</ulink></para>
</listitem>
<listitem>
<para><ulink url="Shorewall_Squid_Usage.html">Transparent proxy using
Squid</ulink></para>
</listitem>
<listitem>
<para><ulink url="ManualChains.html">Manual Chains</ulink></para>
</listitem>
<listitem>
<para><ulink url="traffic_shaping.htm">Traffic Shaping</ulink></para>
</listitem>
</itemizedlist>
<para>Linux runs the firewall and the servers (although they run in OpenVZ
containers on the firewall system). Linux is not used natively on any of
our other systems except for an <ulink url="http://www.hpmini.com">HP mini
which runs HP Mobile Internet Experience (MIE)</ulink> -- essentially
Ubuntu Hardy. I would rather run Windows natively (either Vista Home Premium or
XP Professional) and run Linux in VMs under <ulink
url="http://www.sun.com/software/products/virtualbox/">VirtualBox</ulink>.
This approach has a number of advantages:</para>
<orderedlist>
<listitem>
<para>Efficient disk utilization.</para>
<para>The virtual disks used by Linux are just files in the NTFS file
system. There is no need to pre-allocate one or more partitions for
use by Linux. Some large applications, like Google Earth, are
installed only on Windows.</para>
</listitem>
<listitem>
<para>Avoids proprietary hardware issues.</para>
<para>The Linux VMs emulate standard hardware that is well-supported
by Linux.</para>
</listitem>
<listitem>
<para>Avoids DRM hassles.</para>
<para>All DRM-protected media can be handled under Windows.</para>
</listitem>
<listitem>
<para>Websites that don't work with Firefox (or at least with Linux
Firefox) can be used from Windows.</para>
</listitem>
</orderedlist>
<para>VirtualBox is fast (when your processor supports virtualization
extensions) and very easy to use. I highly recommend it!</para>
</section>
<section>
<title>Network Topology</title>
<para>Our network is diagrammed in the following graphic.</para>
<graphic fileref="images/Network2009d.png" />
<para>We have accounts with two different ISPs:</para>
<orderedlist>
<listitem>
<para>Comcast</para>
<para>This is a high-speed (20mb/4mb) link with a single dynamic IPv4
address. We are not allowed to run servers accessible through this
account.</para>
</listitem>
<listitem>
<para>Avvanta</para>
<para>This is a low-speed (1.5mb/384kbit) link with five static IP
addresses. Our servers are accessed through this account.</para>
</listitem>
</orderedlist>
<para>The wired local network is restricted to my home office. The
wireless network is managed by a Linksys WRT300N pre-N router which we use
only as an access point -- its WAN interface is unused and it is
configured to not do NAT. The wireless network uses WPA2 personal security
and MAC filtering is enabled in the router. These two factors make it a
hassle when guests visit with a laptop but provide good security for the
network.</para>
</section>
<section>
<title>Shorewall Configuration</title>
<para>This section contains excerpts from the Shorewall
configuration.</para>
<para>It is important to keep in mind that parts of my configuration are
there just to provide a test bed for Shorewall features. So while they
show correct usage, they don't necessarily provide any useful benefit. I
have tried to point those out in the sub-sections that follow.</para>
<section id="params">
<title>/etc/shorewall/params</title>
<para><programlisting>MIRRORS=62.216.169.37,\
63.229.2.114,\
...
NTPSERVERS=...
POPSERVERS=...
LOG=ULOG
INT_IF=eth1
EXT_IF=eth2
COM_IF=eth0
VPS_IF=venet0</programlisting>As shown, this file defines variables to hold
the various lists of IP addresses that I need to maintain. To simplify
network reconfiguration, I also use variables to define the log level
and the network interfaces.</para>
</section>
<section id="conf">
<title>/etc/shorewall/shorewall.conf</title>
<para><programlisting>###############################################################################
# S T A R T U P E N A B L E D
###############################################################################
STARTUP_ENABLED=Yes
###############################################################################
# V E R B O S I T Y
###############################################################################
VERBOSITY=0
###############################################################################
# C O M P I L E R
# (setting this to 'perl' requires installation of Shorewall-perl)
###############################################################################
SHOREWALL_COMPILER=perl
###############################################################################
# L O G G I N G
###############################################################################
LOGFILE=/var/log/ulog/syslogemu.log
STARTUP_LOG=/var/log/shorewall-init.log
LOG_VERBOSITY=2
LOGFORMAT="%s:%s:"
LOGTAGONLY=No
LOGRATE=
LOGBURST=
LOGALLNEW=
BLACKLIST_LOGLEVEL=
MACLIST_LOG_LEVEL=
TCP_FLAGS_LOG_LEVEL=$LOG
SMURF_LOG_LEVEL=$LOG
LOG_MARTIANS=No
###############################################################################
# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
###############################################################################
IPTABLES=
IPSET=
PATH=/usr/local/sbin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin
SHOREWALL_SHELL=/bin/sh
SUBSYSLOCK=
MODULESDIR=
CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
RESTOREFILE=
IPSECFILE=zones
LOCKFILE=
###############################################################################
# D E F A U L T A C T I O N S / M A C R O S
###############################################################################
DROP_DEFAULT="Drop"
REJECT_DEFAULT="Reject"
ACCEPT_DEFAULT="none"
QUEUE_DEFAULT="none"
###############################################################################
# R S H / R C P C O M M A N D S
###############################################################################
RSH_COMMAND='ssh ${root}@${system} ${command}'
RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
###############################################################################
# F I R E W A L L O P T I O N S
###############################################################################
IP_FORWARDING=Yes
ADD_IP_ALIASES=No
ADD_SNAT_ALIASES=No
RETAIN_ALIASES=No
TC_ENABLED=Internal
TC_EXPERT=No
CLEAR_TC=Yes
MARK_IN_FORWARD_CHAIN=Yes
CLAMPMSS=Yes
ROUTE_FILTER=No
DETECT_DNAT_IPADDRS=Yes
MUTEX_TIMEOUT=60
ADMINISABSENTMINDED=Yes
BLACKLISTNEWONLY=Yes
DELAYBLACKLISTLOAD=No
MODULE_SUFFIX=ko
DONT_LOAD=
DISABLE_IPV6=No
BRIDGING=No
DYNAMIC_ZONES=No
PKTTYPE=No
MACLIST_TABLE=mangle
MACLIST_TTL=60
SAVE_IPSETS=No
MAPOLDACTIONS=No
FASTACCEPT=No
IMPLICIT_CONTINUE=Yes
HIGH_ROUTE_MARKS=Yes
USE_ACTIONS=Yes
OPTIMIZE=1
EXPORTPARAMS=Yes
EXPAND_POLICIES=Yes
KEEP_RT_TABLES=No
DELETE_THEN_ADD=No
MULTICAST=Yes
AUTO_COMMENT=Yes
MANGLE_ENABLED=Yes
NULL_ROUTE_RFC1918=Yes
USE_DEFAULT_RT=No
RESTORE_DEFAULT_ROUTE=No
FAST_STOP=Yes
AUTOMAKE=No
LOG_MARTIANS=Yes
WIDE_TC_MARKS=Yes
###############################################################################
# P A C K E T D I S P O S I T I O N
###############################################################################
BLACKLIST_DISPOSITION=DROP
MACLIST_DISPOSITION=ACCEPT
TCP_FLAGS_DISPOSITION=DROP
</programlisting>I don't believe that there is anything remarkable
there.</para>
</section>
<section>
<title>/etc/shorewall/actions</title>
<para><programlisting>#ACTION
Mirrors # Accept traffic from Shorewall Mirrors
</programlisting>I make this into an action so that the rather long list of rules
goes into its own chain.</para>
</section>
<section>
<title>/etc/shorewall/action.Mirrors</title>
<para><programlisting>#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
# PORT PORT(S) DEST LIMIT
COMMENT Accept traffic from Mirrors
ACCEPT $MIRRORS
</programlisting>See the <link linkend="rules">rules</link> file -- this
action is used for rsync traffic.</para>
</section>
<section id="zones">
<title>/etc/shorewall/zones</title>
<para><programlisting>fw firewall
loc ipv4 #Local Zone
dmz ipv4 #DMZ
net ipv4 #Internet
vpn:loc,net ipsec #IPSEC
drct:loc ipv4 #Direct internet access</programlisting>The
<emphasis role="bold">vpn</emphasis> zone is mostly for testing
Shorewall IPSEC support. It is nested in <emphasis
role="bold">loc</emphasis> and <emphasis role="bold">net</emphasis> to
test a feature added in Shorewall 4.4.0. The <emphasis
role="bold">drct</emphasis> zone is a dynamic zone whose members bypass
the transparent proxy. Some applications (such as VirtualBox
registration) don't work through the proxy.</para>
</section>
<section id="interfaces">
<title>/etc/shorewall/interfaces</title>
<para><programlisting>#ZONE INTERFACE BROADCAST OPTIONS
loc $INT_IF detect dhcp,logmartians=1,routefilter=1,tcpflags
dmz $VPS_IF detect logmartians=1,routefilter=0,routeback
net $EXT_IF detect dhcp,blacklist,tcpflags,optional,routefilter=0,nosmurfs,logmartians=0,proxyarp=1
net $COM_IF detect dhcp,blacklist,tcpflags,optional,upnp,routefilter=0,nosmurfs,logmartians=0
loc tun+ detect</programlisting>Notice that VPN clients are treated
the same as local hosts.</para>
<para>I set the <emphasis role="bold">proxyarp</emphasis> option on
$EXT_IF so that</para>
<orderedlist numeration="loweralpha">
<listitem>
<para>The firewall will respond to ARP who-has requests for the
servers in the DMZ.</para>
</listitem>
<listitem>
<para>OpenVZ stays happy (it issues dire warnings if the option is
not set on the associated external interface).</para>
</listitem>
</orderedlist>
</section>
<section id="hosts">
<title>/etc/shorewall/hosts</title>
<para><programlisting>#ZONE HOST(S) OPTIONS
vpn $EXT_IF:0.0.0.0/0
vpn $COM_IF:0.0.0.0/0
vpn $INT_IF:0.0.0.0/0
drct $INT_IF:dynamic</programlisting>The <emphasis
role="bold">vpn</emphasis> zone includes ipsec hosts interfacing from
either external interface as well as the local interface. <emphasis
role="bold">drct</emphasis> is defined as dynamic through the local
interface (recall that it is a sub-zone of <emphasis
role="bold">loc</emphasis>).</para>
</section>
<section id="policy">
<title>/etc/shorewall/policy</title>
<para><programlisting>#SOURCE DEST POLICY LOG LIMIT:BURST
# LEVEL
$FW dmz REJECT $LOG
$FW all ACCEPT
loc net ACCEPT -
loc fw ACCEPT
loc vpn ACCEPT
vpn fw ACCEPT
vpn loc ACCEPT
net net NONE
net all DROP $LOG 8/sec:30
dmz fw REJECT $LOG
all fw DROP $LOG
all all REJECT $LOG</programlisting>I'm a bit
sloppy with my fw&lt;-&gt;loc policies -- I should fix that
someday...</para>
</section>
<section id="accounting">
<title>/etc/shorewall/accounting</title>
<para><programlisting>#ACTION CHAIN SOURCE DESTINATION PROTO DEST SOURCE USER/
# PORT(S) PORT(S) GROUP
hp:COUNT accounting $COM_IF $INT_IF:172.20.1.107 UDP
hp:COUNT accounting $INT_IF:172.20.1.107 $COM_IF UDP
DONE hp
mail:COUNT - $EXT_IF $VPS_IF:206.124.146.0/24 tcp 25
mail:COUNT - $VPS_IF:206.124.146.0/24 $EXT_IF tcp 25
DONE mail
web - $EXT_IF $VPS_IF:206.124.146.0/24 tcp 80
web - $EXT_IF $VPS_IF:206.124.146.0/24 tcp 443
web - $VPS_IF:206.124.146.0/24 $EXT_IF tcp - 80
web - $VPS_IF:206.124.146.0/24 $EXT_IF tcp - 443
COUNT web $EXT_IF $VPS_IF:206.124.146.0/24
COUNT web $VPS_IF:206.124.146.0/24 $EXT_IF
</programlisting>The accounting chains are as follows:</para>
<orderedlist>
<listitem>
<para>hp</para>
<para>Counts traffic between my work laptop and HP. The VPN uses
NAT-Traversal (UDP 4500) so I just count all UDP traffic to/from my
work system.</para>
</listitem>
<listitem>
<para>mail</para>
<para>Incoming and outgoing email</para>
</listitem>
<listitem>
<para>web</para>
<para>Website traffic (both HTTP and HTTPS)</para>
</listitem>
</orderedlist>
</section>
<section id="blacklist">
<title>/etc/shorewall/blacklist</title>
<para><programlisting>#ADDRESS/SUBNET PROTOCOL PORT
- udp 1024:1033,1434
- tcp 57,1433,1434,2401,2745,3127,3306,3410,4899,5554,6101,8081,9898</programlisting>This
configuration silently drops a few ports that get lots of
traffic.</para>
</section>
<section id="compile">
<title>/etc/shorewall/compile</title>
<para><programlisting>use strict;
use Shorewall::Chains;
my $chainref = ensure_manual_chain qw/DNS_DDoS/;
add_rule $chainref, q(-m string --algo bm --from 30 --to 31 --hex-string "|010000010000000000000000020001|" -j DROP);
add_rule $chainref, q(-m string --algo bm --from 30 --to 31 --hex-string "|000000010000000000000000020001|" -j DROP);
add_rule $chainref, q(-j ACCEPT);
1;</programlisting>The above was created during a recent DDoS incident that
targeted DNS servers. It illustrates how manual chains can be
created.</para>
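<para>To see what those two hex strings actually pin down, the following added
Python (not part of this article or of Shorewall) decodes each pattern into its
DNS header and question fields, then applies the same byte comparison to
constructed sample queries. It assumes a 20-byte IPv4 header with no options, so
that the rule's offset 30 corresponds to byte 2 of the DNS message.</para>

```python
import struct

# The rule's --from 30 --to 31 offsets count from the start of the IPv4 packet:
# 20-byte IP header (assumed: no options) + 8-byte UDP header = 28, so offset 30
# is byte 2 of the DNS message, i.e. the flags field.
DNS_OFFSET = 2

# The two --hex-string patterns from the DNS_DDoS chain, "|" delimiters removed.
PATTERNS = (
    bytes.fromhex("010000010000000000000000020001"),  # flags 0x0100: RD set
    bytes.fromhex("000000010000000000000000020001"),  # flags 0x0000: RD clear
)

QTYPE_NAMES = {1: "A", 2: "NS", 255: "ANY"}


def decode_pattern(pattern):
    """Split a 15-byte pattern into the DNS header and question fields it pins."""
    flags, qdcount, ancount, nscount, arcount = struct.unpack("!5H", pattern[:10])
    # Byte 10 is the QNAME; a lone 0x00 label terminator is the root zone ".".
    qname = "." if pattern[10:11] == b"\x00" else "?"
    qtype, qclass = struct.unpack("!2H", pattern[11:15])
    return {
        "rd": (flags >> 8) % 2 == 1,   # Recursion Desired bit
        "qdcount": qdcount,
        "ancount": ancount,
        "nscount": nscount,
        "arcount": arcount,            # 0: no EDNS OPT record present
        "qname": qname,
        "qtype": QTYPE_NAMES.get(qtype, qtype),
        "qclass": "IN" if qclass == 1 else qclass,
    }


def encode_qname(name):
    """Encode a dotted name as DNS labels; "." encodes as the lone root byte."""
    labels = [label for label in name.strip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def build_query(name, qtype, rd=True, txid=0x1234):
    """Build a minimal DNS query message (constructed sample input)."""
    flags = 0x0100 if rd else 0x0000
    header = struct.pack("!6H", txid, flags, 1, 0, 0, 0)   # QDCOUNT=1, others 0
    return header + encode_qname(name) + struct.pack("!2H", qtype, 1)


def dns_ddos_matches(dns_message):
    """True when the chain's two string rules would DROP this UDP/53 message."""
    window = dns_message[DNS_OFFSET:DNS_OFFSET + len(PATTERNS[0])]
    return any(window == p for p in PATTERNS)


def classify(dns_message):
    """Mirror the manual chain's final disposition: DROP on match, else ACCEPT."""
    return "DROP" if dns_ddos_matches(dns_message) else "ACCEPT"


if __name__ == "__main__":
    for p in PATTERNS:
        print(decode_pattern(p))
    samples = {
        "root NS, RD set": build_query(".", 2, rd=True),
        "root NS, RD clear": build_query(".", 2, rd=False),
        "A example.com": build_query("example.com", 1),
        "NS example.com": build_query("example.com", 2),
    }
    for label, msg in samples.items():
        print(f"{label:20s} -> {classify(msg)}")
```

<para>Both patterns also pin ARCOUNT to 0, so a root NS query that carries an
EDNS OPT record does not match and reaches the chain's final ACCEPT; the match is
exact-shape only, which keeps false positives low but is easy to sidestep.</para>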
</section>
<section id="findgw">
<title>/etc/shorewall/findgw</title>
<para><programlisting>if [ -f /var/lib/dhcp3/dhclient.${1}.leases ]; then
grep 'option routers' /var/lib/dhcp3/dhclient.${1}.leases | tail -n 1 | while read j1 j2 gateway; do echo $gateway | sed 's/;//'; return 0; done
fi</programlisting>The Comcast line has a dynamic IP address assigned with the
help of dhclient.</para>
</section>
<section id="isusable">
<title>/etc/shorewall/isusable</title>
<para><programlisting>local status
status=0
[ -f /etc/shorewall/${1}.status ] &amp;&amp; status=$(cat /etc/shorewall/${1}.status)
return $status</programlisting>For use with <ulink
url="MultiISP.html#lsm">lsm</ulink>.</para>
</section>
<section id="libprivate">
<title>/etc/shorewall/lib.private</title>
<para><programlisting>start_lsm() {
killall lsm 2&gt; /dev/null
cat &lt;&lt;EOF &gt; /etc/lsm/shorewall.conf
connection {
name=Avvanta
checkip=206.124.146.254
device=$EXT_IF
ttl=2
}
connection {
name=Comcast
checkip=${ETH0_GATEWAY:-71.231.152.1}
device=$COM_IF
ttl=1
}
EOF
rm -f /etc/shorewall/*.status
/usr/sbin/lsm /etc/lsm/lsm.conf &gt;&gt; /var/log/lsm
}
</programlisting>This function configures and starts <ulink
url="MultiISP.html#lsm">lsm</ulink>.</para>
</section>
<section id="masq">
<title>/etc/shorewall/masq</title>
<para><programlisting>#INTERFACE SOURCE ADDRESS
COMMENT Masquerade Local Network
$COM_IF 0.0.0.0/0
$EXT_IF !206.124.146.0/24 206.124.146.179
</programlisting>All connections out through Comcast must have the dynamically
assigned address as their source address. Traffic from hosts without an
Avvanta public IP address gets 206.124.146.179 as its source
address.</para>
</section>
<section>
<title>/etc/shorewall/notrack</title>
<para><programlisting>#SOURCE DESTINATION PROTO DEST SOURCE USER/
# PORT(S) PORT(S) GROUP
net:!192.88.99.1 - 41
dmz 206.124.146.255 udp
dmz 255.255.255.255 udp
loc 172.20.1.255 udp
loc 255.255.255.255 udp
$FW 255.255.255.255 udp
$FW 172.20.1.255 udp
$FW 206.124.146.255 udp</programlisting>This file exempts from
connection tracking the 6to4 traffic originating from 6to4 relays as well
as broadcast traffic (which Netfilter doesn't handle).</para>
</section>
<section>
<title>/etc/shorewall/providers</title>
<para><programlisting>#NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY
Avvanta 1 0x10000 main $EXT_IF 206.124.146.254 track,loose,fallback $INT_IF,$VPS_IF,tun*
Comcast 2 0x20000 main $COM_IF detect track,balance $INT_IF,$VPS_IF,tun*</programlisting>See
the <ulink url="???">Multi-ISP article</ulink> for an explanation of
the multi-ISP aspects of this configuration.</para>
</section>
<section id="proxyarp">
<title>/etc/shorewall/proxyarp</title>
<para><programlisting>&lt;empty&gt;</programlisting>As mentioned <link
linkend="interfaces">above</link>, I set the proxyarp on the associated
external interface instead of defining proxy ARP in this file.</para>
</section>
<section id="restored">
<title>/etc/shorewall/restored</title>
<para><programlisting>if [ -z "$(ps ax | grep 'lsm ' | grep -v 'grep ' )" ]; then
start_lsm
fi
chmod 744 ${VARDIR}/state</programlisting>If lsm isn't running then start it.
Make the state file world-readable.</para>
</section>
<section id="rtrules">
<title>/etc/shorewall/rtrules</title>
<para><programlisting>#SOURCE DEST PROVIDER PRIORITY
- 172.20.0.0/24 main 1000 #OpenVPN clients
- 206.124.146.177 main 1001 #Servers -- Routes configured by OpenVZ
- 206.124.146.178 main 1001 #
- 216.168.3.44 Avvanta 1001 #NNTP -- Does source IP verification
206.124.146.176/30 - Avvanta 26000 #Avvanta public IP addresses
206.124.146.180 - Avvanta 26000 #</programlisting>These
entries simply ensure that outgoing traffic uses the correct
interface.</para>
</section>
2009-08-01 16:56:31 +02:00
<section id="routestopped">
<title>/etc/shorewall/routestopped</title>
<para><programlisting>#INTERFACE HOST(S) OPTIONS PROTO
$INT_IF 172.20.1.0/24 source,dest
$VPS_IF 206.124.146.177,206.124.146.178
$EXT_IF - notrack 41</programlisting>Keep
the lights on while Shorewall is stopped.</para>
</section>
2009-08-01 16:56:31 +02:00
<section id="rules">
<title>/etc/shorewall/rules</title>
<para><programlisting>###############################################################################################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
###############################################################################################################################################################################
SECTION ESTABLISHED
SECTION RELATED
SECTION NEW
REJECT:$LOG loc net tcp 25 #Stop direct loc-&gt;net SMTP (Comcast uses submission).
REJECT:$LOG loc net udp 1025:1031 #MS Messaging
COMMENT Stop NETBIOS crap
REJECT loc net tcp 137,445
REJECT loc net udp 137:139
COMMENT Stop my idiotic work laptop from sending to the net with an HP source IP address
DROP loc:!172.20.0.0/23 net
COMMENT
###############################################################################################################################################################################
# Local Network to Firewall
#
NONAT drct -
REDIRECT- loc 3128 tcp 80 - !66.199.187.46,172.20.1.108,206.124.146.177,155.98.64.80,81.19.16.0/21
###############################################################################################################################################################################
# Local network to DMZ
#
ACCEPT loc dmz udp domain,177
ACCEPT loc dmz tcp ssh,smtp,465,587,www,ftp,imaps,domain,https,5901:5903 -
ACCEPT loc dmz udp 33434:33524
###############################################################################################################################################################################
# Internet to ALL -- drop NewNotSyn packets
#
dropNotSyn net fw tcp
dropNotSyn net loc tcp
dropNotSyn net dmz tcp
###############################################################################################################################################################################
# Internet to DMZ
#
DNS_DDoS net dmz udp domain
ACCEPT net dmz tcp smtp,www,ftp,465,587,imaps,domain,https
ACCEPT net dmz udp 33434:33454
Mirrors:none net dmz tcp 873
ACCEPT net dmz tcp 22 - - s:ssh:3/min:3
###############################################################################################################################################################################
#
# Net to Local
#
Limit:$LOG:SSHA,3,60\
net loc tcp 22
#
# BitTorrent from Wireless Network
#
#DNAT net:$COM_IF loc:172.20.1.102 tcp 6881:6889
#DNAT net:$COM_IF loc:172.20.1.102 udp 6881
#
# UPnP
#
forwardUPnP net loc
#
# Silently Handle common probes
#
REJECT net loc tcp www,ftp,https
DROP net loc icmp 8
###############################################################################################################################################################################
# DMZ to Internet
#
ACCEPT dmz net udp domain,ntp
REJECT dmz net:$COM_IF tcp smtp
ACCEPT dmz net tcp echo,ftp,ssh,smtp,whois,domain,www,81,nntp,https,2401,2702,2703,8080
ACCEPT dmz net:$POPSERVERS tcp pop3
#
# Some FTP clients seem prone to sending the PORT command split over two packets. This prevents the FTP connection tracking
# code from processing the command and setting up the proper expectation. The following rule allows active FTP to work in these cases
# but logs the connection so I can keep an eye on this potential security hole.
#
ACCEPT:$LOG dmz net tcp 1024: 20
###############################################################################################################################################################################
# DMZ to Local
#
ACCEPT dmz loc tcp 22 - - s:ssh:3/min:3
###############################################################################################################################################################################
# DMZ to Firewall -- ntp &amp; snmp Silently reject Auth
#
ACCEPT dmz fw tcp 161,ssh
ACCEPT dmz fw udp 161,ntp
REJECT dmz fw tcp auth
###############################################################################################################################################################################
# Internet to Firewall
#
REJECT net fw tcp www,ftp,https
DROP net fw icmp 8
ACCEPT net fw udp 33434:33454
ACCEPT net fw tcp 22 - - s:ssh:3/min:3
ACCEPT net fw udp 33434:33524
###############################################################################################################################################################################
# Firewall to DMZ
#
ACCEPT fw dmz tcp domain,www,ftp,ssh,smtp,https,993,465,587,5901
ACCEPT fw dmz udp domain
REJECT fw dmz udp 137:139
##############################################################################################################################################################################
#
COMMENT Freenode Probes
DROP net:82.96.96.3,85.190.0.3 any
COMMENT
##############################################################################################################################################################################
# Allow Ping except where disallowed earlier
#
ACCEPT any any icmp 8</programlisting></para>
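<para>The RATE LIMIT column on the SSH rules above (s:ssh:3/min:3) becomes a
per-source hashlimit match. The following added Python (not part of this
article or of Shorewall) parses that column syntax and models the resulting
token bucket over a constructed sequence of connection attempts from RFC 5737
documentation addresses; the destination label and the attempt timings are
assumptions.</para>

```python
import re
from fractions import Fraction

UNIT_SECONDS = {"sec": 1, "min": 60, "hour": 3600, "day": 86400}
# Column syntax: [s|d:][name:]rate/{sec|min|hour|day}[:burst]
SPEC_RE = re.compile(r"(?:([sd]):)?(?:([^:/]+):)?(\d+)/(sec|min|hour|day)(?::(\d+))?")


def parse_rate_limit(spec):
    """Parse a RATE LIMIT value into (mode, name, rate, interval_seconds, burst).

    "s:"/"d:" keys the limit on the source/destination address (hashlimit);
    with no prefix the limit applies to the rule as a whole (plain limit match).
    burst defaults to 5, the iptables limit/hashlimit default.
    """
    m = SPEC_RE.fullmatch(spec)
    if m is None:
        raise ValueError(f"unrecognised RATE LIMIT value: {spec!r}")
    mode, name, rate, unit, burst = m.groups()
    return mode, name, int(rate), UNIT_SECONDS[unit], int(burst) if burst else 5


class RateLimiter:
    """Token bucket per key: capacity = burst, refilled at rate tokens per interval."""

    def __init__(self, spec):
        self.mode, self.name, rate, interval, self.burst = parse_rate_limit(spec)
        self.refill_per_sec = Fraction(rate, interval)  # exact, no float drift
        self.buckets = {}  # key -> (tokens, time of last attempt)

    def key_for(self, src, dst):
        if self.mode == "s":
            return src
        if self.mode == "d":
            return dst
        return "*"  # one shared bucket for the whole rule

    def matches(self, now, src, dst):
        """True if the rate limit still lets this new connection match the rule."""
        key = self.key_for(src, dst)
        tokens, last = self.buckets.get(key, (Fraction(self.burst), now))
        tokens = min(Fraction(self.burst), tokens + (now - last) * self.refill_per_sec)
        if tokens >= 1:
            self.buckets[key] = (tokens - 1, now)
            return True
        self.buckets[key] = (tokens, now)
        return False


def simulate(spec, attempts, dst="dmz-host"):
    """Run timestamped (seconds, src) connection attempts through one limited rule.

    A new connection over the limit does not match the ACCEPT rule; in the
    rules file above it then falls through to the net->all DROP policy.
    """
    limiter = RateLimiter(spec)
    return [(t, src, "ACCEPT" if limiter.matches(t, src, dst) else "DROP")
            for t, src in attempts]


# Constructed sample: one host hammering port 22 and one ordinary client,
# both from RFC 5737 documentation ranges.
SAMPLE_ATTEMPTS = [
    (0, "203.0.113.5"), (1, "203.0.113.5"), (2, "203.0.113.5"),
    (3, "203.0.113.5"), (4, "203.0.113.5"), (5, "198.51.100.7"),
    (20, "203.0.113.5"), (40, "203.0.113.5"), (60, "203.0.113.5"),
]

if __name__ == "__main__":
    for t, src, verdict in simulate("s:ssh:3/min:3", SAMPLE_ATTEMPTS):
        print(f"t={t:3d}s  {src:14s} {verdict}")
```

<para>With burst 3 and rate 3/min the bucket refills one token every 20 seconds,
so a single source can still get six SSH connections accepted within the first
minute. The recent-based Limit action used for net to loc SSH is a different
mechanism and is not modelled here.</para>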
</section>
<section id="started">
<title>/etc/shorewall/started</title>
<para><programlisting>if [ -z "$(ps ax | grep 'lsm ' | grep -v 'grep ' )" ]; then
start_lsm
fi
chmod 744 ${VARDIR}/state</programlisting>If lsm isn't running then start it.
Make the state file world-readable.</para>
</section>
<section id="stopped">
<title>/etc/shorewall/stopped</title>
<para><programlisting>if [ "$COMMAND" = stop -o "$COMMAND" = clear ]; then
killall lsm 2&gt; /dev/null
fi
chmod 744 ${VARDIR}/state</programlisting>Kill lsm if the command is stop or
clear. Make the state file world-readable.</para>
</section>
<section>
<title>/etc/shorewall/tcdevices</title>
<para><programlisting>#INTERFACE IN-BANDWITH OUT-BANDWIDTH OPTIONS
$EXT_IF - 300kbit classify
$INT_IF - 80mbit classify
$COM_IF - 4mbit classify,hfsc
</programlisting>The use of HFSC on the Comcast link is largely to provide a
test bed for that qdisc; I really don't have any real-time requirement
such as VOIP.</para>
</section>
<section>
<title>/etc/shorewall/tcclasses</title>
<para><programlisting>#INTERFACE MARK RATE CEIL PRIORITY OPTIONS
1:110 - full/4 full 1 tcp-ack,tos-minimize-delay
1:120 - full/4 full 2 flow=nfct-src
1:130 - full/4 230kbit 3 default,flow=nfct-src
1:140 - full/4 230kbit 4 flow=nfct-src
2:10 - 95*full/100 full 1 flow=dst
2:100 - 14mbit 20mbit 2
2:100:101 - 7mbit 20mbit 3 default,flow=dst
2:100:102 - 7mbit 20mbit 3 flow=dst
3:10 - 2mbit:4ms full 1 flow=nfct-src
3:100 - 2mbit full 2
3:100:101 - 1mbit full 3 default,flow=nfct-src
3:100:102 - 1mbit full 3 flow=nfct-src
</programlisting>Note that most of the outgoing bandwidth on the local
interface is allocated to one class. That class is used for local
traffic.</para>
</section>
<section>
<title>/etc/shorewall/tcfilters</title>
<para><programlisting>#INTERFACE: SOURCE DEST PROTO DEST SOURCE TOS LENGTH
#CLASS PORT(S) PORT(S)
# =============================== AVVANTA ====================================
#
# Give Highest priority to LSM's pings to the gateway and to DNS queries
#
1:110 206.124.146.176 206.124.146.254 icmp
1:110 206.124.146.177 - udp 53
#
# Second Highest priority to IPv6 Tunnel
#
1:120 206.124.146.180
#
# Lowest priority to bulk traffic
#
1:140 206.124.146.177 - tcp - 873 - 2048
1:140 206.124.146.177 - - - - tos-minimize-cost
</programlisting>The tcfilters file is only used for the Avvanta provider
because it has static public IP addresses.</para>
</section>
<section>
<title>/etc/shorewall/tcrules</title>
<para><programlisting>#MARK SOURCE DEST PROTO PORT(S) CLIENT USER TEST LENGTH TOS
# PORT(S)
COMMENT Shape incoming traffic
#
# Most of the bandwidth is reserved for local traffic since the downlinks aren't that fast
#
2:10 206.124.146.176/30 $INT_IF
2:10 206.124.146.177 $INT_IF
2:10 172.20.1.254 $INT_IF
#
# Guarantee 1/2 of the incoming bandwidth for my work system
#
2:102 0.0.0.0/0 $INT_IF:172.20.1.107
COMMENT Shape outgoing traffic to Comcast
#
# Give 1/2 to my work system and add a latency guarantee
#
3:10 172.20.1.107 $COM_IF
#
# Restrict Torrent uploads
#
3:102 172.20.1.0/24 $COM_IF tcp - 6881:6889
</programlisting>The tcrules file is used to classify traffic that deals with
the local network and/or with Comcast.</para>
</section>
<section id="tunnels">
<title>/etc/shorewall/tunnels</title>
<para><programlisting>#TYPE ZONE GATEWAY GATEWAY
# ZONE
openvpnserver:udp net
6to4 net
ipsec net
ipsec loc
ipip vpn 0.0.0.0/0</programlisting>The ipip tunnel from
the vpn zone handles IP compression on IPSEC connections.</para>
</section>
</section>
</article>