diff --git a/docs/Introduction.xml b/docs/Introduction.xml index 366465afb..cdfbf913f 100644 --- a/docs/Introduction.xml +++ b/docs/Introduction.xml @@ -121,13 +121,12 @@ - kmyfirewall + UFW + (Uncomplicated Firewall) - firestarter + ipcop diff --git a/docs/MyNetwork.xml b/docs/MyNetwork.xml index f13767b5e..82159f282 100644 --- a/docs/MyNetwork.xml +++ b/docs/MyNetwork.xml @@ -20,6 +20,8 @@ 2009 + 2015 + Thomas M. Eastep @@ -36,14 +38,14 @@ The ruleset shown in this article uses Shorewall features that are - not available in Shorewall versions prior to 4.4.0. + not available in Shorewall versions prior to 4.6.11
Introduction The configuration described in this article represents the network - at shorewall.net during the summer of 2009. It uses the following + at shorewall.org during the summer of 2015. It uses the following Shorewall features: @@ -53,50 +55,30 @@ - A DMZ with two "systems" using Proxy - ARP and running in OpenVZ Virtual - Environments + A DMZ with three "systems" using Proxy + ARP and running in Linux Containers + (LXC) - IPv6 Access through a 6to4 - Tunnel - - - - OpenVPN and IPSEC for access when we are on the - road. + IPv6 Access through two 6to4 + Tunnels Ipsets - - Dynamic Zones - - Transparent proxy using Squid - - - Manual Chains - - - - Traffic Shaping - - Linux runs the firewall and the servers (although they run in OpenVZ + Linux runs the firewall and the servers (although they run in LXC containers on the firewall system). Linux is not used natively on any of - our other systems except for an HP mini - which runs HP Mobile Internet Experience (MIE) -- essentially - Ubuntu Hardy. I rather run Windows natively (either Vista Home Premium or - XP Professional) and run Linux in VMs under VirtualBox. This approach has a number of advantages: @@ -122,11 +104,6 @@ All DRM-protected media can be handled under Windows. - - - Websites that don't work with Firefox (or at least with Linux - Firefox) - VirtualBox is fast (when your processor supports virtualization @@ -138,34 +115,31 @@ Our network is diagrammed in the following graphic. - + - We have accounts with two different ISPs: + We have two accounts with Comcast: - Comcast + ComcastC - This is a high-speed (20mb/4mb) link with a single dynamic IPv4 + This is a high-speed (40mb/8mb) link with a single dynamic IPv4 address. We are not allowed to run servers accessible through this account. - Avvanta + ComcastB - This is a low-speec (1.5mb/384kbit) link with five static IP - address. Our servers are accessed through this account. + Comcast Business Class Service with a /29 + (70.90.191.120/29). The wired local network is restricted to my home office. The - wireless network is managed by a Linksys WRT300N pre-N router which we use - only as an access point -- its WAN interface is unused and it is - configured to not do NAT. The wireless network uses WPA2 personal security - and MAC filtering is enabled in the router. These two factors make it a - hassle when guests visit with a laptop but provide good security for the - network. + wireless network is managed by a wireless router which we use only as an + access point -- its WAN interface is unused and it is configured to not do + NAT. The wireless network uses WPA2 personal security.
@@ -174,30 +148,55 @@ This section contains excerpts from the Shorewall configuration. - It is important to keep in mind that parts of my configuration are - there just to provide a test bed for Shorewall features. So while they - show correct usage, they don't necessarily provide any useful benefit. I - have tried to point those out in the sub-sections that follow. +
+ /etc/shorewall/mirrors + + MIRRORS=62.216.169.37,\ +62.216.184.105,\ +63.229.2.114,\ +... + + Defines the IP addresses of the Shorewall mirror sites. +
/etc/shorewall/params - MIRRORS=62.216.169.37,\ -63.229.2.114,\ -... -NTPSERVERS=... + INCLUDE mirrors -POPSERVERS=... +LOG="NFLOG(0,0,1)" -LOG=ULOG +INT_IF=eth0 +TUN_IF=tun+ +COMB_IF=eth2 +COMC_IF=eth1 -INT_IF=eth1 -EXT_IF=eth2 -COM_IF=eth0 -VPS_IF=venet0As shown, this file defines variables to hold - the various lists of IP addresses that I need to maintain. To simplify - network reconfiguration, I also use variables to define the log level - and the network interfaces. +MYNET=70.90.191.120/29 #External IP addresses handled by this router +DMZ_NET=70.90.191.124/31 +FW_NET=70.90.191.120/30 +INT_NET=172.20.1.0/24 +DYN_NET=$(find_first_interface_address_if_any $COMC_IF) +SMC_ADDR=10.1.10.11 + +[ -n "${DYN_NET:=67.170.122.219}" ] + +DYN_NET=${DYN_NET}/32 + +DMZ=fw:$DMZ_NET + +LISTS=:70.90.191.124 +SERVER=:70.90.191.125 +MAIL=172.20.1.200 + +PROXY=Yes +STATISTICAL=Yes +SQUID2=Yes + +[ -n "${EXPERIMENTAL:=0}" ] +As shown, this file defines variables to hold the various + lists of IP addresses that I need to maintain. To simplify network + reconfiguration, I also use variables to define the log level and the + network interfaces.
@@ -206,293 +205,425 @@ VPS_IF=venet0As shown, this file defines variables to hold ############################################################################### # S T A R T U P E N A B L E D ############################################################################### + STARTUP_ENABLED=Yes + ############################################################################### -# V E R B O S I T Y +# V E R B O S I T Y ############################################################################### -VERBOSITY=0 -############################################################################### -# C O M P I L E R -# (setting this to 'perl' requires installation of Shorewall-perl) -############################################################################### -SHOREWALL_COMPILER=perl + +VERBOSITY=1 + ############################################################################### # L O G G I N G ############################################################################### -LOGFILE=/var/log/ulog/syslogemu.log -STARTUP_LOG=/var/log/shorewall-init.log -LOG_VERBOSITY=2 -LOGFORMAT="%s:%s:" -LOGTAGONLY=No -LOGRATE= -LOGBURST= + +BLACKLIST_LOG_LEVEL=none + +INVALID_LOG_LEVEL= + +LOG_BACKEND=ULOG + +LOG_MARTIANS=Yes + +LOG_VERBOSITY=1 + LOGALLNEW= -BLACKLIST_LOGLEVEL= -MACLIST_LOG_LEVEL= -TCP_FLAGS_LOG_LEVEL=$LOG -SMURF_LOG_LEVEL=$LOG -LOG_MARTIANS=No + +LOGFILE=/var/log/ulogd/ulogd.syslogemu.log + +LOGFORMAT=": %s %s" + +LOGTAGONLY=Yes + +LOGLIMIT="s:5/min" + +MACLIST_LOG_LEVEL="$LOG" + +RELATED_LOG_LEVEL="$LOG" + +RPFILTER_LOG_LEVEL=info + +SFILTER_LOG_LEVEL="$LOG" + +SMURF_LOG_LEVEL="$LOG" + +STARTUP_LOG=/var/log/shorewall-init.log + +TCP_FLAGS_LOG_LEVEL="$LOG" + +UNTRACKED_LOG_LEVEL= + ############################################################################### # L O C A T I O N O F F I L E S A N D D I R E C T O R I E S ############################################################################### -IPTABLES= + +ARPTABLES= + +CONFIG_PATH="/etc/shorewall:/etc/shorewall-common:/usr/share/shorewall:/usr/share/shorewall/Shorewall" + +GEOIPDIR=/usr/share/xt_geoip/LE + +IPTABLES=/sbin/iptables + +IP=/sbin/ip + IPSET= -PATH=/usr/local/sbin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin -SHOREWALL_SHELL=/bin/sh -SUBSYSLOCK= + +LOCKFILE=/var/lib/shorewall/lock + MODULESDIR= -CONFIG_PATH=/etc/shorewall:/usr/share/shorewall + +NFACCT= + +PATH="/usr/local/sbin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin" + +PERL=/usr/bin/perl + RESTOREFILE= -IPSECFILE=zones -LOCKFILE= + +SHOREWALL_SHELL=/bin/bash + +SUBSYSLOCK= + +TC= + ############################################################################### # D E F A U L T A C T I O N S / M A C R O S ############################################################################### -DROP_DEFAULT="Drop" -REJECT_DEFAULT="Reject" -ACCEPT_DEFAULT="none" -QUEUE_DEFAULT="none" + +ACCEPT_DEFAULT=none +DROP_DEFAULT=Drop +NFQUEUE_DEFAULT=none +QUEUE_DEFAULT=none +REJECT_DEFAULT=Reject + ############################################################################### # R S H / R C P C O M M A N D S ############################################################################### -RSH_COMMAND='ssh ${root}@${system} ${command}' + RCP_COMMAND='scp ${files} ${root}@${system}:${destination}' +RSH_COMMAND='ssh ${root}@${system} ${command}' + ############################################################################### # F I R E W A L L O P T I O N S ############################################################################### -IP_FORWARDING=Yes + +ACCOUNTING=Yes + +ACCOUNTING_TABLE=mangle + ADD_IP_ALIASES=No + ADD_SNAT_ALIASES=No -RETAIN_ALIASES=No -TC_ENABLED=Internal -TC_EXPERT=No -CLEAR_TC=Yes -MARK_IN_FORWARD_CHAIN=Yes -CLAMPMSS=Yes -ROUTE_FILTER=No -DETECT_DNAT_IPADDRS=Yes -MUTEX_TIMEOUT=60 + ADMINISABSENTMINDED=Yes -BLACKLISTNEWONLY=Yes -DELAYBLACKLISTLOAD=No -MODULE_SUFFIX=ko -DONT_LOAD= -DISABLE_IPV6=No -BRIDGING=No -DYNAMIC_ZONES=No -PKTTYPE=No -MACLIST_TABLE=mangle -MACLIST_TTL=60 -SAVE_IPSETS=No -MAPOLDACTIONS=No -FASTACCEPT=No -IMPLICIT_CONTINUE=Yes -HIGH_ROUTE_MARKS=Yes -USE_ACTIONS=Yes -OPTIMIZE=1 -EXPORTPARAMS=Yes -EXPAND_POLICIES=Yes -KEEP_RT_TABLES=No + +BASIC_FILTERS=No + +IGNOREUNKNOWNVARIABLES=No + +AUTOCOMMENT=Yes + +AUTOHELPERS=Yes + +AUTOMAKE=Yes + +BLACKLIST="NEW,INVALID,UNTRACKED" + +CHAIN_SCRIPTS=No + +CLAMPMSS=Yes + +CLEAR_TC=Yes + +COMPLETE=No + +DEFER_DNS_RESOLUTION=No + DELETE_THEN_ADD=No -MULTICAST=Yes -AUTO_COMMENT=Yes + +DETECT_DNAT_IPADDRS=No + +DISABLE_IPV6=No + +DONT_LOAD="nf_nat_sip,nf_conntrack_sip,nf_conntrack_h323,nf_nat_h323" + +DYNAMIC_BLACKLIST=Yes + +EXPAND_POLICIES=Yes + +EXPORTMODULES=Yes + +FASTACCEPT=Yes + +FORWARD_CLEAR_MARK=Yes + +HELPERS="ftp,irc" + +IMPLICIT_CONTINUE=No + +INLINE_MATCHES=Yes + +IPSET_WARNINGS=No + +IP_FORWARDING=Yes + +KEEP_RT_TABLES=Yes + +LEGACY_FASTSTART=Yes + +LOAD_HELPERS_ONLY=Yes + +MACLIST_TABLE=mangle + +MACLIST_TTL=60 + MANGLE_ENABLED=Yes -NULL_ROUTE_RFC1918=Yes -USE_DEFAULT_RT=No + +MAPOLDACTIONS=No + +MARK_IN_FORWARD_CHAIN=No + +MODULE_SUFFIX="ko ko.xz" + +MULTICAST=No + +MUTEX_TIMEOUT=60 + +NULL_ROUTE_RFC1918=unreachable + +OPTIMIZE=All + +OPTIMIZE_ACCOUNTING=No + +REJECT_ACTION=RejectAct + +REQUIRE_INTERFACE=No + RESTORE_DEFAULT_ROUTE=No -FAST_STOP=Yes -AUTOMAKE=No -LOG_MARTIANS=Yes -WIDE_TC_MARKS=Yes + +RESTORE_ROUTEMARKS=Yes + +RETAIN_ALIASES=No + +ROUTE_FILTER=No + +SAVE_ARPTABLES=Yes + +SAVE_IPSETS=ipv4 + +TC_ENABLED=No + +TC_EXPERT=No + +TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2" + +TRACK_PROVIDERS=Yes + +TRACK_RULES=No + +USE_DEFAULT_RT=Yes + +USE_PHYSICAL_NAMES=Yes + +USE_RT_NAMES=Yes + +WARNOLDCAPVERSION=Yes + +WORKAROUNDS=No + +ZONE2ZONE=- + ############################################################################### # P A C K E T D I S P O S I T I O N ############################################################################### + BLACKLIST_DISPOSITION=DROP + +INVALID_DISPOSITION=CONTINUE + MACLIST_DISPOSITION=ACCEPT + +RELATED_DISPOSITION=REJECT + +RPFILTER_DISPOSITION=DROP + +SMURF_DISPOSITION=DROP + +SFILTER_DISPOSITION=DROP + TCP_FLAGS_DISPOSITION=DROP -I don't believe that there is anything remarkable - there + +UNTRACKED_DISPOSITION=DROP + +################################################################################ +# P A C K E T M A R K L A Y O U T +################################################################################ + +TC_BITS=8 + +PROVIDER_BITS=2 + +PROVIDER_OFFSET=16 + +MASK_BITS=8 + +ZONE_BITS=0 + +################################################################################ +# L E G A C Y O P T I O N +# D O N O T D E L E T E O R A L T E R +################################################################################ + +IPSECFILE=zonesI don't believe that there is anything + remarkable there
/etc/shorewall/actions - #ACTION -Mirrors # Accept traffic from Shorewall Mirrors -I make this into an action so the rather long list of rules - go into their own chain. + Mirrors # Accept traffic from Shorewall Mirrors +SSHLIMIT +SSH_BL +tarpit inline # Wrapper for TARPIT + +
/etc/shorewall/action.Mirrors - #TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE -# PORT PORT(S) DEST LIMIT -COMMENT Accept traffic from Mirrors -ACCEPT $MIRRORS -See the rules file -- this - action is used for rsync traffic. + #TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE +# PORT PORT(S) DEST LIMIT +?COMMENT Accept traffic from Mirrors +?FORMAT 2 +DEFAULTS - +$1 $MIRRORS +I make this into an action so the rather long list of rules + go into their own chain. See the rules file + -- this action is used for rsync traffic. +
+ +
+ /etc/shorewall/action.tarpit + + #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH HELPER +# PORT PORT(S) DEST LIMIT GROUP +$LOG { rate=s:1/min } +TARPIT + + +
/etc/shorewall/zones fw firewall -loc ipv4 #Local Zone -dmz ipv4 #DMZ -net ipv4 #Internet -vpn:loc,net ipsec #IPSEC -drct:loc ipv4 #Direct internet accessThe - vpn zone is mostly for testing - Shorewall IPSEC support. It is nested in loc and net to - test a feature added in Shorewall 4.4.0. The drct zone is a dynamic zone whose members bypass - the transparent proxy. Some applications (such as VirtualBox - registration) don't work through the proxy. +loc ip #Local Zone +net ipv4 #Internet +dmz ipv4 #LXC Containers +smc:net ip #10.0.1.0/24 +
/etc/shorewall/interfaces #ZONE INTERFACE BROADCAST OPTIONS -loc $INT_IF detect dhcp,logmartians=1,routefilter=1,tcpflags -dmz $VPS_IF detect logmartians=1,routefilter=0,routeback -net $EXT_IF detect dhcp,blacklist,tcpflags,optional,routefilter=0,nosmurfs,logmartians=0,proxyarp=1 -net $COM_IF detect dhcp,blacklist,tcpflags,optional,upnp,routefilter=0,nosmurfs,logmartians=0 -loc tun+ detectNotice that VPN clients are treated - the same as local hosts. - - I set the proxyarp option on - $EXT_IF so that - - - - The firewall will respond to ARP who-has requests for the - servers in the DMZ. - - - - To keep OpenVZ happy (it issues dire warnings if the option is - not set on the associated external interface). - - +loc INT_IF dhcp,physical=$INT_IF,ignore=1,wait=5,routefilter,nets=172.20.1.0/24,routeback,tcpflags=0 +net COMB_IF optional,sourceroute=0,routefilter=0,arp_ignore=1,proxyarp=0,physical=$COMB_IF,upnp,nosmurfs,tcpflags +net COMC_IF optional,sourceroute=0,routefilter=0,arp_ignore=1,proxyarp=0,physical=$COMC_IF,upnp,nosmurfs,tcpflags,dhcp +dmz br0 routeback,proxyarp=1,required,wait=30 +- ifb0 ignore +
/etc/shorewall/hosts #ZONE HOST(S) OPTIONS -vpn $EXT_IF:0.0.0.0/0 -vpn $COM_IF:0.0.0.0/0 -vpn $INT_IF:0.0.0.0/0 -drct $INT_IF:dynamicThe vpn zone includes ipsec hosts interfacing from - either external interface as well as the local interface. drct is defined as dynamic through the local - interface (recall that it is a sub-zone of loc). +smc COMB_IF:10.1.10.0/24 mss=1400 +smc COMC_IF:10.0.0.0/24 +
/etc/shorewall/policy - #SOURCE DEST POLICY LOG LIMIT:BURST -# LEVEL -$FW dmz REJECT $LOG + #SOURCE DEST POLICY LOG LIMIT:BURST +# LEVEL +$FW dmz REJECT $LOG +$FW net REJECT $LOG +?else +$FW dmz REJECT $LOG +$FW net REJECT $LOG $FW all ACCEPT -loc net ACCEPT - -loc fw ACCEPT -loc vpn ACCEPT -vpn fw ACCEPT -vpn loc ACCEPT +smc loc ACCEPT +smc fw CONTINUE +smc net NONE +loc smc ACCEPT +loc net ACCEPT +loc fw REJECT $LOG net net NONE -net all DROP $LOG 8/sec:30 -dmz fw REJECT $LOG -all fw DROP $LOG -all all REJECT $LOGI'm a bit - sloppy with my fw<->loc policies -- I should fix that - someday... +net smc NONE +net all DROP:Drop $LOG 8/sec:30 +dmz fw REJECT:Reject $LOG +all all REJECT:Reject $LOG +
/etc/shorewall/accounting - #ACTION CHAIN SOURCE DESTINATION PROTO DEST SOURCE USER/ -# PORT(S) PORT(S) GROUP -hp:COUNT accounting $COM_IF $INT_IF:172.20.1.107 UDP -hp:COUNT accounting $INT_IF:172.20.1.107 $COM_IF UDP -DONE hp + #ACTION CHAIN SOURCE DESTINATION PROTO DEST SOURCE USER/ MARK IPSEC +# PORT(S) PORT(S) GROUP +?COMMENT +?SECTION PREROUTING +?SECTION INPUT +ACCOUNT(fw-net,$FW_NET) - COMB_IF +COUNT - COMB_IF - tcp - 80 +COUNT - COMC_IF - tcp - 80 +COUNT - br0:70.90.191.124 - tcp 80 = -mail:COUNT - $EXT_IF $VPS_IF:206.124.146.0/24 tcp 25 -mail:COUNT - $VPS_IF:206.124.146.0/24 $EXT_IF tcp 25 -DONE mail +?SECTION OUTPUT +ACCOUNT(fw-net,$FW_NET) - - COMB_IF +COUNT - - COMB_IF tcp 80 +COUNT - - COMC_IF tcp 80 -web - $EXT_IF $VPS_IF:206.124.146.0/24 tcp 80 -web - $EXT_IF $VPS_IF:206.124.146.0/24 tcp 443 -web - $VPS_IF:206.124.146.0/24 $EXT_IF tcp - 80 -web - $VPS_IF:206.124.146.0/24 $EXT_IF tcp - 443 +?SECTION FORWARD +ACCOUNT(dmz-net,$DMZ_NET) - br0 COMB_IF +ACCOUNT(dmz-net,$DMZ_NET) - COMB_IF br0 +ACCOUNT(loc-net,$INT_NET) - COMB_IF INT_IF +ACCOUNT(loc-net,$INT_NET) - INT_IF COMB_IF -COUNT web $EXT_IF $VPS_IF:206.124.146.0/24 -COUNT web $VPS_IF:206.124.146.0/24 $EXT_IF -The accounting chains are as follows: - - - - hp - - Counts traffic to/from my work laptop to HP. The VPN users - NAT-Traversal (UDP 4500) so I just count all UDP traffic to/from my - work system. - - - - mail - - Incoming and outgoing email - - - - web - - Website traffic (both HTTP and HTTPS) - - +
- /etc/shorewall/blacklist + /etc/shorewall/blrules - #ADDRESS/SUBNET PROTOCOL PORT -- udp 1024:1033,1434 -- tcp 57,1433,1434,2401,2745,3127,3306,3410,4899,5554,6101,8081,9898This - configuration silently drops a few ports that get lots of - traffic. -
- -
- /etc/shorewall/compile - - use strict; -use Shorewall::Chains; - -my $chainref = ensure_manual_chain qw/DNS_DDoS/; - -add_rule $chainref, q(-m string --algo bm --from 30 --to 31 --hex-string "|010000010000000000000000020001|" -j DROP); -add_rule $chainref, q(-m string --algo bm --from 30 --to 31 --hex-string "|000000010000000000000000020001|" -j DROP); -add_rule $chainref, q(-j ACCEPT); - -1;The above was created during a recent DDOS incident that - targeted DNS servers. It illustrates how manual chains can be - created. + WHITELIST net:70.90.191.126 all +BLACKLIST net:+blacklist all +BLACKLIST net all udp 1023:1033,1434,5948,23773 +DROP net all tcp 57,1433,1434,2401,2745,3127,3306,3410,4899,5554,5948,6101,8081,9898,23773 +DROP net:63.149.127.103 all +DROP net:175.143.53.113 all +DROP net:121.134.248.190 all +REJECT net:188.176.145.22 dmz tcp 25 +DROP net fw udp 111 +Invalid(DROP) net all
/etc/shorewall/findgw - if [ -f /var/lib/dhcp3/dhclient.${1}.leases ]; then - grep 'option routers' /var/lib/dhcp3/dhclient.${1}.leases | tail -n 1 | while read j1 j2 gateway; do echo $gateway | sed 's/;//'; return 0; done -fiThe Comcast line has a dynamic IP address assigned with the + if [ -f /var/lib/dhcpcd/dhcpcd-eth1.info ]; then + . /var/lib/dhcpcd/dhcpcd-eth1.info + echo $GATEWAY +fi +The Comcast line has a dynamic IP address assigned with the help of dhclient.
@@ -512,68 +643,144 @@ return $statusFor use with /etc/shorewall/lib.private start_lsm() { + # + # Kill any existing lsm process(es) + # killall lsm 2> /dev/null + # + # Create the Shorewall-specific part of the LSM configuration. This file is + # included by /etc/lsm/lsm.conf + # + # ComcastB has a static gateway while ComcastC's is dynamic + # cat <<EOF > /etc/lsm/shorewall.conf connection { - name=Avvanta - checkip=206.124.146.254 - device=$EXT_IF - ttl=2 + name=ComcastB + checkip=76.28.230.1 + device=$COMB_IF + ttl=2 } connection { - name=Comcast - checkip=${ETH0_GATEWAY:-71.231.152.1} - device=$COM_IF - ttl=1 + name=ComcastC + checkip=76.28.230.188 + device=$COMC_IF + ttl=3 } EOF - rm -f /etc/shorewall/*.status - /usr/sbin/lsm /etc/lsm/lsm.conf >> /var/log/lsm -} -This function configures and starts This function configures and starts lsm.
/etc/shorewall/masq - #INTERFACE SOURCE ADDRESS + #INTERFACE SOURCE ADDRESS PROTO -COMMENT Masquerade Local Network -$COM_IF 0.0.0.0/0 -$EXT_IF !206.124.146.0/24 206.124.146.179 -All connections out through Comcast must have the dynamically - assigned address as their source address. Traffic from hosts without an - Avvanta public IP address get 206.124.146.179 as their source - address. +?COMMENT Use the SMC's local net address when communicating with that net + +COMB_IF:10.1.10.0/24 0.0.0.0/0 %{SMC_ADDR} + +?COMMENT Masquerade Local Network + +COMB_IF !70.90.191.120/29 70.90.191.121 ; -m statistic --mode random --probability 0.50 +COMB_IF !70.90.191.120/29 70.90.191.123 +COMC_IF 0.0.0.0/0 +#INT_IF:172.20.1.15 172.20.1.0/24 172.20.1.254 + +br0 70.90.191.120/29 70.90.191.121 tcp 80 +I split connections out of COMB_IF between the two IP + addresses configured on the interface.
- /etc/shorewall/notrack + /etc/shorewall/conntrack - #SOURCE DESTINATION PROTO DEST SOURCE USER/ -# PORT(S) PORT(S) GROUP -net:!192.88.99.1 - 41 -dmz 206.124.146.255 udp -dmz 255.255.255.255 udp -loc 172.20.1.255 udp -loc 255.255.255.255 udp -$FW 255.255.255.255 udp -$FW 172.20.1.255 udp -$FW 206.124.146.255 udpThis file omits the - 6to4 traffic originating from 6to4 relays as well as broadcast traffic - (which Netfilter doesn't handle). + ?FORMAT 2 +#ACTION SOURCE DESTINATION PROTO DEST SOURCE USER/ +# PORT(S) PORT(S) GROUP +# +DROP net - udp 3551 +NOTRACK net - tcp 23 +NOTRACK loc 172.20.1.255 udp +NOTRACK loc 255.255.255.255 udp +NOTRACK $FW 255.255.255.255 udp +NOTRACK $FW 172.20.1.255 udp +NOTRACK $FW 70.90.191.127 udp +NOTRACK net:192.88.99.1 - +NOTRACK $FW 192.88.99.1 + +?if $AUTOHELPERS +?if __CT_TARGET && __AMANDA_HELPER +CT:helper:amanda all - udp 10080 +?endif +?if __CT_TARGET && __FTP_HELPER +CT:helper:ftp all - tcp 21 +?endif +?if __CT_TARGET && __H323_HELPER +CT:helper:RAS all - udp 1719 +CT:helper:Q.931 all - tcp 1720 +?endif +?if __CT_TARGET && __IRC_HELPER +CT:helper:irc all - tcp 6667 +?endif +?if __CT_TARGET && __NETBIOS_NS_HELPER +CT:helper:netbios-ns all - udp 137 +?endif +?if __CT_TARGET && __PPTP_HELPER +CT:helper:pptp all - tcp 1729 +?endif +?if __CT_TARGET && __SANE_HELPER +CT:helper:sane all - tcp 6566 +?endif +#?if __CT_TARGET && __SIP_HELPER +#CT:helper:sip all - udp 5060 +#?endif +?if __CT_TARGET && __SNMP_HELPER +CT:helper:snmp all - udp 161 +?endif +?if __CT_TARGET && __TFTP_HELPER +CT:helper:tftp all - udp 69 +?endif +?endif +This file omits the 6to4 traffic originating from 6to4 relays + as well as broadcast traffic (which Netfilter doesn't handle).
/etc/shorewall/providers - #NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY -Avvanta 1 0x10000 main $EXT_IF 206.124.146.254 track,loose,fallback $INT_IF,$VPS_IF,tun* -Comcast 2 0x20000 main $COM_IF detect track,balance $INT_IF,$VPS_IF,tun*See - the Multi-ISP article for an explaination of - the multi-ISP aspects of this configuration. + #NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY +?IF $STATISTICAL +ComcastB 1 0x10000 - COMB_IF 70.90.191.126 loose,load=0.66666667,fallback +ComcastC 2 0x20000 - COMC_IF detect loose,load=0.33333333 +?ELSE +ComcastB 1 0x10000 - COMB_IF 70.90.191.126 nohostroute,loose,balance=2 +ComcastC 2 0x20000 - COMC_IF detect nohostroute,loose,balance +?ENDIF +?IF $PROXY && ! $SQUID2 +TProxy 3 - - lo - tproxy +?ENDIF +root@gateway:/etc/shorewall# +See the Multi-ISP article for an + explaination of the multi-ISP aspects of this configuration.
@@ -599,154 +806,261 @@ chmod 744 ${VARDIR}/stateIf lsm isn't running then start it. /etc/shorewall/rtrules #SOURCE DEST PROVIDER PRIORITY - -- 172.20.0.0/24 main 1000 #OpenVPN clients -- 206.124.146.177 main 1001 #Servers -- Routes configured by OpenVZ -- 206.124.146.178 main 1001 # -- 216.168.3.44 Avvanta 1001 #NNTP -- Does source IP verification -206.124.146.176/30 - Avvanta 26000 #Avvanta public IP addresses -206.124.146.180 - Avvanta 26000 #These +70.90.191.121,\ +70.90.191.123 - ComcastB 1000 +&COMC_IF - ComcastC 1000 +br0 - ComcastB 11000 +172.20.1.191 - ComcastB 1000These entries simply ensure that outgoing traffic uses the correct interface.
- /etc/shorewall/routestopped + /etc/shorewall/stoppedrules - #INTERFACE HOST(S) OPTIONS PROTO -$INT_IF 172.20.1.0/24 source,dest -$VPS_IF 206.124.146.177,206.124.146.178 -$EXT_IF - notrack 41Keep + #TARGET HOST(S) DEST PROTO DEST SOURCE +# PORT(S) PORT(S) +ACCEPT INT_IF:172.20.1.0/24 $FW +NOTRACK COMB_IF - 41 +NOTRACK $FW COMB_IF 41 +ACCEPT COMB_IF $FW 41 +ACCEPT COMC_IF $FW udp 67:68Keep the lights on while Shorewall is stopped.
/etc/shorewall/rules - ############################################################################################################################################################################### -#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ -# PORT PORT(S) DEST LIMIT GROUP -############################################################################################################################################################################### -SECTION ESTABLISHED -SECTION RELATED -SECTION NEW + ################################################################################################################################################################################################ +#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH +# PORT(S) PORT(S) DEST LIMIT GROUP +################################################################################################################################################################################################ +?if $VERSION < 40500 +?SHELL echo " ERROR: Shorewall version is too low" >&2; exit 1 +?endif -REJECT:$LOG loc net tcp 25 #Stop direct loc->net SMTP (Comcast uses submission). -REJECT:$LOG loc net udp 1025:1031 #MS Messaging +?begin perl +1; +?end perl -COMMENT Stop NETBIOS crap +?SECTION ALL -REJECT loc net tcp 137,445 -REJECT loc net udp 137:139 +#ACCEPT net:smc.shorewall.net $FW +#RST(LOG) all all -COMMENT Stop my idiotic work laptop from sending to the net with an HP source IP address +?SECTION ESTABLISHED -DROP loc:!172.20.0.0/23 net +#SSH(REJECT) net loc:1.2.3.4 { time=timestart=18:48 } -COMMENT -############################################################################################################################################################################### -# Local Network to Firewall +?SECTION RELATED +ACCEPT all dmz:70.90.191.125 tcp 61001:62000 { helper=ftp } +ACCEPT dmz all tcp { helper=ftp } +ACCEPT all net tcp { helper=ftp } +ACCEPT all all icmp +RST(ACCEPT) all all tcp +ACCEPT dmz dmz +ACCEPT $FW all + +?SECTION INVALID +DROP net all +?SECTION UNTRACKED + +ACCEPT net:192.88.99.1 $FW 41 +tarpit net all tcp 23 + +Broadcast(ACCEPT)\ + all $FW +ACCEPT all $FW udp +CONTINUE loc $FW +CONTINUE $FW all + +?SECTION NEW + +DNSAmp(ACCEPT) loc fw +REJECT:$LOG loc net tcp 25 #Stop direct loc->net SMTP (Comcast uses submission). +REJECT:$LOG loc net udp 1025:1031 #MS Messaging + +?COMMENT Stop NETBIOS crap + +REJECT all net tcp 137,445 +REJECT all net udp 137:139 + +?COMMENT Disallow port 333 + +REJECT all net tcp 3333 + +?COMMENT Stop Teredo + +REJECT all net udp 3544 + +?COMMENT Stop my idiotic work laptop from sending to the net with an HP source IP address + +{ action=DROP, source=loc:!172.20.0.0/22, dest=net } # + +?COMMENT + +#dropInvalid net all tcp +################################################################################################################################################################################################ +# Local network to DMZ # -NONAT drct - -REDIRECT- loc 3128 tcp 80 - !66.199.187.46,172.20.1.108,206.124.146.177,155.98.64.80,81.19.16.0/21 -############################################################################################################################################################################### -# Local network to DMZ +DNAT loc dmz:70.90.191.125 tcp www - 70.90.191.123 +ACCEPT loc dmz tcp ssh,smtp,465,548,587,www,ftp,imaps,https,5901:5903 +ACCEPT loc dmz udp 3478:3479,33434:33524 +################################################################################################################################################################################################ +# SMC network to DMZ # -ACCEPT loc dmz udp domain,177 -ACCEPT loc dmz tcp ssh,smtp,465,587,www,ftp,imaps,domain,https,5901:5903 - -ACCEPT loc dmz udp 33434:33524 -############################################################################################################################################################################### +ACCEPT smc dmz tcp ssh,smtp,465,587,www,ftp,imaps,https,5901:5903 +ACCEPT smc dmz udp 33434:33524 +################################################################################################################################################################################################ +# SMC network to LOC +# +################################################################################################################################################################################################ +# Local Network to Firewall +# + +?IF $SQUID2 +REDIRECT loc 3128 tcp 80 {origdest="!172.20.1.0/24,70.90.191.120/29,155.98.64.80,81.19.16.0/21,10.1.10.1"} +?ENDIF + +ACCEPT loc fw udp 53,111,123,177,192,631,1024: +SMB(ACCEPT) loc fw +ACCEPT loc fw tcp 22,53,80,111,229,548,2049,3000,32765:61000 +ACCEPT loc fw tcp 3128 +mDNS(ACCEPT) loc fw +ACCEPT loc fw tcp 5001 + +ACCEPT loc:172.20.2.149 fw tcp 3551 #APCUPSD + +################################################################################################################################################################################################ +# SMC Network to Firewall +# +ACCEPT smc fw udp 53,111,123,177,192,631,1024: +SMB(ACCEPT) smc fw +ACCEPT smc fw tcp 22,53,111,548,2049,3000,3128,32765:32768,49152 +mDNS(ACCEPT) smc fw +################################################################################################################################################################################################ +# SMC Network to multiple destinations +# +Ping(ACCEPT) smc dmz,fw +################################################################################################################################################################################################ +# Local Network to Internet +#REJECT:info loc net tcp 80,443 +################################################################################################################################################################################################ +# Local Network to multiple destinations +# +Ping(ACCEPT) loc dmz,fw +################################################################################################################################################################################################ # Internet to ALL -- drop NewNotSyn packets # -dropNotSyn net fw tcp -dropNotSyn net loc tcp -dropNotSyn net dmz tcp -############################################################################################################################################################################### -# Internet to DMZ +dropNotSyn net fw,loc,smc tcp +AutoBL(SSH,60,-,-,-,-,$LOG)\ + net all tcp 22 +################################################################################################################################################################################################ +# Internet to DMZ # -DNS_DDoS net dmz udp domain -ACCEPT net dmz tcp smtp,www,ftp,465,587,imaps,domain,https -ACCEPT net dmz udp 33434:33454 -Mirrors:none net dmz tcp 873 -ACCEPT net dmz tcp 22 - - s:ssh:3/min:3 -############################################################################################################################################################# -################# -# -# Net to Local -# -Limit:$LOG:SSHA,3,60\ - net loc tcp 22 -# -# BitTorrent from Wireless Network -# -#DNAT net:$COM_IF loc:172.20.1.102 tcp 6881:6889 -#DNAT net:$COM_IF loc:172.20.1.102 udp 6881 +ACCEPT net dmz udp 33434:33454 +ACCEPT net dmz tcp 25 - - smtp:2/min:4,mail:60/min:100 +DNAT- net 70.90.191.125 tcp https - 70.90.191.123 +DNAT- net 70.90.191.125 tcp http - 70.90.191.123 +DNAT- all 172.20.2.44 tcp ssh - 70.90.191.123 +ACCEPT net dmz:70.90.191.122 tcp https,imaps +ACCEPT net dmz:70.90.191.124 tcp http,https,465,587,imaps +ACCEPT net dmz:70.90.191.125 tcp http,ftp +Mirrors(ACCEPT:none)\ #Continuation test + net dmz tcp 873 +Ping(ACCEPT) net dmz +DROP net dmz tcp http,https +################################################################################################################################################################################################ # # UPnP # -forwardUPnP net loc +ACCEPT loc fw udp 1900 +forwardUPnP net loc # # Silently Handle common probes # -REJECT net loc tcp www,ftp,https -DROP net loc icmp 8 -############################################################################################################################################################################### +REJECT net loc tcp www,ftp,https +DROP net loc icmp 8 +################################################################################################################################################################################################ +# DMZ to DMZ +# +################################################################################################################################################################################################ +DNAT dmz dmz:70.90.191.125:80 tcp 80 - 70.90.191.121 # DMZ to Internet # -ACCEPT dmz net udp domain,ntp -REJECT dmz net:$COM_IF tcp smtp -ACCEPT dmz net tcp echo,ftp,ssh,smtp,whois,domain,www,81,nntp,https,2401,2702,2703,8080 -ACCEPT dmz net:$POPSERVERS tcp pop3 +ACCEPT dmz net udp ntp,domain +ACCEPT dmz net tcp domain,echo,ftp,ssh,smtp,whois,www,81,nntp,https,993,465,587,2401,2702,2703,5901,8080,9418,11371 # # Some FTP clients seem prone to sending the PORT command split over two packets. This prevents the FTP connection tracking -# code from processing the command and setting up the proper expectation. The following rule allows active FTP to work in these cases +# code from processing the command and setting up the proper expectation +# The following rule allows active FTP to work in these cases # but logs the connection so I can keep an eye on this potential security hole. # -ACCEPT:$LOG dmz net tcp 1024: 20 -############################################################################################################################################################################### -# DMZ to Local +ACCEPT:$LOG dmz net tcp 1024: 20 + +Ping(ACCEPT) dmz all +################################################################################################################################################################################################ +# DMZ to fw # -ACCEPT dmz loc tcp 22 - - s:ssh:3/min:3 -############################################################################################################################################################################### -# DMZ to Firewall -- ntp & snmp Silently reject Auth -# -ACCEPT dmz fw tcp 161,ssh -ACCEPT dmz fw udp 161,ntp -REJECT dmz fw tcp auth -############################################################################################################################################################################### +DNS(ACCEPT) dmz $FW +HTTP(ACCEPT) dmz $FW +Ping(ACCEPT) dmz $FW +################################################################################################################################################################################################ # Internet to Firewall # -REJECT net fw tcp www,ftp,https -DROP net fw icmp 8 -ACCEPT net fw udp 33434:33454 -ACCEPT net fw tcp 22 - - s:ssh:3/min:3 -ACCEPT net fw udp 33434:33524 -############################################################################################################################################################################### + +REJECT net fw tcp www,ftp,https +ACCEPT net fw udp 3478:3479,33434:33454 +ACCEPT net fw tcp 22 - - s:ssh:1/min:3 +ACCEPT net fw tcp 51413 +?COMMENT IPv6 tunnel ping + +ACCEPT net fw:70.90.191.121,70.90.191.122/31\ + icmp 8 +ACCEPT net:COMC_IF fw icmp 8 + +?COMMENT + +################################################################################################################################################################################################ # Firewall to DMZ # -ACCEPT fw dmz tcp domain,www,ftp,ssh,smtp,https,993,465,587,5901 -ACCEPT fw dmz udp domain -REJECT fw dmz udp 137:139 -############################################################################################################################################################################## +ACCEPT fw dmz tcp www,ftp,ssh,smtp,https,465,587,993,3128,5901 +REJECT fw dmz udp 137:139 +Ping(ACCEPT) fw dmz +################################################################################################################################################################################################ +# Firewall to NET # -COMMENT Freenode Probes -DROP net:82.96.96.3,85.190.0.3 any -COMMENT -############################################################################################################################################################################## -# Allow Ping except where disallowed earlier +DNS(ACCEPT) fw net +NTP(ACCEPT) fw net +DNAT- fw 172.20.1.254:3128 tcp 80 - - - !:proxy +ACCEPT+ fw net tcp 43,80,443,3466 - - - - +ACCEPT fw net tcp 3128 - - - !:proxy +FTP(ACCEPT) fw net - - - - - proxy +Git(ACCEPT) fw net - - - - - teastep +ACCEPT fw net tcp 22 +NNTP(ACCEPT) fw net +Ping(ACCEPT) fw net +ACCEPT fw net udp 33434:33524 +#ACCEPT:info fw net - - - - - root +ACCEPT fw net tcp 25,143,993 - - - teastep +################################################################################################################################################################################################ # -ACCEPT any any icmp 8 +?COMMENT Freenode Probes +DROP net:\ + 82.96.96.3,\ + 85.190.0.3 any!loc,smc +?COMMENT +################################################################################################################################################################################################ +
/etc/shorewall/started - if [ -z "$(ps ax | grep 'lsm ' | grep -v 'grep ' )" ]; then + if [ "$COMMAND" = start -o -z "$(ps ax | grep 'lsm ' | grep -v 'grep ' )" ]; then start_lsm fi - -chmod 744 ${VARDIR}/stateIf lsm isn't running then start it. - Make the state file world-readable. +If lsm isn't running then start it.
@@ -760,109 +1074,14 @@ chmod 744 ${VARDIR}/stateKill lsm if the command is stop or clear. Make the state file world-readable.
-
- /etc/shorewall/tcdevices - - #INTERFACE IN-BANDWITH OUT-BANDWIDTH OPTIONS -$EXT_IF - 300kbit classify -$INT_IF - 80mbit classify -$COM_IF - 4mbit classify,hfsc -The use of HFSC on the Comcast link is largely to provide a - test bed for that qdisc; I really don't have any real-time requirement - such as VOIP. -
- -
- /etc/shorewall/tcclasses - - #INTERFACE MARK RATE CEIL PRIORITY OPTIONS -1:110 - full/4 full 1 tcp-ack,tos-minimize-delay -1:120 - full/4 full 2 flow=nfct-src -1:130 - full/4 230kbit 3 default,flow=nfct-src -1:140 - full/4 230kbit 4 flow=nfct-src - -2:10 - 95*full/100 full 1 flow=dst -2:100 - 14mbit 20mbit 2 -2:100:101 - 7mbit 20mbit 3 default,flow=dst -2:100:102 - 7mbit 20mbit 3 flow=dst - -3:10 - 2mbit:4ms full 1 flow=nfct-src -3:100 - 2mbit full 2 -3:100:101 - 1mbit full 3 default,flow=nfct-src -3:100:102 - 1mbit full 3 flow=nfct-src -Note that most of the outgoing bandwidth on the local - interface is allocated to one class. That class is used for local - traffic. -
- -
- /etc/shorewall/tcfilters - - #INTERFACE: SOURCE DEST PROTO DEST SOURCE TOS LENGTH -#CLASS PORT(S) PORT(S) - -# =============================== AVVANTA ==================================== -# -# Give Highest priority to LSM's pings to the gateway and to DNS queries -# -1:110 206.124.146.176 206.124.146.254 icmp -1:110 206.124.146.177 - udp 53 -# -# Second Highest priority to IPv6 Tunnel -# -1:120 206.124.146.180 -# -# Lowest priority to bulk traffic -# -1:140 206.124.146.177 - tcp - 873 - 2048 -1:140 206.124.146.177 - - - - tos-minimize-cost -The tcfilters file is only used for the Avvanta provider - because it has static public IP addresses. -
- -
- /etc/shorewall/tcrules - - #MARK SOURCE DEST PROTO PORT(S) CLIENT USER TEST LENGTH TOS -# PORT(S) - -COMMENT Shape incoming traffic - -# -# Most of the bandwidth is reserved for local traffic since the downlinks aren't that fast -# -2:10 206.124.146.176/30 $INT_IF -2:10 206.124.146.177 $INT_IF -2:10 172.20.1.254 $INT_IF -# -# Guarantee 1/2 of the incoming bandwidth for my work system -# -2:102 0.0.0.0/0 $INT_IF:172.20.1.107 - -COMMENT Shape outgoing traffic to Comcast -# -# Give 1/2 to my work system and add a latency guarantee -# -3:10 172.20.1.107 $COM_IF -# -# Restrict Torrent uploads -# -3:102 172.20.1.0/24 $COM_IF tcp - 6881:6889 -The tcrules file is used to classify traffic that deals with - the local network and/or with Comcast. -
-
/etc/shorewall/tunnels #TYPE ZONE GATEWAY GATEWAY # ZONE -openvpnserver:udp net -6to4 net -ipsec net -ipsec loc -ipip vpn 0.0.0.0/0The ipip tunnel from - the vpn zone handles IP compression on IPSEC connections. +6to4 net 216.218.226.238 +6to4 net 192.88.99.1 +
diff --git a/docs/images/Network2015.dia b/docs/images/Network2015.dia new file mode 100755 index 000000000..8f9336598 Binary files /dev/null and b/docs/images/Network2015.dia differ diff --git a/docs/images/Network2015.png b/docs/images/Network2015.png new file mode 100755 index 000000000..aaa7bd073 Binary files /dev/null and b/docs/images/Network2015.png differ diff --git a/docs/shorewall_quickstart_guide.xml b/docs/shorewall_quickstart_guide.xml index ac88d9b53..970ebd46e 100644 --- a/docs/shorewall_quickstart_guide.xml +++ b/docs/shorewall_quickstart_guide.xml @@ -71,29 +71,22 @@ running quickly in the three most common Shorewall configurations. If you want to learn more about Shorewall than is explained in these simple guides then the Shorewall Setup - Guide (Version - Française) is for you. + Guide is for you. - Standalone Linux System - (Version Française) (Russian Version) Version en Español + Standalone Linux + System Two-interface Linux - System acting as a firewall/router for a small local network - (Version Française) - (Russian - Version) + System acting as a firewall/router for a small local + network Three-interface Linux System acting as a firewall/router for a small local network - and a DMZ.. (Version - Française) (Russian - Version) + and a DMZ @@ -103,11 +96,10 @@ address The Shorewall Setup - Guide (Version - Française) outlines the steps necessary to set up a firewall - where there are multiple public IP addresses involved or if you want to - learn more about Shorewall than is explained in the single-address - guides above. + Guide outlines the steps necessary to set up a firewall where + there are multiple public IP addresses involved or if you want to learn + more about Shorewall than is explained in the single-address guides + above.