extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-08-19 05:01:47 +02:00
Code Issues Packages Projects Releases Wiki Activity

Documentation changes for 1.3.8

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@240 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep
2002-09-16 17:02:45 +00:00
parent da993d8c10
commit 342db2dd44
15 changed files with 6956 additions and 6220 deletions
Download Patch File Download Diff File Expand all files Collapse all files

434
STABLE/documentation/myfiles.htm
View File

@@ -1,297 +1,165 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>My Shorewall Configuration</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="Microsoft Theme" content="none">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
<tr>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">About My Network</font></h1>
</td>
</tr>
</table>
<blockquote> </blockquote>
<h1>My Current Network </h1>
<blockquote>
<p>
I have DSL service and have 5 static IP addresses (206.124.146.176-180).
My DSL "modem" (<a href="http://www.fujitsu.com">Fujitsu</a> Speedport) is connected to eth0. I have
a local network connected to eth2 (subnet 192.168.1.0/24) and a DMZ connected
to eth1 (192.168.2.0/24).<2E></p>
<p>
I use Static NAT for all internal systems (those connected to the switch) except my Wife's system (tarry)
and the Wireless Access Point (wap) which are
masqueraded through the primary gateway address (206.124.146.176).</p>
<p>
The firewall runs on a 128MB PII/233 with RH7.2 and Kernel 2.4.19.</p>
<p>
My personal GNU/Linux System (wookie) is 192.168.1.3 and my personal Windows XP system (ursa)
is 192.168.1.5. Wookie
runs Samba and acts as the a WINS server.&nbsp; Wookie is in its own 'whitelist' zone
called 'me'.</p>
<p>
My laptop (eastept1) is connected to eth3 using a cross-over cable. It runs its own <a href="http://www.sygate.com">
Sygate</a> firewall software and is managed by Proxy ARP. It connects to the
local network through the PopTop server running on my firewall. </p>
<p>
The single system in the DMZ (address 206.124.146.177) runs postfix, Courier
IMAP (imaps and pop3), DNS, a Web server (Apache) and an FTP server
(Pure-ftpd). The system also runs fetchmail to fetch our email from our
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">About My Network</font></h1>
</td>
</tr>
</tbody>
</table>
<blockquote> </blockquote>
<h1>My Current Network </h1>
<blockquote>
<p> I have DSL service and have 5 static IP addresses (206.124.146.176-180).
My DSL "modem" (<a href="http://www.fujitsu.com">Fujitsu</a> Speedport)
is connected to eth0. I have a local network connected to eth2 (subnet 192.168.1.0/24)
and a DMZ connected to eth1 (192.168.2.0/24).<2E></p>
<p> I use:<br>
</p>
<ul>
<li>Static NAT for ursa (my XP System) - Internal address 192.168.1.5
and external address 206.124.146.178.</li>
<li>Proxy ARP for wookie (my Linux System). This system has two IP addresses:
192.168.1.3/24 and 206.124.146.179/24.</li>
<li>SNAT through the primary gateway address (206.124.146.176) for<6F> my
Wife's system (tarry) and the Wireless Access Point (wap)</li>
</ul>
<p> The firewall runs on a 128MB PII/233 with RH7.2 and Kernel 2.4.19.</p>
<p> Wookie runs Samba and acts as the a WINS server.<2E> Wookie is in its
own 'whitelist' zone called 'me'.</p>
<p> My laptop (eastept1) is connected to eth3 using a cross-over cable.
It runs its own <a href="http://www.sygate.com"> Sygate</a> firewall software
and is managed by Proxy ARP. It connects to the local network through the
PopTop server running on my firewall. </p>
<p> The single system in the DMZ (address 206.124.146.177) runs postfix,
Courier IMAP (imaps and pop3), DNS, a Web server (Apache) and an FTP server
(Pure-ftpd). The system also runs fetchmail to fetch our email from our
old and current ISPs. That server is managed through Proxy ARP.</p>
<p>
The firewall system itself runs a DHCP server that serves the local network.</p>
<p>
All administration and publishing is done using ssh/scp.</p>
<p>
I run an SNMP server on my firewall to serve <a href="http://www.ee.ethz.ch/%7Eoetiker/webtools/mrtg/">
MRTG</a> running in the DMZ.</p>
<p align="center">
<img border="0" src="images/network.png" width="764" height="846"></p>
<p>&nbsp;</p>
<p>The ethernet interface in the Server is configured
with IP address 206.124.146.177, netmask
255.255.255.0. The server's default gateway is
206.124.146.254 (Router at my ISP. This is the same
default gateway used by the firewall itself). On the firewall,
Shorewall automatically adds a host route to
206.124.146.177 through eth1 (192.168.2.1) because of
the entry in /etc/shorewall/proxyarp (see below).</p>
<p>A similar setup is used on eth3 (192.168.3.1) which
interfaces to my laptop (206.124.146.180).</p>
<p><font color="#ff0000" size="5">
Note: My files use features not available before
Shorewall version 1.3.4.</font></p>
</blockquote>
<h3>Shorewall.conf</h3>
<pre> SUBSYSLOCK=/var/lock/subsys/shorewall
STATEDIR=/var/state/shorewall
LOGRATE=
LOGBURST=
ADD_IP_ALIASES=&quot;Yes&quot;
CLAMPMSS=Yes
MULTIPORT=Yes</pre>
<h3>Zones File:</h3>
<pre><font face="Courier" size="2"> #ZONE DISPLAY COMMENTS
net Internet Internet
me Eastep My Workstation
loc Local Local networks
dmz DMZ Demilitarized zone
tx Texas Peer Network in Dallas Texas
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</font></pre>
<h3>Interfaces File: </h3>
<blockquote>
<p>
This is set up so that I can start the firewall before bringing up my Ethernet
interfaces. </p>
</blockquote>
<pre><font face="Courier" size="2"> #ZONE INTERFACE BROADCAST OPTIONS
net eth0 206.124.146.255 routefilter,norfc1918,blacklist,filterping
loc eth2 192.168.1.255 dhcp
dmz eth1 206.124.146.255 -
net eth3 206.124.146.255 norfc1918
- texas -
loc ppp+
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</font></pre>
<h3>Hosts File: </h3>
<pre><font face="Courier" size="2"> #ZONE HOST(S) OPTIONS
me eth2:192.168.1.3
tx texas:192.168.9.0/24
#LAST LINE -- ADD YOUR ENTRIES ABOVE -- DO NOT REMOVE</font></pre>
<h3>Routestopped File:</h3>
<pre><font face="Courier" size="2"> #INTERFACE HOST(S)
eth1 206.124.146.177
eth2 -
eth3 206.124.146.180</font></pre>
<h3>Common File: </h3>
<pre><font size="2" face="Courier"> . /etc/shorewall/common.def
run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP
run_iptables -A common -p tcp --dport 113 -j REJECT</font></pre>
<h3>Policy File:</h3>
<pre><font size="2" face="Courier">
<p> The firewall system itself runs a DHCP server that serves the local
network.</p>
<p> All administration and publishing is done using ssh/scp.</p>
<p> I run an SNMP server on my firewall to serve <a
href="http://www.ee.ethz.ch/%7Eoetiker/webtools/mrtg/"> MRTG</a> running
in the DMZ.</p>
<p align="center"> <img border="0"
src="images/network.png" width="764" height="846">
</p>
<p><EFBFBD></p>
<p>The ethernet interface in the Server is configured
with IP address 206.124.146.177, netmask
255.255.255.0. The server's default gateway is
206.124.146.254 (Router at my ISP. This is the same
default gateway used by the firewall itself). On the firewall,
Shorewall automatically adds a host route to
206.124.146.177 through eth1 (192.168.2.1) because
of the entry in /etc/shorewall/proxyarp (see below).</p>
<p>A similar setup is used on eth3 (192.168.3.1) which
interfaces to my laptop (206.124.146.180).</p>
<p><font color="#ff0000" size="5"> Note: My files
use features not available before Shorewall version
1.3.4.</font></p>
</blockquote>
<h3>Shorewall.conf</h3>
<pre> SUBSYSLOCK=/var/lock/subsys/shorewall<br> STATEDIR=/var/state/shorewall<br><br> LOGRATE=<br> LOGBURST=<br><br> ADD_IP_ALIASES="Yes"<br><br> CLAMPMSS=Yes<br><br> MULTIPORT=Yes</pre>
<h3>Zones File:</h3>
<pre><font face="Courier" size="2"> #ZONE DISPLAY COMMENTS<br> net Internet Internet<br> me Eastep My Workstation<br> loc Local Local networks<br> dmz DMZ Demilitarized zone<br> tx Texas Peer Network in Dallas Texas<br> #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</font></pre>
<h3>Interfaces File: </h3>
<blockquote>
<p> This is set up so that I can start the firewall before bringing up
my Ethernet interfaces. </p>
</blockquote>
<pre><font face="Courier" size="2"> #ZONE INTERFACE BROADCAST OPTIONS<br> net eth0 206.124.146.255 routefilter,norfc1918,blacklist,filterping<br> loc eth2 192.168.1.255 dhcp<br> dmz eth1 206.124.146.255 -<br> net eth3 206.124.146.255 norfc1918<br> - texas -<br> loc ppp+<br> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</font></pre>
<h3>Hosts File: </h3>
<pre><font face="Courier" size="2"> #ZONE HOST(S) OPTIONS<br> me eth2:192.168.1.3,eth2:206.124.146.179<br> tx texas:192.168.9.0/24<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE -- DO NOT REMOVE</font></pre>
<h3>Routestopped File:</h3>
<pre><font face="Courier" size="2"> #INTERFACE HOST(S)<br> eth1 206.124.146.177<br> eth2 -<br> eth3 206.124.146.180</font></pre>
<h3>Common File: </h3>
<pre><font size="2" face="Courier"> . /etc/shorewall/common.def<br> run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP<br> run_iptables -A common -p tcp --dport 113 -j REJECT</font></pre>
<h3>Policy File:</h3>
<pre><font size="2" face="Courier">
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
me all ACCEPT
tx me ACCEPT #Give Texas access to my personal system
all me CONTINUE #<font color="#FF0000">WARNING: You must be running Shorewall 1.3.1 or later for
</font>#<font color="#FF0000"> this policy to work as expected!!!</font>
loc loc ACCEPT
loc net ACCEPT
$FW loc ACCEPT
$FW tx ACCEPT
loc tx ACCEPT
loc fw REJECT
net net ACCEPT
net all DROP info 10/sec:40
all all REJECT info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOTE</font></pre>
<h3>Masq File: </h3>
<blockquote>
<p>
Although most of our internal systems use static NAT, my wife's system
(192.168.1.4) uses IP Masquerading (actually SNAT) as do visitors with laptops.</p>
</blockquote>
<pre><font size="2" face="Courier"> #INTERFACE SUBNET ADDRESS
eth0 192.168.1.0/24 206.124.146.176
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</font></pre>
<h3>NAT File: </h3>
<pre><font size="2" face="Courier"> #EXTERNAL INTERFACE INTERNAL ALL LOCAL
206.124.146.178 eth0 192.168.1.5 No No
206.124.146.179 eth0 192.168.1.3 No No
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</font></pre>
<h3>Proxy ARP File:</h3>
<pre><font face="Courier" size="2"> #ADDRESS INTERFACE EXTERNAL HAVEROUTE
206.124.146.177 eth1 eth0 No
206.124.146.180 eth3 eth0 No
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</font></pre>
<h3>Rules File (The shell variables
are set in /etc/shorewall/params):</h3>
<pre><font face="Courier" size="2"> #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# PORT(S) PORT(S) PORT(S) DEST
#
# Local Network to Internet - Reject attempts by Trojans to call home
#
REJECT:info loc net tcp 6667
#
# Local Network to Firewall
#
ACCEPT loc fw tcp ssh
ACCEPT loc fw tcp time
#
# Local Network to DMZ
#
ACCEPT loc dmz udp domain
ACCEPT loc dmz tcp smtp
ACCEPT loc dmz tcp domain
ACCEPT loc dmz tcp ssh
ACCEPT loc dmz tcp auth
ACCEPT loc dmz tcp imap
ACCEPT loc dmz tcp https
ACCEPT loc dmz tcp imaps
ACCEPT loc dmz tcp cvspserver
ACCEPT loc dmz tcp www
ACCEPT loc dmz tcp ftp
ACCEPT loc dmz tcp pop3
ACCEPT loc dmz icmp echo-request
#
# Internet to DMZ
#
ACCEPT net dmz tcp www
ACCEPT net dmz tcp smtp
ACCEPT net dmz tcp ftp
ACCEPT net dmz tcp auth
ACCEPT net dmz tcp https
ACCEPT net dmz tcp imaps
ACCEPT net dmz tcp domain
ACCEPT net dmz tcp cvspserver
ACCEPT net dmz udp domain
ACCEPT net dmz icmp echo-request
ACCEPT net:$MIRRORS dmz tcp rsync
#
# Net to Me (ICQ chat and file transfers)
#
ACCEPT net me tcp 4000:4100
#
# Net to Local
#
ACCEPT net loc tcp auth
REJECT net loc tcp www
#
# DMZ to Internet
#
ACCEPT dmz net icmp echo-request
ACCEPT dmz net tcp smtp
ACCEPT dmz net tcp auth
ACCEPT dmz net tcp domain
ACCEPT dmz net tcp www
ACCEPT dmz net tcp https
ACCEPT dmz net tcp whois
ACCEPT dmz net tcp echo
ACCEPT dmz net udp domain
ACCEPT dmz net:$NTPSERVERS udp ntp
ACCEPT dmz net:$POPSERVERS tcp pop3
#
# The following compensates for a bug, either in some FTP clients or in the
# Netfilter connection tracking code that occasionally denies active mode
# FTP clients
#
ACCEPT:info dmz net tcp 1024: 20
#
# DMZ to Firewall -- snmp
#
ACCEPT dmz fw tcp snmp
ACCEPT dmz fw udp snmp
#
# DMZ to Local Network
#
ACCEPT dmz loc tcp smtp
ACCEPT dmz loc tcp auth
ACCEPT dmz loc icmp echo-request
# Internet to Firewall
#
ACCEPT net fw tcp 1723
ACCEPT net fw gre
REJECT net fw tcp www
#
# Firewall to Internet
#
ACCEPT fw net:$NTPSERVERS udp ntp
ACCEPT fw net udp domain
ACCEPT fw net tcp domain
ACCEPT fw net tcp www
ACCEPT fw net tcp https
ACCEPT fw net tcp ssh
ACCEPT fw net tcp whois
ACCEPT fw net icmp echo-request
#
# Firewall to DMZ
#
ACCEPT fw dmz tcp www
ACCEPT fw dmz tcp ftp
ACCEPT fw dmz tcp ssh
ACCEPT fw dmz tcp smtp
ACCEPT fw dmz udp domain
#
# Let Texas Ping
#
ACCEPT tx fw icmp echo-request
ACCEPT tx loc icmp echo-request
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</font></pre>
<p><font size="2">
Last updated 8/9/2002
- </font><font size="2">
<a href="support.htm">Tom Eastep</a></font>
all me CONTINUE #<font
color="#ff0000">WARNING: You must be running Shorewall 1.3.1 or later for<br> </font>#<font
color="#ff0000"> this policy to work as expected!!!</font> <br> loc loc ACCEPT<br> loc net ACCEPT<br> $FW loc ACCEPT<br> $FW tx ACCEPT<br> loc tx ACCEPT<br> loc fw REJECT<br> net net ACCEPT<br> net all DROP info 10/sec:40<br> all all REJECT info<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOTE</font></pre>
<h3>Masq File: </h3>
<blockquote>
<p> Although most of our internal systems use static NAT, my wife's system
(192.168.1.4) uses IP Masquerading (actually SNAT) as do visitors with laptops.</p>
</blockquote>
<pre><font size="2" face="Courier"> #INTERFACE SUBNET ADDRESS<br> eth0 192.168.1.0/24 206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</font></pre>
<h3>NAT File: </h3>
<pre><font size="2" face="Courier"> #EXTERNAL INTERFACE INTERNAL ALL LOCAL<br> 206.124.146.178 eth0 192.168.1.5 No No<br> 206.124.146.179 eth0 192.168.1.3 No No<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</font></pre>
<h3>Proxy ARP File:</h3>
<pre><font face="Courier" size="2"> #ADDRESS INTERFACE EXTERNAL HAVEROUTE<br> 206.124.146.177 eth1 eth0 No<br> 206.124.146.180 eth3 eth0 No<br> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</font></pre>
<h3>Rules File (The shell variables
are set in /etc/shorewall/params):</h3>
<pre><font face="Courier" size="2"> #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL<br> # PORT(S) PORT(S) PORT(S) DEST<br> #<br> # Local Network to Internet - Reject attempts by Trojans to call home<br> #<br> REJECT:info loc net tcp 6667<br> #<br> # Local Network to Firewall <br> #<br> ACCEPT loc fw tcp ssh<br> ACCEPT loc fw tcp time<br> #<br> # Local Network to DMZ <br> #<br> ACCEPT loc dmz udp domain<br> ACCEPT loc dmz tcp smtp<br> ACCEPT loc dmz tcp domain<br> ACCEPT loc dmz tcp ssh<br> ACCEPT loc dmz tcp auth<br> ACCEPT loc dmz tcp imap<br> ACCEPT loc dmz tcp https<br> ACCEPT loc dmz tcp imaps<br> ACCEPT loc dmz tcp cvspserver<br> ACCEPT loc dmz tcp www<br> ACCEPT loc dmz tcp ftp<br> ACCEPT loc dmz tcp pop3<br> ACCEPT loc dmz icmp echo-request<br> #<br> # Internet to DMZ <br> #<br> ACCEPT net dmz tcp www<br> ACCEPT net dmz tcp smtp<br> ACCEPT net dmz tcp ftp<br> ACCEPT net dmz tcp auth<br> ACCEPT net dmz tcp https<br> ACCEPT net dmz tcp imaps<br> ACCEPT net dmz tcp domain<br> ACCEPT net dmz tcp cvspserver<br> ACCEPT net dmz udp domain<br> ACCEPT net dmz icmp echo-request<br> ACCEPT net:$MIRRORS dmz tcp rsync<br> #<br> # Net to Me (ICQ chat and file transfers) <br> #<br> ACCEPT net me tcp 4000:4100<br> #<br> # Net to Local <br> #<br> ACCEPT net loc tcp auth<br> REJECT net loc tcp www<br> #<br> # DMZ to Internet<br> #<br> ACCEPT dmz net icmp echo-request<br> ACCEPT dmz net tcp smtp<br> ACCEPT dmz net tcp auth<br> ACCEPT dmz net tcp domain<br> ACCEPT dmz net tcp www<br> ACCEPT dmz net tcp https<br> ACCEPT dmz net tcp whois<br> ACCEPT dmz net tcp echo<br> ACCEPT dmz net udp domain<br> ACCEPT dmz net:$NTPSERVERS udp ntp<br> ACCEPT dmz net:$POPSERVERS tcp pop3<br> #<br> # The following compensates for a bug, either in some FTP clients or in the<br> # Netfilter connection tracking code that occasionally denies active mode<br> # FTP clients<br> #<br> ACCEPT:info dmz net tcp 1024: 20<br> #<br> # DMZ to Firewall -- snmp<br> #<br> ACCEPT dmz fw tcp snmp<br> ACCEPT dmz fw udp snmp<br> #<br> # DMZ to Local Network <br> #<br> ACCEPT dmz loc tcp smtp<br> ACCEPT dmz loc tcp auth<br> ACCEPT dmz loc icmp echo-request<br> # Internet to Firewall<br> #<br> ACCEPT net fw tcp 1723<br> ACCEPT net fw gre<br> REJECT net fw tcp www<br> #<br> # Firewall to Internet<br> #<br> ACCEPT fw net:$NTPSERVERS udp ntp<br> ACCEPT fw net udp domain<br> ACCEPT fw net tcp domain<br> ACCEPT fw net tcp www<br> ACCEPT fw net tcp https<br> ACCEPT fw net tcp ssh<br> ACCEPT fw net tcp whois<br> ACCEPT fw net icmp echo-request<br> #<br> # Firewall to DMZ<br> #<br> ACCEPT fw dmz tcp www<br> ACCEPT fw dmz tcp ftp<br> ACCEPT fw dmz tcp ssh<br> ACCEPT fw dmz tcp smtp<br> ACCEPT fw dmz udp domain<br> #<br> # Let Texas Ping<br> #<br> ACCEPT tx fw icmp echo-request<br> ACCEPT tx loc icmp echo-request<br><br> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</font></pre>
<p><font size="2"> Last updated 9/14/2002 - </font><font size="2">
<a href="support.htm">Tom Eastep</a></font>
</p>
<font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
<20> <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></body></html>
<font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
<EFBFBD> <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
</body>
</html>