mirror of
https://gitlab.com/shorewall/code.git
synced 2025-01-20 12:39:06 +01:00
Update for Shorewall 2.2.1
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1959 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
70a88b7870
commit
464ad6019d
@ -15,7 +15,7 @@
|
|||||||
</author>
|
</author>
|
||||||
</authorgroup>
|
</authorgroup>
|
||||||
|
|
||||||
<pubdate>2005-02-08</pubdate>
|
<pubdate>2005-02-13</pubdate>
|
||||||
|
|
||||||
<copyright>
|
<copyright>
|
||||||
<year>2004</year>
|
<year>2004</year>
|
||||||
@ -728,4 +728,63 @@ all all REJECT info
|
|||||||
occur, NONE policies are used.</para>
|
occur, NONE policies are used.</para>
|
||||||
</blockquote>
|
</blockquote>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
|
<section>
|
||||||
|
<title>IPSEC and <trademark>Windows</trademark> XP</title>
|
||||||
|
|
||||||
|
<para>I have successfully configured my work laptop to use IPSEC for
|
||||||
|
wireless IP communication when it is undocked at home. I looked at dozens
|
||||||
|
of sites and the one I found most helpful was <ulink
|
||||||
|
url="http://ipsec.math.ucla.edu/services/ipsec-windows.html">http://ipsec.math.ucla.edu/services/ipsec-windows.html</ulink>.
|
||||||
|
The instructions on that site are directed to students at UCLA but they
|
||||||
|
worked fine for me (once I followed them very carefully).</para>
|
||||||
|
|
||||||
|
<warning>
|
||||||
|
<para>The instructions found on the UCLA site are complex and do not
|
||||||
|
include any information on the generation of X.509 certificates. There
|
||||||
|
are lots of sites however that can tell you how to generate
|
||||||
|
certificates, including <ulink
|
||||||
|
url="http://www.ipsec-howto.org/">http://www.ipsec-howto.org/</ulink>.</para>
|
||||||
|
|
||||||
|
<para>One piece of information that may not be so easy to find is "How
|
||||||
|
to I generate a PKCS#12 certificate to import into Windows?". Here's the
|
||||||
|
openssl command I used:</para>
|
||||||
|
|
||||||
|
<programlisting><command>openssl pkcs12 -export -in eastepnc6000.pem -inkey eastepnc6000_key.pem -out eastepnc6000.pfx -name "IPSEC Cert for Home Wireless"</command> </programlisting>
|
||||||
|
|
||||||
|
<para>I was prompted for a password to associate with the certificate.
|
||||||
|
This password is entered on the Windows system during import.</para>
|
||||||
|
|
||||||
|
<para>In the above command:</para>
|
||||||
|
|
||||||
|
<itemizedlist>
|
||||||
|
<listitem>
|
||||||
|
<para>eastepnc6000.pem was the laptop's certificate in PEM
|
||||||
|
format.</para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>eastepnc6000_key.pem was the laptop's private key (actually,
|
||||||
|
it's the original signing request which includes the private
|
||||||
|
key).</para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>eastepnc6000.pfx is the PKCS#12 output file.</para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>"IPSEC Cert for Home Wireless" is the friendly name for the
|
||||||
|
certificate.I</para>
|
||||||
|
</listitem>
|
||||||
|
</itemizedlist>
|
||||||
|
|
||||||
|
<para>I started to write an article about how to do this, complete with
|
||||||
|
graphics captured from my laptop. I gave up. I had captured 12 images
|
||||||
|
and hadn't really started yet. The Windows interface for configuring
|
||||||
|
IPSEC is the worst GUI that I have ever used. What can be displayed on
|
||||||
|
one split Emacs screen (racoon.conf plus setkey.conf) takes 20+
|
||||||
|
different dialog boxes on Windows XP!!!</para>
|
||||||
|
</warning>
|
||||||
|
</section>
|
||||||
</article>
|
</article>
|
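Review bot: the second list item says the `-inkey` file is "the original signing request which includes the private key"; a certificate signing request does not contain the private key, so `-inkey` must point at the private key itself (a PEM file that holds both a CSR and a `PRIVATE KEY` block only works because openssl picks out the key block), and the item should say that plainly. Two typos in the same hunk: "How to I generate" should read "How do I generate", and the stray "I" in `certificate.I</para>` should be dropped. The password paragraph would also benefit from noting that the export password is the only protection on the private key inside the .pfx, so the file should be removed from the laptop and any transfer media once the Windows import is done.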
@ -15,7 +15,7 @@
|
|||||||
</author>
|
</author>
|
||||||
</authorgroup>
|
</authorgroup>
|
||||||
|
|
||||||
<pubdate>2005-02-08</pubdate>
|
<pubdate>2005-02-15</pubdate>
|
||||||
|
|
||||||
<copyright>
|
<copyright>
|
||||||
<year>2001-2005</year>
|
<year>2001-2005</year>
|
||||||
@ -122,19 +122,19 @@
|
|||||||
through Proxy ARP.</para>
|
through Proxy ARP.</para>
|
||||||
|
|
||||||
<para>The firewall system itself runs a DHCP server that serves the local
|
<para>The firewall system itself runs a DHCP server that serves the local
|
||||||
network.</para>
|
and wireless networks.</para>
|
||||||
|
|
||||||
<para>I have one system (Remote, 206.124.146.179) outside the firewall.
|
<para>I have one system (Remote, 206.124.146.179) outside the firewall.
|
||||||
This system, which runs Debian Sarge (testing) is used for roadwarrior VPN
|
This system, which runs Debian Sarge (testing) is used for roadwarrior VPN
|
||||||
testing and for checking my firewall "from the outside".</para>
|
testing and for checking my firewall "from the outside".</para>
|
||||||
|
|
||||||
<para>All administration and publishing is done using ssh/scp. I have a
|
<para>All administration and publishing is done using ssh/scp. I have a
|
||||||
desktop environment installed on the firewall but I am not usually logged
|
desktop environment installed on the firewall but I usually don't start
|
||||||
in to it. X applications tunnel through SSH to Ursa. The server also has a
|
it. X applications tunnel through SSH to Ursa or one of the laptops. The
|
||||||
desktop environment installed and that desktop environment is available
|
server also has a desktop environment installed but it is seldom started
|
||||||
via XDMCP from the local zone. For the most part though, X tunneled
|
either. For the most part, X tunneled through SSH is used for server
|
||||||
through SSH is used for server administration and the server runs at run
|
administration and the server runs at run level 3 (multi-user console mode
|
||||||
level 3 (multi-user console mode on Fedora).</para>
|
on Fedora).</para>
|
||||||
|
|
||||||
<para>I run an SNMP server on my firewall to serve <ulink
|
<para>I run an SNMP server on my firewall to serve <ulink
|
||||||
url="http://www.ee.ethz.ch/~oetiker/webtools/mrtg/">MRTG</ulink> running
|
url="http://www.ee.ethz.ch/~oetiker/webtools/mrtg/">MRTG</ulink> running
|
||||||
@ -150,7 +150,10 @@
|
|||||||
<para>The firewall is configured with OpenVPN for VPN access from our
|
<para>The firewall is configured with OpenVPN for VPN access from our
|
||||||
second home in <ulink url="http://www.omakchamber.com/">Omak,
|
second home in <ulink url="http://www.omakchamber.com/">Omak,
|
||||||
Washington</ulink> or when we are otherwise out of town. Secure remote
|
Washington</ulink> or when we are otherwise out of town. Secure remote
|
||||||
access via IPSEC is also available.</para>
|
access via IPSEC is also available. We typically use IPSEC for wireless
|
||||||
|
security around the house and OpenVPN for roadwarrior access but the
|
||||||
|
Firewall is set up to access either tunnel type from either
|
||||||
|
location.</para>
|
||||||
|
|
||||||
<para><graphic align="center" fileref="images/network.png" /></para>
|
<para><graphic align="center" fileref="images/network.png" /></para>
|
||||||
</section>
|
</section>
|
||||||
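Review bot: in the added sentence, "the Firewall is set up to access either tunnel type from either location" reads as though the firewall initiates the tunnels; "accept" matches the roadwarrior setup the paragraph describes, and "Firewall" should be lower-case as it is elsewhere in the paragraph.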
@ -733,41 +736,90 @@ syslogsync 1</programlisting>
|
|||||||
<title>/etc/racoon/racoon.conf</title>
|
<title>/etc/racoon/racoon.conf</title>
|
||||||
|
|
||||||
<blockquote>
|
<blockquote>
|
||||||
<programlisting> path certificate "/etc/certs" ;
|
<programlisting>
|
||||||
|
listen
|
||||||
listen
|
{
|
||||||
{
|
isakmp 206.124.146.176 ;
|
||||||
isakmp 206.124.146.176;
|
isakmp 192.168.3.254 ;
|
||||||
isakmp 192.168.3.254;
|
adminsock "/usr/local/var/racoon/racoon.sock" "root" "operator" 0660 ;
|
||||||
}
|
}
|
||||||
|
#
|
||||||
remote anonymous
|
# Tipper at Home
|
||||||
{
|
#
|
||||||
|
remote 192.168.3.8
|
||||||
|
{
|
||||||
exchange_mode main ;
|
exchange_mode main ;
|
||||||
generate_policy on ;
|
dpd_delay 20 ;
|
||||||
passive on ;
|
certificate_type x509 "gateway.pem" "gateway_key.pem" ;
|
||||||
certificate_type x509 "gateway.pem" "gateway_key.pem";
|
verify_cert on ;
|
||||||
verify_cert on;
|
|
||||||
my_identifier asn1dn ;
|
my_identifier asn1dn ;
|
||||||
peers_identifier asn1dn ;
|
peers_identifier asn1dn ;
|
||||||
verify_identifier on ;
|
verify_identifier on ;
|
||||||
lifetime time 24 hour ;
|
lifetime time 1 hour ;
|
||||||
proposal {
|
proposal {
|
||||||
encryption_algorithm blowfish;
|
encryption_algorithm blowfish ;
|
||||||
hash_algorithm sha1;
|
hash_algorithm sha1 ;
|
||||||
authentication_method rsasig ;
|
authentication_method rsasig ;
|
||||||
dh_group 2 ;
|
dh_group 2 ;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
sainfo anonymous
|
sainfo address 0.0.0.0/0 any address 192.168.3.8 any
|
||||||
{
|
{
|
||||||
|
pfs_group 2 ;
|
||||||
|
lifetime time 1 hour ;
|
||||||
|
encryption_algorithm blowfish ;
|
||||||
|
authentication_algorithm hmac_sha1, hmac_md5 ;
|
||||||
|
compression_algorithm deflate ;
|
||||||
|
}
|
||||||
|
#
|
||||||
|
# Work Laptop at Home -- it doesn't like getting proposals from us
|
||||||
|
# so we let it initiate the tunnel.
|
||||||
|
#
|
||||||
|
# Windows XP doesn't support blowfish or rijndal
|
||||||
|
# so we're stuck with 3des :-(
|
||||||
|
#
|
||||||
|
remote 192.168.3.6 inherit 192.168.3.8
|
||||||
|
{
|
||||||
|
proposal_check obey ;
|
||||||
|
passive on ;
|
||||||
|
generate_policy on ;
|
||||||
|
proposal {
|
||||||
|
encryption_algorithm 3des ;
|
||||||
|
hash_algorithm sha1 ;
|
||||||
|
authentication_method rsasig ;
|
||||||
|
dh_group 2 ;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
sainfo address 0.0.0.0/0 any address 192.168.3.6 any
|
||||||
|
{
|
||||||
|
pfs_group 2 ;
|
||||||
|
lifetime time 1 hour ;
|
||||||
|
encryption_algorithm 3des ;
|
||||||
|
authentication_algorithm hmac_sha1, hmac_md5 ;
|
||||||
|
compression_algorithm deflate ;
|
||||||
|
}
|
||||||
|
#
|
||||||
|
# Both systems on the road -- We use 3des for phase I to accomodate XP.
|
||||||
|
# Since we don't know the IP address of the
|
||||||
|
# remote host ahead of time, we must use
|
||||||
|
# "anonymous".
|
||||||
|
#
|
||||||
|
remote anonymous inherit 192.168.3.6
|
||||||
|
{
|
||||||
|
nat_traversal on ;
|
||||||
|
ike_frag on;
|
||||||
|
}
|
||||||
|
|
||||||
|
sainfo anonymous
|
||||||
|
{
|
||||||
pfs_group 2;
|
pfs_group 2;
|
||||||
lifetime time 12 hour ;
|
lifetime time 12 hour ;
|
||||||
encryption_algorithm blowfish, 3des;
|
encryption_algorithm blowfish, 3des;
|
||||||
authentication_algorithm hmac_sha1, hmac_md5 ;
|
authentication_algorithm hmac_sha1, hmac_md5 ;
|
||||||
compression_algorithm deflate ;
|
compression_algorithm deflate ;
|
||||||
}</programlisting>
|
}</programlisting>
|
||||||
</blockquote>
|
</blockquote>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
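Review bot: `proposal_check obey ;` in the `remote 192.168.3.6` block (and in `remote anonymous`, which inherits it) makes racoon accept whatever lifetime and proposal the initiator sends, and the `sainfo` blocks still list `hmac_md5` next to `hmac_sha1`, so a peer can negotiate the weaker parameters; if the XP box only objects to lifetime mismatches, `proposal_check claim ;` keeps the configured lifetime as the ceiling while still letting it initiate, and `hmac_md5` can be dropped from the sainfo lines unless a peer actually requires it. Also worth a look: `adminsock "/usr/local/var/racoon/racoon.sock" "root" "operator" 0660 ;` gives every member of `operator` write access to the control socket, which should be called out or restricted to root; the `sainfo anonymous` block keeps `lifetime time 12 hour ;` while the per-host entries were cut to 1 hour; and "rijndal" in the comment should be "rijndael".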
@ -780,7 +832,8 @@ syslogsync 1</programlisting>
|
|||||||
flush;
|
flush;
|
||||||
spdflush;
|
spdflush;
|
||||||
|
|
||||||
# Add some SPD rules
|
# We only define policies for 'tipper'. The XP box seems to work better when it initiates the
|
||||||
|
# negotiation so we essentially run it like a roadwarrior even around the house.
|
||||||
|
|
||||||
spdadd 0.0.0.0/0 192.168.3.8/32 any -P out ipsec esp/tunnel/192.168.3.254-192.168.3.8/require;
|
spdadd 0.0.0.0/0 192.168.3.8/32 any -P out ipsec esp/tunnel/192.168.3.254-192.168.3.8/require;
|
||||||
spdadd 192.168.3.8/32 0.0.0.0/0 any -P in ipsec esp/tunnel/192.168.3.8-192.168.3.254/require;</programlisting>
|
spdadd 192.168.3.8/32 0.0.0.0/0 any -P in ipsec esp/tunnel/192.168.3.8-192.168.3.254/require;</programlisting>
|
||||||
|
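Review bot: the new comment should also say what enforces IPsec for the XP box (192.168.3.6) now that no `spdadd` line covers it: until the laptop initiates and racoon's `generate_policy on` installs a policy, nothing in this SPD requires ESP for that address, so cleartext to or from 192.168.3.6 is only stopped if the Shorewall rules stop it. A one-line comment pointing at the `generate_policy` setting in racoon.conf (and at the Shorewall side) would make that dependency explicit.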
@ -28,7 +28,7 @@
|
|||||||
# shown below. Simply run this script to revert to your prior version of
|
# shown below. Simply run this script to revert to your prior version of
|
||||||
# Shoreline Firewall.
|
# Shoreline Firewall.
|
||||||
|
|
||||||
VERSION=2.2.0
|
VERSION=2.2.1
|
||||||
|
|
||||||
usage() # $1 = exit status
|
usage() # $1 = exit status
|
||||||
{
|
{
|
||||||
|
@ -22,7 +22,7 @@
|
|||||||
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
|
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
|
||||||
#
|
#
|
||||||
|
|
||||||
VERSION=2.2.0
|
VERSION=2.2.1
|
||||||
|
|
||||||
usage() # $1 = exit status
|
usage() # $1 = exit status
|
||||||
{
|
{
|
||||||
|
@ -28,6 +28,9 @@ Problems corrected in version 2.2.1
|
|||||||
3) The comments regarding built-in actions in
|
3) The comments regarding built-in actions in
|
||||||
/usr/share/shorewall/actions.std have been corrected.
|
/usr/share/shorewall/actions.std have been corrected.
|
||||||
|
|
||||||
|
4) The /etc/shorewall/policy file in the LRP package was missing the
|
||||||
|
'all->all' policy.
|
||||||
|
|
||||||
-----------------------------------------------------------------------
|
-----------------------------------------------------------------------
|
||||||
Issues when migrating from Shorewall 2.0 to Shorewall 2.2:
|
Issues when migrating from Shorewall 2.0 to Shorewall 2.2:
|
||||||
|
|
||||||
|
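Review bot: the new item 4 should state what the restored 'all->all' policy line is (the documentation hunk earlier in this commit shows `all all REJECT info`), so users with an existing LRP install can check whether their /etc/shorewall/policy needs the line added by hand rather than only learning that the package was fixed.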
@ -1,5 +1,5 @@
|
|||||||
%define name shorewall
|
%define name shorewall
|
||||||
%define version 2.2.0
|
%define version 2.2.1
|
||||||
%define release 1
|
%define release 1
|
||||||
%define prefix /usr
|
%define prefix /usr
|
||||||
|
|
||||||
@ -138,6 +138,8 @@ fi
|
|||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
* Mon Jan 24 2005 Tom Eastep tom@shorewall.net
|
* Mon Jan 24 2005 Tom Eastep tom@shorewall.net
|
||||||
|
- Updated to 2.2.1-1
|
||||||
|
* Mon Jan 24 2005 Tom Eastep tom@shorewall.net
|
||||||
- Updated to 2.2.0-1
|
- Updated to 2.2.0-1
|
||||||
* Mon Jan 17 2005 Tom Eastep tom@shorewall.net
|
* Mon Jan 17 2005 Tom Eastep tom@shorewall.net
|
||||||
- Updated to 2.2.0-0RC5
|
- Updated to 2.2.0-0RC5
|
||||||
|
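Review bot: the new changelog entry for 2.2.1-1 carries the same date as the 2.2.0-1 entry below it (Mon Jan 24 2005); the documentation hunks in this commit are dated 2005-02-13 and 2005-02-15, so the 2.2.1 entry date looks copied from the previous entry rather than updated.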
@ -26,7 +26,7 @@
|
|||||||
# You may only use this script to uninstall the version
|
# You may only use this script to uninstall the version
|
||||||
# shown below. Simply run this script to remove Seattle Firewall
|
# shown below. Simply run this script to remove Seattle Firewall
|
||||||
|
|
||||||
VERSION=2.2.0
|
VERSION=2.2.1
|
||||||
|
|
||||||
usage() # $1 = exit status
|
usage() # $1 = exit status
|
||||||
{
|
{
|
||||||
|
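Review bot: the unchanged comment in this hunk says "remove Seattle Firewall" while the fallback script in the same commit says "Shoreline Firewall"; since this script uninstalls Shorewall, the stale name should be corrected while the version is being bumped.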