Update for Shorewall 2.2.1

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1959 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2005-02-15 23:45:27 +00:00
parent 70a88b7870
commit 464ad6019d
11 changed files with 481 additions and 364 deletions


@ -15,7 +15,7 @@
</author> </author>
</authorgroup> </authorgroup>
<pubdate>2005-02-08</pubdate> <pubdate>2005-02-13</pubdate>
<copyright> <copyright>
<year>2004</year> <year>2004</year>
@ -728,4 +728,63 @@ all all REJECT info
occur, NONE policies are used.</para> occur, NONE policies are used.</para>
</blockquote> </blockquote>
</section> </section>
<section>
<title>IPSEC and <trademark>Windows</trademark> XP</title>
<para>I have successfully configured my work laptop to use IPSEC for
wireless IP communication when it is undocked at home. I looked at dozens
of sites and the one I found most helpful was <ulink
url="http://ipsec.math.ucla.edu/services/ipsec-windows.html">http://ipsec.math.ucla.edu/services/ipsec-windows.html</ulink>.
The instructions on that site are directed to students at UCLA but they
worked fine for me (once I followed them very carefully).</para>
<warning>
<para>The instructions found on the UCLA site are complex and do not
include any information on the generation of X.509 certificates. There
are lots of sites however that can tell you how to generate
certificates, including <ulink
url="http://www.ipsec-howto.org/">http://www.ipsec-howto.org/</ulink>.</para>
<para>One piece of information that may not be so easy to find is "How
to I generate a PKCS#12 certificate to import into Windows?". Here's the
openssl command I used:</para>
<programlisting><command>openssl pkcs12 -export -in eastepnc6000.pem -inkey eastepnc6000_key.pem -out eastepnc6000.pfx -name "IPSEC Cert for Home Wireless"</command> </programlisting>
<para>I was prompted for a password to associate with the certificate.
This password is entered on the Windows system during import.</para>
<para>In the above command:</para>
<itemizedlist>
<listitem>
<para>eastepnc6000.pem was the laptop's certificate in PEM
format.</para>
</listitem>
<listitem>
<para>eastepnc6000_key.pem was the laptop's private key (actually,
it's the original signing request which includes the private
key).</para>
</listitem>
<listitem>
<para>eastepnc6000.pfx is the PKCS#12 output file.</para>
</listitem>
<listitem>
<para>"IPSEC Cert for Home Wireless" is the friendly name for the
certificate.I</para>
</listitem>
</itemizedlist>
<para>I started to write an article about how to do this, complete with
graphics captured from my laptop. I gave up. I had captured 12 images
and hadn't really started yet. The Windows interface for configuring
IPSEC is the worst GUI that I have ever used. What can be displayed on
one split Emacs screen (racoon.conf plus setkey.conf) takes 20+
different dialog boxes on Windows XP!!!</para>
</warning>
</section>
</article> </article>
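Review bot: two typos in the added section: the sentence introducing the openssl command, "How to I generate a PKCS#12 certificate to import into Windows?", should read "How do I generate a PKCS#12 certificate to import into Windows?", and the last list item ends with a stray character, "certificate.I" should be "certificate.". It would also help readers to say in the text that the password prompted for by `openssl pkcs12 -export` protects the private key bundled into the .pfx (the `-inkey` option pulls the key in alongside the certificate), so the output file needs the same handling as the private key itself until it has been imported on the Windows side.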

Binary file not shown.

Binary file not shown.

File diff suppressed because one or more lines are too long


@ -15,7 +15,7 @@
</author> </author>
</authorgroup> </authorgroup>
<pubdate>2005-02-08</pubdate> <pubdate>2005-02-15</pubdate>
<copyright> <copyright>
<year>2001-2005</year> <year>2001-2005</year>
@ -122,19 +122,19 @@
through Proxy ARP.</para> through Proxy ARP.</para>
<para>The firewall system itself runs a DHCP server that serves the local <para>The firewall system itself runs a DHCP server that serves the local
network.</para> and wireless networks.</para>
<para>I have one system (Remote, 206.124.146.179) outside the firewall. <para>I have one system (Remote, 206.124.146.179) outside the firewall.
This system, which runs Debian Sarge (testing) is used for roadwarrior VPN This system, which runs Debian Sarge (testing) is used for roadwarrior VPN
testing and for checking my firewall "from the outside".</para> testing and for checking my firewall "from the outside".</para>
<para>All administration and publishing is done using ssh/scp. I have a <para>All administration and publishing is done using ssh/scp. I have a
desktop environment installed on the firewall but I am not usually logged desktop environment installed on the firewall but I usually don't start
in to it. X applications tunnel through SSH to Ursa. The server also has a it. X applications tunnel through SSH to Ursa or one of the laptops. The
desktop environment installed and that desktop environment is available server also has a desktop environment installed but it is seldom started
via XDMCP from the local zone. For the most part though, X tunneled either. For the most part, X tunneled through SSH is used for server
through SSH is used for server administration and the server runs at run administration and the server runs at run level 3 (multi-user console mode
level 3 (multi-user console mode on Fedora).</para> on Fedora).</para>
<para>I run an SNMP server on my firewall to serve <ulink <para>I run an SNMP server on my firewall to serve <ulink
url="http://www.ee.ethz.ch/~oetiker/webtools/mrtg/">MRTG</ulink> running url="http://www.ee.ethz.ch/~oetiker/webtools/mrtg/">MRTG</ulink> running
@ -150,7 +150,10 @@
<para>The firewall is configured with OpenVPN for VPN access from our <para>The firewall is configured with OpenVPN for VPN access from our
second home in <ulink url="http://www.omakchamber.com/">Omak, second home in <ulink url="http://www.omakchamber.com/">Omak,
Washington</ulink> or when we are otherwise out of town. Secure remote Washington</ulink> or when we are otherwise out of town. Secure remote
access via IPSEC is also available.</para> access via IPSEC is also available. We typically use IPSEC for wireless
security around the house and OpenVPN for roadwarrior access but the
Firewall is set up to access either tunnel type from either
location.</para>
<para><graphic align="center" fileref="images/network.png" /></para> <para><graphic align="center" fileref="images/network.png" /></para>
</section> </section>
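Review bot: style nit in the added sentence, "the Firewall is set up to access either tunnel type from either location" capitalizes Firewall mid-sentence while the same paragraph writes "The firewall is configured with OpenVPN"; use the lowercase form for consistency.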
@ -733,41 +736,90 @@ syslogsync 1</programlisting>
<title>/etc/racoon/racoon.conf</title> <title>/etc/racoon/racoon.conf</title>
<blockquote> <blockquote>
<programlisting> path certificate "/etc/certs" ; <programlisting>
listen
listen {
{ isakmp 206.124.146.176 ;
isakmp 206.124.146.176; isakmp 192.168.3.254 ;
isakmp 192.168.3.254; adminsock "/usr/local/var/racoon/racoon.sock" "root" "operator" 0660 ;
}
#
# Tipper at Home
#
remote 192.168.3.8
{
exchange_mode main ;
dpd_delay 20 ;
certificate_type x509 "gateway.pem" "gateway_key.pem" ;
verify_cert on ;
my_identifier asn1dn ;
peers_identifier asn1dn ;
verify_identifier on ;
lifetime time 1 hour ;
proposal {
encryption_algorithm blowfish ;
hash_algorithm sha1 ;
authentication_method rsasig ;
dh_group 2 ;
} }
}
remote anonymous sainfo address 0.0.0.0/0 any address 192.168.3.8 any
{ {
exchange_mode main ; pfs_group 2 ;
generate_policy on ; lifetime time 1 hour ;
passive on ; encryption_algorithm blowfish ;
certificate_type x509 "gateway.pem" "gateway_key.pem"; authentication_algorithm hmac_sha1, hmac_md5 ;
verify_cert on; compression_algorithm deflate ;
my_identifier asn1dn ; }
peers_identifier asn1dn ; #
verify_identifier on ; # Work Laptop at Home -- it doesn't like getting proposals from us
lifetime time 24 hour ; # so we let it initiate the tunnel.
proposal { #
encryption_algorithm blowfish; # Windows XP doesn't support blowfish or rijndal
hash_algorithm sha1; # so we're stuck with 3des :-(
authentication_method rsasig ; #
dh_group 2 ; remote 192.168.3.6 inherit 192.168.3.8
} {
proposal_check obey ;
passive on ;
generate_policy on ;
proposal {
encryption_algorithm 3des ;
hash_algorithm sha1 ;
authentication_method rsasig ;
dh_group 2 ;
} }
}
sainfo anonymous sainfo address 0.0.0.0/0 any address 192.168.3.6 any
{ {
pfs_group 2; pfs_group 2 ;
lifetime time 12 hour ; lifetime time 1 hour ;
encryption_algorithm blowfish, 3des; encryption_algorithm 3des ;
authentication_algorithm hmac_sha1, hmac_md5 ; authentication_algorithm hmac_sha1, hmac_md5 ;
compression_algorithm deflate ; compression_algorithm deflate ;
}</programlisting> }
#
# Both systems on the road -- We use 3des for phase I to accomodate XP.
# Since we don't know the IP address of the
# remote host ahead of time, we must use
# "anonymous".
#
remote anonymous inherit 192.168.3.6
{
nat_traversal on ;
ike_frag on;
}
sainfo anonymous
{
pfs_group 2;
lifetime time 12 hour ;
encryption_algorithm blowfish, 3des;
authentication_algorithm hmac_sha1, hmac_md5 ;
compression_algorithm deflate ;
}</programlisting>
</blockquote> </blockquote>
</section> </section>
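Review bot: two spelling errors in the new comments: "rijndal" in "# Windows XP doesn't support blowfish or rijndal" should be "rijndael", and "accomodate" in "# Both systems on the road -- We use 3des for phase I to accomodate XP." should be "accommodate". A consistency nit: `ike_frag on;` in the `remote anonymous` block is the only statement in the file without a space before the semicolon. On substance, the `remote anonymous` block gets `verify_cert on ;`, `verify_identifier on ;` and the x509 `certificate_type` only through the `inherit 192.168.3.6` -> `inherit 192.168.3.8` chain, so an unknown peer is still required to present a verifiable certificate; stating that in the comment above `remote anonymous` would make it clear that a later edit to the 192.168.3.8 block also changes what roadwarriors are allowed to do.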
@ -780,7 +832,8 @@ syslogsync 1</programlisting>
flush; flush;
spdflush; spdflush;
# Add some SPD rules # We only define policies for 'tipper'. The XP box seems to work better when it initiates the
# negotiation so we essentially run it like a roadwarrior even around the house.
spdadd 0.0.0.0/0 192.168.3.8/32 any -P out ipsec esp/tunnel/192.168.3.254-192.168.3.8/require; spdadd 0.0.0.0/0 192.168.3.8/32 any -P out ipsec esp/tunnel/192.168.3.254-192.168.3.8/require;
spdadd 192.168.3.8/32 0.0.0.0/0 any -P in ipsec esp/tunnel/192.168.3.8-192.168.3.254/require;</programlisting> spdadd 192.168.3.8/32 0.0.0.0/0 any -P in ipsec esp/tunnel/192.168.3.8-192.168.3.254/require;</programlisting>
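Review bot: the new comment refers to 'tipper' but the two spdadd lines identify the host only by address 192.168.3.8; adding the address to the comment (for example "'tipper' (192.168.3.8)") lets the comment and the rules be matched without consulting racoon.conf, where "# Tipper at Home" is tied to that address. The first comment line is also very long; wrapping it like the second line keeps setkey.conf readable.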


@ -28,7 +28,7 @@
# shown below. Simply run this script to revert to your prior version of # shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall. # Shoreline Firewall.
VERSION=2.2.0 VERSION=2.2.1
usage() # $1 = exit status usage() # $1 = exit status
{ {


@ -22,7 +22,7 @@
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA # Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
# #
VERSION=2.2.0 VERSION=2.2.1
usage() # $1 = exit status usage() # $1 = exit status
{ {


@ -27,6 +27,9 @@ Problems corrected in version 2.2.1
3) The comments regarding built-in actions in 3) The comments regarding built-in actions in
/usr/share/shorewall/actions.std have been corrected. /usr/share/shorewall/actions.std have been corrected.
4) The /etc/shorewall/policy file in the LRP package was missing the
'all->all' policy.
----------------------------------------------------------------------- -----------------------------------------------------------------------
Issues when migrating from Shorewall 2.0 to Shorewall 2.2: Issues when migrating from Shorewall 2.0 to Shorewall 2.2:


@ -1,5 +1,5 @@
%define name shorewall %define name shorewall
%define version 2.2.0 %define version 2.2.1
%define release 1 %define release 1
%define prefix /usr %define prefix /usr
@ -138,6 +138,8 @@ fi
%changelog %changelog
* Mon Jan 24 2005 Tom Eastep tom@shorewall.net * Mon Jan 24 2005 Tom Eastep tom@shorewall.net
- Updated to 2.2.1-1
* Mon Jan 24 2005 Tom Eastep tom@shorewall.net
- Updated to 2.2.0-1 - Updated to 2.2.0-1
* Mon Jan 17 2005 Tom Eastep tom@shorewall.net * Mon Jan 17 2005 Tom Eastep tom@shorewall.net
- Updated to 2.2.0-0RC5 - Updated to 2.2.0-0RC5
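Review bot: the new changelog entry `* Mon Jan 24 2005 Tom Eastep tom@shorewall.net` / `- Updated to 2.2.1-1` reuses the date of the 2.2.0-1 entry directly below it; this commit is dated 2005-02-15 and the documentation pubdate in the same commit is 2005-02-15, so the 2.2.1-1 entry should carry the actual release date rather than misdating the release.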


@ -26,7 +26,7 @@
# You may only use this script to uninstall the version # You may only use this script to uninstall the version
# shown below. Simply run this script to remove Seattle Firewall # shown below. Simply run this script to remove Seattle Firewall
VERSION=2.2.0 VERSION=2.2.1
usage() # $1 = exit status usage() # $1 = exit status
{ {