Update for Shorewall 2.2.1

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1959 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2005-02-15 23:45:27 +00:00
parent 70a88b7870
commit 464ad6019d
11 changed files with 481 additions and 364 deletions


@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2005-02-08</pubdate>
<pubdate>2005-02-13</pubdate>
<copyright>
<year>2004</year>
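Review bot: the pubdate moves forward to 2005-02-13, but the context line `<year>2004</year>` shows the copyright year was left alone; the companion document in this same commit carries `<year>2001-2005</year>`, so consider `<year>2004-2005</year>` here to match.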
@ -728,4 +728,63 @@ all all REJECT info
occur, NONE policies are used.</para>
</blockquote>
</section>
<section>
<title>IPSEC and <trademark>Windows</trademark> XP</title>
<para>I have successfully configured my work laptop to use IPSEC for
wireless IP communication when it is undocked at home. I looked at dozens
of sites and the one I found most helpful was <ulink
url="http://ipsec.math.ucla.edu/services/ipsec-windows.html">http://ipsec.math.ucla.edu/services/ipsec-windows.html</ulink>.
The instructions on that site are directed to students at UCLA but they
worked fine for me (once I followed them very carefully).</para>
<warning>
<para>The instructions found on the UCLA site are complex and do not
include any information on the generation of X.509 certificates. There
are lots of sites however that can tell you how to generate
certificates, including <ulink
url="http://www.ipsec-howto.org/">http://www.ipsec-howto.org/</ulink>.</para>
<para>One piece of information that may not be so easy to find is "How
to I generate a PKCS#12 certificate to import into Windows?". Here's the
openssl command I used:</para>
<programlisting><command>openssl pkcs12 -export -in eastepnc6000.pem -inkey eastepnc6000_key.pem -out eastepnc6000.pfx -name "IPSEC Cert for Home Wireless"</command> </programlisting>
<para>I was prompted for a password to associate with the certificate.
This password is entered on the Windows system during import.</para>
<para>In the above command:</para>
<itemizedlist>
<listitem>
<para>eastepnc6000.pem was the laptop's certificate in PEM
format.</para>
</listitem>
<listitem>
<para>eastepnc6000_key.pem was the laptop's private key (actually,
it's the original signing request which includes the private
key).</para>
</listitem>
<listitem>
<para>eastepnc6000.pfx is the PKCS#12 output file.</para>
</listitem>
<listitem>
<para>"IPSEC Cert for Home Wireless" is the friendly name for the
certificate.I</para>
</listitem>
</itemizedlist>
<para>I started to write an article about how to do this, complete with
graphics captured from my laptop. I gave up. I had captured 12 images
and hadn't really started yet. The Windows interface for configuring
IPSEC is the worst GUI that I have ever used. What can be displayed on
one split Emacs screen (racoon.conf plus setkey.conf) takes 20+
different dialog boxes on Windows XP!!!</para>
</warning>
</section>
</article>
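Review bot: the second list item describes eastepnc6000_key.pem as "the original signing request which includes the private key"; a certificate signing request does not carry the private key, so readers who hand a .csr to `-inkey` will get an error. Suggest saying it is the PEM key file that openssl wrote when the request was generated (or a combined key-plus-request file, if that is what it is) and that it is the private key `-inkey` needs. Smaller points in the same hunk: "How to I generate" should be "How do I generate"; "certificate.I" has a stray "I"; the `<programlisting>` has a trailing space before `</programlisting>`; and since the export password is what protects the private key inside the .pfx, it is worth stating that it should be a strong one. Also, the whole section body sits inside `<warning>`, including the closing anecdote about the Windows GUI; a `<note>` or plain `<para>` fits that better and keeps `<warning>` for the complexity and certificate-generation caveat.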

Binary file not shown.

Binary file not shown.

File diff suppressed because one or more lines are too long


@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2005-02-08</pubdate>
<pubdate>2005-02-15</pubdate>
<copyright>
<year>2001-2005</year>
@ -122,19 +122,19 @@
through Proxy ARP.</para>
<para>The firewall system itself runs a DHCP server that serves the local
network.</para>
and wireless networks.</para>
<para>I have one system (Remote, 206.124.146.179) outside the firewall.
This system, which runs Debian Sarge (testing) is used for roadwarrior VPN
testing and for checking my firewall "from the outside".</para>
<para>All administration and publishing is done using ssh/scp. I have a
desktop environment installed on the firewall but I am not usually logged
in to it. X applications tunnel through SSH to Ursa. The server also has a
desktop environment installed and that desktop environment is available
via XDMCP from the local zone. For the most part though, X tunneled
through SSH is used for server administration and the server runs at run
level 3 (multi-user console mode on Fedora).</para>
desktop environment installed on the firewall but I usually don't start
it. X applications tunnel through SSH to Ursa or one of the laptops. The
server also has a desktop environment installed but it is seldom started
either. For the most part, X tunneled through SSH is used for server
administration and the server runs at run level 3 (multi-user console mode
on Fedora).</para>
<para>I run an SNMP server on my firewall to serve <ulink
url="http://www.ee.ethz.ch/~oetiker/webtools/mrtg/">MRTG</ulink> running
@ -150,7 +150,10 @@
<para>The firewall is configured with OpenVPN for VPN access from our
second home in <ulink url="http://www.omakchamber.com/">Omak,
Washington</ulink> or when we are otherwise out of town. Secure remote
access via IPSEC is also available.</para>
access via IPSEC is also available. We typically use IPSEC for wireless
security around the house and OpenVPN for roadwarrior access but the
Firewall is set up to access either tunnel type from either
location.</para>
<para><graphic align="center" fileref="images/network.png" /></para>
</section>
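Review bot: "the Firewall is set up to access either tunnel type from either location" reads as if the firewall initiates the tunnels; from the rest of the paragraph the meaning is that it accepts either tunnel type, so suggest "accept". Also lowercase "firewall", as elsewhere in the paragraph.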
@ -733,41 +736,90 @@ syslogsync 1</programlisting>
<title>/etc/racoon/racoon.conf</title>
<blockquote>
<programlisting> path certificate "/etc/certs" ;
listen
{
isakmp 206.124.146.176;
isakmp 192.168.3.254;
<programlisting>
listen
{
isakmp 206.124.146.176 ;
isakmp 192.168.3.254 ;
adminsock "/usr/local/var/racoon/racoon.sock" "root" "operator" 0660 ;
}
#
# Tipper at Home
#
remote 192.168.3.8
{
exchange_mode main ;
dpd_delay 20 ;
certificate_type x509 "gateway.pem" "gateway_key.pem" ;
verify_cert on ;
my_identifier asn1dn ;
peers_identifier asn1dn ;
verify_identifier on ;
lifetime time 1 hour ;
proposal {
encryption_algorithm blowfish ;
hash_algorithm sha1 ;
authentication_method rsasig ;
dh_group 2 ;
}
}
remote anonymous
{
exchange_mode main ;
generate_policy on ;
passive on ;
certificate_type x509 "gateway.pem" "gateway_key.pem";
verify_cert on;
my_identifier asn1dn ;
peers_identifier asn1dn ;
verify_identifier on ;
lifetime time 24 hour ;
proposal {
encryption_algorithm blowfish;
hash_algorithm sha1;
authentication_method rsasig ;
dh_group 2 ;
}
sainfo address 0.0.0.0/0 any address 192.168.3.8 any
{
pfs_group 2 ;
lifetime time 1 hour ;
encryption_algorithm blowfish ;
authentication_algorithm hmac_sha1, hmac_md5 ;
compression_algorithm deflate ;
}
#
# Work Laptop at Home -- it doesn't like getting proposals from us
# so we let it initiate the tunnel.
#
# Windows XP doesn't support blowfish or rijndal
# so we're stuck with 3des :-(
#
remote 192.168.3.6 inherit 192.168.3.8
{
proposal_check obey ;
passive on ;
generate_policy on ;
proposal {
encryption_algorithm 3des ;
hash_algorithm sha1 ;
authentication_method rsasig ;
dh_group 2 ;
}
}
sainfo anonymous
{
pfs_group 2;
lifetime time 12 hour ;
encryption_algorithm blowfish, 3des;
authentication_algorithm hmac_sha1, hmac_md5 ;
compression_algorithm deflate ;
}</programlisting>
sainfo address 0.0.0.0/0 any address 192.168.3.6 any
{
pfs_group 2 ;
lifetime time 1 hour ;
encryption_algorithm 3des ;
authentication_algorithm hmac_sha1, hmac_md5 ;
compression_algorithm deflate ;
}
#
# Both systems on the road -- We use 3des for phase I to accomodate XP.
# Since we don't know the IP address of the
# remote host ahead of time, we must use
# "anonymous".
#
remote anonymous inherit 192.168.3.6
{
nat_traversal on ;
ike_frag on;
}
sainfo anonymous
{
pfs_group 2;
lifetime time 12 hour ;
encryption_algorithm blowfish, 3des;
authentication_algorithm hmac_sha1, hmac_md5 ;
compression_algorithm deflate ;
}</programlisting>
</blockquote>
</section>
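Review bot: the replacement listing drops the `path certificate "/etc/certs" ;` line that opened the old listing, yet every `remote` section still names "gateway.pem" and "gateway_key.pem" by bare filename, so racoon will look for them in its compiled-in default directory; unless the certificates really moved, restore that line at the top of the listing. Two caveats worth a sentence in the surrounding text: `remote 192.168.3.6 inherit 192.168.3.8` sets `proposal_check obey`, which accepts the peer's proposed lifetime and algorithms in place of the local ones, and `remote anonymous inherit 192.168.3.6` carries `obey`, `passive on` and `generate_policy on` over to any unknown peer on the Internet, so the inherited `verify_cert on` / `verify_identifier on` checks are the only gate between an arbitrary initiator and an installed policy; say explicitly that the CA in the certificate path is the trust anchor for that. `authentication_algorithm hmac_sha1, hmac_md5` keeps hmac_md5 as an accepted option in every `sainfo` even though sha1 is offered first; if no peer needs it, drop it. Typos in the comments: "rijndal" should be "rijndael" and "accomodate" should be "accommodate"; `ike_frag on;` also lacks the space before ";" used everywhere else in the file.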
@ -780,7 +832,8 @@ syslogsync 1</programlisting>
flush;
spdflush;
# Add some SPD rules
# We only define policies for 'tipper'. The XP box seems to work better when it initiates the
# negotiation so we essentially run it like a roadwarrior even around the house.
spdadd 0.0.0.0/0 192.168.3.8/32 any -P out ipsec esp/tunnel/192.168.3.254-192.168.3.8/require;
spdadd 192.168.3.8/32 0.0.0.0/0 any -P in ipsec esp/tunnel/192.168.3.8-192.168.3.254/require;</programlisting>
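Review bot: the new comment says SPD entries exist only for tipper (192.168.3.8) but not what that implies: with no `spdadd` for 192.168.3.6, packets to and from the XP laptop are not required to use ESP until the laptop initiates and racoon's `generate_policy on` installs a policy, so the kernel does not block cleartext traffic to that host in the meantime. A sentence stating that this is by design (the XP box must initiate) and that `setkey -DP` shows which policies are currently installed would complete the note.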


@ -28,7 +28,7 @@
# shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall.
VERSION=2.2.0
VERSION=2.2.1
usage() # $1 = exit status
{


@ -22,7 +22,7 @@
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
#
VERSION=2.2.0
VERSION=2.2.1
usage() # $1 = exit status
{


@ -28,6 +28,9 @@ Problems corrected in version 2.2.1
3) The comments regarding built-in actions in
/usr/share/shorewall/actions.std have been corrected.
4) The /etc/shorewall/policy file in the LRP package was missing the
'all->all' policy.
-----------------------------------------------------------------------
Issues when migrating from Shorewall 2.0 to Shorewall 2.2:


@ -1,5 +1,5 @@
%define name shorewall
%define version 2.2.0
%define version 2.2.1
%define release 1
%define prefix /usr
@ -138,6 +138,8 @@ fi
%changelog
* Mon Jan 24 2005 Tom Eastep tom@shorewall.net
- Updated to 2.2.1-1
* Mon Jan 24 2005 Tom Eastep tom@shorewall.net
- Updated to 2.2.0-1
* Mon Jan 17 2005 Tom Eastep tom@shorewall.net
- Updated to 2.2.0-0RC5
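Review bot: the new changelog entry reuses the date of the 2.2.0-1 entry ("Mon Jan 24 2005") while this commit is dated 2005-02-15; rpm changelog dates should record the actual release date, so the line should read "* Tue Feb 15 2005 Tom Eastep tom@shorewall.net" (or whichever day the 2.2.1-1 package was really built).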


@ -26,7 +26,7 @@
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Seattle Firewall
VERSION=2.2.0
VERSION=2.2.1
usage() # $1 = exit status
{
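Review bot: only the version line changes here, but the header comment two lines above it still says "remove Seattle Firewall" while the fallback script in this same commit says "Shoreline Firewall"; a follow-up should align the product name across the two scripts.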