mirror of
https://gitlab.com/shorewall/code.git
synced 2025-02-18 10:40:54 +01:00
Modify 'my configuration' to match reality
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1597 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep
parent
525541e549
commit
5388f7a631
@ -15,7 +15,7 @@
|
|||||||
</author>
|
</author>
|
||||||
</authorgroup>
|
</authorgroup>
|
||||||
|
|
||||||
<pubdate>2004-08-05</pubdate>
|
<pubdate>2004-09-04</pubdate>
|
||||||
|
|
||||||
<copyright>
|
<copyright>
|
||||||
<year>2001-2004</year>
|
<year>2001-2004</year>
|
||||||
@ -48,7 +48,7 @@
|
|||||||
|
|
||||||
<caution>
|
<caution>
|
||||||
<para>The configuration shown here corresponds to Shorewall version
|
<para>The configuration shown here corresponds to Shorewall version
|
||||||
2.1.1. My configuration uses features not available in earlier Shorewall
|
2.1.7. My configuration uses features not available in earlier Shorewall
|
||||||
releases.</para>
|
releases.</para>
|
||||||
</caution>
|
</caution>
|
||||||
|
|
||||||
@ -64,9 +64,9 @@
|
|||||||
|
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>I use one-to-one NAT for Ursa (my personal system that
|
<para>I use one-to-one NAT for Ursa (my personal system that run SuSE
|
||||||
dual-boots Mandrake 10.0 (Official) and Windows XP) - Internal address
|
9.1) - Internal address 192.168.1.5 and external address
|
||||||
192.168.1.5 and external address 206.124.146.178.</para>
|
206.124.146.178.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
@ -76,11 +76,10 @@
|
|||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>I use SNAT through 206.124.146.179 for my SuSE 9.0 Linux
|
<para>I use SNAT through 206.124.146.179 for my Wife's Windows XP
|
||||||
system <quote>Wookie</quote>, my Wife's Windows XP system
|
system <quote>Tarry</quote>, and our dual-booting (Windows
|
||||||
<quote>Tarry</quote>, and our dual-booting (Windows XP/SuSE 9.1)
|
XP/SuSE 9.1) laptop <quote>Tipper</quote> which connects through the
|
||||||
laptop <quote>Tipper</quote> which connects through the Wireless
|
Wireless Access Point (wap) via a Wireless Bridge (wet).<note>
|
||||||
Access Point (wap) via a Wireless Bridge (wet).<note>
|
|
||||||
<para>While the distance between the WAP and where I usually use
|
<para>While the distance between the WAP and where I usually use
|
||||||
the laptop isn't very far (25 feet or so), using a WAC11 (CardBus
|
the laptop isn't very far (25 feet or so), using a WAC11 (CardBus
|
||||||
wireless card) has proved very unsatisfactory (lots of lost
|
wireless card) has proved very unsatisfactory (lots of lost
|
||||||
@ -96,17 +95,21 @@
|
|||||||
|
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>I have Wookie (193.168.1.3) configured as a 3-port bridge. Squid
|
<para>I have Ursa (193.168.1.5/206.124.146.178) configured as a 2-port
|
||||||
runs on this system and is configured as a transparent proxy.</para>
|
bridge.</para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>Squid runs on the firewall and is configured as a transparent
|
||||||
|
proxy.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
|
|
||||||
<para>The firewall runs on a 256MB PII/233 with Debian Sarge
|
<para>The firewall runs on a 384MB K-6/II with SuSE 9.1.</para>
|
||||||
(Testing).</para>
|
|
||||||
|
|
||||||
<para>Wookie and Ursa run Samba and Wookie acts as a WINS server.</para>
|
<para>Ursa runs Samba for file sharing with the Windows systems..</para>
|
||||||
|
|
||||||
<para>The wireless network connects to Wookie's eth2 via a LinkSys
|
<para>The wireless network connects to Ursa's eth0 via a LinkSys
|
||||||
WAP11. In additional to using the rather weak WEP 40-bit encryption
|
WAP11. In additional to using the rather weak WEP 40-bit encryption
|
||||||
(64-bit with the 24-bit preamble), I use <ulink
|
(64-bit with the 24-bit preamble), I use <ulink
|
||||||
url="MAC_Validation.html">MAC verification</ulink>. This is still a weak
|
url="MAC_Validation.html">MAC verification</ulink>. This is still a weak
|
||||||
@ -142,8 +145,9 @@
|
|||||||
/etc/network/interfaces file (see below) adds a host route to
|
/etc/network/interfaces file (see below) adds a host route to
|
||||||
206.124.146.177 through eth1 when that interface is brought up.</para>
|
206.124.146.177 through eth1 when that interface is brought up.</para>
|
||||||
|
|
||||||
<para>Tarry (192.168.1.4) runs a PPTP server for Road Warrior
|
<para>Tarry (192.168.1.4) runs a PPTP server for Road Warrior access from
|
||||||
access.</para>
|
my work laptop and the Firewall is configured with IPSEC for tunnel mode
|
||||||
|
road warrior access from Tipper.</para>
|
||||||
|
|
||||||
<para><graphic align="center" fileref="images/network.png" /></para>
|
<para><graphic align="center" fileref="images/network.png" /></para>
|
||||||
</section>
|
</section>
|
||||||
@ -156,6 +160,7 @@
|
|||||||
|
|
||||||
<blockquote>
|
<blockquote>
|
||||||
<programlisting>LOGFILE=/var/log/messages
|
<programlisting>LOGFILE=/var/log/messages
|
||||||
|
LOGFORMAT="Shorewall:%s:%s "
|
||||||
LOGRATE=
|
LOGRATE=
|
||||||
LOGBURST=
|
LOGBURST=
|
||||||
LOGUNCLEAN=$LOG
|
LOGUNCLEAN=$LOG
|
||||||
@ -165,17 +170,19 @@ MACLIST_LOG_LEVEL=$LOG
|
|||||||
TCP_FLAGS_LOG_LEVEL=$LOG
|
TCP_FLAGS_LOG_LEVEL=$LOG
|
||||||
RFC1918_LOG_LEVEL=$LOG
|
RFC1918_LOG_LEVEL=$LOG
|
||||||
SMURF_LOG_LEVEL=
|
SMURF_LOG_LEVEL=
|
||||||
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
|
PATH=/usr/local/sbin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin
|
||||||
SHOREWALL_SHELL=/bin/ash
|
SHOREWALL_SHELL=/bin/ash
|
||||||
SUBSYSLOCK= #I run Debian which doesn't use service locks
|
SUBSYSLOCK=
|
||||||
STATEDIR=/var/state/shorewall
|
STATEDIR=/var/state/shorewall
|
||||||
MODULESDIR=
|
MODULESDIR=
|
||||||
|
CONFIG_PATH=/etc/shorewall:/etc/shorewall/actiondir:/usr/share/shorewall
|
||||||
|
RESTOREFILE=standard
|
||||||
FW=fw
|
FW=fw
|
||||||
IP_FORWARDING=On
|
IP_FORWARDING=On
|
||||||
ADD_IP_ALIASES=Yes
|
ADD_IP_ALIASES=Yes
|
||||||
ADD_SNAT_ALIASES=Yes
|
ADD_SNAT_ALIASES=Yes
|
||||||
TC_ENABLED=Yes
|
TC_ENABLED=Yes
|
||||||
CLEAR_TC=No
|
CLEAR_TC=Yes
|
||||||
MARK_IN_FORWARD_CHAIN=No
|
MARK_IN_FORWARD_CHAIN=No
|
||||||
CLAMPMSS=Yes
|
CLAMPMSS=Yes
|
||||||
ROUTE_FILTER=No
|
ROUTE_FILTER=No
|
||||||
@ -183,6 +190,9 @@ DETECT_DNAT_IPADDRS=Yes
|
|||||||
MUTEX_TIMEOUT=60
|
MUTEX_TIMEOUT=60
|
||||||
NEWNOTSYN=Yes
|
NEWNOTSYN=Yes
|
||||||
BLACKLISTNEWONLY=Yes
|
BLACKLISTNEWONLY=Yes
|
||||||
|
DYNAMIC_ZONES=No
|
||||||
|
DISABLE_IPV6=Yes
|
||||||
|
PKTTYPE=No
|
||||||
BLACKLIST_DISPOSITION=DROP
|
BLACKLIST_DISPOSITION=DROP
|
||||||
MACLIST_DISPOSITION=REJECT
|
MACLIST_DISPOSITION=REJECT
|
||||||
TCP_FLAGS_DISPOSITION=DROP
|
TCP_FLAGS_DISPOSITION=DROP
|
||||||
@ -197,7 +207,12 @@ TCP_FLAGS_DISPOSITION=DROP
|
|||||||
<para><programlisting>MIRRORS=<list of shorewall mirror ip addresses>
|
<para><programlisting>MIRRORS=<list of shorewall mirror ip addresses>
|
||||||
NTPSERVERS=<list of the NTP servers I sync with>
|
NTPSERVERS=<list of the NTP servers I sync with>
|
||||||
TEXAS=<ip address of gateway in Plano>
|
TEXAS=<ip address of gateway in Plano>
|
||||||
LOG=info</programlisting></para>
|
OMAK=<ip address of tipper while we are at our second home>
|
||||||
|
LOG=info
|
||||||
|
EXT_IF=eth1
|
||||||
|
INT_IF=eth0
|
||||||
|
DMZ_IF=eth2
|
||||||
|
</programlisting></para>
|
||||||
</blockquote>
|
</blockquote>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
@ -209,8 +224,10 @@ LOG=info</programlisting></para>
|
|||||||
net Internet Internet
|
net Internet Internet
|
||||||
dmz DMZ Demilitarized zone
|
dmz DMZ Demilitarized zone
|
||||||
loc Local Local networks
|
loc Local Local networks
|
||||||
tx Texas Peer Network in Plano
|
omak Omak Our Laptop at our second home
|
||||||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
|
tx Texas Peer Network in Dallas
|
||||||
|
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
|
||||||
|
</programlisting>
|
||||||
</blockquote>
|
</blockquote>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
@ -221,12 +238,12 @@ tx Texas Peer Network in Plano
|
|||||||
<para>This is set up so that I can start the firewall before bringing
|
<para>This is set up so that I can start the firewall before bringing
|
||||||
up my Ethernet interfaces.</para>
|
up my Ethernet interfaces.</para>
|
||||||
|
|
||||||
<programlisting>#ZONE INERFACE BROADCAST OPTIONS
|
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||||
net eth0 206.124.146.255 dhcp,norfc1918,routefilter,blacklist,tcpflags,nosmurfs
|
net $EXT_IF 206.124.146.255 dhcp,norfc1918,routefilter,blacklist,tcpflags,nosmurfs
|
||||||
loc eth2 192.168.1.255 dhcp
|
loc $INT_IF detect dhcp
|
||||||
dmz eth1 -
|
dmz $DMZ_IF -
|
||||||
- texas 192.168.9.255
|
- texas -
|
||||||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
|
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
|
||||||
</blockquote>
|
</blockquote>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
@ -235,18 +252,32 @@ dmz eth1 -
|
|||||||
|
|
||||||
<blockquote>
|
<blockquote>
|
||||||
<programlisting>#ZONE HOST(S) OPTIONS
|
<programlisting>#ZONE HOST(S) OPTIONS
|
||||||
tx texas:192.168.8.0/22
|
tx texas:192.168.8.0/22
|
||||||
|
omak $EXT_IF:$OMAK
|
||||||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
|
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
|
||||||
</blockquote>
|
</blockquote>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
|
<section>
|
||||||
|
<title>Ipsec File</title>
|
||||||
|
|
||||||
|
<blockquote>
|
||||||
|
<programlisting>#ZONE IPSEC OPTIONS IN OUT
|
||||||
|
# ONLY OPTIONS OPTIONS
|
||||||
|
omak yes mode=tunnel
|
||||||
|
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||||
|
</programlisting>
|
||||||
|
</blockquote>
|
||||||
|
</section>
|
||||||
|
|
||||||
<section>
|
<section>
|
||||||
<title>Routestopped File</title>
|
<title>Routestopped File</title>
|
||||||
|
|
||||||
<blockquote>
|
<blockquote>
|
||||||
<programlisting>#INTERFACE HOST(S)
|
<programlisting>#INTERFACE HOST(S)
|
||||||
eth1 206.124.146.177
|
$DMZ_IF 206.124.146.177
|
||||||
eth2 -
|
$INT_IF -
|
||||||
|
$EXT_IF $OMAK
|
||||||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
|
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
|
||||||
</blockquote>
|
</blockquote>
|
||||||
</section>
|
</section>
|
||||||
@ -289,15 +320,26 @@ eth2 -
|
|||||||
|
|
||||||
<blockquote>
|
<blockquote>
|
||||||
<programlisting>#SOURCE DESTINATION POLICY LOG LEVEL BURST:LIMIT
|
<programlisting>#SOURCE DESTINATION POLICY LOG LEVEL BURST:LIMIT
|
||||||
fw fw ACCEPT # For testing fw->fw rules
|
fw fw ACCEPT
|
||||||
loc net ACCEPT # Allow all net traffic from local net
|
loc net ACCEPT
|
||||||
$FW loc ACCEPT # Allow local access from the firewall
|
fw sec ACCEPT
|
||||||
$FW tx ACCEPT # Allow firewall access to texas
|
omak fw ACCEPT
|
||||||
loc tx ACCEPT # Allow local net access to texas
|
fw omak ACCEPT
|
||||||
loc fw REJECT $LOG # Reject loc->fw and log
|
omak loc ACCEPT
|
||||||
net all DROP $LOG 10/sec:40 # Rate limit and
|
loc omak ACCEPT
|
||||||
# DROP net->all
|
omak net NONE
|
||||||
all all REJECT $LOG # Reject and log the rest
|
net omak NONE
|
||||||
|
omak dmz NONE
|
||||||
|
dmz omak NONE
|
||||||
|
omak tx NONE
|
||||||
|
tx omak NONE
|
||||||
|
$FW loc ACCEPT #Firewall to Local
|
||||||
|
$FW tx ACCEPT
|
||||||
|
loc tx ACCEPT
|
||||||
|
loc fw REJECT $LOG
|
||||||
|
dmz tx ACCEPT
|
||||||
|
net all DROP $LOG 10/sec:40
|
||||||
|
all all REJECT $LOG
|
||||||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
|
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
|
||||||
</blockquote>
|
</blockquote>
|
||||||
</section>
|
</section>
|
||||||
@ -318,8 +360,8 @@ all all REJECT $LOG # Reje
|
|||||||
from ADD_SNAT_ALIASES=Yes in my shorewall.conf file above.</para>
|
from ADD_SNAT_ALIASES=Yes in my shorewall.conf file above.</para>
|
||||||
|
|
||||||
<programlisting>#INTERFACE SUBNET ADDRESS
|
<programlisting>#INTERFACE SUBNET ADDRESS
|
||||||
+eth0::192.168.1.1 0.0.0.0/0 192.168.1.254
|
+$EXT_IF::192.168.1.1 0.0.0.0/0 192.168.1.254
|
||||||
eth0:2 eth2 206.124.146.179
|
$EXT_IF:2 eth2 206.124.146.179
|
||||||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
|
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
|
||||||
</programlisting>
|
</programlisting>
|
||||||
</blockquote>
|
</blockquote>
|
||||||
@ -354,6 +396,7 @@ eth0:2 eth2 206.124.146.179
|
|||||||
<blockquote>
|
<blockquote>
|
||||||
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE PORT
|
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE PORT
|
||||||
gre net $TEXAS
|
gre net $TEXAS
|
||||||
|
ipsec:noah net $OMAK omak
|
||||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
||||||
</blockquote>
|
</blockquote>
|
||||||
</section>
|
</section>
|
||||||
@ -449,10 +492,10 @@ REJECT loc net tcp 137,445
|
|||||||
REJECT loc net udp 137:139
|
REJECT loc net udp 137:139
|
||||||
#
|
#
|
||||||
DROP loc:!192.168.1.0/24 net
|
DROP loc:!192.168.1.0/24 net
|
||||||
|
#
|
||||||
#QUEUE loc net udp
|
# SQUID
|
||||||
#QUEUE loc fw udp
|
#
|
||||||
#QUEUE loc net tcp
|
REDIRECT loc 3128 tcp 80
|
||||||
###############################################################################################################################################################################
|
###############################################################################################################################################################################
|
||||||
# Local Network to Firewall
|
# Local Network to Firewall
|
||||||
#
|
#
|
||||||
@ -471,15 +514,24 @@ ACCEPT loc dmz tcp www,smtp,smtps,domain,ssh,imap,https,imaps,cvspserver,f
|
|||||||
dropNotSyn net fw tcp
|
dropNotSyn net fw tcp
|
||||||
dropNotSyn net loc tcp
|
dropNotSyn net loc tcp
|
||||||
dropNotSyn net dmz tcp
|
dropNotSyn net dmz tcp
|
||||||
|
|
||||||
|
#
|
||||||
|
# Drop ping to firewall and local
|
||||||
|
#
|
||||||
|
|
||||||
|
DropPing net fw
|
||||||
|
DropPing net loc
|
||||||
###############################################################################################################################################################################
|
###############################################################################################################################################################################
|
||||||
# Internet to DMZ
|
# Internet to DMZ
|
||||||
#
|
#
|
||||||
DNAT- net dmz:206.124.146.177 tcp smtp - 206.124.146.179,206.124.146.178
|
DNAT- net dmz:206.124.146.177 tcp smtp - 206.124.146.179,206.124.146.1
|
||||||
|
78
|
||||||
ACCEPT net dmz tcp smtp,smtps,www,ftp,imaps,domain,https,cvspserver -
|
ACCEPT net dmz tcp smtp,smtps,www,ftp,imaps,domain,https,cvspserver -
|
||||||
ACCEPT net dmz udp domain
|
ACCEPT net dmz udp domain
|
||||||
ACCEPT net dmz udp 33434:33436
|
ACCEPT net dmz udp 33434:33436
|
||||||
Mirrors net dmz tcp rsync
|
Mirrors net dmz tcp rsync
|
||||||
#ACCEPT:$LOG net dmz tcp 32768:61000 20
|
ACCEPT net:$OMAK dmz tcp 22 #SSH from Omak
|
||||||
|
AllowPing net dmz
|
||||||
###############################################################################################################################################################################
|
###############################################################################################################################################################################
|
||||||
#
|
#
|
||||||
# Net to Local
|
# Net to Local
|
||||||
@ -487,12 +539,13 @@ Mirrors net dmz tcp rsync
|
|||||||
# When I'm "on the road", the following two rules allow me VPN access back home.
|
# When I'm "on the road", the following two rules allow me VPN access back home.
|
||||||
#
|
#
|
||||||
DNAT net loc:192.168.1.4 tcp 1723 -
|
DNAT net loc:192.168.1.4 tcp 1723 -
|
||||||
DNAT net:!4.3.113.178 loc:192.168.1.4 gre -
|
DNAT net:!$TEXAS loc:192.168.1.4 gre -
|
||||||
ACCEPT net loc:192.168.1.5 tcp 22
|
ACCEPT net loc:192.168.1.5 tcp 22
|
||||||
#
|
#
|
||||||
# ICQ
|
# ICQ
|
||||||
#
|
#
|
||||||
ACCEPT net loc:192.168.1.5 tcp 4000:4100
|
ACCEPT net loc:192.168.1.5 tcp 4000:4100
|
||||||
|
DNAT net loc:192.168.1.8 tcp 4000:4100 - 206.124.146.179
|
||||||
#
|
#
|
||||||
# Real Audio
|
# Real Audio
|
||||||
#
|
#
|
||||||
@ -513,8 +566,6 @@ ACCEPT dmz net tcp smtp,domain,www,81,https,whois,echo,2702,21,2703,ssh,80
|
|||||||
ACCEPT dmz net udp domain
|
ACCEPT dmz net udp domain
|
||||||
REJECT:$LOG dmz net udp 1025:1031
|
REJECT:$LOG dmz net udp 1025:1031
|
||||||
ACCEPT dmz net:$POPSERVERS tcp pop3
|
ACCEPT dmz net:$POPSERVERS tcp pop3
|
||||||
#ACCEPT dmz net:206.191.151.2 tcp pop3
|
|
||||||
#ACCEPT dmz net:66.216.26.115 tcp pop3
|
|
||||||
#
|
#
|
||||||
# Something is wrong with the FTP connection tracking code or there is some client out there
|
# Something is wrong with the FTP connection tracking code or there is some client out there
|
||||||
# that is sending a PORT command which that code doesn't understand. Either way,
|
# that is sending a PORT command which that code doesn't understand. Either way,
|
||||||
@ -532,13 +583,15 @@ REJECT dmz fw tcp auth
|
|||||||
# DMZ to Local Network
|
# DMZ to Local Network
|
||||||
#
|
#
|
||||||
ACCEPT dmz loc tcp smtp,6001:6010
|
ACCEPT dmz loc tcp smtp,6001:6010
|
||||||
ACCEPT dmz:206.124.146.177 loc:192.168.1.3 tcp 111
|
ACCEPT dmz:206.124.146.177 loc:192.168.1.5 tcp 111
|
||||||
ACCEPT dmz:206.124.146.177 loc:192.168.1.3 udp
|
ACCEPT dmz:206.124.146.177 loc:192.168.1.5 udp
|
||||||
###############################################################################################################################################################################
|
###############################################################################################################################################################################
|
||||||
# Internet to Firewall
|
# Internet to Firewall
|
||||||
#
|
#
|
||||||
REJECT net fw tcp www,ftp,https
|
REJECT net fw tcp www,ftp,https
|
||||||
ACCEPT net dmz udp 33434:33435
|
ACCEPT net dmz udp 33434:33435
|
||||||
|
ACCEPT net:$OMAK fw udp ntp
|
||||||
|
ACCEPT net:$OMAK fw tcp 22 #SSH from Omak
|
||||||
###############################################################################################################################################################################
|
###############################################################################################################################################################################
|
||||||
# Firewall to Internet
|
# Firewall to Internet
|
||||||
#
|
#
|
||||||
@ -557,10 +610,6 @@ ACCEPT fw dmz tcp www,ftp,ssh,smtp
|
|||||||
ACCEPT fw dmz udp domain
|
ACCEPT fw dmz udp domain
|
||||||
REJECT fw dmz udp 137:139
|
REJECT fw dmz udp 137:139
|
||||||
###############################################################################################################################################################################
|
###############################################################################################################################################################################
|
||||||
# Ping
|
|
||||||
#
|
|
||||||
ACCEPT all all icmp 8
|
|
||||||
###############################################################################################################################################################################
|
|
||||||
ACCEPT tx loc:192.168.1.5 all
|
ACCEPT tx loc:192.168.1.5 all
|
||||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||||
</programlisting>
|
</programlisting>
|
||||||
@ -600,10 +649,10 @@ iface eth1 inet static
|
|||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section>
|
<section>
|
||||||
<title>Bridge (Wookie) Configuration</title>
|
<title>Bridge (Ursa) Configuration</title>
|
||||||
|
|
||||||
<para>As mentioned above, Wookie acts as a bridge. It's view of the
|
<para>As mentioned above, Ursa acts as a bridge. It's view of the network
|
||||||
network is diagrammed in the following figure.</para>
|
is diagrammed in the following figure.</para>
|
||||||
|
|
||||||
<graphic fileref="images/network1.png" />
|
<graphic fileref="images/network1.png" />
|
||||||
|
|
||||||
@ -629,9 +678,9 @@ iface eth1 inet static
|
|||||||
|
|
||||||
<blockquote>
|
<blockquote>
|
||||||
<programlisting>#ZONE DISPLAY COMMENTS
|
<programlisting>#ZONE DISPLAY COMMENTS
|
||||||
net Net Internet
|
|
||||||
loc Local Local networks
|
loc Local Local networks
|
||||||
WiFi WireLess Wireless Network
|
net Internet The Big Bad Internet
|
||||||
|
WiFi Wireless Wireless Network
|
||||||
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
|
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
|
||||||
</programlisting>
|
</programlisting>
|
||||||
</blockquote>
|
</blockquote>
|
||||||
@ -642,15 +691,15 @@ WiFi WireLess Wireless Network
|
|||||||
|
|
||||||
<blockquote>
|
<blockquote>
|
||||||
<programlisting>#SOURCE DEST POLICY LOG LIMIT:BURST
|
<programlisting>#SOURCE DEST POLICY LOG LIMIT:BURST
|
||||||
fw fw ACCEPT
|
|
||||||
loc net ACCEPT
|
|
||||||
net loc ACCEPT
|
|
||||||
net fw ACCEPT
|
|
||||||
loc fw ACCEPT
|
loc fw ACCEPT
|
||||||
loc WiFi ACCEPT
|
loc net NONE
|
||||||
fw WiFi ACCEPT
|
loc WiFi NONE
|
||||||
fw net ACCEPT
|
net fw ACCEPT
|
||||||
|
net WiFi ACCEPT
|
||||||
|
net loc NONE
|
||||||
|
WiFi net ACCEPT
|
||||||
fw loc ACCEPT
|
fw loc ACCEPT
|
||||||
|
fw net ACCEPT
|
||||||
#
|
#
|
||||||
# THE FOLLOWING POLICY MUST BE LAST
|
# THE FOLLOWING POLICY MUST BE LAST
|
||||||
#
|
#
|
||||||
@ -664,7 +713,7 @@ all all REJECT info
|
|||||||
|
|
||||||
<blockquote>
|
<blockquote>
|
||||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||||
- br0 192.168.1.255
|
- br0 192.168.1.255 dhcp
|
||||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
||||||
</blockquote>
|
</blockquote>
|
||||||
</section>
|
</section>
|
||||||
@ -674,9 +723,9 @@ all all REJECT info
|
|||||||
|
|
||||||
<blockquote>
|
<blockquote>
|
||||||
<programlisting>#ZONE HOST(S) OPTIONS
|
<programlisting>#ZONE HOST(S) OPTIONS
|
||||||
|
loc br0:eth1:192.168.1.0/24
|
||||||
net br0:eth1
|
net br0:eth1
|
||||||
loc br0:eth0
|
WiFi br0:eth0 maclist
|
||||||
WiFi br0:eth2 maclist
|
|
||||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE</programlisting>
|
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE</programlisting>
|
||||||
</blockquote>
|
</blockquote>
|
||||||
</section>
|
</section>
|
||||||
@ -685,33 +734,18 @@ WiFi br0:eth2 maclist
|
|||||||
<title>rules</title>
|
<title>rules</title>
|
||||||
|
|
||||||
<blockquote>
|
<blockquote>
|
||||||
<para>The first rule allows a transparent WWW proxy (Squid) to run on
|
|
||||||
my bridge/firewall. Squid listens on port 3128.</para>
|
|
||||||
|
|
||||||
<para>The remaining rules protect the local systems and bridge from
|
|
||||||
the WiFi network. Note that we don't restrict WiFi→net traffic since
|
|
||||||
the only directly-accessible system in the net zone is the firewall
|
|
||||||
(Wookie and the Firewall are connected by a cross-over cable).</para>
|
|
||||||
|
|
||||||
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
|
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
|
||||||
# PORT PORT(S) DEST
|
# PORT PORT(S) DEST
|
||||||
REDIRECT loc 3128 tcp www - !192.168.1.0/24
|
|
||||||
|
|
||||||
ACCEPT WiFi loc udp 137:139
|
ACCEPT WiFi loc udp 137:139
|
||||||
ACCEPT WiFi loc tcp 22,80,137,139,445,901,3389
|
ACCEPT WiFi loc tcp 22,80,137,139,445,631,901,3389
|
||||||
ACCEPT WiFi loc udp 1024: 137
|
ACCEPT WiFi loc udp 1024: 137
|
||||||
ACCEPT WiFi loc udp 177
|
ACCEPT WiFi loc udp 177,123
|
||||||
|
ACCEPT WiFi loc:192.168.1.4 tcp 1723
|
||||||
ACCEPT loc WiFi udp 137:139
|
ACCEPT WiFi loc:192.168.1.4 47
|
||||||
ACCEPT loc WiFi tcp 137,139,445
|
ACCEPT WiFi loc tcp 5900:5909
|
||||||
ACCEPT loc WiFi udp 1024: 137
|
|
||||||
ACCEPT loc WiFi tcp 6000:6010
|
|
||||||
|
|
||||||
ACCEPT WiFi fw tcp ssh,137,139,445
|
|
||||||
ACCEPT WiFi fw udp 137:139,445
|
|
||||||
ACCEPT WiFi fw udp 1024: 137
|
|
||||||
ACCEPT WiFi fw udp ntp
|
|
||||||
|
|
||||||
|
ACCEPT WiFi fw tcp ssh,80,111,137,139,445,9100:9104
|
||||||
|
ACCEPT WiFi fw udp
|
||||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
||||||
</blockquote>
|
</blockquote>
|
||||||
</section>
|
</section>
|
||||||
@ -731,10 +765,10 @@ br0 0.0.0.0/0 routeback
|
|||||||
|
|
||||||
<blockquote>
|
<blockquote>
|
||||||
<programlisting>#INTERFACE MAC IP ADDRESSES (Optional)
|
<programlisting>#INTERFACE MAC IP ADDRESSES (Optional)
|
||||||
br0:eth2 00:A0:1C:DB:0C:A0 192.168.1.7 #Work Laptop
|
br0:eth0 00:A0:1C:DB:0C:A0 192.168.1.7 #Work Laptop
|
||||||
br0:eth2 00:04:59:0e:85:b9 #WAP11
|
br0:eth0 00:04:59:0e:85:b9 #WAP11
|
||||||
br0:eth2 00:06:D5:45:33:3c #WET11
|
br0:eth0 00:06:D5:45:33:3c #WET11
|
||||||
br0:eth2 00:0b:c1:53:cc:97 192.168.1.8 #TIPPER
|
br0:eth0 00:0b:c1:53:cc:97 192.168.1.8 #TIPPER
|
||||||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
|
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
|
||||||
</blockquote>
|
</blockquote>
|
||||||
</section>
|
</section>
|
||||||
@ -769,7 +803,6 @@ do_stop() {
|
|||||||
brctl delbr br0
|
brctl delbr br0
|
||||||
ip link set eth0 down
|
ip link set eth0 down
|
||||||
ip link set eth1 down
|
ip link set eth1 down
|
||||||
ip link set eth2 down
|
|
||||||
}
|
}
|
||||||
|
|
||||||
do_start() {
|
do_start() {
|
||||||
@ -777,11 +810,9 @@ do_start() {
|
|||||||
echo "Starting Bridge"
|
echo "Starting Bridge"
|
||||||
ip link set eth0 up
|
ip link set eth0 up
|
||||||
ip link set eth1 up
|
ip link set eth1 up
|
||||||
ip link set eth2 up
|
|
||||||
brctl addbr br0
|
brctl addbr br0
|
||||||
brctl addif br0 eth0
|
brctl addif br0 eth0
|
||||||
brctl addif br0 eth1
|
brctl addif br0 eth1
|
||||||
brctl addif br0 eth2
|
|
||||||
}
|
}
|
||||||
|
|
||||||
case "$1" in
|
case "$1" in
|
||||||
@ -812,7 +843,7 @@ exit 0</programlisting>
|
|||||||
|
|
||||||
<programlisting>BOOTPROTO='static'
|
<programlisting>BOOTPROTO='static'
|
||||||
BROADCAST='192.168.1.255'
|
BROADCAST='192.168.1.255'
|
||||||
IPADDR='192.168.1.3'
|
IPADDR='192.168.1.5'
|
||||||
NETWORK='192.168.1.0'
|
NETWORK='192.168.1.0'
|
||||||
NETMASK='255.255.255.0'
|
NETMASK='255.255.255.0'
|
||||||
REMOTE_IPADDR=''
|
REMOTE_IPADDR=''
|
||||||
|
|||||||
@ -13,7 +13,7 @@
|
|||||||
<surname>Eastep</surname>
|
<surname>Eastep</surname>
|
||||||
</author>
|
</author>
|
||||||
|
|
||||||
<pubdate>2004-04-03</pubdate>
|
<pubdate>2004-08-25</pubdate>
|
||||||
|
|
||||||
<copyright>
|
<copyright>
|
||||||
<year>2001-2004</year>
|
<year>2001-2004</year>
|
||||||
@ -27,7 +27,8 @@
|
|||||||
1.2 or any later version published by the Free Software Foundation; with
|
1.2 or any later version published by the Free Software Foundation; with
|
||||||
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
||||||
Texts. A copy of the license is included in the section entitled
|
Texts. A copy of the license is included in the section entitled
|
||||||
<quote><ulink type="" url="Copyright.htm">GNU Free Documentation License</ulink></quote>.</para>
|
<quote><ulink type="" url="Copyright.htm">GNU Free Documentation
|
||||||
|
License</ulink></quote>.</para>
|
||||||
</legalnotice>
|
</legalnotice>
|
||||||
</articleinfo>
|
</articleinfo>
|
||||||
|
|
||||||
@ -48,12 +49,13 @@
|
|||||||
<title>Check the Errata</title>
|
<title>Check the Errata</title>
|
||||||
|
|
||||||
<para>Check the <ulink url="errata.htm">Shorewall Errata</ulink> to be
|
<para>Check the <ulink url="errata.htm">Shorewall Errata</ulink> to be
|
||||||
sure that there isn't an update that you are missing for your
|
sure that there isn't an update that you are missing for your version of
|
||||||
version of the firewall.</para>
|
the firewall.</para>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section>
|
<section>
|
||||||
<title>Try Searching the Shorewall Site and Mailing List Archives</title>
|
<title>Try Searching the Shorewall Site and Mailing List
|
||||||
|
Archives</title>
|
||||||
|
|
||||||
<para>The <ulink url="http://lists.shorewall.net/htdig/search.html">Site
|
<para>The <ulink url="http://lists.shorewall.net/htdig/search.html">Site
|
||||||
and Mailing List Archives search facility</ulink> can locate documents
|
and Mailing List Archives search facility</ulink> can locate documents
|
||||||
@ -66,7 +68,7 @@
|
|||||||
Errors</title>
|
Errors</title>
|
||||||
|
|
||||||
<para>If you receive an error message when starting or restarting the
|
<para>If you receive an error message when starting or restarting the
|
||||||
firewall and you can't determine the cause, then do the following:</para>
|
firewall and you can't determine the cause, then do the following:</para>
|
||||||
|
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem>
|
<listitem>
|
||||||
@ -74,7 +76,7 @@
|
|||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para><command>shorewall debug start 2> /tmp/trace</command></para>
|
<para><command>shorewall debug start 2> /tmp/trace</command></para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
@ -86,8 +88,8 @@
|
|||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>If you still can't determine what's wrong then see the
|
<para>If you still can't determine what's wrong then see the <ulink
|
||||||
<ulink url="support.htm">support page</ulink>.</para>
|
url="support.htm">support page</ulink>.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
|
|
||||||
@ -103,11 +105,11 @@ Terminated</programlisting>
|
|||||||
<para>A search through the trace for <quote>No chain/target/match by
|
<para>A search through the trace for <quote>No chain/target/match by
|
||||||
that name</quote> turned up the following:</para>
|
that name</quote> turned up the following:</para>
|
||||||
|
|
||||||
<programlisting>+ echo 'Adding Common Rules'
|
<programlisting>+ echo 'Adding Common Rules'
|
||||||
+ add_common_rules
|
+ add_common_rules
|
||||||
+ run_iptables -A reject -p tcp -j REJECT --reject-with tcp-reset
|
+ run_iptables -A reject -p tcp -j REJECT --reject-with tcp-reset
|
||||||
++ echo -A reject -p tcp -j REJECT --reject-with tcp-reset
|
++ echo -A reject -p tcp -j REJECT --reject-with tcp-reset
|
||||||
++ sed 's/!/! /g'
|
++ sed 's/!/! /g'
|
||||||
+ iptables -A reject -p tcp -j REJECT --reject-with tcp-reset
|
+ iptables -A reject -p tcp -j REJECT --reject-with tcp-reset
|
||||||
iptables: No chain/target/match by that name
|
iptables: No chain/target/match by that name
|
||||||
</programlisting>
|
</programlisting>
|
||||||
@ -129,18 +131,18 @@ iptables: No chain/target/match by that name
|
|||||||
external IP address does not mean that the request will be associated
|
external IP address does not mean that the request will be associated
|
||||||
with the external interface or the <quote>net</quote> zone. Any
|
with the external interface or the <quote>net</quote> zone. Any
|
||||||
traffic that you generate from the local network will be associated
|
traffic that you generate from the local network will be associated
|
||||||
with your local interface and will be treated as loc->fw traffic.</para>
|
with your local interface and will be treated as loc->fw
|
||||||
|
traffic.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para><emphasis role="bold">IP addresses are properties of systems,
|
<para><emphasis role="bold">IP addresses are properties of systems,
|
||||||
not of interfaces</emphasis>. It is a mistake to believe that your
|
not of interfaces</emphasis>. It is a mistake to believe that your
|
||||||
firewall is able to forward packets just because you can ping the IP
|
firewall is able to forward packets just because you can ping the IP
|
||||||
address of all of the firewall's interfaces from the local
|
address of all of the firewall's interfaces from the local network.
|
||||||
network. The only conclusion you can draw from such pinging success is
|
The only conclusion you can draw from such pinging success is that the
|
||||||
that the link between the local system and the firewall works and that
|
link between the local system and the firewall works and that you
|
||||||
you probably have the local system's default gateway set
|
probably have the local system's default gateway set correctly.</para>
|
||||||
correctly.</para>
|
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
@ -148,8 +150,9 @@ iptables: No chain/target/match by that name
|
|||||||
interfaces are in the $FW (fw) zone</emphasis>. If 192.168.1.254 is
|
interfaces are in the $FW (fw) zone</emphasis>. If 192.168.1.254 is
|
||||||
the IP address of your internal interface then you can write
|
the IP address of your internal interface then you can write
|
||||||
<quote><emphasis role="bold">$FW:192.168.1.254</emphasis></quote> in a
|
<quote><emphasis role="bold">$FW:192.168.1.254</emphasis></quote> in a
|
||||||
rule but you may not write <quote><emphasis role="bold">loc:192.168.1.254</emphasis></quote>.
|
rule but you may not write <quote><emphasis
|
||||||
Similarly, it is nonsensical to add 192.168.1.254 to the <emphasis
|
role="bold">loc:192.168.1.254</emphasis></quote>. Similarly, it is
|
||||||
|
nonsensical to add 192.168.1.254 to the <emphasis
|
||||||
role="bold">loc</emphasis> zone using an entry in
|
role="bold">loc</emphasis> zone using an entry in
|
||||||
<filename>/etc/shorewall/hosts</filename>.</para>
|
<filename>/etc/shorewall/hosts</filename>.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
@ -178,7 +181,8 @@ iptables: No chain/target/match by that name
|
|||||||
<title>Your Network Environment</title>
|
<title>Your Network Environment</title>
|
||||||
|
|
||||||
<para>Many times when people have problems with Shorewall, the problem is
|
<para>Many times when people have problems with Shorewall, the problem is
|
||||||
actually an ill-conceived network setup. Here are several popular snafus:</para>
|
actually an ill-conceived network setup. Here are several popular
|
||||||
|
snafus:</para>
|
||||||
|
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem>
|
<listitem>
|
||||||
@ -201,11 +205,25 @@ iptables: No chain/target/match by that name
|
|||||||
role="bold">arp_filter</emphasis> option in <filename><ulink
|
role="bold">arp_filter</emphasis> option in <filename><ulink
|
||||||
url="Documentation.htm#Interfaces">/etc/shorewall/interfaces</ulink></filename>
|
url="Documentation.htm#Interfaces">/etc/shorewall/interfaces</ulink></filename>
|
||||||
for all interfaces connected to the common hub/switch. Using such a
|
for all interfaces connected to the common hub/switch. Using such a
|
||||||
setup with a production firewall is strongly recommended against.</para>
|
setup with a production firewall is strongly recommended
|
||||||
|
against.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
|
<section>
|
||||||
|
<title>New Device Doesn't Work?</title>
|
||||||
|
|
||||||
|
<para>If you have just added a new device such as VOIP and it doesn't
|
||||||
|
work, be sure that you have assigned it an IP address in your local
|
||||||
|
network and that its default gateway has been set to the IP address of
|
||||||
|
your internal interface. For many of these devices, the simplest solution
|
||||||
|
is to run a DHCP server; running it on your firewall is fine — be sure to
|
||||||
|
set the <emphasis role="bold">dhcp</emphasis> option on your internal
|
||||||
|
interface in <ulink
|
||||||
|
url="Documentation.htm#INterfaces">/etc/shorewall/interfaces</ulink>.</para>
|
||||||
|
</section>
|
||||||
|
|
||||||
<section>
|
<section>
|
||||||
<title>Connection Problems</title>
|
<title>Connection Problems</title>
|
||||||
|
|
||||||
@ -218,22 +236,23 @@ iptables: No chain/target/match by that name
|
|||||||
<para>I also recommend against setting all of your policies to ACCEPT in
|
<para>I also recommend against setting all of your policies to ACCEPT in
|
||||||
an effort to make something work. That robs you of one of your best
|
an effort to make something work. That robs you of one of your best
|
||||||
diagnostic tools - the <quote>Shorewall</quote> messages that Netfilter
|
diagnostic tools - the <quote>Shorewall</quote> messages that Netfilter
|
||||||
will generate when you try to connect in a way that isn't permitted by
|
will generate when you try to connect in a way that isn't permitted by
|
||||||
your rule set.</para>
|
your rule set.</para>
|
||||||
|
|
||||||
<para>Check your log (<quote><command>/sbin/shorewall show log</command></quote>).
|
<para>Check your log (<quote><command>/sbin/shorewall show
|
||||||
If you don't see Shorewall messages, then your problem is probably NOT
|
log</command></quote>). If you don't see Shorewall messages, then your
|
||||||
a Shorewall problem. If you DO see packet messages, it may be an
|
problem is probably NOT a Shorewall problem. If you DO see packet
|
||||||
indication that you are missing one or more rules -- see <ulink
|
messages, it may be an indication that you are missing one or more rules
|
||||||
url="FAQ.htm#faq17">FAQ 17</ulink>.</para>
|
-- see <ulink url="FAQ.htm#faq17">FAQ 17</ulink>.</para>
|
||||||
|
|
||||||
<para>While you are troubleshooting, it is a good idea to clear two
|
<para>While you are troubleshooting, it is a good idea to clear two
|
||||||
variables in <filename><filename>/etc/shorewall/shorewall.conf</filename></filename>:</para>
|
variables in
|
||||||
|
<filename><filename>/etc/shorewall/shorewall.conf</filename></filename>:</para>
|
||||||
|
|
||||||
<para><programlisting>LOGRATE=
|
<para><programlisting>LOGRATE=
|
||||||
LOGBURST=""</programlisting>This way, you will see all of the log
|
LOGBURST=""</programlisting>This way, you will see all of the log messages
|
||||||
messages being generated (be sure to restart shorewall after clearing
|
being generated (be sure to restart shorewall after clearing these
|
||||||
these variables).</para>
|
variables).</para>
|
||||||
|
|
||||||
<example>
|
<example>
|
||||||
<title>Log Message</title>
|
<title>Log Message</title>
|
||||||
@ -244,13 +263,14 @@ LOGBURST=""</programlisting>This way, you will see all of the log
|
|||||||
PREC=0x00 TTL=63 ID=5805 DF
|
PREC=0x00 TTL=63 ID=5805 DF
|
||||||
PROTO=UDP SPT=1803 DPT=53 LEN=47</programlisting>
|
PROTO=UDP SPT=1803 DPT=53 LEN=47</programlisting>
|
||||||
|
|
||||||
<para>Let's look at the important parts of this message:</para>
|
<para>Let's look at the important parts of this message:</para>
|
||||||
|
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>all2all:REJECT - This packet was REJECTed out of the all2all
|
<para>all2all:REJECT - This packet was REJECTed out of the all2all
|
||||||
chain -- the packet was rejected under the <quote>all</quote>-><quote>all</quote>
|
chain -- the packet was rejected under the
|
||||||
REJECT policy (see <ulink url="FAQ.htm#faq17">FAQ 17</ulink>).</para>
|
<quote>all</quote>-><quote>all</quote> REJECT policy (see <ulink
|
||||||
|
url="FAQ.htm#faq17">FAQ 17</ulink>).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
@ -258,7 +278,8 @@ LOGBURST=""</programlisting>This way, you will see all of the log
|
|||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>OUT=eth1 - if accepted, the packet would be sent on eth1</para>
|
<para>OUT=eth1 - if accepted, the packet would be sent on
|
||||||
|
eth1</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
@ -266,7 +287,8 @@ LOGBURST=""</programlisting>This way, you will see all of the log
|
|||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>DST=192.168.1.3 - the packet is destined for 192.168.1.3</para>
|
<para>DST=192.168.1.3 - the packet is destined for
|
||||||
|
192.168.1.3</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
@ -279,7 +301,8 @@ LOGBURST=""</programlisting>This way, you will see all of the log
|
|||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
|
|
||||||
<para>In this case, 192.168.2.2 was in the <quote>dmz</quote> zone and
|
<para>In this case, 192.168.2.2 was in the <quote>dmz</quote> zone and
|
||||||
192.168.1.3 is in the <quote>loc</quote> zone. I was missing the rule:</para>
|
192.168.1.3 is in the <quote>loc</quote> zone. I was missing the
|
||||||
|
rule:</para>
|
||||||
|
|
||||||
<programlisting>#ACTION SOURCE DEST PROTO DEST
|
<programlisting>#ACTION SOURCE DEST PROTO DEST
|
||||||
# PORT(S)
|
# PORT(S)
|
||||||
@ -290,26 +313,27 @@ ACCEPT dmz loc udp 53</programlisting>
|
|||||||
<section>
|
<section>
|
||||||
<title>Ping Problems</title>
|
<title>Ping Problems</title>
|
||||||
|
|
||||||
<para>Either can't ping when you think you should be able to or are
|
<para>Either can't ping when you think you should be able to or are able
|
||||||
able to ping when you think that you shouldn't be allowed?
|
to ping when you think that you shouldn't be allowed? Shorewall's
|
||||||
Shorewall's <quote>Ping</quote> Management is <ulink url="ping.html">described
|
<quote>Ping</quote> Management is <ulink url="ping.html">described
|
||||||
here</ulink>. Here are a couple of tips:</para>
|
here</ulink>. Here are a couple of tips:</para>
|
||||||
|
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Remember that Shorewall doesn't automatically allow ICMP
|
<para>Remember that Shorewall doesn't automatically allow ICMP type 8
|
||||||
type 8 (<quote>ping</quote>) requests to be sent between zones. If you
|
(<quote>ping</quote>) requests to be sent between zones. If you want
|
||||||
want pings to be allowed between zones, you need a rule of the form:</para>
|
pings to be allowed between zones, you need a rule of the form:</para>
|
||||||
|
|
||||||
<programlisting>#ACTION SOURCE DEST PROTO DEST
|
<programlisting>#ACTION SOURCE DEST PROTO DEST
|
||||||
# PORT(S)
|
# PORT(S)
|
||||||
ACCEPT   <emphasis><source zone></emphasis>   <emphasis><destination zone></emphasis>    icmp    echo-request</programlisting>
|
ACCEPT <emphasis><source zone></emphasis> <emphasis><destination zone></emphasis> icmp echo-request</programlisting>
|
||||||
|
|
||||||
<para>The ramifications of this can be subtle. For example, if you
|
<para>The ramifications of this can be subtle. For example, if you
|
||||||
have the following in <filename><ulink url="NAT.htm">/etc/shorewall/nat</ulink></filename>:</para>
|
have the following in <filename><ulink
|
||||||
|
url="NAT.htm">/etc/shorewall/nat</ulink></filename>:</para>
|
||||||
|
|
||||||
<programlisting>#EXTERNAL INTERFACE INTERNAL
|
<programlisting>#EXTERNAL INTERFACE INTERNAL
|
||||||
10.1.1.2    eth0    130.252.100.18</programlisting>
|
10.1.1.2 eth0 130.252.100.18</programlisting>
|
||||||
|
|
||||||
<para>and you ping 130.252.100.18, unless you have allowed icmp type 8
|
<para>and you ping 130.252.100.18, unless you have allowed icmp type 8
|
||||||
between the zone containing the system you are pinging from and the
|
between the zone containing the system you are pinging from and the
|
||||||
@ -339,17 +363,19 @@ DROP net fw icmp echo-request</programlist
|
|||||||
<orderedlist>
|
<orderedlist>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>your zone definitions are screwed up and the host that is
|
<para>your zone definitions are screwed up and the host that is
|
||||||
sending the packets or the destination host isn't in any zone
|
sending the packets or the destination host isn't in any zone
|
||||||
(using an <ulink url="Documentation.htm#Hosts"><filename>/etc/shorewall/hosts</filename></ulink>
|
(using an <ulink
|
||||||
|
url="Documentation.htm#Hosts"><filename>/etc/shorewall/hosts</filename></ulink>
|
||||||
file are you?); or</para>
|
file are you?); or</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>the source and destination hosts are both connected to the
|
<para>the source and destination hosts are both connected to the
|
||||||
same interface and you don't have a policy or rule for the
|
same interface and you don't have a policy or rule for the source
|
||||||
source zone to or from the destination zone or you haven't set
|
zone to or from the destination zone or you haven't set the
|
||||||
the <emphasis role="bold">routeback</emphasis> option for the
|
<emphasis role="bold">routeback</emphasis> option for the
|
||||||
interface in <ulink url="Documentation.htm#Interfaces"><filename>/etc/shorewall/interfaces</filename></ulink>.</para>
|
interface in <ulink
|
||||||
|
url="Documentation.htm#Interfaces"><filename>/etc/shorewall/interfaces</filename></ulink>.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</orderedlist>
|
</orderedlist>
|
||||||
</listitem>
|
</listitem>
|
||||||
@ -364,11 +390,11 @@ DROP net fw icmp echo-request</programlist
|
|||||||
need to be configured with their default gateway set to the IP address
|
need to be configured with their default gateway set to the IP address
|
||||||
of their nearest firewall interface. One often overlooked aspect of
|
of their nearest firewall interface. One often overlooked aspect of
|
||||||
routing is that in order for two hosts to communicate, the routing
|
routing is that in order for two hosts to communicate, the routing
|
||||||
between them must be set up <emphasis role="bold">in both directions</emphasis>.
|
between them must be set up <emphasis role="bold">in both
|
||||||
So when setting up routing between <emphasis role="bold">A</emphasis>
|
directions</emphasis>. So when setting up routing between <emphasis
|
||||||
and <emphasis role="bold">B</emphasis>, be sure to verify that the
|
role="bold">A</emphasis> and <emphasis role="bold">B</emphasis>, be
|
||||||
route from <emphasis role="bold">B</emphasis> back to <emphasis
|
sure to verify that the route from <emphasis role="bold">B</emphasis>
|
||||||
role="bold">A</emphasis> is defined.</para>
|
back to <emphasis role="bold">A</emphasis> is defined.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
@ -380,15 +406,17 @@ DROP net fw icmp echo-request</programlist
|
|||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Do you have your kernel properly configured? <ulink
|
<para>Do you have your kernel properly configured? <ulink
|
||||||
url="kernel.htm">Click here to see my kernel configuration</ulink>.</para>
|
url="kernel.htm">Click here to see my kernel
|
||||||
|
configuration</ulink>.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Shorewall requires the <quote>ip</quote> program. That program
|
<para>Shorewall requires the <quote>ip</quote> program. That program
|
||||||
is generally included in the <quote>iproute</quote> package which
|
is generally included in the <quote>iproute</quote> package which
|
||||||
should be included with your distribution (though many distributions
|
should be included with your distribution (though many distributions
|
||||||
don't install iproute by default). You may also download the
|
don't install iproute by default). You may also download the latest
|
||||||
latest source tarball from <ulink url="ftp://ftp.inr.ac.ru/ip-routing">ftp://ftp.inr.ac.ru/ip-routing</ulink>
|
source tarball from <ulink
|
||||||
|
url="ftp://ftp.inr.ac.ru/ip-routing">ftp://ftp.inr.ac.ru/ip-routing</ulink>
|
||||||
.</para>
|
.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
@ -404,17 +432,77 @@ DROP net fw icmp echo-request</programlist
|
|||||||
<section>
|
<section>
|
||||||
<title>Still Having Problems?</title>
|
<title>Still Having Problems?</title>
|
||||||
|
|
||||||
<para>See the <ulink url="support.htm">Shorewall Support Page</ulink>.</para>
|
<para>See the <ulink url="support.htm">Shorewall Support
|
||||||
|
Page</ulink>.</para>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
<appendix>
|
<appendix>
|
||||||
<title>Revision History</title>
|
<title>Revision History</title>
|
||||||
|
|
||||||
<para><revhistory><revision><revnumber>1.8</revnumber><date>2004-04-03</date><authorinitials>TE</authorinitials><revremark>Point
|
<para><revhistory>
|
||||||
out that firewall addresses are in the $FW zone.</revremark></revision><revision><revnumber>1.7</revnumber><date>2004-02-02</date><authorinitials>TE</authorinitials><revremark>Add
|
<revision>
|
||||||
hint about testing from inside the firewall.</revremark></revision><revision><revnumber>1.6</revnumber><date>2004-01-06</date><authorinitials>TE</authorinitials><revremark>Add
|
<revnumber>1.9</revnumber>
|
||||||
pointer to Site and Mailing List Archives Searches.</revremark></revision><revision><revnumber>1.5</revnumber><date>2004-01-01</date><authorinitials>TE</authorinitials><revremark>Added
|
|
||||||
information about eliminating ping-generated log messages.</revremark></revision><revision><revnumber>1.4</revnumber><date>2003-12-22</date><authorinitials>TE</authorinitials><revremark>Initial
|
<date>2004-08-25</date>
|
||||||
Docbook Conversion</revremark></revision></revhistory></para>
|
|
||||||
|
<authorinitials>TE</authorinitials>
|
||||||
|
|
||||||
|
<revremark>Advice for the networking-challenged.</revremark>
|
||||||
|
</revision>
|
||||||
|
|
||||||
|
<revision>
|
||||||
|
<revnumber>1.8</revnumber>
|
||||||
|
|
||||||
|
<date>2004-04-03</date>
|
||||||
|
|
||||||
|
<authorinitials>TE</authorinitials>
|
||||||
|
|
||||||
|
<revremark>Point out that firewall addresses are in the $FW
|
||||||
|
zone.</revremark>
|
||||||
|
</revision>
|
||||||
|
|
||||||
|
<revision>
|
||||||
|
<revnumber>1.7</revnumber>
|
||||||
|
|
||||||
|
<date>2004-02-02</date>
|
||||||
|
|
||||||
|
<authorinitials>TE</authorinitials>
|
||||||
|
|
||||||
|
<revremark>Add hint about testing from inside the
|
||||||
|
firewall.</revremark>
|
||||||
|
</revision>
|
||||||
|
|
||||||
|
<revision>
|
||||||
|
<revnumber>1.6</revnumber>
|
||||||
|
|
||||||
|
<date>2004-01-06</date>
|
||||||
|
|
||||||
|
<authorinitials>TE</authorinitials>
|
||||||
|
|
||||||
|
<revremark>Add pointer to Site and Mailing List Archives
|
||||||
|
Searches.</revremark>
|
||||||
|
</revision>
|
||||||
|
|
||||||
|
<revision>
|
||||||
|
<revnumber>1.5</revnumber>
|
||||||
|
|
||||||
|
<date>2004-01-01</date>
|
||||||
|
|
||||||
|
<authorinitials>TE</authorinitials>
|
||||||
|
|
||||||
|
<revremark>Added information about eliminating ping-generated log
|
||||||
|
messages.</revremark>
|
||||||
|
</revision>
|
||||||
|
|
||||||
|
<revision>
|
||||||
|
<revnumber>1.4</revnumber>
|
||||||
|
|
||||||
|
<date>2003-12-22</date>
|
||||||
|
|
||||||
|
<authorinitials>TE</authorinitials>
|
||||||
|
|
||||||
|
<revremark>Initial Docbook Conversion</revremark>
|
||||||
|
</revision>
|
||||||
|
</revhistory></para>
|
||||||
</appendix>
|
</appendix>
|
||||||
</article>
|
</article>
|
||||||
Loading…
Reference in New Issue
Block a user