mirror of https://gitlab.com/shorewall/code.git (synced 2024-11-26 09:33:14 +01:00)

Modify 'my configuration' to match reality

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1597 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

parent 525541e549
commit 5388f7a631
@ -15,7 +15,7 @@
</author>
</authorgroup>

<pubdate>2004-08-05</pubdate>
<pubdate>2004-09-04</pubdate>

<copyright>
<year>2001-2004</year>
@ -48,7 +48,7 @@

<caution>
<para>The configuration shown here corresponds to Shorewall version
2.1.1. My configuration uses features not available in earlier Shorewall
2.1.7. My configuration uses features not available in earlier Shorewall
releases.</para>
</caution>

@ -64,9 +64,9 @@

<itemizedlist>
<listitem>
<para>I use one-to-one NAT for Ursa (my personal system that
dual-boots Mandrake 10.0 (Official) and Windows XP) - Internal address
192.168.1.5 and external address 206.124.146.178.</para>
<para>I use one-to-one NAT for Ursa (my personal system that run SuSE
9.1) - Internal address 192.168.1.5 and external address
206.124.146.178.</para>
</listitem>

<listitem>
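Review bot: typo in the rewritten list item: "my personal system that run SuSE 9.1" should read "that runs SuSE 9.1".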
@ -76,11 +76,10 @@
</listitem>

<listitem>
<para>I use SNAT through 206.124.146.179 for my SuSE 9.0 Linux
system <quote>Wookie</quote>, my Wife's Windows XP system
<quote>Tarry</quote>, and our dual-booting (Windows XP/SuSE 9.1)
laptop <quote>Tipper</quote> which connects through the Wireless
Access Point (wap) via a Wireless Bridge (wet).<note>
<para>I use SNAT through 206.124.146.179 for my Wife's Windows XP
system <quote>Tarry</quote>, and our dual-booting (Windows
XP/SuSE 9.1) laptop <quote>Tipper</quote> which connects through the
Wireless Access Point (wap) via a Wireless Bridge (wet).<note>
<para>While the distance between the WAP and where I usually use
the laptop isn't very far (25 feet or so), using a WAC11 (CardBus
wireless card) has proved very unsatisfactory (lots of lost
@ -96,17 +95,21 @@

<itemizedlist>
<listitem>
<para>I have Wookie (193.168.1.3) configured as a 3-port bridge. Squid
runs on this system and is configured as a transparent proxy.</para>
<para>I have Ursa (193.168.1.5/206.124.146.178) configured as a 2-port
bridge.</para>
</listitem>

<listitem>
<para>Squid runs on the firewall and is configured as a transparent
proxy.</para>
</listitem>
</itemizedlist>

<para>The firewall runs on a 256MB PII/233 with Debian Sarge
(Testing).</para>
<para>The firewall runs on a 384MB K-6/II with SuSE 9.1.</para>

<para>Wookie and Ursa run Samba and Wookie acts as a WINS server.</para>
<para>Ursa runs Samba for file sharing with the Windows systems..</para>

<para>The wireless network connects to Wookie's eth2 via a LinkSys
<para>The wireless network connects to Ursa's eth0 via a LinkSys
WAP11. In additional to using the rather weak WEP 40-bit encryption
(64-bit with the 24-bit preamble), I use <ulink
url="MAC_Validation.html">MAC verification</ulink>. This is still a weak
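Review bot: the address in the new Ursa bridge item, `193.168.1.5`, carries over the old `193.168.1.3` typo; the one-to-one NAT item earlier in this file gives Ursa's internal address as 192.168.1.5, so this should read `192.168.1.5/206.124.146.178`. Two smaller fixes in the same region: "with the Windows systems.." has a doubled period, and the unchanged context line "In additional to using" should read "In addition to using".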
@ -142,8 +145,9 @@
/etc/network/interfaces file (see below) adds a host route to
206.124.146.177 through eth1 when that interface is brought up.</para>

<para>Tarry (192.168.1.4) runs a PPTP server for Road Warrior
access.</para>
<para>Tarry (192.168.1.4) runs a PPTP server for Road Warrior access from
my work laptop and the Firewall is configured with IPSEC for tunnel mode
road warrior access from Tipper.</para>

<para><graphic align="center" fileref="images/network.png" /></para>
</section>
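Review bot: the context sentence still says the `/etc/network/interfaces` file adds a host route to 206.124.146.177 through eth1, but this commit moves the firewall to SuSE 9.1 (which configures interfaces through `/etc/sysconfig/network`, not that Debian file) and the new params block makes eth1 the external interface with the DMZ on `DMZ_IF=eth2`. Either update this paragraph and the interfaces listing later in the file (its hunk context still shows `iface eth1 inet static`) to match the new system, or say explicitly that the listing is retained from the old Debian install.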
@ -156,6 +160,7 @@

<blockquote>
<programlisting>LOGFILE=/var/log/messages
LOGFORMAT="Shorewall:%s:%s "
LOGRATE=
LOGBURST=
LOGUNCLEAN=$LOG
@ -165,17 +170,19 @@ MACLIST_LOG_LEVEL=$LOG
TCP_FLAGS_LOG_LEVEL=$LOG
RFC1918_LOG_LEVEL=$LOG
SMURF_LOG_LEVEL=
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
PATH=/usr/local/sbin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin
SHOREWALL_SHELL=/bin/ash
SUBSYSLOCK= #I run Debian which doesn't use service locks
SUBSYSLOCK=
STATEDIR=/var/state/shorewall
MODULESDIR=
CONFIG_PATH=/etc/shorewall:/etc/shorewall/actiondir:/usr/share/shorewall
RESTOREFILE=standard
FW=fw
IP_FORWARDING=On
ADD_IP_ALIASES=Yes
ADD_SNAT_ALIASES=Yes
TC_ENABLED=Yes
CLEAR_TC=No
CLEAR_TC=Yes
MARK_IN_FORWARD_CHAIN=No
CLAMPMSS=Yes
ROUTE_FILTER=No
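Review bot: `SUBSYSLOCK=` is left empty now that its justification ("I run Debian which doesn't use service locks") is gone, yet the same commit describes the firewall as a SuSE 9.1 system, whose init scripts do use `/var/lock/subsys`; consider `SUBSYSLOCK=/var/lock/subsys/shorewall` so the rc system knows the service is running and stops it at shutdown. Two further things to confirm on the new system: that `SHOREWALL_SHELL=/bin/ash` actually exists there, and that `/usr/local/sbin`, now first in `PATH`, is root-owned, since every external binary the firewall script calls is resolved through it.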
@ -183,6 +190,9 @@ DETECT_DNAT_IPADDRS=Yes
MUTEX_TIMEOUT=60
NEWNOTSYN=Yes
BLACKLISTNEWONLY=Yes
DYNAMIC_ZONES=No
DISABLE_IPV6=Yes
PKTTYPE=No
BLACKLIST_DISPOSITION=DROP
MACLIST_DISPOSITION=REJECT
TCP_FLAGS_DISPOSITION=DROP
@ -197,7 +207,12 @@ TCP_FLAGS_DISPOSITION=DROP
<para><programlisting>MIRRORS=<list of shorewall mirror ip addresses>
NTPSERVERS=<list of the NTP servers I sync with>
TEXAS=<ip address of gateway in Plano>
LOG=info</programlisting></para>
OMAK=<ip address of tipper while we are at our second home>
LOG=info
EXT_IF=eth1
INT_IF=eth0
DMZ_IF=eth2
</programlisting></para>
</blockquote>
</section>

@ -209,8 +224,10 @@ LOG=info</programlisting></para>
net Internet Internet
dmz DMZ Demilitarized zone
loc Local Local networks
tx Texas Peer Network in Plano
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
omak Omak Our Laptop at our second home
tx Texas Peer Network in Dallas
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
</programlisting>
</blockquote>
</section>

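Review bot: the `tx` zone comment changes from "Peer Network in Plano" to "Peer Network in Dallas", but the params listing just above still describes `TEXAS` as "ip address of gateway in Plano"; make the two agree. Also note for readers that the new `omak` zone overlaps `net` (both sit on `$EXT_IF`, with omak selected by `$OMAK` in the hosts file) and is told apart only by being declared an IPsec zone in the new ipsec file; a sentence saying so would save the next person from wondering why zone order does not matter here.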
@ -221,12 +238,12 @@ tx Texas Peer Network in Plano
<para>This is set up so that I can start the firewall before bringing
up my Ethernet interfaces.</para>

<programlisting>#ZONE INERFACE BROADCAST OPTIONS
net eth0 206.124.146.255 dhcp,norfc1918,routefilter,blacklist,tcpflags,nosmurfs
loc eth2 192.168.1.255 dhcp
dmz eth1 -
- texas 192.168.9.255
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
net $EXT_IF 206.124.146.255 dhcp,norfc1918,routefilter,blacklist,tcpflags,nosmurfs
loc $INT_IF detect dhcp
dmz $DMZ_IF -
- texas -
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
</blockquote>
</section>

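Review bot: the `loc` line now uses `detect` for its broadcast address while the paragraph above still says the firewall is started before the Ethernet interfaces are brought up; `detect` reads the broadcast address off the interface at start time, so either confirm it behaves as intended on an interface that is not yet up, or keep the explicit `192.168.1.255` that the old line had. Dropping the broadcast address for `texas` is consistent with the `gre` tunnel declared for it in the tunnels file.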
@ -235,18 +252,32 @@ dmz eth1 -

<blockquote>
<programlisting>#ZONE HOST(S) OPTIONS
tx texas:192.168.8.0/22
tx texas:192.168.8.0/22
omak $EXT_IF:$OMAK
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
</blockquote>
</section>

<section>
<title>Ipsec File</title>

<blockquote>
<programlisting>#ZONE IPSEC OPTIONS IN OUT
# ONLY OPTIONS OPTIONS
omak yes mode=tunnel
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
</programlisting>
</blockquote>
</section>

<section>
<title>Routestopped File</title>

<blockquote>
<programlisting>#INTERFACE HOST(S)
eth1 206.124.146.177
eth2 -
$DMZ_IF 206.124.146.177
$INT_IF -
$EXT_IF $OMAK
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
</blockquote>
</section>
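Review bot: the new routestopped entry `$EXT_IF $OMAK` admits any packet whose source address is `$OMAK` while Shorewall is stopped, but the ipsec file added in this same hunk only makes `omak` an IPsec-protected zone while the firewall is running; in the stopped state the match is on a plaintext source address that anyone on the Internet can forge. Consider whether road-warrior access really needs to survive `shorewall stop`, and if it does, state that trade-off in the text next to the listing.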
@ -289,15 +320,26 @@ eth2 -

<blockquote>
<programlisting>#SOURCE DESTINATION POLICY LOG LEVEL BURST:LIMIT
fw fw ACCEPT # For testing fw->fw rules
loc net ACCEPT # Allow all net traffic from local net
$FW loc ACCEPT # Allow local access from the firewall
$FW tx ACCEPT # Allow firewall access to texas
loc tx ACCEPT # Allow local net access to texas
loc fw REJECT $LOG # Reject loc->fw and log
net all DROP $LOG 10/sec:40 # Rate limit and
# DROP net->all
all all REJECT $LOG # Reject and log the rest
fw fw ACCEPT
loc net ACCEPT
fw sec ACCEPT
omak fw ACCEPT
fw omak ACCEPT
omak loc ACCEPT
loc omak ACCEPT
omak net NONE
net omak NONE
omak dmz NONE
dmz omak NONE
omak tx NONE
tx omak NONE
$FW loc ACCEPT #Firewall to Local
$FW tx ACCEPT
loc tx ACCEPT
loc fw REJECT $LOG
dmz tx ACCEPT
net all DROP $LOG 10/sec:40
all all REJECT $LOG
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
</blockquote>
</section>
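Review bot: `fw sec ACCEPT` names a zone `sec` that is not declared in the zones file shown earlier in this commit (net, dmz, loc, omak, tx); Shorewall rejects a policy that refers to an undefined zone, so this line looks like a leftover and should be removed or the zone defined. Minor: the rewritten file mixes `fw` and `$FW` for the firewall zone (equivalent here only because `FW=fw`), and the per-line explanations of the old listing were dropped, which made the policy far easier to read on this page.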
@ -318,8 +360,8 @@ all all REJECT $LOG # Reje
from ADD_SNAT_ALIASES=Yes in my shorewall.conf file above.</para>

<programlisting>#INTERFACE SUBNET ADDRESS
+eth0::192.168.1.1 0.0.0.0/0 192.168.1.254
eth0:2 eth2 206.124.146.179
+$EXT_IF::192.168.1.1 0.0.0.0/0 192.168.1.254
$EXT_IF:2 eth2 206.124.146.179
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
</programlisting>
</blockquote>
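Review bot: the SUBNET column of the second masq line is still the literal `eth2` (`$EXT_IF:2 eth2 206.124.146.179`). In the old layout eth2 was the local interface, but the new params define `DMZ_IF=eth2` and `INT_IF=eth0`, so as written this line SNATs the DMZ's traffic rather than the local hosts (Tarry and Tipper) that the description says go out through 206.124.146.179; it should probably read `$EXT_IF:2 $INT_IF 206.124.146.179`, matching the variable substitution done on the first line.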
@ -354,6 +396,7 @@ eth0:2 eth2 206.124.146.179
<blockquote>
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE PORT
gre net $TEXAS
ipsec:noah net $OMAK omak
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
</blockquote>
</section>
@ -449,10 +492,10 @@ REJECT loc net tcp 137,445
REJECT loc net udp 137:139
#
DROP loc:!192.168.1.0/24 net

#QUEUE loc net udp
#QUEUE loc fw udp
#QUEUE loc net tcp
#
# SQUID
#
REDIRECT loc 3128 tcp 80
###############################################################################################################################################################################
# Local Network to Firewall
#
@ -471,15 +514,24 @@ ACCEPT loc dmz tcp www,smtp,smtps,domain,ssh,imap,https,imaps,cvspserver,f
dropNotSyn net fw tcp
dropNotSyn net loc tcp
dropNotSyn net dmz tcp

#
# Drop ping to firewall and local
#

DropPing net fw
DropPing net loc
###############################################################################################################################################################################
# Internet to DMZ
#
DNAT- net dmz:206.124.146.177 tcp smtp - 206.124.146.179,206.124.146.178
DNAT- net dmz:206.124.146.177 tcp smtp - 206.124.146.179,206.124.146.1
78
ACCEPT net dmz tcp smtp,smtps,www,ftp,imaps,domain,https,cvspserver -
ACCEPT net dmz udp domain
ACCEPT net dmz udp 33434:33436
Mirrors net dmz tcp rsync
#ACCEPT:$LOG net dmz tcp 32768:61000 20
ACCEPT net:$OMAK dmz tcp 22 #SSH from Omak
AllowPing net dmz
###############################################################################################################################################################################
#
# Net to Local
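Review bot: `ACCEPT net:$OMAK dmz tcp 22` grants SSH into the DMZ on the strength of a plaintext source address, even though this commit defines an IPsec `omak` zone for that same host; if the intent is to admit only tunnel-protected traffic, the rule belongs on the `omak` zone (which in turn means the `omak dmz NONE` policy added in this commit would have to become a real policy). Presentation: the rewritten `DNAT-` line appears wrapped, with the `78` of `206.124.146.178` on a line of its own; check the source for a stray line break inside the `<programlisting>`, since Shorewall would read that as two entries.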
@ -487,12 +539,13 @@ Mirrors net dmz tcp rsync
# When I'm "on the road", the following two rules allow me VPN access back home.
#
DNAT net loc:192.168.1.4 tcp 1723 -
DNAT net:!4.3.113.178 loc:192.168.1.4 gre -
DNAT net:!$TEXAS loc:192.168.1.4 gre -
ACCEPT net loc:192.168.1.5 tcp 22
#
# ICQ
#
ACCEPT net loc:192.168.1.5 tcp 4000:4100
DNAT net loc:192.168.1.8 tcp 4000:4100 - 206.124.146.179
#
# Real Audio
#
@ -513,8 +566,6 @@ ACCEPT dmz net tcp smtp,domain,www,81,https,whois,echo,2702,21,2703,ssh,80
ACCEPT dmz net udp domain
REJECT:$LOG dmz net udp 1025:1031
ACCEPT dmz net:$POPSERVERS tcp pop3
#ACCEPT dmz net:206.191.151.2 tcp pop3
#ACCEPT dmz net:66.216.26.115 tcp pop3
#
# Something is wrong with the FTP connection tracking code or there is some client out there
# that is sending a PORT command which that code doesn't understand. Either way,
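Review bot: `ACCEPT dmz net:$POPSERVERS tcp pop3` uses `$POPSERVERS`, which is not among the variables in the params listing shown earlier in this commit (MIRRORS, NTPSERVERS, TEXAS, OMAK, LOG, EXT_IF, INT_IF, DMZ_IF). With the two commented literal-address rules now deleted, the page no longer tells the reader where the POP server list comes from; add a `POPSERVERS=<...>` placeholder line to the params listing.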
@ -532,13 +583,15 @@ REJECT dmz fw tcp auth
# DMZ to Local Network
#
ACCEPT dmz loc tcp smtp,6001:6010
ACCEPT dmz:206.124.146.177 loc:192.168.1.3 tcp 111
ACCEPT dmz:206.124.146.177 loc:192.168.1.3 udp
ACCEPT dmz:206.124.146.177 loc:192.168.1.5 tcp 111
ACCEPT dmz:206.124.146.177 loc:192.168.1.5 udp
###############################################################################################################################################################################
# Internet to Firewall
#
REJECT net fw tcp www,ftp,https
ACCEPT net dmz udp 33434:33435
ACCEPT net:$OMAK fw udp ntp
ACCEPT net:$OMAK fw tcp 22 #SSH from Omak
###############################################################################################################################################################################
# Firewall to Internet
#
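Review bot: the rewritten rule `ACCEPT dmz:206.124.146.177 loc:192.168.1.5 udp` carries no port, so it admits every UDP port from the DMZ host into Ursa; the companion `tcp 111` suggests portmapper/NFS, in which case listing the specific UDP ports in use keeps the DMZ-to-local exposure bounded (a DMZ host is exactly the one you plan on losing). Also, the context line `ACCEPT net dmz udp 33434:33435` sits under the "Internet to Firewall" heading but targets `dmz`, duplicating with a narrower range the `udp 33434:33436` rule in the Internet-to-DMZ section above; one of the two should go.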
@ -557,10 +610,6 @@ ACCEPT fw dmz tcp www,ftp,ssh,smtp
ACCEPT fw dmz udp domain
REJECT fw dmz udp 137:139
###############################################################################################################################################################################
# Ping
#
ACCEPT all all icmp 8
###############################################################################################################################################################################
ACCEPT tx loc:192.168.1.5 all
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
</programlisting>
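Review bot: removing `ACCEPT all all icmp 8` changes ping behaviour for every zone pair, not only for net: echo requests between loc, dmz and tx now fall through to policy, and under `all all REJECT $LOG` they are rejected unless another rule admits them (only `AllowPing net dmz` and the two `DropPing` rules were added). If that is intended, a sentence saying so would spare readers who copy this configuration the "Ping Problems" debugging that the troubleshooting page in this same commit describes.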
@ -600,10 +649,10 @@ iface eth1 inet static
</section>

<section>
<title>Bridge (Wookie) Configuration</title>
<title>Bridge (Ursa) Configuration</title>

<para>As mentioned above, Wookie acts as a bridge. It's view of the
network is diagrammed in the following figure.</para>
<para>As mentioned above, Ursa acts as a bridge. It's view of the network
is diagrammed in the following figure.</para>

<graphic fileref="images/network1.png" />

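Review bot: the rewritten sentence keeps the grammatical slip "It's view of the network"; the possessive is "Its view". The hunk context also shows `iface eth1 inet static`, so the Debian `/etc/network/interfaces` listing is still present in this file even though the firewall is now described as a SuSE 9.1 system.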
@ -629,9 +678,9 @@ iface eth1 inet static

<blockquote>
<programlisting>#ZONE DISPLAY COMMENTS
net Net Internet
loc Local Local networks
WiFi WireLess Wireless Network
net Internet The Big Bad Internet
WiFi Wireless Wireless Network
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
</programlisting>
</blockquote>
@ -642,15 +691,15 @@ WiFi WireLess Wireless Network

<blockquote>
<programlisting>#SOURCE DEST POLICY LOG LIMIT:BURST
fw fw ACCEPT
loc net ACCEPT
net loc ACCEPT
net fw ACCEPT
loc fw ACCEPT
loc WiFi ACCEPT
fw WiFi ACCEPT
fw net ACCEPT
loc net NONE
loc WiFi NONE
net fw ACCEPT
net WiFi ACCEPT
net loc NONE
WiFi net ACCEPT
fw loc ACCEPT
fw net ACCEPT
#
# THE FOLLOWING POLICY MUST BE LAST
#
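Review bot: `loc WiFi NONE` (and likewise `loc net NONE` and `net loc NONE`) tells Shorewall to build no chain at all for that zone pair, so any `ACCEPT loc WiFi ...` rules that remain in the bridge's rules file have nowhere to go; either drop those rules or keep an explicit REJECT/DROP policy for loc to WiFi. `net fw ACCEPT` and `net WiFi ACCEPT` are only safe because the bridge's `net` port is the cross-over link to the firewall, an assumption stated in the old rules-section prose; if that prose goes, the assumption should be restated here.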
@ -664,7 +713,7 @@ all all REJECT info

<blockquote>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
- br0 192.168.1.255
- br0 192.168.1.255 dhcp
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
</blockquote>
</section>
@ -674,9 +723,9 @@ all all REJECT info

<blockquote>
<programlisting>#ZONE HOST(S) OPTIONS
loc br0:eth1:192.168.1.0/24
net br0:eth1
loc br0:eth0
WiFi br0:eth2 maclist
WiFi br0:eth0 maclist
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE</programlisting>
</blockquote>
</section>
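Review bot: `loc br0:eth0` and `WiFi br0:eth0 maclist` now define two zones on the same bridge port with no address qualifier, so they overlap completely and whichever zone is listed first in the zones file claims all of eth0's traffic, leaving the WiFi `maclist` check unreachable if `loc` wins. The description says the wireless side hangs off Ursa's eth0 and every maclist entry below is `br0:eth0`, so the wired LAN presumably stays behind eth1 and `loc` should keep the old `br0:eth1:192.168.1.0/24` form (or otherwise be qualified so that it cannot swallow the wireless port).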
@ -685,33 +734,18 @@ WiFi br0:eth2 maclist
<title>rules</title>

<blockquote>
<para>The first rule allows a transparent WWW proxy (Squid) to run on
my bridge/firewall. Squid listens on port 3128.</para>

<para>The remaining rules protect the local systems and bridge from
the WiFi network. Note that we don't restrict WiFi→net traffic since
the only directly-accessible system in the net zone is the firewall
(Wookie and the Firewall are connected by a cross-over cable).</para>

<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# PORT PORT(S) DEST
REDIRECT loc 3128 tcp www - !192.168.1.0/24

ACCEPT WiFi loc udp 137:139
ACCEPT WiFi loc tcp 22,80,137,139,445,901,3389
ACCEPT WiFi loc tcp 22,80,137,139,445,631,901,3389
ACCEPT WiFi loc udp 1024: 137
ACCEPT WiFi loc udp 177

ACCEPT loc WiFi udp 137:139
ACCEPT loc WiFi tcp 137,139,445
ACCEPT loc WiFi udp 1024: 137
ACCEPT loc WiFi tcp 6000:6010

ACCEPT WiFi fw tcp ssh,137,139,445
ACCEPT WiFi fw udp 137:139,445
ACCEPT WiFi fw udp 1024: 137
ACCEPT WiFi fw udp ntp
ACCEPT WiFi loc udp 177,123
ACCEPT WiFi loc:192.168.1.4 tcp 1723
ACCEPT WiFi loc:192.168.1.4 47
ACCEPT WiFi loc tcp 5900:5909

ACCEPT WiFi fw tcp ssh,80,111,137,139,445,9100:9104
ACCEPT WiFi fw udp
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
</blockquote>
</section>
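Review bot: the new `ACCEPT WiFi fw udp` rule has no port list, so it exposes every UDP service on the bridge to the wireless zone, superseding the enumerated `137:139,445`, `1024: 137` and `ntp` rules it replaces; given that the text itself calls WEP and MAC filtering weak, keep an explicit port list here. If the two paragraphs and the `REDIRECT loc 3128 tcp www` rule at the top of this section survive the rewrite, they also contradict the rest of the commit: Squid now runs on the firewall rather than on the bridge, and the bridge is Ursa, not Wookie.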
@ -731,10 +765,10 @@ br0 0.0.0.0/0 routeback

<blockquote>
<programlisting>#INTERFACE MAC IP ADDRESSES (Optional)
br0:eth2 00:A0:1C:DB:0C:A0 192.168.1.7 #Work Laptop
br0:eth2 00:04:59:0e:85:b9 #WAP11
br0:eth2 00:06:D5:45:33:3c #WET11
br0:eth2 00:0b:c1:53:cc:97 192.168.1.8 #TIPPER
br0:eth0 00:A0:1C:DB:0C:A0 192.168.1.7 #Work Laptop
br0:eth0 00:04:59:0e:85:b9 #WAP11
br0:eth0 00:06:D5:45:33:3c #WET11
br0:eth0 00:0b:c1:53:cc:97 192.168.1.8 #TIPPER
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
</blockquote>
</section>
@ -769,7 +803,6 @@ do_stop() {
brctl delbr br0
ip link set eth0 down
ip link set eth1 down
ip link set eth2 down
}

do_start() {
@ -777,11 +810,9 @@ do_start() {
echo "Starting Bridge"
ip link set eth0 up
ip link set eth1 up
ip link set eth2 up
brctl addbr br0
brctl addif br0 eth0
brctl addif br0 eth1
brctl addif br0 eth2
}

case "$1" in
@ -812,7 +843,7 @@ exit 0</programlisting>

<programlisting>BOOTPROTO='static'
BROADCAST='192.168.1.255'
IPADDR='192.168.1.3'
IPADDR='192.168.1.5'
NETWORK='192.168.1.0'
NETMASK='255.255.255.0'
REMOTE_IPADDR=''

@ -13,7 +13,7 @@
<surname>Eastep</surname>
</author>

<pubdate>2004-04-03</pubdate>
<pubdate>2004-08-25</pubdate>

<copyright>
<year>2001-2004</year>
@ -27,7 +27,8 @@
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<quote><ulink type="" url="Copyright.htm">GNU Free Documentation License</ulink></quote>.</para>
<quote><ulink type="" url="Copyright.htm">GNU Free Documentation
License</ulink></quote>.</para>
</legalnotice>
</articleinfo>

@ -48,12 +49,13 @@
<title>Check the Errata</title>

<para>Check the <ulink url="errata.htm">Shorewall Errata</ulink> to be
sure that there isn't an update that you are missing for your
version of the firewall.</para>
sure that there isn't an update that you are missing for your version of
the firewall.</para>
</section>

<section>
<title>Try Searching the Shorewall Site and Mailing List Archives</title>
<title>Try Searching the Shorewall Site and Mailing List
Archives</title>

<para>The <ulink url="http://lists.shorewall.net/htdig/search.html">Site
and Mailing List Archives search facility</ulink> can locate documents
@ -66,7 +68,7 @@
Errors</title>

<para>If you receive an error message when starting or restarting the
firewall and you can't determine the cause, then do the following:</para>
firewall and you can't determine the cause, then do the following:</para>

<itemizedlist>
<listitem>
@ -74,7 +76,7 @@
</listitem>

<listitem>
<para><command>shorewall debug start 2> /tmp/trace</command></para>
<para><command>shorewall debug start 2> /tmp/trace</command></para>
</listitem>

<listitem>
@ -86,8 +88,8 @@
</listitem>

<listitem>
<para>If you still can't determine what's wrong then see the
<ulink url="support.htm">support page</ulink>.</para>
<para>If you still can't determine what's wrong then see the <ulink
url="support.htm">support page</ulink>.</para>
</listitem>
</itemizedlist>

@ -103,11 +105,11 @@ Terminated</programlisting>
<para>A search through the trace for <quote>No chain/target/match by
that name</quote> turned up the following:</para>

<programlisting>+ echo 'Adding Common Rules'
<programlisting>+ echo 'Adding Common Rules'
+ add_common_rules
+ run_iptables -A reject -p tcp -j REJECT --reject-with tcp-reset
++ echo -A reject -p tcp -j REJECT --reject-with tcp-reset
++ sed 's/!/! /g'
++ sed 's/!/! /g'
+ iptables -A reject -p tcp -j REJECT --reject-with tcp-reset
iptables: No chain/target/match by that name
</programlisting>
@ -129,18 +131,18 @@ iptables: No chain/target/match by that name
external IP address does not mean that the request will be associated
with the external interface or the <quote>net</quote> zone. Any
traffic that you generate from the local network will be associated
with your local interface and will be treated as loc->fw traffic.</para>
with your local interface and will be treated as loc->fw
traffic.</para>
</listitem>

<listitem>
<para><emphasis role="bold">IP addresses are properties of systems,
not of interfaces</emphasis>. It is a mistake to believe that your
firewall is able to forward packets just because you can ping the IP
address of all of the firewall's interfaces from the local
network. The only conclusion you can draw from such pinging success is
that the link between the local system and the firewall works and that
you probably have the local system's default gateway set
correctly.</para>
address of all of the firewall's interfaces from the local network.
The only conclusion you can draw from such pinging success is that the
link between the local system and the firewall works and that you
probably have the local system's default gateway set correctly.</para>
</listitem>

<listitem>
@ -148,8 +150,9 @@ iptables: No chain/target/match by that name
interfaces are in the $FW (fw) zone</emphasis>. If 192.168.1.254 is
the IP address of your internal interface then you can write
<quote><emphasis role="bold">$FW:192.168.1.254</emphasis></quote> in a
rule but you may not write <quote><emphasis role="bold">loc:192.168.1.254</emphasis></quote>.
Similarly, it is nonsensical to add 192.168.1.254 to the <emphasis
rule but you may not write <quote><emphasis
role="bold">loc:192.168.1.254</emphasis></quote>. Similarly, it is
nonsensical to add 192.168.1.254 to the <emphasis
role="bold">loc</emphasis> zone using an entry in
<filename>/etc/shorewall/hosts</filename>.</para>
</listitem>
@ -178,7 +181,8 @@ iptables: No chain/target/match by that name
<title>Your Network Environment</title>

<para>Many times when people have problems with Shorewall, the problem is
actually an ill-conceived network setup. Here are several popular snafus:</para>
actually an ill-conceived network setup. Here are several popular
snafus:</para>

<itemizedlist>
<listitem>
@ -201,11 +205,25 @@ iptables: No chain/target/match by that name
role="bold">arp_filter</emphasis> option in <filename><ulink
url="Documentation.htm#Interfaces">/etc/shorewall/interfaces</ulink></filename>
for all interfaces connected to the common hub/switch. Using such a
setup with a production firewall is strongly recommended against.</para>
setup with a production firewall is strongly recommended
against.</para>
</listitem>
</itemizedlist>
</section>

<section>
<title>New Device Doesn't Work?</title>

<para>If you have just added a new device such as VOIP and it doesn't
work, be sure that you have assigned it an IP address in your local
network and that its default gateway has been set to the IP address of
your internal interface. For many of these devices, the simplest solution
is to run a DHCP server; running it on your firewall is fine — be sure to
set the <emphasis role="bold">dhcp</emphasis> option on your internal
interface in <ulink
url="Documentation.htm#INterfaces">/etc/shorewall/interfaces</ulink>.</para>
</section>

<section>
<title>Connection Problems</title>

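Review bot: the new section links to `Documentation.htm#INterfaces`, whereas the arp_filter item in this same hunk uses `Documentation.htm#Interfaces`; fragment identifiers are case-sensitive, so the new link will land at the top of the page instead of on the interfaces section. Change it to `#Interfaces`.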
@ -218,22 +236,23 @@ iptables: No chain/target/match by that name
<para>I also recommend against setting all of your policies to ACCEPT in
an effort to make something work. That robs you of one of your best
diagnostic tools - the <quote>Shorewall</quote> messages that Netfilter
will generate when you try to connect in a way that isn't permitted by
will generate when you try to connect in a way that isn't permitted by
your rule set.</para>

<para>Check your log (<quote><command>/sbin/shorewall show log</command></quote>).
If you don't see Shorewall messages, then your problem is probably NOT
a Shorewall problem. If you DO see packet messages, it may be an
indication that you are missing one or more rules -- see <ulink
url="FAQ.htm#faq17">FAQ 17</ulink>.</para>
<para>Check your log (<quote><command>/sbin/shorewall show
log</command></quote>). If you don't see Shorewall messages, then your
problem is probably NOT a Shorewall problem. If you DO see packet
messages, it may be an indication that you are missing one or more rules
-- see <ulink url="FAQ.htm#faq17">FAQ 17</ulink>.</para>

<para>While you are troubleshooting, it is a good idea to clear two
variables in <filename><filename>/etc/shorewall/shorewall.conf</filename></filename>:</para>
variables in
<filename><filename>/etc/shorewall/shorewall.conf</filename></filename>:</para>

<para><programlisting>LOGRATE=
LOGBURST=""</programlisting>This way, you will see all of the log
messages being generated (be sure to restart shorewall after clearing
these variables).</para>
LOGBURST=""</programlisting>This way, you will see all of the log messages
being generated (be sure to restart shorewall after clearing these
variables).</para>

<example>
<title>Log Message</title>
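Review bot: the reflowed sentence keeps the doubled markup `<filename><filename>/etc/shorewall/shorewall.conf</filename></filename>`; a single `<filename>` is enough. The rest of this hunk is whitespace reflow and entity changes only.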
@ -244,13 +263,14 @@ LOGBURST=""</programlisting>This way, you will see all of the log
PREC=0x00 TTL=63 ID=5805 DF
PROTO=UDP SPT=1803 DPT=53 LEN=47</programlisting>

<para>Let's look at the important parts of this message:</para>
<para>Let's look at the important parts of this message:</para>

<itemizedlist>
<listitem>
<para>all2all:REJECT - This packet was REJECTed out of the all2all
chain -- the packet was rejected under the <quote>all</quote>-><quote>all</quote>
REJECT policy (see <ulink url="FAQ.htm#faq17">FAQ 17</ulink>).</para>
chain -- the packet was rejected under the
<quote>all</quote>-><quote>all</quote> REJECT policy (see <ulink
url="FAQ.htm#faq17">FAQ 17</ulink>).</para>
</listitem>

<listitem>
@ -258,7 +278,8 @@ LOGBURST=""</programlisting>This way, you will see all of the log
</listitem>

<listitem>
<para>OUT=eth1 - if accepted, the packet would be sent on eth1</para>
<para>OUT=eth1 - if accepted, the packet would be sent on
eth1</para>
</listitem>

<listitem>
@ -266,7 +287,8 @@ LOGBURST=""</programlisting>This way, you will see all of the log
</listitem>

<listitem>
<para>DST=192.168.1.3 - the packet is destined for 192.168.1.3</para>
<para>DST=192.168.1.3 - the packet is destined for
192.168.1.3</para>
</listitem>

<listitem>
@ -279,7 +301,8 @@ LOGBURST=""</programlisting>This way, you will see all of the log
</itemizedlist>

<para>In this case, 192.168.2.2 was in the <quote>dmz</quote> zone and
192.168.1.3 is in the <quote>loc</quote> zone. I was missing the rule:</para>
192.168.1.3 is in the <quote>loc</quote> zone. I was missing the
rule:</para>

<programlisting>#ACTION SOURCE DEST PROTO DEST
# PORT(S)
|
||||
@ -290,26 +313,27 @@ ACCEPT dmz loc udp 53</programlisting>
|
||||
<section>
|
||||
<title>Ping Problems</title>
|
||||
|
||||
<para>Either can't ping when you think you should be able to or are
|
||||
able to ping when you think that you shouldn't be allowed?
|
||||
Shorewall's <quote>Ping</quote> Management is <ulink url="ping.html">described
|
||||
<para>Either can't ping when you think you should be able to or are able
|
||||
to ping when you think that you shouldn't be allowed? Shorewall's
|
||||
<quote>Ping</quote> Management is <ulink url="ping.html">described
|
||||
here</ulink>. Here are a couple of tips:</para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>Remember that Shorewall doesn't automatically allow ICMP
|
||||
type 8 (<quote>ping</quote>) requests to be sent between zones. If you
|
||||
want pings to be allowed between zones, you need a rule of the form:</para>
|
||||
<para>Remember that Shorewall doesn't automatically allow ICMP type 8
|
||||
(<quote>ping</quote>) requests to be sent between zones. If you want
|
||||
pings to be allowed between zones, you need a rule of the form:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST
|
||||
# PORT(S)
|
||||
ACCEPT   <emphasis><source zone></emphasis>   <emphasis><destination zone></emphasis>    icmp    echo-request</programlisting>
ACCEPT <emphasis><source zone></emphasis> <emphasis><destination zone></emphasis> icmp echo-request</programlisting>
<para>The ramifications of this can be subtle. For example, if you
have the following in <filename><ulink url="NAT.htm">/etc/shorewall/nat</ulink></filename>:</para>
have the following in <filename><ulink
url="NAT.htm">/etc/shorewall/nat</ulink></filename>:</para>
<programlisting>#EXTERNAL INTERFACE INTERNAL
10.1.1.2    eth0    130.252.100.18</programlisting>
10.1.1.2 eth0 130.252.100.18</programlisting>
<para>and you ping 130.252.100.18, unless you have allowed icmp type 8
between the zone containing the system you are pinging from and the
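Review bot: the whitespace inside both <programlisting> blocks changes in this hunk. The old rule line pads `ACCEPT`, `<source zone>`, `<destination zone>`, `icmp` and `echo-request` with non-breaking spaces so they sit under the `#ACTION SOURCE DEST PROTO DEST` / `# PORT(S)` header, while the new line and the nat entry `10.1.1.2 eth0 130.252.100.18` show single spaces only. Whitespace is significant in programlisting, so if the editor really collapsed those runs the columns no longer line up under their headers (`#EXTERNAL INTERFACE INTERNAL` for the nat entry); re-check the source and align with plain spaces or tabs rather than nbsp, which also avoids pasting non-ASCII into a file the reader may copy into /etc/shorewall.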
@ -339,17 +363,19 @@ DROP net fw icmp echo-request</programlist
<orderedlist>
<listitem>
<para>your zone definitions are screwed up and the host that is
sending the packets or the destination host isn't in any zone
(using an <ulink url="Documentation.htm#Hosts"><filename>/etc/shorewall/hosts</filename></ulink>
sending the packets or the destination host isn't in any zone
(using an <ulink
url="Documentation.htm#Hosts"><filename>/etc/shorewall/hosts</filename></ulink>
file are you?); or</para>
</listitem>
<listitem>
<para>the source and destination hosts are both connected to the
same interface and you don't have a policy or rule for the
source zone to or from the destination zone or you haven't set
the <emphasis role="bold">routeback</emphasis> option for the
interface in <ulink url="Documentation.htm#Interfaces"><filename>/etc/shorewall/interfaces</filename></ulink>.</para>
same interface and you don't have a policy or rule for the source
zone to or from the destination zone or you haven't set the
<emphasis role="bold">routeback</emphasis> option for the
interface in <ulink
url="Documentation.htm#Interfaces"><filename>/etc/shorewall/interfaces</filename></ulink>.</para>
</listitem>
</orderedlist>
</listitem>
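Review bot: item 2 of the orderedlist still reads `a policy or rule for the source zone to or from the destination zone`, which suggests that a rule in either direction would do. Shorewall policies and rules are directional and the reply to an echo-request is matched by connection tracking, so what the reader needs is a policy or rule from the source zone to the destination zone; suggest "from the source zone to the destination zone" while this text is being reflowed. In item 1, "your zone definitions are screwed up" is the author's voice, but "your zone definitions are wrong" would read better in a troubleshooting guide.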
@ -364,11 +390,11 @@ DROP net fw icmp echo-request</programlist
need to be configured with their default gateway set to the IP address
of their nearest firewall interface. One often overlooked aspect of
routing is that in order for two hosts to communicate, the routing
between them must be set up <emphasis role="bold">in both directions</emphasis>.
So when setting up routing between <emphasis role="bold">A</emphasis>
and <emphasis role="bold">B</emphasis>, be sure to verify that the
route from <emphasis role="bold">B</emphasis> back to <emphasis
role="bold">A</emphasis> is defined.</para>
between them must be set up <emphasis role="bold">in both
directions</emphasis>. So when setting up routing between <emphasis
role="bold">A</emphasis> and <emphasis role="bold">B</emphasis>, be
sure to verify that the route from <emphasis role="bold">B</emphasis>
back to <emphasis role="bold">A</emphasis> is defined.</para>
</listitem>
<listitem>
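Review bot: the two-way routing paragraph is a pure rewrap, but since this revision is aimed at the networking-challenged, the sentence ending `be sure to verify that the route from B back to A is defined` would be more useful with a concrete check: run `ip route get <address of A>` on B and confirm the next hop it reports is the firewall interface B was given as its default gateway, and do the same on A for B's address. The `ip` program is already a stated requirement in the next item, so no new dependency is introduced.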
@ -380,15 +406,17 @@ DROP net fw icmp echo-request</programlist
<listitem>
<para>Do you have your kernel properly configured? <ulink
url="kernel.htm">Click here to see my kernel configuration</ulink>.</para>
url="kernel.htm">Click here to see my kernel
configuration</ulink>.</para>
</listitem>
<listitem>
<para>Shorewall requires the <quote>ip</quote> program. That program
is generally included in the <quote>iproute</quote> package which
should be included with your distribution (though many distributions
don't install iproute by default). You may also download the
latest source tarball from <ulink url="ftp://ftp.inr.ac.ru/ip-routing">ftp://ftp.inr.ac.ru/ip-routing</ulink>
don't install iproute by default). You may also download the latest
source tarball from <ulink
url="ftp://ftp.inr.ac.ru/ip-routing">ftp://ftp.inr.ac.ru/ip-routing</ulink>
.</para>
</listitem>
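Review bot: the rewrap leaves ` .</para>` on its own line after `url="ftp://ftp.inr.ac.ru/ip-routing">ftp://ftp.inr.ac.ru/ip-routing</ulink>`, which renders as a space before the full stop; keep the period directly after `</ulink>` on the same line. Separately, this item sends readers to a source tarball over plain FTP with no mention of checking it: an unauthenticated FTP download cannot be verified unless the site also publishes a signature or checksum, so recommend the distribution's own iproute package first (which is signed by the distribution) and mention the tarball only as a fallback.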
@ -404,17 +432,77 @@ DROP net fw icmp echo-request</programlist
<section>
<title>Still Having Problems?</title>
<para>See the <ulink url="support.htm">Shorewall Support Page</ulink>.</para>
<para>See the <ulink url="support.htm">Shorewall Support
Page</ulink>.</para>
</section>
<appendix>
<title>Revision History</title>
<para><revhistory><revision><revnumber>1.8</revnumber><date>2004-04-03</date><authorinitials>TE</authorinitials><revremark>Point
out that firewall addresses are in the $FW zone.</revremark></revision><revision><revnumber>1.7</revnumber><date>2004-02-02</date><authorinitials>TE</authorinitials><revremark>Add
hint about testing from inside the firewall.</revremark></revision><revision><revnumber>1.6</revnumber><date>2004-01-06</date><authorinitials>TE</authorinitials><revremark>Add
pointer to Site and Mailing List Archives Searches.</revremark></revision><revision><revnumber>1.5</revnumber><date>2004-01-01</date><authorinitials>TE</authorinitials><revremark>Added
information about eliminating ping-generated log messages.</revremark></revision><revision><revnumber>1.4</revnumber><date>2003-12-22</date><authorinitials>TE</authorinitials><revremark>Initial
Docbook Conversion</revremark></revision></revhistory></para>
<para><revhistory>
<revision>
<revnumber>1.9</revnumber>
<date>2004-08-25</date>
<authorinitials>TE</authorinitials>
<revremark>Advice for the networking-challenged.</revremark>
</revision>
<revision>
<revnumber>1.8</revnumber>
<date>2004-04-03</date>
<authorinitials>TE</authorinitials>
<revremark>Point out that firewall addresses are in the $FW
zone.</revremark>
</revision>
<revision>
<revnumber>1.7</revnumber>
<date>2004-02-02</date>
<authorinitials>TE</authorinitials>
<revremark>Add hint about testing from inside the
firewall.</revremark>
</revision>
<revision>
<revnumber>1.6</revnumber>
<date>2004-01-06</date>
<authorinitials>TE</authorinitials>
<revremark>Add pointer to Site and Mailing List Archives
Searches.</revremark>
</revision>
<revision>
<revnumber>1.5</revnumber>
<date>2004-01-01</date>
<authorinitials>TE</authorinitials>
<revremark>Added information about eliminating ping-generated log
messages.</revremark>
</revision>
<revision>
<revnumber>1.4</revnumber>
<date>2003-12-22</date>
<authorinitials>TE</authorinitials>
<revremark>Initial Docbook Conversion</revremark>
</revision>
</revhistory></para>
</appendix>
</article>
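Review bot: the only substantive addition in this hunk is the new revision 1.9 entry (`<revnumber>1.9</revnumber>`, `<date>2004-08-25</date>`, "Advice for the networking-challenged."); the rest re-indents the single-line <revhistory> into one element per line, which is a welcome cleanup. Make sure the 1.9 date agrees with the article's <pubdate>, since the two are maintained by hand and this hunk touches only one of them, and consider a separate revision entry for the rewraps and nbsp-to-space changes made elsewhere in this commit so the history reflects what actually changed.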