From aef34d7908ce2099044f0d551ce692e9bbadcf56 Mon Sep 17 00:00:00 2001 From: teastep Date: Thu, 28 Jun 2007 22:24:59 +0000 Subject: [PATCH] Fix oversights in ID changes git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@6699 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- docs/6to4.xml | 42 +-- docs/CorpNetwork.xml | 557 ----------------------------------- docs/Documentation_Index.xml | 39 ++- docs/Introduction.xml | 10 +- docs/ReleaseModel.xml | 4 +- docs/ping.xml | 4 +- docs/survey-200603.xml | 4 +- 7 files changed, 53 insertions(+), 607 deletions(-) delete mode 100644 docs/CorpNetwork.xml diff --git a/docs/6to4.xml b/docs/6to4.xml index 93ed381c6..92e2aa949 100644 --- a/docs/6to4.xml +++ b/docs/6to4.xml @@ -35,7 +35,8 @@ 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled - GNU Free Documentation License. + GNU Free Documentation + License. @@ -53,7 +54,7 @@ url="http://www.tldp.org/HOWTO/Linux+IPv6-HOWTO/configuring-ipv6to4-tunnels.html">Setup of 6to4 tunnels. -
+
Connecting two IPv6 Networks Suppose that we have the following situation: @@ -62,17 +63,20 @@ We want systems in the 2002:100:333::/64 subnetwork to be able to communicate with the systems in the 2002:488:999::/64 network. This is - accomplished through use of the /etc/shorewall/tunnels - file and the ip utility for network interface and routing + accomplished through use of the + /etc/shorewall/tunnels file and + the ip utility for network interface and routing configuration. - Unlike GRE and IPIP tunneling, the /etc/shorewall/policy, - /etc/shorewall/interfaces and /etc/shorewall/zones - files are not used. There is no need to declare a zone to represent the - remote IPv6 network. This remote network is not visible on IPv4 interfaces - and to iptables. All that is visible on the IPv4 level is an IPv4 stream - which contains IPv6 traffic. Separate IPv6 interfaces and ip6tables rules - need to be defined to handle this traffic. + Unlike GRE and IPIP tunneling, the + /etc/shorewall/policy, + /etc/shorewall/interfaces and + /etc/shorewall/zones files are not used. There is no + need to declare a zone to represent the remote IPv6 network. This remote + network is not visible on IPv4 interfaces and to iptables. All that is + visible on the IPv4 level is an IPv4 stream which contains IPv6 traffic. + Separate IPv6 interfaces and ip6tables rules need to be defined to handle + this traffic. In /etc/shorewall/tunnels on system A, we need the following: @@ -86,10 +90,10 @@ Use the following commands to setup system A: - >ip tunnel add tun6to4 mode sit ttl 254 remote 134.28.54.2 ->ip link set dev tun6to4 up ->ip addr add 3ffe:8280:0:2001::1/64 dev tun6to4 ->ip route add 2002:488:999::/64 via 3ffe:8280:0:2001::2 + >ip tunnel add tun6to4 mode sit ttl 254 remote 134.28.54.2 +>ip link set dev tun6to4 up +>ip addr add 3ffe:8280:0:2001::1/64 dev tun6to4 +>ip route add 2002:488:999::/64 via 3ffe:8280:0:2001::2 Similarly, in /etc/shorewall/tunnels on system B we have: 
@@ -99,10 +103,10 @@ And use the following commands to setup system B: - >ip tunnel add tun6to4 mode sit ttl 254 remote 206.191.148.9 ->ip link set dev tun6to4 up ->ip addr add 3ffe:8280:0:2001::2/64 dev tun6to4 ->ip route add 2002:100:333::/64 via 3ffe:8280:0:2001::1 + >ip tunnel add tun6to4 mode sit ttl 254 remote 206.191.148.9 +>ip link set dev tun6to4 up +>ip addr add 3ffe:8280:0:2001::2/64 dev tun6to4 +>ip route add 2002:100:333::/64 via 3ffe:8280:0:2001::1 On both systems, restart Shorewall and issue the configuration commands as listed above. The systems in both IPv6 subnetworks can now diff --git a/docs/CorpNetwork.xml b/docs/CorpNetwork.xml deleted file mode 100644 index 92eb506e6..000000000 --- a/docs/CorpNetwork.xml +++ /dev/null @@ -1,557 +0,0 @@ - - -
- - - - Corporate Network - - - - Tom - - Eastep - - - - Graeme - - Boyle - - - - - - - 2003 - - 2005 - - Thomas M. Eastep and Graeme Boyle - - - - Permission is granted to copy, distribute and/or modify this - document under the terms of the GNU Free Documentation License, Version - 1.2 or any later version published by the Free Software Foundation; with - no Invariant Sections, with no Front-Cover, and with no Back-Cover - Texts. A copy of the license is included in the section entitled - GNU Free Documentation - License. - - - - - This document has not been updated yet, to - reflect a correct configuration for Shorewall 3. - - -
- The Network - - - - - This configuration is used on a corporate network that has a - Linux (RedHat 8.0) server with three interfaces, running Shorewall - 1.4.5 release, - - - - Make sure you know what public IP addresses are currently - being used and verify these before - starting. - - - - Verify your DNS settings before starting - any Shorewall configuration especially if you have split DNS. - - - - System names and Internet IP addresses have been changed to - protect the innocent. - - - - - - This configuration uses a combination of One-to-one NAT and Proxy - ARP. This is generally not relevant to a simple configuration with a - single public IP address. If you have just a single public IP address, - most of what you see here won't apply to your setup so beware of copying - parts of this configuration and expecting them to work for you. What you - copy may or may not work in your configuration. - - - I have a T1 with 64 static IP addresses (192.0.18.65-127/26). The - internet is connected to eth0. The local network is connected via eth1 - (10.10.0.0/22) and the DMZ is connected to eth2 (192.168.21.0/24). I have - an IPSec tunnel connecting our offices in Germany to our offices in the - US. I host two Microsoft Exchange servers for two different companies - behind the firewall hence, the two Exchange servers in the diagram - below. - -
- Summary - - - - SNAT for all systems connected to the LAN - Internal addresses - 10.10.x.x to external address 192.0.18.127. - - - - One-to-one NAT for Polaris (Exchange - Server #2). Internal address 10.10.1.8 and external address - 192.0.18.70. - - - - One-to-one NAT for Sims (Inventory - Management server). Internal address 10.10.1.56 and external address - 192.0.18.75. - - - - One-to-one NAT for Project (Project Web - Server). Internal address 10.10.1.55 and external address - 192.0.18.84. - - - - One-to-one NAT for Fortress (Exchange - Server). Internal address 10.10.1.252 and external address - 192.0.18.93. - - - - One-to-one NAT for BBSRV (Blackberry - Server). Internal address 10.10.1.230 and external address - 192.0.18.97. - - - - One-to-one NAT for Intweb (Intranet Web - Server). Internal address 10.10.1.60 and external address - 192.0.18.115. - - - - The firewall runs on a 2Gb, Dual PIV/2.8GHz, Intel motherboard - with RH8.0. - - The Firewall is also a proxy server running Privoxy 3.0. - - The single system in the DMZ (address 192.0.18.80) runs sendmail, - imap, pop3, DNS, a Web server (Apache) and an FTP server (vsFTPd 1.1.0). - That server is managed through Proxy ARP. - - All administration and publishing is done using ssh/scp. I have X - installed on the firewall and the system in the DMZ. X applications - tunnel through SSH to Hummingbird Exceed running on a PC located in the - LAN. Access to the firewall using SSH is restricted to systems in the - LAN, DMZ or the system Kaos which is on the Internet and managed by - me. - - - - The Ethernet 0 interface in the Server is configured with IP - address 192.0.18.68, netmask 255.255.255.192. The server's default - gateway is 192.0.18.65, the Router connected to my network and the ISP. - This is the same default gateway used by the firewall itself. 
On the - firewall, Shorewall automatically adds a host route to 192.0.18.80 - through Ethernet 2 (192.168.21.1) because of the entry in - /etc/shorewall/proxyarp (see below). I modified the start, stop and init - scripts to include the fixes suggested when having an IPSec - tunnel. -
- -
- Some Mistakes I Made - - Yes, believe it or not, I made some really basic mistakes when - building this firewall. Firstly, I had the new firewall setup in - parallel with the old firewall so that there was no interruption of - service to my users. During my out-bound testing, I set up systems on - the LAN to utilize the firewall which worked fine. When testing my NAT - connections, from the outside, these would fail and I could not - understand why. Eventually, I changed the default route on the internal - system I was trying to access, to point to the new firewall and - bingo, everything worked as expected. This oversight - delayed my deployment by a couple of days not to mention level of - frustration it produced. - - Another problem that I encountered was in setting up the Proxyarp - system in the DMZ. Initially I forgot to remove the entry for the eth2 - from the /etc/shorewall/masq file. Once my file settings were correct, I - started verifying that the ARP caches on the firewall, as well as the - outside system kaos, were showing the correct Ethernet - MAC address. However, in testing remote access, I could access the - system in the DMZ only from the firewall and LAN but not from the - Internet. The message I received was connection denied on - all protocols. What I did not realize was that a helpful - administrator that had turned on an old system and assigned the same - address as the one I was using for Proxyarp without notifying me. How - did I work this out. I shutdown the system in the DMZ, rebooted the - router and flushed the ARP cache on the firewall and kaos. Then, from - kaos, I started pinging that IP address and checked the updated ARP - cache and lo-and-behold a different MAC address showed up. High levels - of frustration etc., etc. The administrator will not be doing that - again! :-) -
- -
- Lessons Learned - - - - Read the documentation. - - - - Draw your network topology before starting. - - - - Understand what services you are going to allow in and out of - the firewall, whether they are TCP or UDP packets and make a note of - these port numbers. - - - - Try to get quiet time to build the firewall - you need to - focus on the job at hand. - - - - When asking for assistance, be honest and include as much - detail as requested. Don't try and hide IP addresses etc., you will - probably screw up the logs and make receiving assistance - harder. - - - - Read the documentation. - - -
- -
- Futures - - This is by no means the final configuration. In the near future, I - will be moving more systems from the LAN to the DMZ. I will also be - watching the logs for port scan programs etc. but, this should be - standard security maintenance. -
-
- -
- Configuration Files - - Here are copies of my files. I have removed most of the internal - documentation for the purpose of this space however, my system still has - the original files with all the comments and I highly recommend you do the - same. - -
- Shorewall.conf - - ############################################################################## -# /etc/shorewall/shorewall.conf V1.4 - Change the following variables to -# match your setup -# -# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm] -# -# This file should be placed in /etc/shorewall -# -# (c) 1999,2000,2001,2002,2003 - Tom Eastep (teastep@shorewall.net) -############################################################################## -# L O G G I N G -############################################################################## -LOGFILE=/var/log/messages -LOGFORMAT=Shorewall:%s:%s: -LOGRATE= -LOGBURST= -LOGUNCLEAN=info -BLACKLIST_LOGLEVEL= -LOGNEWNOTSYN= -MACLIST_LOG_LEVEL=info -TCP_FLAGS_LOG_LEVEL=debug -RFC1918_LOG_LEVEL=debug -PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin -SUBSYSLOCK=/var/lock/subsys/shorewall -STATEDIR=/var/lib/shorewall -MODULESDIR= -FW=fw -NAT_ENABLED=Yes -MANGLE_ENABLED=Yes -IP_FORWARDING=On -ADD_IP_ALIASES=Yes -ADD_SNAT_ALIASES=Yes -TC_ENABLED=Yes -CLEAR_TC=No -MARK_IN_FORWARD_CHAIN=No -CLAMPMSS=No -ROUTE_FILTER=Yes -NAT_BEFORE_RULES=No -MULTIPORT=Yes -DETECT_DNAT_IPADDRS=Yes -MUTEX_TIMEOUT=60 -NEWNOTSYN=Yes -BLACKLIST_DISPOSITION=DROP -MACLIST_DISPOSITION=REJECT -TCP_FLAGS_DISPOSITION=DROP -#LAST LINE -- DO NOT REMOVE -
- -
- Zones File - - # -# Shorewall 1.4 -- Sample Zone File For Two Interfaces -# /etc/shorewall/zones -# -# This file determines your network zones. Columns are: -# -# ZONE Short name of the zone -# DISPLAY Display name of the zone -# COMMENTS Comments about the zone -# -#ZONE DISPLAY COMMENTS -net Net Internet -loc Local Local Networks -dmz DMZ Demilitarized Zone -vpn1 VPN1 VPN to Germany -#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE -
- -
- Interfaces File - - ############################################################################## -#ZONE INTERFACE BROADCAST OPTIONS -net eth0 62.123.106.127 routefilter,norfc1918,blacklist,tcpflags -loc eth1 detect dhcp,routefilter -dmz eth2 detect -vpn1 ipsec0 -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE - -
- -
- Routestopped File - - #INTERFACE HOST(S) -eth1 - -eth2 - -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE -
- -
- Policy File - - ############################################################################### -#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST -loc net ACCEPT -loc fw ACCEPT -loc dmz ACCEPT -# If you want open access to the Internet from your Firewall -# remove the comment from the following line. -fw net ACCEPT -fw loc ACCEPT -fw dmz ACCEPT -dmz fw ACCEPT -dmz loc ACCEPT -dmz net ACCEPT -# -# Adding VPN Access -loc vpn1 ACCEPT -dmz vpn1 ACCEPT -fw vpn1 ACCEPT -vpn1 loc ACCEPT -vpn1 dmz ACCEPT -vpn1 fw ACCEPT -# -net all DROP info -all all REJECT info -#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE -
- -
- Masq File - - #INTERFACE SUBNET ADDRESS -eth0 eth1 192.0.18.126 -# -#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE -
- -
- NAT File - - #EXTERNAL INTERFACE INTERNAL ALL INTERFACES LOCAL -# -# Intranet Web Server -192.0.18.115 eth0:0 10.10.1.60 No No -# -# Project Web Server -192.0.18.84 eth0:1 10.10.1.55 No No -# -# Blackberry Server -192.0.18.97 eth0:2 10.10.1.55 No No -# -# Corporate Mail Server -192.0.18.93 eth0:3 10.10.1.252 No No -# -# Second Corp Mail Server -192.0.18.70 eth0:4 10.10.1.8 No No -# -# Sims Server -192.0.18.75 eth0:5 10.10.1.56 No No -# -#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE -
- -
- Proxy ARP File - - #ADDRESS INTERFACE EXTERNAL HAVEROUTE -# -# The Corporate email server in the DMZ -192.0.18.80 eth2 eth0 No -# -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE -
- -
- Tunnels File - - # TYPE ZONE GATEWAY GATEWAY ZONE PORT -ipsec net 134.147.129.82 -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE -
- -
- Rules File (The shell variables are set in - /etc/shorewall/params) - - ############################################################################## -#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL -# PORT PORT(S) DEST -# -# Accept DNS connections from the firewall to the network -# -ACCEPT fw net tcp 53 -ACCEPT fw net udp 53 -# -# Accept SSH from internet interface from kaos only -# -ACCEPT net:192.0.18.98 fw tcp 22 -# -# Accept connections from the local network for administration -# -ACCEPT loc fw tcp 20:22 -ACCEPT loc net tcp 22 -ACCEPT loc fw tcp 53 -ACCEPT loc fw udp 53 -ACCEPT loc net tcp 53 -ACCEPT loc net udp 53 -# -# Allow Ping To And From Firewall -# -ACCEPT loc fw icmp 8 -ACCEPT loc dmz icmp 8 -ACCEPT loc net icmp 8 -ACCEPT dmz fw icmp 8 -ACCEPT dmz loc icmp 8 -ACCEPT dmz net icmp 8 -DROP net fw icmp 8 -DROP net loc icmp 8 -DROP net dmz icmp 8 -ACCEPT fw loc icmp 8 -ACCEPT fw dmz icmp 8 -DROP fw net icmp 8 -# -# Accept proxy web connections from the inside -# -ACCEPT loc fw tcp 8118 -# -# Forward PcAnywhere, Oracle and Web traffic from outside to the Demo systems -# From a specific IP Address on the Internet. 
-# -# ACCEPT net:207.65.110.10 loc:10.10.3.151 tcp 1521,http -# ACCEPT net:207.65.110.10 loc:10.10.2.32 tcp 5631:5632 -# -# Intranet web server -ACCEPT net loc:10.10.1.60 tcp 443 -ACCEPT dmz loc:10.10.1.60 tcp 443 -# -# Projects web server -ACCEPT net loc:10.10.1.55 tcp 80 -ACCEPT dmz loc:10.10.1.55 tcp 80 -# -# Blackberry Server -ACCEPT net loc:10.10.1.230 tcp 3101 -# -# Corporate Email Server -ACCEPT net loc:10.10.1.252 tcp 25,53,110,143,443 -# -# Corporate #2 Email Server -ACCEPT net loc:10.10.1.8 tcp 25,80,110,443 -# -# Sims Server -ACCEPT net loc:10.10.1.56 tcp 80,443 -ACCEPT net loc:10.10.1.56 tcp 7001:7002 -ACCEPT net:63.83.198.0/24 loc:10.10.1.56 tcp 5631:5632 -# -# Access to DMZ -ACCEPT loc dmz udp 53,177 -ACCEPT loc dmz tcp 80,25,53,22,143,443,993,20,110 -ACCEPT net dmz udp 53 -ACCEPT net dmz tcp 25,53,22,21,123 -ACCEPT dmz net tcp 25,53,80,123,443,21,22 -ACCEPT dmz net udp 53 -# -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE -
- -
- Start File - - ############################################################################ -# Shorewall 1.4 -- /etc/shorewall/start -# -# Add commands below that you want to be executed after shorewall has -# been started or restarted. -# -qt service ipsec start -
- -
- Stop File - - ############################################################################ -# Shorewall 1.4 -- /etc/shorewall/stop -# -# Add commands below that you want to be executed at the beginning of a -# shorewall stop command. -# -qt service ipsec stop -
- -
- Init File - - ############################################################################ -# Shorewall 1.4 -- /etc/shorewall/init -# -# Add commands below that you want to be executed at the beginning of -# a shorewall start or shorewall restart command. -# -qt service ipsec stop -
-
-
\ No newline at end of file diff --git a/docs/Documentation_Index.xml b/docs/Documentation_Index.xml index f67cb6200..a757e51d3 100644 --- a/docs/Documentation_Index.xml +++ b/docs/Documentation_Index.xml @@ -170,8 +170,7 @@ - Corporate Network - Example + DHCP Multiple Zones Through One Interface @@ -182,7 +181,8 @@ - DHCP + ECN Disabling by host or + subnet My Shorewall Configuration @@ -192,8 +192,8 @@ - ECN Disabling by host or - subnet + Extension + Scripts (User Exits) Netfilter Overview @@ -202,8 +202,8 @@ - Extension - Scripts (User Exits) + Fallback/Uninstall Network Mapping @@ -212,8 +212,7 @@ - Fallback/Uninstall + FAQs One-to-one NAT (Static NAT) @@ -224,7 +223,8 @@ - FAQs + Features OpenVPN @@ -233,8 +233,8 @@ - Features + Forwarding Traffic on the + Same Interface Operating Shorewall @@ -243,8 +243,7 @@ - Forwarding Traffic on the - Same Interface + FTP and Shorewall Packet Marking @@ -254,7 +253,8 @@ - FTP and Shorewall + Getting help or answers to + questions Packet Processing in a Shorewall-based Firewall @@ -263,8 +263,8 @@ - Getting help or answers to - questions + Installation/Upgrade + (Français) 'Ping' Management @@ -273,8 +273,7 @@ - Installation/Upgrade - (Français) + IPP2P Port Information @@ -283,7 +282,7 @@ - IPP2P + Port Knocking and Other Uses of the 'Recent Match' diff --git a/docs/Introduction.xml b/docs/Introduction.xml index aeeba6339..82bc69211 100644 --- a/docs/Introduction.xml +++ b/docs/Introduction.xml @@ -32,8 +32,8 @@ -
- Introduction +
+ Introduction The information in this document applies only to 4.x releases of Shorewall. @@ -64,7 +64,7 @@
-
+
What is Shorewall? The Shoreline Firewall, more commonly known as @@ -305,8 +305,8 @@ ACCEPT net $FW tcp 22
-
- Shorewall Packages +
+ Shorewall Packages Shorewall 4.0 consists of four packages. diff --git a/docs/ReleaseModel.xml b/docs/ReleaseModel.xml index 97b0794dc..41ed9dba4 100644 --- a/docs/ReleaseModel.xml +++ b/docs/ReleaseModel.xml @@ -128,8 +128,8 @@ The currently-supported major releases are 3.2.x and 3.4.x.
-
- Old Release Model +
+ Old Release Model This release model described above was adopted on 2004-07-03 and modified 2004-07-21. Prior to 2004-07-03, a different release model was diff --git a/docs/ping.xml b/docs/ping.xml index 64ba24ffa..eb7ed4ca0 100644 --- a/docs/ping.xml +++ b/docs/ping.xml @@ -58,7 +58,7 @@ #ACTION SOURCE DEST PROTO DEST PORT(S) Ping/ACCEPT z1 z2 - + Ping from local zone to firewall To permit ping from the local zone to the firewall: @@ -82,7 +82,7 @@ Ping/ACCEPT loc $FW #ACTION SOURCE DEST PROTO DEST PORT(S) Ping/DROP z1 z2 - + Silently drop pings from the Internet To drop ping from the internet, you would need this rule in diff --git a/docs/survey-200603.xml b/docs/survey-200603.xml index 046d2d973..a89406d0f 100644 --- a/docs/survey-200603.xml +++ b/docs/survey-200603.xml @@ -57,8 +57,8 @@ have a survey module, but when i last looked at them, they were more limited and harder to use than Zoomerang. -
- Survey and results links +
+ Survey and results links The survey is still open as of this writing, and can be accessed at the
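Review bot: the deletion of docs/CorpNetwork.xml (the "deleted file mode 100644" hunk, -1,557) is not covered by the commit message, which only says "Fix oversights in ID changes"; the message should state that the Corporate Network example was removed and why. The removed text itself justifies the removal: its own note says the document "has not been updated yet, to reflect a correct configuration for Shorewall 3", and the sample files contradict each other (the Summary gives the SNAT external address as 192.0.18.127 while the Masq File uses 192.0.18.126; the NAT File maps 192.0.18.97, commented "Blackberry Server", to 10.10.1.55, which the Summary and the Rules File identify as the Project web server, with BBSRV at 10.10.1.230; the Interfaces File sets the eth0 broadcast to 62.123.106.127 although the public block described is 192.0.18.65-127/26). A firewall example whose NAT and rules entries disagree is worse than no example, so dropping the file outright rather than patching it is the right call, but record that decision in the message.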
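Review bot: in docs/Documentation_Index.xml, removing the "Corporate Network Example" cell at @@ -170,8 shifts every later cell of the index table up by one slot (DHCP, ECN Disabling, Extension Scripts, Fallback/Uninstall, FAQs, Features, Forwarding Traffic, FTP and Shorewall, Getting help, Installation/Upgrade (Français), IPP2P each move into the previous position), which is consistent with the deletion of docs/CorpNetwork.xml. The hunk ends at "Port Knocking and Other Uses of the 'Recent Match'" with the tail of the table outside the diff, so confirm the final row still balances; and since this diff removes only the index entry, check that no other document still links to CorpNetwork.xml.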
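Review bot: the hunks in docs/Introduction.xml (@@ -32,8 and @@ -305,8), docs/ReleaseModel.xml (@@ -128,8), docs/ping.xml (@@ -58,7 and @@ -82,7) and docs/survey-200603.xml (@@ -57,8) each replace a section opening and its title with text that reads identically, so the actual change is in an attribute (presumably the section id that the subject line "Fix oversights in ID changes" refers to) that does not appear in the text of the diff. The commit message should list the old and new ids so the change can be reviewed and so that any existing links to the old anchors can be checked.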