Shorewall 2.2.0 RC4

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1892 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2005-01-07 15:51:33 +00:00
parent 72c8afc829
commit b32231581c
6 changed files with 16214 additions and 3443 deletions

Binary file not shown.

File diff suppressed because it is too large

Binary file not shown.

File diff suppressed because it is too large

View File

@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2005-01-03</pubdate>
<pubdate>2005-01-06</pubdate>
<copyright>
<year>2001-2005</year>
@ -152,9 +152,12 @@
206.124.146.177 through eth1 when that interface is brought up.</para>
<para>Tarry (192.168.1.4) runs a PPTP server for Road Warrior access from
my work laptop and the Firewall is configured with OpenVPN for VPN access
from our second home in <ulink url="http://www.omakchamber.com/">Omak,
Washington</ulink> or when we are otherwise out of town.</para>
my work laptop and Ursa (206.124.146.178/192.168.1.5) is configured with
OpenVPN for VPN access from our second home in <ulink
url="http://www.omakchamber.com/">Omak, Washington</ulink> or when we are
otherwise out of town. I have a new work laptop that is not yet in
service; when it is, I will install OpenVPN on it as well and use OpenVPN
exclusively for remote access.</para>
<para><graphic align="center" fileref="images/network.png" /></para>
</section>
@ -216,7 +219,7 @@ TCP_FLAGS_DISPOSITION=DROP</programlisting>
<para><programlisting>MIRRORS=&lt;list of shorewall mirror ip addresses&gt;
NTPSERVERS=&lt;list of the NTP servers I sync with&gt;
TEXAS=&lt;ip address of gateway in Plano&gt;
LOG=ULOGD
LOG=ULOG
EXT_IF=eth1
INT_IF=eth2
DMZ_IF=eth0</programlisting></para>
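Review bot: the change from LOG=ULOGD to LOG=ULOG is the right fix; ULOG is the log-level keyword Shorewall accepts (the netfilter target), whereas ULOGD names the userspace daemon that reads it, so every policy and rule that expands $LOG as its LOG LEVEL would have been rejected with the old value.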
@ -231,7 +234,6 @@ DMZ_IF=eth0</programlisting></para>
net Internet Internet
dmz DMZ Demilitarized zone
loc Local Local networks
road Roadwarrior Our Laptop on the Road
tx Texas Peer Network in Dallas
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
</programlisting>
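Review bot: dropping the road zone here is only safe because the later hunks in this file also remove every reference to it (the tun+ entry in interfaces, the fw/road and road/loc policies, and the openvpn:1194 tunnel); a policy or interface line that still named road after this hunk would make shorewall start fail, so please keep those removals in the same commit, as done.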
@ -250,7 +252,6 @@ net $EXT_IF 206.124.146.255 dhcp,norfc1918,routefilter,logmartians,blackli
loc $INT_IF detect dhcp
dmz $DMZ_IF -
- texas -
road tun+ - routeback
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
</blockquote>
</section>
@ -316,9 +317,6 @@ $INT_IF -
<programlisting>#SOURCE DESTINATION POLICY LOG LEVEL BURST:LIMIT
fw fw ACCEPT
loc net ACCEPT
fw road ACCEPT
road loc ACCEPT
loc road ACCEPT
$FW loc ACCEPT
$FW tx ACCEPT
loc tx ACCEPT
@ -384,7 +382,6 @@ $EXT_IF:: eth2 206.124.146.176
<blockquote>
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE PORT
gre net $TEXAS
openvpn:1194 net 0.0.0.0/0
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
</blockquote>
</section>
@ -504,7 +501,7 @@ AllowPing net dmz
#
# Net to Local
#
# When I'm "on the road", the following two rules allow me VPN access back home.
# When I'm "on the road", the following two rules allow me VPN access back home via PPTP.
#
DNAT net loc:192.168.1.4 tcp 1723 -
DNAT net:!$TEXAS loc:192.168.1.4 gre -
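Review bot: the comment now correctly says these two DNAT rules are the PPTP path, but note that they still forward TCP 1723 and GRE from the whole net zone (minus $TEXAS) to 192.168.1.4 even though the narrative hunk above says OpenVPN on Ursa will become the only remote-access method; once the new laptop is in service these rules should be removed so the exposed PPTP surface goes with it.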
@ -581,46 +578,6 @@ ACCEPT tx loc:192.168.1.5 all
</blockquote>
</section>
<section>
<title>/etc/openvpn/server.conf</title>
<para>This is my OpenVPN server configuration file:</para>
<blockquote>
<programlisting>ddev tun
server 192.168.2.0 255.255.255.0
dh dh1024.pem
ca /etc/certs/cacert.pem
crl-verify /etc/certs/crl.pem
cert /etc/certs/gateway.pem
key /etc/certs/gateway_key.pem
port 1194
comp-lzo
user nobody
group nogroup
ping 15
ping-restart 45
ping-timer-rem
persist-tun
persist-key
client-config-dir /etc/openvpn/clients
ccd-exclusive
client-to-client
verb 3</programlisting>
</blockquote>
</section>
<section id="debian_interfaces">
<title>/etc/network/interfaces</title>
@ -680,11 +637,12 @@ syslogsync 1</programlisting>
</section>
<section>
<title>Wireless IPSEC Gateway (Ursa) Configuration</title>
<title>Wireless IPSEC/OpenVPN Gateway (Ursa) Configuration</title>
<para>As mentioned above, Ursa acts as an IPSEC gateway for the wireless
network. It's view of the network is diagrammed in the following
figure.</para>
network and as an OpenVPN gateway for roadwarrior access from Tipper and
my new work laptop. It's view of the network is diagrammed in the
following figure.</para>
<graphic align="center" fileref="images/network1.png" valign="middle" />
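Review bot: "It's view of the network" in the replacement paragraph should read "Its view of the network" (possessive, no apostrophe); the typo was carried over from the line being replaced.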
@ -703,6 +661,7 @@ loc Local Local networks
net Internet The Big Bad Internet
WiFi Wireless Wireless Network
sec Secure Secure Wireless Network
road Roadwarriors Roadwarriors
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
</programlisting>
</blockquote>
@ -716,16 +675,22 @@ sec Secure Secure Wireless Network
loc fw ACCEPT
loc net NONE
loc sec ACCEPT
loc road ACCEPT
net fw ACCEPT
net loc NONE
net sec ACCEPT
sec fw ACCEPT
sec loc ACCEPT
sec net ACCEPT
road sec ACCEPT
road loc ACCEPT
road net ACCEPT
road fw ACCEPT
fw loc ACCEPT
fw net ACCEPT
fw sec ACCEPT
fw WiFi ACCEPT
fw Road ACCEPT
sec WiFi NONE
WiFi sec NONE
all all REJECT info
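Review bot: "fw Road ACCEPT" spells the zone as Road while the zones hunk declares it as road; Shorewall zone names are case-sensitive, so this line would reference an undefined zone and should be "fw road ACCEPT" to match the other added policies. Also worth a second look is "road net ACCEPT", which lets any authenticated roadwarrior use the home link as its Internet exit; that is a reasonable choice for your own laptops, but it means the OpenVPN certificate and ccd-exclusive checks in server.conf are the only thing standing between a lost client key and an open relay.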
@ -744,6 +709,7 @@ all all REJECT info
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
net eth0 192.168.1.255 dhcp,nobogons,blacklist
WiFi eth1 192.168.3.255 nobogons,blacklist,maclist,routeback
road tun0 -
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
</blockquote>
</section>
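Review bot: the new "road tun0 -" entry omits the routeback option that the firewall's removed "road tun+ - routeback" line had; that is fine here because Ursa's server.conf sets client-to-client, so traffic between OpenVPN clients is switched inside the daemon and never re-enters tun0 through netfilter, but if client-to-client is ever dropped the routeback option must come back or client-to-client traffic will be rejected.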
@ -779,12 +745,26 @@ loc eth0:192.168.1.0/24
</blockquote>
</section>
<section>
<title>tunnels</title>
<blockquote>
<programlisting># TYPE ZONE GATEWAY GATEWAY
# ZONE
ipsec:noah WiFi 192.168.3.8
openvpn:1194 net 0.0.0.0/0
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
</programlisting>
</blockquote>
</section>
<section>
<title>rules</title>
<blockquote>
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# PORT PORT(S) DEST
allowBcast WiFi fw
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
</blockquote>
</section>
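Review bot: "openvpn:1194 net 0.0.0.0/0" is the correct way to admit roadwarriors whose source address is unknown, and the port matches "port 1194" in the server.conf hunk; it is worth stating in the text that from this point the access control is entirely the certificate checks in server.conf (ca, crl-verify and ccd-exclusive), since the firewall itself accepts UDP 1194 from anywhere.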
@ -794,7 +774,7 @@ loc eth0:192.168.1.0/24
<blockquote>
<programlisting>#INTERFACE HOST(S) OPTIONS
eth0 0.0.0.0/0
eth1 0.0.0.0/0
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
</blockquote>
</section>
@ -868,6 +848,46 @@ sainfo address 0.0.0.0/0 any address 192.168.3.8/32 any
}</programlisting>
</blockquote>
</section>
<section>
<title>/etc/openvpn/server.conf</title>
<para>This is my OpenVPN server configuration file:</para>
<blockquote>
<programlisting>dev tun
server 192.168.2.0 255.255.255.0
dh dh1024.pem
ca /etc/certs/cacert.pem
crl-verify /etc/certs/crl.pem
cert /etc/certs/ursa.pem
key /etc/certs/ursa_key.pem
port 1194
comp-lzo
user nobody
group nogroup
ping 15
ping-restart 45
ping-timer-rem
persist-tun
persist-key
client-config-dir /etc/openvpn/clients
ccd-exclusive
client-to-client
verb 3</programlisting>
</blockquote>
</section>
</section>
<section>
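Review bot: the relocated configuration fixes the "ddev tun" typo of the removed copy to "dev tun", good. Two remaining points: "dh dh1024.pem" is a relative path while ca, crl-verify, cert and key are all absolute under /etc/certs, so unless the daemon is started with its working directory set (for example via --cd) OpenVPN will look for the DH file relative to wherever it was launched; an absolute path would be safer. And a 1024-bit DH group is below current recommendations (2048-bit or larger), so regenerating the parameters is worth doing when the certificates are next renewed.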
@ -878,6 +898,12 @@ sainfo address 0.0.0.0/0 any address 192.168.3.8/32 any
connected via our wireless network, it uses IPSEC tunnel mode for all
access.</para>
<note>
<para>Given that I use OpenVPN for remote access, it would be more
convenient to also use it for wireless access at home. I use IPSEC just
so that I always have a working IPSEC testbed.</para>
</note>
<para>Tipper's view of the world is shown in the following diagram:</para>
<graphic align="center" fileref="images/network2.png" valign="middle" />
@ -1081,7 +1107,7 @@ ACCEPT net fw tcp 4000:4100
<blockquote>
<programlisting>dev tun
remote gateway.shorewall.net
remote ursa.shorewall.net
up /etc/openvpn/home.up
tls-client

View File

@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2005-01-01</pubdate>
<pubdate>2005-01-07</pubdate>
<copyright>
<year>2001-2005</year>
@ -103,8 +103,9 @@
<title>Guides that Others have Written</title>
<para>Andrew Allen has provided <ulink
url="http://unofficial-support.com/node/view/46">this guide</ulink> for
installing Shorewall on standalone webhosting servers.</para>
url="http://unofficial-support.com/article/how-to/shorewall">this
guide</ulink> for installing Shorewall on standalone webhosting
servers.</para>
</section>
</section>
</article>