Shorewall 2.2.0 RC4

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1892 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2005-01-07 15:51:33 +00:00
parent 72c8afc829
commit b32231581c
6 changed files with 16214 additions and 3443 deletions


View File

@ -15,7 +15,7 @@
</author> </author>
</authorgroup> </authorgroup>
<pubdate>2005-01-03</pubdate> <pubdate>2005-01-06</pubdate>
<copyright> <copyright>
<year>2001-2005</year> <year>2001-2005</year>
@ -152,9 +152,12 @@
206.124.146.177 through eth1 when that interface is brought up.</para> 206.124.146.177 through eth1 when that interface is brought up.</para>
<para>Tarry (192.168.1.4) runs a PPTP server for Road Warrior access from <para>Tarry (192.168.1.4) runs a PPTP server for Road Warrior access from
my work laptop and the Firewall is configured with OpenVPN for VPN access my work laptop and Ursa (206.124.146.178/192.168.1.5) is configured with
from our second home in <ulink url="http://www.omakchamber.com/">Omak, OpenVPN for VPN access from our second home in <ulink
Washington</ulink> or when we are otherwise out of town.</para> url="http://www.omakchamber.com/">Omak, Washington</ulink> or when we are
otherwise out of town. I have a new work laptop that is not yet in
service; when it is, I will install OpenVPN on it as well and use OpenVPN
exclusively for remote access.</para>
<para><graphic align="center" fileref="images/network.png" /></para> <para><graphic align="center" fileref="images/network.png" /></para>
</section> </section>
@ -216,7 +219,7 @@ TCP_FLAGS_DISPOSITION=DROP</programlisting>
<para><programlisting>MIRRORS=&lt;list of shorewall mirror ip addresses&gt; <para><programlisting>MIRRORS=&lt;list of shorewall mirror ip addresses&gt;
NTPSERVERS=&lt;list of the NTP servers I sync with&gt; NTPSERVERS=&lt;list of the NTP servers I sync with&gt;
TEXAS=&lt;ip address of gateway in Plano&gt; TEXAS=&lt;ip address of gateway in Plano&gt;
LOG=ULOGD LOG=ULOG
EXT_IF=eth1 EXT_IF=eth1
INT_IF=eth2 INT_IF=eth2
DMZ_IF=eth0</programlisting></para> DMZ_IF=eth0</programlisting></para>
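Review bot: the `LOG=ULOGD` to `LOG=ULOG` change in the params listing is a correctness fix rather than a cosmetic one, since `ULOG` is the log level Shorewall understands for the ulogd target and `ULOGD` is not a valid level; a short trailing comment on that line (for example `LOG=ULOG   # log via ulogd`) would stop a later reader from "fixing" it back.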
@ -231,7 +234,6 @@ DMZ_IF=eth0</programlisting></para>
net Internet Internet net Internet Internet
dmz DMZ Demilitarized zone dmz DMZ Demilitarized zone
loc Local Local networks loc Local Local networks
road Roadwarrior Our Laptop on the Road
tx Texas Peer Network in Dallas tx Texas Peer Network in Dallas
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
</programlisting> </programlisting>
@ -250,7 +252,6 @@ net $EXT_IF 206.124.146.255 dhcp,norfc1918,routefilter,logmartians,blackli
loc $INT_IF detect dhcp loc $INT_IF detect dhcp
dmz $DMZ_IF - dmz $DMZ_IF -
- texas - - texas -
road tun+ - routeback
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting> #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
</blockquote> </blockquote>
</section> </section>
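Review bot: removing `road tun+ - routeback` from the firewall's interfaces (together with the `road` zone dropped in the previous hunk) leaves no zone for tun devices on this host, so any OpenVPN instance still running on the firewall would now have its traffic fall through to the default policy; confirm the service is disabled there and that no remaining rules, tcrules or masq entries still reference `road` or `tun+`, since those would fail at compile time.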
@ -316,9 +317,6 @@ $INT_IF -
<programlisting>#SOURCE DESTINATION POLICY LOG LEVEL BURST:LIMIT <programlisting>#SOURCE DESTINATION POLICY LOG LEVEL BURST:LIMIT
fw fw ACCEPT fw fw ACCEPT
loc net ACCEPT loc net ACCEPT
fw road ACCEPT
road loc ACCEPT
loc road ACCEPT
$FW loc ACCEPT $FW loc ACCEPT
$FW tx ACCEPT $FW tx ACCEPT
loc tx ACCEPT loc tx ACCEPT
@ -384,7 +382,6 @@ $EXT_IF:: eth2 206.124.146.176
<blockquote> <blockquote>
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE PORT <programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE PORT
gre net $TEXAS gre net $TEXAS
openvpn:1194 net 0.0.0.0/0
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
</blockquote> </blockquote>
</section> </section>
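Review bot: with `openvpn:1194 net 0.0.0.0/0` removed from the firewall's tunnels, nothing visible in this diff admits UDP 1194 from `net` to Ursa, which the existing context line `ACCEPT tx loc:192.168.1.5 all` shows as a `loc` host behind this firewall; if Ursa's public address is reached through the firewall, a rules entry accepting UDP 1194 from `net` to Ursa is needed, and if it was added elsewhere the document should say where so that the reader can follow the path of the VPN traffic.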
@ -504,7 +501,7 @@ AllowPing net dmz
# #
# Net to Local # Net to Local
# #
# When I'm "on the road", the following two rules allow me VPN access back home. # When I'm "on the road", the following two rules allow me VPN access back home via PPTP.
# #
DNAT net loc:192.168.1.4 tcp 1723 - DNAT net loc:192.168.1.4 tcp 1723 -
DNAT net:!$TEXAS loc:192.168.1.4 gre - DNAT net:!$TEXAS loc:192.168.1.4 gre -
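Review bot: the comment on the two PPTP rules now reads "via PPTP", but the paragraph rewritten earlier in this commit says OpenVPN will become the exclusive remote-access method once the new laptop is in service; suggest marking the `DNAT net loc:192.168.1.4 tcp 1723` and `gre` rules as interim in the comment so that TCP 1723 and GRE are closed when that happens, rather than lingering as an open path to Tarry that nobody uses.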
@ -581,46 +578,6 @@ ACCEPT tx loc:192.168.1.5 all
</blockquote> </blockquote>
</section> </section>
<section>
<title>/etc/openvpn/server.conf</title>
<para>This is my OpenVPN server configuration file:</para>
<blockquote>
<programlisting>ddev tun
server 192.168.2.0 255.255.255.0
dh dh1024.pem
ca /etc/certs/cacert.pem
crl-verify /etc/certs/crl.pem
cert /etc/certs/gateway.pem
key /etc/certs/gateway_key.pem
port 1194
comp-lzo
user nobody
group nogroup
ping 15
ping-restart 45
ping-timer-rem
persist-tun
persist-key
client-config-dir /etc/openvpn/clients
ccd-exclusive
client-to-client
verb 3</programlisting>
</blockquote>
</section>
<section id="debian_interfaces"> <section id="debian_interfaces">
<title>/etc/network/interfaces</title> <title>/etc/network/interfaces</title>
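Review bot: the `/etc/openvpn/server.conf` listing removed here began with `ddev tun`, a typo that the copy re-added under the Ursa section later in this commit corrects to `dev tun`, so the move silently fixes it; the `cert`/`key` names also change from `gateway.pem`/`gateway_key.pem` to `ursa.pem`/`ursa_key.pem`, which is worth a sentence in the document so readers understand that Ursa gets its own certificate rather than inheriting the firewall's.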
@ -680,11 +637,12 @@ syslogsync 1</programlisting>
</section> </section>
<section> <section>
<title>Wireless IPSEC Gateway (Ursa) Configuration</title> <title>Wireless IPSEC/OpenVPN Gateway (Ursa) Configuration</title>
<para>As mentioned above, Ursa acts as an IPSEC gateway for the wireless <para>As mentioned above, Ursa acts as an IPSEC gateway for the wireless
network. It's view of the network is diagrammed in the following network and as an OpenVPN gateway for roadwarrior access from Tipper and
figure.</para> my new work laptop. It's view of the network is diagrammed in the
following figure.</para>
<graphic align="center" fileref="images/network1.png" valign="middle" /> <graphic align="center" fileref="images/network1.png" valign="middle" />
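Review bot: "It's view of the network" in the rewritten Ursa paragraph should be "Its view of the network" (possessive, no apostrophe); the same hunk writes "roadwarrior" while the zones entry added below uses "Roadwarriors" and the earlier text uses "Road Warrior", so one spelling should be chosen throughout.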
@ -703,6 +661,7 @@ loc Local Local networks
net Internet The Big Bad Internet net Internet The Big Bad Internet
WiFi Wireless Wireless Network WiFi Wireless Wireless Network
sec Secure Secure Wireless Network sec Secure Secure Wireless Network
road Roadwarriors Roadwarriors
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
</programlisting> </programlisting>
</blockquote> </blockquote>
@ -716,16 +675,22 @@ sec Secure Secure Wireless Network
loc fw ACCEPT loc fw ACCEPT
loc net NONE loc net NONE
loc sec ACCEPT loc sec ACCEPT
loc road ACCEPT
net fw ACCEPT net fw ACCEPT
net loc NONE net loc NONE
net sec ACCEPT net sec ACCEPT
sec fw ACCEPT sec fw ACCEPT
sec loc ACCEPT sec loc ACCEPT
sec net ACCEPT sec net ACCEPT
road sec ACCEPT
road loc ACCEPT
road net ACCEPT
road fw ACCEPT
fw loc ACCEPT fw loc ACCEPT
fw net ACCEPT fw net ACCEPT
fw sec ACCEPT fw sec ACCEPT
fw WiFi ACCEPT fw WiFi ACCEPT
fw Road ACCEPT
sec WiFi NONE sec WiFi NONE
WiFi sec NONE WiFi sec NONE
all all REJECT info all all REJECT info
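Review bot: `fw Road ACCEPT` in the new policy lines capitalises the zone name while the zone is defined as `road` in the zones hunk above, and every other new line in this hunk uses `road`; Shorewall matches zone names literally, so this line refers to a zone that does not exist and should either be changed to `fw road ACCEPT` or dropped. Also note that `road net ACCEPT` and `road loc ACCEPT` give OpenVPN clients the same full reach into the LAN and the Internet that the `sec` wireless zone has, which is reasonable for a personal gateway but deserves a one-line comment so the grant is visibly deliberate.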
@ -744,6 +709,7 @@ all all REJECT info
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS <programlisting>#ZONE INTERFACE BROADCAST OPTIONS
net eth0 192.168.1.255 dhcp,nobogons,blacklist net eth0 192.168.1.255 dhcp,nobogons,blacklist
WiFi eth1 192.168.3.255 nobogons,blacklist,maclist,routeback WiFi eth1 192.168.3.255 nobogons,blacklist,maclist,routeback
road tun0 -
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
</blockquote> </blockquote>
</section> </section>
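Review bot: the new `road tun0 -` interface line is narrower than the `road tun+ - routeback` entry removed from the firewall: `tun0` pins the zone to a single device (a second OpenVPN instance would come up on tun1 outside any zone), and `routeback` is dropped. The latter is fine because the server.conf added below uses `client-to-client`, which makes OpenVPN switch traffic between clients internally, but that also means `road`-to-`road` traffic never passes Shorewall and is not filtered or logged by it, which the document should state.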
@ -779,12 +745,26 @@ loc eth0:192.168.1.0/24
</blockquote> </blockquote>
</section> </section>
<section>
<title>tunnels</title>
<blockquote>
<programlisting># TYPE ZONE GATEWAY GATEWAY
# ZONE
ipsec:noah WiFi 192.168.3.8
openvpn:1194 net 0.0.0.0/0
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
</programlisting>
</blockquote>
</section>
<section> <section>
<title>rules</title> <title>rules</title>
<blockquote> <blockquote>
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL <programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# PORT PORT(S) DEST # PORT PORT(S) DEST
allowBcast WiFi fw
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
</blockquote> </blockquote>
</section> </section>
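Review bot: `allowBcast WiFi fw` is added to Ursa's rules without a comment and is unrelated to the OpenVPN move described in the commit; since `eth1` is `maclist`-filtered and the `WiFi`-to-`fw` policy is not shown here, say what the broadcasts are for (DHCP, for instance) so the rule is not later mistaken for part of the roadwarrior change. The new tunnels entry `openvpn:1194 net 0.0.0.0/0` is the right form for an OpenVPN server that must accept connections from any `net` host.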
@ -794,7 +774,7 @@ loc eth0:192.168.1.0/24
<blockquote> <blockquote>
<programlisting>#INTERFACE HOST(S) OPTIONS <programlisting>#INTERFACE HOST(S) OPTIONS
eth0 0.0.0.0/0 eth1 0.0.0.0/0
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
</blockquote> </blockquote>
</section> </section>
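Review bot: the `eth0 0.0.0.0/0` to `eth1 0.0.0.0/0` change sits in a file whose columns are `INTERFACE HOST(S) OPTIONS`, which matches the routestopped layout; if that is what it is, the effect is that while Shorewall is stopped any host on `eth1` (the wireless interface, which is `maclist`-filtered only while the firewall is running) can reach Ursa, and hosts on `eth0` no longer can. That changes the stopped-state exposure and deserves a sentence explaining why; a HOST(S) value narrower than `0.0.0.0/0`, such as the 192.168.3.0/24 wireless subnet shown in the interfaces hunk, would limit it.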
@ -868,6 +848,46 @@ sainfo address 0.0.0.0/0 any address 192.168.3.8/32 any
}</programlisting> }</programlisting>
</blockquote> </blockquote>
</section> </section>
<section>
<title>/etc/openvpn/server.conf</title>
<para>This is my OpenVPN server configuration file:</para>
<blockquote>
<programlisting>dev tun
server 192.168.2.0 255.255.255.0
dh dh1024.pem
ca /etc/certs/cacert.pem
crl-verify /etc/certs/crl.pem
cert /etc/certs/ursa.pem
key /etc/certs/ursa_key.pem
port 1194
comp-lzo
user nobody
group nogroup
ping 15
ping-restart 45
ping-timer-rem
persist-tun
persist-key
client-config-dir /etc/openvpn/clients
ccd-exclusive
client-to-client
verb 3</programlisting>
</blockquote>
</section>
</section> </section>
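Review bot: in the added server.conf, `dh dh1024.pem` is the only relative path while `ca`, `crl-verify`, `cert` and `key` are all absolute under `/etc/certs`; OpenVPN resolves a relative name against its working directory, so this depends on how the daemon is started, and an absolute path keeps the listing self-contained. The 1024-bit size implied by the file name is also below what is recommended for DH parameters today, so a larger group is worth generating when the file is next regenerated. The rest of the listing (`crl-verify`, `client-config-dir` with `ccd-exclusive`, `user nobody`/`group nogroup`, `persist-key`/`persist-tun`) is sound hardening and worth keeping as shown.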
<section> <section>
@ -878,6 +898,12 @@ sainfo address 0.0.0.0/0 any address 192.168.3.8/32 any
connected via our wireless network, it uses IPSEC tunnel mode for all connected via our wireless network, it uses IPSEC tunnel mode for all
access.</para> access.</para>
<note>
<para>Given that I use OpenVPN for remote access, it would be more
convenient to also use it for wireless access at home. I use IPSEC just
so that I always have a working IPSEC testbed.</para>
</note>
<para>Tipper's view of the world is shown in the following diagram:</para> <para>Tipper's view of the world is shown in the following diagram:</para>
<graphic align="center" fileref="images/network2.png" valign="middle" /> <graphic align="center" fileref="images/network2.png" valign="middle" />
@ -1081,7 +1107,7 @@ ACCEPT net fw tcp 4000:4100
<blockquote> <blockquote>
<programlisting>dev tun <programlisting>dev tun
remote gateway.shorewall.net remote ursa.shorewall.net
up /etc/openvpn/home.up up /etc/openvpn/home.up
tls-client tls-client

View File

@ -15,7 +15,7 @@
</author> </author>
</authorgroup> </authorgroup>
<pubdate>2005-01-01</pubdate> <pubdate>2005-01-07</pubdate>
<copyright> <copyright>
<year>2001-2005</year> <year>2001-2005</year>
@ -103,8 +103,9 @@
<title>Guides that Others have Written</title> <title>Guides that Others have Written</title>
<para>Andrew Allen has provided <ulink <para>Andrew Allen has provided <ulink
url="http://unofficial-support.com/node/view/46">this guide</ulink> for url="http://unofficial-support.com/article/how-to/shorewall">this
installing Shorewall on standalone webhosting servers.</para> guide</ulink> for installing Shorewall on standalone webhosting
servers.</para>
</section> </section>
</section> </section>
</article> </article>