Shorewall 2.2.0 RC4
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1892 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent
72c8afc829
commit
b32231581c
@ -15,7 +15,7 @@
|
|||||||
</author>
|
</author>
|
||||||
</authorgroup>
|
</authorgroup>
|
||||||
|
|
||||||
<pubdate>2005-01-03</pubdate>
|
<pubdate>2005-01-06</pubdate>
|
||||||
|
|
||||||
<copyright>
|
<copyright>
|
||||||
<year>2001-2005</year>
|
<year>2001-2005</year>
|
||||||
@ -152,9 +152,12 @@
|
|||||||
206.124.146.177 through eth1 when that interface is brought up.</para>
|
206.124.146.177 through eth1 when that interface is brought up.</para>
|
||||||
|
|
||||||
<para>Tarry (192.168.1.4) runs a PPTP server for Road Warrior access from
|
<para>Tarry (192.168.1.4) runs a PPTP server for Road Warrior access from
|
||||||
my work laptop and the Firewall is configured with OpenVPN for VPN access
|
my work laptop and Ursa (206.124.146.178/192.168.1.5) is configured with
|
||||||
from our second home in <ulink url="http://www.omakchamber.com/">Omak,
|
OpenVPN for VPN access from our second home in <ulink
|
||||||
Washington</ulink> or when we are otherwise out of town.</para>
|
url="http://www.omakchamber.com/">Omak, Washington</ulink> or when we are
|
||||||
|
otherwise out of town. I have a new work laptop that is not yet in
|
||||||
|
service; when it is, I will install OpenVPN on it as well and use OpenVPN
|
||||||
|
exclusively for remote access.</para>
|
||||||
|
|
||||||
<para><graphic align="center" fileref="images/network.png" /></para>
|
<para><graphic align="center" fileref="images/network.png" /></para>
|
||||||
</section>
|
</section>
|
||||||
@ -216,7 +219,7 @@ TCP_FLAGS_DISPOSITION=DROP</programlisting>
|
|||||||
<para><programlisting>MIRRORS=<list of shorewall mirror ip addresses>
|
<para><programlisting>MIRRORS=<list of shorewall mirror ip addresses>
|
||||||
NTPSERVERS=<list of the NTP servers I sync with>
|
NTPSERVERS=<list of the NTP servers I sync with>
|
||||||
TEXAS=<ip address of gateway in Plano>
|
TEXAS=<ip address of gateway in Plano>
|
||||||
LOG=ULOGD
|
LOG=ULOG
|
||||||
EXT_IF=eth1
|
EXT_IF=eth1
|
||||||
INT_IF=eth2
|
INT_IF=eth2
|
||||||
DMZ_IF=eth0</programlisting></para>
|
DMZ_IF=eth0</programlisting></para>
|
||||||
@ -231,7 +234,6 @@ DMZ_IF=eth0</programlisting></para>
|
|||||||
net Internet Internet
|
net Internet Internet
|
||||||
dmz DMZ Demilitarized zone
|
dmz DMZ Demilitarized zone
|
||||||
loc Local Local networks
|
loc Local Local networks
|
||||||
road Roadwarrior Our Laptop on the Road
|
|
||||||
tx Texas Peer Network in Dallas
|
tx Texas Peer Network in Dallas
|
||||||
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
|
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
|
||||||
</programlisting>
|
</programlisting>
|
||||||
@ -250,7 +252,6 @@ net $EXT_IF 206.124.146.255 dhcp,norfc1918,routefilter,logmartians,blackli
|
|||||||
loc $INT_IF detect dhcp
|
loc $INT_IF detect dhcp
|
||||||
dmz $DMZ_IF -
|
dmz $DMZ_IF -
|
||||||
- texas -
|
- texas -
|
||||||
road tun+ - routeback
|
|
||||||
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
|
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
|
||||||
</blockquote>
|
</blockquote>
|
||||||
</section>
|
</section>
|
||||||
@ -316,9 +317,6 @@ $INT_IF -
|
|||||||
<programlisting>#SOURCE DESTINATION POLICY LOG LEVEL BURST:LIMIT
|
<programlisting>#SOURCE DESTINATION POLICY LOG LEVEL BURST:LIMIT
|
||||||
fw fw ACCEPT
|
fw fw ACCEPT
|
||||||
loc net ACCEPT
|
loc net ACCEPT
|
||||||
fw road ACCEPT
|
|
||||||
road loc ACCEPT
|
|
||||||
loc road ACCEPT
|
|
||||||
$FW loc ACCEPT
|
$FW loc ACCEPT
|
||||||
$FW tx ACCEPT
|
$FW tx ACCEPT
|
||||||
loc tx ACCEPT
|
loc tx ACCEPT
|
||||||
@ -384,7 +382,6 @@ $EXT_IF:: eth2 206.124.146.176
|
|||||||
<blockquote>
|
<blockquote>
|
||||||
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE PORT
|
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE PORT
|
||||||
gre net $TEXAS
|
gre net $TEXAS
|
||||||
openvpn:1194 net 0.0.0.0/0
|
|
||||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
||||||
</blockquote>
|
</blockquote>
|
||||||
</section>
|
</section>
|
||||||
@ -504,7 +501,7 @@ AllowPing net dmz
|
|||||||
#
|
#
|
||||||
# Net to Local
|
# Net to Local
|
||||||
#
|
#
|
||||||
# When I'm "on the road", the following two rules allow me VPN access back home.
|
# When I'm "on the road", the following two rules allow me VPN access back home via PPTP.
|
||||||
#
|
#
|
||||||
DNAT net loc:192.168.1.4 tcp 1723 -
|
DNAT net loc:192.168.1.4 tcp 1723 -
|
||||||
DNAT net:!$TEXAS loc:192.168.1.4 gre -
|
DNAT net:!$TEXAS loc:192.168.1.4 gre -
|
||||||
@ -581,46 +578,6 @@ ACCEPT tx loc:192.168.1.5 all
|
|||||||
</blockquote>
|
</blockquote>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section>
|
|
||||||
<title>/etc/openvpn/server.conf</title>
|
|
||||||
|
|
||||||
<para>This is my OpenVPN server configuration file:</para>
|
|
||||||
|
|
||||||
<blockquote>
|
|
||||||
<programlisting>ddev tun
|
|
||||||
|
|
||||||
server 192.168.2.0 255.255.255.0
|
|
||||||
|
|
||||||
dh dh1024.pem
|
|
||||||
|
|
||||||
ca /etc/certs/cacert.pem
|
|
||||||
|
|
||||||
crl-verify /etc/certs/crl.pem
|
|
||||||
|
|
||||||
cert /etc/certs/gateway.pem
|
|
||||||
key /etc/certs/gateway_key.pem
|
|
||||||
|
|
||||||
port 1194
|
|
||||||
|
|
||||||
comp-lzo
|
|
||||||
|
|
||||||
user nobody
|
|
||||||
group nogroup
|
|
||||||
|
|
||||||
ping 15
|
|
||||||
ping-restart 45
|
|
||||||
ping-timer-rem
|
|
||||||
persist-tun
|
|
||||||
persist-key
|
|
||||||
|
|
||||||
client-config-dir /etc/openvpn/clients
|
|
||||||
ccd-exclusive
|
|
||||||
client-to-client
|
|
||||||
|
|
||||||
verb 3</programlisting>
|
|
||||||
</blockquote>
|
|
||||||
</section>
|
|
||||||
|
|
||||||
<section id="debian_interfaces">
|
<section id="debian_interfaces">
|
||||||
<title>/etc/network/interfaces</title>
|
<title>/etc/network/interfaces</title>
|
||||||
|
|
||||||
@ -680,11 +637,12 @@ syslogsync 1</programlisting>
|
|||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section>
|
<section>
|
||||||
<title>Wireless IPSEC Gateway (Ursa) Configuration</title>
|
<title>Wireless IPSEC/OpenVPN Gateway (Ursa) Configuration</title>
|
||||||
|
|
||||||
<para>As mentioned above, Ursa acts as an IPSEC gateway for the wireless
|
<para>As mentioned above, Ursa acts as an IPSEC gateway for the wireless
|
||||||
network. It's view of the network is diagrammed in the following
|
network and as an OpenVPN gateway for roadwarrior access from Tipper and
|
||||||
figure.</para>
|
my new work laptop. It's view of the network is diagrammed in the
|
||||||
|
following figure.</para>
|
||||||
|
|
||||||
<graphic align="center" fileref="images/network1.png" valign="middle" />
|
<graphic align="center" fileref="images/network1.png" valign="middle" />
|
||||||
|
|
||||||
@ -703,6 +661,7 @@ loc Local Local networks
|
|||||||
net Internet The Big Bad Internet
|
net Internet The Big Bad Internet
|
||||||
WiFi Wireless Wireless Network
|
WiFi Wireless Wireless Network
|
||||||
sec Secure Secure Wireless Network
|
sec Secure Secure Wireless Network
|
||||||
|
road Roadwarriors Roadwarriors
|
||||||
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
|
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
|
||||||
</programlisting>
|
</programlisting>
|
||||||
</blockquote>
|
</blockquote>
|
||||||
@ -716,16 +675,22 @@ sec Secure Secure Wireless Network
|
|||||||
loc fw ACCEPT
|
loc fw ACCEPT
|
||||||
loc net NONE
|
loc net NONE
|
||||||
loc sec ACCEPT
|
loc sec ACCEPT
|
||||||
|
loc road ACCEPT
|
||||||
net fw ACCEPT
|
net fw ACCEPT
|
||||||
net loc NONE
|
net loc NONE
|
||||||
net sec ACCEPT
|
net sec ACCEPT
|
||||||
sec fw ACCEPT
|
sec fw ACCEPT
|
||||||
sec loc ACCEPT
|
sec loc ACCEPT
|
||||||
sec net ACCEPT
|
sec net ACCEPT
|
||||||
|
road sec ACCEPT
|
||||||
|
road loc ACCEPT
|
||||||
|
road net ACCEPT
|
||||||
|
road fw ACCEPT
|
||||||
fw loc ACCEPT
|
fw loc ACCEPT
|
||||||
fw net ACCEPT
|
fw net ACCEPT
|
||||||
fw sec ACCEPT
|
fw sec ACCEPT
|
||||||
fw WiFi ACCEPT
|
fw WiFi ACCEPT
|
||||||
|
fw Road ACCEPT
|
||||||
sec WiFi NONE
|
sec WiFi NONE
|
||||||
WiFi sec NONE
|
WiFi sec NONE
|
||||||
all all REJECT info
|
all all REJECT info
|
||||||
@ -744,6 +709,7 @@ all all REJECT info
|
|||||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||||
net eth0 192.168.1.255 dhcp,nobogons,blacklist
|
net eth0 192.168.1.255 dhcp,nobogons,blacklist
|
||||||
WiFi eth1 192.168.3.255 nobogons,blacklist,maclist,routeback
|
WiFi eth1 192.168.3.255 nobogons,blacklist,maclist,routeback
|
||||||
|
road tun0 -
|
||||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
||||||
</blockquote>
|
</blockquote>
|
||||||
</section>
|
</section>
|
||||||
@ -779,12 +745,26 @@ loc eth0:192.168.1.0/24
|
|||||||
</blockquote>
|
</blockquote>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
|
<section>
|
||||||
|
<title>tunnels</title>
|
||||||
|
|
||||||
|
<blockquote>
|
||||||
|
<programlisting># TYPE ZONE GATEWAY GATEWAY
|
||||||
|
# ZONE
|
||||||
|
ipsec:noah WiFi 192.168.3.8
|
||||||
|
openvpn:1194 net 0.0.0.0/0
|
||||||
|
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||||
|
</programlisting>
|
||||||
|
</blockquote>
|
||||||
|
</section>
|
||||||
|
|
||||||
<section>
|
<section>
|
||||||
<title>rules</title>
|
<title>rules</title>
|
||||||
|
|
||||||
<blockquote>
|
<blockquote>
|
||||||
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
|
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
|
||||||
# PORT PORT(S) DEST
|
# PORT PORT(S) DEST
|
||||||
|
allowBcast WiFi fw
|
||||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
||||||
</blockquote>
|
</blockquote>
|
||||||
</section>
|
</section>
|
||||||
@ -794,7 +774,7 @@ loc eth0:192.168.1.0/24
|
|||||||
|
|
||||||
<blockquote>
|
<blockquote>
|
||||||
<programlisting>#INTERFACE HOST(S) OPTIONS
|
<programlisting>#INTERFACE HOST(S) OPTIONS
|
||||||
eth0 0.0.0.0/0
|
eth1 0.0.0.0/0
|
||||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
||||||
</blockquote>
|
</blockquote>
|
||||||
</section>
|
</section>
|
||||||
@ -868,6 +848,46 @@ sainfo address 0.0.0.0/0 any address 192.168.3.8/32 any
|
|||||||
}</programlisting>
|
}</programlisting>
|
||||||
</blockquote>
|
</blockquote>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
|
<section>
|
||||||
|
<title>/etc/openvpn/server.conf</title>
|
||||||
|
|
||||||
|
<para>This is my OpenVPN server configuration file:</para>
|
||||||
|
|
||||||
|
<blockquote>
|
||||||
|
<programlisting>dev tun
|
||||||
|
|
||||||
|
server 192.168.2.0 255.255.255.0
|
||||||
|
|
||||||
|
dh dh1024.pem
|
||||||
|
|
||||||
|
ca /etc/certs/cacert.pem
|
||||||
|
|
||||||
|
crl-verify /etc/certs/crl.pem
|
||||||
|
|
||||||
|
cert /etc/certs/ursa.pem
|
||||||
|
key /etc/certs/ursa_key.pem
|
||||||
|
|
||||||
|
port 1194
|
||||||
|
|
||||||
|
comp-lzo
|
||||||
|
|
||||||
|
user nobody
|
||||||
|
group nogroup
|
||||||
|
|
||||||
|
ping 15
|
||||||
|
ping-restart 45
|
||||||
|
ping-timer-rem
|
||||||
|
persist-tun
|
||||||
|
persist-key
|
||||||
|
|
||||||
|
client-config-dir /etc/openvpn/clients
|
||||||
|
ccd-exclusive
|
||||||
|
client-to-client
|
||||||
|
|
||||||
|
verb 3</programlisting>
|
||||||
|
</blockquote>
|
||||||
|
</section>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section>
|
<section>
|
||||||
@ -878,6 +898,12 @@ sainfo address 0.0.0.0/0 any address 192.168.3.8/32 any
|
|||||||
connected via our wireless network, it uses IPSEC tunnel mode for all
|
connected via our wireless network, it uses IPSEC tunnel mode for all
|
||||||
access.</para>
|
access.</para>
|
||||||
|
|
||||||
|
<note>
|
||||||
|
<para>Given that I use OpenVPN for remote access, it would be more
|
||||||
|
convenient to also use it for wireless access at home. I use IPSEC just
|
||||||
|
so that I always have a working IPSEC testbed.</para>
|
||||||
|
</note>
|
||||||
|
|
||||||
<para>Tipper's view of the world is shown in the following diagram:</para>
|
<para>Tipper's view of the world is shown in the following diagram:</para>
|
||||||
|
|
||||||
<graphic align="center" fileref="images/network2.png" valign="middle" />
|
<graphic align="center" fileref="images/network2.png" valign="middle" />
|
||||||
@ -1081,7 +1107,7 @@ ACCEPT net fw tcp 4000:4100
|
|||||||
|
|
||||||
<blockquote>
|
<blockquote>
|
||||||
<programlisting>dev tun
|
<programlisting>dev tun
|
||||||
remote gateway.shorewall.net
|
remote ursa.shorewall.net
|
||||||
up /etc/openvpn/home.up
|
up /etc/openvpn/home.up
|
||||||
|
|
||||||
tls-client
|
tls-client
|
||||||
|
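Review bot: In Ursa's policy listing the added line `fw Road ACCEPT` names a zone `Road` that is never declared — the zones hunk for the same host adds it as `road Roadwarriors Roadwarriors`, and this configuration already relies on case-distinct zone names (`WiFi` next to `loc`, `sec`), so Shorewall should reject the undefined zone at start time rather than silently apply the policy; the line should read `fw road ACCEPT`. The rest of the new `road` block (`road sec`, `road loc`, `road net`, `road fw`, all ACCEPT) gives any client presenting a CA-signed, non-revoked certificate unrestricted access to the secure wireless network, the LAN and Internet egress through Ursa; that matches the stated intent of two personal laptops, but an `info` log level on at least `road net ACCEPT info` would make misuse of a lost laptop's key visible in ulogd. The gateway-side hunks remove `openvpn:1194 net 0.0.0.0/0` from the gateway's tunnels file and add it on Ursa, yet none of the visible gateway rules hunks forwards UDP 1194 to 206.124.146.178; presumably that traffic reaches Ursa through the existing proxy-ARP arrangement, which is worth stating explicitly next to the PPTP DNAT rules so readers do not copy an incomplete setup.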
@ -15,7 +15,7 @@
|
|||||||
</author>
|
</author>
|
||||||
</authorgroup>
|
</authorgroup>
|
||||||
|
|
||||||
<pubdate>2005-01-01</pubdate>
|
<pubdate>2005-01-07</pubdate>
|
||||||
|
|
||||||
<copyright>
|
<copyright>
|
||||||
<year>2001-2005</year>
|
<year>2001-2005</year>
|
||||||
@ -103,8 +103,9 @@
|
|||||||
<title>Guides that Others have Written</title>
|
<title>Guides that Others have Written</title>
|
||||||
|
|
||||||
<para>Andrew Allen has provided <ulink
|
<para>Andrew Allen has provided <ulink
|
||||||
url="http://unofficial-support.com/node/view/46">this guide</ulink> for
|
url="http://unofficial-support.com/article/how-to/shorewall">this
|
||||||
installing Shorewall on standalone webhosting servers.</para>
|
guide</ulink> for installing Shorewall on standalone webhosting
|
||||||
|
servers.</para>
|
||||||
</section>
|
</section>
|
||||||
</section>
|
</section>
|
||||||
</article>
|
</article>
|