<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<article>
  <!--$Id$-->

  <articleinfo>
    <title>My Network Configuration</title>

    <authorgroup>
      <author>
        <firstname>Tom</firstname>

        <surname>Eastep</surname>
      </author>
    </authorgroup>

    <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>

    <copyright>
      <year>2009</year>

      <holder>Thomas M. Eastep</holder>
    </copyright>

    <legalnotice>
      <para>Permission is granted to copy, distribute and/or modify this
      document under the terms of the GNU Free Documentation License, Version
      1.2 or any later version published by the Free Software Foundation; with
      no Invariant Sections, with no Front-Cover, and with no Back-Cover
      Texts. A copy of the license is included in the section entitled
      <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
      License</ulink></quote>.</para>
    </legalnotice>
  </articleinfo>

  <caution>
    <para>The ruleset shown in this article uses Shorewall features that are
    not available in Shorewall versions prior to 4.4.0.</para>
  </caution>

  <section>
    <title>Introduction</title>

    <para>The configuration described in this article represents the network
    at shorewall.net during the summer of 2009. It uses the following
    Shorewall features:</para>

    <itemizedlist>
      <listitem>
        <para><ulink url="MultiISP.html">Two Internet
        Interfaces</ulink></para>
      </listitem>

      <listitem>
        <para>A DMZ with two "systems" using <ulink url="ProxyARP.htm">Proxy
        ARP</ulink> and running in <ulink url="OpenVZ.html">OpenVZ Virtual
        Environments</ulink></para>
      </listitem>

      <listitem>
        <para><ulink url="6to4.htm">IPv6 Access through a 6to4
        Tunnel</ulink></para>
      </listitem>

      <listitem>
        <para><ulink url="OPENVPN.html">OpenVPN</ulink> and <ulink
        url="IPSEC-2.6.html">IPSEC</ulink> for access when we are on the
        road.</para>
      </listitem>

      <listitem>
        <para><ulink url="ipsets.html">Ipsets</ulink></para>
      </listitem>

      <listitem>
        <para><ulink url="Dynamic.html">Dynamic Zones</ulink></para>
      </listitem>

      <listitem>
        <para><ulink url="Shorewall_Squid_Usage.html">Transparent proxy using
        Squid</ulink></para>
      </listitem>

      <listitem>
        <para><ulink url="ManualChains.html">Manual Chains</ulink></para>
      </listitem>

      <listitem>
        <para><ulink url="traffic_shaping.htm">Traffic Shaping</ulink></para>
      </listitem>
    </itemizedlist>

    <para>Linux runs the firewall and the servers (although they run in OpenVZ
    containers on the firewall system). Linux is not used natively on any of
    our other systems except for an <ulink url="http://www.hpmini.com">HP mini
    which runs HP Mobile Internet Experience (MIE)</ulink> -- essentially
    Ubuntu Hardy. I rather run Windows natively (either Vista Home Premium or
    XP Professional) and run Linux in VMs under <ulink
    url="http://www.sun.com/software/products/virtualbox/">VirtualBox</ulink>.
    This approach has a number of advantages:</para>

    <orderedlist>
      <listitem>
        <para>Efficient disk utilization.</para>

        <para>The virtual disks used by Linux are just files in the NTFS file
        system. There is no need to pre-allocate one or more partitions for
        use by Linux. Some large applications, like Google Earth, are
        installed only on Windows.</para>
      </listitem>

      <listitem>
        <para>Avoids proprietary hardware issues.</para>

        <para>The Linux VMs emulate standard hardware that is well-supported
        by Linux.</para>
      </listitem>

      <listitem>
        <para>Avoids DRM hassles</para>

        <para>All DRM-protected media can be handled under Windows.</para>
      </listitem>

      <listitem>
        <para>Websites that don't work with Firefox (or at least with Linux
        Firefox)</para>
      </listitem>
    </orderedlist>

    <para>VirtualBox is fast (when your processor supports virtualization
    extensions) and very easy to use. I highly recommend it!</para>
  </section>

  <section>
    <title>Network Topology</title>

    <para>Our network is diagrammed in the following graphic.</para>

    <graphic fileref="images/Network2009d.png" />

    <para>We have accounts with two different ISPs:</para>

    <orderedlist>
      <listitem>
        <para>Comcast</para>

        <para>This is a high-speed (20mb/4mb) link with a single dynamic IPv4
        address. We are not allowed to run servers accessible through this
        account.</para>
      </listitem>

      <listitem>
        <para>Avvanta</para>

        <para>This is a low-speec (1.5mb/384kbit) link with five static IP
        address. Our servers are accessed through this account.</para>
      </listitem>
    </orderedlist>

    <para>The wired local network is restricted to my home office. The
    wireless network is managed by a Linksys WRT300N pre-N router which we use
    only as an access point -- its WAN interface is unused and it is
    configured to not do NAT. The wireless network uses WPA2 personal security
    and MAC filtering is enabled in the router. These two factors make it a
    hassle when guests visit with a laptop but provide good security for the
    network.</para>
  </section>

  <section>
    <title>Shorewall Configuration</title>

    <para>This section contains exerpts from the Shorewall
    configuration.</para>

    <para>It is important to keep in mind that parts of my configuration are
    there just to provide a test bed for Shorewall features. So while they
    show correct usage, they don't necessarily provide any useful benefit. I
    have tried to point those out in the sub-sections that follow.</para>

    <section id="params">
      <title>/etc/shorewall/params</title>

      <para><programlisting>MIRRORS=62.216.169.37,\
63.229.2.114,\
...
NTPSERVERS=...

POPSERVERS=...

LOG=ULOG

INT_IF=eth1
EXT_IF=eth2
COM_IF=eth0
VPS_IF=venet0</programlisting>As shown, this file defines variables to hold
      the various lists of IP addresses that I need to maintain. To simplify
      network reconfiguration, I also use variables to define the log level
      and the network interfaces.</para>
    </section>

    <section id="conf">
      <title>/etc/shorewall/shorewall.conf</title>

      <para><programlisting>###############################################################################
#                      S T A R T U P   E N A B L E D
###############################################################################
STARTUP_ENABLED=Yes
###############################################################################
#                             V E R B O S I T Y
###############################################################################
VERBOSITY=0
###############################################################################
#                              C O M P I L E R
#      (setting this to 'perl' requires installation of Shorewall-perl)
###############################################################################
SHOREWALL_COMPILER=perl
###############################################################################
#                              L O G G I N G
###############################################################################
LOGFILE=/var/log/ulog/syslogemu.log
STARTUP_LOG=/var/log/shorewall-init.log
LOG_VERBOSITY=2
LOGFORMAT="%s:%s:"
LOGTAGONLY=No
LOGRATE=
LOGBURST=
LOGALLNEW=
BLACKLIST_LOGLEVEL=
MACLIST_LOG_LEVEL=
TCP_FLAGS_LOG_LEVEL=$LOG
SMURF_LOG_LEVEL=$LOG
LOG_MARTIANS=No
###############################################################################
#       L O C A T I O N   O F   F I L E S   A N D   D I R E C T O R I E S
###############################################################################
IPTABLES=
IPSET=
PATH=/usr/local/sbin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin
SHOREWALL_SHELL=/bin/sh
SUBSYSLOCK=
MODULESDIR=
CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
RESTOREFILE=
IPSECFILE=zones
LOCKFILE=
###############################################################################
#               D E F A U L T   A C T I O N S / M A C R O S
###############################################################################
DROP_DEFAULT="Drop"
REJECT_DEFAULT="Reject"
ACCEPT_DEFAULT="none"
QUEUE_DEFAULT="none"
###############################################################################
#                        R S H / R C P  C O M M A N D S
###############################################################################
RSH_COMMAND='ssh ${root}@${system} ${command}'
RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
###############################################################################
#                       F I R E W A L L   O P T I O N S
###############################################################################
IP_FORWARDING=Yes
ADD_IP_ALIASES=No
ADD_SNAT_ALIASES=No
RETAIN_ALIASES=No
TC_ENABLED=Internal
TC_EXPERT=No
CLEAR_TC=Yes
MARK_IN_FORWARD_CHAIN=Yes
CLAMPMSS=Yes
ROUTE_FILTER=No
DETECT_DNAT_IPADDRS=Yes
MUTEX_TIMEOUT=60
ADMINISABSENTMINDED=Yes
BLACKLISTNEWONLY=Yes
DELAYBLACKLISTLOAD=No
MODULE_SUFFIX=ko
DONT_LOAD=
DISABLE_IPV6=No
BRIDGING=No
DYNAMIC_ZONES=No
PKTTYPE=No
MACLIST_TABLE=mangle
MACLIST_TTL=60
SAVE_IPSETS=No
MAPOLDACTIONS=No
FASTACCEPT=No
IMPLICIT_CONTINUE=Yes
HIGH_ROUTE_MARKS=Yes
USE_ACTIONS=Yes
OPTIMIZE=1
EXPORTPARAMS=Yes
EXPAND_POLICIES=Yes
KEEP_RT_TABLES=No
DELETE_THEN_ADD=No
MULTICAST=Yes
AUTO_COMMENT=Yes
MANGLE_ENABLED=Yes
NULL_ROUTE_RFC1918=Yes
USE_DEFAULT_RT=No
RESTORE_DEFAULT_ROUTE=No
FAST_STOP=Yes
AUTOMAKE=No
LOG_MARTIANS=Yes
WIDE_TC_MARKS=Yes
###############################################################################
#                       P A C K E T   D I S P O S I T I O N
###############################################################################
BLACKLIST_DISPOSITION=DROP
MACLIST_DISPOSITION=ACCEPT
TCP_FLAGS_DISPOSITION=DROP
</programlisting>I don't believe that there is anything remarkable
      there</para>
    </section>

    <section>
      <title>/etc/shorewall/actions</title>

      <para><programlisting>#ACTION
Mirrors	   	    # Accept traffic from Shorewall Mirrors
</programlisting>I make this into an action so the rather long list of rules
      go into their own chain.</para>
    </section>

    <section>
      <title>/etc/shorewall/action.Mirrors</title>

      <para><programlisting>#TARGET SOURCE		DEST      	PROTO	DEST    SOURCE	   ORIGINAL	RATE
#                       	        	PORT    PORT(S)    DEST		LIMIT
COMMENT Accept traffic from Mirrors
ACCEPT	$MIRRORS
</programlisting>See the <link linkend="rules">rules</link> file -- this
      action is used for rsync traffic.</para>
    </section>

    <section id="zones">
      <title>/etc/shorewall/zones</title>

      <para><programlisting>fw              firewall
loc             ipv4            #Local Zone
dmz             ipv4            #DMZ
net             ipv4            #Internet
vpn:loc,net     ipsec           #IPSEC
drct:loc        ipv4            #Direct internet access</programlisting>The
      <emphasis role="bold">vpn</emphasis> zone is mostly for testing
      Shorewall IPSEC support. It is nested in <emphasis
      role="bold">loc</emphasis> and <emphasis role="bold">net</emphasis> to
      test a feature added in Shorewall 4.4.0. The <emphasis
      role="bold">drct</emphasis> zone is a dynamic zone whose members bypass
      the transparent proxy. Some applications (such as VirtualBox
      registration) don't work through the proxy.</para>
    </section>

    <section id="interfaces">
      <title>/etc/shorewall/interfaces</title>

      <para><programlisting>#ZONE  INTERFACE  BROADCAST OPTIONS
loc    $INT_IF    detect    dhcp,logmartians=1,routefilter=1,tcpflags
dmz    $VPS_IF    detect    logmartians=1,routefilter=0,routeback
net    $EXT_IF    detect    dhcp,blacklist,tcpflags,optional,routefilter=0,nosmurfs,logmartians=0,proxyarp=1
net    $COM_IF    detect    dhcp,blacklist,tcpflags,optional,upnp,routefilter=0,nosmurfs,logmartians=0
loc    tun+       detect</programlisting>Notice that VPN clients are treated
      the same as local hosts.</para>

      <para>I set the <emphasis role="bold">proxyarp</emphasis> option on
      $EXT_IF so that</para>

      <orderedlist numeration="loweralpha">
        <listitem>
          <para>The firewall will respond to ARP who-has requests for the
          servers in the DMZ.</para>
        </listitem>

        <listitem>
          <para>To keep OpenVZ happy (it issues dire warnings if the option is
          not set on the associated external interface).</para>
        </listitem>
      </orderedlist>
    </section>

    <section id="hosts">
      <title>/etc/shorewall/hosts</title>

      <para><programlisting>#ZONE   HOST(S)                                 OPTIONS
vpn     $EXT_IF:0.0.0.0/0
vpn     $COM_IF:0.0.0.0/0
vpn     $INT_IF:0.0.0.0/0
drct    $INT_IF:dynamic</programlisting>The <emphasis
      role="bold">vpn</emphasis> zone includes ipsec hosts interfacing from
      either external interface as well as the local interface. <emphasis
      role="bold">drct</emphasis> is defined as dynamic through the local
      interface (recall that it is a sub-zone of <emphasis
      role="bold">loc</emphasis>).</para>
    </section>

    <section id="policy">
      <title>/etc/shorewall/policy</title>

      <para><programlisting>#SOURCE         DEST            POLICY          LOG             LIMIT:BURST
#                                               LEVEL
$FW             dmz             REJECT          $LOG
$FW             all             ACCEPT
loc             net             ACCEPT          -
loc             fw              ACCEPT
loc             vpn             ACCEPT
vpn             fw              ACCEPT
vpn             loc             ACCEPT
net             net             NONE
net             all             DROP            $LOG            8/sec:30
dmz             fw              REJECT          $LOG
all             fw              DROP            $LOG
all             all             REJECT          $LOG</programlisting>I'm a bit
      sloppy with my fw&lt;-&gt;loc policies -- I should fix that
      someday...</para>
    </section>

    <section id="accounting">
      <title>/etc/shorewall/accounting</title>

      <para><programlisting>#ACTION         CHAIN           SOURCE                          DESTINATION                     PROTO   DEST            SOURCE  USER/
#                                                                                                       PORT(S)         PORT(S) GROUP
hp:COUNT        accounting      $COM_IF                         $INT_IF:172.20.1.107            UDP
hp:COUNT        accounting      $INT_IF:172.20.1.107            $COM_IF                         UDP
DONE            hp

mail:COUNT      -               $EXT_IF                         $VPS_IF:206.124.146.0/24        tcp     25
mail:COUNT      -               $VPS_IF:206.124.146.0/24        $EXT_IF                         tcp     25
DONE            mail

web             -               $EXT_IF                         $VPS_IF:206.124.146.0/24        tcp     80
web             -               $EXT_IF                         $VPS_IF:206.124.146.0/24        tcp     443
web             -               $VPS_IF:206.124.146.0/24        $EXT_IF                         tcp     -               80
web             -               $VPS_IF:206.124.146.0/24        $EXT_IF                         tcp     -               443

COUNT           web             $EXT_IF                         $VPS_IF:206.124.146.0/24
COUNT           web             $VPS_IF:206.124.146.0/24        $EXT_IF
</programlisting>The accounting chains are as follows:</para>

      <orderedlist>
        <listitem>
          <para>hp</para>

          <para>Counts traffic to/from my work laptop to HP. The VPN users
          NAT-Traversal (UDP 4500) so I just count all UDP traffic to/from my
          work system.</para>
        </listitem>

        <listitem>
          <para>mail</para>

          <para>Incoming and outgoing email</para>
        </listitem>

        <listitem>
          <para>web</para>

          <para>Website traffic (both HTTP and HTTPS)</para>
        </listitem>
      </orderedlist>
    </section>

    <section id="blacklist">
      <title>/etc/shorewall/blacklist</title>

      <para><programlisting>#ADDRESS/SUBNET         PROTOCOL        PORT
-                       udp             1024:1033,1434
-                       tcp             57,1433,1434,2401,2745,3127,3306,3410,4899,5554,6101,8081,9898</programlisting>This
      configuration silently drops a few ports that get lots of
      traffic.</para>
    </section>

    <section id="compile">
      <title>/etc/shorewall/compile</title>

      <para><programlisting>use strict;
use Shorewall::Chains;

my $chainref = ensure_manual_chain qw/DNS_DDoS/;

add_rule $chainref, q(-m string --algo bm --from 30 --to 31 --hex-string "|010000010000000000000000020001|" -j DROP);
add_rule $chainref, q(-m string --algo bm --from 30 --to 31 --hex-string "|000000010000000000000000020001|" -j DROP);
add_rule $chainref, q(-j ACCEPT);

1;</programlisting>The above was created during a recent DDOS incident that
      targeted DNS servers. It illustrates how manual chains can be
      created.</para>
    </section>

    <section id="findgw">
      <title>/etc/shorewall/findgw</title>

      <para><programlisting>if [ -f /var/lib/dhcp3/dhclient.${1}.leases ]; then
    grep 'option routers' /var/lib/dhcp3/dhclient.${1}.leases | tail -n 1 | while read j1 j2 gateway; do echo $gateway | sed 's/;//'; return 0; done
fi</programlisting>The Comcast line has a dynamic IP address assigned with the
      help of dhclient.</para>
    </section>

    <section id="isusable">
      <title>/etc/shorewall/isusable</title>

      <para><programlisting>local status
status=0

[ -f /etc/shorewall/${1}.status ] &amp;&amp; status=$(cat /etc/shorewall/${1}.status)

return $status</programlisting>For use with <ulink
      url="MultiISP.html#lsm">lsm</ulink>.</para>
    </section>

    <section id="libprivate">
      <title>/etc/shorewall/lib.private</title>

      <para><programlisting>start_lsm() {
   killall lsm 2&gt; /dev/null
   cat &lt;&lt;EOF &gt; /etc/lsm/shorewall.conf
connection {
   name=Avvanta
   checkip=206.124.146.254
   device=$EXT_IF
   ttl=2
}

connection {
   name=Comcast
   checkip=${ETH0_GATEWAY:-71.231.152.1}
   device=$COM_IF
   ttl=1
}
EOF
   rm -f /etc/shorewall/*.status
   /usr/sbin/lsm /etc/lsm/lsm.conf &gt;&gt; /var/log/lsm
}
</programlisting>This function configures and starts <ulink
      url="MultiISP.html#lsm">lsm</ulink>.</para>
    </section>

    <section id="masq">
      <title>/etc/shorewall/masq</title>

      <para><programlisting>#INTERFACE SOURCE            ADDRESS

COMMENT Masquerade Local Network
$COM_IF    0.0.0.0/0
$EXT_IF    !206.124.146.0/24 206.124.146.179
</programlisting>All connections out through Comcast must have the dynamically
      assigned address as their source address. Traffic from hosts without an
      Avvanta public IP address get 206.124.146.179 as their source
      address.</para>
    </section>

    <section>
      <title>/etc/shorewall/notrack</title>

      <para><programlisting>#SOURCE            DESTINATION      PROTO    DEST    SOURCE    USER/
#                                            PORT(S) PORT(S)   GROUP
net:!192.88.99.1   -                41
dmz                206.124.146.255  udp
dmz                255.255.255.255  udp
loc                172.20.1.255     udp
loc                255.255.255.255  udp
$FW                255.255.255.255  udp
$FW                172.20.1.255     udp
$FW                206.124.146.255  udp</programlisting>This file omits the
      6to4 traffic originating from 6to4 relays as well as broadcast traffic
      (which Netfilter doesn't handle).</para>
    </section>

    <section>
      <title>/etc/shorewall/providers</title>

      <para><programlisting>#NAME   NUMBER   MARK    DUPLICATE  INTERFACE  GATEWAY         OPTIONS               COPY
Avvanta 1        0x10000 main       $EXT_IF    206.124.146.254 track,loose,fallback  $INT_IF,$VPS_IF,tun*
Comcast 2        0x20000 main       $COM_IF    detect          track,balance         $INT_IF,$VPS_IF,tun*</programlisting>See
      the <ulink url="???">Multi-ISP article</ulink> for an explaination of
      the multi-ISP aspects of this configuration.</para>
    </section>

    <section id="proxyarp">
      <title>/etc/shorewall/proxyarp</title>

      <para><programlisting>&lt;empty&gt;</programlisting>As mentioned <link
      linkend="interfaces">above</link>, I set the proxyarp on the associated
      external interface instead of defining proxy ARP in this file.</para>
    </section>

    <section id="restored">
      <title>/etc/shorewall/restored</title>

      <para><programlisting>if [ -z "$(ps ax | grep 'lsm ' | grep -v 'grep ' )" ]; then
    start_lsm
fi

chmod 744 ${VARDIR}/state</programlisting>If lsm isn't running then start it.
      Make the state file world-readable.</para>
    </section>

    <section id="route_rules">
      <title>/etc/shorewall/route_rules</title>

      <para><programlisting>#SOURCE             DEST             PROVIDER  PRIORITY

-                   172.20.0.0/24    main      1000       #OpenVPN clients
-                   206.124.146.177  main      1001       #Servers -- Routes configured by OpenVZ
-                   206.124.146.178  main      1001       #
-                   216.168.3.44     Avvanta   1001       #NNTP -- Does source IP verification
206.124.146.176/30  -                Avvanta  26000       #Avvanta public IP addresses
206.124.146.180     -                Avvanta  26000       #</programlisting>These
      entries simply ensure that outgoing traffic uses the correct
      interface.</para>
    </section>

    <section id="routestopped">
      <title>/etc/shorewall/routestopped</title>

      <para><programlisting>#INTERFACE      HOST(S)                           OPTIONS      PROTO
$INT_IF         172.20.1.0/24                     source,dest
$VPS_IF         206.124.146.177,206.124.146.178
$EXT_IF         -                                 notrack      41</programlisting>Keep
      the lights on while Shorewall is stopped.</para>
    </section>

    <section id="rules">
      <title>/etc/shorewall/rules</title>

      <para><programlisting>###############################################################################################################################################################################
#ACTION         SOURCE                          DEST                    PROTO   DEST                                    SOURCE          ORIGINAL        RATE    USER/
#                                                                               PORT                                    PORT(S)         DEST            LIMIT   GROUP
###############################################################################################################################################################################
SECTION ESTABLISHED
SECTION RELATED
SECTION NEW

REJECT:$LOG     loc                             net                     tcp     25              #Stop direct loc-&gt;net SMTP (Comcast uses submission).
REJECT:$LOG     loc                             net                     udp     1025:1031       #MS Messaging

COMMENT Stop NETBIOS crap

REJECT          loc                             net                     tcp     137,445
REJECT          loc                             net                     udp     137:139

COMMENT Stop my idiotic work laptop from sending to the net with an HP source IP address

DROP            loc:!172.20.0.0/23              net

COMMENT
###############################################################################################################################################################################
# Local Network to Firewall 
#
NONAT           drct                            -
REDIRECT-       loc                             3128                    tcp     80                                      -               !66.199.187.46,172.20.1.108,206.124.146.177,155.98.64.80,81.19.16.0/21
###############################################################################################################################################################################
# Local network to DMZ 
#
ACCEPT          loc                             dmz                     udp     domain,177
ACCEPT          loc                             dmz                     tcp     ssh,smtp,465,587,www,ftp,imaps,domain,https,5901:5903   -
ACCEPT          loc                             dmz                     udp     33434:33524 
###############################################################################################################################################################################
# Internet to ALL -- drop NewNotSyn packets
#
dropNotSyn      net                             fw                      tcp
dropNotSyn      net                             loc                     tcp
dropNotSyn      net                             dmz                     tcp
###############################################################################################################################################################################
# Internet to DMZ 
#
DNS_DDoS        net                             dmz                     udp     domain
ACCEPT          net                             dmz                     tcp     smtp,www,ftp,465,587,imaps,domain,https
ACCEPT          net                             dmz                     udp     33434:33454
Mirrors:none    net                             dmz                     tcp     873
ACCEPT          net                             dmz                     tcp     22                                      -               -        s:ssh:3/min:3
#############################################################################################################################################################
#################
#
# Net to Local
#
Limit:$LOG:SSHA,3,60\
                net                             loc                     tcp     22
#
# BitTorrent from Wireless Network
#
#DNAT            net:$COM_IF                     loc:172.20.1.102       tcp     6881:6889
#DNAT            net:$COM_IF                     loc:172.20.1.102        udp     6881    
#
# UPnP
#
forwardUPnP     net                             loc
#
# Silently Handle common probes
#
REJECT          net                             loc                     tcp     www,ftp,https
DROP            net                             loc                     icmp    8
###############################################################################################################################################################################
# DMZ to Internet
#
ACCEPT          dmz                             net                     udp     domain,ntp
REJECT          dmz                             net:$COM_IF             tcp     smtp
ACCEPT          dmz                             net                     tcp     echo,ftp,ssh,smtp,whois,domain,www,81,nntp,https,2401,2702,2703,8080
ACCEPT          dmz                             net:$POPSERVERS         tcp     pop3
#
# Some FTP clients seem prone to sending the PORT command split over two packets. This prevents the FTP connection tracking
# code from processing the command  and setting up the proper expectation. The following rule allows active FTP to work in these cases
# but logs the connection so I can keep an eye on this potential security hole.
#
ACCEPT:$LOG     dmz                             net                     tcp     1024:                                   20
###############################################################################################################################################################################
# DMZ to Local
#
ACCEPT          dmz                             loc                     tcp     22                                      -               -        s:ssh:3/min:3
###############################################################################################################################################################################
# DMZ to Firewall -- ntp &amp; snmp Silently reject Auth
#
ACCEPT          dmz                             fw                      tcp     161,ssh
ACCEPT          dmz                             fw                      udp     161,ntp
REJECT          dmz                             fw                      tcp     auth
###############################################################################################################################################################################
# Internet to Firewall
#
REJECT          net                             fw                      tcp     www,ftp,https
DROP            net                             fw                      icmp    8
ACCEPT          net                             fw                      udp     33434:33454
ACCEPT          net                             fw                      tcp     22                                      -               -        s:ssh:3/min:3
ACCEPT          net                             fw                      udp     33434:33524 
###############################################################################################################################################################################
# Firewall to DMZ
#
ACCEPT          fw                              dmz                     tcp     domain,www,ftp,ssh,smtp,https,993,465,587,5901
ACCEPT          fw                              dmz                     udp     domain
REJECT          fw                              dmz                     udp     137:139
##############################################################################################################################################################################
#
COMMENT Freenode Probes
DROP            net:82.96.96.3,85.190.0.3       any
COMMENT
##############################################################################################################################################################################
# Allow Ping except where disallowed earlier
#
ACCEPT          any                             any                     icmp    8</programlisting></para>
    </section>

    <section id="started">
      <title>/etc/shorewall/started</title>

      <para><programlisting>if [ -z "$(ps ax | grep 'lsm ' | grep -v 'grep ' )" ]; then
    start_lsm
fi

chmod 744 ${VARDIR}/state</programlisting>If lsm isn't running then start it.
      Make the state file world-readable.</para>
    </section>

    <section id="stopped">
      <title>/etc/shorewall/stopped</title>

      <para><programlisting>if [ "$COMMAND" = stop -o "$COMMAND" = clear ]; then
   killall lsm 2&gt; /dev/null
fi

chmod 744 ${VARDIR}/state</programlisting>Kill lsm if the command is stop or
      clear. Make the state file world-readable.</para>
    </section>

    <section>
      <title>/etc/shorewall/tcdevices</title>

      <para><programlisting>#INTERFACE	IN-BANDWITH	OUT-BANDWIDTH	OPTIONS
$EXT_IF		-		300kbit		classify
$INT_IF		-		80mbit		classify
$COM_IF		-		4mbit		classify,hfsc
</programlisting>The use of HFSC on the Comcast link is largely to provide a
      test bed for that qdisc; I really don't have any real-time requirement
      such as VOIP.</para>
    </section>

    <section>
      <title>/etc/shorewall/tcclasses</title>

      <para><programlisting>#INTERFACE	MARK	RATE			CEIL		PRIORITY	OPTIONS
1:110		-	full/4			full		1		tcp-ack,tos-minimize-delay
1:120		-	full/4			full		2		flow=nfct-src
1:130		-	full/4			230kbit		3		default,flow=nfct-src
1:140		-	full/4			230kbit		4		flow=nfct-src

2:10		-  95*full/100			full		1		flow=dst
2:100		-	14mbit			20mbit		2
2:100:101	-	 7mbit			20mbit		3		default,flow=dst
2:100:102	-	 7mbit			20mbit		3		flow=dst

3:10		-	 2mbit:4ms		full		1	        flow=nfct-src
3:100		-	 2mbit			full		2
3:100:101	-	 1mbit			full		3		default,flow=nfct-src
3:100:102	-	 1mbit			full		3		flow=nfct-src
</programlisting>Note that most of the outgoing bandwidth on the local
      interface is allocated to one class. That class is used for local
      traffic.</para>
    </section>

    <section>
      <title>/etc/shorewall/tcfilters</title>

      <para><programlisting>#INTERFACE:	SOURCE			DEST		PROTO	DEST	SOURCE	TOS	LENGTH
#CLASS								PORT(S)	PORT(S)

# =============================== AVVANTA ====================================
#
# Give Highest priority to LSM's pings to the gateway and to DNS queries
#
1:110		206.124.146.176	  	206.124.146.254	icmp
1:110		206.124.146.177		-		udp	53
#
# Second Highest priority to IPv6 Tunnel
#
1:120		206.124.146.180
#
# Lowest priority to bulk traffic
#
1:140		206.124.146.177	-		tcp	-	873	-	2048
1:140		206.124.146.177 -		-	-	-	tos-minimize-cost
</programlisting>The tcfilters file is only used for the Avvanta provider
      because it has static public IP addresses.</para>
    </section>

    <section>
      <title>/etc/shorewall/tcrules</title>

      <para><programlisting>#MARK		SOURCE			DEST		PROTO	PORT(S)	CLIENT	USER	TEST	LENGTH	TOS
#									PORT(S)

COMMENT Shape incoming traffic

#
# Most of the bandwidth is reserved for local traffic since the downlinks aren't that fast
#
2:10		206.124.146.176/30	$INT_IF
2:10		206.124.146.177		$INT_IF
2:10		172.20.1.254		$INT_IF
#
# Guarantee 1/2 of the incoming bandwidth for my work system
#
2:102		0.0.0.0/0		$INT_IF:172.20.1.107

COMMENT Shape outgoing traffic to Comcast
#
# Give 1/2 to my work system and add a latency guarantee
#
3:10		172.20.1.107		$COM_IF
#
# Restrict Torrent uploads
#
3:102		172.20.1.0/24		$COM_IF		tcp	-	6881:6889
</programlisting>The tcrules file is used to classify traffic that deals with
      the local network and/or with Comcast.</para>
    </section>

    <section id="tunnels">
      <title>/etc/shorewall/tunnels</title>

      <para><programlisting>#TYPE                   ZONE    GATEWAY         GATEWAY
#                                               ZONE
openvpnserver:udp       net
6to4                    net
ipsec                   net
ipsec                   loc
ipip                    vpn     0.0.0.0/0</programlisting>The ipip tunnel from
      the vpn zone handles IP compression on IPSEC connections.</para>
    </section>
  </section>
</article>