<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>Shorewall Setup Guide</title>
<meta name="Microsoft Theme" content="boldstri 011, default">
</head>
<body>
<h1 align="center">Shorewall Setup Guide</h1>
<p><a href="#Introduction">1.0 Introduction</a><br>
<a href="#Concepts">2.0 Shorewall Concepts</a><br>
<a href="#Interfaces">3.0 Network Interfaces</a><br>
<a href="#Addressing">4.0 Addressing, Subnets and Routing</a></p>
<blockquote>
<p><a href="#Addresses">4.1 IP Addresses</a><br>
<a href="#Subnets">4.2 Subnets</a><br>
<a href="#Routing">4.3 Routing</a><br>
<a href="#ARP">4.4 Address Resolution Protocol</a><br>
<a href="#RFC1918">4.5 RFC 1918</a></p>
</blockquote>
<p><a href="#Options">5.0 Setting up your Network</a></p>
<blockquote>
<p><a href="#Routed">5.1 Routed</a><br>
<a href="#NonRouted">5.2 Non-routed</a></p>
<blockquote>
<p><a href="#SNAT">5.2.1 SNAT</a><br>
<a href="#DNAT">5.2.2 DNAT</a><br>
<a href="#ProxyARP">5.2.3 Proxy ARP</a><br>
<a href="#NAT">5.2.4 Static NAT</a></p>
</blockquote>
<p><a href="#Rules">5.3 Rules</a><br>
<a href="#OddsAndEnds">5.4 Odds and Ends</a></p>
</blockquote>
<p><a href="#DNS">6.0 DNS</a><br>
<a href="#StartingAndStopping">7.0 Starting and Stopping the Firewall</a></p>
<h2><a name="Introduction"></a>1.0 Introduction</h2>
<p>This guide is intended for users who are setting up Shorewall in an
environment where a set of public IP addresses must be managed or who want to
know more about Shorewall than is contained in the
<a href="shorewall_quickstart_guide.htm">single-address
guides</a>. Because the
range of possible applications is so broad, the Guide will give you general
guidelines and will point you to other resources as necessary.</p>
<p>This guide assumes that you have the iproute/iproute2 package installed (on
RedHat, the package is called <i>iproute</i>)<i>. </i>You can tell if this
package is installed by the presence of an <b>ip</b> program on your firewall
system. As root, you can use the 'which' command to check for this program:</p>
<pre> [root@gateway root]# which ip
/sbin/ip
[root@gateway root]#</pre><p>I recommend that you first read through the
guide to familiarize yourself with what's involved then go back through it again
making your configuration changes. Points at which configuration changes are
recommended are flagged with <img border="0" src="images/BD21298_.gif" width="13" height="13">.</p>
<p><img border="0" src="images/j0213519.gif" width="60" height="60">
If you edit your configuration files on a Windows system, you must save them as
Unix files if your editor supports that option or you must run them through
dos2unix before trying to use them with Shorewall. Similarly, if you copy a configuration file
from your Windows hard drive to a floppy disk, you must run dos2unix against the
copy before using it with Shorewall.</p>
<ul>
<li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version of
dos2unix</a></li>
<li><a href="http://www.megaloman.com/~hany/software/hd2u/">Linux Version of
dos2unix</a></li>
</ul>
<h2 align="left"><a name="Concepts"></a>2.0 Shorewall Concepts</h2>
<p>The configuration files for Shorewall are contained in the directory
/etc/shorewall -- for most setups, you will only need to deal with a few of
these as described in this guide. Skeleton files are created during the
<a href="Install.htm">Shorewall Installation Process</a>.</p>
<p>As each file is introduced, I suggest that you
look through the actual file on your system -- each file contains detailed
configuration instructions and some contain default entries.</p>
<p>Shorewall views the network where it is running as being composed of a set of
<i>zones.</i> In the default installation, the following zone names are used:</p>
<table border="0" style="border-collapse: collapse" cellpadding="3" cellspacing="0" id="AutoNumber2">
<tr>
<td><u><b>Name</b></u></td>
<td><u><b>Description</b></u></td>
</tr>
<tr>
<td><b>net</b></td>
<td><b>The Internet</b></td>
</tr>
<tr>
<td><b>loc</b></td>
<td><b>Your Local Network</b></td>
</tr>
<tr>
<td><b>dmz</b></td>
<td><b>Demilitarized Zone</b></td>
</tr>
</table>
<p>Zones are defined in the <a href="Documentation.htm#Zones">
/etc/shorewall/zones</a> file.</p>
<p>Shorewall also recognizes the firewall system as its own zone - by default,
the firewall itself is known as <b>fw</b> but that may be changed in the
<a href="Documentation.htm#Configs">/etc/shorewall/shorewall.conf</a> file. In
this guide, the default name (<b>fw</b>) will be used.</p>
<p>With the exception of <b>fw</b>, Shorewall attaches absolutely no meaning to
zone names. Zones are entirely what YOU make of them. That means that you should
not expect Shorewall to do something special "because this is the internet zone"
or "because that is the DMZ".</p>
<p><img border="0" src="images/BD21298_.gif" width="13" height="13"> Edit the
/etc/shorewall/zones file and make any changes necessary.</p>
<p>Rules about what traffic to allow and what traffic to deny are expressed in
terms of zones.</p>
<ul>
<li>You express your default policy for connections from one zone to another
zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy </a>file.</li>
<li>You define exceptions to those default policies in the
<a href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li>
</ul>
<p>
Shorewall is built on top of the <a href="http://www.netfilter.org">Netfilter</a> kernel facility. Netfilter
implements a
<a href="http://www.cs.princeton.edu/~jns/security/iptables/iptables_conntrack.html">connection tracking function</a> that allows what is often referred
to as <i>stateful inspection</i> of packets. This stateful property allows
firewall rules to be defined in terms of <i>connections</i> rather than in
terms of packets. With Shorewall, you:</p>
<ol>
<li>
Identify the source zone.</li>
<li>
Identify the destination zone.</li>
<li>
If the POLICY from the client's zone to the server's zone is what you
want for this client/server pair, you need do nothing further.</li>
<li>
If the POLICY is not what you want, then you must add a rule. That rule
is expressed in terms of the client's zone and the server's zone.</li>
</ol>
<p>
Just because connections of a particular type are allowed from zone A to the
firewall and are also allowed from the firewall to zone B <font color="#ff6633"><b><u>
DOES NOT mean that these connections are allowed from zone A to zone
B</u></b></font>. It rather means that you can have a proxy running on
the firewall that accepts a connection from zone A and then establishes
its own separate connection from the firewall to zone B.</p>
<p>For each connection request entering the firewall, the request is first
checked against the /etc/shorewall/rules file. If no rule in that file matches
the connection request then the first policy in /etc/shorewall/policy that
matches the request is applied. If that policy is REJECT or DROP the
request is first checked against the rules in /etc/shorewall/common.def.</p>
<p>The default /etc/shorewall/policy file has the
following policies:</p>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse" id="AutoNumber3">
<tr>
<td><u><b>Source Zone</b></u></td>
<td><u><b>Destination Zone</b></u></td>
<td><u><b>Policy</b></u></td>
<td><u><b>Log Level</b></u></td>
<td><u><b>Limit:Burst</b></u></td>
</tr>
<tr>
<td>loc</td>
<td>net</td>
<td>ACCEPT</td>
<td> </td>
<td> </td>
</tr>
<tr>
<td>net</td>
<td>all</td>
<td>DROP</td>
<td>info</td>
<td> </td>
</tr>
<tr>
<td>all</td>
<td>all</td>
<td>REJECT</td>
<td>info</td>
<td> </td>
</tr>
</table>
</blockquote>
<p>The above policy will:</p>
<ol>
<li>allow all connection requests from your local network to the internet</li>
<li>drop (ignore) all connection requests from the internet to your firewall
or local network and log a message at the <i>info</i> level (see "man syslog").</li>
<li>reject all other connection requests and log a message at the <i>info</i>
level. When a request is rejected, the firewall will return an RST (if the
protocol is TCP) or an ICMP port-unreachable packet for other protocols.</li>
</ol>
<p><img border="0" src="images/BD21298_.gif" width="13" height="13"> At this point, edit your /etc/shorewall/policy and make any changes that you
wish.</p>
<h2 align="left"><a name="Interfaces"></a>3.0 Network Interfaces</h2>
<p align="left">For the remainder of this guide, we'll refer to the following
diagram. While it may not look like your own network, it can be used to
illustrate the important aspects of Shorewall configuration.</p>
<p align="left">In this diagram:</p>
<ul>
<li>The DMZ Zone consists of systems DMZ 1 and DMZ 2. A DMZ is used to isolate your
internet-accessible servers from your local systems so that if one of those
servers is compromised, you still have the firewall between the compromised
system and your local systems. </li>
<li>The Local Zone consists of systems Local 1, Local 2 and Local 3. </li>
<li>All systems from the ISP outward comprise the Internet Zone. </li>
</ul>
<p align="center">
<img border="0" src="images/dmz3.png" width="692" height="635"></p>
<p align="left">The simplest way to define zones is to simply associate the zone
name (previously defined in /etc/shorewall/zones) with a network interface. This
is done in the <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>
file.</p>
<p align="left">The firewall illustrated above has three network interfaces.
Where Internet connectivity is through a cable or DSL "Modem", the <i>External
Interface</i> will be the Ethernet adapter that is connected to that "Modem"
(e.g., <b>eth0</b>)
<u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint <u>P</u>rotocol
over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint <u>T</u>unneling
<u>P</u>rotocol </i>(PPTP) in which case the External Interface will be a ppp
interface (e.g., <b>ppp0</b>). If you connect via a regular modem, your External
Interface will also be <b>ppp0</b>. If you connect using ISDN, you external
interface will be <b>ippp0.</b></p>
<p align="left"><img border="0" src="images/BD21298_1.gif" width="13" height="13"> If
your external interface is <b>ppp0</b> or <b>ippp0 </b>then you will want to set
CLAMPMSS=yes in <a href="Documentation.htm#Conf">
/etc/shorewall/shorewall.conf.</a></p>
<p align="left">Your <i>Local Interface</i> will be an Ethernet adapter (eth0,
eth1 or eth2) and will be connected to a hub or switch. Your local computers
will be connected to the same switch (note: If you have only a single local system,
you can connect the firewall directly to the computer using a <i>cross-over </i>
cable).</p>
<p align="left">Your <i>DMZ Interface</i> will also be an Ethernet adapter (eth0,
eth1 or eth2) and will be connected to a hub or switch. Your DMZ computers will
be connected to the same switch (note: If you have only a single DMZ system,
you can connect the firewall directly to the computer using a <i>cross-over </i>
cable).</p>
<p align="left"><u><b>
<img border="0" src="images/j0213519.gif" width="60" height="60"></b></u>Do not connect more than one interface
to the same hub or switch (even for testing). It won't work the way that you
expect it to and you will end up confused and believing that Linux networking doesn't work at all.</p>
<p align="left">For the remainder of this Guide, we will assume that:</p>
<ul>
<li>
<p align="left">The external interface is <b>eth0</b>.</p>
</li>
<li>
<p align="left">The Local interface is <b>eth1</b>.</p>
</li>
<li>
<p align="left">The DMZ interface is <b>eth2</b>.</p>
</li>
</ul>
<p align="left">The Shorewall default configuration does not define the contents
of any zone. To define the above configuration using the
/etc/shorewall/interfaces file, that file would might contain:</p>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse" id="AutoNumber4">
<tr>
<td><u><b>Zone</b></u></td>
<td><u><b>Interface</b></u></td>
<td><u><b>Broadcast</b></u></td>
<td><u><b>Options</b></u></td>
</tr>
<tr>
<td>net</td>
<td>eth0</td>
<td>detect</td>
<td>norfc1918</td>
</tr>
<tr>
<td>loc</td>
<td>eth1</td>
<td>detect</td>
<td> </td>
</tr>
<tr>
<td>dmz</td>
<td>eth2</td>
<td>detect</td>
<td> </td>
</tr>
</table>
</blockquote>
<p align="left"><img border="0" src="images/BD21298_2.gif" width="13" height="13">
Edit the /etc/shorewall/interfaces file and define the network interfaces on
your firewall and associate each interface with a zone. If you have a zone that
is interfaced through more than one interface, simply include one entry for each
interface and repeat the zone name as many times as necessary.</p>
<p align="left">Example:</p>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse" id="AutoNumber4">
<tr>
<td><u><b>Zone</b></u></td>
<td><u><b>Interface</b></u></td>
<td><u><b>Broadcast</b></u></td>
<td><u><b>Options</b></u></td>
</tr>
<tr>
<td>net</td>
<td>eth0</td>
<td>detect</td>
<td>norfc1918</td>
</tr>
<tr>
<td>loc</td>
<td>eth1</td>
<td>detect</td>
<td> </td>
</tr>
<tr>
<td>loc</td>
<td>eth2</td>
<td>detect</td>
<td>dhcp</td>
</tr>
</table>
</blockquote>
<div align="left">
<p align="left">When you have more than one interface to a zone, you will
usually want a policy that permits intra-zone traffic:</div>
<div align="left">
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse" id="AutoNumber3">
<tr>
<td><u><b>Source Zone</b></u></td>
<td><u><b>Destination Zone</b></u></td>
<td><u><b>Policy</b></u></td>
<td><u><b>Log Level</b></u></td>
<td><u><b>Limit:Burst</b></u></td>
</tr>
<tr>
<td>loc</td>
<td>loc</td>
<td>ACCEPT</td>
<td> </td>
<td> </td>
</tr>
</table>
</blockquote>
</div>
<p align="left"><img border="0" src="images/BD21298_2.gif" width="13" height="13">
You may define more complicated zones using the
<a href="Documentation.htm#Hosts">/etc/shorewall/hosts</a> file but in most
cases, that isn't necessary.</p>
<h2 align="left"><a name="Addressing"></a>4.0 Addressing, Subnets and Routing</h2>
<p align="left">Normally, your ISP will assign you a set of <i>
Public</i> IP addresses. You will configure your firewall's external interface to use
one of those addresses permanently and you will then have to decide how you are
going to use the rest of your addresses. Before we tackle that question though, some
background is in order.</p>
<p align="left">If you are thoroughly familiar with IP addressing and routing,
you may <a href="#Options">go to the next section</a>.</p>
<p align="left">The following discussion barely scratches the surface of addressing and routing. If you are interested in learning more about
this subject, I highly recommend <i>"IP Fundamentals: What Everyone
Needs to Know about Addressing & Routing",</i> Thomas A. Maufer, Prentice-Hall,
1999, ISBN 0-13-975483-0.</p>
<h3 align="left"><a name="Addresses"></a>4.1 IP Addresses</h3>
<p align="left">IP version 4 (<i>IPv4) </i>addresses are 32-bit numbers. The notation w.x.y.z refers to an address where the high-order byte has value "w", the next
byte has value "x", etc. If we take the address 192.0.2.14 and express it in
hexadecimal,
we get:</p>
<blockquote>
<p align="left">C0.00.02.0E</p>
</blockquote>
<p align="left">or looking at it as a 32-bit integer</p>
<blockquote>
<p align="left">C000020E</p>
</blockquote>
<h3 align="left"><a name="Subnets"></a>4.2 Subnets</h3>
<p align="left">You will still hear the terms "Class A network", "Class B
network" and "Class C network". In the early days of IP, networks only came
in three sizes (there were also Class D networks but they were used differently):</p>
<blockquote>
<p align="left">Class A - netmask 255.0.0.0, size = 2 ** 24</p>
<p align="left">Class B - netmask 255.255.0.0, size = 2 ** 16</p>
<p align="left">Class C - netmask 255.255.255.0, size = 256</p>
</blockquote>
<p align="left">The class of a network was uniquely determined by the value of the high
order byte of its address so you could look at an IP address and immediately
determine the associated <i>netmask</i>. The netmask is a number that when
logically ANDed with an address isolates the <i>network number</i>; the
remainder of the address is the <i>host number</i>. For example, in the Class C
address 192.0.2.14, the network number is hex C00002 and the host number is hex
0E.</p>
<p align="left">As the internet grew, it became clear that such a gross
partitioning of the 32-bit address space was going to be very limiting (early
on, large corporations and universities were assigned their own class A
network!). After some false starts, the current technique of <i>subnetting</i>
these networks into smaller <i>subnetworks</i> evolved -- today, any system that
you are likely to work with will understand subnetting and Class-based networking is largely a
thing of the past.</p>
<p align="left">A <i>subnetwork</i> (often referred to as a <i>subnet) </i>is
a contiguous set of IP addresses such that:</p>
<ol>
<li>
<p align="left">The number of addresses in the set is a power of 2; and</p>
</li>
<li>
<p align="left">The first address in the set is a multiple of the set size.</p>
</li>
<li>
<p align="left">The first address in the subnet is reserved and is referred to as the <i>
subnet address.</i></p>
</li>
<li>
<p align="left">The last address in the subnet is reserved as the <i>subnet's broadcast
address.</i></p>
</li>
</ol>
<p align="left">As you can see by this definition, in each subnet of size <b>n</b>
there are (<b>n</b> - 2) usable addresses (addresses that can be assigned to
hosts). The first and last address in the subnet are used for the subnet
address and subnet broadcast address respectively. Consequently, small
subnetworks are more wasteful of IP addresses than are large ones. </p>
<p align="left">Since <b>n</b> is a power of two, we can easily calculate the
<i>Natural Logarithm</i> (<b>log2</b>) of <b>n</b>. For the more common subnet sizes, the size and its natural logarithm are given in the
following table:</p>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse" id="AutoNumber5">
<tr>
<td><u><b>n</b></u></td>
<td><u><b>log2 n</b></u></td>
<td><u><b>(32 - log2 n)</b></u></td>
</tr>
<tr>
<td>8</td>
<td>3</td>
<td>29</td>
</tr>
<tr>
<td>16</td>
<td>4</td>
<td>28</td>
</tr>
<tr>
<td>32</td>
<td>5</td>
<td>27</td>
</tr>
<tr>
<td>64</td>
<td>6</td>
<td>26</td>
</tr>
<tr>
<td>128</td>
<td>7</td>
<td>25</td>
</tr>
<tr>
<td>256</td>
<td>8</td>
<td>24</td>
</tr>
<tr>
<td>512</td>
<td>9</td>
<td>23</td>
</tr>
<tr>
<td>1024</td>
<td>10</td>
<td>22</td>
</tr>
<tr>
<td>2048</td>
<td>11</td>
<td>21</td>
</tr>
<tr>
<td>4096</td>
<td>12</td>
<td>20</td>
</tr>
<tr>
<td>8192</td>
<td>13</td>
<td>19</td>
</tr>
<tr>
<td>16384</td>
<td>14</td>
<td>18</td>
</tr>
<tr>
<td>32768</td>
<td>15</td>
<td>17</td>
</tr>
<tr>
<td>65536</td>
<td>16</td>
<td>16</td>
</tr>
</table>
</blockquote>
<p align="left">You will notice that the above table also contains a column
for (32 - log2 <b>n</b>). That number is the <i>Variable Length Subnet Mask</i> for a network of size <b>n</b>.
From the above table, we can derive the following one which is a little easier to use.</p>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse" id="AutoNumber5">
<tr>
<td><u><b>Size of Subnet</b></u></td>
<td><u><b>VLSM</b></u></td>
<td><u><b>Subnet Mask</b></u></td>
</tr>
<tr>
<td>8</td>
<td>/29</td>
<td>255.255.255.248</td>
</tr>
<tr>
<td>16</td>
<td>/28</td>
<td>255.255.255.240</td>
</tr>
<tr>
<td>32</td>
<td>/27</td>
<td>255.255.255.224</td>
</tr>
<tr>
<td>64</td>
<td>/26</td>
<td>255.255.255.192</td>
</tr>
<tr>
<td>128</td>
<td>/25</td>
<td>255.255.255.128</td>
</tr>
<tr>
<td>256</td>
<td>/24</td>
<td>255.255.255.0</td>
</tr>
<tr>
<td>512</td>
<td>/23</td>
<td>255.255.254.0</td>
</tr>
<tr>
<td>1024</td>
<td>/22</td>
<td>255.255.252.0</td>
</tr>
<tr>
<td>2048</td>
<td>/21</td>
<td>255.255.248.0</td>
</tr>
<tr>
<td>4096</td>
<td>/20</td>
<td>255.255.240.0</td>
</tr>
<tr>
<td>8192</td>
<td>/19</td>
<td>255.255.224.0</td>
</tr>
<tr>
<td>16384</td>
<td>/18</td>
<td>255.255.192.0</td>
</tr>
<tr>
<td>32768</td>
<td>/17</td>
<td>255.255.128.0</td>
</tr>
<tr>
<td>65536</td>
<td>/16</td>
<td>255.255.0.0</td>
</tr>
<tr>
<td>2 ** 24</td>
<td>/8</td>
<td>255.0.0.0</td>
</tr>
</table>
</blockquote>
<p align="left">Notice that the VLSM is written with a slash ("/") -- you will
often hear a subnet of size 64 referred to as a "slash 26" subnet and one of
size 8 referred to as a "slash 29".</p>
<p align="left">The subnet's mask (also referred to as its <i>netmask) </i>is simply a 32-bit number with the first "VLSM"
bits set to one and the remaining bits set to zero. For example, for a subnet
of size 64, the subnet mask has 26 leading one bits:</p>
<blockquote>
<p align="left">11111111111111111111111111000000 = FFFFFFC0 = FF.FF.FF.C0 =
255.255.255.192</p>
</blockquote>
<p align="left">The subnet mask has the property that if you logically AND the
subnet mask with an address in the subnet, the result is the subnet address.
Just as important, if you logically AND the subnet mask with an address
outside the subnet, the result is NOT the subnet address. As we will see
below, this property of subnet masks is very useful in routing.</p>
<p align="left">For a subnetwork whose address is <b>a.b.c.d</b> and whose
Variable Length Subnet Mask is <b>/v</b>, we denote the subnetwork as "<b>a.b.c.d/v</b>"
using <i>VLSM Notation</i>. </p>
<p align="left">Example:</p>
<blockquote>
<table border="2" style="border-collapse: collapse" id="AutoNumber1" cellpadding="2">
<tr>
<td><b>Subnet:</b></td>
<td>10.10.10.0 - 10.10.10.127</td>
</tr>
<tr>
<td><b>Subnet Size:</b></td>
<td>128</td>
</tr>
<tr>
<td><b>Subnet Address:</b></td>
<td>10.10.10.0</td>
</tr>
<tr>
<td><b>Broadcast Address:</b></td>
<td>10.10.10.127</td>
</tr>
<tr>
<td><b>VLSM Notation:</b></td>
<td>10.10.10.0/25</td>
</tr>
</table>
</blockquote>
<p align="left">There are two degenerate subnets that need mentioning; namely, the
subnet with one member and the subnet with 2 ** 32 members.</p>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse" id="AutoNumber5">
<tr>
<td><u><b>Size of Subnetwork</b></u></td>
<td><u><b>VLSM Length</b></u></td>
<td><u><b>Subnet Mask</b></u></td>
<td><u><b>VLSM Notation</b></u></td>
</tr>
<tr>
<td>1</td>
<td>32</td>
<td>255.255.255.255</td>
<td>a.b.c.d/32</td>
</tr>
<tr>
<td>2 ** 32</td>
<td>0</td>
<td>0.0.0.0</td>
<td>0.0.0.0/0</td>
</tr>
</table>
</blockquote>
<p align="left">So any address <b>a.b.c.d </b>may also be written <b>
a.b.c.d/32</b> and the set of all possible IP addresses is written <b>0.0.0.0/0</b>.</p>
<p align="left">Later in this guide, you will see the notation <b>a.b.c.d/v</b>
used to describe the ip configuration of a network interface (the 'ip' utility
also uses this syntax). This simply means that the interface is configured with
ip address <b>a.b.c.d</b> and with the netmask that corresponds to VLSM <b>/v</b>.</p>
<p align="left">Example: 192.0.2.65/29</p>
<p align="left"> The interface is configured with IP address
192.0.2.65 and netmask 255.255.255.248.</p>
<h3 align="left"><a name="Routing"></a>4.3 Routing</h3>
<p align="left">One of the purposes of subnetting is that it forms the basis
for routing. Here's the routing table on <a href="myfiles.htm">my firewall</a>:</p>
<div align="left">
<blockquote>
<pre>[root@gateway root]# netstat -nr
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
192.168.9.1 0.0.0.0 255.255.255.255 UH 40 0 0 texas
206.124.146.177 0.0.0.0 255.255.255.255 UH 40 0 0 eth1
206.124.146.180 0.0.0.0 255.255.255.255 UH 40 0 0 eth3
192.168.3.0 0.0.0.0 255.255.255.0 U 40 0 0 eth3
192.168.2.0 0.0.0.0 255.255.255.0 U 40 0 0 eth1
192.168.1.0 0.0.0.0 255.255.255.0 U 40 0 0 eth2
206.124.146.0 0.0.0.0 255.255.255.0 U 40 0 0 eth0
192.168.9.0 192.0.2.223 255.255.255.0 UG 40 0 0 texas
127.0.0.0 0.0.0.0 255.0.0.0 U 40 0 0 lo
0.0.0.0 206.124.146.254 0.0.0.0 UG 40 0 0 eth0
[root@gateway root]#</pre>
</blockquote>
</div>
<p align="left">The device <i>texas</i> is a GRE tunnel to a peer site in the
Dallas, Texas area.<br>
<br>
The first three routes are <i>host routes</i> since they indicate how to get to
a single host. In the 'netstat' output this can be seen by the "Genmask" (Subnet
Mask) of 255.255.255.255 and the "H" in the Flags column. The remainder are 'net' routes since they tell the
kernel how to route packets to a subnetwork. The last route is the <i>default
route</i> and the gateway mentioned in that route is called the <i>default
gateway</i>.</p>
<p align="left">When the kernel is trying to send a packet to IP address <b>A</b>,
it starts at the top of the routing table and:</p>
<ul>
<li>
<p align="left"><b>A</b> is logically ANDed with the 'Genmask' value in the
table entry.</p>
</li>
<li>
<p align="left">The result is compared with the 'Destination' value in the table
entry.</p>
</li>
<li>
<p align="left">If the result and the 'Destination' value are the same, then:</p>
<ul>
<li>
<p align="left">If the 'Gateway' column is non-zero, the packet is sent to the
gateway over the interface named in the 'Iface' column.</p>
</li>
<li>
<p align="left">Otherwise, the packet is sent directly to <b>A </b>over the
interface named in the 'iface' column.</p>
</li>
</ul>
</li>
<li>
<p align="left">Otherwise, the above steps are repeated on the next entry in the
table.</p>
</li>
</ul>
<p align="left">Since the default route matches any IP address (<b>A</b> land
0.0.0.0 = 0.0.0.0), packets that don't match any of the other routing table
entries are sent to the <i>default gateway</i> which is usually a router at your
ISP.</p>
<p align="left">Lets take an example. Suppose that we want to route a packet to
192.168.1.5. That address clearly doesn't match any of the host routes in the
table but if we logically and that address with 255.255.255.0, the result is
192.168.1.0 which matches this routing table entry:</p>
<div align="left">
<blockquote>
<pre>192.168.1.0 0.0.0.0 255.255.255.0 U 40 0 0 eth2</pre>
</blockquote>
<p>So to route a packet to 192.168.1.5, the packet is sent directly over eth2.</div>
<h3 align="left"><a name="ARP"></a>4.4 Address Resolution Protocol</h3>
<p align="left">When sending packets over Ethernet, IP addresses aren't used.
Rather Ethernet addressing is based on <i>Media Access Control</i> (MAC)
addresses. Each Ethernet device has it's own unique MAC address which is
burned into a PROM on the device during manufacture. You can obtain the MAC of
an Ethernet device using the 'ip' utility:</p>
<blockquote>
<div align="left">
<pre>[root@gateway root]# ip addr show eth0
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc htb qlen 100
link/ether <u>02:00:08:e3:fa:55</u> brd ff:ff:ff:ff:ff:ff
inet 206.124.146.176/24 brd 206.124.146.255 scope global eth0
inet 206.124.146.178/24 brd 206.124.146.255 scope global secondary eth0
inet 206.124.146.179/24 brd 206.124.146.255 scope global secondary eth0
[root@gateway root]#</pre>
</div>
</blockquote>
<div align="left">
<p align="left">As you can see from the above output, the MAC is 6 bytes (48
bits) wide. A card's MAC is usually also printed on a label attached to the card
itself.
</div>
<div align="left">
<p align="left">Because IP uses IP addresses and Ethernet uses MAC addresses,
a mechanism is required to translate an IP address into a MAC address; that is
the purpose of the <i>Address Resolution Protocol</i> (ARP). Here is ARP in
action:</div>
<div align="left">
<blockquote>
<div align="left">
<pre>[root@gateway root]# tcpdump -nei eth2 arp
tcpdump: listening on eth2
09:56:49.766757 2:0:8:e3:4c:48 0:6:25:aa:8a:f0 arp 42: arp who-has 192.168.1.19 tell 192.168.1.254
09:56:49.769372 0:6:25:aa:8a:f0 2:0:8:e3:4c:48 arp 60: arp reply 192.168.1.19 is-at 0:6:25:aa:8a:f0
2 packets received by filter
0 packets dropped by kernel
[root@gateway root]#
</pre>
</div>
</blockquote>
</div>
<p align="left">In this exchange, 192.168.1.254 (MAC 2:0:8:e3:4c:48) wants to
know the MAC of the device with IP address 192.168.1.19. The system having that
IP address is responding that the MAC address of the device with IP address
192.168.1.19 is 0:6:25:aa:8a:f0.</p>
<p align="left">In order to avoid having to exchange ARP information each time
that an IP packet is to be sent, systems maintain an <i>ARP cache</i> of
IP<->MAC correspondences. You can see the ARP cache on your system (including
your Windows system) using the 'arp' command:</p>
<blockquote>
<div align="left">
<pre>[root@gateway root]# arp -na
? (206.124.146.177) at 00:A0:C9:15:39:78 [ether] on eth1
? (192.168.1.3) at 00:A0:CC:63:66:89 [ether] on eth2
? (192.168.1.5) at 00:A0:CC:DB:31:C4 [ether] on eth2
? (206.124.146.254) at 00:03:6C:8A:18:38 [ether] on eth0
? (192.168.1.19) at 00:06:25:AA:8A:F0 [ether] on eth2</pre>
</div>
</blockquote>
<p align="left">The leading question marks are a result of my having specified
the 'n' option (Windows 'arp' doesn't allow that option) which causes the 'arp'
program to forego IP->DNS name translation. Had I not given that option, the
question marks would have been replaced with the FQDN corresponding to each IP
address. Notice that the last entry in the table records the information we saw
using tcpdump above.</p>
<h3 align="left"><a name="RFC1918"></a>4.5 RFC 1918</h3>
<p align="left">IP addresses are allocated by the <i>
<a href="http://www.iana.org">Internet Assigned Number Authority</a> </i>(IANA)
who delegates allocations on a geographic basis to <i>Regional Internet
Registries</i> (RIRs). For example, allocation for the Americas and for
sub-Sahara Africa is delegated to the <i><a href="http://www.arin.net">American
Registry for Internet Numbers</a> </i>(ARIN). These RIRs may in turn delegate to
national registries. Most of us don't deal with these registrars but rather get
our IP addresses from our ISP.</p>
<p align="left">It's a fact of life that most of us can't afford as many Public
IP addresses as we have devices to assign them to so we end up making use of <i>
Private </i>IP addresses. RFC 1918 reserves several IP address ranges for this
purpose:</p>
<div align="left">
<pre> 10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255</pre>
</div>
<div align="left">
<p align="left">The addresses reserved by RFC 1918 are sometimes referred to
as <i>non-routable</i> because the Internet backbone routers don't forward
packets which have an RFC-1918 destination address. This is understandable
given that anyone can select any of these addresses for their private use.</div>
<div align="left">
<p align="left">When selecting addresses from these ranges, there's a couple
of things to keep in mind:</div>
<div align="left">
<ul>
<li><p align="left">As the IPv4 address space becomes depleted, more and more
organizations (including ISPs) are beginning to use RFC 1918 addresses in
their infrastructure.</li>
<li><p align="left">You don't want to use addresses that are being used by
your ISP or by another organization with whom you want to establish a VPN
relationship. </li>
</ul>
</div>
<div align="left">
<p align="left">So it's a good idea to check with your ISP to see if they are
using (or are planning to use) private addresses before you decide the
addresses that you are going to use.</div>
<div align="left">
<h2 align="left"><a name="Options"></a>5.0 Setting up your Network</h2>
</div>
<div align="left">
<p align="left">The choice of how to set up your network depends primarily on
how many Public IP addresses you have vs. how many addressable entities you
have in your network. Regardless of how many addresses you have, your ISP will
handle that set of addresses in one of two ways:</div>
<div align="left">
<ol>
<li>
<p align="left"><b>Routed - </b>Traffic to any of your addresses will be
routed through a single <i>gateway address</i>. This will generally only be
done if your ISP has assigned you a complete subnet (/29 or larger). In this
case, you will assign the gateway address as the IP address of your
firewall/router's external interface.</li>
<li>
<p align="left"><b>Non-routed - </b>Your ISP will send traffic to each of your
addresses directly.</li>
</ol>
</div>
<div align="left">
<p align="left">In the subsections that follow, we'll look at each of these
separately.</div>
<div align="left">
<h3 align="left"><a name="Routed"></a>5.1 Routed</h3>
</div>
<div align="left">
<p align="left">Let's assume that your ISP has assigned you the subnet
192.0.2.64/28 routed through 192.0.2.65. That means that you have IP addresses
192.0.2.64 - 192.0.2.79 and that your firewall's external IP address is
192.0.2.65. Your ISP has also told you that you should use a netmask of
255.255.255.0 (so your /28 is part of a larger /24). With this many IP
addresses, you are able to subnet your /28 into two /29's and set up your
network as shown in the following diagram.</div>
<div align="left">
<p align="center">
<img border="0" src="images/dmz4.png" width="726" height="635"></div>
<div align="left">
<p align="left">Here, the DMZ comprises the subnet 192.0.2.64/29 and the Local
network is 192.0.2.72/29. The default gateway for hosts in the DMZ would be
configured to 192.0.2.66 and the default gateway for hosts in the local
network would be 192.0.2.73.</div>
<div align="left">
<p align="left">Notice that this arrangement is rather wasteful of public IP
addresses since it is using 192.0.2.64 and 192.0.2.72 for subnet addresses,
192.0.2.71 and 192.0.2.79 for subnet broadcast addresses and 192.0.2.66 and
168.0.2.73 for internal addresses on the firewall/router. Nevertheless, it
shows how subnetting can work and if we were dealing with a /24 rather than a
/28 network, the use of 6 IP addresses out of 256 would be justified because
of the simplicity of the setup.</div>
<div align="left">
<p align="left">The astute reader may have noticed that the Firewall/Router's
external interface is actually part of the DMZ subnet (192.0.2.64/29). What if
DMZ 1 (192.0.2.67) tries to communicate with 192.0.2.65? The routing table on
DMZ 1 will look like this:</div>
<div align="left">
<blockquote>
<pre>Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
192.0.2.64 0.0.0.0 255.255.255.248 U 40 0 0 eth0
0.0.0.0 192.0.2.66 0.0.0.0 UG 40 0 0 eth0</pre>
</blockquote>
</div>
<div align="left">
<p align="left">This means that DMZ 1 will send an ARP "who-has 192.0.2.65"
request and no device on the DMZ Ethernet segment has that IP address. Oddly
enough, the firewall will respond to the request with the MAC address of its
<u>DMZ Interface!!</u> DMZ 1 can then send Ethernet frames addressed to that
MAC address and the frames will be received (correctly) by the firewall/router.</div>
<div align="left">
<p align="left">It is this rather unexpected ARP behavior on the part of the
Linux Kernel that prompts the warning earlier in this guide regarding the
connecting of multiple firewall/router interfaces to the same hub or switch.
When an ARP request for one of the firewall/router's IP addresses is sent by
another system connected to the hub/switch, all
of the firewall's interfaces that connect to the hub/switch can respond! It
is then a race as to which "here-is" response reaches the sender first.</div>
<div align="left">
<h3 align="left"><a name="NonRouted"></a>5.2 Non-routed</h3>
</div>
<div align="left">
<p align="left">If you have the above situation but it is
non-routed, you can configure your network exactly as described above with one
additional twist; simply specify the "proxyarp" option on all three firewall
interfaces in the /etc/shorewall/interfaces file.</div>
<div align="left">
<p align="left">Most of us don't have the luxury of having enough public IP
addresses to set up our networks as shown in the preceding example (even if
the setup is routed). </div>
<div align="left">
<p align="left"><b>For the remainder of this section, assume that your ISP has
assigned you IP addresses 192.0.2.176-180 and has told you to use netmask
255.255.255.0 and default gateway 192.0.2.254.</b></div>
<div align="left">
<p align="left">Clearly, that set of addresses doesn't comprise a subnetwork
and there aren't enough addresses for all of the network interfaces. There are
four different techniques that can be used to work around this problem.</div>
<div align="left">
<ul>
<li>
<p align="left"><i>Source Network Address Translation </i>(SNAT).</li>
<li>
<p align="left"><i>Destination Network Address Translation </i>(DNAT) also
known as <i>Port Forwarding.</i></li>
<li>
<p align="left"><i>Proxy ARP.</i></li>
<li>
<p align="left"><i>Network Address Translation</i> (NAT) also referred to as
<i>Static NAT</i>.</li>
</ul>
</div>
<div align="left">
<p align="left">Often a combination of these techniques is used. Each of these
will be discussed in the sections that follow.</div>
<div align="left">
<h4 align="left"><a name="SNAT"></a> 5.2.1 SNAT</h4>
</div>
<div align="left">
<p align="left">With SNAT, an internal LAN segment is configured using RFC 1918
addresses. When a host <b>A </b>on this internal segment initiates a
connection to host <b>B</b> on the internet, the firewall/router rewrites the
IP header in the request to use one of your public IP addresses as the source
address. When <b>B</b> responds and the response is received by the firewall,
the firewall changes the destination address back to the RFC 1918 address of
<b>A</b> and forwards the response back to <b>A.</b></div>
<div align="left">
<p align="left">Let's suppose that you decide to use SNAT on your local zone
and use public address 192.0.2.176 as both your firewall's external IP address
and the source IP address of internet requests sent from that zone.</div>
<div align="left">
<h2 align="center">
<img border="0" src="images/dmz5.png" width="745" height="635"></h2>
</div>
<div align="left">
The local zone has been subnetted as 192.168.201.0/29 (netmask
255.255.255.248).</div>
<div align="left">
</div>
<div align="left">
<img border="0" src="images/BD21298_2.gif" width="13" height="13"> The systems in
the local zone would be configured with a default gateway of 192.168.201.1
(the IP address of the firewall's local interface).</div>
<div align="left">
</div>
<div align="left">
<img border="0" src="images/BD21298_2.gif" width="13" height="13"> SNAT is
configured in Shorewall using the <a href="Documentation.htm#Masq">
/etc/shorewall/masq file</a>.</div>
<div align="left">
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse" id="AutoNumber6">
<tr>
<td width="33%"><u><b>INTERFACE</b></u></td>
<td width="33%"><u><b>SUBNET</b></u></td>
<td width="34%"><u><b>ADDRESS</b></u></td>
</tr>
<tr>
<td width="33%">eth0</td>
<td width="33%">192.168.201.0/29</td>
<td width="34%">192.0.2.176</td>
</tr>
</table>
</blockquote>
</div>
<div align="left">
<p align="left">This example used the normal technique of assigning the same
public IP address for the firewall external interface and for SNAT. If you
wanted to use a different IP address, you would either have to use your
distributions network configuration tools to add that IP address to the
external interface or you could set ADD_SNAT_ALIASES=Yes in
/etc/shorewall/shorewall.conf and Shorewall will add the address for you.</div>
<div align="left">
<h4 align="left"><a name="DNAT"></a>5.2.2 DNAT</h4>
</div>
<div align="left">
<p align="left">When SNAT is used, it is impossible for hosts on the internet
to initiate a connection to one of the internal systems since those systems do
not have a public IP address. DNAT provides a way to allow selected
connections from the internet.</div>
<div align="left">
<p align="left"><img border="0" src="images/BD21298_2.gif" width="13" height="13">
Suppose that your daughter wants to run a web server on her system "Local 3". You
could allow connections to the internet to her server by adding the following
entry in <a href="Documentation.htm#Rules">/etc/shorewall/rules</a>:</div>
<div align="left">
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse" id="AutoNumber7">
<tr>
<td><u><b>ACTION</b></u></td>
<td><u><b>SOURCE</b></u></td>
<td><u><b>DESTINATION</b></u></td>
<td><u><b>PROTOCOL</b></u></td>
<td><u><b>PORT</b></u></td>
<td><u><b>SOURCE PORT</b></u></td>
<td><u><b>ORIGINAL DESTINATION</b></u></td>
</tr>
<tr>
<td>DNAT</td>
<td>net</td>
<td>loc:192.168.201.4</td>
<td>tcp</td>
<td>www</td>
<td>-</td>
<td>192.0.2.176</td>
</tr>
</table>
</blockquote>
</div>
<div align="left">
<p align="left">If one of your daughter's friends at address <b>A</b> wants to
access your daughter's server, she can connect to <a href="http://192.0.2.176">
http://192.0.2.176</a> (the firewall's external IP address) and the firewall
will rewrite the destination IP address to 192.168.201.4 (your daughter's system)
and forward the request. When your daughter's server responds, the firewall will
rewrite the source address back to 192.0.2.176 and send the response back to
<b>A.</b></div>
<div align="left">
<p align="left">This example used the firewall's external IP address for DNAT.
You can use another of your public IP addresses but Shorewall will not add
that address to the firewall's external interface for you.</div>
<div align="left">
<h4 align="left"><a name="ProxyARP"></a>5.2.3 Proxy ARP</h4>
</div>
<div align="left">
<p align="left">The idea behind proxy ARP is that:</div>
<div align="left">
<ul>
<li>
<p align="left">A host <b>H </b>behind your firewall is assigned one of your
public IP addresses (<b>A)</b> and is assigned the same netmask <b>(M) </b>as
the firewall's external interface.</li>
<li>
<p align="left">The firewall responds to ARP "who has" requests for <b>A.</b></li>
<li>
<p align="left">When <b>H</b> issues an ARP "who has" request for an address
in the subnetwork defined by <b>A</b> and <b>M</b>, the firewall will respond
(with the MAC if the firewall interface to <b>H</b>).</li>
</ul>
</div>
<div align="left">
<p align="left">Let suppose that we decide to use Proxy ARP on the DMZ in our
example network.</div>
<div align="left">
<p align="center">
<img border="0" src="images/dmz6.png" width="745" height="635"></div>
<div align="left">
Here, we've assigned the IP addresses 192.0.2.177 to system DMZ 1 and
192.0.2.178 to DMZ 2. Notice that we've just assigned an arbitrary RFC 1918 IP
address and subnet mask to the DMZ interface on the firewall. That address and
netmask isn't relevant - just be sure it doesn't overlap another subnet that
you've defined.</div>
<div align="left">
</div>
<div align="left">
<img border="0" src="images/BD21298_2.gif" width="13" height="13"> The Shorewall
configuration of Proxy ARP is done using the
<a href="Documentation.htm#ProxyArp">/etc/shorewall/proxyarp</a> file.</div>
<div align="left">
<blockquote>
<table border="1" cellpadding="2" id="AutoNumber8" style="border-collapse: collapse">
<tr>
<td><u><b>ADDRESS</b></u></td>
<td><u><b>INTERFACE</b></u></td>
<td><u><b>EXTERNAL</b></u></td>
<td><u><b>HAVE ROUTE</b></u></td>
</tr>
<tr>
<td>192.0.2.177</td>
<td>eth2</td>
<td>eth0</td>
<td>No</td>
</tr>
<tr>
<td>192.0.2.178</td>
<td>eth2</td>
<td>eth0</td>
<td>No</td>
</tr>
</table>
</blockquote>
</div>
<div align="left">
<p align="left">Because the HAVE ROUTE column contains No, Shorewall will add
host routes thru eth2 to 192.0.2.177 and 192.0.2.178.</div>
<div align="left">
<p align="left">A word of warning is in order here. ISPs typically configure
there routers with a long ARP cache timeout. If you move a system from
parallel to your firewall to behind your firewall with Proxy ARP, it will
probably be HOURS before that system can communicate with the internet. You
can call your ISP and ask them to purge the stale ARP cache entry but many
either can't or won't purge individual entries. You can determine if your
ISP's gateway ARP cache is stale using ping and tcpdump. Suppose that we
suspect that the gateway router has a stale ARP cache entry for 192.0.2.177.
On the firewall, run tcpdump as follows:</div>
<div align="left">
<pre> tcpdump -nei eth0 icmp</pre>
</div>
<div align="left">
<p align="left">Now from 192.0.2.177, ping the default gateway (which we are
assuming is 192.0.2.254):</div>
<div align="left">
<pre> ping 192.0.2.254</pre>
</div>
<div align="left">
<p align="left">We can now observe the tcpdump output:</div>
<div align="left">
<pre> 13:35:12.159321 <u>0:4:e2:20:20:33</u> 0:0:77:95:dd:19 ip 98: 192.0.2.177 > 192.0.2.254: icmp: echo request (DF)
13:35:12.207615 0:0:77:95:dd:19 <u>0:c0:a8:50:b2:57</u> ip 98: 192.0.2.254 > 192.0.2.177 : icmp: echo reply</pre>
</div>
<div align="left">
<p align="left">Notice that the source MAC address in the echo request is
different from the destination MAC address in the echo reply!! In this case
0:4:e2:20:20:33 was the MAC of the firewall's eth0 NIC while 0:c0:a8:50:b2:57
was the MAC address of DMZ 1. In other words, the gateway's ARP cache still
associates 192.0.2.177 with the NIC in DMZ 1 rather than with the firewall's
eth0.</div>
<div align="left">
<h4 align="left"><a name="NAT"></a>5.2.4 Static NAT</h4>
</div>
<div align="left">
<p align="left">With static NAT, you assign local systems RFC 1918 addresses
then establish a one-to-one mapping between those addresses and public IP
addresses. For outgoing connections SNAT occurs and on incoming connections
DNAT occurs. Let's go back to our earlier example involving your daughter's web
server running on system Local 3.</div>
<div align="left">
<p align="center"><img border="0" src="images/dmz5.png" width="745" height="635"></div>
<div align="left">
<p align="left">Recall that in this setup, the local network is using SNAT and
is sharing the firewall external IP (192.0.2.176) for outbound connections.
This is done with the following entry in /etc/shorewall/masq:</div>
<div align="left">
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse" id="AutoNumber6">
<tr>
<td width="33%"><u><b>INTERFACE</b></u></td>
<td width="33%"><u><b>SUBNET</b></u></td>
<td width="34%"><u><b>ADDRESS</b></u></td>
</tr>
<tr>
<td width="33%">eth0</td>
<td width="33%">192.168.201.0/29</td>
<td width="34%">192.0.2.176</td>
</tr>
</table>
</blockquote>
</div>
<div align="left">
<p align="left"><img border="0" src="images/BD21298_1.gif" width="13" height="13">
Suppose now that you have decided to give your daughter her own IP address
(192.0.2.179) for both inbound and outbound connections. You would do that by
adding an entry in <a href="Documentation.htm#NAT">/etc/shorewall/nat</a>.</div>
<div align="left">
<blockquote>
<table border="1" cellspacing="0" cellpadding="2" id="AutoNumber9" style="border-collapse: collapse">
<tr>
<td>EXTERNAL</td>
<td>INTERFACE</td>
<td>INTERNAL</td>
<td>ALL INTERFACES </td>
<td>LOCAL</td>
</tr>
<tr>
<td>192.0.2.179</td>
<td>eth0</td>
<td>192.168.201.4</td>
<td>No</td>
<td>No</td>
</tr>
</table>
</blockquote>
</div>
<div align="left">
<p align="left">With this entry in place, you daughter has her own IP address
and the other two local systems share the firewall's IP address.</div>
<div align="left">
<p align="left"><img border="0" src="images/BD21298_1.gif" width="13" height="13">
Once the relationship between 192.0.2.179 and 192.168.201.4 is established by
the nat file entry above, it is no longer
appropriate to use a DNAT rule for you daughter's web server -- you would
rather just use an ACCEPT rule:</div>
<div align="left">
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse" id="AutoNumber7">
<tr>
<td><u><b>ACTION</b></u></td>
<td><u><b>SOURCE</b></u></td>
<td><u><b>DESTINATION</b></u></td>
<td><u><b>PROTOCOL</b></u></td>
<td><u><b>PORT</b></u></td>
<td><u><b>SOURCE PORT</b></u></td>
<td><u><b>ORIGINAL DESTINATION</b></u></td>
</tr>
<tr>
<td>ACCEPT</td>
<td>net</td>
<td>loc:192.168.201.4</td>
<td>tcp</td>
<td>www</td>
<td> </td>
<td> </td>
</tr>
</table>
</blockquote>
</div>
<div align="left">
<h3 align="left"><a name="Rules"></a>5.3 Rules</h3>
</div>
<div align="left">
<p align="left"><img border="0" src="images/BD21298_1.gif" width="13" height="13">
With the default policies, your local systems (Local 1-3) can access any
servers on the internet and the DMZ can't access any other host (including the
firewall). With the exception of <a href="#DNAT">DNAT rules</a> which cause
address translation and allow the translated connection request to pass
through the firewall, the way to allow connection requests through your
firewall is to use ACCEPT rules.</div>
<div align="left">
<p align="left"><b>NOTE: Since the SOURCE PORT and ORIG. DEST. Columns aren't
used in this section, they won't be shown</b></div>
<div align="left">
<p align="left">You probably want to allow ping between your zones:</div>
<div align="left">
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse" id="AutoNumber7">
<tr>
<td><u><b>ACTION</b></u></td>
<td><u><b>SOURCE</b></u></td>
<td><u><b>DESTINATION</b></u></td>
<td><u><b>PROTOCOL</b></u></td>
<td><u><b>PORT</b></u></td>
</tr>
<tr>
<td>ACCEPT</td>
<td>net</td>
<td>dmz</td>
<td>icmp</td>
<td>echo-request</td>
</tr>
<tr>
<td>ACCEPT</td>
<td>net</td>
<td>loc</td>
<td>icmp</td>
<td>echo-request</td>
</tr>
<tr>
<td>ACCEPT</td>
<td>dmz</td>
<td>loc</td>
<td>icmp</td>
<td>echo-request</td>
</tr>
<tr>
<td>ACCEPT</td>
<td>loc</td>
<td>dmz</td>
<td>icmp</td>
<td>echo-request</td>
</tr>
</table>
</blockquote>
</div>
<div align="left">
<p align="left">Let's suppose that you run mail and pop3 servers on DMZ 2 and
a Web Server on DMZ 1. The rules that you would need are:</div>
<div align="left">
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse" id="AutoNumber7">
<tr>
<td><u><b>ACTION</b></u></td>
<td><u><b>SOURCE</b></u></td>
<td><u><b>DESTINATION</b></u></td>
<td><u><b>PROTOCOL</b></u></td>
<td><u><b>PORT</b></u></td>
<td><u><b>COMMENTS</b></u></td>
</tr>
<tr>
<td>ACCEPT</td>
<td>net</td>
<td>dmz:192.0.2.178</td>
<td>tcp</td>
<td>smtp</td>
<td># Mail from the Internet</td>
</tr>
<tr>
<td>ACCEPT</td>
<td>net</td>
<td>dmz:192.0.2.178</td>
<td>tcp</td>
<td>pop3</td>
<td># Pop3 from the Internet</td>
</tr>
<tr>
<td>ACCEPT</td>
<td>loc</td>
<td>dmz:192.0.2.178</td>
<td>tcp</td>
<td>smtp</td>
<td># Mail from the Local Network</td>
</tr>
<tr>
<td>ACCEPT</td>
<td>loc</td>
<td>dmz:192.0.2.178</td>
<td>tcp</td>
<td>pop3</td>
<td># Pop3 from the Local Network</td>
</tr>
<tr>
<td>ACCEPT</td>
<td>fw</td>
<td>dmz:192.0.2.178</td>
<td>tcp</td>
<td>smtp</td>
<td># Mail from the Firewall</td>
</tr>
<tr>
<td>ACCEPT</td>
<td>dmz:192.0.2.178</td>
<td>net</td>
<td>tcp</td>
<td>smtp</td>
<td># Mail to the Internet</td>
</tr>
<tr>
<td>ACCEPT</td>
<td>net</td>
<td>dmz:192.0.2.177</td>
<td>tcp</td>
<td>http</td>
<td># WWW from the Net</td>
</tr>
<tr>
<td>ACCEPT</td>
<td>net</td>
<td>dmz:192.0.2.177</td>
<td>tcp</td>
<td>https</td>
<td># Secure HTTP from the Net</td>
</tr>
<tr>
<td>ACCEPT</td>
<td>loc</td>
<td>dmz:192.0.2.177</td>
<td>tcp</td>
<td>https</td>
<td># Secure HTTP from the Local Net</td>
</tr>
</table>
</blockquote>
</div>
<div align="left">
<p align="left">If you run a public DNS server on 192.0.2.177, you would need
to add the following rules:</div>
<div align="left">
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse" id="AutoNumber7">
<tr>
<td><u><b>ACTION</b></u></td>
<td><u><b>SOURCE</b></u></td>
<td><u><b>DESTINATION</b></u></td>
<td><u><b>PROTOCOL</b></u></td>
<td><u><b>PORT</b></u></td>
<td><u><b>COMMENTS</b></u></td>
</tr>
<tr>
<td>ACCEPT</td>
<td>net</td>
<td>dmz:192.0.2.177</td>
<td>udp</td>
<td>domain</td>
<td># UDP DNS from the Internet</td>
</tr>
<tr>
<td>ACCEPT</td>
<td>net</td>
<td>dmz:192.0.2.177</td>
<td>tcp</td>
<td>domain</td>
<td># TCP DNS from the internet</td>
</tr>
<tr>
<td>ACCEPT</td>
<td>fw</td>
<td>dmz:192.0.2.177</td>
<td>udp</td>
<td>domain</td>
<td># UDP DNS from firewall</td>
</tr>
<tr>
<td>ACCEPT</td>
<td>fw</td>
<td>dmz:192.0.2.177</td>
<td>tcp</td>
<td>domain</td>
<td># TCP DNS from firewall</td>
</tr>
<tr>
<td>ACCEPT</td>
<td>loc</td>
<td>dmz:192.0.2.177</td>
<td>udp</td>
<td>domain</td>
<td># UDP DNS from the local Net</td>
</tr>
<tr>
<td>ACCEPT</td>
<td>loc</td>
<td>dmz:192.0.2.177</td>
<td>tcp</td>
<td>domain</td>
<td># TCP DNS from the local Net</td>
</tr>
<tr>
<td>ACCEPT</td>
<td>dmz:192.0.2.177</td>
<td>net</td>
<td>udp</td>
<td>domain</td>
<td># UDP DNS to the Internet</td>
</tr>
<tr>
<td>ACCEPT</td>
<td>dmz:192.0.2.177</td>
<td>net</td>
<td>tcp</td>
<td>domain</td>
<td># TCP DNS to the Internet</td>
</tr>
</table>
</blockquote>
</div>
<div align="left">
<p align="left">You probably want some way to communicate with your firewall
and DMZ systems from the local network -- I recommend SSH which through its
scp utility can also do publishing and software update distribution.</div>
<div align="left">
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse" id="AutoNumber7">
<tr>
<td><u><b>ACTION</b></u></td>
<td><u><b>SOURCE</b></u></td>
<td><u><b>DESTINATION</b></u></td>
<td><u><b>PROTOCOL</b></u></td>
<td><u><b>PORT</b></u></td>
<td><u><b>COMMENTS</b></u></td>
</tr>
<tr>
<td>ACCEPT</td>
<td>loc</td>
<td>dmz</td>
<td>tcp</td>
<td>ssh</td>
<td># SSH to the DMZ</td>
</tr>
<tr>
<td>ACCEPT</td>
<td>loc</td>
<td>fw</td>
<td>tcp</td>
<td>ssh</td>
<td># SSH to the Firewall</td>
</tr>
</table>
</blockquote>
</div>
<div align="left">
<h3 align="left"><a name="OddsAndEnds"></a>5.4 Odds and Ends</h3>
</div>
<div align="left">
<p align="left">The above discussion reflects my personal preference for using
Proxy ARP for my servers in my DMZ and SNAT/NAT for my local systems. I prefer
to use NAT only in cases where a system that is part of an RFC 1918 subnet
needs to have it's own public IP. </div>
<div align="left">
<p align="left"><img border="0" src="images/BD21298_2.gif" width="13" height="13">
If you haven't already, it would be a good idea to browse through
<a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</a> just to see
if there is anything there that might be of interest. You might also want to
look at the other configuration files that you haven't touched yet just to get
a feel for the other things that Shorewall can do.</div>
<div align="left">
<p align="left">In case you haven't been keeping score, here's the final set
of configuration files for our sample network. Only those that were modified
from the original installation are shown.</div>
<div align="left">
<p align="left">/etc/shorewall/interfaces (The "options" will be very
site-specific).</div>
<div align="left">
<blockquote>
<table border="1" cellpadding="0" cellspacing="0" style="border-collapse: collapse" id="AutoNumber4">
<tr>
<td><u><b>Zone</b></u></td>
<td><u><b>Interface</b></u></td>
<td><u><b>Broadcast</b></u></td>
<td><u><b>Options</b></u></td>
</tr>
<tr>
<td>net</td>
<td>eth0</td>
<td>detect</td>
<td>norfc1918,routefilter </td>
</tr>
<tr>
<td>loc</td>
<td>eth1</td>
<td>detect</td>
<td> </td>
</tr>
<tr>
<td>dmz</td>
<td>eth2</td>
<td>detect</td>
<td> </td>
</tr>
</table>
</blockquote>
</div>
<div align="left">
<p align="left">The setup described here requires that your network interfaces
be brought up before Shorewall can start. This opens a short window during
which you have no firewall protection. If you replace 'detect' with the actual
broadcast addresses in the entries above, you can bring up Shorewall before
you bring up your network interfaces.</div>
<div align="left">
<blockquote>
<table border="1" cellpadding="0" cellspacing="0" style="border-collapse: collapse" id="AutoNumber4">
<tr>
<td><u><b>Zone</b></u></td>
<td><u><b>Interface</b></u></td>
<td><u><b>Broadcast</b></u></td>
<td><u><b>Options</b></u></td>
</tr>
<tr>
<td>net</td>
<td>eth0</td>
<td>192.0.2.255</td>
<td>norfc1918,routefilter </td>
</tr>
<tr>
<td>loc</td>
<td>eth1</td>
<td>192.168.201.7</td>
<td> </td>
</tr>
<tr>
<td>dmz</td>
<td>eth2</td>
<td>192.168.202.7</td>
<td> </td>
</tr>
</table>
</blockquote>
</div>
<div align="left">
<p align="left">/etc/shorewall/masq - Local subnet</div>
<div align="left">
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse" id="AutoNumber6">
<tr>
<td width="33%"><u><b>INTERFACE</b></u></td>
<td width="33%"><u><b>SUBNET</b></u></td>
<td width="34%"><u><b>ADDRESS</b></u></td>
</tr>
<tr>
<td width="33%">eth0</td>
<td width="33%">192.168.201.0/29</td>
<td width="34%">192.0.2.176</td>
</tr>
</table>
</blockquote>
</div>
<div align="left">
<p align="left">/etc/shorewall/proxyarp - DMZ</div>
<div align="left">
<blockquote>
<table border="1" cellpadding="2" id="AutoNumber8" style="border-collapse: collapse">
<tr>
<td><u><b>ADDRESS</b></u></td>
<td><u><b>INTERFACE</b></u></td>
<td><u><b>EXTERNAL</b></u></td>
<td><u><b>HAVE ROUTE</b></u></td>
</tr>
<tr>
<td>192.0.2.177</td>
<td>eth2</td>
<td>eth0</td>
<td>No</td>
</tr>
<tr>
<td>192.0.2.178</td>
<td>eth2</td>
<td>eth0</td>
<td>No</td>
</tr>
</table>
</blockquote>
</div>
<div align="left">
<p align="left">/etc/shorewall/nat- Daughter's System</div>
<div align="left">
<blockquote>
<table border="1" cellpadding="2" id="AutoNumber9" style="border-collapse: collapse">
<tr>
<td>EXTERNAL</td>
<td>INTERFACE</td>
<td>INTERNAL</td>
<td>ALL INTERFACES </td>
<td>LOCAL</td>
</tr>
<tr>
<td>192.0.2.179</td>
<td>eth0</td>
<td>192.168.201.4</td>
<td>No</td>
<td>No</td>
</tr>
</table>
</blockquote>
</div>
<div align="left">
<p align="left">/etc/shorewall/rules</div>
<div align="left">
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse" id="AutoNumber7">
<tr>
<td><u><b>ACTION</b></u></td>
<td><u><b>SOURCE</b></u></td>
<td><u><b>DESTINATION</b></u></td>
<td><u><b>PROTOCOL</b></u></td>
<td><u><b>PORT</b></u></td>
<td><u><b>COMMENTS</b></u></td>
</tr>
<tr>
<td>ACCEPT</td>
<td>net</td>
<td>dmz:192.0.2.178</td>
<td>tcp</td>
<td>smtp</td>
<td># Mail from the Internet</td>
</tr>
<tr>
<td>ACCEPT</td>
<td>net</td>
<td>dmz:192.0.2.178</td>
<td>tcp</td>
<td>pop3</td>
<td># Pop3 from the Internet</td>
</tr>
<tr>
<td>ACCEPT</td>
<td>loc</td>
<td>dmz:192.0.2.178</td>
<td>tcp</td>
<td>smtp</td>
<td># Mail from the Local Network</td>
</tr>
<tr>
<td>ACCEPT</td>
<td>loc</td>
<td>dmz:192.0.2.178</td>
<td>tcp</td>
<td>pop3</td>
<td># Pop3 from the Local Network</td>
</tr>
<tr>
<td>ACCEPT</td>
<td>fw</td>
<td>dmz:192.0.2.178</td>
<td>tcp</td>
<td>smtp</td>
<td># Mail from the Firewall</td>
</tr>
<tr>
<td>ACCEPT</td>
<td>dmz:192.0.2.178</td>
<td>net</td>
<td>tcp</td>
<td>smtp</td>
<td># Mail to the Internet</td>
</tr>
<tr>
<td>ACCEPT</td>
<td>net</td>
<td>dmz:192.0.2.178</td>
<td>tcp</td>
<td>http</td>
<td># WWW from the Net</td>
</tr>
<tr>
<td>ACCEPT</td>
<td>net</td>
<td>dmz:192.0.2.178</td>
<td>tcp</td>
<td>https</td>
<td># Secure HTTP from the Net</td>
</tr>
<tr>
<td>ACCEPT</td>
<td>loc</td>
<td>dmz:192.0.2.178</td>
<td>tcp</td>
<td>https</td>
<td># Secure HTTP from the Local Net</td>
</tr>
<tr>
<td>ACCEPT</td>
<td>net</td>
<td>dmz:192.0.2.177</td>
<td>udp</td>
<td>domain</td>
<td># UDP DNS from the Internet</td>
</tr>
<tr>
<td>ACCEPT</td>
<td>net</td>
<td>dmz:192.0.2.177</td>
<td>tcp</td>
<td>domain</td>
<td># TCP DNS from the internet</td>
</tr>
<tr>
<td>ACCEPT</td>
<td>fw</td>
<td>dmz:192.0.2.177</td>
<td>udp</td>
<td>domain</td>
<td># UDP DNS from firewall</td>
</tr>
<tr>
<td>ACCEPT</td>
<td>fw</td>
<td>dmz:192.0.2.177</td>
<td>tcp</td>
<td>domain</td>
<td># TCP DNS from firewall</td>
</tr>
<tr>
<td>ACCEPT</td>
<td>loc</td>
<td>dmz:192.0.2.177</td>
<td>udp</td>
<td>domain</td>
<td># UDP DNS from the local Net</td>
</tr>
<tr>
<td>ACCEPT</td>
<td>loc</td>
<td>dmz:192.0.2.177</td>
<td>tcp</td>
<td>domain</td>
<td># TCP DNS from the local Net</td>
</tr>
<tr>
<td>ACCEPT</td>
<td>dmz:192.0.2.177</td>
<td>net</td>
<td>udp</td>
<td>domain</td>
<td># UDP DNS to the Internet</td>
</tr>
<tr>
<td>ACCEPT</td>
<td>dmz:192.0.2.177</td>
<td>net</td>
<td>tcp</td>
<td>domain</td>
<td># TCP DNS to the Internet</td>
</tr>
<tr>
<td>ACCEPT</td>
<td>net</td>
<td>dmz</td>
<td>icmp</td>
<td>echo-request</td>
<td># Ping</td>
</tr>
<tr>
<td>ACCEPT</td>
<td>net</td>
<td>loc</td>
<td>icmp</td>
<td>echo-request</td>
<td># "</td>
</tr>
<tr>
<td>ACCEPT</td>
<td>dmz</td>
<td>loc</td>
<td>icmp</td>
<td>echo-request</td>
<td># "</td>
</tr>
<tr>
<td>ACCEPT</td>
<td>loc</td>
<td>dmz</td>
<td>icmp</td>
<td>echo-request</td>
<td># "</td>
</tr>
<tr>
<td>ACCEPT</td>
<td>loc</td>
<td>dmz</td>
<td>tcp</td>
<td>ssh</td>
<td># SSH to the DMZ</td>
</tr>
<tr>
<td>ACCEPT</td>
<td>loc</td>
<td>fw</td>
<td>tcp</td>
<td>ssh</td>
<td># SSH to the Firewall</td>
</tr>
</table>
</blockquote>
</div>
<div align="left">
<h2 align="left"><a name="DNS"></a>6.0 DNS</h2>
</div>
<div align="left">
<p align="left">Given the collection of RFC 1918 and public addresses in this
setup, it only makes sense to have separate internal and external DNS servers.
You can combine the two into a single BIND 9 server using <i>Views.
</i>
If you are not interested in Bind 9 views, you can
<a href="#StartingAndStopping">go to the next section</a>.</div>
<div align="left">
<p align="left">Suppose that your domain is foobar.net and you want the two
DMZ systems named www.foobar.net and mail.foobar.net and you want the three
local systems named "winken.foobar.net, blinken.foobar.net and nod.foobar.net.
You want your firewall to be known as firewall.foobar.net externally and it's
interface to the local network to be know as gateway.foobar.net and its
interface to the dmz as dmz.foobar.net. Let's have the DNS server on
192.0.2.177 which will also be known by the name ns1.foobar.net.</div>
<div align="left">
<p align="left">The /etc/named.conf file would look like this:</div>
<div align="left">
<blockquote>
<div align="left">
<pre>options {
directory "/var/named";
listen-on { 127.0.0.1 ; 192.0.2.177; };
};
logging {
channel xfer-log {
file "/var/log/named/bind-xfer.log";
print-category yes;
print-severity yes;
print-time yes;
severity info;
};
category xfer-in { xfer-log; };
category xfer-out { xfer-log; };
category notify { xfer-log; };
};</pre>
</div>
<div align="left">
<pre>#
# This is the view presented to our internal systems
#
view "internal" {
#
# These are the clients that see this view
#
match-clients { 192.168.201.0/29;
192.168.202.0/29;
127.0.0/24;
192.0.2.176/32;
192.0.2.178/32;
192.0.2.179/32;
192.0.2.180/32; };
#
# If this server can't complete the request, it should use outside
# servers to do so
#
recursion yes;
zone "." in {
type hint;
file "int/root.cache";
};
zone "foobar.net" in {
type master;
notify no;
allow-update { none; };
file "int/db.foobar";
};
zone "0.0.127.in-addr.arpa" in {
type master;
notify no;
allow-update { none; };
file "int/db.127.0.0";
};
zone "201.168.192.in-addr.arpa" in {
type master;
notify no;
allow-update { none; };
file "int/db.192.168.201";
};
zone "202.168.192.in-addr.arpa" in {
type master;
notify no;
allow-update { none; };
file "int/db.192.168.202";
};
zone "176.2.0.192.in-addr.arpa" in {
type master;
notify no;
allow-update { none; };
file "db.192.0.2.176";
};
zone "177.2.0.192.in-addr.arpa" in {
type master;
notify no;
allow-update { none; };
file "db.192.0.2.177";
};
zone "178.2.0.192.in-addr.arpa" in {
type master;
notify no;
allow-update { none; };
file "db.192.0.2.178";
};
zone "179.2.0.192.in-addr.arpa" in {
type master;
notify no;
allow-update { none; };
file "db.206.124.146.179";
};
};
#
# This is the view that we present to the outside world
#
view "external" {
match-clients { any; };
#
# If we can't answer the query, we tell the client so
#
recursion no;
zone "foobar.net" in {
type master;
notify yes;
allow-update {none; };
allow-transfer { <i><secondary NS IP></i>; };
file "ext/db.foobar";
};
zone "176.2.0.192.in-addr.arpa" in {
type master;
notify yes;
allow-update { none; };
allow-transfer { <i><secondary NS IP></i>; };
file "db.192.0.2.176";
};
zone "177.2.0.192.in-addr.arpa" in {
type master;
notify yes;
allow-update { none; };
allow-transfer { <i><secondary NS IP></i>; };
file "db.192.0.2.177";
};
zone "178.2.0.192.in-addr.arpa" in {
type master;
notify yes;
allow-update { none; };
allow-transfer { <i><secondary NS IP></i>; };
file "db.192.0.2.178";
};
zone "179.2.0.192.in-addr.arpa" in {
type master;
notify yes;
allow-update { none; };
allow-transfer { <i><secondary NS IP></i>; };
file "db.192.0.2.179";
};
};</pre>
</div>
</blockquote>
</div>
<div align="left">
<p align="left">Here are the files in /var/named (those not shown are usually
included in your bind disbribution).<p align="left">db.192.0.2.176 - This is
the reverse zone for the firewall's external interface<blockquote>
<pre>; ############################################################
; Start of Authority (Inverse Address Arpa) for 192.0.2.176/32
; Filename: db.192.0.2.176
; ############################################################
@ 604800 IN SOA ns1.foobar.net. netadmin.foobar.net. (
2001102303 ; serial
10800 ; refresh (3 hour)
3600 ; retry (1 hour)
604800 ; expire (7 days)
86400 ) ; minimum (1 day)
;
; ############################################################
; Specify Name Servers for all Reverse Lookups (IN-ADDR.ARPA)
; ############################################################
@ 604800 IN NS ns1.foobar.net.
@ 604800 IN NS <i><name of secondary ns></i>.
;
; ############################################################
; Iverse Address Arpa Records (PTR's)
; ############################################################
176.2.0.192.in-addr.arpa. 86400 IN PTR firewall.foobar.net.
</pre>
</blockquote>
</div>
<div align="left">
<div align="left">
db.192.0.2.177 - This is the reverse zone for the www/DNS server<blockquote>
<pre>; ############################################################
; Start of Authority (Inverse Address Arpa) for 192.0.2.177/32
; Filename: db.192.0.2.177
; ############################################################
@ 604800 IN SOA ns1.foobar.net. netadmin.foobar.net. (
2001102303 ; serial
10800 ; refresh (3 hour)
3600 ; retry (1 hour)
604800 ; expire (7 days)
86400 ) ; minimum (1 day)
;
; ############################################################
; Specify Name Servers for all Reverse Lookups (IN-ADDR.ARPA)
; ############################################################
@ 604800 IN NS ns1.foobar.net.
@ 604800 IN NS <i><name of secondary ns></i>.
;
; ############################################################
; Iverse Address Arpa Records (PTR's)
; ############################################################
177.2.0.192.in-addr.arpa. 86400 IN PTR www.foobar.net.
</pre>
</blockquote>
</div>
</div>
<div align="left">
<div align="left">
db.192.0.2.178 - This is the reverse zone for the mail server<blockquote>
<pre>; ############################################################
; Start of Authority (Inverse Address Arpa) for 192.0.2.178/32
; Filename: db.192.0.2.178
; ############################################################
@ 604800 IN SOA ns1.foobar.net. netadmin.foobar.net. (
2001102303 ; serial
10800 ; refresh (3 hour)
3600 ; retry (1 hour)
604800 ; expire (7 days)
86400 ) ; minimum (1 day)
;
; ############################################################
; Specify Name Servers for all Reverse Lookups (IN-ADDR.ARPA)
; ############################################################
@ 604800 IN NS ns1.foobar.net.
@ 604800 IN NS <i><name of secondary ns></i>.
;
; ############################################################
; Iverse Address Arpa Records (PTR's)
; ############################################################
178.2.0.192.in-addr.arpa. 86400 IN PTR mail.foobar.net.
</pre>
</blockquote>
</div>
</div>
<div align="left">
<div align="left">
db.192.0.2.179 - This is the reverse zone for daughter's web server's public
IP<blockquote>
<pre>; ############################################################
; Start of Authority (Inverse Address Arpa) for 192.0.2.179/32
; Filename: db.192.0.2.179
; ############################################################
@ 604800 IN SOA ns1.foobar.net. netadmin.foobar.net. (
2001102303 ; serial
10800 ; refresh (3 hour)
3600 ; retry (1 hour)
604800 ; expire (7 days)
86400 ) ; minimum (1 day)
;
; ############################################################
; Specify Name Servers for all Reverse Lookups (IN-ADDR.ARPA)
; ############################################################
@ 604800 IN NS ns1.foobar.net.
@ 604800 IN NS <i><name of secondary ns></i>.
;
; ############################################################
; Iverse Address Arpa Records (PTR's)
; ############################################################
179.2.0.192.in-addr.arpa. 86400 IN PTR nod.foobar.net.
</pre>
</blockquote>
</div>
</div>
<div align="left">
<p align="left">int/db.127.0.0 - The reverse zone for localhost</div>
<div align="left">
<blockquote>
<pre>; ############################################################
; Start of Authority (Inverse Address Arpa) for 127.0.0.0/8
; Filename: db.127.0.0
; ############################################################
@ 604800 IN SOA ns1.foobar.net. netadmin.foobar.net. (
2001092901 ; serial
10800 ; refresh (3 hour)
3600 ; retry (1 hour)
604800 ; expire (7 days)
86400 ) ; minimum (1 day)
; ############################################################
; Specify Name Servers for all Reverse Lookups (IN-ADDR.ARPA)
; ############################################################
@ 604800 IN NS ns1.foobar.net.
; ############################################################
; Iverse Address Arpa Records (PTR's)
; ############################################################
1 86400 IN PTR localhost.foobar.net.</pre>
</blockquote>
</div>
<div align="left">
<p align="left">int/db.192.168.201 - Reverse zone for the local net. This is
only shown to internal clients</div>
<div align="left">
<blockquote>
<pre>; ############################################################
; Start of Authority (Inverse Address Arpa) for 192.168.201.0/29
; Filename: db.192.168.201
; ############################################################
@ 604800 IN SOA ns1.foobar.net netadmin.foobar.net. (
2002032501 ; serial
10800 ; refresh (3 hour)
3600 ; retry (1 hour)
604800 ; expire (7 days)
86400 ) ; minimum (1 day)
; ############################################################
; Specify Name Servers for all Reverse Lookups (IN-ADDR.ARPA)
; ############################################################
@ 604800 IN NS ns1.foobar.net.
; ############################################################
; Iverse Address Arpa Records (PTR's)
; ############################################################
1 86400 IN PTR gateway.foobar.net.
2 86400 IN PTR winken.foobar.net.
3 86400 IN PTR blinken.foobar.net.
4 86400 IN PTR nod.foobar.net.</pre>
</blockquote>
</div>
<div align="left">
<p align="left">int/db.192.168.202 - Reverse zone for the firewall's DMZ
interface</div>
<div align="left">
<blockquote>
<div align="left">
<pre>; ############################################################
; Start of Authority (Inverse Address Arpa) for 192.168.202.0/29
; Filename: db.192.168.202
; ############################################################
@ 604800 IN SOA ns1.foobar.net netadmin.foobar.net. (
2002032501 ; serial
10800 ; refresh (3 hour)
3600 ; retry (1 hour)
604800 ; expire (7 days)
86400 ) ; minimum (1 day)
; ############################################################
; Specify Name Servers for all Reverse Lookups (IN-ADDR.ARPA)
; ############################################################
@ 604800 IN NS ns1.foobar.net.
; ############################################################
; Iverse Address Arpa Records (PTR's)
; ############################################################
1 86400 IN PTR dmz.foobar.net.</pre>
</div>
</blockquote>
</div>
<div align="left">
<p align="left">int/db.foobar - Forward zone for use by internal clients.</div>
<div align="left">
<blockquote>
<pre>;##############################################################
; Start of Authority for foobar.net.
; Filename: db.foobar
;##############################################################
@ 604800 IN SOA ns1.foobar.net. netadmin.foobar.net. (
2002071501 ; serial
10800 ; refresh (3 hour)
3600 ; retry (1 hour)
604800 ; expire (7 days)
86400 ); minimum (1 day)
;############################################################
; foobar.net Nameserver Records (NS)
;############################################################
@ 604800 IN NS ns1.foobar.net.
;############################################################
; Foobar.net Office Records (ADDRESS)
;############################################################
localhost 86400 IN A 127.0.0.1
firewall 86400 IN A 192.0.2.176
www 86400 IN A 192.0.2.177
ns1 86400 IN A 192.0.2.177
www 86400 IN A 192.0.2.177
gateway 86400 IN A 192.168.201.1
winken 86400 IN A 192.168.201.2
blinken 86400 IN A 192.168.201.3
nod 86400 IN A 192.168.201.4</pre>
</blockquote>
</div>
<div align="left">
<p align="left">ext/db.foobar - Forward zone for external clients</div>
<div align="left">
<blockquote>
<div align="left">
<pre>;##############################################################
; Start of Authority for foobar.net.
; Filename: db.foobar
;##############################################################
@ 86400 IN SOA ns1.foobar.net. netadmin.foobar.net. (
2002052901 ; serial
10800 ; refresh (3 hour)
3600 ; retry (1 hour)
604800 ; expire (7 days)
86400 ); minimum (1 day)
;############################################################
; Foobar.net Nameserver Records (NS)
;############################################################
@ 86400 IN NS ns1.foobar.net.
@ 86400 IN NS <i><secondary NS></i>.
;############################################################
; Foobar.net Foobar Wa Office Records (ADDRESS)
;############################################################
localhost 86400 IN A 127.0.0.1
;
; The firewall itself
;
firewall 86400 IN A 192.0.2.176
;
; The DMZ
;
ns1 86400 IN A 192.0.2.177
www 86400 IN A 192.0.2.177
mail 86400 IN A 192.0.2.178
;
; The Local Network
;
nod 86400 IN A 192.0.2.179
;############################################################
; Current Aliases for foobar.net (CNAME)
;############################################################
;############################################################
; foobar.net MX Records (MAIL EXCHANGER)
;############################################################
foobar.net. 86400 IN A 192.0.2.177
86400 IN MX 0 mail.foobar.net.
86400 IN MX 1 <i><backup MX></i>.</pre>
</div>
</blockquote>
</div>
<div align="left">
<h2 align="left"><a name="StartingAndStopping"></a>7.0 Starting and Stopping Your Firewall</h2>
</div>
<div align="left">
<p align="left">The <a href="Install.htm">installation procedure </a>
configures your system to start Shorewall at system boot.</div>
<div align="left">
<p align="left">The firewall is started using the "shorewall start" command
and stopped using "shorewall stop". When the firewall is stopped, routing is
enabled on those hosts that have an entry in
<a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. A
running firewall may be restarted using the "shorewall restart" command. If
you want to totally remove any trace of Shorewall from your Netfilter
configuration, use "shorewall clear".</div>
<div align="left">
<p align="left"><img border="0" src="images/BD21298_2.gif" width="13" height="13">
Edit the /etc/shorewall/routestopped file and configure those systems that you
want to be able to access the firewall when it is stopped.</div>
<div align="left">
<p align="left"><b>WARNING: </b>If you are connected to your firewall from the
internet, do not issue a "shorewall stop" command unless you have added an
entry for the IP address that you are connected from to
<a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
Also, I don't recommend using "shorewall restart"; it is better to create an
<i><a href="Documentation.htm#Configs">alternate configuration</a></i> and
test it using the <a href="Documentation.htm#Starting">"shorewall try" command</a>.</div>
<p align="left"><font size="2">Last updated
8/10/2002 - <a href="support.htm">Tom
Eastep</a></font></p>
<p align="left"><a href="copyright.htm"><font size="2">Copyright 2002 Thomas M. Eastep</font></a></p>
</body>
</html>