About My Network Tom Eastep 2004-02-08 2001-2004 Thomas M. Eastep Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled GNU Free Documentation License.
My Current Network I use a combination of One-to-one NAT and Proxy ARP, neither of which are relevant to a simple configuration with a single public IP address. If you have just a single public IP address, most of what you see here won't apply to your setup so beware of copying parts of this configuration and expecting them to work for you. What you copy may or may not work in your configuration. The configuration shown here corresponds to Shorewall version 2.0.0-Beta1. It may use features not available in earlier Shorewall releases. I have DSL service and have 5 static IP addresses (206.124.146.176-180). My DSL modem (Fujitsu Speedport) is connected to eth0. I have a local network connected to eth2 (subnet 192.168.1.0/24), a DMZ connected to eth1 (192.168.2.0/24) and a Wireless network connected to eth3 (192.168.3.0/24). I use: One-to-one NAT for Ursa (my personal system that dual-boots Mandrake 9.2 and Windows XP) - Internal address 192.168.1.5 and external address 206.124.146.178. One-to-one NAT for EastepLaptop (My work system -- Windows XP SP2). Internal address 192.168.1.7 and external address 206.124.146.180. SNAT through 206.124.146.179 for  my SuSE 9.0 Linux system (Wookie), my Wife's Windows XP system (Tarry), and our  Windows XP laptop (Tipper) which connects through the Wireless Access Point (wap) via a Wireless Bridge (bridge).While the distance between the WAP and where I usually use the laptop isn't very far (25 feet or so), using a WAC11 (CardBus wireless card) has proved very unsatisfactory (lots of lost connections). By replacing the WAC11 with the WET11 wireless bridge, I have virtually eliminated these problems (Being an old radio tinkerer (K7JPV), I was also able to eliminate the disconnects by hanging a piece of aluminum foil on the family room wall. Needless to say, my wife Tarry rejected that as a permanent solution :-). The firewall runs on a 256MB PII/233 with Debian Sarge (Testing). Wookie, Ursa and the Firewall all run Samba and the Firewall acts as a WINS server. The wireless network connects to eth3 via a LinkSys WAP11.  In additional to using the rather weak WEP 40-bit encryption (64-bit with the 24-bit preamble), I use MAC verification. This is still a weak combination and if I lived near a wireless hot spot, I would probably add IPSEC or something similar to my WiFi->local connections. The single system in the DMZ (address 206.124.146.177) runs postfix, Courier IMAP (imaps and pop3), DNS, a Web server (Apache) and an FTP server (Pure-ftpd) under RedHat 9.0. The system also runs fetchmail to fetch our email from our old and current ISPs. That server is managed through Proxy ARP. The firewall system itself runs a DHCP server that serves the local network. All administration and publishing is done using ssh/scp. I have a desktop environment installed on the firewall but I am not usually logged in to it. X applications tunnel through SSH to Ursa. The server also has a desktop environment installed and that desktop environment is available via XDMCP from the local zone. For the most part though, X tunneled through SSH is used for server administration and the server runs at run level 3 (multi-user console mode on RedHat). I run an SNMP server on my firewall to serve MRTG running in the DMZ.The ethernet interface in the Server is configured with IP address 206.124.146.177, netmask 255.255.255.0. The server's default gateway is 206.124.146.254 (Router at my ISP. This is the same default gateway used by the firewall itself). On the firewall, an entry in my /etc/network/interfaces file (see below) adds a host route to 206.124.146.177 through eth1 when that interface is brought up. Ursa (192.168.1.5 A.K.A. 206.124.146.178) runs a PPTP server for Road Warrior access.
Shorewall.conf
LOGFILE=/var/log/messages LOGRATE= LOGBURST= LOGUNCLEAN=$LOG BLACKLIST_LOGLEVEL= LOGNEWNOTSYN=$LOG MACLIST_LOG_LEVEL=$LOG TCP_FLAGS_LOG_LEVEL=$LOG RFC1918_LOG_LEVEL=$LOG SMURF_LOG_LEVEL= PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin SHOREWALL_SHELL=/bin/ash SUBSYSLOCK= #I run Debian which doesn't use service locks STATEDIR=/var/state/shorewall MODULESDIR= FW=fw IP_FORWARDING=On ADD_IP_ALIASES=Yes ADD_SNAT_ALIASES=Yes TC_ENABLED=Yes CLEAR_TC=No MARK_IN_FORWARD_CHAIN=No CLAMPMSS=Yes ROUTE_FILTER=No DETECT_DNAT_IPADDRS=Yes MUTEX_TIMEOUT=60 NEWNOTSYN=Yes BLACKLISTNEWONLY=Yes BLACKLIST_DISPOSITION=DROP MACLIST_DISPOSITION=REJECT TCP_FLAGS_DISPOSITION=DROP
Params File (Edited)
MIRRORS=<list of shorewall mirror ip addresses> NTPSERVERS=<list of the NTP servers I sync with> TEXAS=<ip address of gateway in Dallas> LOG=info
Zones File
#ZONE DISPLAY COMMENTS net Internet Internet WiFi Wireless Wireless Network on eth3 dmz DMZ Demilitarized zone loc Local Local networks tx Texas Peer Network in Dallas #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
Interfaces File
This is set up so that I can start the firewall before bringing up my Ethernet interfaces. #ZONE INERFACE BROADCAST OPTIONS net eth0 206.124.146.255 dhcp,norfc1918,routefilter,blacklist,tcpflags,nosmurfs loc eth2 192.168.1.255 dhcp,detectnets dmz eth1 192.168.2.255 WiFi eth3 192.168.3.255 dhcp,maclist,detectnets - texas 192.168.9.255 #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
Hosts File
#ZONE HOST(S) OPTIONS tx              texas:192.168.8.0/22 #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
Routestopped File
#INTERFACE HOST(S) eth1 206.124.146.177 eth2 - eth3 192.168.3.0/24 #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
RFC1918 File
I use a stripped-down file which doesn't have to be updated when the IANA allocates a block of IP addresses.
#SUBNET TARGET 169.254.0.0/16 DROP # DHCP autoconfig 172.16.0.0/12 logdrop # RFC 1918 192.0.2.0/24 logdrop # Example addresses 192.168.0.0/16 logdrop # RFC 1918 10.24.60.56 DROP # Some idiot in my broadcast domain # has a box configured with this # address. 10.0.0.0/8 logdrop # Reserved (RFC 1918)
Blacklist File (Partial)
#ADDRESS/SUBNET PROTOCOL PORT 0.0.0.0/0 udp 1434 0.0.0.0/0 tcp 1433 0.0.0.0/0 tcp 8081 0.0.0.0/0 tcp 57 #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
Policy File
#SOURCE DESTINATION POLICY LOG LEVEL BURST:LIMIT fw fw ACCEPT # For testing fw->fw rules loc net ACCEPT # Allow all net traffic from local net $FW loc ACCEPT # Allow local access from the firewall $FW tx ACCEPT # Allow firewall access to texas loc tx ACCEPT # Allow local net access to texas loc fw REJECT $LOG # Reject loc->fw and log WiFi net ACCEPT # Allow internet access from wirless net all DROP $LOG 10/sec:40 # Rate limit and # DROP net->all all all REJECT $LOG # Reject and log the rest #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
Masq File
Although most of our internal systems use one-to-one NAT, my wife's system (192.168.1.4) uses IP Masquerading (actually SNAT) as does my SuSE system (192.168.1.3), our laptop (192.168.3.8) and visitors with laptops. #INTERFACE SUBNET ADDRESS eth0:2 eth2 206.124.146.179 eth0 eth3 206.124.146.179 #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
NAT File
#EXTERNAL INTERFACE INTERNAL ALL INTERFACES LOCAL 206.124.146.178 eth0:0 192.168.1.5 No No 206.124.146.180 eth0:1 192.168.1.7 No No # # The following entry allows the server to be accessed through an address in # the local network. This is convenient when I'm on the road and connected # to the PPTP server. By doing this, I don't need to set my client's default # gateway to route through the tunnel. # 192.168.1.193 eth2:0 206.124.146.177 No No #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
Proxy ARP File
#ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT 206.124.146.177 eth1 eth0 Yes #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
Tunnels File (Shell variable TEXAS set in /etc/shorewall/params)
#TYPE ZONE GATEWAY GATEWAY ZONE PORT gre net $TEXAS #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
Actions File
#ACTION DropSMB #Silently Drops Microsoft SMB Traffic RejectSMB #Silently Reject Microsoft SMB Traffic DropUPnP #Silently Drop UPnP Probes RejectAuth #Silently Reject Auth DropPing #Silently Drop Ping DropDNSrep #Silently Drop DNS Replies AllowPing #Accept Ping Mirrors #Accept traffic from the Shorewall Mirror sites MyDrop:DROP #My DROP common action MyReject:REJECT #My REJECT common action #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
action.Mirrors File
The $MIRRORS variable expands to a list of approximately 10 IP addresses. So moving these checks into a separate chain reduces the number of rules that most net->dmz traffic needs to traverse. #TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE # PORT PORT(S) DEST LIMIT ACCEPT $MIRRORS #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
action.MyDrop
This is my common action for the DROP policy. It is like the standard Reject action except that it allows Ping. #TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ # PORT(S) PORT(S) LIMIT GROUP RejectAuth AllowPing dropBcast DropSMB DropUPnP dropNonSyn DropDNSrep
action.MyReject
This is my common action for the REJECT policy. It is like the standard Drop action except that it allows Ping. #TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ # PORT(S) PORT(S) LIMIT GROUP RejectAuth AllowPing dropBcast RejectSMB DropUPnP dropNonSyn DropDNSrep DROP loc:eth2:!192.168.1.0/24 #So that my braindead Windows[tm] XP system doesn't flood my log #with NTP requests with a source address in 16.0.0.0/8 (address of #its PPTP tunnel to HP).
Rules File (The shell variables are set in /etc/shorewall/params)
############################################################################################################################################################################### #RESULT CLIENT(S) SERVER(S) PROTO PORT(S) CLIENT ORIGINAL RATE USER # PORT(S) DEST:SNAT SET ############################################################################################################################################################################### # Local Network to Internet - Reject attempts by Trojans to call home # REJECT:$LOG loc net tcp 6667 # # Stop NETBIOS crap since our policy is ACCEPT # REJECT loc net tcp 137,445 REJECT loc net udp 137:139 # DROP loc:!192.168.1.0/24 net QUEUE loc net udp QUEUE loc fw udp QUEUE loc net tcp ############################################################################################################################################################################### # Local Network to Firewall # DROP loc:!192.168.1.0/24 fw ACCEPT loc fw tcp ssh,time,10000,swat,137,139,445 ACCEPT loc fw udp snmp,ntp,445 ACCEPT loc fw udp 137:139 ACCEPT loc fw udp 1024: 137 ############################################################################################################################################################################### # Local Network to DMZ # DROP loc:!192.168.1.0/24 dmz REJECT loc dmz tcp 465 ACCEPT loc dmz udp domain,xdmcp ACCEPT loc dmz tcp www,smtp,domain,ssh,imap,https,imaps,cvspserver,ftp,10000,8080,10027,pop3 - ############################################################################################################################################################################### # Internet to DMZ # DNAT- net dmz:206.124.146.177 tcp smtp - 206.124.146.179,206.124.146.178 ACCEPT net dmz tcp smtp,www,ftp,imaps,domain,cvspserver,https - ACCEPT net dmz udp domain ACCEPT net dmz udp 33434:33436 Mirrors net dmz tcp rsync #ACCEPT:$LOG net dmz tcp 32768:61000 20 ############################################################################################################################################################################### # # Net to Local # # When I'm "on the road", the following two rules allow me VPN access back home. # ACCEPT net loc:192.168.1.5 tcp 1723 ACCEPT net loc:192.168.1.5 gre # # ICQ # ACCEPT net loc:192.168.1.5 tcp 4000:4100 # # Real Audio # ACCEPT net loc:192.168.1.5 udp 6970:7170 # # Overnet # #ACCEPT net loc:192.168.1.5 tcp 4662 #ACCEPT net loc:192.168.1.5 udp 12112 ############################################################################################################################################################################### # DMZ to Internet # ACCEPT dmz net tcp smtp,domain,www,https,whois,echo,2702,21,2703,ssh,8080 ACCEPT dmz net udp domain ACCEPT dmz net:$POPSERVERS tcp pop3 #ACCEPT dmz net:206.191.151.2 tcp pop3 #ACCEPT dmz net:66.216.26.115 tcp pop3 # # Something is wrong with the FTP connection tracking code or there is some client out there # that is sending a PORT command which that code doesn't understand. Either way, # the following works around the problem. # ACCEPT:$LOG dmz net tcp 1024: 20 ############################################################################################################################################################################### # DMZ to Firewall -- ntp & snmp, Silently reject Auth # ACCEPT dmz fw udp ntp ntp ACCEPT dmz fw tcp snmp,ssh ACCEPT dmz fw udp snmp REJECT dmz fw tcp auth ############################################################################################################################################################################### # DMZ to Internet # ACCEPT dmz net tcp smtp,domain,www,https,whois,echo,2702,21,2703,ssh,8080 ACCEPT dmz net udp domain ACCEPT dmz net:$POPSERVERS tcp pop3 #ACCEPT dmz net:206.191.151.2 tcp pop3 #ACCEPT dmz net:66.216.26.115 tcp pop3 # # Something is wrong with the FTP connection tracking code or there is some client out there # that is sending a PORT command which that code doesn't understand. Either way, # the following works around the problem. # ACCEPT:$LOG dmz net tcp 1024: 20 ############################################################################################################################################################################### # DMZ to Firewall -- ntp & snmp, Silently reject Auth # ACCEPT dmz fw udp ntp ntp ACCEPT dmz fw tcp snmp,ssh ACCEPT dmz fw udp snmp REJECT dmz fw tcp auth ############################################################################################################################################################################### # # DMZ to Local Network # ACCEPT dmz loc tcp smtp,6001:6010 ACCEPT dmz loc tcp 111 ACCEPT dmz loc udp ############################################################################################################################################################################### # Internet to Firewall # REJECT net fw tcp www ACCEPT net dmz udp 33434:33435 ############################################################################################################################################################################### # WIFI to Firewall # ACCEPT WiFi fw tcp ssh,137,139,445 ACCEPT WiFi fw udp 137:139,445 ACCEPT WiFi fw udp 1024: 137 ACCEPT WiFi fw udp ntp ntp ############################################################################################################################################################################### # Firewall to WIFI # ACCEPT fw WiFi tcp 137,139,445 ACCEPT fw WiFi udp 137:139,445 ACCEPT fw WiFi udp 1024: 137 ACCEPT fw WiFi udp ntp ntp ############################################################################################################################################################################## # WIFI to DMZ # DNAT- WiFi dmz:206.124.146.177 all - - 192.168.1.193 ACCEPT WiFi dmz tcp smtp,www,ftp,imaps,domain,https,ssh,8080 - ACCEPT WiFi dmz udp domain ############################################################################################################################################################################## # WIFI to loc # ACCEPT WiFi loc udp 137:139 ACCEPT WiFi loc tcp 22,80,137,139,445,901,3389 ACCEPT WiFi loc udp 1024: 137 ACCEPT WiFi loc udp 177 ############################################################################################################################################################################## # loc to WiFi # ACCEPT loc WiFi udp 137:139 ACCEPT loc WiFi tcp 137,139,445 ACCEPT loc WiFi udp 1024: 137 ACCEPT loc WiFi tcp 6000:6010 ############################################################################################################################################################################### # Firewall to Internet # ACCEPT fw net:$NTPSERVERS udp ntp ntp #ACCEPT fw net:$POPSERVERS tcp pop3 ACCEPT fw net udp domain ACCEPT fw net tcp domain,www,https,ssh,1723,whois,1863,ftp,2702,2703,7 ACCEPT fw net udp 33435:33535 ACCEPT fw net icmp ############################################################################################################################################################################### # Firewall to DMZ # ACCEPT fw dmz tcp www,ftp,ssh,smtp ACCEPT fw dmz udp domain REJECT fw dmz udp 137:139 ############################################################################################################################################################################### # Ping # ACCEPT all all icmp 8 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
/etc/network/interfaces
This file is Debian specific. My additional entry (which is displayed in bold type) adds a route to my DMZ server when eth1 is brought up. It allows me to enter Yes in the HAVEROUTE column of my Proxy ARP file. ... auto eth1 iface eth1 inet static address 192.168.2.1 netmask 255.255.255.0 network 192.168.2.0 broadcast 192.168.2.255 up ip route add 206.124.146.177 dev eth1 ...
/etc/dhcpd.conf (MAC Addresses Omitted)
While this is a little off-topic, I've included it to show how to set up DHCP on two interfaces.default-lease-time 67200; max-lease-time 67200; get-lease-hostnames on; group { option subnet-mask 255.255.255.0; option broadcast-address 192.168.1.255; option routers 192.168.1.254; option ntp-servers 192.168.1.254; option domain-name-servers 192.168.1.193; option netbios-name-servers 192.168.1.254; option domain-name "shorewall.net"; option netbios-dd-server 192.168.1.254; option netbios-node-type 8; option netbios-scope ""; subnet 192.168.1.0 netmask 255.255.255.0 { range 192.168.1.11 192.168.1.20; } host ursa.shorewall.net { hardware ethernet …; fixed-address 192.168.1.5; } host eastept1 { hardware ethernet …; fixed-address 192.168.1.7; } host tarry { hardware ethernet …; fixed-address 192.168.1.4; } host wookie.shorewall.net { hardware ethernet …; fixed-address 192.168.1.3; } host testws.shorewall.net { hardware ethernet …; fixed-address 192.168.1.6; } host printer.shorewall.net { hardware ethernet …; fixed-address 192.168.1.10; } } group { option subnet-mask 255.255.255.0; option broadcast-address 192.168.3.255; option routers 192.168.3.254; option ntp-servers 192.168.3.254; option domain-name-servers 206.124.146.177; option netbios-name-servers 192.168.3.254; option domain-name "shorewall.net"; option netbios-dd-server 192.168.3.254; option netbios-node-type 8; option netbios-scope ""; subnet 192.168.3.0 netmask 255.255.255.0 { range 192.168.3.11 192.168.3.20; } host easteplaptop { hardware ethernet …; fixed-address 192.168.3.7; } host tipper.shorewall.net { hardware ethernet …; fixed-address 192.168.3.8; }