mirror of
https://gitlab.com/shorewall/code.git
synced 2024-12-13 01:41:01 +01:00
109b948d42
to happend anymore. :) git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4194 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
557 lines
19 KiB
XML
557 lines
19 KiB
XML
<?xml version="1.0" encoding="UTF-8"?>
|
|
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
|
|
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
|
|
<article>
|
|
<!--$Id$-->
|
|
|
|
<articleinfo>
|
|
<title>Corporate Network</title>
|
|
|
|
<authorgroup>
|
|
<author>
|
|
<firstname>Tom</firstname>
|
|
|
|
<surname>Eastep</surname>
|
|
</author>
|
|
|
|
<author>
|
|
<firstname>Graeme</firstname>
|
|
|
|
<surname>Boyle</surname>
|
|
</author>
|
|
</authorgroup>
|
|
|
|
<pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
|
|
|
|
<copyright>
|
|
<year>2003</year>
|
|
|
|
<year>2005</year>
|
|
|
|
<holder>Thomas M. Eastep and Graeme Boyle</holder>
|
|
</copyright>
|
|
|
|
<legalnotice>
|
|
<para>Permission is granted to copy, distribute and/or modify this
|
|
document under the terms of the GNU Free Documentation License, Version
|
|
1.2 or any later version published by the Free Software Foundation; with
|
|
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
|
Texts. A copy of the license is included in the section entitled
|
|
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
|
|
License</ulink></quote>.</para>
|
|
</legalnotice>
|
|
</articleinfo>
|
|
|
|
<warning>
|
|
<para><emphasis role="bold">This document has not been updated yet, to
|
|
reflect a correct configuration for Shorewall 3</emphasis>.</para>
|
|
</warning>
|
|
|
|
<section>
|
|
<title>The Network</title>
|
|
|
|
<note>
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>This configuration is used on a corporate network that has a
|
|
Linux (RedHat 8.0) server with three interfaces, running Shorewall
|
|
1.4.5 release,</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Make sure you know what public IP addresses are currently
|
|
being used and verify these <emphasis>before</emphasis>
|
|
starting.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Verify your DNS settings <emphasis>before</emphasis> starting
|
|
any Shorewall configuration especially if you have split DNS.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>System names and Internet IP addresses have been changed to
|
|
protect the innocent.</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</note>
|
|
|
|
<warning>
|
|
<para>This configuration uses a combination of One-to-one NAT and Proxy
|
|
ARP. This is generally not relevant to a simple configuration with a
|
|
single public IP address. If you have just a single public IP address,
|
|
most of what you see here won't apply to your setup so beware of copying
|
|
parts of this configuration and expecting them to work for you. What you
|
|
copy may or may not work in your configuration.</para>
|
|
</warning>
|
|
|
|
<para>I have a T1 with 64 static IP addresses (192.0.18.65-127/26). The
|
|
internet is connected to eth0. The local network is connected via eth1
|
|
(10.10.0.0/22) and the DMZ is connected to eth2 (192.168.21.0/24). I have
|
|
an IPSec tunnel connecting our offices in Germany to our offices in the
|
|
US. I host two Microsoft Exchange servers for two different companies
|
|
behind the firewall hence, the two Exchange servers in the diagram
|
|
below.</para>
|
|
|
|
<section>
|
|
<title>Summary</title>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>SNAT for all systems connected to the LAN - Internal addresses
|
|
10.10.x.x to external address 192.0.18.127.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>One-to-one NAT for <emphasis>Polaris</emphasis> (Exchange
|
|
Server #2). Internal address 10.10.1.8 and external address
|
|
192.0.18.70.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>One-to-one NAT for <emphasis>Sims</emphasis> (Inventory
|
|
Management server). Internal address 10.10.1.56 and external address
|
|
192.0.18.75.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>One-to-one NAT for <emphasis>Project</emphasis> (Project Web
|
|
Server). Internal address 10.10.1.55 and external address
|
|
192.0.18.84.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>One-to-one NAT for <emphasis>Fortress</emphasis> (Exchange
|
|
Server). Internal address 10.10.1.252 and external address
|
|
192.0.18.93.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>One-to-one NAT for <emphasis>BBSRV</emphasis> (Blackberry
|
|
Server). Internal address 10.10.1.230 and external address
|
|
192.0.18.97.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>One-to-one NAT for <emphasis>Intweb</emphasis> (Intranet Web
|
|
Server). Internal address 10.10.1.60 and external address
|
|
192.0.18.115.</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
|
|
<para>The firewall runs on a 2Gb, Dual PIV/2.8GHz, Intel motherboard
|
|
with RH8.0.</para>
|
|
|
|
<para>The Firewall is also a proxy server running Privoxy 3.0.</para>
|
|
|
|
<para>The single system in the DMZ (address 192.0.18.80) runs sendmail,
|
|
imap, pop3, DNS, a Web server (Apache) and an FTP server (vsFTPd 1.1.0).
|
|
That server is managed through Proxy ARP.</para>
|
|
|
|
<para>All administration and publishing is done using ssh/scp. I have X
|
|
installed on the firewall and the system in the DMZ. X applications
|
|
tunnel through SSH to Hummingbird Exceed running on a PC located in the
|
|
LAN. Access to the firewall using SSH is restricted to systems in the
|
|
LAN, DMZ or the system Kaos which is on the Internet and managed by
|
|
me.</para>
|
|
|
|
<graphic fileref="images/CorpNetwork.gif" />
|
|
|
|
<para>The Ethernet 0 interface in the Server is configured with IP
|
|
address 192.0.18.68, netmask 255.255.255.192. The server's default
|
|
gateway is 192.0.18.65, the Router connected to my network and the ISP.
|
|
This is the same default gateway used by the firewall itself. On the
|
|
firewall, Shorewall automatically adds a host route to 192.0.18.80
|
|
through Ethernet 2 (192.168.21.1) because of the entry in
|
|
/etc/shorewall/proxyarp (see below). I modified the start, stop and init
|
|
scripts to include the fixes suggested when having an IPSec
|
|
tunnel.</para>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Some Mistakes I Made</title>
|
|
|
|
<para>Yes, believe it or not, I made some really basic mistakes when
|
|
building this firewall. Firstly, I had the new firewall setup in
|
|
parallel with the old firewall so that there was no interruption of
|
|
service to my users. During my out-bound testing, I set up systems on
|
|
the LAN to utilize the firewall which worked fine. When testing my NAT
|
|
connections, from the outside, these would fail and I could not
|
|
understand why. Eventually, I changed the default route on the internal
|
|
system I was trying to access, to point to the new firewall and
|
|
<quote>bingo</quote>, everything worked as expected. This oversight
|
|
delayed my deployment by a couple of days not to mention level of
|
|
frustration it produced.</para>
|
|
|
|
<para>Another problem that I encountered was in setting up the Proxyarp
|
|
system in the DMZ. Initially I forgot to remove the entry for the eth2
|
|
from the /etc/shorewall/masq file. Once my file settings were correct, I
|
|
started verifying that the ARP caches on the firewall, as well as the
|
|
outside system <quote>kaos</quote>, were showing the correct Ethernet
|
|
MAC address. However, in testing remote access, I could access the
|
|
system in the DMZ only from the firewall and LAN but not from the
|
|
Internet. The message I received was <quote>connection denied</quote> on
|
|
all protocols. What I did not realize was that a <quote>helpful</quote>
|
|
administrator that had turned on an old system and assigned the same
|
|
address as the one I was using for Proxyarp without notifying me. How
|
|
did I work this out. I shutdown the system in the DMZ, rebooted the
|
|
router and flushed the ARP cache on the firewall and kaos. Then, from
|
|
kaos, I started pinging that IP address and checked the updated ARP
|
|
cache and lo-and-behold a different MAC address showed up. High levels
|
|
of frustration etc., etc. The administrator will not be doing that
|
|
again! :-)</para>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Lessons Learned</title>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>Read the documentation.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Draw your network topology before starting.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Understand what services you are going to allow in and out of
|
|
the firewall, whether they are TCP or UDP packets and make a note of
|
|
these port numbers.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Try to get quiet time to build the firewall - you need to
|
|
focus on the job at hand.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>When asking for assistance, be honest and include as much
|
|
detail as requested. Don't try and hide IP addresses etc., you will
|
|
probably screw up the logs and make receiving assistance
|
|
harder.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Read the documentation.</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Futures</title>
|
|
|
|
<para>This is by no means the final configuration. In the near future, I
|
|
will be moving more systems from the LAN to the DMZ. I will also be
|
|
watching the logs for port scan programs etc. but, this should be
|
|
standard security maintenance.</para>
|
|
</section>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Configuration Files</title>
|
|
|
|
<para>Here are copies of my files. I have removed most of the internal
|
|
documentation for the purpose of this space however, my system still has
|
|
the original files with all the comments and I highly recommend you do the
|
|
same.</para>
|
|
|
|
<section>
|
|
<title>Shorewall.conf</title>
|
|
|
|
<programlisting>##############################################################################
|
|
# /etc/shorewall/shorewall.conf V1.4 - Change the following variables to
|
|
# match your setup
|
|
#
|
|
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
|
|
#
|
|
# This file should be placed in /etc/shorewall
|
|
#
|
|
# (c) 1999,2000,2001,2002,2003 - Tom Eastep (teastep@shorewall.net)
|
|
##############################################################################
|
|
# L O G G I N G
|
|
##############################################################################
|
|
LOGFILE=/var/log/messages
|
|
LOGFORMAT=<quote>Shorewall:%s:%s:</quote>
|
|
LOGRATE=
|
|
LOGBURST=
|
|
LOGUNCLEAN=info
|
|
BLACKLIST_LOGLEVEL=
|
|
LOGNEWNOTSYN=
|
|
MACLIST_LOG_LEVEL=info
|
|
TCP_FLAGS_LOG_LEVEL=debug
|
|
RFC1918_LOG_LEVEL=debug
|
|
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
|
|
SUBSYSLOCK=/var/lock/subsys/shorewall
|
|
STATEDIR=/var/lib/shorewall
|
|
MODULESDIR=
|
|
FW=fw
|
|
NAT_ENABLED=Yes
|
|
MANGLE_ENABLED=Yes
|
|
IP_FORWARDING=On
|
|
ADD_IP_ALIASES=Yes
|
|
ADD_SNAT_ALIASES=Yes
|
|
TC_ENABLED=Yes
|
|
CLEAR_TC=No
|
|
MARK_IN_FORWARD_CHAIN=No
|
|
CLAMPMSS=No
|
|
ROUTE_FILTER=Yes
|
|
NAT_BEFORE_RULES=No
|
|
MULTIPORT=Yes
|
|
DETECT_DNAT_IPADDRS=Yes
|
|
MUTEX_TIMEOUT=60
|
|
NEWNOTSYN=Yes
|
|
BLACKLIST_DISPOSITION=DROP
|
|
MACLIST_DISPOSITION=REJECT
|
|
TCP_FLAGS_DISPOSITION=DROP
|
|
#LAST LINE -- DO NOT REMOVE</programlisting>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Zones File</title>
|
|
|
|
<programlisting>#
|
|
# Shorewall 1.4 -- Sample Zone File For Two Interfaces
|
|
# /etc/shorewall/zones
|
|
#
|
|
# This file determines your network zones. Columns are:
|
|
#
|
|
# ZONE Short name of the zone
|
|
# DISPLAY Display name of the zone
|
|
# COMMENTS Comments about the zone
|
|
#
|
|
#ZONE DISPLAY COMMENTS
|
|
net Net Internet
|
|
loc Local Local Networks
|
|
dmz DMZ Demilitarized Zone
|
|
vpn1 VPN1 VPN to Germany
|
|
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Interfaces File</title>
|
|
|
|
<programlisting>##############################################################################
|
|
#ZONE INTERFACE BROADCAST OPTIONS
|
|
net eth0 62.123.106.127 routefilter,norfc1918,blacklist,tcpflags
|
|
loc eth1 detect dhcp,routefilter
|
|
dmz eth2 detect
|
|
vpn1 ipsec0
|
|
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
|
</programlisting>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Routestopped File</title>
|
|
|
|
<programlisting>#INTERFACE HOST(S)
|
|
eth1 -
|
|
eth2 -
|
|
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Policy File</title>
|
|
|
|
<programlisting>###############################################################################
|
|
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
|
|
loc net ACCEPT
|
|
loc fw ACCEPT
|
|
loc dmz ACCEPT
|
|
# If you want open access to the Internet from your Firewall
|
|
# remove the comment from the following line.
|
|
fw net ACCEPT
|
|
fw loc ACCEPT
|
|
fw dmz ACCEPT
|
|
dmz fw ACCEPT
|
|
dmz loc ACCEPT
|
|
dmz net ACCEPT
|
|
#
|
|
# Adding VPN Access
|
|
loc vpn1 ACCEPT
|
|
dmz vpn1 ACCEPT
|
|
fw vpn1 ACCEPT
|
|
vpn1 loc ACCEPT
|
|
vpn1 dmz ACCEPT
|
|
vpn1 fw ACCEPT
|
|
#
|
|
net all DROP info
|
|
all all REJECT info
|
|
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Masq File</title>
|
|
|
|
<programlisting>#INTERFACE SUBNET ADDRESS
|
|
eth0 eth1 192.0.18.126
|
|
#
|
|
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
|
|
</section>
|
|
|
|
<section>
|
|
<title>NAT File</title>
|
|
|
|
<programlisting>#EXTERNAL INTERFACE INTERNAL ALL INTERFACES LOCAL
|
|
#
|
|
# Intranet Web Server
|
|
192.0.18.115 eth0:0 10.10.1.60 No No
|
|
#
|
|
# Project Web Server
|
|
192.0.18.84 eth0:1 10.10.1.55 No No
|
|
#
|
|
# Blackberry Server
|
|
192.0.18.97 eth0:2 10.10.1.55 No No
|
|
#
|
|
# Corporate Mail Server
|
|
192.0.18.93 eth0:3 10.10.1.252 No No
|
|
#
|
|
# Second Corp Mail Server
|
|
192.0.18.70 eth0:4 10.10.1.8 No No
|
|
#
|
|
# Sims Server
|
|
192.0.18.75 eth0:5 10.10.1.56 No No
|
|
#
|
|
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Proxy ARP File</title>
|
|
|
|
<programlisting>#ADDRESS INTERFACE EXTERNAL HAVEROUTE
|
|
#
|
|
# The Corporate email server in the DMZ
|
|
192.0.18.80 eth2 eth0 No
|
|
#
|
|
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Tunnels File</title>
|
|
|
|
<programlisting># TYPE ZONE GATEWAY GATEWAY ZONE PORT
|
|
ipsec net 134.147.129.82
|
|
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Rules File (The shell variables are set in
|
|
/etc/shorewall/params)</title>
|
|
|
|
<programlisting>##############################################################################
|
|
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
|
|
# PORT PORT(S) DEST
|
|
#
|
|
# Accept DNS connections from the firewall to the network
|
|
#
|
|
ACCEPT fw net tcp 53
|
|
ACCEPT fw net udp 53
|
|
#
|
|
# Accept SSH from internet interface from kaos only
|
|
#
|
|
ACCEPT net:192.0.18.98 fw tcp 22
|
|
#
|
|
# Accept connections from the local network for administration
|
|
#
|
|
ACCEPT loc fw tcp 20:22
|
|
ACCEPT loc net tcp 22
|
|
ACCEPT loc fw tcp 53
|
|
ACCEPT loc fw udp 53
|
|
ACCEPT loc net tcp 53
|
|
ACCEPT loc net udp 53
|
|
#
|
|
# Allow Ping To And From Firewall
|
|
#
|
|
ACCEPT loc fw icmp 8
|
|
ACCEPT loc dmz icmp 8
|
|
ACCEPT loc net icmp 8
|
|
ACCEPT dmz fw icmp 8
|
|
ACCEPT dmz loc icmp 8
|
|
ACCEPT dmz net icmp 8
|
|
DROP net fw icmp 8
|
|
DROP net loc icmp 8
|
|
DROP net dmz icmp 8
|
|
ACCEPT fw loc icmp 8
|
|
ACCEPT fw dmz icmp 8
|
|
DROP fw net icmp 8
|
|
#
|
|
# Accept proxy web connections from the inside
|
|
#
|
|
ACCEPT loc fw tcp 8118
|
|
#
|
|
# Forward PcAnywhere, Oracle and Web traffic from outside to the Demo systems
|
|
# From a specific IP Address on the Internet.
|
|
#
|
|
# ACCEPT net:207.65.110.10 loc:10.10.3.151 tcp 1521,http
|
|
# ACCEPT net:207.65.110.10 loc:10.10.2.32 tcp 5631:5632
|
|
#
|
|
# Intranet web server
|
|
ACCEPT net loc:10.10.1.60 tcp 443
|
|
ACCEPT dmz loc:10.10.1.60 tcp 443
|
|
#
|
|
# Projects web server
|
|
ACCEPT net loc:10.10.1.55 tcp 80
|
|
ACCEPT dmz loc:10.10.1.55 tcp 80
|
|
#
|
|
# Blackberry Server
|
|
ACCEPT net loc:10.10.1.230 tcp 3101
|
|
#
|
|
# Corporate Email Server
|
|
ACCEPT net loc:10.10.1.252 tcp 25,53,110,143,443
|
|
#
|
|
# Corporate #2 Email Server
|
|
ACCEPT net loc:10.10.1.8 tcp 25,80,110,443
|
|
#
|
|
# Sims Server
|
|
ACCEPT net loc:10.10.1.56 tcp 80,443
|
|
ACCEPT net loc:10.10.1.56 tcp 7001:7002
|
|
ACCEPT net:63.83.198.0/24 loc:10.10.1.56 tcp 5631:5632
|
|
#
|
|
# Access to DMZ
|
|
ACCEPT loc dmz udp 53,177
|
|
ACCEPT loc dmz tcp 80,25,53,22,143,443,993,20,110
|
|
ACCEPT net dmz udp 53
|
|
ACCEPT net dmz tcp 25,53,22,21,123
|
|
ACCEPT dmz net tcp 25,53,80,123,443,21,22
|
|
ACCEPT dmz net udp 53
|
|
#
|
|
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Start File</title>
|
|
|
|
<programlisting>############################################################################
|
|
# Shorewall 1.4 -- /etc/shorewall/start
|
|
#
|
|
# Add commands below that you want to be executed after shorewall has
|
|
# been started or restarted.
|
|
#
|
|
qt service ipsec start</programlisting>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Stop File</title>
|
|
|
|
<programlisting>############################################################################
|
|
# Shorewall 1.4 -- /etc/shorewall/stop
|
|
#
|
|
# Add commands below that you want to be executed at the beginning of a
|
|
# <quote>shorewall stop</quote> command.
|
|
#
|
|
qt service ipsec stop</programlisting>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Init File</title>
|
|
|
|
<programlisting>############################################################################
|
|
# Shorewall 1.4 -- /etc/shorewall/init
|
|
#
|
|
# Add commands below that you want to be executed at the beginning of
|
|
# a <quote>shorewall start</quote> or <quote>shorewall restart</quote> command.
|
|
#
|
|
qt service ipsec stop</programlisting>
|
|
</section>
|
|
</section>
|
|
</article> |