mirror of
https://gitlab.com/shorewall/code.git
synced 2024-11-15 04:04:10 +01:00
ebe6ff9749
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1903 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
1148 lines
42 KiB
XML
1148 lines
42 KiB
XML
<?xml version="1.0" encoding="UTF-8"?>
|
|
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
|
|
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
|
|
<article>
|
|
<!--$Id$-->
|
|
|
|
<articleinfo>
|
|
<title>About My Network</title>
|
|
|
|
<authorgroup>
|
|
<author>
|
|
<firstname>Tom</firstname>
|
|
|
|
<surname>Eastep</surname>
|
|
</author>
|
|
</authorgroup>
|
|
|
|
<pubdate>2005-01-12</pubdate>
|
|
|
|
<copyright>
|
|
<year>2001-2005</year>
|
|
|
|
<holder>Thomas M. Eastep</holder>
|
|
</copyright>
|
|
|
|
<legalnotice>
|
|
<para>Permission is granted to copy, distribute and/or modify this
|
|
document under the terms of the GNU Free Documentation License, Version
|
|
1.2 or any later version published by the Free Software Foundation; with
|
|
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
|
Texts. A copy of the license is included in the section entitled
|
|
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
|
|
License</ulink></quote>.</para>
|
|
</legalnotice>
|
|
</articleinfo>
|
|
|
|
<section>
|
|
<title>My Current Network</title>
|
|
|
|
<caution>
|
|
<para>I use a combination of One-to-one NAT and Proxy ARP, neither of
|
|
which are relevant to a simple configuration with a single public IP
|
|
address. If you have just a single public IP address, most of what you
|
|
see here won't apply to your setup so beware of copying parts of this
|
|
configuration and expecting them to work for you. What you copy may or
|
|
may not work in your environment.</para>
|
|
</caution>
|
|
|
|
<caution>
|
|
<para>The configuration shown here corresponds to Shorewall version
|
|
2.2.0 RC2. My configuration uses features not available in earlier
|
|
Shorewall releases.</para>
|
|
</caution>
|
|
|
|
<para>I have DSL service and have 5 static IP addresses
|
|
(206.124.146.176-180). My DSL <quote>modem</quote> (Westell 2200 running
|
|
in Bridge mode) is connected to eth1 and has IP address 192.168.1.1
|
|
(factory default). The modem is configured in <quote>bridge</quote> mode
|
|
so PPPoE is not involved. I have a local network connected to eth0 (subnet
|
|
192.168.1.0/24) and a DMZ connected to eth2 (206.124.146.176/32). Note
|
|
that I configure the same IP address on both <filename
|
|
class="devicefile">eth1</filename> and <filename
|
|
class="devicefile">eth2</filename>.</para>
|
|
|
|
<para>In this configuration:</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>I use one-to-one NAT for Ursa (my personal system that run SuSE
|
|
9.2) - Internal address 192.168.1.5 and external address
|
|
206.124.146.178.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>I use one-to-one NAT for Eastepnc6000 (My work system -- Windows
|
|
XP SP1). Internal address 192.168.1.7 and external address
|
|
206.124.146.180.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>I use SNAT through 206.124.146.176 for my Wife's Windows XP
|
|
system <quote>Tarry</quote>, and our dual-booting (SuSE
|
|
9.2/Windows XP) laptop <quote>Tipper</quote> which connects through
|
|
the Wireless Access Point (wap) via a Wireless Bridge (wet).<note>
|
|
<para>While the distance between the WAP and where I usually use
|
|
the laptop isn't very far (50 feet or so), using a WAC11 (CardBus
|
|
wireless card) has proved very unsatisfactory (lots of lost
|
|
connections). By replacing the WAC11 with the WET11 wireless
|
|
bridge, I have virtually eliminated these problems (Being an old
|
|
radio tinkerer (K7JPV), I was also able to eliminate the
|
|
disconnects by hanging a piece of aluminum foil on the family room
|
|
wall. Needless to say, my wife Tarry rejected that as a permanent
|
|
solution :-).</para>
|
|
</note></para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>I have Ursa (192.168.1.5/192.168.3.254/206.124.146.178)
|
|
configured as an IPSEC gateway for the Wireless network.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Squid runs on the firewall and is configured as a transparent
|
|
proxy.</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
|
|
<para>The firewall runs on a P-II/233 with Debian Sarge (testing).</para>
|
|
|
|
<para>Ursa runs Samba for file sharing with the Windows systems and is
|
|
configured as a Wins server.</para>
|
|
|
|
<para>The wireless network connects to Ursa's eth1 via a LinkSys
|
|
WAP11. In additional to using the rather weak WEP 40-bit encryption
|
|
(64-bit with the 24-bit preamble), I use <ulink
|
|
url="MAC_Validation.html">MAC verification</ulink> and <ulink
|
|
url="IPSEC-2.6.html">Kernel 2.6 IPSEC</ulink>.</para>
|
|
|
|
<para>The single system in the DMZ (address 206.124.146.177) runs postfix,
|
|
Courier IMAP (imaps and pop3), DNS, a Web server (Apache) and an FTP
|
|
server (Pure-ftpd) under Fedora Core 3. The system also runs fetchmail to
|
|
fetch our email from our old and current ISPs. That server is managed
|
|
through Proxy ARP.</para>
|
|
|
|
<para>The firewall system itself runs a DHCP server that serves the local
|
|
network.</para>
|
|
|
|
<para>I have one system (Roadwarrior, 206.124.146.179) outside the
|
|
firewall. This system, which runs Debian Sarge (testing) is used for
|
|
roadwarrior VPN testing and for checking my firewall "from the
|
|
outside".</para>
|
|
|
|
<para>All administration and publishing is done using ssh/scp. I have a
|
|
desktop environment installed on the firewall but I am not usually logged
|
|
in to it. X applications tunnel through SSH to Ursa. The server also has a
|
|
desktop environment installed and that desktop environment is available
|
|
via XDMCP from the local zone. For the most part though, X tunneled
|
|
through SSH is used for server administration and the server runs at run
|
|
level 3 (multi-user console mode on Fedora).</para>
|
|
|
|
<para>I run an SNMP server on my firewall to serve <ulink
|
|
url="http://www.ee.ethz.ch/~oetiker/webtools/mrtg/">MRTG</ulink> running
|
|
in the DMZ.</para>
|
|
|
|
<para>The ethernet interface in the Server is configured with IP address
|
|
206.124.146.177, netmask 255.255.255.0. The server's default gateway is
|
|
206.124.146.254 (Router at my ISP. This is the same default gateway used
|
|
by the firewall itself). On the firewall, an entry in my
|
|
/etc/network/interfaces file (see below) adds a host route to
|
|
206.124.146.177 through eth1 when that interface is brought up.</para>
|
|
|
|
<para>Ursa (206.124.146.178/192.168.1.5) is configured with OpenVPN for
|
|
VPN access from our second home in <ulink
|
|
url="http://www.omakchamber.com/">Omak, Washington</ulink> or when we are
|
|
otherwise out of town.</para>
|
|
|
|
<para><graphic align="center" fileref="images/network.png" /></para>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Firewall Configuration</title>
|
|
|
|
<section>
|
|
<title>Shorewall.conf</title>
|
|
|
|
<blockquote>
|
|
<programlisting>LOGFILE=/var/log/ulog/syslogemu.log
|
|
LOGFORMAT="Shorewall:%s:%s "
|
|
LOGRATE=
|
|
LOGBURST=
|
|
LOGUNCLEAN=$LOG
|
|
BLACKLIST_LOGLEVEL=
|
|
LOGNEWNOTSYN=$LOG
|
|
MACLIST_LOG_LEVEL=$LOG
|
|
TCP_FLAGS_LOG_LEVEL=$LOG
|
|
RFC1918_LOG_LEVEL=$LOG
|
|
SMURF_LOG_LEVEL=
|
|
IPTABLES=
|
|
PATH=/usr/local/sbin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin
|
|
SHOREWALL_SHELL=/bin/dash
|
|
SUBSYSLOCK=
|
|
STATEDIR=/var/state/shorewall
|
|
MODULESDIR=
|
|
CONFIG_PATH=/etc/shorewall:/etc/shorewall/actiondir:/usr/share/shorewall
|
|
RESTOREFILE=standard
|
|
FW=fw
|
|
IP_FORWARDING=On
|
|
ADD_IP_ALIASES=Yes
|
|
ADD_SNAT_ALIASES=Yes
|
|
RETAIN_ALIASES=Yes
|
|
TC_ENABLED=Yes
|
|
CLEAR_TC=Yes
|
|
MARK_IN_FORWARD_CHAIN=No
|
|
CLAMPMSS=Yes
|
|
ROUTE_FILTER=No
|
|
DETECT_DNAT_IPADDRS=Yes
|
|
MUTEX_TIMEOUT=60
|
|
NEWNOTSYN=Yes
|
|
BLACKLISTNEWONLY=Yes
|
|
DELAYBLACKLISTLOAD=Yes
|
|
DYNAMIC_ZONES=No
|
|
DISABLE_IPV6=Yes
|
|
PKTTYPE=No
|
|
BLACKLIST_DISPOSITION=DROP
|
|
MACLIST_DISPOSITION=REJECT
|
|
TCP_FLAGS_DISPOSITION=DROP</programlisting>
|
|
</blockquote>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Params File (Edited)</title>
|
|
|
|
<blockquote>
|
|
<para><programlisting>MIRRORS=<list of shorewall mirror ip addresses>
|
|
NTPSERVERS=<list of the NTP servers I sync with>
|
|
TEXAS=<ip address of gateway in Plano>
|
|
LOG=ULOG
|
|
EXT_IF=eth1
|
|
INT_IF=eth2
|
|
DMZ_IF=eth0</programlisting></para>
|
|
</blockquote>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Zones File</title>
|
|
|
|
<blockquote>
|
|
<programlisting>#ZONE DISPLAY COMMENTS
|
|
net Internet Internet
|
|
dmz DMZ Demilitarized zone
|
|
loc Local Local networks
|
|
tx Texas Peer Network in Dallas
|
|
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
|
|
</programlisting>
|
|
</blockquote>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Interfaces File</title>
|
|
|
|
<blockquote>
|
|
<para>This is set up so that I can start the firewall before bringing
|
|
up my Ethernet interfaces.</para>
|
|
|
|
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
|
net $EXT_IF 206.124.146.255 dhcp,norfc1918,routefilter,logmartians,blacklist,tcpflags,nosmurfs
|
|
loc $INT_IF detect dhcp
|
|
dmz $DMZ_IF -
|
|
- texas -
|
|
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
|
|
</blockquote>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Hosts File</title>
|
|
|
|
<blockquote>
|
|
<programlisting>#ZONE HOST(S) OPTIONS
|
|
tx texas:192.168.8.0/22
|
|
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
|
|
</blockquote>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Routestopped File</title>
|
|
|
|
<blockquote>
|
|
<programlisting>#INTERFACE HOST(S)
|
|
$DMZ_IF 206.124.146.177
|
|
$INT_IF -
|
|
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
|
|
</blockquote>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Blacklist File (Partial)</title>
|
|
|
|
<blockquote>
|
|
<programlisting>#ADDRESS/SUBNET PROTOCOL PORT
|
|
0.0.0.0/0 udp 1434
|
|
0.0.0.0/0 tcp 1433
|
|
0.0.0.0/0 tcp 3127
|
|
0.0.0.0/0 tcp 8081
|
|
0.0.0.0/0 tcp 57
|
|
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
|
|
</blockquote>
|
|
</section>
|
|
|
|
<section>
|
|
<title>RFC1918 File</title>
|
|
|
|
<blockquote>
|
|
<para>Because my DSL modem has an RFC 1918 address (192.168.1.1) and
|
|
is connected to eth0, I need to make an exception for that address in
|
|
my rfc1918 file. I copied /usr/share/shorewall/rfc1918 to
|
|
/etc/shorewall/rfc1918 and changed it as follows:</para>
|
|
|
|
<programlisting>#SUBNET TARGET
|
|
<emphasis role="bold">192.168.1.1 RETURN</emphasis>
|
|
172.16.0.0/12 logdrop # RFC 1918
|
|
192.168.0.0/16 logdrop # RFC 1918
|
|
10.0.0.0/8 logdrop # RFC 1918
|
|
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
|
</programlisting>
|
|
</blockquote>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Policy File</title>
|
|
|
|
<blockquote>
|
|
<programlisting>#SOURCE DESTINATION POLICY LOG LEVEL BURST:LIMIT
|
|
fw fw ACCEPT
|
|
loc net ACCEPT
|
|
$FW loc ACCEPT
|
|
$FW tx ACCEPT
|
|
loc tx ACCEPT
|
|
loc fw REJECT $LOG
|
|
dmz tx ACCEPT
|
|
net all DROP $LOG 10/sec:40
|
|
all all REJECT $LOG
|
|
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
|
|
</blockquote>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Masq File</title>
|
|
|
|
<blockquote>
|
|
<para>Although most of our internal systems use one-to-one NAT, my
|
|
wife's system (192.168.1.4) uses IP Masquerading (actually SNAT) as
|
|
does our laptop (192.168.1.8) and visitors with laptops.</para>
|
|
|
|
<para>The first entry allows access to the DSL modem and uses features
|
|
introduced in Shorewall 2.1.1. The leading plus sign ("+_") causes the
|
|
rule to be placed before rules generated by the /etc/shorewall/nat
|
|
file below. The double colons ("::") causes the entry to be exempt
|
|
from ADD_SNAT_ALIASES=Yes in my shorewall.conf file above.</para>
|
|
|
|
<programlisting>#INTERFACE SUBNET ADDRESS
|
|
+$EXT_IF::192.168.1.1 0.0.0.0/0 192.168.1.254
|
|
$EXT_IF:: eth2 206.124.146.176
|
|
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
|
|
</blockquote>
|
|
</section>
|
|
|
|
<section>
|
|
<title>NAT File</title>
|
|
|
|
<blockquote>
|
|
<programlisting>#EXTERNAL INTERFACE INTERNAL ALL INTERFACES LOCAL
|
|
206.124.146.178 eth0:0 192.168.1.5 No No
|
|
206.124.146.180 eth0:1 192.168.1.7 No No
|
|
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
|
|
</blockquote>
|
|
</section>
|
|
|
|
<section id="ProxyARP">
|
|
<title>Proxy ARP File</title>
|
|
|
|
<blockquote>
|
|
<para>I configure the host route to 206.124.146.177 on <filename
|
|
class="devicefile">eth1</filename> in <link
|
|
linkend="debian_interfaces">/etc/network/interfaces</link>.</para>
|
|
|
|
<programlisting>#ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT
|
|
206.124.146.177 eth1 eth0 Yes
|
|
192.168.1.1 eth0 eth2 yes # Allow access to DSL modem from the local zone
|
|
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
|
</blockquote>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Tunnels File (Shell variable TEXAS set in
|
|
/etc/shorewall/params)</title>
|
|
|
|
<blockquote>
|
|
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE PORT
|
|
gre net $TEXAS
|
|
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
|
</blockquote>
|
|
</section>
|
|
|
|
<section id="Actions">
|
|
<title>Actions File</title>
|
|
|
|
<blockquote>
|
|
<programlisting>#ACTION
|
|
Mirrors #Accept traffic from the Shorewall Mirror sites
|
|
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
|
|
</blockquote>
|
|
</section>
|
|
|
|
<section>
|
|
<title>action.Mirrors File</title>
|
|
|
|
<blockquote>
|
|
<para>The $MIRRORS variable expands to a list of approximately 10 IP
|
|
addresses. So moving these checks into a separate chain reduces the
|
|
number of rules that most net->dmz traffic needs to
|
|
traverse.</para>
|
|
|
|
<programlisting>#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
|
|
# PORT PORT(S) DEST LIMIT
|
|
ACCEPT $MIRRORS
|
|
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
|
</blockquote>
|
|
</section>
|
|
|
|
<section>
|
|
<title>/etc/shorewall/action.Reject</title>
|
|
|
|
<blockquote>
|
|
<para>This is my common action for the REJECT policy. It is like the
|
|
standard <emphasis role="bold">Reject</emphasis> action except that it
|
|
allows <quote>Ping</quote> and contains one rule that guards against
|
|
log flooding by broken software running in my local zone.</para>
|
|
|
|
<programlisting>#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
|
|
# PORT(S) PORT(S) LIMIT GROUP
|
|
RejectAuth
|
|
AllowPing
|
|
dropBcast
|
|
RejectSMB
|
|
DropUPnP
|
|
dropNotSyn
|
|
DropDNSrep
|
|
DROP loc:eth2:!192.168.1.0/24 #So that my braindead Windows[tm] XP system doesn't flood my log
|
|
#with NTP requests with a source address in 16.0.0.0/8 (address of
|
|
#its PPTP tunnel to HP).</programlisting>
|
|
</blockquote>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Rules File (The shell variables are set in
|
|
/etc/shorewall/params)</title>
|
|
|
|
<blockquote>
|
|
<programlisting>###############################################################################################################################################################################
|
|
#RESULT CLIENT(S) SERVER(S) PROTO PORT(S) CLIENT ORIGINAL RATE USER
|
|
# PORT(S) DEST:SNAT SET
|
|
###############################################################################################################################################################################
|
|
# Local Network to Internet - Reject attempts by Trojans to call home, direct SMTP and MS Message Service
|
|
#
|
|
REJECT:$LOG loc net tcp 6667,25
|
|
REJECT:$LOG loc net udp 1025:1031
|
|
#
|
|
# Stop NETBIOS crap
|
|
#
|
|
REJECT loc net tcp 137,445
|
|
REJECT loc net udp 137:139
|
|
#
|
|
# Stop my idiotic XP box from sending to the net with an HP source IP address
|
|
#
|
|
DROP loc:!192.168.0.0/22 net
|
|
#
|
|
# SQUID
|
|
#
|
|
REDIRECT loc 3128 tcp 80
|
|
###############################################################################################################################################################################
|
|
# Local Network to Firewall
|
|
#
|
|
DROP loc:!192.168.0.0/22 fw # Silently drop traffic with an HP source IP from my XP box
|
|
ACCEPT loc fw tcp ssh,time
|
|
ACCEPT loc fw udp 161,ntp
|
|
###############################################################################################################################################################################
|
|
# Local Network to DMZ
|
|
#
|
|
DROP loc:!192.168.0.0/22 dmz
|
|
ACCEPT loc dmz udp domain,xdmcp
|
|
ACCEPT loc dmz tcp www,smtp,smtps,domain,ssh,imap,https,imaps,cvspserver,ftp,10027,pop3 -
|
|
###############################################################################################################################################################################
|
|
# Internet to ALL -- drop NewNotSyn packets
|
|
#
|
|
dropNotSyn net fw tcp
|
|
dropNotSyn net loc tcp
|
|
dropNotSyn net dmz tcp
|
|
|
|
#
|
|
# Drop ping to firewall and local
|
|
#
|
|
|
|
DropPing net fw
|
|
DropPing net loc
|
|
###############################################################################################################################################################################
|
|
# Internet to DMZ
|
|
#
|
|
DNAT- net dmz:206.124.146.177 tcp smtp - 206.124.146.178
|
|
ACCEPT net dmz tcp smtp,smtps,www,ftp,imaps,domain,https,cvspserver -
|
|
ACCEPT net dmz udp domain
|
|
ACCEPT net dmz udp 33434:33436
|
|
Mirrors net dmz tcp rsync
|
|
ACCEPT net dmz tcp 22
|
|
AllowPing net dmz
|
|
###############################################################################################################################################################################
|
|
#
|
|
# Net to Local
|
|
#
|
|
# When I'm "on the road", the following two rules allow me VPN access back home via PPTP.
|
|
#
|
|
DNAT net loc:192.168.1.4 tcp 1723 -
|
|
DNAT net:!$TEXAS loc:192.168.1.4 gre -
|
|
ACCEPT net loc:192.168.1.5 tcp 22
|
|
#
|
|
# ICQ
|
|
#
|
|
ACCEPT net loc:192.168.1.5 tcp 4000:4100
|
|
#
|
|
# Real Audio
|
|
#
|
|
ACCEPT net loc:192.168.1.5 udp 6970:7170
|
|
#
|
|
# Overnet
|
|
#
|
|
#ACCEPT net loc:192.168.1.5 tcp 4662
|
|
#ACCEPT net loc:192.168.1.5 udp 12112
|
|
#
|
|
# Silently Handle common probes
|
|
#
|
|
REJECT net loc tcp www,ftp,https
|
|
###############################################################################################################################################################################
|
|
# DMZ to Internet
|
|
#
|
|
ACCEPT dmz net tcp smtp,domain,www,81,https,whois,echo,2702,21,2703,ssh,8080
|
|
ACCEPT dmz net udp domain
|
|
REJECT:$LOG dmz net udp 1025:1031
|
|
ACCEPT dmz net:$POPSERVERS tcp pop3
|
|
#
|
|
# Something is wrong with the FTP connection tracking code or there is some client out there
|
|
# that is sending a PORT command which that code doesn't understand. Either way,
|
|
# the following works around the problem.
|
|
#
|
|
ACCEPT:$LOG dmz net tcp 1024: 20
|
|
###############################################################################################################################################################################
|
|
# DMZ to Firewall -- ntp & snmp, Silently reject Auth
|
|
#
|
|
ACCEPT dmz fw udp ntp ntp
|
|
ACCEPT dmz fw tcp 161,ssh
|
|
ACCEPT dmz fw udp 161
|
|
REJECT dmz fw tcp auth
|
|
###############################################################################################################################################################################
|
|
# DMZ to Local Network
|
|
#
|
|
ACCEPT dmz loc tcp smtp,6001:6010
|
|
ACCEPT dmz:206.124.146.177 loc:192.168.1.5 tcp 111
|
|
ACCEPT dmz:206.124.146.177 loc:192.168.1.5 udp
|
|
###############################################################################################################################################################################
|
|
# Internet to Firewall
|
|
#
|
|
REJECT net fw tcp www,ftp,https
|
|
ACCEPT net dmz udp 33434:33435
|
|
###############################################################################################################################################################################
|
|
# Firewall to Internet
|
|
#
|
|
ACCEPT fw net:$NTPSERVERS udp ntp ntp
|
|
#ACCEPT fw net:$POPSERVERS tcp pop3
|
|
ACCEPT fw net udp domain
|
|
ACCEPT fw net tcp domain,www,https,ssh,1723,whois,1863,ftp,2702,2703,7
|
|
ACCEPT fw net udp 33435:33535
|
|
ACCEPT fw net icmp
|
|
REJECT:$LOG fw net udp 1025:1031
|
|
DROP fw net udp ntp
|
|
###############################################################################################################################################################################
|
|
# Firewall to DMZ
|
|
#
|
|
ACCEPT fw dmz tcp www,ftp,ssh,smtp
|
|
ACCEPT fw dmz udp domain
|
|
REJECT fw dmz udp 137:139
|
|
###############################################################################################################################################################################
|
|
ACCEPT tx loc:192.168.1.5 all
|
|
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
|
</programlisting>
|
|
</blockquote>
|
|
</section>
|
|
|
|
<section id="debian_interfaces">
|
|
<title>/etc/network/interfaces</title>
|
|
|
|
<para>This file is Debian-specific and defines the configuration of the
|
|
network interfaces.</para>
|
|
|
|
<blockquote>
|
|
<programlisting># The loopback network interface
|
|
|
|
auto lo
|
|
iface lo inet loopback
|
|
|
|
# DMZ interface -- after the interface is up, add a host route to the server. This allows 'Yes' in the
|
|
# HAVEROUTE column of the /etc/shorewall/proxyarp file. Note that the DMZ interface has
|
|
# the same IP address as the Internet interface but has no broadcast address or network.
|
|
|
|
auto eth0
|
|
iface eth0 inet static
|
|
address 206.124.146.176
|
|
netmask 255.255.255.255
|
|
broadcast 0.0.0.0
|
|
up ip route add 206.124.146.177 dev eth0
|
|
|
|
# Internet interface -- after the interface is up, add a host route to the DSL 'Modem' (Westell 2200).
|
|
|
|
auto eth1
|
|
iface eth1 inet static
|
|
address 206.124.146.176
|
|
netmask 255.255.255.0
|
|
gateway 206.124.146.254
|
|
up ip route add 192.168.1.1 dev eth1
|
|
|
|
# Local LAN interface -- after the interface is up, add a net route to the Wireless network through 'Ursa'.
|
|
|
|
auto eth2
|
|
iface eth2 inet static
|
|
address 192.168.1.254
|
|
netmask 255.255.255.0
|
|
up ip route add 192.168.3.0/24 via 192.168.1.5
|
|
</programlisting>
|
|
</blockquote>
|
|
</section>
|
|
|
|
<section>
|
|
<title>/etc/ulogd.conf</title>
|
|
|
|
<para>This is the default /etc/ulogd.conf from the Debian package. Only
|
|
the relevant entries are shown.</para>
|
|
|
|
<blockquote>
|
|
<programlisting># where to write to
|
|
syslogfile /var/log/ulog/syslogemu.log
|
|
# do we want to fflush() the file after each write?
|
|
syslogsync 1</programlisting>
|
|
</blockquote>
|
|
</section>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Wireless IPSEC/OpenVPN Gateway (Ursa) Configuration</title>
|
|
|
|
<para>As mentioned above, Ursa acts as an IPSEC gateway for the wireless
|
|
network and as an OpenVPN gateway for roadwarrior access from Tipper and
|
|
my new work laptop. It's view of the network is diagrammed in the
|
|
following figure.</para>
|
|
|
|
<graphic align="center" fileref="images/network1.png" valign="middle" />
|
|
|
|
<para>I've included the files that I used to configure that system.</para>
|
|
|
|
<section>
|
|
<title>zones</title>
|
|
|
|
<blockquote>
|
|
<para>Because <emphasis role="bold">loc</emphasis> is a sub-zone of
|
|
<emphasis role="bold">net</emphasis>, <emphasis
|
|
role="bold">loc</emphasis> must be defined first.</para>
|
|
|
|
<programlisting>#ZONE DISPLAY COMMENTS
|
|
loc Local Local networks
|
|
net Internet The Big Bad Internet
|
|
WiFi Wireless Wireless Network
|
|
sec Secure Secure Wireless Network
|
|
road Roadwarriors Roadwarriors
|
|
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
|
|
</programlisting>
|
|
</blockquote>
|
|
</section>
|
|
|
|
<section>
|
|
<title>policy</title>
|
|
|
|
<blockquote>
|
|
<programlisting>#SOURCE DEST POLICY LOG LIMIT:BURST
|
|
loc fw ACCEPT
|
|
loc net NONE
|
|
loc sec ACCEPT
|
|
loc road ACCEPT
|
|
net fw ACCEPT
|
|
net loc NONE
|
|
net sec ACCEPT
|
|
sec fw ACCEPT
|
|
sec loc ACCEPT
|
|
sec net ACCEPT
|
|
road sec ACCEPT
|
|
road loc ACCEPT
|
|
road net ACCEPT
|
|
road fw ACCEPT
|
|
fw loc ACCEPT
|
|
fw net ACCEPT
|
|
fw sec ACCEPT
|
|
fw WiFi ACCEPT
|
|
fw Road ACCEPT
|
|
sec WiFi NONE
|
|
WiFi sec NONE
|
|
all all REJECT info
|
|
#LAST LINE -- DO NOT REMOVE</programlisting>
|
|
|
|
<blockquote>
|
|
<para></para>
|
|
</blockquote>
|
|
</blockquote>
|
|
</section>
|
|
|
|
<section>
|
|
<title>interfaces</title>
|
|
|
|
<blockquote>
|
|
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
|
net eth0 192.168.1.255 dhcp,nobogons,blacklist
|
|
WiFi eth1 192.168.3.255 nobogons,blacklist,maclist,routeback
|
|
road tun0 -
|
|
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
|
</blockquote>
|
|
</section>
|
|
|
|
<section>
|
|
<title>ipsec</title>
|
|
|
|
<blockquote>
|
|
<para>The mss=1400 in the OUT OPTIONS of the 'net' zone uses a feature
|
|
added in 2.1.12 and sets the MSS field in TCP SYN packets forwarded to
|
|
the 'net' zone to 1400. This works around a problem whereby ICMP
|
|
fragmentation-needed packets are being dropped somewhere between my
|
|
main firewall and the IMAP server at my work.</para>
|
|
|
|
<programlisting>#ZONE IPSEC OPTIONS IN OUT
|
|
# ONLY OPTIONS OPTIONS
|
|
sec yes mode=tunnel
|
|
net no - - <emphasis
|
|
role="bold">mss=1400</emphasis>
|
|
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
|
</programlisting>
|
|
</blockquote>
|
|
</section>
|
|
|
|
<section>
|
|
<title>hosts</title>
|
|
|
|
<blockquote>
|
|
<programlisting>#ZONE HOST(S) OPTIONS
|
|
sec eth1:0.0.0.0/0 routeback
|
|
loc eth0:192.168.1.0/24
|
|
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE</programlisting>
|
|
</blockquote>
|
|
</section>
|
|
|
|
<section>
|
|
<title>tunnels</title>
|
|
|
|
<blockquote>
|
|
<programlisting># TYPE ZONE GATEWAY GATEWAY
|
|
# ZONE
|
|
ipsec:noah WiFi 192.168.3.8
|
|
openvpn:1194 net 0.0.0.0/0
|
|
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
|
</programlisting>
|
|
</blockquote>
|
|
</section>
|
|
|
|
<section>
|
|
<title>rules</title>
|
|
|
|
<blockquote>
|
|
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
|
|
# PORT PORT(S) DEST
|
|
allowBcast WiFi fw
|
|
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
|
</blockquote>
|
|
</section>
|
|
|
|
<section>
|
|
<title>routestopped</title>
|
|
|
|
<blockquote>
|
|
<programlisting>#INTERFACE HOST(S) OPTIONS
|
|
eth1 0.0.0.0/0
|
|
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
|
</blockquote>
|
|
</section>
|
|
|
|
<section>
|
|
<title>maclist</title>
|
|
|
|
<blockquote>
|
|
<programlisting>#INTERFACE MAC IP ADDRESSES (Optional)
|
|
eth1 00:A0:1C:DB:0C:A0 192.168.3.7 #Work Laptop
|
|
eth1 00:04:59:0e:85:b9 #WAP11
|
|
eth1 00:06:D5:45:33:3c #WET11
|
|
eth1 00:0b:c1:53:cc:97 192.168.3.8 #TIPPER
|
|
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
|
|
</blockquote>
|
|
</section>
|
|
|
|
<section>
|
|
<title>/etc/racoon/setkey.conf</title>
|
|
|
|
<blockquote>
|
|
<para>This defines encryption policies to/from the wireless
|
|
network.</para>
|
|
|
|
<programlisting>flush;
|
|
spdflush;
|
|
|
|
spdadd 0.0.0.0/0 192.168.3.8/32 any -P out ipsec esp/tunnel/192.168.3.254-192.168.3.8/require;
|
|
spdadd 192.168.3.8/32 0.0.0.0/0 any -P in ipsec esp/tunnel/192.168.3.8-192.168.3.254/require;</programlisting>
|
|
</blockquote>
|
|
</section>
|
|
|
|
<section>
|
|
<title>/etc/racoon/racoon.conf</title>
|
|
|
|
<blockquote>
|
|
<para>SA parameters for communication with our wireless network
|
|
(Tipper is currently the only Wireless host).</para>
|
|
|
|
<programlisting>path certificate "/etc/certs";
|
|
|
|
listen
|
|
{
|
|
isakmp 192.168.3.254;
|
|
}
|
|
|
|
remote 192.168.3.8
|
|
{
|
|
exchange_mode main ;
|
|
certificate_type x509 "ursa.pem" "ursa_key.pem";
|
|
verify_cert on;
|
|
my_identifier asn1dn ;
|
|
peers_identifier asn1dn ;
|
|
verify_identifier on ;
|
|
lifetime time 24 hour ;
|
|
proposal {
|
|
encryption_algorithm blowfish ;
|
|
hash_algorithm sha1;
|
|
authentication_method rsasig ;
|
|
dh_group 2 ;
|
|
}
|
|
}
|
|
|
|
sainfo address 0.0.0.0/0 any address 192.168.3.8/32 any
|
|
{
|
|
pfs_group 2;
|
|
lifetime time 12 hour ;
|
|
encryption_algorithm blowfish ;
|
|
authentication_algorithm hmac_sha1, hmac_md5 ;
|
|
compression_algorithm deflate ;
|
|
}</programlisting>
|
|
</blockquote>
|
|
</section>
|
|
|
|
<section>
|
|
<title>/etc/openvpn/server.conf</title>
|
|
|
|
<para>This is my OpenVPN server configuration file:</para>
|
|
|
|
<blockquote>
|
|
<programlisting>dev tun
|
|
|
|
server 192.168.2.0 255.255.255.0
|
|
|
|
dh dh1024.pem
|
|
|
|
ca /etc/certs/cacert.pem
|
|
|
|
crl-verify /etc/certs/crl.pem
|
|
|
|
cert /etc/certs/ursa.pem
|
|
key /etc/certs/ursa_key.pem
|
|
|
|
port 1194
|
|
|
|
comp-lzo
|
|
|
|
user nobody
|
|
group nogroup
|
|
|
|
ping 15
|
|
ping-restart 45
|
|
ping-timer-rem
|
|
persist-tun
|
|
persist-key
|
|
|
|
client-config-dir /etc/openvpn/clients
|
|
ccd-exclusive
|
|
client-to-client
|
|
|
|
verb 3</programlisting>
|
|
</blockquote>
|
|
</section>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Tipper Configuration while at Home</title>
|
|
|
|
<para>This laptop is either configured on our wireless network
|
|
(192.168.3.8) or as a standalone system on the road. While this system is
|
|
connected via our wireless network, it uses IPSEC tunnel mode for all
|
|
access.</para>
|
|
|
|
<note>
|
|
<para>Given that I use OpenVPN for remote access, it would be more
|
|
convenient to also use it for wireless access at home. I use IPSEC just
|
|
so that I always have a working IPSEC testbed.</para>
|
|
</note>
|
|
|
|
<para>Tipper's view of the world is shown in the following diagram:</para>
|
|
|
|
<graphic align="center" fileref="images/network2.png" valign="middle" />
|
|
|
|
<para>The key configuration files are shown in the following
|
|
sections.</para>
|
|
|
|
<section>
|
|
<title>zones</title>
|
|
|
|
<blockquote>
|
|
<programlisting>#ZONE DISPLAY COMMENTS
|
|
home Home Shorewall Network
|
|
net Net Internet
|
|
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
|
|
</programlisting>
|
|
</blockquote>
|
|
</section>
|
|
|
|
<section>
|
|
<title>policy</title>
|
|
|
|
<blockquote>
|
|
<programlisting>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
|
|
fw net ACCEPT
|
|
fw home ACCEPT
|
|
home fw ACCEPT
|
|
net home NONE
|
|
home net NONE
|
|
net all DROP info
|
|
# The FOLLOWING POLICY MUST BE LAST
|
|
all all REJECT info
|
|
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
|
|
</blockquote>
|
|
</section>
|
|
|
|
<section>
|
|
<title>interfaces</title>
|
|
|
|
<blockquote>
|
|
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
|
net eth0 detect dhcp,tcpflags
|
|
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
|
</blockquote>
|
|
</section>
|
|
|
|
<section>
|
|
<title>ipsec</title>
|
|
|
|
<blockquote>
|
|
<programlisting>#ZONE IPSEC OPTIONS IN OUT
|
|
# ONLY OPTIONS OPTIONS
|
|
home yes mode=tunnel
|
|
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
|
</blockquote>
|
|
</section>
|
|
|
|
<section>
|
|
<title>hosts</title>
|
|
|
|
<blockquote>
|
|
<programlisting>#ZONE HOST(S) OPTIONS
|
|
home eth0:0.0.0.0/0
|
|
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE</programlisting>
|
|
</blockquote>
|
|
</section>
|
|
|
|
<section>
|
|
<title>rules</title>
|
|
|
|
<blockquote>
|
|
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
|
|
# PORT PORT(S) DEST LIMIT GROUP
|
|
ACCEPT net fw icmp 8
|
|
ACCEPT net fw tcp 22
|
|
ACCEPT net fw tcp 4000:4100
|
|
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
|
</blockquote>
|
|
</section>
|
|
|
|
<section>
|
|
<title>/etc/racoon/setkey.conf</title>
|
|
|
|
<blockquote>
|
|
<programlisting>flush;
|
|
spdflush;
|
|
|
|
# Policies for while we're connected via Wireless at home
|
|
|
|
spdadd 192.168.3.8/32 192.168.3.8/32 any -P in none;
|
|
spdadd 192.168.3.8/32 192.168.3.8/32 any -P out none;
|
|
spdadd 127.0.0.0/8 127.0.0.0/8 any -P in none;
|
|
spdadd 127.0.0.0/8 127.0.0.0/8 any -P out none;
|
|
spdadd 0.0.0.0/0 192.168.3.8/32 any -P in ipsec esp/tunnel/192.168.3.254-192.168.3.8/require;
|
|
spdadd 192.168.3.8/32 0.0.0.0/0 any -P out ipsec esp/tunnel/192.168.3.8-192.168.3.254/require;
|
|
</programlisting>
|
|
</blockquote>
|
|
</section>
|
|
|
|
<section>
|
|
<title>/etc/racoon/racoon.conf</title>
|
|
|
|
<blockquote>
|
|
<programlisting>path certificate "/etc/certs";
|
|
|
|
listen
|
|
{
|
|
isakmp 192.168.3.8;
|
|
}
|
|
|
|
remote 192.168.3.254
|
|
{
|
|
exchange_mode main ;
|
|
certificate_type x509 "tipper.pem" "tipper_key.pem";
|
|
verify_cert on;
|
|
my_identifier asn1dn ;
|
|
peers_identifier asn1dn ;
|
|
verify_identifier on ;
|
|
lifetime time 24 hour ;
|
|
proposal {
|
|
encryption_algorithm blowfish ;
|
|
hash_algorithm sha1;
|
|
authentication_method rsasig ;
|
|
dh_group 2 ;
|
|
}
|
|
}
|
|
|
|
sainfo address 192.168.3.8/32 any address 0.0.0.0/0 any
|
|
{
|
|
pfs_group 2;
|
|
lifetime time 12 hour ;
|
|
encryption_algorithm blowfish ;
|
|
authentication_algorithm hmac_sha1, hmac_md5 ;
|
|
compression_algorithm deflate ;
|
|
}</programlisting>
|
|
</blockquote>
|
|
</section>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Tipper Configuration on the Road</title>
|
|
|
|
<para>When Tipper is on the road, it's world view is the same as in the
|
|
diagram above.</para>
|
|
|
|
<section>
|
|
<title>zones</title>
|
|
|
|
<blockquote>
|
|
<programlisting>#ZONE DISPLAY COMMENTS
|
|
home Home Shorewall Network
|
|
net Net Internet
|
|
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
|
|
</programlisting>
|
|
</blockquote>
|
|
</section>
|
|
|
|
<section>
|
|
<title>policy</title>
|
|
|
|
<blockquote>
|
|
<programlisting>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
|
|
fw net ACCEPT
|
|
fw home ACCEPT
|
|
home fw ACCEPT
|
|
net home NONE
|
|
home net NONE
|
|
net all DROP info
|
|
# The FOLLOWING POLICY MUST BE LAST
|
|
all all REJECT info
|
|
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
|
|
</blockquote>
|
|
</section>
|
|
|
|
<section>
|
|
<title>interfaces</title>
|
|
|
|
<blockquote>
|
|
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
|
net eth0 detect dhcp,tcpflags
|
|
home tun0 -
|
|
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
|
</blockquote>
|
|
</section>
|
|
|
|
<section>
|
|
<title>rules</title>
|
|
|
|
<blockquote>
|
|
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
|
|
# PORT PORT(S) DEST LIMIT GROUP
|
|
ACCEPT net fw icmp 8
|
|
ACCEPT net fw tcp 22
|
|
ACCEPT net fw tcp 4000:4100
|
|
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
|
</blockquote>
|
|
</section>
|
|
|
|
<section>
|
|
<title>/etc/openvpn/home.conf</title>
|
|
|
|
<blockquote>
|
|
<programlisting>dev tun
|
|
remote ursa.shorewall.net
|
|
up /etc/openvpn/home.up
|
|
|
|
tls-client
|
|
pull
|
|
|
|
ca /etc/certs/cacert.pem
|
|
|
|
cert /etc/certs/tipper.pem
|
|
key /etc/certs/tipper_key.pem
|
|
|
|
port 1194
|
|
|
|
user nobody
|
|
group nogroup
|
|
|
|
comp-lzo
|
|
|
|
ping 15
|
|
ping-restart 45
|
|
ping-timer-rem
|
|
persist-tun
|
|
persist-key
|
|
|
|
verb 3</programlisting>
|
|
</blockquote>
|
|
</section>
|
|
|
|
<section>
|
|
<title>/etc/openvpn/home.up</title>
|
|
|
|
<blockquote>
|
|
<programlisting>#!/bin/bash
|
|
|
|
ip route add 192.168.1.0/24 via $5 #Access to Home Network
|
|
ip route add 206.124.146.177/32 via $5 #So that DNS names will resolve in my
|
|
#Internal Bind 9 view because the source IP will
|
|
#be in 192.168.2.0/24</programlisting>
|
|
</blockquote>
|
|
</section>
|
|
</section>
|
|
</article> |