shorewall_code/Shorewall-docs2/myfiles.xml

1175 lines
42 KiB
XML

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<article>
<!--$Id$-->
<articleinfo>
<title>About My Network</title>
<authorgroup>
<author>
<firstname>Tom</firstname>
<surname>Eastep</surname>
</author>
</authorgroup>
<pubdate>2004-12-20</pubdate>
<copyright>
<year>2001-2004</year>
<holder>Thomas M. Eastep</holder>
</copyright>
<legalnotice>
<para>Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
License</ulink></quote>.</para>
</legalnotice>
</articleinfo>
<section>
<title>My Current Network</title>
<caution>
<para>I use a combination of One-to-one NAT and Proxy ARP, neither of
which are relevant to a simple configuration with a single public IP
address. If you have just a single public IP address, most of what you
see here won't apply to your setup so beware of copying parts of this
configuration and expecting them to work for you. What you copy may or
may not work in your environment.</para>
</caution>
<caution>
<para>The configuration shown here corresponds to Shorewall version
2.2.0 RC2. My configuration uses features not available in earlier
Shorewall releases.</para>
</caution>
<para>I have DSL service and have 5 static IP addresses
(206.124.146.176-180). My DSL <quote>modem</quote> (Westell 2200 running
in Bridge mode) is connected to eth1 and has IP address 192.168.1.1
(factory default). The modem is configured in <quote>bridge</quote> mode
so PPPoE is not involved. I have a local network connected to eth0 (subnet
192.168.1.0/24) and a DMZ connected to eth2 (206.124.146.176/32). Note
that I configure the same IP address on both <filename
class="devicefile">eth1</filename> and <filename
class="devicefile">eth2</filename>.</para>
<para>In this configuration:</para>
<itemizedlist>
<listitem>
<para>I use one-to-one NAT for Ursa (my personal system that run SuSE
9.2) - Internal address 192.168.1.5 and external address
206.124.146.178.</para>
</listitem>
<listitem>
<para>I use one-to-one NAT for EastepLaptop (My work system -- Windows
XP SP1). Internal address 192.168.1.7 and external address
206.124.146.180.</para>
</listitem>
<listitem>
<para>I use SNAT through 206.124.146.176 for&nbsp;my Wife's Windows XP
system <quote>Tarry</quote>, and our&nbsp; dual-booting (SuSE
9.2/Windows XP) laptop <quote>Tipper</quote> which connects through
the Wireless Access Point (wap) via a Wireless Bridge (wet).<note>
<para>While the distance between the WAP and where I usually use
the laptop isn't very far (50 feet or so), using a WAC11 (CardBus
wireless card) has proved very unsatisfactory (lots of lost
connections). By replacing the WAC11 with the WET11 wireless
bridge, I have virtually eliminated these problems (Being an old
radio tinkerer (K7JPV), I was also able to eliminate the
disconnects by hanging a piece of aluminum foil on the family room
wall. Needless to say, my wife Tarry rejected that as a permanent
solution :-).</para>
</note></para>
</listitem>
</itemizedlist>
<itemizedlist>
<listitem>
<para>I have Ursa (192.168.1.5/192.168.3.254/206.124.146.178)
configured as an IPSEC gateway for the Wireless network.</para>
</listitem>
<listitem>
<para>Squid runs on the firewall and is configured as a transparent
proxy.</para>
</listitem>
</itemizedlist>
<para>The firewall runs on a P-II/233 with Debian Sarge (testing).</para>
<para>Ursa runs Samba for file sharing with the Windows systems and is
configured as a Wins server.</para>
<para>The wireless network connects to Ursa's eth1 via a LinkSys
WAP11.&nbsp; In additional to using the rather weak WEP 40-bit encryption
(64-bit with the 24-bit preamble), I use <ulink
url="MAC_Validation.html">MAC verification</ulink> and <ulink
url="IPSEC-2.6.html">Kernel 2.6 IPSEC</ulink>.</para>
<para>The single system in the DMZ (address 206.124.146.177) runs postfix,
Courier IMAP (imaps and pop3), DNS, a Web server (Apache) and an FTP
server (Pure-ftpd) under Fedora Core 3. The system also runs fetchmail to
fetch our email from our old and current ISPs. That server is managed
through Proxy ARP.</para>
<para>The firewall system itself runs a DHCP server that serves the local
network.</para>
<para>I have one system (Roadwarrior, 206.124.146.179) outside the
firewall. This system, which runs Debian Sarge (testing) is used for
roadwarrior IPSEC testing and for checking my firewall "from the
outside".</para>
<para>All administration and publishing is done using ssh/scp. I have a
desktop environment installed on the firewall but I am not usually logged
in to it. X applications tunnel through SSH to Ursa. The server also has a
desktop environment installed and that desktop environment is available
via XDMCP from the local zone. For the most part though, X tunneled
through SSH is used for server administration and the server runs at run
level 3 (multi-user console mode on Fedora).</para>
<para>I run an SNMP server on my firewall to serve <ulink
url="http://www.ee.ethz.ch/~oetiker/webtools/mrtg/">MRTG</ulink> running
in the DMZ.</para>
<para>The ethernet interface in the Server is configured with IP address
206.124.146.177, netmask 255.255.255.0. The server's default gateway is
206.124.146.254 (Router at my ISP. This is the same default gateway used
by the firewall itself). On the firewall, an entry in my
/etc/network/interfaces file (see below) adds a host route to
206.124.146.177 through eth1 when that interface is brought up.</para>
<para>Tarry (192.168.1.4) runs a PPTP server for Road Warrior access from
my work laptop and the Firewall is configured with OpenVPN for VPN access
from our second home in <ulink url="http://www.omakchamber.com/">Omak,
Washington</ulink> or when we are otherwise out of town.</para>
<para><graphic align="center" fileref="images/network.png" /></para>
</section>
<section>
<title>Firewall Configuration</title>
<section>
<title>Shorewall.conf</title>
<blockquote>
<programlisting>LOGFILE=/var/log/messages
LOGFORMAT="Shorewall:%s:%s "
LOGRATE=
LOGBURST=
LOGUNCLEAN=$LOG
BLACKLIST_LOGLEVEL=
LOGNEWNOTSYN=$LOG
MACLIST_LOG_LEVEL=$LOG
TCP_FLAGS_LOG_LEVEL=$LOG
RFC1918_LOG_LEVEL=$LOG
SMURF_LOG_LEVEL=
IPTABLES=
PATH=/usr/local/sbin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin
SHOREWALL_SHELL=/bin/dash
SUBSYSLOCK=
STATEDIR=/var/state/shorewall
MODULESDIR=
CONFIG_PATH=/etc/shorewall:/etc/shorewall/actiondir:/usr/share/shorewall
RESTOREFILE=standard
FW=fw
IP_FORWARDING=On
ADD_IP_ALIASES=Yes
ADD_SNAT_ALIASES=Yes
RETAIN_ALIASES=Yes
TC_ENABLED=Yes
CLEAR_TC=Yes
MARK_IN_FORWARD_CHAIN=No
CLAMPMSS=Yes
ROUTE_FILTER=No
DETECT_DNAT_IPADDRS=Yes
MUTEX_TIMEOUT=60
NEWNOTSYN=Yes
BLACKLISTNEWONLY=Yes
DELAYBLACKLISTLOAD=Yes
DYNAMIC_ZONES=No
DISABLE_IPV6=Yes
PKTTYPE=No
BLACKLIST_DISPOSITION=DROP
MACLIST_DISPOSITION=REJECT
TCP_FLAGS_DISPOSITION=DROP</programlisting>
</blockquote>
</section>
<section>
<title>Params File (Edited)</title>
<blockquote>
<para><programlisting>MIRRORS=&lt;list of shorewall mirror ip addresses&gt;
NTPSERVERS=&lt;list of the NTP servers I sync with&gt;
TEXAS=&lt;ip address of gateway in Plano&gt;
LOG=info
EXT_IF=eth1
INT_IF=eth2
DMZ_IF=eth0</programlisting></para>
</blockquote>
</section>
<section>
<title>Zones File</title>
<blockquote>
<programlisting>#ZONE DISPLAY COMMENTS
net Internet Internet
dmz DMZ Demilitarized zone
loc Local Local networks
road Roadwarrior Our Laptop on the Road
tx Texas Peer Network in Dallas
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
</programlisting>
</blockquote>
</section>
<section>
<title>Interfaces File</title>
<blockquote>
<para>This is set up so that I can start the firewall before bringing
up my Ethernet interfaces.</para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
net $EXT_IF 206.124.146.255 dhcp,norfc1918,routefilter,logmartians,blacklist,tcpflags,nosmurfs
loc $INT_IF detect dhcp
dmz $DMZ_IF -
- texas -
road tun+ -
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
</blockquote>
</section>
<section>
<title>Hosts File</title>
<blockquote>
<programlisting>#ZONE HOST(S) OPTIONS
tx texas:192.168.8.0/22
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
</blockquote>
</section>
<section>
<title>Routestopped File</title>
<blockquote>
<programlisting>#INTERFACE HOST(S)
$DMZ_IF 206.124.146.177
$INT_IF -
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
</blockquote>
</section>
<section>
<title>Blacklist File (Partial)</title>
<blockquote>
<programlisting>#ADDRESS/SUBNET PROTOCOL PORT
0.0.0.0/0 udp 1434
0.0.0.0/0 tcp 1433
0.0.0.0/0 tcp 3127
0.0.0.0/0 tcp 8081
0.0.0.0/0 tcp 57
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
</blockquote>
</section>
<section>
<title>RFC1918 File</title>
<blockquote>
<para>Because my DSL modem has an RFC 1918 address (192.168.1.1) and
is connected to eth0, I need to make an exception for that address in
my rfc1918 file. I copied /usr/share/shorewall/rfc1918 to
/etc/shorewall/rfc1918 and changed it as follows:</para>
<programlisting>#SUBNET TARGET
<emphasis role="bold">192.168.1.1 RETURN</emphasis>
172.16.0.0/12 logdrop # RFC 1918
192.168.0.0/16 logdrop # RFC 1918
10.0.0.0/8 logdrop # RFC 1918
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
</programlisting>
</blockquote>
</section>
<section>
<title>Policy File</title>
<blockquote>
<programlisting>#SOURCE DESTINATION POLICY LOG LEVEL BURST:LIMIT
fw fw ACCEPT
loc net ACCEPT
fw road ACCEPT
road loc ACCEPT
loc road ACCEPT
$FW loc ACCEPT
$FW tx ACCEPT
loc tx ACCEPT
loc fw REJECT $LOG
dmz tx ACCEPT
net all DROP $LOG 10/sec:40
all all REJECT $LOG
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
</blockquote>
</section>
<section>
<title>Masq File</title>
<blockquote>
<para>Although most of our internal systems use one-to-one NAT, my
wife's system (192.168.1.4) uses IP Masquerading (actually SNAT) as
does our laptop (192.168.1.8) and visitors with laptops.</para>
<para>The first entry allows access to the DSL modem and uses features
introduced in Shorewall 2.1.1. The leading plus sign ("+_") causes the
rule to be placed before rules generated by the /etc/shorewall/nat
file below. The double colons ("::") causes the entry to be exempt
from ADD_SNAT_ALIASES=Yes in my shorewall.conf file above.</para>
<programlisting>#INTERFACE SUBNET ADDRESS
+$EXT_IF::192.168.1.1 0.0.0.0/0 192.168.1.254
$EXT_IF:2 eth2 206.124.146.176
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
</blockquote>
</section>
<section>
<title>NAT File</title>
<blockquote>
<programlisting>#EXTERNAL INTERFACE INTERNAL ALL INTERFACES LOCAL
206.124.146.178 eth0:0 192.168.1.5 No No
206.124.146.180 eth0:1 192.168.1.7 No No
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
</blockquote>
</section>
<section id="ProxyARP">
<title>Proxy ARP File</title>
<blockquote>
<para>I configure the host route to 206.124.146.177 on <filename
class="devicefile">eth1</filename> using the Yast2 Network Interface
tool; the <quote>Gateway</quote> is specified as 0.0.0.0 which
indicates that the host is directly attached to the LAN on that
interface.</para>
<programlisting>#ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT
206.124.146.177 eth1 eth0 Yes
192.168.1.1 eth0 eth2 yes # Allow access to DSL modem from the local zone
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
</blockquote>
</section>
<section>
<title>Tunnels File (Shell variable TEXAS set in
/etc/shorewall/params)</title>
<blockquote>
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE PORT
gre net $TEXAS
openvpn:1194 net 0.0.0.0/0
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
</blockquote>
</section>
<section id="Actions">
<title>Actions File</title>
<blockquote>
<programlisting>#ACTION
Mirrors #Accept traffic from the Shorewall Mirror sites
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
</blockquote>
</section>
<section>
<title>action.Mirrors File</title>
<blockquote>
<para>The $MIRRORS variable expands to a list of approximately 10 IP
addresses. So moving these checks into a separate chain reduces the
number of rules that most net-&gt;dmz traffic needs to
traverse.</para>
<programlisting>#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
# PORT PORT(S) DEST LIMIT
ACCEPT $MIRRORS
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
</blockquote>
</section>
<section>
<title>/etc/shorewall/action.Reject</title>
<blockquote>
<para>This is my common action for the REJECT policy. It is like the
standard <emphasis role="bold">Reject</emphasis> action except that it
allows <quote>Ping</quote> and contains one rule that guards against
log flooding by broken software running in my local zone.</para>
<programlisting>#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT(S) PORT(S) LIMIT GROUP
RejectAuth
AllowPing
dropBcast
RejectSMB
DropUPnP
dropNotSyn
DropDNSrep
DROP loc:eth2:!192.168.1.0/24 #So that my braindead Windows[tm] XP system doesn't flood my log
#with NTP requests with a source address in 16.0.0.0/8 (address of
#its PPTP tunnel to HP).</programlisting>
</blockquote>
</section>
<section>
<title>/etc/racoon/setkey.conf</title>
<blockquote>
<para>This defines the policies for encryption to/from our second
home.</para>
<programlisting>flush;
spdflush;
spdadd 192.168.1.0/24 64.139.97.48/32 any -P out ipsec esp/tunnel/206.124.146.176-64.139.97.48/require;
spdadd 64.139.97.48/32 192.168.1.0/24 any -P in ipsec esp/tunnel/64.139.97.48-206.124.146.176/require;
spdadd 64.139.97.48/32 206.124.146.176/32 any -P in ipsec esp/tunnel/64.139.97.48-206.124.146.176/require;
spdadd 206.124.146.176/32 64.139.97.48/32 any -P out ipsec esp/tunnel/206.124.146.176-64.139.97.48/require;
</programlisting>
</blockquote>
</section>
<section>
<title>/etc/racoon/racoon.conf</title>
<blockquote>
<para>SA parameters for communication with our second home.</para>
<programlisting> path certificate "/etc/certs" ;
listen
{
isakmp 206.124.146.176;
}
remote 64.139.97.48
{
exchange_mode main ;
certificate_type x509 "gateway.pem" "gateway_key.pem";
verify_cert on;
my_identifier asn1dn ;
peers_identifier asn1dn ;
verify_identifier on ;
lifetime time 24 hour ;
proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method rsasig ;
dh_group 2 ;
}
}
sainfo address 192.168.1.0/24 any address 64.139.97.48/32 any
{
pfs_group 2;
lifetime time 12 hour ;
encryption_algorithm 3des, blowfish, des, rijndael ;
authentication_algorithm hmac_sha1, hmac_md5 ;
compression_algorithm deflate ;
}
sainfo address 206.124.146.176/32 any address 64.139.97.48/32 any
{
pfs_group 2;
lifetime time 12 hour ;
encryption_algorithm 3des, blowfish, des, rijndael ;
authentication_algorithm hmac_sha1, hmac_md5 ;
compression_algorithm deflate ;
}
</programlisting>
</blockquote>
</section>
<section>
<title>Rules File (The shell variables are set in
/etc/shorewall/params)</title>
<blockquote>
<programlisting>###############################################################################################################################################################################
#RESULT CLIENT(S) SERVER(S) PROTO PORT(S) CLIENT ORIGINAL RATE USER
# PORT(S) DEST:SNAT SET
###############################################################################################################################################################################
# Local Network to Internet - Reject attempts by Trojans to call home, direct SMTP and MS Message Service
#
REJECT:$LOG loc net tcp 6667,25
REJECT:$LOG loc net udp 1025:1031
#
# Stop NETBIOS crap
#
REJECT loc net tcp 137,445
REJECT loc net udp 137:139
#
# Stop my idiotic XP box from sending to the net with an HP source IP address
#
DROP loc:!192.168.0.0/22 net
#
# SQUID
#
REDIRECT loc 3128 tcp 80
###############################################################################################################################################################################
# Local Network to Firewall
#
DROP loc:!192.168.0.0/22 fw # Silently drop traffic with an HP source IP from my XP box
ACCEPT loc fw tcp ssh,time
ACCEPT loc fw udp 161,ntp
###############################################################################################################################################################################
# Local Network to DMZ
#
DROP loc:!192.168.0.0/22 dmz
ACCEPT loc dmz udp domain,xdmcp
ACCEPT loc dmz tcp www,smtp,smtps,domain,ssh,imap,https,imaps,cvspserver,ftp,10027,pop3 -
###############################################################################################################################################################################
# Internet to ALL -- drop NewNotSyn packets
#
dropNotSyn net fw tcp
dropNotSyn net loc tcp
dropNotSyn net dmz tcp
#
# Drop ping to firewall and local
#
DropPing net fw
DropPing net loc
###############################################################################################################################################################################
# Internet to DMZ
#
DNAT- net dmz:206.124.146.177 tcp smtp - 206.124.146.178
ACCEPT net dmz tcp smtp,smtps,www,ftp,imaps,domain,https,cvspserver -
ACCEPT net dmz udp domain
ACCEPT net dmz udp 33434:33436
Mirrors net dmz tcp rsync
ACCEPT net dmz tcp 22
AllowPing net dmz
###############################################################################################################################################################################
#
# Net to Local
#
# When I'm "on the road", the following two rules allow me VPN access back home.
#
DNAT net loc:192.168.1.4 tcp 1723 -
DNAT net:!$TEXAS loc:192.168.1.4 gre -
ACCEPT net loc:192.168.1.5 tcp 22
#
# ICQ
#
ACCEPT net loc:192.168.1.5 tcp 4000:4100
#
# Real Audio
#
ACCEPT net loc:192.168.1.5 udp 6970:7170
#
# Overnet
#
#ACCEPT net loc:192.168.1.5 tcp 4662
#ACCEPT net loc:192.168.1.5 udp 12112
#
# Silently Handle common probes
#
REJECT net loc tcp www,ftp,https
###############################################################################################################################################################################
# DMZ to Internet
#
ACCEPT dmz net tcp smtp,domain,www,81,https,whois,echo,2702,21,2703,ssh,8080
ACCEPT dmz net udp domain
REJECT:$LOG dmz net udp 1025:1031
ACCEPT dmz net:$POPSERVERS tcp pop3
#
# Something is wrong with the FTP connection tracking code or there is some client out there
# that is sending a PORT command which that code doesn't understand. Either way,
# the following works around the problem.
#
ACCEPT:$LOG dmz net tcp 1024: 20
###############################################################################################################################################################################
# DMZ to Firewall -- ntp &amp; snmp, Silently reject Auth
#
ACCEPT dmz fw udp ntp ntp
ACCEPT dmz fw tcp 161,ssh
ACCEPT dmz fw udp 161
REJECT dmz fw tcp auth
###############################################################################################################################################################################
# DMZ to Local Network
#
ACCEPT dmz loc tcp smtp,6001:6010
ACCEPT dmz:206.124.146.177 loc:192.168.1.5 tcp 111
ACCEPT dmz:206.124.146.177 loc:192.168.1.5 udp
###############################################################################################################################################################################
# Internet to Firewall
#
REJECT net fw tcp www,ftp,https
ACCEPT net dmz udp 33434:33435
###############################################################################################################################################################################
# Firewall to Internet
#
ACCEPT fw net:$NTPSERVERS udp ntp ntp
#ACCEPT fw net:$POPSERVERS tcp pop3
ACCEPT fw net udp domain
ACCEPT fw net tcp domain,www,https,ssh,1723,whois,1863,ftp,2702,2703,7
ACCEPT fw net udp 33435:33535
ACCEPT fw net icmp
REJECT:$LOG fw net udp 1025:1031
DROP fw net udp ntp
###############################################################################################################################################################################
# Firewall to DMZ
#
ACCEPT fw dmz tcp www,ftp,ssh,smtp
ACCEPT fw dmz udp domain
REJECT fw dmz udp 137:139
###############################################################################################################################################################################
ACCEPT tx loc:192.168.1.5 all
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
</programlisting>
</blockquote>
</section>
<section>
<title>/etc/openvpn/server.conf</title>
<para>This is my OpenVPN server configuration file:</para>
<blockquote>
<programlisting>dev tun
server 192.168.2.0 255.255.255.0
dh /etc/openvpn/dh1024.pem
ca /etc/certs/cacert.pem
cert /etc/certs/gateway.pem
key /etc/certs/gateway_key.pem
port 1194
comp-lzo
user nobody
group nogroup
ping 15
ping-restart 45
ping-timer-rem
persist-tun
persist-key
verb 3</programlisting>
</blockquote>
</section>
<section>
<title>/etc/network/interfaces</title>
<para>This file is Debian-specific and defines the configuration of the
network interfaces.</para>
<blockquote>
<programlisting># The loopback network interface
auto lo
iface lo inet loopback
# DMZ interface -- after the interface is up, add a host route to the server. This allows 'Yes' in the
# HAVEROUTE column of the /etc/shorewall/proxyarp file. Note that the DMZ interface has
# the same IP address as the Internet interface but has no broadcast address or network.
auto eth0
iface eth0 inet static
address 206.124.146.176
netmask 255.255.255.255
broadcast 0.0.0.0
up ip route add 206.124.146.177 dev eth0
# Internet interface -- after the interface is up, add a host route to the DSL 'Modem' (Westell 2200).
auto eth1
iface eth1 inet static
address 206.124.146.176
netmask 255.255.255.0
gateway 206.124.146.254
up ip route add 192.168.1.1 dev eth1
# Local LAN interface -- after the interface is up, add a net route to the Wireless network through 'Ursa'.
auto eth2
iface eth2 inet static
address 192.168.1.254
netmask 255.255.255.0
up ip route add 192.168.3.0/24 via 192.168.1.5
</programlisting>
</blockquote>
</section>
</section>
<section>
<title>Wireless IPSEC Gateway (Ursa) Configuration</title>
<para>As mentioned above, Ursa acts as an IPSEC gateway for the wireless
network. It's view of the network is diagrammed in the following
figure.</para>
<graphic align="center" fileref="images/network1.png" valign="middle" />
<para>I've included the files that I used to configure that system.</para>
<section>
<title>zones</title>
<blockquote>
<para>Because <emphasis role="bold">loc</emphasis> is a sub-zone of
<emphasis role="bold">net</emphasis>, <emphasis
role="bold">loc</emphasis> must be defined first.</para>
<programlisting>#ZONE DISPLAY COMMENTS
loc Local Local networks
net Internet The Big Bad Internet
WiFi Wireless Wireless Network
sec Secure Secure Wireless Network
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
</programlisting>
</blockquote>
</section>
<section>
<title>policy</title>
<blockquote>
<programlisting>#SOURCE DEST POLICY LOG LIMIT:BURST
loc fw ACCEPT
loc net NONE
loc sec ACCEPT
net fw ACCEPT
net loc NONE
net sec ACCEPT
sec fw ACCEPT
sec loc ACCEPT
sec net ACCEPT
fw loc ACCEPT
fw net ACCEPT
fw sec ACCEPT
fw WiFi ACCEPT
sec WiFi NONE
WiFi sec NONE
all all REJECT info
#LAST LINE -- DO NOT REMOVE</programlisting>
<blockquote>
<para></para>
</blockquote>
</blockquote>
</section>
<section>
<title>interfaces</title>
<blockquote>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
net eth0 192.168.1.255 dhcp,nobogons,blacklist
WiFi eth1 192.168.3.255 nobogons,blacklist,maclist,routeback
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
</blockquote>
</section>
<section>
<title>ipsec</title>
<blockquote>
<para>The mss=1400 in the OUT OPTIONS of the 'net' zone uses a feature
added in 2.1.12 and sets the MSS field in TCP SYN packets forwarded to
the 'net' zone to 1400. This works around a problem whereby ICMP
fragmentation-needed packets are being dropped somewhere between my
main firewall and the IMAP server at my work.</para>
<programlisting>#ZONE IPSEC OPTIONS IN OUT
# ONLY OPTIONS OPTIONS
sec yes mode=tunnel
net no - - <emphasis
role="bold">mss=1400</emphasis>
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
</programlisting>
</blockquote>
</section>
<section>
<title>hosts</title>
<blockquote>
<programlisting>#ZONE HOST(S) OPTIONS
sec eth1:0.0.0.0/0 routeback
loc eth0:192.168.1.0/24
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE</programlisting>
</blockquote>
</section>
<section>
<title>rules</title>
<blockquote>
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# PORT PORT(S) DEST
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
</blockquote>
</section>
<section>
<title>routestopped</title>
<blockquote>
<programlisting>#INTERFACE HOST(S) OPTIONS
eth0 0.0.0.0/0
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
</blockquote>
</section>
<section>
<title>maclist</title>
<blockquote>
<programlisting>#INTERFACE MAC IP ADDRESSES (Optional)
eth1 00:A0:1C:DB:0C:A0 192.168.3.7 #Work Laptop
eth1 00:04:59:0e:85:b9 #WAP11
eth1 00:06:D5:45:33:3c #WET11
eth1 00:0b:c1:53:cc:97 192.168.3.8 #TIPPER
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
</blockquote>
</section>
<section>
<title>/etc/racoon/setkey.conf</title>
<blockquote>
<para>This defines encryption policies to/from the wireless
network.</para>
<programlisting>flush;
spdflush;
spdadd 0.0.0.0/0 192.168.3.8/32 any -P out ipsec esp/tunnel/192.168.3.254-192.168.3.8/require;
spdadd 192.168.3.8/32 0.0.0.0/0 any -P in ipsec esp/tunnel/192.168.3.8-192.168.3.254/require;</programlisting>
</blockquote>
</section>
<section>
<title>/etc/racoon/racoon.conf</title>
<blockquote>
<para>SA parameters for communication with our wireless network
(Tipper is currently the only Wireless host).</para>
<programlisting>path certificate "/etc/certs";
listen
{
isakmp 192.168.3.254;
}
remote 192.168.3.8
{
exchange_mode main ;
certificate_type x509 "ursa.pem" "ursa_key.pem";
verify_cert on;
my_identifier asn1dn ;
peers_identifier asn1dn ;
verify_identifier on ;
lifetime time 24 hour ;
proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method rsasig ;
dh_group 2 ;
}
}
sainfo address 0.0.0.0/0 any address 192.168.3.8/32 any
{
pfs_group 2;
lifetime time 12 hour ;
encryption_algorithm 3des, blowfish, des, rijndael ;
authentication_algorithm hmac_sha1, hmac_md5 ;
compression_algorithm deflate ;
}</programlisting>
</blockquote>
</section>
</section>
<section>
<title>Tipper Configuration while at Home</title>
<para>This laptop is either configured on our wireless network
(192.168.3.8) or as a standalone system on the road. While this system is
connected via our wireless network, it uses IPSEC tunnel mode for all
access.</para>
<para>Tipper's view of the world is shown in the following diagram:</para>
<graphic align="center" fileref="images/network2.png" valign="middle" />
<para>The key configuration files are shown in the following
sections.</para>
<section>
<title>zones</title>
<blockquote>
<programlisting>#ZONE DISPLAY COMMENTS
home Home Shorewall Network
net Net Internet
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
</programlisting>
</blockquote>
</section>
<section>
<title>policy</title>
<blockquote>
<programlisting>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
fw net ACCEPT
fw home ACCEPT
home fw ACCEPT
net home NONE
home net NONE
net all DROP info
# The FOLLOWING POLICY MUST BE LAST
all all REJECT info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
</blockquote>
</section>
<section>
<title>interfaces</title>
<blockquote>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect dhcp,tcpflags
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
</blockquote>
</section>
<section>
<title>ipsec</title>
<blockquote>
<programlisting>#ZONE IPSEC OPTIONS IN OUT
# ONLY OPTIONS OPTIONS
home yes mode=tunnel
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
</blockquote>
</section>
<section>
<title>hosts</title>
<blockquote>
<programlisting>#ZONE HOST(S) OPTIONS
home eth0:0.0.0.0/0
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE</programlisting>
</blockquote>
</section>
<section>
<title>rules</title>
<blockquote>
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
ACCEPT net fw icmp 8
ACCEPT net fw tcp 22
ACCEPT net fw tcp 4000:4100
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
</blockquote>
</section>
<section>
<title>/etc/racoon/setkey.conf</title>
<blockquote>
<programlisting>flush;
spdflush;
# Policies for while we're connected via Wireless at home
spdadd 192.168.3.8/32 192.168.3.8/32 any -P in none;
spdadd 192.168.3.8/32 192.168.3.8/32 any -P out none;
spdadd 127.0.0.0/8 127.0.0.0/8 any -P in none;
spdadd 127.0.0.0/8 127.0.0.0/8 any -P out none;
spdadd 0.0.0.0/0 192.168.3.8/32 any -P in ipsec esp/tunnel/192.168.3.254-192.168.3.8/require;
spdadd 192.168.3.8/32 0.0.0.0/0 any -P out ipsec esp/tunnel/192.168.3.8-192.168.3.254/require;
</programlisting>
</blockquote>
</section>
<section>
<title>/etc/racoon/racoon.conf</title>
<blockquote>
<programlisting>path certificate "/etc/certs";
listen
{
isakmp 192.168.3.8;
}
remote 192.168.3.254
{
exchange_mode main ;
certificate_type x509 "tipper.pem" "tipper_key.pem";
verify_cert on;
my_identifier asn1dn ;
peers_identifier asn1dn ;
verify_identifier on ;
lifetime time 24 hour ;
proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method rsasig ;
dh_group 2 ;
}
}
sainfo address 192.168.3.8/32 any address 0.0.0.0/0 any
{
pfs_group 2;
lifetime time 12 hour ;
encryption_algorithm 3des, blowfish, des, rijndael ;
authentication_algorithm hmac_sha1, hmac_md5 ;
compression_algorithm deflate ;
}</programlisting>
</blockquote>
</section>
</section>
<section>
<title>Tipper Configuration on the Road</title>
<para>When Tipper is on the road, it's world view is the same as in the
diagram above.</para>
<section>
<title>zones</title>
<blockquote>
<programlisting>#ZONE DISPLAY COMMENTS
home Home Shorewall Network
net Net Internet
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
</programlisting>
</blockquote>
</section>
<section>
<title>policy</title>
<blockquote>
<programlisting>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
fw net ACCEPT
fw home ACCEPT
home fw ACCEPT
net home NONE
home net NONE
net all DROP info
# The FOLLOWING POLICY MUST BE LAST
all all REJECT info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
</blockquote>
</section>
<section>
<title>interfaces</title>
<blockquote>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect dhcp,tcpflags
home tun0 -
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
</blockquote>
</section>
<section>
<title>rules</title>
<blockquote>
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
ACCEPT net fw icmp 8
ACCEPT net fw tcp 22
ACCEPT net fw tcp 4000:4100
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
</blockquote>
</section>
<section>
<title>/etc/openvpn/home.conf</title>
<blockquote>
<programlisting>dev tun
remote gateway.shorewall.net
up /etc/openvpn/home.up
tls-client
pull
ca /etc/certs/cacert.pem
cert /etc/certs/tipper.pem
key /etc/certs/tipper_key.pem
port 1194
user nobody
group nogroup
comp-lzo
ping 15
ping-restart 45
ping-timer-rem
persist-tun
persist-key
verb 3</programlisting>
</blockquote>
</section>
<section>
<title>/etc/openvpn/home.up</title>
<blockquote>
<programlisting>#!/bin/bash
ip route add 192.168.1.0/24 via $5 #Access to Home Network
ip route add 206.124.146.177/32 via $5 #So that DNS names will resolve in my
#Internal zone because the source IP will
#be in 192.168.2.0/24</programlisting>
</blockquote>
</section>
</section>
</article>