shorewall_code/Shorewall-docs2/myfiles.xml

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<article>
  <!--$Id$-->

  <articleinfo>
    <title>About My Network</title>

    <authorgroup>
      <author>
        <firstname>Tom</firstname>

        <surname>Eastep</surname>
      </author>
    </authorgroup>

    <pubdate>2005-02-06</pubdate>

    <copyright>
      <year>2001-2005</year>

      <holder>Thomas M. Eastep</holder>
    </copyright>

    <legalnotice>
      <para>Permission is granted to copy, distribute and/or modify this
      document under the terms of the GNU Free Documentation License, Version
      1.2 or any later version published by the Free Software Foundation; with
      no Invariant Sections, with no Front-Cover, and with no Back-Cover
      Texts. A copy of the license is included in the section entitled
      <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
      License</ulink></quote>.</para>
    </legalnotice>
  </articleinfo>

  <section>
    <title>My Current Network</title>

    <caution>
      <para>I use a combination of One-to-one NAT and Proxy ARP, neither of
      which are relevant to a simple configuration with a single public IP
      address. If you have just a single public IP address, most of what you
      see here won't apply to your setup so beware of copying parts of this
      configuration and expecting them to work for you. What you copy may or
      may not work in your environment.</para>
    </caution>

    <caution>
      <para>The configuration shown here corresponds to Shorewall version
      2.2.0. My configuration uses features not available in earlier Shorewall
      releases.</para>
    </caution>

    <para>I have DSL service and have 5 static IP addresses
    (206.124.146.176-180). My DSL <quote>modem</quote> (Westell 2200 running
    in Bridge mode) is connected to eth2 and has IP address 192.168.1.1
    (factory default). The modem is configured in <quote>bridge</quote> mode
    so PPPoE is not involved. I have a local network connected to eth3 (subnet
    192.168.1.0/24), a wireless network (192.168.3.0/24) connected to eth0,
    and a DMZ connected to eth1 (206.124.146.176/32). Note that I configure
    the same IP address on both <filename class="devicefile">eth1</filename>
    and <filename class="devicefile">eth2</filename>.</para>

    <para>In this configuration:</para>

    <itemizedlist>
      <listitem>
        <para>I use one-to-one NAT for Ursa (my personal system that run SuSE
        9.2) - Internal address 192.168.1.5 and external address
        206.124.146.178.</para>
      </listitem>

      <listitem>
        <para>I use one-to-one NAT for Eastepnc6000 (My work system -- Windows
        XP SP1). Internal address 192.168.1.7 and external address
        206.124.146.180.</para>
      </listitem>

      <listitem>
        <para>I use SNAT through 206.124.146.176 for&nbsp;my Wife's Windows XP
        system <quote>Tarry</quote>, and our&nbsp; dual-booting (SuSE
        9.2/Windows XP) laptop <quote>Tipper</quote> which connects through
        the Wireless Access Point (wap) via a Wireless Bridge (wet), and my
        work laptop when it is not docked in my office.<note>
            <para>While the distance between the WAP and where I usually use
            the laptop isn't very far (50 feet or so), using a WAC11 (CardBus
            wireless card) has proved very unsatisfactory (lots of lost
            connections). By replacing the WAC11 with the WET11 wireless
            bridge, I have virtually eliminated these problems (Being an old
            radio tinkerer (K7JPV), I was also able to eliminate the
            disconnects by hanging a piece of aluminum foil on the family room
            wall. Needless to say, my wife Tarry rejected that as a permanent
            solution :-).</para>
          </note></para>
      </listitem>
    </itemizedlist>

    <itemizedlist>
      <listitem>
        <para>Squid runs on the firewall and is configured as a transparent
        proxy.</para>
      </listitem>
    </itemizedlist>

    <para>The firewall runs on a P-II/233 with Debian Sarge (testing).</para>

    <para>Ursa runs Samba for file sharing with the Windows systems and is
    configured as a Wins server.</para>

    <para>The wireless network connects to the firewall's eth0 via a LinkSys
    WAP11.&nbsp; In additional to using the rather weak WEP 40-bit encryption
    (64-bit with the 24-bit preamble), I use <ulink
    url="MAC_Validation.html">MAC verification</ulink> and <ulink
    url="IPSEC-2.6.html">Kernel 2.6 IPSEC</ulink> or <ulink
    url="OPENVPN.html">OpenVPN</ulink>.</para>

    <para>The single system in the DMZ (address 206.124.146.177) runs postfix,
    Courier IMAP (imaps and pop3), DNS, a Web server (Apache) and an FTP
    server (Pure-ftpd) under Fedora Core 3. The system also runs fetchmail to
    fetch our email from our old and current ISPs. That server is managed
    through Proxy ARP.</para>

    <para>The firewall system itself runs a DHCP server that serves the local
    network.</para>

    <para>I have one system (Roadwarrior, 206.124.146.179) outside the
    firewall. This system, which runs Debian Sarge (testing) is used for
    roadwarrior VPN testing and for checking my firewall "from the
    outside".</para>

    <para>All administration and publishing is done using ssh/scp. I have a
    desktop environment installed on the firewall but I am not usually logged
    in to it. X applications tunnel through SSH to Ursa. The server also has a
    desktop environment installed and that desktop environment is available
    via XDMCP from the local zone. For the most part though, X tunneled
    through SSH is used for server administration and the server runs at run
    level 3 (multi-user console mode on Fedora).</para>

    <para>I run an SNMP server on my firewall to serve <ulink
    url="http://www.ee.ethz.ch/~oetiker/webtools/mrtg/">MRTG</ulink> running
    in the DMZ.</para>

    <para>The ethernet interface in the Server is configured with IP address
    206.124.146.177, netmask 255.255.255.0. The server's default gateway is
    206.124.146.254 (Router at my ISP. This is the same default gateway used
    by the firewall itself). On the firewall, an entry in my
    /etc/network/interfaces file (see below) adds a host route to
    206.124.146.177 through eth1 when that interface is brought up.</para>

    <para>The firewall is configured with OpenVPN for VPN access from our
    second home in <ulink url="http://www.omakchamber.com/">Omak,
    Washington</ulink> or when we are otherwise out of town. Secure remote
    access via IPSEC is also available.</para>

    <para><graphic align="center" fileref="images/network.png" /></para>
  </section>

  <section>
    <title>Firewall Configuration</title>

    <section>
      <title>Shorewall.conf</title>

      <blockquote>
        <programlisting>LOGFILE=/var/log/ulog/syslogemu.log
LOGFORMAT="Shorewall:%s:%s "
LOGRATE=
LOGBURST=
LOGUNCLEAN=$LOG
BLACKLIST_LOGLEVEL=
LOGNEWNOTSYN=$LOG
MACLIST_LOG_LEVEL=$LOG
TCP_FLAGS_LOG_LEVEL=$LOG
RFC1918_LOG_LEVEL=$LOG
SMURF_LOG_LEVEL=
IPTABLES=
PATH=/usr/local/sbin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin
SHOREWALL_SHELL=/bin/dash
SUBSYSLOCK=
STATEDIR=/var/state/shorewall
MODULESDIR=
CONFIG_PATH=/etc/shorewall:/etc/shorewall/actiondir:/usr/share/shorewall
RESTOREFILE=standard
FW=fw
IP_FORWARDING=On
ADD_IP_ALIASES=Yes
ADD_SNAT_ALIASES=Yes
RETAIN_ALIASES=Yes
TC_ENABLED=Yes
CLEAR_TC=Yes
MARK_IN_FORWARD_CHAIN=No
CLAMPMSS=Yes
ROUTE_FILTER=No
DETECT_DNAT_IPADDRS=Yes
MUTEX_TIMEOUT=60
NEWNOTSYN=Yes
BLACKLISTNEWONLY=Yes
DELAYBLACKLISTLOAD=Yes
DYNAMIC_ZONES=No
DISABLE_IPV6=Yes
PKTTYPE=No
BLACKLIST_DISPOSITION=DROP
MACLIST_DISPOSITION=REJECT
TCP_FLAGS_DISPOSITION=DROP</programlisting>
      </blockquote>
    </section>

    <section>
      <title>Params File (Edited)</title>

      <blockquote>
        <para><programlisting>MIRRORS=&lt;list of shorewall mirror ip addresses&gt;
NTPSERVERS=&lt;list of the NTP servers I sync with&gt;
TEXAS=&lt;ip address of gateway in Plano&gt;
LOG=ULOG
WIFI_IF=eth0
EXT_IF=eth2
INT_IF=eth3
DMZ_IF=eth1</programlisting></para>
      </blockquote>
    </section>

    <section>
      <title>Zones File</title>

      <blockquote>
        <programlisting>#ZONE   DISPLAY         COMMENTS
net     Internet        Internet
dmz     DMZ             Demilitarized zone
loc     Local           Local networks
tx      Texas           Peer Network in Dallas
Wifi    Wireless        Wirewall Network
sec     Secure          Secure Wireless Zone
vpn     OpenVPN         Open VPN Clients
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
</programlisting>
      </blockquote>
    </section>

    <section>
      <title>Interfaces File</title>

      <blockquote>
        <para>This is set up so that I can start the firewall before bringing
        up my Ethernet interfaces.</para>

        <programlisting>#ZONE   INTERFACE       BROADCAST       OPTIONS
net     $EXT_IF         206.124.146.255 dhcp,norfc1918,routefilter,logmartians,blacklist,tcpflags,nosmurfs
loc     $INT_IF         detect          dhcp
dmz     $DMZ_IF         -
-       texas           -
vpn     tun+            -
Wifi    $WIFI_IF        -               maclist
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
      </blockquote>
    </section>

    <section>
      <title>Hosts File</title>

      <blockquote>
        <programlisting>#ZONE           HOST(S)                 OPTIONS
tx              texas:192.168.8.0/22
sec             $WIFI_IF:192.168.3.0/24
sec             $EXT_IF:0.0.0.0/0
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
      </blockquote>
    </section>

    <section>
      <title>Ipsec File</title>

      <para><blockquote>
          <programlisting>#ZONE   IPSEC   OPTIONS                 IN                      OUT
#       ONLY                            OPTIONS                 OPTIONS
sec     Yes     mode=tunnel             mss=1400
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
</programlisting>
        </blockquote></para>
    </section>

    <section>
      <title>Routestopped File</title>

      <blockquote>
        <programlisting>#INTERFACE      HOST(S)
$DMZ_IF         206.124.146.177
$INT_IF         -
$WIFI_IF        192.168.3.0/24
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
      </blockquote>
    </section>

    <section>
      <title>Blacklist File (Partial)</title>

      <blockquote>
        <programlisting>#ADDRESS/SUBNET         PROTOCOL        PORT
0.0.0.0/0               udp             1434
0.0.0.0/0               tcp             1433
0.0.0.0/0               tcp             3127
0.0.0.0/0               tcp             8081
0.0.0.0/0               tcp             57
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
      </blockquote>
    </section>

    <section>
      <title>RFC1918 File</title>

      <blockquote>
        <para>Because my DSL modem has an RFC 1918 address (192.168.1.1) and
        is connected to eth0, I need to make an exception for that address in
        my rfc1918 file. I copied /usr/share/shorewall/rfc1918 to
        /etc/shorewall/rfc1918 and changed it as follows:</para>

        <programlisting>#SUBNET           TARGET
<emphasis role="bold">192.168.1.1    RETURN</emphasis>
172.16.0.0/12     logdrop        # RFC 1918
192.168.0.0/16    logdrop        # RFC 1918
10.0.0.0/8        logdrop        # RFC 1918
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
</programlisting>
      </blockquote>
    </section>

    <section>
      <title>Policy File</title>

      <blockquote>
        <programlisting>#SOURCE         DESTINATION     POLICY          LOG LEVEL       BURST:LIMIT
fw              fw              ACCEPT
loc             net             ACCEPT
$FW             vpn             ACCEPT
vpn             net             ACCEPT
vpn             loc             ACCEPT
sec             vpn             ACCEPT
vpn             sec             ACCEPT
sec             loc             ACCEPT
loc             sec             ACCEPT
fw              sec             ACCEPT
sec             net             ACCEPT
Wifi            sec             NONE
sec             Wifi            NONE
fw              Wifi            ACCEPT
loc             vpn             ACCEPT
$FW             loc             ACCEPT
$FW             tx              ACCEPT
loc             tx              ACCEPT
loc             fw              REJECT          $LOG
dmz             tx              ACCEPT
net             all             DROP            $LOG            10/sec:40
all             all             REJECT          $LOG
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
      </blockquote>
    </section>

    <section>
      <title>Masq File</title>

      <blockquote>
        <para>Although most of our internal systems use one-to-one NAT, my
        wife's system (192.168.1.4) uses IP Masquerading (actually SNAT) as
        does our laptop (192.168.1.8) and visitors with laptops.</para>

        <para>The first entry allows access to the DSL modem and uses features
        introduced in Shorewall 2.1.1. The leading plus sign ("+_") causes the
        rule to be placed before rules generated by the /etc/shorewall/nat
        file below. The double colons ("::") causes the entry to be exempt
        from ADD_SNAT_ALIASES=Yes in my shorewall.conf file above.</para>

        <programlisting>#INTERFACE              SUBNET          ADDRESS
+$EXT_IF::192.168.1.1      0.0.0.0/0       192.168.1.254
$EXT_IF::                  eth2            206.124.146.176
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
      </blockquote>
    </section>

    <section>
      <title>NAT File</title>

      <blockquote>
        <programlisting>#EXTERNAL       INTERFACE       INTERNAL        ALL INTERFACES          LOCAL
206.124.146.178 eth0:0          192.168.1.5     No                      No
206.124.146.180 eth0:1          192.168.1.7     No                      No
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
      </blockquote>
    </section>

    <section id="ProxyARP">
      <title>Proxy ARP File</title>

      <blockquote>
        <para>I configure the host route to 206.124.146.177 on <filename
        class="devicefile">eth1</filename> in <link
        linkend="debian_interfaces">/etc/network/interfaces</link>.</para>

        <programlisting>#ADDRESS                INTERFACE       EXTERNAL        HAVEROUTE          PERSISTENT
206.124.146.177         eth1            eth0            Yes
192.168.1.1             eth0            eth2            yes # Allow access to DSL modem from the local zone
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
      </blockquote>
    </section>

    <section>
      <title>Tunnels File (Shell variable TEXAS set in
      /etc/shorewall/params)</title>

      <blockquote>
        <programlisting>#TYPE                   ZONE    GATEWAY         GATEWAY ZONE    PORT
gre                     net     $TEXAS
openvpn:1194            net     0.0.0.0/0
openvpn:1194            Wifi    192.168.3.0/24
ipsec                   Wifi    192.168.3.0/24  sec
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
      </blockquote>
    </section>

    <section id="Actions">
      <title>Actions File</title>

      <blockquote>
        <programlisting>#ACTION
Mirrors             #Accept traffic from the Shorewall Mirror sites
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
      </blockquote>
    </section>

    <section>
      <title>action.Mirrors File</title>

      <blockquote>
        <para>The $MIRRORS variable expands to a list of approximately 10 IP
        addresses. So moving these checks into a separate chain reduces the
        number of rules that most net-&gt;dmz traffic needs to
        traverse.</para>

        <programlisting>#TARGET  SOURCE         DEST            PROTO   DEST    SOURCE     ORIGINAL     RATE
#                                               PORT    PORT(S)    DEST         LIMIT
ACCEPT   $MIRRORS                      
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
      </blockquote>
    </section>

    <section>
      <title>/etc/shorewall/action.Reject</title>

      <blockquote>
        <para>This is my common action for the REJECT policy. It is like the
        standard <emphasis role="bold">Reject</emphasis> action except that it
        allows <quote>Ping</quote> and contains one rule that guards against
        log flooding by broken software running in my local zone.</para>

        <programlisting>#TARGET  SOURCE     DEST          PROTO   DEST      SOURCE      RATE         USER/
#                                         PORT(S)   PORT(S)     LIMIT        GROUP
RejectAuth
AllowPing
dropBcast
RejectSMB
DropUPnP
dropNotSyn
DropDNSrep
DROP      loc:eth2:!192.168.1.0/24       #So that my braindead Windows[tm] XP system doesn't flood my log
                                         #with NTP requests with a source address in 16.0.0.0/8 (address of
                                         #its PPTP tunnel to HP).</programlisting>
      </blockquote>
    </section>

    <section>
      <title>Rules File (The shell variables are set in
      /etc/shorewall/params)</title>

      <blockquote>
        <programlisting>##########################################################################################################################################################################
#####
#RESULT         CLIENT(S)                       SERVER(S)               PROTO   PORT(S)                                 CLIENT          ORIGINAL        RATE    USER
#                                                                                                                       PORT(S)         DEST:SNAT               SET
##########################################################################################################################################################################
#####
# Local Network to Internet - Reject attempts by Trojans to call home, direct SMTP and MS Message Service
#
REJECT:$LOG     loc                             net                     tcp     25
REJECT:$LOG     loc                             net                     udp     1025:1031
#
# Stop NETBIOS crap
#
REJECT          loc                             net                     tcp     137,445
REJECT          loc                             net                     udp     137:139
REJECT          sec                             net                     tcp     137,445
REJECT          sec                             net                     udp     137:139
#
# Stop my idiotic XP box from sending to the net with an HP source IP address
#
DROP            loc:!192.168.0.0/22             net
#
# SQUID
#
REDIRECT        loc                             3128                    tcp     80
REDIRECT        sec                             3128                    tcp     80
##########################################################################################################################################################################
#####
# Local Network to Firewall 
#
DROP            loc:!192.168.0.0/22             fw                      # Silently drop traffic with an HP source IP from my XP box
ACCEPT          loc                             fw                      tcp     ssh,time,631,8080
ACCEPT          loc                             fw                      udp     161,ntp,631
DROP            loc                             fw                      tcp     3185          #SuSE Meta pppd
##########################################################################################################################################################################
#####
# Secure wireless to Firewall 
#
ACCEPT          sec                             fw                      tcp     ssh,time,631,8080
ACCEPT          sec                             fw                      udp     161,ntp,631
DROP            sec                             fw                      tcp     3185          #SuSE Meta pppd
##########################################################################################################################################################################
#####
# Roadwarriors to Firewall 
#
ACCEPT          vpn                             fw                      tcp     ssh,time,631,8080
ACCEPT          vpn                             fw                      udp     161,ntp,631
##########################################################################################################################################################################
#####
# Local Network to DMZ
#
DROP            loc:!192.168.0.0/22             dmz
ACCEPT          loc                             dmz                     udp     domain,xdmcp
ACCEPT          loc                             dmz                     tcp     www,smtp,smtps,domain,ssh,imap,https,imaps,cvspserver,ftp,10023,pop3    -
##########################################################################################################################################################################
#####
# Insecure Wireless to DMZ
#
ACCEPT          Wifi                            dmz                     udp     domain
ACCEPT          Wifi                            dmz                     tcp     domain
##########################################################################################################################################################################
#####
# Secure Wireless to DMZ
#
DROP            sec:!192.168.0.0/22             dmz
ACCEPT          sec                             dmz                     udp     domain,xdmcp
ACCEPT          sec                             dmz                     tcp     www,smtp,smtps,domain,ssh,imap,https,imaps,cvspserver,ftp,10023,pop3    -
##########################################################################################################################################################################
#####
# Road Warriors to DMZ
#
ACCEPT          vpn                             dmz                     udp     domain
ACCEPT          vpn                             dmz                     tcp     www,smtp,smtps,domain,ssh,imap,https,imaps,cvspserver,ftp,10023,pop3    -
##########################################################################################################################################################################
#####
# Internet to ALL -- drop NewNotSyn packets
#
dropNotSyn      net             fw              tcp
dropNotSyn      net             loc             tcp
dropNotSyn      net             dmz             tcp

#
# Drop ping to firewall and local
#

DropPing        net             fw
DropPing        net             loc
##########################################################################################################################################################################
#####
# Internet to DMZ 
#
DNAT-           net                             dmz:206.124.146.177     tcp     smtp                                    -               206.124.146.178 
ACCEPT          net                             dmz                     tcp     smtp,smtps,www,ftp,imaps,domain,https,cvspserver        -
ACCEPT          net                             dmz                     udp     domain
ACCEPT          net                             dmz                     udp     33434:33454
Mirrors         net                             dmz                     tcp     rsync
ACCEPT          net:$OMAK                       dmz                     tcp     22      #SSH from Omak
AllowPing       net                             dmz
##########################################################################################################################################################################
#####
#
# Net to Local
#
# When I'm "on the road", the following two rules allow me VPN access back home.
#
DNAT            net                             loc:192.168.1.4         tcp     1723    -
DNAT            net:!$TEXAS                     loc:192.168.1.4         gre     -
ACCEPT          net                             loc:192.168.1.5         tcp     22
#
# ICQ
#
ACCEPT          net                             loc:192.168.1.5         tcp     4000:4100
#
# Real Audio
#
ACCEPT          net                             loc:192.168.1.5         udp     6970:7170
#
# Overnet
#
#ACCEPT         net                             loc:192.168.1.5         tcp     4662
#ACCEPT         net                             loc:192.168.1.5         udp     12112
#
# OpenVPN
#
ACCEPT          net                             loc:192.168.1.5         udp     1194
#
# Silently Handle common probes
#
REJECT          net                             loc                     tcp     www,ftp,https
##########################################################################################################################################################################
#####
# DMZ to Internet
#
ACCEPT          dmz                             net                     tcp     smtp,domain,www,81,https,whois,echo,2702,21,2703,ssh,8080
ACCEPT          dmz                             net                     udp     domain,ntp
REJECT:$LOG     dmz                             net                     udp     1025:1031
ACCEPT          dmz                             net:$POPSERVERS         tcp     pop3
#
# Something is wrong with the FTP connection tracking code or there is some client out there
# that is sending a PORT command which that code doesn't understand. Either way,
# the following works around the problem.
#
ACCEPT:$LOG     dmz                             net                     tcp     1024:                                   20
##########################################################################################################################################################################
#####
# DMZ to Firewall -- ntp &amp; snmp, Silently reject Auth
#
ACCEPT          dmz                             fw                      udp     ntp                                     ntp
ACCEPT          dmz                             fw                      tcp     161,ssh
ACCEPT          dmz                             fw                      udp     161
REJECT          dmz                             fw                      tcp     auth
##########################################################################################################################################################################
#####
# DMZ to Local Network  
#
ACCEPT          dmz                             loc                     tcp     smtp,6001:6010
ACCEPT          dmz:206.124.146.177             loc:192.168.1.5         tcp     111
ACCEPT          dmz:206.124.146.177             loc:192.168.1.5         udp
##########################################################################################################################################################################
#####
# Internet to Firewall
#
REJECT          net                             fw                      tcp     www,ftp,https
ACCEPT          net                             dmz                     udp     33434:33454
ACCEPT          net:$OMAK                       fw                      udp     ntp
ACCEPT          net:$OMAK                       fw                      tcp     22      #SSH from Omak
##########################################################################################################################################################################
#####
# Firewall to Internet
#
ACCEPT          fw                              net:$NTPSERVERS         udp     ntp                                     ntp
#ACCEPT         fw                              net:$POPSERVERS         tcp     pop3
ACCEPT          fw                              net                     udp     domain
ACCEPT          fw                              net                     tcp     domain,www,https,ssh,1723,whois,1863,ftp,2702,2703,7
ACCEPT          fw                              net                     udp     33435:33535
ACCEPT          fw                              net                     icmp
REJECT:$LOG     fw                              net                     udp     1025:1031
DROP            fw                              net                     udp     ntp
##########################################################################################################################################################################
#####
# Firewall to DMZ
#
ACCEPT          fw                              dmz                     tcp     www,ftp,ssh,smtp,993,465
ACCEPT          fw                              dmz                     udp     domain
REJECT          fw                              dmz                     udp     137:139
##########################################################################################################################################################################
#####
ACCEPT          tx                              loc:192.168.1.5         all
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
      </blockquote>
    </section>

    <section id="debian_interfaces">
      <title>/etc/network/interfaces</title>

      <para>This file is Debian-specific and defines the configuration of the
      network interfaces.</para>

      <blockquote>
        <programlisting># The loopback network interface
auto lo
iface lo inet loopback

# DMZ interface -- After the interface is up, add a route to the server. This allows the 'Yes' setting
#                  in the HAVEROUTE column of /etc/shorewall/proxyarp above.

auto eth1
iface eth1 inet static
        address 206.124.146.176
        netmask 255.255.255.255
        broadcast 0.0.0.0
        up ip route add 206.124.146.177 dev eth1

# Internet interface -- After the interface is up, add a route to the Westell 2200 DSL "Modem"

auto eth2
iface eth2 inet static
        address 206.124.146.176
        netmask 255.255.255.0
        gateway 206.124.146.254
        up ip route add 192.168.1.1 dev eth2

# Wireless interface

auto eth0
iface eth0 inet static
        address 192.168.3.254
        netmask 255.255.255.0

# LAN interface

auto eth3
iface eth3 inet static
        address 192.168.1.254
        netmask 255.255.255.0</programlisting>
      </blockquote>
    </section>

    <section>
      <title>/etc/ulogd.conf</title>

      <para>This is the default /etc/ulogd.conf from the Debian package. Only
      the relevant entries are shown.</para>

      <blockquote>
        <programlisting># where to write to
syslogfile /var/log/ulog/syslogemu.log
# do we want to fflush() the file after each write?
syslogsync 1</programlisting>
      </blockquote>
    </section>

    <section>
      <title>/etc/racoon/racoon.conf</title>

      <blockquote>
        <programlisting>        path certificate "/etc/certs" ;

        listen
        {
                isakmp 206.124.146.176;
                isakmp 192.168.3.254;
        }

        remote anonymous
        {
                exchange_mode main ;
                generate_policy on ;
                passive on ;
                certificate_type x509 "gateway.pem" "gateway_key.pem";
                verify_cert on;
                my_identifier asn1dn ;
                peers_identifier asn1dn ;
                verify_identifier on ;
                lifetime time 24 hour ;
                proposal {
                        encryption_algorithm blowfish;
                        hash_algorithm sha1;
                        authentication_method rsasig ;
                        dh_group 2 ;
                }
        }

        sainfo anonymous
        {
                pfs_group 2;
                lifetime time 12 hour ;
                encryption_algorithm blowfish, 3des;
                authentication_algorithm hmac_sha1, hmac_md5 ;
                compression_algorithm deflate ;
        }</programlisting>
      </blockquote>
    </section>

    <section>
      <title>/etc/racoon/setkey.conf</title>

      <blockquote>
        <programlisting># First of all flush the SAD and SPD databases

flush;
spdflush;

# Add some SPD rules

spdadd 0.0.0.0/0          192.168.3.8/32     any -P out ipsec esp/tunnel/192.168.3.254-192.168.3.8/require;
spdadd 192.168.3.8/32     0.0.0.0/0          any -P in  ipsec esp/tunnel/192.168.3.8-192.168.3.254/require;</programlisting>
      </blockquote>
    </section>
  </section>

  <section>
    <title>Tipper Configuration while at Home</title>

    <para>This laptop is either configured on our wireless network
    (192.168.3.8) or as a standalone system on the road. While this system is
    connected via our wireless network, it uses IPSEC tunnel mode for all
    access.</para>

    <note>
      <para>Given that I use OpenVPN for remote access, it would be more
      convenient to also use it for wireless access at home. I use IPSEC just
      so that I always have a working IPSEC testbed.</para>
    </note>

    <para>Tipper's view of the world is shown in the following diagram:</para>

    <graphic align="center" fileref="images/network2.png" valign="middle" />

    <para>The key configuration files are shown in the following
    sections.</para>

    <section>
      <title>zones</title>

      <blockquote>
        <programlisting>#ZONE   DISPLAY         COMMENTS
home    Home            Shorewall Network
net     Net             Internet
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
</programlisting>
      </blockquote>
    </section>

    <section>
      <title>policy</title>

      <blockquote>
        <programlisting>#SOURCE         DEST            POLICY          LOG LEVEL       LIMIT:BURST
fw              net             ACCEPT
fw              home            ACCEPT
home            fw              ACCEPT
net             home            NONE
home            net             NONE
net             all             DROP            info
# The FOLLOWING POLICY MUST BE LAST
all             all             REJECT          info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
      </blockquote>
    </section>

    <section>
      <title>interfaces</title>

      <blockquote>
        <programlisting>#ZONE   INTERFACE       BROADCAST       OPTIONS
net     eth0            detect          dhcp,tcpflags
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
      </blockquote>
    </section>

    <section>
      <title>ipsec</title>

      <blockquote>
        <programlisting>#ZONE   IPSEC   OPTIONS                 IN                      OUT
#       ONLY                            OPTIONS                 OPTIONS
home    yes     mode=tunnel
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
      </blockquote>
    </section>

    <section>
      <title>hosts</title>

      <blockquote>
        <programlisting>#ZONE           HOST(S)                         OPTIONS
home            eth0:0.0.0.0/0
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE</programlisting>
      </blockquote>
    </section>

    <section>
      <title>rules</title>

      <blockquote>
        <programlisting>#ACTION         SOURCE                  DEST    PROTO   DEST    SOURCE  ORIGINAL        RATE    USER/
#                                                       PORT    PORT(S) DEST            LIMIT   GROUP
ACCEPT          net                     fw      icmp    8
ACCEPT          net                     fw      tcp     22
ACCEPT          net                     fw      tcp     4000:4100
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
      </blockquote>
    </section>

    <section>
      <title>/etc/racoon/setkey.conf</title>

      <blockquote>
        <programlisting>flush;
spdflush;

# Policies for while we're connected via Wireless at home

spdadd 192.168.3.8/32     192.168.3.8/32     any -P in  none;
spdadd 192.168.3.8/32     192.168.3.8/32     any -P out none;
spdadd 127.0.0.0/8        127.0.0.0/8        any -P in  none;
spdadd 127.0.0.0/8        127.0.0.0/8        any -P out none;
spdadd 0.0.0.0/0          192.168.3.8/32     any -P in  ipsec esp/tunnel/192.168.3.254-192.168.3.8/require;
spdadd 192.168.3.8/32     0.0.0.0/0          any -P out ipsec esp/tunnel/192.168.3.8-192.168.3.254/require;
</programlisting>
      </blockquote>
    </section>

    <section>
      <title>/etc/racoon/racoon.conf</title>

      <blockquote>
        <programlisting>path certificate "/etc/certs";

listen
{
        isakmp 192.168.3.8;
}

remote 192.168.3.254
{
        exchange_mode main ;
        certificate_type x509 "tipper.pem" "tipper_key.pem";
        verify_cert on;
        my_identifier asn1dn ;
        peers_identifier asn1dn ;
        verify_identifier on ;
        lifetime time 24 hour ;
        proposal {
                encryption_algorithm blowfish ;
                hash_algorithm sha1;
                authentication_method rsasig ;
                dh_group 2 ;
        }
}

sainfo address 192.168.3.8/32 any address 0.0.0.0/0 any
{
        pfs_group 2;
        lifetime time 12 hour ;
        encryption_algorithm blowfish ;
        authentication_algorithm hmac_sha1, hmac_md5 ;
        compression_algorithm deflate ;
}</programlisting>
      </blockquote>
    </section>
  </section>

  <section>
    <title>Tipper Configuration on the Road</title>

    <para>When Tipper is on the road, it's world view is the same as in the
    diagram above.</para>

    <section>
      <title>zones</title>

      <blockquote>
        <programlisting>#ZONE   DISPLAY         COMMENTS
home    Home            Shorewall Network
net     Net             Internet
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
</programlisting>
      </blockquote>
    </section>

    <section>
      <title>policy</title>

      <blockquote>
        <programlisting>#SOURCE         DEST            POLICY          LOG LEVEL       LIMIT:BURST
fw              net             ACCEPT
fw              home            ACCEPT
home            fw              ACCEPT
net             home            NONE
home            net             NONE
net             all             DROP            info
# The FOLLOWING POLICY MUST BE LAST
all             all             REJECT          info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
      </blockquote>
    </section>

    <section>
      <title>interfaces</title>

      <blockquote>
        <programlisting>#ZONE   INTERFACE       BROADCAST       OPTIONS
net     eth0            detect          dhcp,tcpflags
home    tun0            -
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
      </blockquote>
    </section>

    <section>
      <title>rules</title>

      <blockquote>
        <programlisting>#ACTION         SOURCE                  DEST    PROTO   DEST    SOURCE  ORIGINAL        RATE    USER/
#                                                       PORT    PORT(S) DEST            LIMIT   GROUP
ACCEPT          net                     fw      icmp    8
ACCEPT          net                     fw      tcp     22
ACCEPT          net                     fw      tcp     4000:4100
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
      </blockquote>
    </section>

    <section>
      <title>/etc/openvpn/home.conf</title>

      <blockquote>
        <programlisting>dev tun
remote ursa.shorewall.net
up /etc/openvpn/home.up
 
tls-client
pull
 
ca /etc/certs/cacert.pem
 
cert /etc/certs/tipper.pem
key /etc/certs/tipper_key.pem
 
port 1194
 
user nobody
group nogroup
 
comp-lzo
 
ping 15
ping-restart 45
ping-timer-rem
persist-tun
persist-key
 
verb 3</programlisting>
      </blockquote>
    </section>

    <section>
      <title>/etc/openvpn/home.up</title>

      <blockquote>
        <programlisting>#!/bin/bash
 
ip route add 192.168.1.0/24 via $5     #Access to Home Network
ip route add 206.124.146.177/32 via $5 #So that DNS names will resolve in my
                                       #Internal Bind 9 view because the source IP will
                                       #be in 192.168.2.0/24</programlisting>
      </blockquote>
    </section>
  </section>
</article>