shorewall_code/Shorewall-docs2/myfiles.xml

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<article>
  <!--$Id$-->

  <articleinfo>
    <title>About My Network</title>

    <authorgroup>
      <author>
        <firstname>Tom</firstname>

        <surname>Eastep</surname>
      </author>
    </authorgroup>

    <pubdate>2004-12-18</pubdate>

    <copyright>
      <year>2001-2004</year>

      <holder>Thomas M. Eastep</holder>
    </copyright>

    <legalnotice>
      <para>Permission is granted to copy, distribute and/or modify this
      document under the terms of the GNU Free Documentation License, Version
      1.2 or any later version published by the Free Software Foundation; with
      no Invariant Sections, with no Front-Cover, and with no Back-Cover
      Texts. A copy of the license is included in the section entitled
      <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
      License</ulink></quote>.</para>
    </legalnotice>
  </articleinfo>

  <section>
    <title>My Current Network</title>

    <caution>
      <para>I use a combination of One-to-one NAT and Proxy ARP, neither of
      which are relevant to a simple configuration with a single public IP
      address. If you have just a single public IP address, most of what you
      see here won't apply to your setup so beware of copying parts of this
      configuration and expecting them to work for you. What you copy may or
      may not work for you.</para>
    </caution>

    <caution>
      <para>The configuration shown here corresponds to Shorewall version
      2.1.12. My configuration uses features not available in earlier
      Shorewall releases.</para>
    </caution>

    <para>I have DSL service and have 5 static IP addresses
    (206.124.146.176-180). My DSL <quote>modem</quote> (Westell 2200 running
    in Bridge mode) is connected to eth1 and has IP address 192.168.1.1
    (factory default). The modem is configured in <quote>bridge</quote> mode
    so PPPoE is not involved. I have a local network connected to eth0 (subnet
    192.168.1.0/24) and a DMZ connected to eth2 (206.124.146.176/32). Note
    that I configure the same IP address on both <filename
    class="devicefile">eth1</filename> and <filename
    class="devicefile">eth2</filename>.</para>

    <para>In this configuration:</para>

    <itemizedlist>
      <listitem>
        <para>I use one-to-one NAT for Ursa (my personal system that run SuSE
        9.2) - Internal address 192.168.1.5 and external address
        206.124.146.178.</para>
      </listitem>

      <listitem>
        <para>I use one-to-one NAT for EastepLaptop (My work system -- Windows
        XP SP1). Internal address 192.168.1.7 and external address
        206.124.146.180.</para>
      </listitem>

      <listitem>
        <para>I use SNAT through 206.124.146.176 for&nbsp;my Wife's Windows XP
        system <quote>Tarry</quote>, and our&nbsp; dual-booting (SuSE
        9.2/Windows XP) laptop <quote>Tipper</quote> which connects through
        the Wireless Access Point (wap) via a Wireless Bridge (wet).<note>
            <para>While the distance between the WAP and where I usually use
            the laptop isn't very far (50 feet or so), using a WAC11 (CardBus
            wireless card) has proved very unsatisfactory (lots of lost
            connections). By replacing the WAC11 with the WET11 wireless
            bridge, I have virtually eliminated these problems (Being an old
            radio tinkerer (K7JPV), I was also able to eliminate the
            disconnects by hanging a piece of aluminum foil on the family room
            wall. Needless to say, my wife Tarry rejected that as a permanent
            solution :-).</para>
          </note></para>
      </listitem>
    </itemizedlist>

    <itemizedlist>
      <listitem>
        <para>I have Ursa (192.168.1.5/192.168.3.254/206.124.146.178)
        configured as an IPSEC gateway for the Wireless network.</para>
      </listitem>

      <listitem>
        <para>Squid runs on the firewall and is configured as a transparent
        proxy.</para>
      </listitem>
    </itemizedlist>

    <para>The firewall runs on a P-II/233 with Debian Sarge (testing).</para>

    <para>Ursa runs Samba for file sharing with the Windows systems and is
    configured as a Wins server.</para>

    <para>The wireless network connects to Ursa's eth1 via a LinkSys
    WAP11.&nbsp; In additional to using the rather weak WEP 40-bit encryption
    (64-bit with the 24-bit preamble), I use <ulink
    url="MAC_Validation.html">MAC verification</ulink> and <ulink
    url="IPSEC-2.6.html">Kernel 2.6 IPSEC</ulink>.</para>

    <para>The single system in the DMZ (address 206.124.146.177) runs postfix,
    Courier IMAP (imaps and pop3), DNS, a Web server (Apache) and an FTP
    server (Pure-ftpd) under Fedora Core 3. The system also runs fetchmail to
    fetch our email from our old and current ISPs. That server is managed
    through Proxy ARP.</para>

    <para>The firewall system itself runs a DHCP server that serves the local
    network.</para>

    <para>I have one system (Roadwarrior, 206.124.146.179) outside the
    firewall. This system, which runs Debian Sarge (testing) is used for
    roadwarrior IPSEC testing and for checking my firewall "from the
    outside".</para>

    <para>All administration and publishing is done using ssh/scp. I have a
    desktop environment installed on the firewall but I am not usually logged
    in to it. X applications tunnel through SSH to Ursa. The server also has a
    desktop environment installed and that desktop environment is available
    via XDMCP from the local zone. For the most part though, X tunneled
    through SSH is used for server administration and the server runs at run
    level 3 (multi-user console mode on Fedora).</para>

    <para>I run an SNMP server on my firewall to serve <ulink
    url="http://www.ee.ethz.ch/~oetiker/webtools/mrtg/">MRTG</ulink> running
    in the DMZ.</para>

    <para>The ethernet interface in the Server is configured with IP address
    206.124.146.177, netmask 255.255.255.0. The server's default gateway is
    206.124.146.254 (Router at my ISP. This is the same default gateway used
    by the firewall itself). On the firewall, an entry in my
    /etc/network/interfaces file (see below) adds a host route to
    206.124.146.177 through eth1 when that interface is brought up.</para>

    <para>Tarry (192.168.1.4) runs a PPTP server for Road Warrior access from
    my work laptop and the Firewall is configured with IPSEC for tunnel mode
    access from our second home in <ulink
    url="http://www.omakchamber.com/">Omak, Washington</ulink>.</para>

    <para><graphic align="center" fileref="images/network.png" /></para>
  </section>

  <section>
    <title>Firewall Configuration</title>

    <section>
      <title>Shorewall.conf</title>

      <blockquote>
        <programlisting>LOGFILE=/var/log/messages
LOGFORMAT="Shorewall:%s:%s "
LOGRATE=
LOGBURST=
LOGUNCLEAN=$LOG
BLACKLIST_LOGLEVEL=
LOGNEWNOTSYN=$LOG
MACLIST_LOG_LEVEL=$LOG
TCP_FLAGS_LOG_LEVEL=$LOG
RFC1918_LOG_LEVEL=$LOG
SMURF_LOG_LEVEL=
IPTABLES=
PATH=/usr/local/sbin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin
SHOREWALL_SHELL=/bin/dash
SUBSYSLOCK=
STATEDIR=/var/state/shorewall
MODULESDIR=
CONFIG_PATH=/etc/shorewall:/etc/shorewall/actiondir:/usr/share/shorewall
RESTOREFILE=standard
FW=fw
IP_FORWARDING=On
ADD_IP_ALIASES=Yes
ADD_SNAT_ALIASES=Yes
RETAIN_ALIASES=Yes
TC_ENABLED=Yes
CLEAR_TC=Yes
MARK_IN_FORWARD_CHAIN=No
CLAMPMSS=Yes
ROUTE_FILTER=No
DETECT_DNAT_IPADDRS=Yes
MUTEX_TIMEOUT=60
NEWNOTSYN=Yes
BLACKLISTNEWONLY=Yes
DELAYBLACKLISTLOAD=Yes
DYNAMIC_ZONES=No
DISABLE_IPV6=Yes
PKTTYPE=No
BLACKLIST_DISPOSITION=DROP
MACLIST_DISPOSITION=REJECT
TCP_FLAGS_DISPOSITION=DROP</programlisting>
      </blockquote>
    </section>

    <section>
      <title>Params File (Edited)</title>

      <blockquote>
        <para><programlisting>MIRRORS=&lt;list of shorewall mirror ip addresses&gt;
NTPSERVERS=&lt;list of the NTP servers I sync with&gt;
TEXAS=&lt;ip address of gateway in Plano&gt;
OMAK=64.139.97.48
LOG=info
EXT_IF=eth1
INT_IF=eth2
DMZ_IF=eth0</programlisting></para>
      </blockquote>
    </section>

    <section>
      <title>Zones File</title>

      <blockquote>
        <programlisting>#ZONE   DISPLAY         COMMENTS
net     Internet        Internet
dmz     DMZ             Demilitarized zone
loc     Local           Local networks
omak    Omak            Our Laptop in Omak
tx      Texas           Peer Network in Dallas
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
</programlisting>
      </blockquote>
    </section>

    <section>
      <title>Interfaces File</title>

      <blockquote>
        <para>This is set up so that I can start the firewall before bringing
        up my Ethernet interfaces.</para>

        <programlisting>#ZONE   INTERFACE BROADCAST       OPTIONS
net     $EXT_IF 206.124.146.255 dhcp,norfc1918,routefilter,logmartians,blacklist,tcpflags,nosmurfs
loc     $INT_IF detect          dhcp
dmz     $DMZ_IF -
-       texas   -
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
      </blockquote>
    </section>

    <section>
      <title>Hosts File</title>

      <blockquote>
        <programlisting>#ZONE           HOST(S)                 OPTIONS
tx              texas:192.168.8.0/22
omak            $EXT_IF:$OMAK
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
      </blockquote>
    </section>

    <section>
      <title>Ipsec File</title>

      <blockquote>
        <programlisting>#ZONE   IPSEC   OPTIONS                 IN                      OUT
#       ONLY                            OPTIONS                 OPTIONS
omak    yes     mode=tunnel
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
</programlisting>
      </blockquote>
    </section>

    <section>
      <title>Routestopped File</title>

      <blockquote>
        <programlisting>#INTERFACE      HOST(S)
$DMZ_IF         206.124.146.177
$INT_IF         -
$EXT_IF         $OMAK
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
      </blockquote>
    </section>

    <section>
      <title>Blacklist File (Partial)</title>

      <blockquote>
        <programlisting>#ADDRESS/SUBNET         PROTOCOL        PORT
0.0.0.0/0               udp             1434
0.0.0.0/0               tcp             1433
0.0.0.0/0               tcp             3127
0.0.0.0/0               tcp             8081
0.0.0.0/0               tcp             57
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
      </blockquote>
    </section>

    <section>
      <title>RFC1918 File</title>

      <blockquote>
        <para>Because my DSL modem has an RFC 1918 address (192.168.1.1) and
        is connected to eth0, I need to make an exception for that address in
        my rfc1918 file. I copied /usr/share/shorewall/rfc1918 to
        /etc/shorewall/rfc1918 and changed it as follows:</para>

        <programlisting>#SUBNET           TARGET
<emphasis role="bold">192.168.1.1    RETURN</emphasis>
172.16.0.0/12     logdrop        # RFC 1918
192.168.0.0/16    logdrop        # RFC 1918
10.0.0.0/8        logdrop        # RFC 1918
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
</programlisting>
      </blockquote>
    </section>

    <section>
      <title>Policy File</title>

      <blockquote>
        <programlisting>#SOURCE         DESTINATION     POLICY          LOG LEVEL       BURST:LIMIT
fw              fw              ACCEPT
loc             net             ACCEPT
omak            fw              ACCEPT
fw              omak            ACCEPT
omak            loc             ACCEPT
loc             omak            ACCEPT
omak            net             NONE
net             omak            NONE
omak            dmz             NONE
dmz             omak            NONE
omak            tx              NONE
tx              omak            NONE
$FW             loc             ACCEPT
$FW             tx              ACCEPT
loc             tx              ACCEPT
loc             fw              REJECT          $LOG
dmz             tx              ACCEPT
net             all             DROP            $LOG            10/sec:40
all             all             REJECT          $LOG
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
      </blockquote>
    </section>

    <section>
      <title>Masq File</title>

      <blockquote>
        <para>Although most of our internal systems use one-to-one NAT, my
        wife's system (192.168.1.4) uses IP Masquerading (actually SNAT) as
        does our laptop (192.168.1.8) and visitors with laptops.</para>

        <para>The first entry allows access to the DSL modem and uses features
        introduced in Shorewall 2.1.1. The leading plus sign ("+_") causes the
        rule to be placed before rules generated by the /etc/shorewall/nat
        file below. The double colons ("::") causes the entry to be exempt
        from ADD_SNAT_ALIASES=Yes in my shorewall.conf file above.</para>

        <programlisting>#INTERFACE              SUBNET          ADDRESS
+$EXT_IF::192.168.1.1      0.0.0.0/0       192.168.1.254
$EXT_IF:2                  eth2            206.124.146.176
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
      </blockquote>
    </section>

    <section>
      <title>NAT File</title>

      <blockquote>
        <programlisting>#EXTERNAL       INTERFACE       INTERNAL        ALL INTERFACES          LOCAL
206.124.146.178 eth0:0          192.168.1.5     No                      No
206.124.146.180 eth0:1          192.168.1.7     No                      No
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
      </blockquote>
    </section>

    <section id="ProxyARP">
      <title>Proxy ARP File</title>

      <blockquote>
        <para>I configure the host route to 206.124.146.177 on <filename
        class="devicefile">eth1</filename> using the Yast2 Network Interface
        tool; the <quote>Gateway</quote> is specified as 0.0.0.0 which
        indicates that the host is directly attached to the LAN on that
        interface.</para>

        <programlisting>#ADDRESS                INTERFACE       EXTERNAL        HAVEROUTE          PERSISTENT
206.124.146.177         eth1            eth0            Yes
192.168.1.1             eth0            eth2            yes # Allow access to DSL modem from the local zone
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
      </blockquote>
    </section>

    <section>
      <title>Tunnels File (Shell variables TEXAS and OMAK set in
      /etc/shorewall/params)</title>

      <blockquote>
        <programlisting>#TYPE                   ZONE    GATEWAY         GATEWAY ZONE    PORT
gre                     net     $TEXAS
ipsec:noah              net     $OMAK           omak
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
      </blockquote>
    </section>

    <section id="Actions">
      <title>Actions File</title>

      <blockquote>
        <programlisting>#ACTION
Mirrors             #Accept traffic from the Shorewall Mirror sites
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
      </blockquote>
    </section>

    <section>
      <title>action.Mirrors File</title>

      <blockquote>
        <para>The $MIRRORS variable expands to a list of approximately 10 IP
        addresses. So moving these checks into a separate chain reduces the
        number of rules that most net-&gt;dmz traffic needs to
        traverse.</para>

        <programlisting>#TARGET  SOURCE         DEST            PROTO   DEST    SOURCE     ORIGINAL     RATE
#                                               PORT    PORT(S)    DEST         LIMIT
ACCEPT   $MIRRORS                      
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
      </blockquote>
    </section>

    <section>
      <title>/etc/shorewall/action.Reject</title>

      <blockquote>
        <para>This is my common action for the REJECT policy. It is like the
        standard <emphasis role="bold">Reject</emphasis> action except that it
        allows <quote>Ping</quote> and contains one rule that guards against
        log flooding by broken software running in my local zone.</para>

        <programlisting>#TARGET  SOURCE     DEST          PROTO   DEST      SOURCE      RATE         USER/
#                                         PORT(S)   PORT(S)     LIMIT        GROUP
RejectAuth
AllowPing
dropBcast
RejectSMB
DropUPnP
dropNotSyn
DropDNSrep
DROP      loc:eth2:!192.168.1.0/24       #So that my braindead Windows[tm] XP system doesn't flood my log
                                         #with NTP requests with a source address in 16.0.0.0/8 (address of
                                         #its PPTP tunnel to HP).</programlisting>
      </blockquote>
    </section>

    <section>
      <title>/etc/racoon/setkey.conf</title>

      <blockquote>
        <para>This defines the policies for encryption to/from our second
        home.</para>

        <programlisting>flush;
spdflush;

spdadd 192.168.1.0/24     64.139.97.48/32     any -P out ipsec esp/tunnel/206.124.146.176-64.139.97.48/require;
spdadd 64.139.97.48/32    192.168.1.0/24      any -P in  ipsec esp/tunnel/64.139.97.48-206.124.146.176/require;
spdadd 64.139.97.48/32    206.124.146.176/32  any -P in  ipsec esp/tunnel/64.139.97.48-206.124.146.176/require;
spdadd 206.124.146.176/32 64.139.97.48/32     any -P out ipsec esp/tunnel/206.124.146.176-64.139.97.48/require;
</programlisting>
      </blockquote>
    </section>

    <section>
      <title>/etc/racoon/racoon.conf</title>

      <blockquote>
        <para>SA parameters for communication with our second home.</para>

        <programlisting> path certificate "/etc/certs" ;
 listen
 {
         isakmp 206.124.146.176;
 }
 
remote 64.139.97.48
{
        exchange_mode main ;
        certificate_type x509 "gateway.pem" "gateway_key.pem";
        verify_cert on;
        my_identifier asn1dn ;
        peers_identifier asn1dn ;
        verify_identifier on ;
        lifetime time 24 hour ;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method rsasig ;
                dh_group 2 ;
        }
}

sainfo address 192.168.1.0/24 any address 64.139.97.48/32 any
{
        pfs_group 2;
        lifetime time 12 hour ;
        encryption_algorithm 3des, blowfish, des, rijndael ;
        authentication_algorithm hmac_sha1, hmac_md5 ;
        compression_algorithm deflate ;
}

sainfo address 206.124.146.176/32 any address 64.139.97.48/32 any
{
        pfs_group 2;
        lifetime time 12 hour ;
        encryption_algorithm 3des, blowfish, des, rijndael ;
        authentication_algorithm hmac_sha1, hmac_md5 ;
        compression_algorithm deflate ;
}
</programlisting>
      </blockquote>
    </section>

    <section>
      <title>Rules File (The shell variables are set in
      /etc/shorewall/params)</title>

      <blockquote>
        <programlisting>###############################################################################################################################################################################
#RESULT         CLIENT(S)                       SERVER(S)               PROTO   PORT(S)                                 CLIENT          ORIGINAL        RATE    USER
#                                                                                                                       PORT(S)         DEST:SNAT               SET
###############################################################################################################################################################################
# Local Network to Internet - Reject attempts by Trojans to call home, direct SMTP and MS Message Service
#
REJECT:$LOG     loc                             net                     tcp     6667,25
REJECT:$LOG     loc                             net                     udp     1025:1031
#
# Stop NETBIOS crap
#
REJECT          loc                             net                     tcp     137,445
REJECT          loc                             net                     udp     137:139
#
# Stop my idiotic XP box from sending to the net with an HP source IP address
#
DROP            loc:!192.168.0.0/22             net
#
# SQUID
#
REDIRECT        loc                             3128                    tcp     80
###############################################################################################################################################################################
# Local Network to Firewall
#
DROP            loc:!192.168.0.0/22             fw                      # Silently drop traffic with an HP source IP from my XP box
ACCEPT          loc                             fw                      tcp     ssh,time
ACCEPT          loc                             fw                      udp     161,ntp
###############################################################################################################################################################################
# Local Network to DMZ
#
DROP            loc:!192.168.0.0/22             dmz
ACCEPT          loc                             dmz                     udp     domain,xdmcp
ACCEPT          loc                             dmz                     tcp     www,smtp,smtps,domain,ssh,imap,https,imaps,cvspserver,ftp,10027,pop3    -
###############################################################################################################################################################################
# Internet to ALL -- drop NewNotSyn packets
#
dropNotSyn      net             fw              tcp
dropNotSyn      net             loc             tcp
dropNotSyn      net             dmz             tcp

#
# Drop ping to firewall and local
#

DropPing        net             fw
DropPing        net             loc
###############################################################################################################################################################################
# Internet to DMZ
#
DNAT-           net                             dmz:206.124.146.177     tcp     smtp                                    -               206.124.146.178
ACCEPT          net                             dmz                     tcp     smtp,smtps,www,ftp,imaps,domain,https,cvspserver        -
ACCEPT          net                             dmz                     udp     domain
ACCEPT          net                             dmz                     udp     33434:33436
Mirrors         net                             dmz                     tcp     rsync
ACCEPT          net:$OMAK                       dmz                     tcp     22      #SSH from Omak
AllowPing       net                             dmz
###############################################################################################################################################################################
#
# Net to Local
#
# When I'm "on the road", the following two rules allow me VPN access back home.
#
DNAT            net                             loc:192.168.1.4         tcp     1723    -
DNAT            net:!$TEXAS                     loc:192.168.1.4         gre     -
ACCEPT          net                             loc:192.168.1.5         tcp     22
#
# ICQ
#
ACCEPT          net                             loc:192.168.1.5         tcp     4000:4100
#
# Real Audio
#
ACCEPT          net                             loc:192.168.1.5         udp     6970:7170
#
# Overnet
#
#ACCEPT         net                             loc:192.168.1.5         tcp     4662
#ACCEPT         net                             loc:192.168.1.5         udp     12112
#
# Silently Handle common probes
#
REJECT          net                             loc                     tcp     www,ftp,https
###############################################################################################################################################################################
# DMZ to Internet
#
ACCEPT          dmz                             net                     tcp     smtp,domain,www,81,https,whois,echo,2702,21,2703,ssh,8080
ACCEPT          dmz                             net                     udp     domain
REJECT:$LOG     dmz                             net                     udp     1025:1031
ACCEPT          dmz                             net:$POPSERVERS         tcp     pop3
#
# Something is wrong with the FTP connection tracking code or there is some client out there
# that is sending a PORT command which that code doesn't understand. Either way,
# the following works around the problem.
#
ACCEPT:$LOG     dmz                             net                     tcp     1024:                                   20
###############################################################################################################################################################################
# DMZ to Firewall -- ntp &amp; snmp, Silently reject Auth
#
ACCEPT          dmz                             fw                      udp     ntp                                     ntp
ACCEPT          dmz                             fw                      tcp     161,ssh
ACCEPT          dmz                             fw                      udp     161
REJECT          dmz                             fw                      tcp     auth
###############################################################################################################################################################################
# DMZ to Local Network
#
ACCEPT          dmz                             loc                     tcp     smtp,6001:6010
ACCEPT          dmz:206.124.146.177             loc:192.168.1.5         tcp     111
ACCEPT          dmz:206.124.146.177             loc:192.168.1.5         udp
###############################################################################################################################################################################
# Internet to Firewall
#
REJECT          net                             fw                      tcp     www,ftp,https
ACCEPT          net                             dmz                     udp     33434:33435
###############################################################################################################################################################################
# Firewall to Internet
#
ACCEPT          fw                              net:$NTPSERVERS         udp     ntp                                     ntp
#ACCEPT         fw                              net:$POPSERVERS         tcp     pop3
ACCEPT          fw                              net                     udp     domain
ACCEPT          fw                              net                     tcp     domain,www,https,ssh,1723,whois,1863,ftp,2702,2703,7
ACCEPT          fw                              net                     udp     33435:33535
ACCEPT          fw                              net                     icmp
REJECT:$LOG     fw                              net                     udp     1025:1031
DROP            fw                              net                     udp     ntp
###############################################################################################################################################################################
# Firewall to DMZ
#
ACCEPT          fw                              dmz                     tcp     www,ftp,ssh,smtp
ACCEPT          fw                              dmz                     udp     domain
REJECT          fw                              dmz                     udp     137:139
###############################################################################################################################################################################
ACCEPT          tx                              loc:192.168.1.5         all
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
</programlisting>
      </blockquote>
    </section>

    <section>
      <title>/etc/network/interfaces</title>

      <para>This file is Debian-specific and defines the configuration of the
      network interfaces.</para>

      <blockquote>
        <programlisting># The loopback network interface

auto lo
iface lo inet loopback

# DMZ interface -- after the interface is up, add a host route to the server. This allows 'Yes' in the
#                  HAVEROUTE column of the /etc/shorewall/proxyarp file. Note that the DMZ interface has
#                  the same IP address as the Internet interface but has no broadcast address or network.

auto eth0
iface eth0 inet static
	address 206.124.146.176
	netmask 255.255.255.255
	broadcast 0.0.0.0
	up ip route add 206.124.146.177 dev eth0

# Internet interface -- after the interface is up, add a host route to the DSL 'Modem' (Westell 2200).

auto eth1
iface eth1 inet static
	address 206.124.146.176
	netmask 255.255.255.0
	gateway 206.124.146.254
	up ip route add 192.168.1.1 dev eth1

# Local LAN interface -- after the interface is up, add a net route to the Wireless network through 'Ursa'.

auto eth2
iface eth2 inet static
	address 192.168.1.254
	netmask 255.255.255.0
	up ip route add 192.168.3.0/24 via 192.168.1.5
</programlisting>
      </blockquote>
    </section>
  </section>

  <section>
    <title>Wireless IPSEC Gateway (Ursa) Configuration</title>

    <para>As mentioned above, Ursa acts as an IPSEC gateway for the wireless
    network. It's view of the network is diagrammed in the following
    figure.</para>

    <graphic align="center" fileref="images/network1.png" valign="middle" />

    <para>I've included the files that I used to configure that system.</para>

    <section>
      <title>zones</title>

      <blockquote>
        <para>Because <emphasis role="bold">loc</emphasis> is a sub-zone of
        <emphasis role="bold">net</emphasis>, <emphasis
        role="bold">loc</emphasis> must be defined first.</para>

        <programlisting>#ZONE   DISPLAY         COMMENTS
loc     Local           Local networks
net     Internet        The Big Bad Internet
WiFi    Wireless        Wireless Network
sec     Secure          Secure Wireless Network
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
</programlisting>
      </blockquote>
    </section>

    <section>
      <title>policy</title>

      <blockquote>
        <programlisting>#SOURCE         DEST            POLICY          LOG             LIMIT:BURST
loc             fw              ACCEPT
loc             net             NONE
loc             sec             ACCEPT
net             fw              ACCEPT
net             loc             NONE
net             sec             ACCEPT
sec             fw              ACCEPT
sec             loc             ACCEPT
sec             net             ACCEPT
fw              loc             ACCEPT
fw              net             ACCEPT
fw              sec             ACCEPT
fw              WiFi            ACCEPT
sec             WiFi            NONE
WiFi            sec             NONE
all             all             REJECT          info
#LAST LINE -- DO NOT REMOVE</programlisting>

        <blockquote>
          <para></para>
        </blockquote>
      </blockquote>
    </section>

    <section>
      <title>interfaces</title>

      <blockquote>
        <programlisting>#ZONE    INTERFACE      BROADCAST       OPTIONS
net     eth0            192.168.1.255   dhcp,nobogons,blacklist
WiFi    eth1            192.168.3.255   nobogons,blacklist,maclist,routeback
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
      </blockquote>
    </section>

    <section>
      <title>ipsec</title>

      <blockquote>
        <para>The mss=1400 in the OUT OPTIONS of the 'net' zone uses a feature
        added in 2.1.12 and sets the MSS field in TCP SYN packets forwarded to
        the 'net' zone to 1400. This works around a problem whereby ICMP
        fragmentation-needed packets are being dropped somewhere between my
        main firewall and the IMAP server at my work.</para>

        <programlisting>#ZONE   IPSEC   OPTIONS                 IN                      OUT
#       ONLY                            OPTIONS                 OPTIONS
sec     yes     mode=tunnel             
net     no      -                       -                       <emphasis
            role="bold">mss=1400</emphasis>
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
</programlisting>
      </blockquote>
    </section>

    <section>
      <title>hosts</title>

      <blockquote>
        <programlisting>#ZONE           HOST(S)                         OPTIONS
sec             eth1:0.0.0.0/0                  routeback
loc             eth0:192.168.1.0/24
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE</programlisting>
      </blockquote>
    </section>

    <section>
      <title>rules</title>

      <blockquote>
        <programlisting>#ACTION    SOURCE          DEST            PROTO   DEST    SOURCE  ORIGINAL
#                                          PORT            PORT(S) DEST
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
      </blockquote>
    </section>

    <section>
      <title>routestopped</title>

      <blockquote>
        <programlisting>#INTERFACE      HOST(S)         OPTIONS
eth0            0.0.0.0/0
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
      </blockquote>
    </section>

    <section>
      <title>maclist</title>

      <blockquote>
        <programlisting>#INTERFACE              MAC                     IP ADDRESSES (Optional)
eth1                    00:A0:1C:DB:0C:A0       192.168.3.7     #Work Laptop
eth1                    00:04:59:0e:85:b9                       #WAP11
eth1                    00:06:D5:45:33:3c                       #WET11
eth1                    00:0b:c1:53:cc:97       192.168.3.8     #TIPPER
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
      </blockquote>
    </section>

    <section>
      <title>/etc/racoon/setkey.conf</title>

      <blockquote>
        <para>This defines encryption policies to/from the wireless
        network.</para>

        <programlisting>flush;
spdflush;

spdadd 0.0.0.0/0          192.168.3.8/32     any -P out  ipsec esp/tunnel/192.168.3.254-192.168.3.8/require;
spdadd 192.168.3.8/32     0.0.0.0/0          any -P in   ipsec esp/tunnel/192.168.3.8-192.168.3.254/require;</programlisting>
      </blockquote>
    </section>

    <section>
      <title>/etc/racoon/racoon.conf</title>

      <blockquote>
        <para>SA parameters for communication with our wireless network
        (Tipper is currently the only Wireless host).</para>

        <programlisting>path certificate "/etc/certs";

listen
{
        isakmp 192.168.3.254;
}

remote 192.168.3.8
{
        exchange_mode main ;
        certificate_type x509 "ursa.pem" "ursa_key.pem";
        verify_cert on;
        my_identifier asn1dn ;
        peers_identifier asn1dn ;
        verify_identifier on ;
        lifetime time 24 hour ;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method rsasig ;
                dh_group 2 ;
        }
}

sainfo address 0.0.0.0/0 any address 192.168.3.8/32 any
{
        pfs_group 2;
        lifetime time 12 hour ;
        encryption_algorithm 3des, blowfish, des, rijndael ;
        authentication_algorithm hmac_sha1, hmac_md5 ;
        compression_algorithm deflate ;
}</programlisting>
      </blockquote>
    </section>
  </section>

  <section>
    <title>Tipper Configuration</title>

    <para>This laptop is either configured on our wireless network
    (192.168.3.8) or as a standalone system in our second home (64.139.97.48).
    The Shorewall and Racoon configurations are the same regardless of where
    Tipper is connected -- only the IP configuration changes.</para>

    <para>Tipper's view of the work is shown in the following diagram:</para>

    <graphic align="center" fileref="images/network2.png" valign="middle" />

    <para>The key configuration files are shown in the following
    sections.</para>

    <section>
      <title>zones</title>

      <blockquote>
        <programlisting>#ZONE   DISPLAY         COMMENTS
home    Home            Shorewall Network
net     Net             Internet
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
</programlisting>
      </blockquote>
    </section>

    <section>
      <title>policy</title>

      <blockquote>
        <programlisting>#SOURCE         DEST            POLICY          LOG LEVEL       LIMIT:BURST
fw              net             ACCEPT
fw              home            ACCEPT
home            fw              ACCEPT
net             home            NONE
home            net             NONE
net             all             DROP            info
# The FOLLOWING POLICY MUST BE LAST
all             all             REJECT          info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
      </blockquote>
    </section>

    <section>
      <title>interfaces</title>

      <blockquote>
        <programlisting>#ZONE   INTERFACE       BROADCAST       OPTIONS
net     eth0            detect          dhcp,tcpflags
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
      </blockquote>
    </section>

    <section>
      <title>ipsec</title>

      <blockquote>
        <programlisting>#ZONE   IPSEC   OPTIONS                 IN                      OUT
#       ONLY                            OPTIONS                 OPTIONS
home    yes     mode=tunnel
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
      </blockquote>
    </section>

    <section>
      <title>hosts</title>

      <blockquote>
        <programlisting>#ZONE           HOST(S)                         OPTIONS
home            eth0:0.0.0.0/0
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE</programlisting>
      </blockquote>
    </section>

    <section>
      <title>rules</title>

      <blockquote>
        <programlisting>#ACTION         SOURCE                  DEST    PROTO   DEST    SOURCE  ORIGINAL        RATE    USER/
#                                                       PORT    PORT(S) DEST            LIMIT   GROUP
ACCEPT          net                     fw      icmp    8
ACCEPT          net                     fw      tcp     22
ACCEPT          net                     fw      tcp     4000:4100
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
      </blockquote>
    </section>

    <section>
      <title>/etc/racoon/setkey.conf</title>

      <blockquote>
        <programlisting>flush;
spdflush;

# Policies for while we are in Omak

spdadd 64.139.97.48/32    206.124.146.176/32 any -P out ipsec esp/tunnel/64.139.97.48-206.124.146.176/require;
spdadd 206.124.146.176/32 64.139.97.48/32    any -P in  ipsec esp/tunnel/206.124.146.176-64.139.97.48/require;
spdadd 192.168.1.0/24     64.139.97.48/32    any -P in  ipsec esp/tunnel/206.124.146.176-64.139.97.48/require;
spdadd 64.139.97.48/32    192.168.1.0/24     any -P out ipsec esp/tunnel/64.139.97.48-206.124.146.176/require;

# Policies for while we're connected via Wireless at home

spdadd 192.168.3.8/32     192.168.3.8/32     any -P in  none;
spdadd 192.168.3.8/32     192.168.3.8/32     any -P out none;
spdadd 127.0.0.0/8        127.0.0.0/8        any -P in  none;
spdadd 127.0.0.0/8        127.0.0.0/8        any -P out none;
spdadd 0.0.0.0/0          192.168.3.8/32     any -P in  ipsec esp/tunnel/192.168.3.254-192.168.3.8/require;
spdadd 192.168.3.8/32     0.0.0.0/0          any -P out ipsec esp/tunnel/192.168.3.8-192.168.3.254/require;
</programlisting>
      </blockquote>
    </section>

    <section>
      <title>/etc/racoon/racoon.conf</title>

      <blockquote>
        <programlisting>path certificate "/etc/certs";

listen
{
        isakmp 64.139.97.48;
        isakmp 192.168.3.8;
}

remote 206.124.146.176
{
        exchange_mode main ;
        certificate_type x509 "tipper.pem" "tipper_key.pem";
        verify_cert on;
        my_identifier asn1dn ;
        peers_identifier asn1dn ;
        verify_identifier on ;
        lifetime time 24 hour ;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method rsasig ;
                dh_group 2 ;
        }
}

remote 192.168.3.254
{
        exchange_mode main ;
        certificate_type x509 "tipper.pem" "tipper_key.pem";
        verify_cert on;
        my_identifier asn1dn ;
        peers_identifier asn1dn ;
        verify_identifier on ;
        lifetime time 24 hour ;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method rsasig ;
                dh_group 2 ;
        }
}

sainfo address 64.139.97.48/32 any address 192.168.1.0/24 any
{
        pfs_group 2;
        lifetime time 12 hour ;
        encryption_algorithm 3des, blowfish, des, rijndael ;
        authentication_algorithm hmac_sha1, hmac_md5 ;
        compression_algorithm deflate ;
}

sainfo address 64.139.97.48/32 any address 206.124.146.176/32 any
{
        pfs_group 2;
        lifetime time 12 hour ;
        encryption_algorithm 3des, blowfish, des, rijndael ;
        authentication_algorithm hmac_sha1, hmac_md5 ;
        compression_algorithm deflate ;
}

sainfo address 192.168.3.8/32 any address 0.0.0.0/0 any
{
        pfs_group 2;
        lifetime time 12 hour ;
        encryption_algorithm 3des, blowfish, des, rijndael ;
        authentication_algorithm hmac_sha1, hmac_md5 ;
        compression_algorithm deflate ;
}</programlisting>
      </blockquote>
    </section>
  </section>
</article>