2004-02-14 19:06:39 +01:00
|
|
|
<?xml version="1.0" encoding="UTF-8"?>
|
|
|
|
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
|
|
|
|
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
|
|
|
|
<article>
|
|
|
|
<!--$Id$-->
|
|
|
|
|
|
|
|
<articleinfo>
|
|
|
|
<title>About My Network</title>
|
|
|
|
|
|
|
|
<authorgroup>
|
|
|
|
<author>
|
|
|
|
<firstname>Tom</firstname>
|
|
|
|
|
|
|
|
<surname>Eastep</surname>
|
|
|
|
</author>
|
|
|
|
</authorgroup>
|
|
|
|
|
2004-04-05 23:13:45 +02:00
|
|
|
<pubdate>2004-04-03</pubdate>
|
2004-02-14 19:06:39 +01:00
|
|
|
|
|
|
|
<copyright>
|
|
|
|
<year>2001-2004</year>
|
|
|
|
|
|
|
|
<holder>Thomas M. Eastep</holder>
|
|
|
|
</copyright>
|
|
|
|
|
|
|
|
<legalnotice>
|
|
|
|
<para>Permission is granted to copy, distribute and/or modify this
|
|
|
|
document under the terms of the GNU Free Documentation License, Version
|
|
|
|
1.2 or any later version published by the Free Software Foundation; with
|
|
|
|
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
|
|
|
Texts. A copy of the license is included in the section entitled
|
|
|
|
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
|
|
|
|
</legalnotice>
|
|
|
|
</articleinfo>
|
|
|
|
|
|
|
|
<section>
|
|
|
|
<title>My Current Network</title>
|
|
|
|
|
|
|
|
<caution>
|
|
|
|
<para>I use a combination of One-to-one NAT and Proxy ARP, neither of
|
|
|
|
which are relevant to a simple configuration with a single public IP
|
|
|
|
address. If you have just a single public IP address, most of what you
|
|
|
|
see here won't apply to your setup so beware of copying parts of
|
|
|
|
this configuration and expecting them to work for you. What you copy may
|
|
|
|
or may not work in your configuration.</para>
|
|
|
|
</caution>
|
|
|
|
|
|
|
|
<caution>
|
|
|
|
<para>The configuration shown here corresponds to Shorewall version
|
2004-03-17 16:03:46 +01:00
|
|
|
2.0.1 (that's right -- I am running a version of Shorewall that is
|
|
|
|
not yet released). My configuration uses features not available in
|
|
|
|
earlier Shorewall releases.</para>
|
2004-02-14 19:06:39 +01:00
|
|
|
</caution>
|
|
|
|
|
|
|
|
<para>I have DSL service and have 5 static IP addresses
|
|
|
|
(206.124.146.176-180). My DSL <quote>modem</quote> (Fujitsu Speedport) is
|
|
|
|
connected to eth0. I have a local network connected to eth2 (subnet
|
2004-03-17 16:03:46 +01:00
|
|
|
192.168.1.0/24) and a DMZ connected to eth1 (206.124.146.176/32). Note
|
|
|
|
that the IP address of eth1 is a duplicate of one on eth0.</para>
|
2004-02-14 19:06:39 +01:00
|
|
|
|
2004-03-17 16:03:46 +01:00
|
|
|
<para>In this configuration:</para>
|
2004-02-14 19:06:39 +01:00
|
|
|
|
|
|
|
<itemizedlist>
|
|
|
|
<listitem>
|
2004-03-17 16:03:46 +01:00
|
|
|
<para>I use one-to-one NAT for Ursa (my personal system that
|
|
|
|
dual-boots Mandrake 9.2 and Windows XP) - Internal address 192.168.1.5
|
|
|
|
and external address 206.124.146.178.</para>
|
2004-02-14 19:06:39 +01:00
|
|
|
</listitem>
|
|
|
|
|
|
|
|
<listitem>
|
2004-03-17 16:03:46 +01:00
|
|
|
<para>I use one-to-one NAT for EastepLaptop (My work system -- Windows
|
|
|
|
XP SP2). Internal address 192.168.1.7 and external address
|
2004-02-14 19:06:39 +01:00
|
|
|
206.124.146.180.</para>
|
|
|
|
</listitem>
|
|
|
|
|
|
|
|
<listitem>
|
2004-03-17 16:03:46 +01:00
|
|
|
<para>I use SNAT through 206.124.146.179 for  my SuSE 9.0 Linux
|
2004-02-14 19:06:39 +01:00
|
|
|
system (Wookie), my Wife's Windows XP system (Tarry), and
|
|
|
|
our  Windows XP laptop (Tipper) which connects through the
|
2004-03-17 16:03:46 +01:00
|
|
|
Wireless Access Point (wap) via a Wireless Bridge (wet).<note><para>While
|
2004-02-14 19:06:39 +01:00
|
|
|
the distance between the WAP and where I usually use the laptop
|
|
|
|
isn't very far (25 feet or so), using a WAC11 (CardBus wireless
|
|
|
|
card) has proved very unsatisfactory (lots of lost connections). By
|
|
|
|
replacing the WAC11 with the WET11 wireless bridge, I have virtually
|
|
|
|
eliminated these problems (Being an old radio tinkerer (K7JPV), I was
|
|
|
|
also able to eliminate the disconnects by hanging a piece of aluminum
|
|
|
|
foil on the family room wall. Needless to say, my wife Tarry rejected
|
|
|
|
that as a permanent solution :-).</para></note></para>
|
|
|
|
</listitem>
|
|
|
|
</itemizedlist>
|
|
|
|
|
2004-03-17 16:03:46 +01:00
|
|
|
<itemizedlist>
|
|
|
|
<listitem>
|
|
|
|
<para>I have Wookie (193.168.1.3) configured as a 3-port bridge. Squid
|
|
|
|
runs on this system and is configured as a transparent proxy.</para>
|
|
|
|
</listitem>
|
|
|
|
</itemizedlist>
|
|
|
|
|
2004-02-14 19:06:39 +01:00
|
|
|
<para>The firewall runs on a 256MB PII/233 with Debian Sarge (Testing).</para>
|
|
|
|
|
2004-03-17 16:03:46 +01:00
|
|
|
<para>Wookie and Ursa run Samba and the Wookie acts as a WINS server.</para>
|
2004-02-14 19:06:39 +01:00
|
|
|
|
2004-03-17 16:03:46 +01:00
|
|
|
<para>The wireless network connects to Wookie's eth2 via a LinkSys
|
|
|
|
WAP11.  In additional to using the rather weak WEP 40-bit
|
|
|
|
encryption (64-bit with the 24-bit preamble), I use <ulink
|
|
|
|
url="MAC_Validation.html">MAC verification</ulink>. This is still a weak
|
|
|
|
combination and if I lived near a wireless <quote>hot spot</quote>, I
|
|
|
|
would probably add IPSEC or something similar to my WiFi->local
|
|
|
|
connections.</para>
|
2004-02-14 19:06:39 +01:00
|
|
|
|
|
|
|
<para>The single system in the DMZ (address 206.124.146.177) runs postfix,
|
|
|
|
Courier IMAP (imaps and pop3), DNS, a Web server (Apache) and an FTP
|
|
|
|
server (Pure-ftpd) under RedHat 9.0. The system also runs fetchmail to
|
|
|
|
fetch our email from our old and current ISPs. That server is managed
|
|
|
|
through Proxy ARP.</para>
|
|
|
|
|
|
|
|
<para>The firewall system itself runs a DHCP server that serves the local
|
|
|
|
network.</para>
|
|
|
|
|
|
|
|
<para>All administration and publishing is done using ssh/scp. I have a
|
|
|
|
desktop environment installed on the firewall but I am not usually logged
|
|
|
|
in to it. X applications tunnel through SSH to Ursa. The server also has a
|
|
|
|
desktop environment installed and that desktop environment is available
|
|
|
|
via XDMCP from the local zone. For the most part though, X tunneled
|
|
|
|
through SSH is used for server administration and the server runs at run
|
|
|
|
level 3 (multi-user console mode on RedHat).</para>
|
|
|
|
|
|
|
|
<para>I run an SNMP server on my firewall to serve <ulink
|
|
|
|
url="http://www.ee.ethz.ch/~oetiker/webtools/mrtg/">MRTG</ulink> running
|
|
|
|
in the DMZ.<graphic align="center" fileref="images/network.png" />The
|
|
|
|
ethernet interface in the Server is configured with IP address
|
|
|
|
206.124.146.177, netmask 255.255.255.0. The server's default gateway
|
|
|
|
is 206.124.146.254 (Router at my ISP. This is the same default gateway
|
|
|
|
used by the firewall itself). On the firewall, an entry in my
|
|
|
|
/etc/network/interfaces file (see below) adds a host route to
|
|
|
|
206.124.146.177 through eth1 when that interface is brought up.</para>
|
|
|
|
|
2004-04-05 23:13:45 +02:00
|
|
|
<para>Tarry (192.168.1.4) runs a PPTP server for Road Warrior access.</para>
|
2004-03-17 16:03:46 +01:00
|
|
|
</section>
|
|
|
|
|
|
|
|
<section>
|
|
|
|
<title>Firewall Configuration</title>
|
2004-02-14 19:06:39 +01:00
|
|
|
|
|
|
|
<section>
|
|
|
|
<title>Shorewall.conf</title>
|
|
|
|
|
|
|
|
<blockquote>
|
|
|
|
<programlisting>LOGFILE=/var/log/messages
|
|
|
|
LOGRATE=
|
|
|
|
LOGBURST=
|
|
|
|
LOGUNCLEAN=$LOG
|
|
|
|
BLACKLIST_LOGLEVEL=
|
|
|
|
LOGNEWNOTSYN=$LOG
|
|
|
|
MACLIST_LOG_LEVEL=$LOG
|
|
|
|
TCP_FLAGS_LOG_LEVEL=$LOG
|
|
|
|
RFC1918_LOG_LEVEL=$LOG
|
|
|
|
SMURF_LOG_LEVEL=
|
|
|
|
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
|
|
|
|
SHOREWALL_SHELL=/bin/ash
|
|
|
|
SUBSYSLOCK= #I run Debian which doesn't use service locks
|
|
|
|
STATEDIR=/var/state/shorewall
|
|
|
|
MODULESDIR=
|
|
|
|
FW=fw
|
|
|
|
IP_FORWARDING=On
|
|
|
|
ADD_IP_ALIASES=Yes
|
|
|
|
ADD_SNAT_ALIASES=Yes
|
|
|
|
TC_ENABLED=Yes
|
|
|
|
CLEAR_TC=No
|
|
|
|
MARK_IN_FORWARD_CHAIN=No
|
|
|
|
CLAMPMSS=Yes
|
|
|
|
ROUTE_FILTER=No
|
|
|
|
DETECT_DNAT_IPADDRS=Yes
|
|
|
|
MUTEX_TIMEOUT=60
|
|
|
|
NEWNOTSYN=Yes
|
|
|
|
BLACKLISTNEWONLY=Yes
|
|
|
|
BLACKLIST_DISPOSITION=DROP
|
|
|
|
MACLIST_DISPOSITION=REJECT
|
|
|
|
TCP_FLAGS_DISPOSITION=DROP
|
|
|
|
</programlisting>
|
|
|
|
</blockquote>
|
|
|
|
</section>
|
|
|
|
|
|
|
|
<section>
|
|
|
|
<title>Params File (Edited)</title>
|
|
|
|
|
|
|
|
<blockquote>
|
|
|
|
<para><programlisting>MIRRORS=<list of shorewall mirror ip addresses>
|
|
|
|
NTPSERVERS=<list of the NTP servers I sync with>
|
|
|
|
TEXAS=<ip address of gateway in Dallas>
|
|
|
|
LOG=info</programlisting></para>
|
|
|
|
</blockquote>
|
|
|
|
</section>
|
|
|
|
|
|
|
|
<section>
|
|
|
|
<title>Zones File</title>
|
|
|
|
|
|
|
|
<blockquote>
|
|
|
|
<programlisting>#ZONE DISPLAY COMMENTS
|
|
|
|
net Internet Internet
|
|
|
|
dmz DMZ Demilitarized zone
|
|
|
|
loc Local Local networks
|
|
|
|
tx Texas Peer Network in Dallas
|
|
|
|
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
|
|
|
|
</blockquote>
|
|
|
|
</section>
|
|
|
|
|
|
|
|
<section>
|
|
|
|
<title>Interfaces File</title>
|
|
|
|
|
|
|
|
<blockquote>
|
|
|
|
<para>This is set up so that I can start the firewall before bringing
|
|
|
|
up my Ethernet interfaces.</para>
|
|
|
|
|
|
|
|
<programlisting>#ZONE INERFACE BROADCAST OPTIONS
|
|
|
|
net eth0 206.124.146.255 dhcp,norfc1918,routefilter,blacklist,tcpflags,nosmurfs
|
|
|
|
loc eth2 192.168.1.255 dhcp,detectnets
|
|
|
|
dmz eth1 -
|
|
|
|
- texas 192.168.9.255
|
|
|
|
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
|
|
|
|
</blockquote>
|
|
|
|
</section>
|
|
|
|
|
|
|
|
<section>
|
|
|
|
<title>Hosts File</title>
|
|
|
|
|
|
|
|
<blockquote>
|
|
|
|
<programlisting>#ZONE HOST(S) OPTIONS
|
|
|
|
tx              texas:192.168.8.0/22
|
|
|
|
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
|
|
|
|
</blockquote>
|
|
|
|
</section>
|
|
|
|
|
|
|
|
<section>
|
|
|
|
<title>Routestopped File</title>
|
|
|
|
|
|
|
|
<blockquote>
|
|
|
|
<programlisting>#INTERFACE HOST(S)
|
|
|
|
eth1 206.124.146.177
|
|
|
|
eth2 -
|
|
|
|
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
|
|
|
|
</blockquote>
|
|
|
|
</section>
|
|
|
|
|
|
|
|
<section id="RFC1918">
|
|
|
|
<title>RFC1918 File</title>
|
|
|
|
|
|
|
|
<blockquote>
|
|
|
|
<para>I use a stripped-down file which doesn't have to be updated
|
|
|
|
when the IANA allocates a block of IP addresses.</para>
|
|
|
|
</blockquote>
|
|
|
|
|
|
|
|
<blockquote>
|
|
|
|
<programlisting>#SUBNET TARGET
|
|
|
|
169.254.0.0/16 DROP # DHCP autoconfig
|
|
|
|
172.16.0.0/12 logdrop # RFC 1918
|
|
|
|
192.0.2.0/24 logdrop # Example addresses
|
|
|
|
192.168.0.0/16 logdrop # RFC 1918
|
|
|
|
10.24.60.56 DROP # Some idiot in my broadcast domain
|
|
|
|
# has a box configured with this
|
|
|
|
# address.
|
|
|
|
10.0.0.0/8 logdrop # Reserved (RFC 1918)</programlisting>
|
|
|
|
</blockquote>
|
|
|
|
</section>
|
|
|
|
|
|
|
|
<section>
|
|
|
|
<title>Blacklist File (Partial)</title>
|
|
|
|
|
|
|
|
<blockquote>
|
|
|
|
<programlisting>#ADDRESS/SUBNET PROTOCOL PORT
|
|
|
|
0.0.0.0/0 udp 1434
|
|
|
|
0.0.0.0/0 tcp 1433
|
2004-03-17 16:03:46 +01:00
|
|
|
0.0.0.0/0 tcp 3127
|
2004-02-14 19:06:39 +01:00
|
|
|
0.0.0.0/0 tcp 8081
|
|
|
|
0.0.0.0/0 tcp 57
|
|
|
|
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
|
|
|
|
</blockquote>
|
|
|
|
</section>
|
|
|
|
|
|
|
|
<section>
|
|
|
|
<title>Policy File</title>
|
|
|
|
|
|
|
|
<blockquote>
|
|
|
|
<programlisting>#SOURCE DESTINATION POLICY LOG LEVEL BURST:LIMIT
|
|
|
|
fw fw ACCEPT # For testing fw->fw rules
|
|
|
|
loc net ACCEPT # Allow all net traffic from local net
|
|
|
|
$FW loc ACCEPT # Allow local access from the firewall
|
|
|
|
$FW tx ACCEPT # Allow firewall access to texas
|
|
|
|
loc tx ACCEPT # Allow local net access to texas
|
|
|
|
loc fw REJECT $LOG # Reject loc->fw and log
|
|
|
|
net all DROP $LOG 10/sec:40 # Rate limit and
|
|
|
|
# DROP net->all
|
|
|
|
all all REJECT $LOG # Reject and log the rest
|
|
|
|
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
|
|
|
|
</blockquote>
|
|
|
|
</section>
|
|
|
|
|
|
|
|
<section>
|
|
|
|
<title>Masq File</title>
|
|
|
|
|
|
|
|
<blockquote>
|
|
|
|
<para>Although most of our internal systems use one-to-one NAT, my
|
|
|
|
wife's system (192.168.1.4) uses IP Masquerading (actually SNAT)
|
2004-03-17 16:03:46 +01:00
|
|
|
as do my SuSE system (192.168.1.3), our laptop (192.168.3.8) and
|
2004-02-14 19:06:39 +01:00
|
|
|
visitors with laptops.</para>
|
|
|
|
|
|
|
|
<programlisting>#INTERFACE SUBNET ADDRESS
|
|
|
|
eth0:2 eth2 206.124.146.179
|
|
|
|
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
|
|
|
|
</programlisting>
|
|
|
|
</blockquote>
|
|
|
|
</section>
|
|
|
|
|
|
|
|
<section>
|
|
|
|
<title>NAT File</title>
|
|
|
|
|
|
|
|
<blockquote>
|
|
|
|
<programlisting>#EXTERNAL INTERFACE INTERNAL ALL INTERFACES LOCAL
|
|
|
|
206.124.146.178 eth0:0 192.168.1.5 No No
|
|
|
|
206.124.146.180 eth0:1 192.168.1.7 No No
|
|
|
|
#
|
|
|
|
# The following entry allows the server to be accessed through an address in
|
|
|
|
# the local network. This is convenient when I'm on the road and connected
|
|
|
|
# to the PPTP server. By doing this, I don't need to set my client's default
|
|
|
|
# gateway to route through the tunnel.
|
|
|
|
#
|
|
|
|
192.168.1.193 eth2:0 206.124.146.177 No No
|
|
|
|
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
|
|
|
|
</blockquote>
|
|
|
|
</section>
|
|
|
|
|
|
|
|
<section id="ProxyARP">
|
|
|
|
<title>Proxy ARP File</title>
|
|
|
|
|
|
|
|
<blockquote>
|
|
|
|
<programlisting>#ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT
|
|
|
|
206.124.146.177 eth1 eth0 Yes
|
|
|
|
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
|
|
|
</blockquote>
|
|
|
|
</section>
|
|
|
|
|
|
|
|
<section>
|
|
|
|
<title>Tunnels File (Shell variable TEXAS set in /etc/shorewall/params)</title>
|
|
|
|
|
|
|
|
<blockquote>
|
|
|
|
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE PORT
|
|
|
|
gre net $TEXAS
|
|
|
|
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
|
|
|
</blockquote>
|
|
|
|
</section>
|
|
|
|
|
|
|
|
<section id="Actions">
|
|
|
|
<title>Actions File</title>
|
|
|
|
|
|
|
|
<blockquote>
|
|
|
|
<programlisting>#ACTION
|
|
|
|
Mirrors #Accept traffic from the Shorewall Mirror sites
|
|
|
|
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
|
|
|
|
</blockquote>
|
|
|
|
</section>
|
|
|
|
|
|
|
|
<section>
|
|
|
|
<title>action.Mirrors File</title>
|
|
|
|
|
|
|
|
<blockquote>
|
|
|
|
<para>The $MIRRORS variable expands to a list of approximately 10 IP
|
|
|
|
addresses. So moving these checks into a separate chain reduces the
|
|
|
|
number of rules that most net->dmz traffic needs to traverse.</para>
|
|
|
|
|
|
|
|
<programlisting>#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
|
|
|
|
# PORT PORT(S) DEST LIMIT
|
|
|
|
ACCEPT $MIRRORS
|
|
|
|
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
|
|
|
</blockquote>
|
|
|
|
</section>
|
|
|
|
|
|
|
|
<section>
|
2004-02-15 18:29:58 +01:00
|
|
|
<title>/etc/shorewall/action.Drop</title>
|
2004-02-14 19:06:39 +01:00
|
|
|
|
|
|
|
<blockquote>
|
|
|
|
<para>This is my common action for the DROP policy. It is like the
|
2004-02-15 18:29:58 +01:00
|
|
|
standard <emphasis role="bold">Drop</emphasis> action except that it
|
2004-02-14 19:06:39 +01:00
|
|
|
allows <quote>Ping</quote>.</para>
|
|
|
|
|
|
|
|
<programlisting>#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
|
|
|
|
# PORT(S) PORT(S) LIMIT GROUP
|
|
|
|
RejectAuth
|
|
|
|
AllowPing
|
|
|
|
dropBcast
|
|
|
|
DropSMB
|
|
|
|
DropUPnP
|
|
|
|
dropNonSyn
|
|
|
|
DropDNSrep</programlisting>
|
|
|
|
</blockquote>
|
|
|
|
</section>
|
|
|
|
|
|
|
|
<section>
|
2004-02-15 18:29:58 +01:00
|
|
|
<title>/etc/shorewall/action.Reject</title>
|
2004-02-14 19:06:39 +01:00
|
|
|
|
|
|
|
<blockquote>
|
|
|
|
<para>This is my common action for the REJECT policy. It is like the
|
2004-02-15 18:29:58 +01:00
|
|
|
standard <emphasis role="bold">Reject</emphasis> action except that it
|
|
|
|
allows <quote>Ping</quote> and contains one rule that guards against
|
|
|
|
log flooding by broken software running in my local zone.</para>
|
2004-02-14 19:06:39 +01:00
|
|
|
|
|
|
|
<programlisting>#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
|
|
|
|
# PORT(S) PORT(S) LIMIT GROUP
|
|
|
|
RejectAuth
|
|
|
|
AllowPing
|
|
|
|
dropBcast
|
|
|
|
RejectSMB
|
|
|
|
DropUPnP
|
|
|
|
dropNonSyn
|
|
|
|
DropDNSrep
|
|
|
|
DROP loc:eth2:!192.168.1.0/24 #So that my braindead Windows[tm] XP system doesn't flood my log
|
|
|
|
#with NTP requests with a source address in 16.0.0.0/8 (address of
|
|
|
|
#its PPTP tunnel to HP).</programlisting>
|
|
|
|
</blockquote>
|
|
|
|
</section>
|
|
|
|
|
|
|
|
<section>
|
|
|
|
<title>Rules File (The shell variables are set in /etc/shorewall/params)</title>
|
|
|
|
|
|
|
|
<blockquote>
|
|
|
|
<programlisting>###############################################################################################################################################################################
|
|
|
|
#RESULT CLIENT(S) SERVER(S) PROTO PORT(S) CLIENT ORIGINAL RATE USER
|
|
|
|
# PORT(S) DEST:SNAT SET
|
|
|
|
###############################################################################################################################################################################
|
|
|
|
# Local Network to Internet - Reject attempts by Trojans to call home
|
|
|
|
#
|
|
|
|
REJECT:$LOG loc net tcp 6667
|
|
|
|
#
|
|
|
|
# Stop NETBIOS crap since our policy is ACCEPT
|
|
|
|
#
|
|
|
|
REJECT loc net tcp 137,445
|
|
|
|
REJECT loc net udp 137:139
|
|
|
|
#
|
|
|
|
QUEUE loc net udp
|
|
|
|
QUEUE loc fw udp
|
|
|
|
QUEUE loc net tcp
|
|
|
|
###############################################################################################################################################################################
|
|
|
|
# Local Network to Firewall
|
|
|
|
#
|
2004-03-17 16:03:46 +01:00
|
|
|
ACCEPT loc fw tcp ssh,time
|
|
|
|
ACCEPT loc fw udp snmp,ntp
|
2004-02-14 19:06:39 +01:00
|
|
|
###############################################################################################################################################################################
|
|
|
|
# Local Network to DMZ
|
|
|
|
#
|
|
|
|
REJECT loc dmz tcp 465
|
|
|
|
ACCEPT loc dmz udp domain,xdmcp
|
|
|
|
ACCEPT loc dmz tcp www,smtp,domain,ssh,imap,https,imaps,cvspserver,ftp,10000,8080,10027,pop3 -
|
|
|
|
###############################################################################################################################################################################
|
|
|
|
# Internet to DMZ
|
|
|
|
#
|
|
|
|
DNAT- net dmz:206.124.146.177 tcp smtp - 206.124.146.179,206.124.146.178
|
|
|
|
ACCEPT net dmz tcp smtp,www,ftp,imaps,domain,cvspserver,https -
|
|
|
|
ACCEPT net dmz udp domain
|
|
|
|
ACCEPT net dmz udp 33434:33436
|
|
|
|
Mirrors net dmz tcp rsync
|
|
|
|
#ACCEPT:$LOG net dmz tcp 32768:61000 20
|
|
|
|
###############################################################################################################################################################################
|
|
|
|
#
|
|
|
|
# Net to Local
|
|
|
|
#
|
|
|
|
# When I'm "on the road", the following two rules allow me VPN access back home.
|
|
|
|
#
|
2004-04-05 23:13:45 +02:00
|
|
|
DNAT net loc:192.168.1.4 tcp 1723
|
|
|
|
DNAT net loc:192.168.1.4 gre
|
2004-02-14 19:06:39 +01:00
|
|
|
#
|
|
|
|
# ICQ
|
|
|
|
#
|
|
|
|
ACCEPT net loc:192.168.1.5 tcp 4000:4100
|
|
|
|
#
|
|
|
|
# Real Audio
|
|
|
|
#
|
|
|
|
ACCEPT net loc:192.168.1.5 udp 6970:7170
|
|
|
|
#
|
|
|
|
# Overnet
|
|
|
|
#
|
|
|
|
#ACCEPT net loc:192.168.1.5 tcp 4662
|
|
|
|
#ACCEPT net loc:192.168.1.5 udp 12112
|
|
|
|
###############################################################################################################################################################################
|
|
|
|
# DMZ to Internet
|
|
|
|
#
|
|
|
|
ACCEPT dmz net tcp smtp,domain,www,https,whois,echo,2702,21,2703,ssh,8080
|
|
|
|
ACCEPT dmz net udp domain
|
|
|
|
ACCEPT dmz net:$POPSERVERS tcp pop3
|
|
|
|
#ACCEPT dmz net:206.191.151.2 tcp pop3
|
|
|
|
#ACCEPT dmz net:66.216.26.115 tcp pop3
|
|
|
|
#
|
|
|
|
# Something is wrong with the FTP connection tracking code or there is some client out there
|
|
|
|
# that is sending a PORT command which that code doesn't understand. Either way,
|
|
|
|
# the following works around the problem.
|
|
|
|
#
|
|
|
|
ACCEPT:$LOG dmz net tcp 1024: 20
|
|
|
|
###############################################################################################################################################################################
|
|
|
|
# DMZ to Firewall -- ntp & snmp, Silently reject Auth
|
|
|
|
#
|
|
|
|
ACCEPT dmz fw udp ntp ntp
|
|
|
|
ACCEPT dmz fw tcp snmp,ssh
|
|
|
|
ACCEPT dmz fw udp snmp
|
|
|
|
REJECT dmz fw tcp auth
|
|
|
|
###############################################################################################################################################################################
|
|
|
|
# DMZ to Local Network
|
|
|
|
#
|
|
|
|
ACCEPT dmz loc tcp smtp,6001:6010
|
2004-03-17 16:03:46 +01:00
|
|
|
ACCEPT dmz:206.124.146.177 loc:192.168.1.3 tcp 111
|
|
|
|
ACCEPT dmz:206.124.146.177 loc:192.168.1.3 udp
|
2004-02-14 19:06:39 +01:00
|
|
|
###############################################################################################################################################################################
|
|
|
|
# Internet to Firewall
|
|
|
|
#
|
|
|
|
REJECT net fw tcp www
|
|
|
|
ACCEPT net dmz udp 33434:33435
|
2004-03-17 16:03:46 +01:00
|
|
|
|
2004-02-14 19:06:39 +01:00
|
|
|
###############################################################################################################################################################################
|
|
|
|
# Firewall to Internet
|
|
|
|
#
|
|
|
|
ACCEPT fw net:$NTPSERVERS udp ntp ntp
|
|
|
|
#ACCEPT fw net:$POPSERVERS tcp pop3
|
|
|
|
ACCEPT fw net udp domain
|
|
|
|
ACCEPT fw net tcp domain,www,https,ssh,1723,whois,1863,ftp,2702,2703,7
|
|
|
|
ACCEPT fw net udp 33435:33535
|
|
|
|
ACCEPT fw net icmp
|
|
|
|
###############################################################################################################################################################################
|
|
|
|
# Firewall to DMZ
|
|
|
|
#
|
|
|
|
ACCEPT fw dmz tcp www,ftp,ssh,smtp
|
|
|
|
ACCEPT fw dmz udp domain
|
|
|
|
REJECT fw dmz udp 137:139
|
|
|
|
###############################################################################################################################################################################
|
|
|
|
# Ping
|
|
|
|
#
|
|
|
|
ACCEPT all all icmp 8
|
|
|
|
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
|
|
|
</blockquote>
|
|
|
|
</section>
|
|
|
|
|
|
|
|
<section id="Interfaces">
|
|
|
|
<title>/etc/network/interfaces</title>
|
|
|
|
|
|
|
|
<blockquote>
|
|
|
|
<para>This file is Debian specific. My additional entry (which is
|
|
|
|
displayed in <emphasis role="bold">bold type</emphasis>) adds a route
|
|
|
|
to my DMZ server when eth1 is brought up. It allows me to enter
|
|
|
|
<quote>Yes</quote> in the HAVEROUTE column of <link linkend="ProxyARP">my
|
|
|
|
Proxy ARP file</link>.</para>
|
|
|
|
|
|
|
|
<programlisting>...
|
|
|
|
auto eth1
|
|
|
|
iface eth1 inet static
|
|
|
|
address 206.124.146.176
|
|
|
|
netmask 255.255.255.255
|
|
|
|
broadcast 0.0.0.0
|
|
|
|
<emphasis role="bold">up ip route add 206.124.146.177 dev eth1
|
|
|
|
</emphasis>...</programlisting>
|
|
|
|
</blockquote>
|
|
|
|
</section>
|
|
|
|
|
|
|
|
<section id="Dhcpd">
|
|
|
|
<title>/etc/dhcpd.conf (MAC Addresses Omitted)</title>
|
|
|
|
|
|
|
|
<blockquote>
|
|
|
|
<para>While this is a little off-topic, I've included it to show
|
|
|
|
how to set up DHCP on two interfaces.<programlisting>default-lease-time 67200; max-lease-time 67200;
|
|
|
|
get-lease-hostnames on;
|
|
|
|
|
|
|
|
group {
|
|
|
|
option subnet-mask 255.255.255.0;
|
|
|
|
option broadcast-address 192.168.1.255;
|
|
|
|
option routers 192.168.1.254;
|
|
|
|
option ntp-servers 192.168.1.254;
|
|
|
|
option domain-name-servers 192.168.1.193;
|
|
|
|
option netbios-name-servers 192.168.1.254;
|
|
|
|
option domain-name "shorewall.net";
|
|
|
|
option netbios-dd-server 192.168.1.254;
|
|
|
|
option netbios-node-type 8;
|
|
|
|
option netbios-scope "";
|
|
|
|
|
|
|
|
subnet 192.168.1.0 netmask 255.255.255.0 {
|
|
|
|
range 192.168.1.11 192.168.1.20;
|
|
|
|
}
|
|
|
|
|
|
|
|
host ursa.shorewall.net {
|
|
|
|
hardware ethernet …;
|
|
|
|
fixed-address 192.168.1.5;
|
|
|
|
}
|
|
|
|
|
|
|
|
host eastept1 {
|
|
|
|
hardware ethernet …;
|
|
|
|
fixed-address 192.168.1.7;
|
|
|
|
}
|
|
|
|
|
|
|
|
host tarry {
|
|
|
|
hardware ethernet …;
|
|
|
|
fixed-address 192.168.1.4;
|
|
|
|
}
|
|
|
|
|
|
|
|
host wookie.shorewall.net {
|
|
|
|
hardware ethernet …;
|
|
|
|
fixed-address 192.168.1.3;
|
|
|
|
}
|
|
|
|
|
|
|
|
host testws.shorewall.net {
|
|
|
|
hardware ethernet …;
|
|
|
|
fixed-address 192.168.1.6;
|
|
|
|
}
|
|
|
|
|
|
|
|
host printer.shorewall.net {
|
|
|
|
hardware ethernet …;
|
|
|
|
fixed-address 192.168.1.10;
|
|
|
|
}
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
group {
|
|
|
|
option subnet-mask 255.255.255.0;
|
|
|
|
option broadcast-address 192.168.3.255;
|
|
|
|
option routers 192.168.3.254;
|
|
|
|
option ntp-servers 192.168.3.254;
|
|
|
|
option domain-name-servers 206.124.146.177;
|
|
|
|
option netbios-name-servers 192.168.3.254;
|
|
|
|
option domain-name "shorewall.net";
|
|
|
|
option netbios-dd-server 192.168.3.254;
|
|
|
|
option netbios-node-type 8;
|
|
|
|
option netbios-scope "";
|
|
|
|
|
|
|
|
subnet 192.168.3.0 netmask 255.255.255.0 {
|
|
|
|
range 192.168.3.11 192.168.3.20;
|
|
|
|
}
|
|
|
|
|
|
|
|
host easteplaptop {
|
|
|
|
hardware ethernet …;
|
|
|
|
fixed-address 192.168.3.7;
|
|
|
|
}
|
|
|
|
|
|
|
|
host tipper.shorewall.net {
|
|
|
|
hardware ethernet …;
|
|
|
|
fixed-address 192.168.3.8;
|
|
|
|
}</programlisting></para>
|
|
|
|
</blockquote>
|
|
|
|
</section>
|
|
|
|
</section>
|
2004-03-17 16:03:46 +01:00
|
|
|
|
|
|
|
<section>
|
|
|
|
<title>Bridge (Wookie) Configuration</title>
|
|
|
|
|
|
|
|
<para>As mentioned above, Wookie acts as a bridge. It's view of the
|
|
|
|
network is diagrammed in the following figure.</para>
|
|
|
|
|
|
|
|
<graphic fileref="images/network1.png" />
|
|
|
|
|
|
|
|
<para>I've included the files that I used to configure that system --
|
|
|
|
some of them are SuSE-specific.</para>
|
|
|
|
|
|
|
|
<para>The configuration on Wookie can be modified to test various bridging
|
|
|
|
features -- otherwise, it serves to isolate the Wireless network from the
|
|
|
|
rest of our systems.</para>
|
|
|
|
|
|
|
|
<section>
|
|
|
|
<title>shorewall.conf</title>
|
|
|
|
|
|
|
|
<blockquote>
|
|
|
|
<para>Only the changes from the defaults are shown.</para>
|
|
|
|
|
|
|
|
<programlisting>BRIDGING=Yes</programlisting>
|
|
|
|
</blockquote>
|
|
|
|
</section>
|
|
|
|
|
|
|
|
<section>
|
|
|
|
<title>zones</title>
|
|
|
|
|
|
|
|
<blockquote>
|
|
|
|
<programlisting>#ZONE DISPLAY COMMENTS
|
|
|
|
net Net Internet
|
|
|
|
loc Local Local networks
|
|
|
|
WiFi WireLess Wireless Network
|
|
|
|
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
|
|
|
|
</programlisting>
|
|
|
|
</blockquote>
|
|
|
|
</section>
|
|
|
|
|
|
|
|
<section>
|
|
|
|
<title>policy</title>
|
|
|
|
|
|
|
|
<blockquote>
|
|
|
|
<programlisting>#SOURCE DEST POLICY LOG LIMIT:BURST
|
|
|
|
fw fw ACCEPT
|
|
|
|
loc net ACCEPT
|
|
|
|
net loc ACCEPT
|
|
|
|
net fw ACCEPT
|
|
|
|
loc fw ACCEPT
|
|
|
|
loc WiFi ACCEPT
|
|
|
|
fw WiFi ACCEPT
|
|
|
|
fw net ACCEPT
|
|
|
|
fw loc ACCEPT
|
|
|
|
#
|
|
|
|
# THE FOLLOWING POLICY MUST BE LAST
|
|
|
|
#
|
|
|
|
all all REJECT info
|
|
|
|
#LAST LINE -- DO NOT REMOVE</programlisting>
|
|
|
|
</blockquote>
|
|
|
|
</section>
|
|
|
|
|
|
|
|
<section>
|
|
|
|
<title>interfaces</title>
|
|
|
|
|
|
|
|
<blockquote>
|
|
|
|
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
|
|
|
- br0 192.168.1.255
|
|
|
|
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
|
|
|
</blockquote>
|
|
|
|
</section>
|
|
|
|
|
|
|
|
<section>
|
|
|
|
<title>hosts</title>
|
|
|
|
|
|
|
|
<blockquote>
|
|
|
|
<programlisting>#ZONE HOST(S) OPTIONS
|
|
|
|
net br0:eth1
|
|
|
|
loc br0:eth0
|
|
|
|
WiFi br0:eth2 maclist
|
|
|
|
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE</programlisting>
|
|
|
|
</blockquote>
|
|
|
|
</section>
|
|
|
|
|
|
|
|
<section>
|
|
|
|
<title>rules</title>
|
|
|
|
|
|
|
|
<blockquote>
|
|
|
|
<para>The first rule allows a transparent WWW proxy (Squid) to run on
|
|
|
|
my bridge/firewall. Squid listens on port 3128.</para>
|
|
|
|
|
|
|
|
<para>The remaining rules protect the local systems and bridge from
|
|
|
|
the WiFi network. Note that we don't restrict WiFi→net traffic
|
|
|
|
since the only directly-accessible system in the net zone is the
|
|
|
|
firewall (Wookie and the Firewall are connected by a cross-over
|
|
|
|
cable).</para>
|
|
|
|
|
|
|
|
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
|
|
|
|
# PORT PORT(S) DEST
|
|
|
|
REDIRECT loc 3128 tcp www - !192.168.1.0/24
|
|
|
|
|
|
|
|
ACCEPT WiFi loc udp 137:139
|
|
|
|
ACCEPT WiFi loc tcp 22,80,137,139,445,901,3389
|
|
|
|
ACCEPT WiFi loc udp 1024: 137
|
|
|
|
ACCEPT WiFi loc udp 177
|
|
|
|
|
|
|
|
ACCEPT loc WiFi udp 137:139
|
|
|
|
ACCEPT loc WiFi tcp 137,139,445
|
|
|
|
ACCEPT loc WiFi udp 1024: 137
|
|
|
|
ACCEPT loc WiFi tcp 6000:6010
|
|
|
|
|
|
|
|
ACCEPT WiFi fw tcp ssh,137,139,445
|
|
|
|
ACCEPT WiFi fw udp 137:139,445
|
|
|
|
ACCEPT WiFi fw udp 1024: 137
|
|
|
|
ACCEPT WiFi fw udp ntp
|
|
|
|
|
|
|
|
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
|
|
|
</blockquote>
|
|
|
|
</section>
|
|
|
|
|
|
|
|
<section>
|
|
|
|
<title>routestopped</title>
|
|
|
|
|
|
|
|
<blockquote>
|
|
|
|
<programlisting>#INTERFACE HOST(S) OPTIONS
|
|
|
|
br0 0.0.0.0/0 routeback
|
|
|
|
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
|
|
|
</blockquote>
|
|
|
|
</section>
|
|
|
|
|
|
|
|
<section>
|
|
|
|
<title>maclist</title>
|
|
|
|
|
|
|
|
<blockquote>
|
|
|
|
<programlisting>#INTERFACE MAC IP ADDRESSES (Optional)
|
|
|
|
br0:eth2 00:A0:1C:DB:0C:A0 192.168.1.7 #Work Laptop
|
|
|
|
br0:eth2 00:04:59:0e:85:b9 #WAP11
|
|
|
|
br0:eth2 00:06:D5:45:33:3c #WET11
|
|
|
|
br0:eth2 00:0b:c1:53:cc:97 192.168.1.8 #TIPPER
|
|
|
|
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
|
|
|
|
</blockquote>
|
|
|
|
</section>
|
|
|
|
|
|
|
|
<section>
|
|
|
|
<title>/etc/init.d/bridge</title>
|
|
|
|
|
|
|
|
<blockquote>
|
|
|
|
<para>This file is SuSE-specific and creates the bridge device
|
|
|
|
<filename class="devicefile">br0</filename>. A script for other
|
|
|
|
disbributions would be similar.</para>
|
|
|
|
|
|
|
|
<programlisting>#!/bin/sh
|
|
|
|
################################################################################
|
|
|
|
# Script to create a bridge between eth0, eth1 and eth2
|
|
|
|
#
|
|
|
|
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
|
|
|
|
#
|
|
|
|
# (c) 2004 - Tom Eastep (teastep@shorewall.net)
|
|
|
|
#
|
|
|
|
# Modify the following variables to match your configuration
|
|
|
|
#
|
|
|
|
# chkconfig: 2345 05 89
|
|
|
|
# description: Layer 2 Bridge
|
|
|
|
#
|
|
|
|
################################################################################
|
|
|
|
|
|
|
|
PATH=$PATH:/sbin:/usr/sbin:/usr/local/sbin
|
|
|
|
|
|
|
|
do_stop() {
|
|
|
|
echo "Stopping Bridge"
|
|
|
|
brctl delbr br0
|
|
|
|
ip link set eth0 down
|
|
|
|
ip link set eth1 down
|
|
|
|
ip link set eth2 down
|
|
|
|
}
|
|
|
|
|
|
|
|
do_start() {
|
|
|
|
|
|
|
|
echo "Starting Bridge"
|
|
|
|
ip link set eth0 up
|
|
|
|
ip link set eth1 up
|
|
|
|
ip link set eth2 up
|
|
|
|
brctl addbr br0
|
|
|
|
brctl addif br0 eth0
|
|
|
|
brctl addif br0 eth1
|
|
|
|
brctl addif br0 eth2
|
|
|
|
}
|
|
|
|
|
|
|
|
case "$1" in
|
|
|
|
start)
|
|
|
|
do_start
|
|
|
|
;;
|
|
|
|
stop)
|
|
|
|
do_stop
|
|
|
|
;;
|
|
|
|
restart)
|
|
|
|
do_stop
|
|
|
|
sleep 1
|
|
|
|
do_start
|
|
|
|
;;
|
|
|
|
*)
|
|
|
|
echo "Usage: $0 {start|stop|restart}"
|
|
|
|
exit 1
|
|
|
|
esac
|
|
|
|
exit 0</programlisting>
|
|
|
|
</blockquote>
|
|
|
|
</section>
|
|
|
|
|
|
|
|
<section>
|
|
|
|
<title>/etc/sysconfig/network/ifcfg-br0</title>
|
|
|
|
|
|
|
|
<blockquote>
|
|
|
|
<para>This file is SuSE-specific</para>
|
|
|
|
|
|
|
|
<programlisting>BOOTPROTO='static'
|
|
|
|
BROADCAST='192.168.1.255'
|
|
|
|
IPADDR='192.168.1.3'
|
|
|
|
NETWORK='192.168.1.0'
|
|
|
|
NETMASK='255.255.255.0'
|
|
|
|
REMOTE_IPADDR=''
|
|
|
|
STARTMODE='onboot'
|
|
|
|
UNIQUE='3hqH.MjuOqWfSZ+C'
|
|
|
|
WIRELESS='no'
|
|
|
|
MTU=''</programlisting>
|
|
|
|
</blockquote>
|
|
|
|
</section>
|
|
|
|
|
|
|
|
<section>
|
|
|
|
<title>/etc/sysconfig/network/routes</title>
|
|
|
|
|
|
|
|
<blockquote>
|
|
|
|
<para>This file is SuSE-specific</para>
|
|
|
|
|
|
|
|
<programlisting>192.168.1.0 - 255.255.255.0 br0
|
|
|
|
default 192.168.1.254 - -</programlisting>
|
|
|
|
</blockquote>
|
|
|
|
</section>
|
|
|
|
</section>
|
2004-02-14 19:06:39 +01:00
|
|
|
</article>
|