diff --git a/Shorewall-Website/Shorewall_index_frame.htm b/Shorewall-Website/Shorewall_index_frame.htm index cda8c5640..b2d977b30 100644 --- a/Shorewall-Website/Shorewall_index_frame.htm +++ b/Shorewall-Website/Shorewall_index_frame.htm @@ -34,7 +34,9 @@ work href="http://lists.shorewall.net">
  • Mirrors
  • News Archive
  • -
  • CVS Repository
  • +
  • CVS +Repository
  • Quotes from Users
  • About the Author
  • Donations
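Review bot: the only change in this hunk is re-wrapping the "CVS Repository" anchor text across a line break (the `-`/`+` pair around "CVS Repository"); that is editor-induced whitespace noise with no rendered effect, and it makes the substantive changes in this commit harder to spot. Suggest reverting the reflow here, or committing formatting-only reflows separately from content changes.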
  • @@ -46,7 +48,14 @@ work

    Valid XHTML 1.0!

    -

    Copyright © 2001-2003 Thomas -M. Eastep.

    +

    Copyright © 2001-2004 Thomas +M. Eastep.
    +

    +
    (Protected by Shorewall)
    +


    +

    diff --git a/Shorewall-Website/Shorewall_sfindex_frame.htm b/Shorewall-Website/Shorewall_sfindex_frame.htm index 4136620b8..9acf4080e 100644 --- a/Shorewall-Website/Shorewall_sfindex_frame.htm +++ b/Shorewall-Website/Shorewall_sfindex_frame.htm @@ -48,7 +48,9 @@ work
  • News Archive
  • -
  • CVS Repository
  • +
  • CVS +Repository
  • Quotes from Users
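Review bot: same whitespace-only reflow of the "CVS Repository" anchor as in Shorewall_index_frame.htm; no rendered change, so it should be dropped from this commit or kept out of content commits.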
  • @@ -60,7 +62,7 @@ work

    Copyright © 2001-2003 Thomas M. Eastep.
    + size="2">2001-2004 Thomas M. Eastep.



    diff --git a/Shorewall-Website/mailing_list.htm b/Shorewall-Website/mailing_list.htm index 49b47e486..98f0fc52e 100755 --- a/Shorewall-Website/mailing_list.htm +++ b/Shorewall-Website/mailing_list.htm @@ -13,7 +13,7 @@

    Shorewall Mailing Lists

    Tom Eastep

    -Copyright @ 2001-2003 Thomas M. Eastep
    +Copyright © 2001-2003 Thomas M. Eastep

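Review bot: the fix replaces "Copyright @" with "Copyright ©" but leaves the range at 2001-2003, while both index frames in this same commit are bumped to 2001-2004; update this line to 2001-2004 as well so the page header and the frames agree.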
    @@ -167,8 +167,6 @@ reporting guidelines.

    To subscribe: https//lists.shorewall.net/mailman/listinfo/shorewall-users

    -

    To post to the list, post to shorewall-users@lists.shorewall.net. IMPORTANT: If you are not @@ -192,7 +190,6 @@ OR ASKING FOR HELP.

    To subscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-announce. -

    More News

    (Leaf Logo) Jacques Nilo and Eric Wolzak have a LEAF + alt="(Leaf Logo)" + style="border: 0px solid ; height: 36px; width: 49px;" + src="images/leaflogo.gif" title=""> Jacques Nilo and Eric Wolzak +have a LEAF (router/firewall/gateway on a floppy, CD or compact flash) distribution called Bering that features Shorewall-1.4.2 and Kernel-2.4.20. You can find their work at: http://leaf.sourceforge.net/devel/jnilo

    Congratulations to Jacques and Eric on the recent release of -Bering 1.2!!!
    -
    -
    -
    (Protected by Shorewall)
    - +Bering 1.2!!!
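Review bot: the reflowed LEAF image tag adds an empty title="" attribute, which has no effect and should be dropped; adding alt="(Leaf Logo)" is the right change for XHTML validity and can stay. The removal of the "(Protected by Shorewall)" image from this page pairs with its addition to Shorewall_index_frame.htm in this commit, so the commit message should state that the banner is being relocated rather than dropped. Separately, the unchanged context still advertises Bering with Shorewall-1.4.2 while the guide deleted in this same commit already refers to Shorewall 1.4.7 features, so this news item is stale and worth refreshing while the page is being edited.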
    diff --git a/Shorewall-Website/three-interface.htm b/Shorewall-Website/three-interface.htm deleted file mode 100644 index 50b01becf..000000000 --- a/Shorewall-Website/three-interface.htm +++ /dev/null @@ -1,1080 +0,0 @@ - - - - - - - - Three-Interface Firewall - - -

    Three-Interface Firewall
    -

    -

    Setting up a Linux system as a firewall for a small -network with DMZ is a fairly straight-forward task if you understand -the basics and follow the documentation.

    -

    This guide doesn't attempt to acquaint you with all of the features -of Shorewall. It rather focuses on what is required to configure -Shorewall in one of its more popular configurations:

    - -

    Here is a schematic of a typical installation.

    -

    -

    Shorewall requires that you have the iproute/iproute2 package -installed (on RedHat, the package is called iproute). You -can tell if this package is installed by the presence of an ip -program on your firewall system. As root, you can use the 'which' -command to check for this program:

    -
         [root@gateway root]# which ip
    /sbin/ip
    [root@gateway root]#
    -

    I recommend that you first read through the guide to familiarize -yourself with what's involved then go back through it again making your -configuration changes. Points at which configuration changes are -recommended are flagged with . Configuration notes that are unique to -LEAF/Bering are marked with (LEAF Logo)

    -

    -    If you edit your configuration files on a Windows -system, you must save them as Unix files if your editor supports that -option or you must run them through dos2unix before trying -to use them. Similarly, if you copy a configuration file from your -Windows hard drive to a floppy disk, you must run dos2unix against the -copy before using it with Shorewall.

    - -

    PPTP/ADSL

    -    If you -have an ADSL Modem and you use PPTP to communicate with a server in -that modem, you must make the changes -recommended here in addition to those detailed below.  ADSL -with PPTP is most commonly found in Europe, notably in Austria.
    -

    Shorewall Concepts

    -

        The configuration files for Shorewall are -contained in the directory /etc/shorewall -- for simple setups, you -will only need -to deal with a few of these as described in this guide. After you have -installed Shorewall, download the three-interface -sample, un-tar it (tar -zxvf three-interfaces.tgz) and and copy the -files to /etc/shorewall (the files will replace files with the same -names that were placed in /etc/shorewall when Shorewall was -installed).

    -

    As each file is introduced, I suggest that you look through the -actual file on your system -- each file contains detailed configuration -instructions and default entries.

    -

    Shorewall views the network where it is running as being composed of -a set of zones. In the three-interface sample configuration, -the following zone names are used:

    - - - - - - - - - - - - - - - - - - - -
    NameDescription
    netThe Internet
    locYour Local Network
    dmzDemilitarized Zone
    -

    Zone names are defined in -/etc/shorewall/zones.

    -

    Shorewall also recognizes the firewall system as its own zone - by -default, the firewall itself is known as fw.

    -

    Rules about what traffic to allow and what traffic to deny are -expressed in terms of zones.

    - -

    For each connection request entering the firewall, the request is -first checked against the /etc/shorewall/rules file. If no rule in that -file matches the connection request then the first policy in -/etc/shorewall/policy that matches the request is applied. If that -policy is REJECT -or DROP  the request is first checked against the rules in -/etc/shorewall/common if that file exists; otherwise the file -/etc/shorewall/common.def is checked
    -

    -

    The /etc/shorewall/policy file included with the three-interface -sample has the following policies:

    -
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Source ZoneDestination ZonePolicyLog LevelLimit:Burst
    locnetACCEPT  
    netallDROPinfo 
    allallREJECTinfo 
    -
    -
    -

    In the three-interface sample, the line below is included but -commented out. If you want your firewall system to have full access to -servers on the internet, uncomment that line.

    - - - - - - - - - - - - - - - - - -
    Source ZoneDestination ZonePolicyLog LevelLimit:Burst
    fwnetACCEPT  
    -
    -

    The above policy will:

    -
      -
    1. allow all connection requests from your local -network to the internet
    2. -
    3. drop (ignore) all connection requests from the internet to your -firewall or local network
    4. -
    5. optionally accept all connection requests from the firewall to -the internet (if you uncomment the additional policy)
    6. -
    7. reject all other connection requests.
    8. -
    -

    -    At this point, edit your /etc/shorewall/policy file -and make any changes that you wish.

    -

    Network Interfaces

    -

    -

    The firewall has three network interfaces. Where -Internet connectivity is through a cable or DSL "Modem", the External -Interface will be the ethernet adapter that is connected to -that "Modem" (e.g., eth0unless you connect via Point-to-Point -Protocol over Ethernet (PPPoE) or Point-to-Point -Tunneling Protocol (PPTP) in which case the -External Interface will be a ppp interface (e.g., ppp0). If you -connect via a regular modem, your External Interface will also be ppp0. -If you connect using ISDN, you external interface will be ippp0.

    -

        If your external interface is ppp0 -or ippp0 then you will want to set CLAMPMSS=yes in /etc/shorewall/shorewall.conf.

    -

    Your Local Interface will be an ethernet -adapter (eth0, eth1 or eth2) and will be connected to a hub or switch. -Your local computers will be connected to the same switch (note: If you -have only a single local system, you can connect the firewall directly -to the computer using a cross-over cable).

    -

    Your DMZ Interface will also be an ethernet -adapter (eth0, eth1 or eth2) and will be connected to a hub or switch. -Your DMZ computers will be connected to the same switch (note: If -you have only a single DMZ system, you can connect the firewall -directly to the computer using a cross-over cable).

    -

    Do not connect the internal and -external interface to the same hub or switch except for testing AND you -are running Shorewall version 1.4.7 or later.  When using these -recent -versions, you can test using this kind of configuration if you specify -the arp_filter -option in /etc/shorewall/interfaces for all interfaces connected to the -common hub/switch. Using such a setup with a production firewall is -strongly recommended against.

    -

        The Shorewall three-interface sample -configuration assumes that the external interface is eth0, the -local interface is eth1 and the DMZ interface is eth2. -If your configuration is different, you will have to modify the sample -/etc/shorewall/interfaces file accordingly. While you are there, you -may wish to review the list of options that are specified for the -interfaces. Some hints:

    - -

    IP Addresses

    -

    Before going further, we should say a few words about -Internet Protocol (IP) addresses. Normally, your ISP will -assign -you a single Public IP address. This address may be assigned -via the Dynamic Host Configuration Protocol (DHCP) or as part -of establishing your connection when you dial in (standard modem) or -establish your PPP connection. In rare cases, your ISP may assign you -a static IP address; that means that you configure your -firewall's -external interface to use that address permanently. Regardless -of how the address is assigned, it will be shared by all of your -systems -when you access the Internet. You will have to assign your own -addresses for your internal network (the local and DMZ Interfaces on -your firewall -plus your other computers). RFC 1918 reserves several Private IP -address ranges for this purpose:

    -
    -
         10.0.0.0    - 10.255.255.255
    172.16.0.0 - 172.31.255.255
    192.168.0.0 - 192.168.255.255
    -
    -
    -

        Before starting Shorewall, you should -look at -the IP address of your external interface and if it is one of -the above ranges, you should remove the 'norfc1918' option from -the external interface's entry in /etc/shorewall/interfaces.

    -
    -
    -

    You will want to assign your local addresses from one -sub-network or subnet and your DMZ addresses from -another subnet. For our purposes, we can consider a subnet to -consists of a range of addresses x.y.z.0 - x.y.z.255. Such a subnet -will have a Subnet Mask of 255.255.255.0. The address x.y.z.0 -is reserved as the Subnet Address and x.y.z.255 is reserved -as the Subnet Broadcast Address. In Shorewall, a subnet -is described using Classless -InterDomain Routing (CIDR) notation with consists of the -subnet address followed by "/24". The "24" refers to the number of -consecutive "1" bits from the left of the subnet mask.

    -
    -
    -

    Example sub-network:

    -
    -
    -
    - - - - - - - - - - - - - - - - - - - -
    Range:10.10.10.0 - 10.10.10.255
    Subnet Address:10.10.10.0
    Broadcast Address:10.10.10.255
    CIDR Notation:10.10.10.0/24
    -
    -
    -
    -

    It is conventional to assign the internal interface -either the first usable address in the subnet (10.10.10.1 in the above -example) or the last usable address (10.10.10.254).

    -
    -
    -

    One of the purposes of subnetting is to allow all -computers in the subnet to understand which other computers can be -communicated with directly. To communicate with systems outside of the -subnetwork, systems send packets through a  gateway  -(router).

    -
    -
    -

        Your local computers (Local Computers -1 & 2) should be configured with their default gateway set -to -the IP address of the firewall's internal interface and your DMZ -computers ( DMZ Computers 1 & 2) should be configured with their -default gateway set to the IP address of the firewall's DMZ -interface.   -

    -
    -

    The foregoing short discussion barely scratches the -surface regarding subnetting and routing. If you are interested in -learning more about IP addressing and routing, I highly recommend "IP -Fundamentals: What Everyone Needs to Know about Addressing & -Routing", Thomas A. Maufer, Prentice-Hall, 1999, ISBN 0-13-975483-0.

    -

    The remainder of this quide will assume that you have -configured your network as shown here:

    -

    -

    The default gateway for the DMZ computers would be -10.10.11.254 and the default gateway for the Local computers would be -10.10.10.254.
    -

    -

        WARNING: -Your ISP  might assign your external interface an -RFC 1918 address. If that address is in the 10.10.10.0/24 subnet then -you will need to select a DIFFERENT RFC 1918 subnet for your local -network and if it is in the 10.10.11.0/24 subnet then you will need to -select a different RFC 1918 subnet for your DMZ.
    -

    -

    IP Masquerading (SNAT)

    -

    The addresses reserved by RFC 1918 are sometimes -referred to as non-routable because the Internet backbone -routers -don't forward packets which have an RFC-1918 destination address. -When one of your local systems (let's assume local computer 1) sends -a connection request to an internet host, the firewall must perform -Network Address Translation (NAT). The firewall rewrites the -source address in the packet to be the address of the firewall's -external -interface; in other words, the firewall makes it look as if the -firewall itself is initiating the connection.  This is necessary -so that the destination host will be able to route return packets back -to the firewall (remember that packets whose destination address is -reserved by RFC -1918 can't be routed accross the internet). When the firewall receives -a return packet, it rewrites the destination address back to 10.10.10.1 -and forwards the packet on to local computer 1.

    -

    On Linux systems, the above process is often referred -to -as IP Masquerading and you will also see the term Source -Network -Address Translation (SNAT) used. Shorewall follows the convention -used -with Netfilter:

    - -

    In Shorewall, both Masquerading and SNAT are configured -with entries in the /etc/shorewall/masq file.

    -

        If your external firewall interface is -eth0, your local interface eth1 and your DMZ interface -is eth2 then you do not need to modify the file provided with -the sample. -Otherwise, edit /etc/shorewall/masq and change it to match your -configuration.

    -

        If your external IP is static, you can -enter it -in the third column in the /etc/shorewall/masq entry if you like -although your firewall will work fine if you leave that column empty. -Entering your static IP in column 3 makes
    -processing outgoing packets a little more efficient.
    -

    -

        If you are using the Debian -package, please check your shorewall.conf file to ensure that the -following are set correctly; if they are not, change them appropriately:
    -

    - -

    Port Forwarding (DNAT)

    -

    One of your goals will be to run one or more servers on -your DMZ computers. Because these computers have RFC-1918 addresses, -it is not possible for clients on the internet to connect directly -to them. It is rather necessary for those clients to address their -connection requests to your firewall who rewrites the destination -address to the address of your server and forwards the packet to that -server. When your server responds, the firewall automatically performs -SNAT to rewrite the source address in the response.

    -

    The above process is called Port Forwarding or -Destination Network Address Translation (DNAT). You configure port -forwarding using DNAT rules in the /etc/shorewall/rules file.

    -

    The general form of a simple port forwarding rule in -/etc/shorewall/rules is:

    -
    - - - - - - - - - - - - - - - - - - - - - -
    ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESS
    DNATnetdmz:<server local ip address> [:<server -port>]<protocol><port>  
    -
    -

    If you don't specify the <server port>, it is assumed -to -be the same as <port>.

    -

    Example - you run a Web Server on DMZ 2 and you want to forward -incoming TCP port 80 to that system:

    -
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESS
    DNATnetdmz:10.10.11.2tcp80# Forward port 80from the internet
    ACCEPTlocdmz:10.10.11.2tcp80#Allow connections from the local network
    -
    -

    A couple of important points to keep in mind:

    - -
    - - - - - - - - - - - - - - - - - - - - - -
    ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESS
    DNATnetdmz:10.10.11.2:80tcp5000  
    -
    -

    If you want to be able to access your server from the local network -using your external address, then if you have a static external IP you -can replace the loc->dmz rule above with:

    -
    - - - - - - - - - - - - - - - - - - - - - -
    ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESS
    DNATnetdmz:10.10.11.2:80tcp80-<external IP>
    -
    -

    If you have a dynamic ip then you must ensure that your external -interface is up before starting Shorewall and you must take steps as -follows (assume that your external interface is eth0):

    -
      -
    1. Include the following in /etc/shorewall/params:
      -
      -ETH0_IP=`find_interface_address eth0`
    2. -
    3. Make your loc->dmz rule:
    4. -
    -
    - - - - - - - - - - - - - - - - - - - - - -
    ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESS
    DNATloc
    -
    dmz:10.10.11.2:80tcp80-$ETH0_IP
    -
    -

    If you want to access your server from the DMZ using your external -IP address, see FAQ 2a.

    -

    -    At this point, add the DNAT and ACCEPT rules for -your servers.

    -

    Domain Name Server (DNS)

    -

    Normally, when you connect to your ISP, as part of -getting an IP address your firewall's Domain Name Service (DNS) -resolver will be automatically configured (e.g., the /etc/resolv.conf -file will be written). Alternatively, your ISP may have given you -the IP address of a pair of DNS name servers for you to -manually -configure as your primary and secondary name servers. It is your -responsibility to configure the resolver in your internal systems. -You can take one of two approaches:

    - -
    -

    If you run the name server on the firewall: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESS
    ACCEPTlocfwtcp53  
    ACCEPTlocfwudp53  
    ACCEPTdmzfwtcp53  
    ACCEPTdmzfwudp53  
    -

    -
    -
    -
    -

    Run name server on DMZ computer 1

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESS
    ACCEPTlocdmz:10.10.11.1tcp53  
    ACCEPTlocdmz:10.10.11.1udp53  
    ACCEPTfwdmz:10.10.10.1tcp53  
    ACCEPTfwdmz:10.10.10.1udp53  
    -
    -
    -
    -

    Other Connections

    -
    -
    -

    The three-interface sample includes the following rules:

    -
    -
    -
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESS
    ACCEPTfwnetudp53  
    ACCEPTfwnettcp53  
    -
    -
    -
    -

    Those rules allow DNS access from your firewall and may -be removed if you commented out the line in /etc/shorewall/policy -allowing all connections from the firewall to the internet.

    -
    -
    -

    The sample also includes:

    -
    -
    -
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESS
    ACCEPTlocfwtcp22  
    ACCEPTlocdmztcp22  
    -
    -
    -
    -

    That rule allows you to run an SSH server on your -firewall and in each of your DMZ systems and to connect to those -servers from your local systems.

    -
    -
    -

    If you wish to enable other connections between your -systems, the general format is:

    -
    -
    -
    - - - - - - - - - - - - - - - - - - - - - -
    ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESS
    ACCEPT<source zone><destination zone><protocol><port>  
    -
    -
    -
    -

    Example - You want to run a publicly-available DNS -server on your firewall system:

    -
    -
    -
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESS
    ACCEPTnetfwtcp53#Allow DNS accessfrom the internet
    ACCEPTnetfwudp
    -
    53#Allow DNS accessfrom the internet
    -
    -
    -
    -

    Those two rules would of course be in addition to the -rules listed above under "If you run the name server on your firewall".

    -
    -
    -

    If you don't know what port and protocol a particular -application uses, look here.

    -
    -
    -

    Important: I don't recommend enabling telnet -to/from the internet because it uses clear text (even for login!). If -you want shell access to your firewall from the internet, use -SSH:

    -
    -
    -
    - - - - - - - - - - - - - - - - - - - - - -
    ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESS
    ACCEPTnetfwtcp22  
    -
    -
    -
    -

    -

    (LEAF Logo)     Bering users will want to -add the following two rules to be compatible with Jacques's Shorewall -configuration.
    -

    -
    -
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESS
    ACCEPTloc
    -
    fwudp
    -
    53
    -
    #Allow DNS Cache towork
    -
    ACCEPTlocfwtcp80#Allow weblet to work
    -
    -
    -
    -

        Now modify /etc/shorewall/rules to add -or remove other connections as required.

    -
    -
    -

    Starting and Stopping Your Firewall

    -
    -
    -

    Arrow     The installation -procedure configures your system to start Shorewall at system -boot  but beginning with Shorewall version 1.3.9 startup is -disabled so that your system won't try to start Shorewall before -configuration is complete. Once you have completed configuration of -your firewall, you can enable Shorewall startup by removing the file -/etc/shorewall/startup_disabled.
    -

    -

    IMPORTANT: Users of the .deb package must edit -/etc/default/shorewall and set 'startup=1'.
    -

    -
    -
    -

    The firewall is started using the "shorewall start" -command and stopped using "shorewall stop". When the firewall is -stopped, routing is enabled on those hosts that have an entry in /etc/shorewall/routestopped. -A running firewall may be restarted using the "shorewall restart" -command. If you want to totally remove any trace of Shorewall -from your Netfilter configuration, use "shorewall clear".

    -
    -
    -

        The three-interface sample assumes -that you want -to enable routing to/from eth1 (your local network) and eth2 -(DMZ) when Shorewall is stopped. If these two interfaces don't -connect to your local network and DMZ or if you want to enable a -different set of hosts, modify /etc/shorewall/routestopped accordingly.

    -
    -
    -

    WARNING: If you are connected to your firewall -from the internet, do not issue a "shorewall stop" command unless -you have added an entry for the IP address that you are connected -from to /etc/shorewall/routestopped. -Also, I don't recommend using "shorewall restart"; it is better to -create an alternate -configuration and test it using the "shorewall try" command.
    -

    -

    Additional Recommended Reading

    -I highly recommend that you review the Common Configuration File -Features page -- it contains helpful tips about Shorewall features -than make administering your firewall easier. -
    -

    Last updated 11/15/2003 - Tom Eastep

    -

    Copyright 2002, -2003 Thomas M. Eastep
    -

    -
    -
    - -
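Review bot: this hunk deletes the entire three-interface.htm guide (1080 lines) and nothing else in the commit adds a replacement or a redirect, so inbound links to three-interface.htm, and the guide's own cross-references to "FAQ 2a", the "Common Configuration File Features" page and the three-interfaces.tgz sample, will break; either leave a stub that points at the new location or state in the commit message where the content moved. If the text is being migrated, two things in the deleted copy should not be carried over verbatim: under "Run name server on DMZ computer 1" the fw rows use dmz:10.10.10.1 while the loc rows use dmz:10.10.11.1, and the IP addressing section places DMZ computer 1 on 10.10.11.0/24, so the fw rows look like a typo; and the operational warning that "shorewall stop" must not be issued from a remote session unless the connecting address is listed in /etc/shorewall/routestopped is a safety note any replacement guide must keep. Minor spelling in the deleted text ("accross", "quide", "consists of" for "consist of") can be cleaned up in the same migration.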