From 23bdfeb970c085eb76e2f11257e780eef64b2c1e Mon Sep 17 00:00:00 2001
From: teastep
Date: Sun, 6 Feb 2005 17:24:23 +0000
Subject: [PATCH] More topology updates

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1945 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
Shorewall-docs2/myfiles.xml | 108 +++++++++++++++++++++++++++++-------
1 file changed, 87 insertions(+), 21 deletions(-)

diff --git a/Shorewall-docs2/myfiles.xml b/Shorewall-docs2/myfiles.xml
index 576dbfbdc..3ea10688f 100644
--- a/Shorewall-docs2/myfiles.xml
+++ b/Shorewall-docs2/myfiles.xml
@@ -81,7 +81,8 @@ I use SNAT through 206.124.146.176 for my Wife's Windows XP system Tarry, and our  dual-booting (SuSE 9.2/Windows XP) laptop Tipper which connects through - the Wireless Access Point (wap) via a Wireless Bridge (wet). + the Wireless Access Point (wap) via a Wireless Bridge (wet), and my + work laptop when it is not docked in my office. While the distance between the WAP and where I usually use the laptop isn't very far (50 feet or so), using a WAC11 (CardBus wireless card) has proved very unsatisfactory (lots of lost
@@ -111,7 +112,8 @@ WAP11.  In additional to using the rather weak WEP 40-bit encryption (64-bit with the 24-bit preamble), I use MAC verification and Kernel 2.6 IPSEC. + url="IPSEC-2.6.html">Kernel 2.6 IPSEC or OpenVPN. The single system in the DMZ (address 206.124.146.177) runs postfix, Courier IMAP (imaps and pop3), DNS, a Web server (Apache) and an FTP
@@ -148,7 +150,8 @@ The firewall is configured with OpenVPN for VPN access from our second home in Omak, - Washington or when we are otherwise out of town. + Washington or when we are otherwise out of town. Secure remote + access via IPSEC is also available.
@@ -246,7 +249,7 @@ net $EXT_IF 206.124.146.255 dhcp,norfc1918,routefilter,logmartians,b loc $INT_IF detect dhcp dmz $DMZ_IF - - texas - - -road tun+ - +vpn tun+ - Wifi $WIFI_IF - maclist #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
@@ -269,7 +272,7 @@ sec eth0:192.168.3.0/24
#ZONE IPSEC OPTIONS IN OUT # ONLY OPTIONS OPTIONS -sec yes mode=tunnel +sec yes mode=tunnel mss=1400 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
@@ -326,17 +329,19 @@ $INT_IF - #SOURCE DESTINATION POLICY LOG LEVEL BURST:LIMIT fw fw ACCEPT loc net ACCEPT -$FW road ACCEPT -road net ACCEPT -road loc ACCEPT -sec road ACCEPT -road sec ACCEPT +$FW vpn ACCEPT +vpn net ACCEPT +vpn loc ACCEPT +sec vpn ACCEPT +vpn sec ACCEPT sec loc ACCEPT loc sec ACCEPT fw sec ACCEPT sec net ACCEPT +Wifi sec NONE +sec Wifi NONE fw Wifi ACCEPT -loc road ACCEPT +loc vpn ACCEPT $FW loc ACCEPT $FW tx ACCEPT loc tx ACCEPT @@ -509,8 +514,8 @@ DROP sec fw tcp ##### # Roadwarriors to Firewall # -ACCEPT road fw tcp ssh,time,631,8080 -ACCEPT road fw udp 161,ntp,631 +ACCEPT vpn fw tcp ssh,time,631,8080 +ACCEPT vpn fw udp 161,ntp,631 ########################################################################################################################################################################## ##### # Local Network to DMZ @@ -535,8 +540,8 @@ ACCEPT sec dmz tcp ##### # Road Warriors to DMZ # -ACCEPT road dmz udp domain -ACCEPT road dmz tcp www,smtp,smtps,domain,ssh,imap,https,imaps,cvspserver,ftp,10023,pop3 - +ACCEPT vpn dmz udp domain +ACCEPT vpn dmz tcp www,smtp,smtps,domain,ssh,imap,https,imaps,cvspserver,ftp,10023,pop3 - ########################################################################################################################################################################## ##### # Internet to ALL -- drop NewNotSyn packets @@ -652,8 +657,7 @@ REJECT fw dmz udp ########################################################################################################################################################################## ##### ACCEPT tx loc:192.168.1.5 all -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE - +#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE 
@@ -668,7 +672,9 @@ ACCEPT tx loc:192.168.1.5 all auto lo iface lo inet loopback -# DMZ interface +# DMZ interface -- After the interface is up, add a route to the server. This allows the 'Yes' setting +# in the HAVEROUTE column of /etc/shorewall/proxyarp above. + auto eth1 iface eth1 inet static address 206.124.146.176
@@ -676,7 +682,8 @@ iface eth1 inet static broadcast 0.0.0.0 up ip route add 206.124.146.177 dev eth1 -# Internet interface +# Internet interface -- After the interface is up, add a route to the Westell 2200 DSL "Modem" + auto eth2 iface eth2 inet static address 206.124.146.176
@@ -685,17 +692,18 @@ iface eth2 inet static up ip route add 192.168.1.1 dev eth2 # Wireless interface + auto eth0 iface eth0 inet static address 192.168.3.254 netmask 255.255.255.0 # LAN interface + auto eth3 iface eth3 inet static address 192.168.1.254 - netmask 255.255.255.0 - + netmask 255.255.255.0
@@ -712,6 +720,64 @@ syslogfile /var/log/ulog/syslogemu.log syslogsync 1 + +
+ /etc/racoon/racoon.conf
+
+ path certificate "/etc/certs" ;
+
+ listen
+ {
+ isakmp 206.124.146.176;
+ isakmp 192.168.3.254;
+ }
+
+ remote anonymous
+ {
+ exchange_mode main ;
+ generate_policy on ;
+ passive on ;
+ certificate_type x509 "gateway.pem" "gateway_key.pem";
+ verify_cert on;
+ my_identifier asn1dn ;
+ peers_identifier asn1dn ;
+ verify_identifier on ;
+ lifetime time 24 hour ;
+ proposal {
+ encryption_algorithm blowfish;
+ hash_algorithm sha1;
+ authentication_method rsasig ;
+ dh_group 2 ;
+ }
+ }
+
+ sainfo anonymous
+ {
+ pfs_group 2;
+ lifetime time 12 hour ;
+ encryption_algorithm blowfish, 3des;
+ authentication_algorithm hmac_sha1, hmac_md5 ;
+ compression_algorithm deflate ;
+ }
+
+
+
+
+ /etc/racoon/setkey.conf
+
+ # First of all flush the SAD and SPD databases
+
+flush;
+spdflush;
+
+# Add some SPD rules
+
+spdadd 0.0.0.0/0 192.168.3.8/32 any -P out ipsec esp/tunnel/192.168.3.254-192.168.3.8/require;
+spdadd 192.168.3.8/32 0.0.0.0/0 any -P in ipsec esp/tunnel/192.168.3.8-192.168.3.254/require;
+
+