From 52d567afa2a4654f852a396ba78fc27e0fd2da0b Mon Sep 17 00:00:00 2001 From: mhnoyes Date: Wed, 10 Dec 2003 19:40:40 +0000 Subject: [PATCH] Content moved to CorpNetwork.xml git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@827 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall-docs/CorpNetwork.htm | 229 --------------------------------- 1 file changed, 229 deletions(-) delete mode 100644 Shorewall-docs/CorpNetwork.htm diff --git a/Shorewall-docs/CorpNetwork.htm b/Shorewall-docs/CorpNetwork.htm deleted file mode 100644 index d6e05e68b..000000000 --- a/Shorewall-docs/CorpNetwork.htm +++ /dev/null @@ -1,229 +0,0 @@ - - - - - Corporate Shorewall Configuration - - - - - - - - -
-

Corporate Network

-

Notes:

-
- -

Warning: This -configuration -uses a combination of One-to-one NAT and Proxy ARP. This is generally -not -relevant to a simple configuration with a single public IP address. -If you have just a single public IP address, most of what you see here -won't apply to your setup so beware of copying parts of this -configuration -and expecting them to work for you. What you copy may or may not work -in your configuration.
-

-

-

I have a T1 with 64 static IP addresses (192.0.18.65-127/26). The -internet is connected to eth0. The local network is connected via eth1 -(10.10.0.0/22) and the DMZ is connected to eth2 (192.168.21.0/24). I -have an IPSec tunnel connecting our offices in Germany to our offices -in the US. I host two Microsoft Exchange servers for two different -companies behind -the firewall hence, the two Exchange servers in the diagram below.

-

Summary:
-

- -

The firewall runs on a 2Gb, Dual PIV/2.8GHz, Intel motherboard -with RH8.0.

-

The Firewall is also a proxy server running Privoxy 3.0.

-

The single system in the DMZ (address 192.0.18.80) runs sendmail, -imap, pop3, DNS, a Web server (Apache) and an FTP server (vsFTPd -1.1.0). That server is managed through Proxy ARP.

-

All administration and publishing is done using ssh/scp. I have X -installed on the firewall and the system in the DMZ. X applications -tunnel through SSH to Hummingbird Exceed running on a PC located in the -LAN. Access to the firewall using SSH is restricted to systems in the -LAN, DMZ or the system Kaos which is on the Internet and managed by me.

-

(Corporate Network Diagram)

-

-

The Ethernet 0 interface in the Server is configured with IP -address 192.0.18.68, netmask 255.255.255.192. The server's default -gateway is 192.0.18.65, the Router connected to my network and the ISP. -This is the same default gateway used by the firewall itself. On the -firewall, Shorewall automatically adds a host route to 192.0.18.80 -through Ethernet 2 (192.168.21.1) because of the entry in -/etc/shorewall/proxyarp (see below). I modified the start, stop and -init scripts to include the fixes suggested when having an IPSec tunnel.

-

Some Mistakes I Made:

-

Yes, believe it or not, I made some really basic mistakes when -building this firewall. Firstly, I had the new firewall setup in -parallel with the -old firewall so that there was no interruption of service to my users. -During my out-bound testing, I set up systems on the LAN to utilize the -firewall which worked fine. When testing my NAT connections, from the -outside, -these would fail and I could not understand why. Eventually, I changed -the default route on the internal system I was trying to access, to -point -to the new firewall and "bingo", everything worked as expected. This -oversight -delayed my deployment by a couple of days not to mention level of -frustration -it produced.

-

Another problem that I encountered was in setting up the Proxyarp -system in the DMZ. Initially I forgot to remove the entry for the eth2 -from the /etc/shorewall/masq file. Once my file settings were correct, -I started verifying that the ARP caches on the firewall, as well as the -outside system "kaos", were showing the correct Ethernet MAC address. -However, in testing remote access, I could access the system in the DMZ -only from the firewall -and LAN but not from the Internet. The message I received was -"connection -denied" on all protocols. What I did not realize was that a "helpful" -administrator that had turned on an old system and assigned the same -address -as the one I was using for Proxyarp without notifying me. How did I -work -this out. I shutdown the system in the DMZ, rebooted the router and -flushed -the ARP cache on the firewall and kaos. Then, from kaos, I started -pinging -that IP address and checked the updated ARP cache and lo-and-behold a -different MAC address showed up. High levels of frustration etc., etc. -The administrator will not be doing that again! :-)

-

Lessons Learned:

- -

Futures:

-

This is by no means the final configuration. In the near future, I -will be moving more systems from the LAN to the DMZ. I will also be -watching the logs for port scan programs etc. but, this should be -standard security maintenance.

-

Here are copies of my files. I have removed most of the internal -documentation -for the purpose of this space however, my system still has the original -files with all the comments and I highly recommend you do the same.

-
-

Shorewall.conf

-
-
##############################################################################
# /etc/shorewall/shorewall.conf V1.4 - Change the following variables to
# match your setup
#
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
#
# This file should be placed in /etc/shorewall
#
# (c) 1999,2000,2001,2002,2003 - Tom Eastep (teastep@shorewall.net)
##############################################################################
# L O G G I N G
##############################################################################
LOGFILE=/var/log/messages
LOGFORMAT="Shorewall:%s:%s:"
LOGRATE=
LOGBURST=
LOGUNCLEAN=info
BLACKLIST_LOGLEVEL=
LOGNEWNOTSYN=
MACLIST_LOG_LEVEL=info
TCP_FLAGS_LOG_LEVEL=debug
RFC1918_LOG_LEVEL=debug
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
SUBSYSLOCK=/var/lock/subsys/shorewall
STATEDIR=/var/lib/shorewall
MODULESDIR=
FW=fw
NAT_ENABLED=Yes
MANGLE_ENABLED=Yes
IP_FORWARDING=On
ADD_IP_ALIASES=Yes
ADD_SNAT_ALIASES=Yes
TC_ENABLED=Yes
CLEAR_TC=No
MARK_IN_FORWARD_CHAIN=No
CLAMPMSS=No
ROUTE_FILTER=Yes
NAT_BEFORE_RULES=No
MULTIPORT=Yes
DETECT_DNAT_IPADDRS=Yes
MUTEX_TIMEOUT=60
NEWNOTSYN=Yes
BLACKLIST_DISPOSITION=DROP
MACLIST_DISPOSITION=REJECT
TCP_FLAGS_DISPOSITION=DROP
#LAST LINE -- DO NOT REMOVE

-
-

Zones File

-
-
#
# Shorewall 1.4 -- Sample Zone File For Two Interfaces
# /etc/shorewall/zones
#
# This file determines your network zones. Columns are:
#
# ZONE Short name of the zone
# DISPLAY Display name of the zone
# COMMENTS Comments about the zone
#
#ZONE DISPLAY COMMENTS
net Net Internet
loc Local Local Networks
dmz DMZ Demilitarized Zone
vpn1 VPN1 VPN to Germany
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

-
-

Interfaces File:

-
-

##############################################################################
-#ZONE INTERFACE BROADCAST OPTIONS
-net eth0 62.123.106.127 routefilter,norfc1918,blacklist,tcpflags
-loc eth1 detect dhcp,routefilter
-dmz eth2 detect
-vpn1 ipsec0
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

-
-

Routestopped File:

-
-
#INTERFACE HOST(S)
eth1 -
eth2 -
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
-
-

Policy File:

-
-
###############################################################################
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
loc net ACCEPT
loc fw ACCEPT
loc dmz ACCEPT
# If you want open access to the Internet from your Firewall
# remove the comment from the following line.
fw net ACCEPT
fw loc ACCEPT
fw dmz ACCEPT
dmz fw ACCEPT
dmz loc ACCEPT
dmz net ACCEPT
#
# Adding VPN Access
loc vpn1 ACCEPT
dmz vpn1 ACCEPT
fw vpn1 ACCEPT
vpn1 loc ACCEPT
vpn1 dmz ACCEPT
vpn1 fw ACCEPT
#
net all DROP info
all all REJECT info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
-
-

Masq File:

-
-
#INTERFACE SUBNET ADDRESS
eth0 eth1 1192.0.18.126
#
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
-
-

NAT File:

-
-
#EXTERNAL INTERFACE INTERNAL ALL INTERFACES LOCAL
#
# Intranet Web Server
192.0.18.115 eth0:0 10.10.1.60 No No
#
# Project Web Server
192.0.18.84 eth0:1 10.10.1.55 No No
#
# Blackberry Server
192.0.18.97 eth0:2 10.10.1.55 No No
#
# Corporate Mail Server
192.0.18.93 eth0:3 10.10.1.252 No No
#
# Second Corp Mail Server
192.0.18.70 eth0:4 10.10.1.8 No No
#
# Sims Server
192.0.18.75 eth0:5 10.10.1.56 No No
#
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
-
-

Proxy ARP File:

-
-
#ADDRESS INTERFACE EXTERNAL HAVEROUTE
#
# The Corporate email server in the DMZ
192.0.18.80 eth2 eth0 No
#
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
-
-

Tunnels File:

-
-
# TYPE ZONE GATEWAY GATEWAY ZONE PORT
ipsec net 134.147.129.82
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
-
-

Rules File (The shell variables are set in /etc/shorewall/params):

-
-
##############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# PORT PORT(S) DEST
#
# Accept DNS connections from the firewall to the network
#
ACCEPT fw net tcp 53
ACCEPT fw net udp 53
#
# Accept SSH from internet interface from kaos only
#
ACCEPT net:192.0.18.98 fw tcp 22
#
# Accept connections from the local network for administration
#
ACCEPT loc fw tcp 20:22
ACCEPT loc net tcp 22
ACCEPT loc fw tcp 53
ACCEPT loc fw udp 53
ACCEPT loc net tcp 53
ACCEPT loc net udp 53
#
# Allow Ping To And From Firewall
#
ACCEPT loc fw icmp 8
ACCEPT loc dmz icmp 8
ACCEPT loc net icmp 8
ACCEPT dmz fw icmp 8
ACCEPT dmz loc icmp 8
ACCEPT dmz net icmp 8
DROP net fw icmp 8
DROP net loc icmp 8
DROP net dmz icmp 8
ACCEPT fw loc icmp 8
ACCEPT fw dmz icmp 8
DROP fw net icmp 8
#
# Accept proxy web connections from the inside
#
ACCEPT loc fw tcp 8118
#
# Forward PcAnywhere, Oracle and Web traffic from outside to the Demo systems
# From a specific IP Address on the Internet.
#
# ACCEPT net:207.65.110.10 loc:10.10.3.151 tcp 1521,http
# ACCEPT net:207.65.110.10 loc:10.10.2.32 tcp 5631:5632
#
# Intranet web server
ACCEPT net loc:10.10.1.60 tcp 443
ACCEPT dmz loc:10.10.1.60 tcp 443
#
# Projects web server
ACCEPT net loc:10.10.1.55 tcp 80
ACCEPT dmz loc:10.10.1.55 tcp 80
#
# Blackberry Server
ACCEPT net loc:10.10.1.230 tcp 3101
#
# Corporate Email Server
ACCEPT net loc:10.10.1.252 tcp 25,53,110,143,443
#
# Corporate #2 Email Server
ACCEPT net loc:10.10.1.8 tcp 25,80,110,443
#
# Sims Server
ACCEPT net loc:10.10.1.56 tcp 80,443
ACCEPT net loc:10.10.1.56 tcp 7001:7002
ACCEPT net:63.83.198.0/24 loc:10.10.1.56 tcp 5631:5632
#
# Access to DMZ
ACCEPT loc dmz udp 53,177
ACCEPT loc dmz tcp 80,25,53,22,143,443,993,20,110 -
ACCEPT net dmz udp 53
ACCEPT net dmz tcp 25,53,22,21,123
ACCEPT dmz net tcp 25,53,80,123,443,21,22
ACCEPT dmz net udp 53
#
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
-
-

Start File:

-
-
############################################################################
# Shorewall 1.4 -- /etc/shorewall/start
#
# Add commands below that you want to be executed after shorewall has
# been started or restarted.
#
qt service ipsec start
-
-

Stop File:

-
-
############################################################################
# Shorewall 1.4 -- /etc/shorewall/stop
#
# Add commands below that you want to be executed at the beginning of a
# "shorewall stop" command.
#
qt service ipsec stop
-
-

Init File:

-
-
############################################################################
# Shorewall 1.4 -- /etc/shorewall/init
#
# Add commands below that you want to be executed at the beginning of
# a "shorewall start" or "shorewall restart" command.
#
qt service ipsec stop
-
-

Last updated 11/13/2003 -
-

-

Copyright 2003 Thomas M. Eastep -and -Graeme Boyle
-

-
-
- -
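Review bot: the commit message says the content moved to CorpNetwork.xml, but this change only deletes Shorewall-docs/CorpNetwork.htm (1 file changed, 229 deletions) and nothing in the diff adds or touches CorpNetwork.xml, so the move should be checked against the revision that introduced the XML file, and any remaining docs that still link to CorpNetwork.htm need updating or they will 404 after this lands. If the sample configuration was carried over verbatim, the XML copy should not inherit the inconsistencies visible in the removed text: the masq entry `eth0 eth1 1192.0.18.126` has a stray leading digit and is not a valid IPv4 address; the interfaces line gives eth0 a broadcast of 62.123.106.127 while the narrative and every other file use the 192.0.18.64/26 block; and the Blackberry NAT entry maps 192.0.18.97 to 10.10.1.55 (the same internal host as the Project Web Server entry just above it) while the matching rules entry accepts tcp 3101 to loc:10.10.1.230. Since the page presents these files as a working reference for a one-to-one NAT plus Proxy ARP deployment, a reader copying them would get a masq rule that does not load and a NAT mapping that does not match the rule that is supposed to admit traffic to it, so these are worth correcting wherever the content now lives.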