From 9350da941ec925ff07308442393ee88f4d0669b5 Mon Sep 17 00:00:00 2001 From: teastep Date: Fri, 13 May 2005 18:27:08 +0000 Subject: [PATCH] Documentation updates git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2109 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall-docs2/Actions.xml | 10 +- Shorewall-docs2/Documentation_Index.xml | 6 +- Shorewall-docs2/FAQ.xml | 59 ++++++-- Shorewall-docs2/IPSEC-2.6.xml | 75 ++++++++-- Shorewall-docs2/Install.xml | 5 +- Shorewall-docs2/PortKnocking.xml | 129 ++++++++++++++++++ .../shorewall_extension_scripts.xml | 49 ++++++- 7 files changed, 310 insertions(+), 23 deletions(-) create mode 100644 Shorewall-docs2/PortKnocking.xml diff --git a/Shorewall-docs2/Actions.xml b/Shorewall-docs2/Actions.xml index 520ea8aa5..fe3fd3c56 100644 --- a/Shorewall-docs2/Actions.xml +++ b/Shorewall-docs2/Actions.xml @@ -15,7 +15,7 @@ - 2005-01-19 + 2005-05-13 2005 @@ -151,7 +151,7 @@ Reject:REJECT #Common Action for REJECT policy
- Defining your own Actions + Defining your own Actions To define a new action: @@ -477,6 +477,9 @@ acton:info:test fw net $TAG="test" + + For an example of how to use these variables, see this article.
@@ -499,5 +502,8 @@ acton:info:test fw net /etc/shorewall/DropBcastsrun_iptables -A DropBcasts -m pkttype --pkttype broadcast -j DROP + + For a richer example, see this + article.
\ No newline at end of file diff --git a/Shorewall-docs2/Documentation_Index.xml b/Shorewall-docs2/Documentation_Index.xml index 9b1720f5e..ed06eb47c 100644 --- a/Shorewall-docs2/Documentation_Index.xml +++ b/Shorewall-docs2/Documentation_Index.xml @@ -15,7 +15,7 @@ - 2005-05-09 + 2005-05-12 2001-2005 @@ -439,6 +439,10 @@ + + Port Knocking + + PPTP diff --git a/Shorewall-docs2/FAQ.xml b/Shorewall-docs2/FAQ.xml index b12448286..52fff6014 100644 --- a/Shorewall-docs2/FAQ.xml +++ b/Shorewall-docs2/FAQ.xml @@ -17,7 +17,7 @@ - 2005-05-09 + 2005-05-10 2001-2005 @@ -77,7 +77,7 @@ not modify those files. -
+
(FAQ 44) I can't install/upgrade the RPM — I keep getting the message "error: failed dependencies:iproute is needed..." @@ -320,6 +320,14 @@ DNAT net fw:192.168.1.1:22 tcp 4104 url="http://ian.idallen.ca/dnat.txt">Paper about DNAT and Linux.
+ +
+ (FAQ 48) How do I Set up Transparent Proxy with + Shorewall? + + Answer: See Shorewall_Squid_Usage.html. +
@@ -554,10 +562,9 @@ really dumb and does not deserve to exist at all. It was an excellent tool to debug/develop the newnat interface. - Look here - for a solution for MSN IM but be aware that there are significant - security risks involved with this solution. Also check the Netfilter - mailing list archives at Look here for a solution for MSN IM + but be aware that there are significant security risks involved with + this solution. Also check the Netfilter mailing list archives at http://www.netfilter.org.
@@ -757,6 +764,33 @@ SPT=33120 DPT=5000 LEN=22 # ZONE generic:udp:5000 net 69.145.71.133 + +
+ (FAQ 47) This Rule Doesn't Work as Documented + + I want to allow access from the local zone to the net except for + two systems (192.168.100.101 and 192.168.100.115). I use the following + rule but find that 192.168.100.115 can still access the net. Is this a + bug? + + #ACTION SOURCE DEST PROTO +ACCEPT loc:!192.168.100.101,192.168.100.115 net + + Answer: Shorewall is currently + inconsistent as to where it correctly supports the "!" before a list of + addresses. In some places, it works as you would expect and in other + cases such as this one it does not. You will need to take a different + approach to accomplish what you want. I recommend that you change your + loc->net policy to ACCEPT and then use this rule: + + #ACTION SOURCE DEST PROTO +REJECT loc:192.168.100.101,192.168.100.115 net + + Author's Note: I have looked + several times at correcting this problem but it really isn't feasible + until I muster the energy to rewrite the Shorewall rules parser. + Sorry. +
@@ -2183,9 +2217,14 @@ REJECT fw net:216.239.39.99 allGiven that (FAQ 42) How can I tell which features my kernel and iptables support? - Answer: At a root prompt, enter the command shorewall - check. There is a section near the top of the resulting output - that gives you a synopsis of your kernel/iptables capabilities. + Answer: Users running Shorewall 2.2.4 or later can simply use the + shorewall show capabilities command at a root + prompt. + + For those running older versions, at a root prompt, enter the + command shorewall check. There is a section near the + top of the resulting output that gives you a synopsis of your + kernel/iptables capabilities. gateway:/etc/shorewall # shorewall check Loading /usr/share/shorewall/functions... @@ -2210,4 +2249,4 @@ Verifying Configuration... ...
- \ No newline at end of file + diff --git a/Shorewall-docs2/IPSEC-2.6.xml b/Shorewall-docs2/IPSEC-2.6.xml index 8dcad7a6e..66799910f 100644 --- a/Shorewall-docs2/IPSEC-2.6.xml +++ b/Shorewall-docs2/IPSEC-2.6.xml @@ -15,7 +15,7 @@ - 2005-05-02 + 2005-05-11 2004 @@ -50,6 +50,48 @@ You must have BOTH the Netfilter+ipsec patches and the policy match patch. One without the other will not work. + + Here's a combination of components that I know works: + + + + Kernel 2.6.11 from kernel.org. Patched with: + + + + The five patches in http://shorewall.net/pub/shorewall/contrib/IPSEC/2.6.11 + + + + The "policy match" extension from the Patch-o-matic-ng CVS + snapshot from 2005-May-04 (be sure to NOT try to apply the + ipsec-NN patches from patch-o-matic-ng). + + + + + + iptables 1.3.1 patched with the "policy match" extension from + the Patch-o-matic-ng CVS snapshot from 2005-May-04. + + + + ipsec-tools 0.5.2 compiled from source. I've also had success + with: + + + + ipsec-tools 0.5.2 and racoon 0.5.2 from Debian + Sarge/testing + + + + The ipsec-tools 0.5 rpm from SuSE 9.3. + + + + @@ -194,6 +236,13 @@ of) SA(s) used to encrypt and decrypt traffic to/from the zone and the security policies that select which traffic to encrypt/decrypt. + This article assumes the use of ipsec-tools (http://ipsec-tools.sourceforge.net). + As of this writing, I recommend that you run at least version 0.5.2. + Debian users, please note that there are separate Debian packages for + ipsec-tools and racoon although the ipsec-tools project releases them as a + single package. + For more information on IPSEC, Kernel 2.6 and Shorewall see my presentation on the subject given at LinuxFest NW 2005. 
@@ -773,7 +822,7 @@ all all REJECT info url="http://www.ipsec-howto.org/">http://www.ipsec-howto.org/. One piece of information that may not be so easy to find is "How - to I generate a PKCS#12 certificate to import into Windows?". Here's the + do I generate a PKCS#12 certificate to import into Windows?". Here's the openssl command that I used: openssl pkcs12 -export -in eastepnc6000.pem -inkey eastepnc6000_key.pem -out eastepnc6000.pfx -name "IPSEC Cert for Home Wireless" @@ -785,18 +834,19 @@ all all REJECT info - eastepnc6000.pem was the laptop's certificate in PEM - format. + eastepnc6000.pem was the laptop's + certificate in PEM format. - eastepnc6000_key.pem was the laptop's private key (actually, - it's the original signing request which includes the private - key). + eastepnc6000_key.pem was the laptop's + private key (actually, it's the original signing request which + includes the private key). - eastepnc6000.pfx is the PKCS#12 output file. + eastepnc6000.pfx is the PKCS#12 output + file. @@ -813,4 +863,13 @@ all all REJECT info different dialog boxes on Windows XP!!! + +
+ Source of Additional Samples + + Be sure to check out the src/racoon/samples subdirectory in the + ipsec-tools source tree. It has a wide variety of sample racoon + configuration files. +
\ No newline at end of file diff --git a/Shorewall-docs2/Install.xml b/Shorewall-docs2/Install.xml index 1fcf956a7..416f15b4c 100644 --- a/Shorewall-docs2/Install.xml +++ b/Shorewall-docs2/Install.xml @@ -185,10 +185,13 @@ INIT="rc.firewall" If you are running Slackware and are installing Shorewall 2.0.3 - Beta 1 or later, then type: + Beta 1 to Shorewall 2.2.3, then type: DEST=/etc/rc.d INIT=rc.firewall ./install.sh + If you are running Slackware and are installing Shorewall 2.2.4 or later, then type: + ./install.sh + Otherwise, type: ./install.sh diff --git a/Shorewall-docs2/PortKnocking.xml b/Shorewall-docs2/PortKnocking.xml new file mode 100644 index 000000000..c8a6987e2 --- /dev/null +++ b/Shorewall-docs2/PortKnocking.xml @@ -0,0 +1,129 @@ + + +
+ + + + Port Knocking + + + + Tom + + Eastep + + + + 2005-05-13 + + + 2005 + + Thomas M. Eastep + + + + Permission is granted to copy, distribute and/or modify this + document under the terms of the GNU Free Documentation License, Version + 1.2 or any later version published SHby the Free Software Foundation; + with no Invariant Sections, with no Front-Cover, and with no Back-Cover + Texts. A copy of the license is included in the section entitled + GNU Free Documentation + License. + + + +
+ What is Port Knocking? + + Port knocking is a technique whereby attempting to connect to port A + enables access to port B from that same host. For the example on which + this article is based, see http://www.soloport.com/iptables.html + which should be considered to be part of this documentation. +
+ +
+ Implementing Port Knocking in Shorewall + + In order to implement this solution, your iptables and kernel must + support the 'recent match' extension (see FAQ + 42). These instructions also assume Shorewall version 2.2.0 or + later. + + In this example: + + + + Attempting to connect to port 1600 enables SSH access. + + + + Attempting to connect to port 1601 disables SSH access (note + that in the article linked above, attempting to connect to port 1599 + also disables access. This is an port scan defence as explained in the + article). + + + + To implement that approach: + + + + Add an action named SSHKnock (see the Action documentation). Leave the + action.SSHKnock file empty. + + + + Create /etc/shorewall/SSHKnock with the following + contents: + + if [ -n "$LEVEL" ]; then + log_rule_limit $LEVEL $CHAIN SSHKnock ACCEPT "" "$TAG" -A -p tcp --dport 22 -m recent --rcheck --name SSH + log_rule_limit $LEVEL $CHAIN SSHKnock DROP "" "$TAG" -A -p tcp --dport ! 22 +fi +run_iptables -A $CHAIN -p tcp --dport 22 -m recent --rcheck --name SSH -j ACCEPT +run_iptables -A $CHAIN -p tcp --dport 1599 -m recent --name SSH --remove -j DROP +run_iptables -A $CHAIN -p tcp --dport 1600 -m recent --name SSH --set -j DROP +run_iptables -A $CHAIN -p tcp --dport 1601 -m recent --name SSH --remove -j DROP + + + + Now if you want to protect SSH access to the firewall from the + Internet, add this rule in + /etc/shorewall/rules: + + #ACTION SOURCE DEST PROTO DEST PORT(S) +SSHKnock net fw tcp 22,1599,1600,1601 + + If you want to log the DROPs and ACCEPTs done by SSHKnock, you + can just add a log level as in: + + #ACTION SOURCE DEST PROTO DEST PORT(S) +SSHKnock:info net fw tcp 22,1599,1600,1601 + + + + If you wish to use SSHKnock with a forwarded connection, you + must be using Shorewall 2.3.1 or later for fullest protection. 
Assume + that you forward port 22 from external IP address 206.124.146.178 to + internal system 192.168.1.5 In /etc/shorewall/rules: + + #ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL +# PORT(S) DEST +DNAT- net loc:192.168.1.5 tcp 22 - 206.124.146.178 +SSHKnock net fw tcp 1599,1600,1601 +SSHKnock net loc:192.168.1.5 tcp 22 - 206.124.146.178 + + + You can use SSHKnock with DNAT on earlier releases provided + that you omit the ORIGINAL DEST entry on the second SSHKnock rule. + This rule will be quite secure provided that you specify 'norfc1918' + on your external interface. + + + +
+
\ No newline at end of file diff --git a/Shorewall-docs2/shorewall_extension_scripts.xml b/Shorewall-docs2/shorewall_extension_scripts.xml index 740694986..bc16d02e2 100644 --- a/Shorewall-docs2/shorewall_extension_scripts.xml +++ b/Shorewall-docs2/shorewall_extension_scripts.xml @@ -15,7 +15,7 @@ - 2005-04-06 + 2005-05-13 2001-2005 @@ -131,6 +131,53 @@ /var/lib/shorewall/restore exists).
+ + If you wish to generate a log message, use log_rule_limit. Parameters are: + + + + Log Level + + + + Chain to insert the rule into + + + + Chain name to display in the message (this can be different + from the preceding argument — see the Port Knocking article for an example + of how to use this). + + + + Disposition to report in the message (ACCEPT, DROP, + etc) + + + + Rate Limit (if passed as "" then $LOGLIMIT is assumed — see + the LOGLIMIT option in /etc/shorewall/shorewall.conf) + + + + + Log Tag ("" if none) + + + + Command (-A or -I for append or insert). This argument applies + to Shorewall 2.2.0 and later only. + + + + The remaining arguments are passed "as is" to iptables + + + + With Shorewall 2.0.2 Beta 1 and later versions, if you run commands other than iptables that must be re-run in
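Review bot: in the PortKnocking.xml hunk, the port-22 ACCEPT rule uses `-m recent --rcheck --name SSH` without a `--seconds` argument, so once a source address has knocked on 1600 it stays enabled indefinitely, until it knocks on 1599/1601 or the entry is evicted from the recent table; if a bounded window is intended, add `--seconds` to that `--rcheck` on both the `run_iptables` line and the matching `log_rule_limit` line, and state the chosen behaviour in the text. Also in the same file: the legalnotice reads "published SHby the Free Software Foundation" (stray "SH"), "This is an port scan defence" should be "a port scan defence", and "internal system 192.168.1.5 In /etc/shorewall/rules" is missing a full stop before "In".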
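Review bot: FAQ 47 in the FAQ.xml hunk records that `loc:!192.168.100.101,192.168.100.115` silently matches more than intended, i.e. a negated address list can grant wider access than the administrator expects; the suggested workaround (loc->net policy ACCEPT plus a REJECT rule for the two hosts) only holds if that REJECT rule is not preceded by a broader ACCEPT rule for loc->net, since rules are applied in file order, so a sentence to that effect would help. It would also be worth cross-referencing this limitation from the rules-file documentation so readers who do not consult the FAQ are not caught by it.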
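Review bot: in the IPSEC-2.6.xml hunk, the parenthetical "it's the original signing request which includes the private key" under eastepnc6000_key.pem may confuse readers, since a certificate signing request on its own does not contain the private key; if the file is a concatenation of the request and the key, say so explicitly, and note that the private key is what `-inkey` requires.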
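Review bot: the log_rule_limit parameter list in the shorewall_extension_scripts.xml hunk would be easier to use with a one-line synopsis giving the positional order (level, chain, display name, disposition, rate limit, log tag, command, iptables arguments) above the bullets, since extension-script authors must get the order exactly right; the Port Knocking example passes "" for the rate limit and "$TAG" for the tag, which is consistent with the list, but the list itself should also say whether the Command argument may be omitted on releases before 2.2.0 or must simply be absent.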