forked from extern/shorewall_code
Shorewall 2.2.0 RC4
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1892 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
@ -15,7 +15,7 @@
|
|||||||
</author>
|
</author>
|
||||||
</authorgroup>
|
</authorgroup>
|
||||||
|
|
||||||
<pubdate>2005-01-03</pubdate>
|
<pubdate>2005-01-06</pubdate>
|
||||||
|
|
||||||
<copyright>
|
<copyright>
|
||||||
<year>2001-2005</year>
|
<year>2001-2005</year>
|
||||||
@ -152,9 +152,12 @@
|
|||||||
206.124.146.177 through eth1 when that interface is brought up.</para>
|
206.124.146.177 through eth1 when that interface is brought up.</para>
|
||||||
|
|
||||||
<para>Tarry (192.168.1.4) runs a PPTP server for Road Warrior access from
|
<para>Tarry (192.168.1.4) runs a PPTP server for Road Warrior access from
|
||||||
my work laptop and the Firewall is configured with OpenVPN for VPN access
|
my work laptop and Ursa (206.124.146.178/192.168.1.5) is configured with
|
||||||
from our second home in <ulink url="http://www.omakchamber.com/">Omak,
|
OpenVPN for VPN access from our second home in <ulink
|
||||||
Washington</ulink> or when we are otherwise out of town.</para>
|
url="http://www.omakchamber.com/">Omak, Washington</ulink> or when we are
|
||||||
|
otherwise out of town. I have a new work laptop that is not yet in
|
||||||
|
service; when it is, I will install OpenVPN on it as well and use OpenVPN
|
||||||
|
exclusively for remote access.</para>
|
||||||
|
|
||||||
<para><graphic align="center" fileref="images/network.png" /></para>
|
<para><graphic align="center" fileref="images/network.png" /></para>
|
||||||
</section>
|
</section>
|
||||||
@ -216,7 +219,7 @@ TCP_FLAGS_DISPOSITION=DROP</programlisting>
|
|||||||
<para><programlisting>MIRRORS=<list of shorewall mirror ip addresses>
|
<para><programlisting>MIRRORS=<list of shorewall mirror ip addresses>
|
||||||
NTPSERVERS=<list of the NTP servers I sync with>
|
NTPSERVERS=<list of the NTP servers I sync with>
|
||||||
TEXAS=<ip address of gateway in Plano>
|
TEXAS=<ip address of gateway in Plano>
|
||||||
LOG=ULOGD
|
LOG=ULOG
|
||||||
EXT_IF=eth1
|
EXT_IF=eth1
|
||||||
INT_IF=eth2
|
INT_IF=eth2
|
||||||
DMZ_IF=eth0</programlisting></para>
|
DMZ_IF=eth0</programlisting></para>
|
||||||
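Review bot: The LOG change from ULOGD to ULOG on the right-hand side is the correct fix: ULOG is the log level Shorewall accepts for the ULOG target, while ulogd is only the name of the userspace daemon that reads those messages, so the old value would not have been recognised. Nothing further needed in this hunk.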
@ -231,7 +234,6 @@ DMZ_IF=eth0</programlisting></para>
|
|||||||
net Internet Internet
|
net Internet Internet
|
||||||
dmz DMZ Demilitarized zone
|
dmz DMZ Demilitarized zone
|
||||||
loc Local Local networks
|
loc Local Local networks
|
||||||
road Roadwarrior Our Laptop on the Road
|
|
||||||
tx Texas Peer Network in Dallas
|
tx Texas Peer Network in Dallas
|
||||||
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
|
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
|
||||||
</programlisting>
|
</programlisting>
|
||||||
@ -250,7 +252,6 @@ net $EXT_IF 206.124.146.255 dhcp,norfc1918,routefilter,logmartians,blackli
|
|||||||
loc $INT_IF detect dhcp
|
loc $INT_IF detect dhcp
|
||||||
dmz $DMZ_IF -
|
dmz $DMZ_IF -
|
||||||
- texas -
|
- texas -
|
||||||
road tun+ - routeback
|
|
||||||
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
|
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
|
||||||
</blockquote>
|
</blockquote>
|
||||||
</section>
|
</section>
|
||||||
@ -316,9 +317,6 @@ $INT_IF -
|
|||||||
<programlisting>#SOURCE DESTINATION POLICY LOG LEVEL BURST:LIMIT
|
<programlisting>#SOURCE DESTINATION POLICY LOG LEVEL BURST:LIMIT
|
||||||
fw fw ACCEPT
|
fw fw ACCEPT
|
||||||
loc net ACCEPT
|
loc net ACCEPT
|
||||||
fw road ACCEPT
|
|
||||||
road loc ACCEPT
|
|
||||||
loc road ACCEPT
|
|
||||||
$FW loc ACCEPT
|
$FW loc ACCEPT
|
||||||
$FW tx ACCEPT
|
$FW tx ACCEPT
|
||||||
loc tx ACCEPT
|
loc tx ACCEPT
|
||||||
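Review bot: With `fw road`, `road loc` and `loc road` removed here and the `road` zone dropped from this host's zones file in the earlier hunk, any remaining reference to `road` elsewhere in this gateway's rules or tunnels files will abort `shorewall start` with an undefined-zone error; the only rules hunk shown for this host changes a comment, so confirm the full rules file has no leftover `road` entries before publishing this as the working configuration.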
@ -384,7 +382,6 @@ $EXT_IF:: eth2 206.124.146.176
|
|||||||
<blockquote>
|
<blockquote>
|
||||||
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE PORT
|
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE PORT
|
||||||
gre net $TEXAS
|
gre net $TEXAS
|
||||||
openvpn:1194 net 0.0.0.0/0
|
|
||||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
||||||
</blockquote>
|
</blockquote>
|
||||||
</section>
|
</section>
|
||||||
@ -504,7 +501,7 @@ AllowPing net dmz
|
|||||||
#
|
#
|
||||||
# Net to Local
|
# Net to Local
|
||||||
#
|
#
|
||||||
# When I'm "on the road", the following two rules allow me VPN access back home.
|
# When I'm "on the road", the following two rules allow me VPN access back home via PPTP.
|
||||||
#
|
#
|
||||||
DNAT net loc:192.168.1.4 tcp 1723 -
|
DNAT net loc:192.168.1.4 tcp 1723 -
|
||||||
DNAT net:!$TEXAS loc:192.168.1.4 gre -
|
DNAT net:!$TEXAS loc:192.168.1.4 gre -
|
||||||
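Review bot: The reworded comment now correctly says PPTP for the two DNAT rules that follow, but nothing in this diff shows how OpenVPN traffic reaches its new home: the first hunk says Ursa (206.124.146.178/192.168.1.5) now runs the server, the `openvpn:1194 net 0.0.0.0/0` tunnel entry was removed from this gateway, and no ACCEPT or DNAT for udp 1194 toward Ursa is added here. If such a rule already exists further down the file, fine; otherwise roadwarriors cannot reach Ursa through this gateway and that rule should be added next to these PPTP rules.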
@ -581,46 +578,6 @@ ACCEPT tx loc:192.168.1.5 all
|
|||||||
</blockquote>
|
</blockquote>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section>
|
|
||||||
<title>/etc/openvpn/server.conf</title>
|
|
||||||
|
|
||||||
<para>This is my OpenVPN server configuration file:</para>
|
|
||||||
|
|
||||||
<blockquote>
|
|
||||||
<programlisting>ddev tun
|
|
||||||
|
|
||||||
server 192.168.2.0 255.255.255.0
|
|
||||||
|
|
||||||
dh dh1024.pem
|
|
||||||
|
|
||||||
ca /etc/certs/cacert.pem
|
|
||||||
|
|
||||||
crl-verify /etc/certs/crl.pem
|
|
||||||
|
|
||||||
cert /etc/certs/gateway.pem
|
|
||||||
key /etc/certs/gateway_key.pem
|
|
||||||
|
|
||||||
port 1194
|
|
||||||
|
|
||||||
comp-lzo
|
|
||||||
|
|
||||||
user nobody
|
|
||||||
group nogroup
|
|
||||||
|
|
||||||
ping 15
|
|
||||||
ping-restart 45
|
|
||||||
ping-timer-rem
|
|
||||||
persist-tun
|
|
||||||
persist-key
|
|
||||||
|
|
||||||
client-config-dir /etc/openvpn/clients
|
|
||||||
ccd-exclusive
|
|
||||||
client-to-client
|
|
||||||
|
|
||||||
verb 3</programlisting>
|
|
||||||
</blockquote>
|
|
||||||
</section>
|
|
||||||
|
|
||||||
<section id="debian_interfaces">
|
<section id="debian_interfaces">
|
||||||
<title>/etc/network/interfaces</title>
|
<title>/etc/network/interfaces</title>
|
||||||
|
|
||||||
@ -680,11 +637,12 @@ syslogsync 1</programlisting>
|
|||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section>
|
<section>
|
||||||
<title>Wireless IPSEC Gateway (Ursa) Configuration</title>
|
<title>Wireless IPSEC/OpenVPN Gateway (Ursa) Configuration</title>
|
||||||
|
|
||||||
<para>As mentioned above, Ursa acts as an IPSEC gateway for the wireless
|
<para>As mentioned above, Ursa acts as an IPSEC gateway for the wireless
|
||||||
network. It's view of the network is diagrammed in the following
|
network and as an OpenVPN gateway for roadwarrior access from Tipper and
|
||||||
figure.</para>
|
my new work laptop. It's view of the network is diagrammed in the
|
||||||
|
following figure.</para>
|
||||||
|
|
||||||
<graphic align="center" fileref="images/network1.png" valign="middle" />
|
<graphic align="center" fileref="images/network1.png" valign="middle" />
|
||||||
|
|
||||||
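Review bot: "It's view of the network" in the new right-hand paragraph should read "Its view" (possessive, no apostrophe); the typo was already in the old text and this rewrite is the place to fix it. The title and paragraph changes otherwise match the `road` zone and `tun0` interface additions for Ursa below.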
@ -703,6 +661,7 @@ loc Local Local networks
|
|||||||
net Internet The Big Bad Internet
|
net Internet The Big Bad Internet
|
||||||
WiFi Wireless Wireless Network
|
WiFi Wireless Wireless Network
|
||||||
sec Secure Secure Wireless Network
|
sec Secure Secure Wireless Network
|
||||||
|
road Roadwarriors Roadwarriors
|
||||||
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
|
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
|
||||||
</programlisting>
|
</programlisting>
|
||||||
</blockquote>
|
</blockquote>
|
||||||
@ -716,16 +675,22 @@ sec Secure Secure Wireless Network
|
|||||||
loc fw ACCEPT
|
loc fw ACCEPT
|
||||||
loc net NONE
|
loc net NONE
|
||||||
loc sec ACCEPT
|
loc sec ACCEPT
|
||||||
|
loc road ACCEPT
|
||||||
net fw ACCEPT
|
net fw ACCEPT
|
||||||
net loc NONE
|
net loc NONE
|
||||||
net sec ACCEPT
|
net sec ACCEPT
|
||||||
sec fw ACCEPT
|
sec fw ACCEPT
|
||||||
sec loc ACCEPT
|
sec loc ACCEPT
|
||||||
sec net ACCEPT
|
sec net ACCEPT
|
||||||
|
road sec ACCEPT
|
||||||
|
road loc ACCEPT
|
||||||
|
road net ACCEPT
|
||||||
|
road fw ACCEPT
|
||||||
fw loc ACCEPT
|
fw loc ACCEPT
|
||||||
fw net ACCEPT
|
fw net ACCEPT
|
||||||
fw sec ACCEPT
|
fw sec ACCEPT
|
||||||
fw WiFi ACCEPT
|
fw WiFi ACCEPT
|
||||||
|
fw Road ACCEPT
|
||||||
sec WiFi NONE
|
sec WiFi NONE
|
||||||
WiFi sec NONE
|
WiFi sec NONE
|
||||||
all all REJECT info
|
all all REJECT info
|
||||||
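Review bot: `fw Road ACCEPT` uses a capitalised zone name, while the zones hunk above defines the zone as `road` and every other new policy line in this hunk (`loc road`, `road sec`, `road loc`, `road net`, `road fw`) uses lower case. Shorewall zone names are case-sensitive, so this line should be `fw Road ACCEPT` rewritten as `fw road ACCEPT`; as written it names an undefined zone and `shorewall start` will reject the policy file. As a side note, `road net ACCEPT` together with `net loc NONE` is consistent here because, per the interfaces hunk below, Ursa's `net` zone is eth0 on 192.168.1.0/24 (the home LAN behind the main gateway), so roadwarriors simply get the reach of a wired LAN host.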
@ -744,6 +709,7 @@ all all REJECT info
|
|||||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||||
net eth0 192.168.1.255 dhcp,nobogons,blacklist
|
net eth0 192.168.1.255 dhcp,nobogons,blacklist
|
||||||
WiFi eth1 192.168.3.255 nobogons,blacklist,maclist,routeback
|
WiFi eth1 192.168.3.255 nobogons,blacklist,maclist,routeback
|
||||||
|
road tun0 -
|
||||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
||||||
</blockquote>
|
</blockquote>
|
||||||
</section>
|
</section>
|
||||||
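Review bot: The new `road tun0 -` entry drops the `routeback` option that the removed gateway entry (`road tun+ - routeback`) carried. That is only safe because the Ursa server.conf later in this diff has `client-to-client`, which forwards traffic between OpenVPN clients inside the daemon so Shorewall never sees it; if you ever want firewall policy applied to client-to-client traffic, remove `client-to-client` from server.conf and put `routeback` back on this line. Also, `tun0` assumes OpenVPN is the only tun user on Ursa; `tun+` as in the old entry is more robust if a second instance ever creates tun1.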
@ -779,12 +745,26 @@ loc eth0:192.168.1.0/24
|
|||||||
</blockquote>
|
</blockquote>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
|
<section>
|
||||||
|
<title>tunnels</title>
|
||||||
|
|
||||||
|
<blockquote>
|
||||||
|
<programlisting># TYPE ZONE GATEWAY GATEWAY
|
||||||
|
# ZONE
|
||||||
|
ipsec:noah WiFi 192.168.3.8
|
||||||
|
openvpn:1194 net 0.0.0.0/0
|
||||||
|
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||||
|
</programlisting>
|
||||||
|
</blockquote>
|
||||||
|
</section>
|
||||||
|
|
||||||
<section>
|
<section>
|
||||||
<title>rules</title>
|
<title>rules</title>
|
||||||
|
|
||||||
<blockquote>
|
<blockquote>
|
||||||
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
|
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
|
||||||
# PORT PORT(S) DEST
|
# PORT PORT(S) DEST
|
||||||
|
allowBcast WiFi fw
|
||||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
||||||
</blockquote>
|
</blockquote>
|
||||||
</section>
|
</section>
|
||||||
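Review bot: `allowBcast WiFi fw` in the rules hunk is unrelated to the OpenVPN move and is not mentioned in the commit message. Since there is no `WiFi fw` policy, broadcasts from eth1 currently fall through to `all all REJECT info` and get logged; this action silently accepts them, which is presumably what is wanted for DHCP on the wireless side, but a comment line saying so would help the next reader. The new tunnels entries (`ipsec:noah WiFi 192.168.3.8`, `openvpn:1194 net 0.0.0.0/0`) match the sainfo address 192.168.3.8/32 in the racoon config and the eth0 `net` interface, so they look right.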
@ -794,7 +774,7 @@ loc eth0:192.168.1.0/24
|
|||||||
|
|
||||||
<blockquote>
|
<blockquote>
|
||||||
<programlisting>#INTERFACE HOST(S) OPTIONS
|
<programlisting>#INTERFACE HOST(S) OPTIONS
|
||||||
eth0 0.0.0.0/0
|
eth1 0.0.0.0/0
|
||||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
||||||
</blockquote>
|
</blockquote>
|
||||||
</section>
|
</section>
|
||||||
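Review bot: The `#INTERFACE HOST(S) OPTIONS` header makes this look like the routestopped file rather than the maclist file, and switching the entry from eth0 to eth1 changes which side keeps passing traffic while Shorewall is stopped: after this change it is eth1, the maclist-guarded wireless interface, and no longer eth0, the wired home LAN. If the intent is to keep management access from the LAN when the firewall is down, eth0 should stay; if the change is deliberate (for example Ursa is administered over wireless), a sentence in the surrounding text explaining it would avoid the obvious question.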
@ -868,6 +848,46 @@ sainfo address 0.0.0.0/0 any address 192.168.3.8/32 any
|
|||||||
}</programlisting>
|
}</programlisting>
|
||||||
</blockquote>
|
</blockquote>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
|
<section>
|
||||||
|
<title>/etc/openvpn/server.conf</title>
|
||||||
|
|
||||||
|
<para>This is my OpenVPN server configuration file:</para>
|
||||||
|
|
||||||
|
<blockquote>
|
||||||
|
<programlisting>dev tun
|
||||||
|
|
||||||
|
server 192.168.2.0 255.255.255.0
|
||||||
|
|
||||||
|
dh dh1024.pem
|
||||||
|
|
||||||
|
ca /etc/certs/cacert.pem
|
||||||
|
|
||||||
|
crl-verify /etc/certs/crl.pem
|
||||||
|
|
||||||
|
cert /etc/certs/ursa.pem
|
||||||
|
key /etc/certs/ursa_key.pem
|
||||||
|
|
||||||
|
port 1194
|
||||||
|
|
||||||
|
comp-lzo
|
||||||
|
|
||||||
|
user nobody
|
||||||
|
group nogroup
|
||||||
|
|
||||||
|
ping 15
|
||||||
|
ping-restart 45
|
||||||
|
ping-timer-rem
|
||||||
|
persist-tun
|
||||||
|
persist-key
|
||||||
|
|
||||||
|
client-config-dir /etc/openvpn/clients
|
||||||
|
ccd-exclusive
|
||||||
|
client-to-client
|
||||||
|
|
||||||
|
verb 3</programlisting>
|
||||||
|
</blockquote>
|
||||||
|
</section>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section>
|
<section>
|
||||||
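Review bot: `dh dh1024.pem` is the only relative path in the new server.conf; `ca`, `cert`, `key` and `crl-verify` are all absolute under /etc/certs. OpenVPN resolves a relative path against its working directory, which depends on how the init script starts the daemon, so use `/etc/certs/dh1024.pem` (or add `cd /etc/openvpn`) to make the file self-contained. Also keep /etc/certs/crl.pem readable by `nobody`: with `user nobody`/`group nogroup` the daemon drops privileges after startup, and OpenVPN of this vintage re-reads the CRL when a client connects, so an unreadable CRL turns into rejected handshakes rather than a startup error. The combination `persist-key`/`persist-tun` with the privilege drop is correct and is what lets `ping-restart` work without root.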
@ -878,6 +898,12 @@ sainfo address 0.0.0.0/0 any address 192.168.3.8/32 any
|
|||||||
connected via our wireless network, it uses IPSEC tunnel mode for all
|
connected via our wireless network, it uses IPSEC tunnel mode for all
|
||||||
access.</para>
|
access.</para>
|
||||||
|
|
||||||
|
<note>
|
||||||
|
<para>Given that I use OpenVPN for remote access, it would be more
|
||||||
|
convenient to also use it for wireless access at home. I use IPSEC just
|
||||||
|
so that I always have a working IPSEC testbed.</para>
|
||||||
|
</note>
|
||||||
|
|
||||||
<para>Tipper's view of the world is shown in the following diagram:</para>
|
<para>Tipper's view of the world is shown in the following diagram:</para>
|
||||||
|
|
||||||
<graphic align="center" fileref="images/network2.png" valign="middle" />
|
<graphic align="center" fileref="images/network2.png" valign="middle" />
|
||||||
@ -1081,7 +1107,7 @@ ACCEPT net fw tcp 4000:4100
|
|||||||
|
|
||||||
<blockquote>
|
<blockquote>
|
||||||
<programlisting>dev tun
|
<programlisting>dev tun
|
||||||
remote gateway.shorewall.net
|
remote ursa.shorewall.net
|
||||||
up /etc/openvpn/home.up
|
up /etc/openvpn/home.up
|
||||||
|
|
||||||
tls-client
|
tls-client
|
||||||
|
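Review bot: `remote ursa.shorewall.net` now has to resolve to the address Ursa is reachable on from outside (206.124.146.178 per the first hunk). The unchanged `up /etc/openvpn/home.up` script is not shown; since roadwarriors now terminate on Ursa and receive 192.168.2.x addresses from its `server 192.168.2.0 255.255.255.0`, double-check that the routes the script installs for the home LAN point at the new tunnel endpoint and not at the old gateway one.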
@ -15,7 +15,7 @@
|
|||||||
</author>
|
</author>
|
||||||
</authorgroup>
|
</authorgroup>
|
||||||
|
|
||||||
<pubdate>2005-01-01</pubdate>
|
<pubdate>2005-01-07</pubdate>
|
||||||
|
|
||||||
<copyright>
|
<copyright>
|
||||||
<year>2001-2005</year>
|
<year>2001-2005</year>
|
||||||
@ -103,8 +103,9 @@
|
|||||||
<title>Guides that Others have Written</title>
|
<title>Guides that Others have Written</title>
|
||||||
|
|
||||||
<para>Andrew Allen has provided <ulink
|
<para>Andrew Allen has provided <ulink
|
||||||
url="http://unofficial-support.com/node/view/46">this guide</ulink> for
|
url="http://unofficial-support.com/article/how-to/shorewall">this
|
||||||
installing Shorewall on standalone webhosting servers.</para>
|
guide</ulink> for installing Shorewall on standalone webhosting
|
||||||
|
servers.</para>
|
||||||
</section>
|
</section>
|
||||||
</section>
|
</section>
|
||||||
</article>
|
</article>
|