forked from extern/shorewall_code
More changes to my config docs
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1843 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
64dba9e73f
commit
f26d2243f6
Binary file not shown.
@ -15,7 +15,7 @@
|
|||||||
</author>
|
</author>
|
||||||
</authorgroup>
|
</authorgroup>
|
||||||
|
|
||||||
<pubdate>2004-12-18</pubdate>
|
<pubdate>2004-12-20</pubdate>
|
||||||
|
|
||||||
<copyright>
|
<copyright>
|
||||||
<year>2001-2004</year>
|
<year>2001-2004</year>
|
||||||
@ -29,8 +29,7 @@
|
|||||||
1.2 or any later version published by the Free Software Foundation; with
|
1.2 or any later version published by the Free Software Foundation; with
|
||||||
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
||||||
Texts. A copy of the license is included in the section entitled
|
Texts. A copy of the license is included in the section entitled
|
||||||
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
|
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
|
||||||
License</ulink></quote>.</para>
|
|
||||||
</legalnotice>
|
</legalnotice>
|
||||||
</articleinfo>
|
</articleinfo>
|
||||||
|
|
||||||
@ -41,9 +40,9 @@
|
|||||||
<para>I use a combination of One-to-one NAT and Proxy ARP, neither of
|
<para>I use a combination of One-to-one NAT and Proxy ARP, neither of
|
||||||
which are relevant to a simple configuration with a single public IP
|
which are relevant to a simple configuration with a single public IP
|
||||||
address. If you have just a single public IP address, most of what you
|
address. If you have just a single public IP address, most of what you
|
||||||
see here won't apply to your setup so beware of copying parts of this
|
see here won't apply to your setup so beware of copying parts of
|
||||||
configuration and expecting them to work for you. What you copy may or
|
this configuration and expecting them to work for you. What you copy may
|
||||||
may not work for you.</para>
|
or may not work for you.</para>
|
||||||
</caution>
|
</caution>
|
||||||
|
|
||||||
<caution>
|
<caution>
|
||||||
@ -58,9 +57,8 @@
|
|||||||
(factory default). The modem is configured in <quote>bridge</quote> mode
|
(factory default). The modem is configured in <quote>bridge</quote> mode
|
||||||
so PPPoE is not involved. I have a local network connected to eth0 (subnet
|
so PPPoE is not involved. I have a local network connected to eth0 (subnet
|
||||||
192.168.1.0/24) and a DMZ connected to eth2 (206.124.146.176/32). Note
|
192.168.1.0/24) and a DMZ connected to eth2 (206.124.146.176/32). Note
|
||||||
that I configure the same IP address on both <filename
|
that I configure the same IP address on both <filename class="devicefile">eth1</filename>
|
||||||
class="devicefile">eth1</filename> and <filename
|
and <filename class="devicefile">eth2</filename>.</para>
|
||||||
class="devicefile">eth2</filename>.</para>
|
|
||||||
|
|
||||||
<para>In this configuration:</para>
|
<para>In this configuration:</para>
|
||||||
|
|
||||||
@ -78,20 +76,18 @@
|
|||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>I use SNAT through 206.124.146.176 for my Wife's Windows XP
|
<para>I use SNAT through 206.124.146.176 for my Wife's
|
||||||
system <quote>Tarry</quote>, and our dual-booting (SuSE
|
Windows XP system <quote>Tarry</quote>, and our  dual-booting
|
||||||
9.2/Windows XP) laptop <quote>Tipper</quote> which connects through
|
(SuSE 9.2/Windows XP) laptop <quote>Tipper</quote> which connects
|
||||||
the Wireless Access Point (wap) via a Wireless Bridge (wet).<note>
|
through the Wireless Access Point (wap) via a Wireless Bridge (wet).<note><para>While
|
||||||
<para>While the distance between the WAP and where I usually use
|
the distance between the WAP and where I usually use the laptop
|
||||||
the laptop isn't very far (50 feet or so), using a WAC11 (CardBus
|
isn't very far (50 feet or so), using a WAC11 (CardBus wireless
|
||||||
wireless card) has proved very unsatisfactory (lots of lost
|
card) has proved very unsatisfactory (lots of lost connections). By
|
||||||
connections). By replacing the WAC11 with the WET11 wireless
|
replacing the WAC11 with the WET11 wireless bridge, I have virtually
|
||||||
bridge, I have virtually eliminated these problems (Being an old
|
eliminated these problems (Being an old radio tinkerer (K7JPV), I was
|
||||||
radio tinkerer (K7JPV), I was also able to eliminate the
|
also able to eliminate the disconnects by hanging a piece of aluminum
|
||||||
disconnects by hanging a piece of aluminum foil on the family room
|
foil on the family room wall. Needless to say, my wife Tarry rejected
|
||||||
wall. Needless to say, my wife Tarry rejected that as a permanent
|
that as a permanent solution :-).</para></note></para>
|
||||||
solution :-).</para>
|
|
||||||
</note></para>
|
|
||||||
</listitem>
|
</listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
|
|
||||||
@ -112,9 +108,9 @@
|
|||||||
<para>Ursa runs Samba for file sharing with the Windows systems and is
|
<para>Ursa runs Samba for file sharing with the Windows systems and is
|
||||||
configured as a Wins server.</para>
|
configured as a Wins server.</para>
|
||||||
|
|
||||||
<para>The wireless network connects to Ursa's eth1 via a LinkSys
|
<para>The wireless network connects to Ursa's eth1 via a LinkSys
|
||||||
WAP11. In additional to using the rather weak WEP 40-bit encryption
|
WAP11.  In additional to using the rather weak WEP 40-bit
|
||||||
(64-bit with the 24-bit preamble), I use <ulink
|
encryption (64-bit with the 24-bit preamble), I use <ulink
|
||||||
url="MAC_Validation.html">MAC verification</ulink> and <ulink
|
url="MAC_Validation.html">MAC verification</ulink> and <ulink
|
||||||
url="IPSEC-2.6.html">Kernel 2.6 IPSEC</ulink>.</para>
|
url="IPSEC-2.6.html">Kernel 2.6 IPSEC</ulink>.</para>
|
||||||
|
|
||||||
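Review bot: The rewrapped sentence at "In additional to using the rather weak WEP 40-bit" carries the typo "In additional to" over from the old text; suggest "In addition to". The new line also introduces a double space after "WAP11.".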
@ -145,16 +141,16 @@
|
|||||||
in the DMZ.</para>
|
in the DMZ.</para>
|
||||||
|
|
||||||
<para>The ethernet interface in the Server is configured with IP address
|
<para>The ethernet interface in the Server is configured with IP address
|
||||||
206.124.146.177, netmask 255.255.255.0. The server's default gateway is
|
206.124.146.177, netmask 255.255.255.0. The server's default gateway
|
||||||
206.124.146.254 (Router at my ISP. This is the same default gateway used
|
is 206.124.146.254 (Router at my ISP. This is the same default gateway
|
||||||
by the firewall itself). On the firewall, an entry in my
|
used by the firewall itself). On the firewall, an entry in my
|
||||||
/etc/network/interfaces file (see below) adds a host route to
|
/etc/network/interfaces file (see below) adds a host route to
|
||||||
206.124.146.177 through eth1 when that interface is brought up.</para>
|
206.124.146.177 through eth1 when that interface is brought up.</para>
|
||||||
|
|
||||||
<para>Tarry (192.168.1.4) runs a PPTP server for Road Warrior access from
|
<para>Tarry (192.168.1.4) runs a PPTP server for Road Warrior access from
|
||||||
my work laptop and the Firewall is configured with IPSEC for tunnel mode
|
my work laptop and the Firewall is configured with OpenVPN for VPN access
|
||||||
access from our second home in <ulink
|
from our second home in <ulink url="http://www.omakchamber.com/">Omak,
|
||||||
url="http://www.omakchamber.com/">Omak, Washington</ulink>.</para>
|
Washington</ulink> or when we are otherwise out of town.</para>
|
||||||
|
|
||||||
<para><graphic align="center" fileref="images/network.png" /></para>
|
<para><graphic align="center" fileref="images/network.png" /></para>
|
||||||
</section>
|
</section>
|
||||||
@ -167,7 +163,7 @@
|
|||||||
|
|
||||||
<blockquote>
|
<blockquote>
|
||||||
<programlisting>LOGFILE=/var/log/messages
|
<programlisting>LOGFILE=/var/log/messages
|
||||||
LOGFORMAT="Shorewall:%s:%s "
|
LOGFORMAT="Shorewall:%s:%s "
|
||||||
LOGRATE=
|
LOGRATE=
|
||||||
LOGBURST=
|
LOGBURST=
|
||||||
LOGUNCLEAN=$LOG
|
LOGUNCLEAN=$LOG
|
||||||
@ -213,10 +209,9 @@ TCP_FLAGS_DISPOSITION=DROP</programlisting>
|
|||||||
<title>Params File (Edited)</title>
|
<title>Params File (Edited)</title>
|
||||||
|
|
||||||
<blockquote>
|
<blockquote>
|
||||||
<para><programlisting>MIRRORS=<list of shorewall mirror ip addresses>
|
<para><programlisting>MIRRORS=<list of shorewall mirror ip addresses>
|
||||||
NTPSERVERS=<list of the NTP servers I sync with>
|
NTPSERVERS=<list of the NTP servers I sync with>
|
||||||
TEXAS=<ip address of gateway in Plano>
|
TEXAS=<ip address of gateway in Plano>
|
||||||
OMAK=64.139.97.48
|
|
||||||
LOG=info
|
LOG=info
|
||||||
EXT_IF=eth1
|
EXT_IF=eth1
|
||||||
INT_IF=eth2
|
INT_IF=eth2
|
||||||
@ -232,7 +227,7 @@ DMZ_IF=eth0</programlisting></para>
|
|||||||
net Internet Internet
|
net Internet Internet
|
||||||
dmz DMZ Demilitarized zone
|
dmz DMZ Demilitarized zone
|
||||||
loc Local Local networks
|
loc Local Local networks
|
||||||
omak Omak Our Laptop in Omak
|
road Roadwarrior Our Laptop on the Road
|
||||||
tx Texas Peer Network in Dallas
|
tx Texas Peer Network in Dallas
|
||||||
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
|
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
|
||||||
</programlisting>
|
</programlisting>
|
||||||
@ -251,6 +246,7 @@ net $EXT_IF 206.124.146.255 dhcp,norfc1918,routefilter,logmartians,blacklist
|
|||||||
loc $INT_IF detect dhcp
|
loc $INT_IF detect dhcp
|
||||||
dmz $DMZ_IF -
|
dmz $DMZ_IF -
|
||||||
- texas -
|
- texas -
|
||||||
|
road tun+ -
|
||||||
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
|
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
|
||||||
</blockquote>
|
</blockquote>
|
||||||
</section>
|
</section>
|
||||||
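Review bot: The new `road tun+ -` entry makes every tun device on the firewall a member of the `road` zone, and the policy changes in this patch let `road` reach `loc` unconditionally, so any other software that brings up a tun interface would inherit that trust. If OpenVPN is the only tun user this is fine; otherwise pin it to the actual device (the Tipper-side interfaces file added later in this patch uses `tun0`). A short remark in the surrounding prose about why `tun+` is safe here would help readers copying the entry.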
@ -261,23 +257,10 @@ dmz $DMZ_IF -
|
|||||||
<blockquote>
|
<blockquote>
|
||||||
<programlisting>#ZONE HOST(S) OPTIONS
|
<programlisting>#ZONE HOST(S) OPTIONS
|
||||||
tx texas:192.168.8.0/22
|
tx texas:192.168.8.0/22
|
||||||
omak $EXT_IF:$OMAK
|
|
||||||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
|
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
|
||||||
</blockquote>
|
</blockquote>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section>
|
|
||||||
<title>Ipsec File</title>
|
|
||||||
|
|
||||||
<blockquote>
|
|
||||||
<programlisting>#ZONE IPSEC OPTIONS IN OUT
|
|
||||||
# ONLY OPTIONS OPTIONS
|
|
||||||
omak yes mode=tunnel
|
|
||||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
|
||||||
</programlisting>
|
|
||||||
</blockquote>
|
|
||||||
</section>
|
|
||||||
|
|
||||||
<section>
|
<section>
|
||||||
<title>Routestopped File</title>
|
<title>Routestopped File</title>
|
||||||
|
|
||||||
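Review bot: Deleting the `Ipsec File` section together with the `omak $EXT_IF:$OMAK` hosts entry changes what defines the remote-laptop zone, and the document does not say so. Before, `omak` traffic had to arrive from `$OMAK` and match an IPsec policy (`omak yes mode=tunnel`); after, `road` is simply whatever appears on `tun+`, so membership of the zone now rests entirely on OpenVPN's certificate verification. One sentence stating that, where the `road` zone is introduced, would make the trust model explicit.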
@ -285,7 +268,6 @@ omak yes mode=tunnel
|
|||||||
<programlisting>#INTERFACE HOST(S)
|
<programlisting>#INTERFACE HOST(S)
|
||||||
$DMZ_IF 206.124.146.177
|
$DMZ_IF 206.124.146.177
|
||||||
$INT_IF -
|
$INT_IF -
|
||||||
$EXT_IF $OMAK
|
|
||||||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
|
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
|
||||||
</blockquote>
|
</blockquote>
|
||||||
</section>
|
</section>
|
||||||
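Review bot: Removing `$EXT_IF $OMAK` from routestopped leaves no entry for the VPN at all: neither `tun+` nor the OpenVPN port on `$EXT_IF` is listed, so while Shorewall is stopped (or a restart fails) the remote laptop is cut off from the site. The old entry existed precisely so the second home kept access in that state; if that is still wanted, add a `tun+ -` line or note that out-of-band access is now deliberately unavailable.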
@ -330,16 +312,9 @@ $EXT_IF $OMAK
|
|||||||
<programlisting>#SOURCE DESTINATION POLICY LOG LEVEL BURST:LIMIT
|
<programlisting>#SOURCE DESTINATION POLICY LOG LEVEL BURST:LIMIT
|
||||||
fw fw ACCEPT
|
fw fw ACCEPT
|
||||||
loc net ACCEPT
|
loc net ACCEPT
|
||||||
omak fw ACCEPT
|
fw road ACCEPT
|
||||||
fw omak ACCEPT
|
road loc ACCEPT
|
||||||
omak loc ACCEPT
|
loc road ACCEPT
|
||||||
loc omak ACCEPT
|
|
||||||
omak net NONE
|
|
||||||
net omak NONE
|
|
||||||
omak dmz NONE
|
|
||||||
dmz omak NONE
|
|
||||||
omak tx NONE
|
|
||||||
tx omak NONE
|
|
||||||
$FW loc ACCEPT
|
$FW loc ACCEPT
|
||||||
$FW tx ACCEPT
|
$FW tx ACCEPT
|
||||||
loc tx ACCEPT
|
loc tx ACCEPT
|
||||||
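Review bot: The old `omak fw ACCEPT` has no `road fw` counterpart among the new lines (`fw road ACCEPT`, `road loc ACCEPT`, `loc road ACCEPT`), so traffic from the laptop to the firewall itself now falls through to the `all all REJECT $LOG` catch-all visible in the next hunk header. If the laptop should reach the firewall over the tunnel (ssh, dns, ntp), add `road $FW ACCEPT`. The six `NONE` pairs for `omak` were dropped without `road` equivalents, which is correct now that `road` traffic can actually arrive via `tun+`, but it means `road net` and `road dmz` attempts will be rejected and logged rather than silently impossible. Minor: the new line uses literal `fw` while the following lines use `$FW`; pick one.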
@ -356,14 +331,15 @@ all all REJECT $LOG
|
|||||||
|
|
||||||
<blockquote>
|
<blockquote>
|
||||||
<para>Although most of our internal systems use one-to-one NAT, my
|
<para>Although most of our internal systems use one-to-one NAT, my
|
||||||
wife's system (192.168.1.4) uses IP Masquerading (actually SNAT) as
|
wife's system (192.168.1.4) uses IP Masquerading (actually SNAT)
|
||||||
does our laptop (192.168.1.8) and visitors with laptops.</para>
|
as does our laptop (192.168.1.8) and visitors with laptops.</para>
|
||||||
|
|
||||||
<para>The first entry allows access to the DSL modem and uses features
|
<para>The first entry allows access to the DSL modem and uses features
|
||||||
introduced in Shorewall 2.1.1. The leading plus sign ("+_") causes the
|
introduced in Shorewall 2.1.1. The leading plus sign ("+_")
|
||||||
rule to be placed before rules generated by the /etc/shorewall/nat
|
causes the rule to be placed before rules generated by the
|
||||||
file below. The double colons ("::") causes the entry to be exempt
|
/etc/shorewall/nat file below. The double colons ("::") causes
|
||||||
from ADD_SNAT_ALIASES=Yes in my shorewall.conf file above.</para>
|
the entry to be exempt from ADD_SNAT_ALIASES=Yes in my shorewall.conf
|
||||||
|
file above.</para>
|
||||||
|
|
||||||
<programlisting>#INTERFACE SUBNET ADDRESS
|
<programlisting>#INTERFACE SUBNET ADDRESS
|
||||||
+$EXT_IF::192.168.1.1 0.0.0.0/0 192.168.1.254
|
+$EXT_IF::192.168.1.1 0.0.0.0/0 192.168.1.254
|
||||||
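Review bot: The phrase `The leading plus sign ("+_")` in the rewrapped text looks like it has a stray underscore, since the listing below shows only `+$EXT_IF::...`; it should probably read `("+")`. Also "The double colons ("::") causes" should be "cause".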
@ -401,13 +377,12 @@ $EXT_IF:2 eth2 206.124.146.176
|
|||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section>
|
<section>
|
||||||
<title>Tunnels File (Shell variables TEXAS and OMAK set in
|
<title>Tunnels File (Shell variable TEXAS set in /etc/shorewall/params)</title>
|
||||||
/etc/shorewall/params)</title>
|
|
||||||
|
|
||||||
<blockquote>
|
<blockquote>
|
||||||
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE PORT
|
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE PORT
|
||||||
gre net $TEXAS
|
gre net $TEXAS
|
||||||
ipsec:noah net $OMAK omak
|
openvpn:1194 net 0.0.0.0/0
|
||||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
||||||
</blockquote>
|
</blockquote>
|
||||||
</section>
|
</section>
|
||||||
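Review bot: `openvpn:1194 net 0.0.0.0/0` opens the OpenVPN port to the whole Internet, which is unavoidable for a roaming client but worth a sentence of explanation where the old line accepted IPsec only from `$OMAK`. The entry relies on both Shorewall and OpenVPN defaulting to UDP (the server.conf added later in this patch has no `proto` line); if the protocol is ever changed on one side, the other has to change with it. Since the port is world-reachable, a `tls-auth` static key in server.conf would let the daemon discard unauthenticated packets before attempting a TLS handshake.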
@ -428,8 +403,7 @@ Mirrors #Accept traffic from the Shorewall Mirror sites
|
|||||||
<blockquote>
|
<blockquote>
|
||||||
<para>The $MIRRORS variable expands to a list of approximately 10 IP
|
<para>The $MIRRORS variable expands to a list of approximately 10 IP
|
||||||
addresses. So moving these checks into a separate chain reduces the
|
addresses. So moving these checks into a separate chain reduces the
|
||||||
number of rules that most net->dmz traffic needs to
|
number of rules that most net->dmz traffic needs to traverse.</para>
|
||||||
traverse.</para>
|
|
||||||
|
|
||||||
<programlisting>#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
|
<programlisting>#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
|
||||||
# PORT PORT(S) DEST LIMIT
|
# PORT PORT(S) DEST LIMIT
|
||||||
@ -456,7 +430,7 @@ RejectSMB
|
|||||||
DropUPnP
|
DropUPnP
|
||||||
dropNotSyn
|
dropNotSyn
|
||||||
DropDNSrep
|
DropDNSrep
|
||||||
DROP loc:eth2:!192.168.1.0/24 #So that my braindead Windows[tm] XP system doesn't flood my log
|
DROP loc:eth2:!192.168.1.0/24 #So that my braindead Windows[tm] XP system doesn't flood my log
|
||||||
#with NTP requests with a source address in 16.0.0.0/8 (address of
|
#with NTP requests with a source address in 16.0.0.0/8 (address of
|
||||||
#its PPTP tunnel to HP).</programlisting>
|
#its PPTP tunnel to HP).</programlisting>
|
||||||
</blockquote>
|
</blockquote>
|
||||||
@ -486,7 +460,7 @@ spdadd 206.124.146.176/32 64.139.97.48/32 any -P out ipsec esp/tunnel/206.12
|
|||||||
<blockquote>
|
<blockquote>
|
||||||
<para>SA parameters for communication with our second home.</para>
|
<para>SA parameters for communication with our second home.</para>
|
||||||
|
|
||||||
<programlisting> path certificate "/etc/certs" ;
|
<programlisting> path certificate "/etc/certs" ;
|
||||||
listen
|
listen
|
||||||
{
|
{
|
||||||
isakmp 206.124.146.176;
|
isakmp 206.124.146.176;
|
||||||
@ -495,7 +469,7 @@ spdadd 206.124.146.176/32 64.139.97.48/32 any -P out ipsec esp/tunnel/206.12
|
|||||||
remote 64.139.97.48
|
remote 64.139.97.48
|
||||||
{
|
{
|
||||||
exchange_mode main ;
|
exchange_mode main ;
|
||||||
certificate_type x509 "gateway.pem" "gateway_key.pem";
|
certificate_type x509 "gateway.pem" "gateway_key.pem";
|
||||||
verify_cert on;
|
verify_cert on;
|
||||||
my_identifier asn1dn ;
|
my_identifier asn1dn ;
|
||||||
peers_identifier asn1dn ;
|
peers_identifier asn1dn ;
|
||||||
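Review bot: The firewall's IPsec configuration for Omak is left in place even though the rest of this patch removes it: the paragraph "SA parameters for communication with our second home.", the `remote 64.139.97.48` block in this hunk, and the `spdadd 206.124.146.176/32 64.139.97.48/32 ... require` policies in both hunk headers all survive, while the `omak` zone, the `ipsec:noah` tunnel entry, and Tipper's matching racoon and setkey entries are deleted. As written, the `require` policies would still force IPsec on any traffic between the firewall and 64.139.97.48, and the document now describes a tunnel that no longer has a peer. Either remove this racoon/setkey material too or state that it is intentionally kept.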
@ -531,8 +505,7 @@ sainfo address 206.124.146.176/32 any address 64.139.97.48/32 any
|
|||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section>
|
<section>
|
||||||
<title>Rules File (The shell variables are set in
|
<title>Rules File (The shell variables are set in /etc/shorewall/params)</title>
|
||||||
/etc/shorewall/params)</title>
|
|
||||||
|
|
||||||
<blockquote>
|
<blockquote>
|
||||||
<programlisting>###############################################################################################################################################################################
|
<programlisting>###############################################################################################################################################################################
|
||||||
@ -589,13 +562,13 @@ ACCEPT net dmz tcp
|
|||||||
ACCEPT net dmz udp domain
|
ACCEPT net dmz udp domain
|
||||||
ACCEPT net dmz udp 33434:33436
|
ACCEPT net dmz udp 33434:33436
|
||||||
Mirrors net dmz tcp rsync
|
Mirrors net dmz tcp rsync
|
||||||
ACCEPT net:$OMAK dmz tcp 22 #SSH from Omak
|
ACCEPT net dmz tcp 22
|
||||||
AllowPing net dmz
|
AllowPing net dmz
|
||||||
###############################################################################################################################################################################
|
###############################################################################################################################################################################
|
||||||
#
|
#
|
||||||
# Net to Local
|
# Net to Local
|
||||||
#
|
#
|
||||||
# When I'm "on the road", the following two rules allow me VPN access back home.
|
# When I'm "on the road", the following two rules allow me VPN access back home.
|
||||||
#
|
#
|
||||||
DNAT net loc:192.168.1.4 tcp 1723 -
|
DNAT net loc:192.168.1.4 tcp 1723 -
|
||||||
DNAT net:!$TEXAS loc:192.168.1.4 gre -
|
DNAT net:!$TEXAS loc:192.168.1.4 gre -
|
||||||
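Review bot: Changing `ACCEPT net:$OMAK dmz tcp 22 #SSH from Omak` to `ACCEPT net dmz tcp 22` widens SSH access to the DMZ server from one address to the entire Internet. Now that the laptop arrives through the `road` zone, the equivalent tighter rule is `ACCEPT road dmz tcp 22` (no road/dmz policy is needed beyond the existing `all all REJECT`), which keeps port 22 closed on the Internet side. If world-reachable SSH is really intended, the RATE LIMIT column and a log level on this rule would at least bound and record brute-force attempts.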
@ -626,12 +599,12 @@ REJECT:$LOG dmz net udp
|
|||||||
ACCEPT dmz net:$POPSERVERS tcp pop3
|
ACCEPT dmz net:$POPSERVERS tcp pop3
|
||||||
#
|
#
|
||||||
# Something is wrong with the FTP connection tracking code or there is some client out there
|
# Something is wrong with the FTP connection tracking code or there is some client out there
|
||||||
# that is sending a PORT command which that code doesn't understand. Either way,
|
# that is sending a PORT command which that code doesn't understand. Either way,
|
||||||
# the following works around the problem.
|
# the following works around the problem.
|
||||||
#
|
#
|
||||||
ACCEPT:$LOG dmz net tcp 1024: 20
|
ACCEPT:$LOG dmz net tcp 1024: 20
|
||||||
###############################################################################################################################################################################
|
###############################################################################################################################################################################
|
||||||
# DMZ to Firewall -- ntp & snmp, Silently reject Auth
|
# DMZ to Firewall -- ntp & snmp, Silently reject Auth
|
||||||
#
|
#
|
||||||
ACCEPT dmz fw udp ntp ntp
|
ACCEPT dmz fw udp ntp ntp
|
||||||
ACCEPT dmz fw tcp 161,ssh
|
ACCEPT dmz fw tcp 161,ssh
|
||||||
@ -672,6 +645,40 @@ ACCEPT tx loc:192.168.1.5 all
|
|||||||
</blockquote>
|
</blockquote>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
|
<section>
|
||||||
|
<title>/etc/openvpn/server.conf</title>
|
||||||
|
|
||||||
|
<para>This is my OpenVPN server configuration file:</para>
|
||||||
|
|
||||||
|
<blockquote>
|
||||||
|
<programlisting>dev tun
|
||||||
|
|
||||||
|
server 192.168.2.0 255.255.255.0
|
||||||
|
|
||||||
|
dh /etc/openvpn/dh1024.pem
|
||||||
|
|
||||||
|
ca /etc/certs/cacert.pem
|
||||||
|
|
||||||
|
cert /etc/certs/gateway.pem
|
||||||
|
key /etc/certs/gateway_key.pem
|
||||||
|
|
||||||
|
port 1194
|
||||||
|
|
||||||
|
comp-lzo
|
||||||
|
|
||||||
|
user nobody
|
||||||
|
group nogroup
|
||||||
|
|
||||||
|
ping 15
|
||||||
|
ping-restart 45
|
||||||
|
ping-timer-rem
|
||||||
|
persist-tun
|
||||||
|
persist-key
|
||||||
|
|
||||||
|
verb 3</programlisting>
|
||||||
|
</blockquote>
|
||||||
|
</section>
|
||||||
|
|
||||||
<section>
|
<section>
|
||||||
<title>/etc/network/interfaces</title>
|
<title>/etc/network/interfaces</title>
|
||||||
|
|
||||||
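Review bot: Three things are missing from the new server.conf for the setup described elsewhere in this patch. First, there is no `push "route 192.168.1.0 255.255.255.0"` (or equivalent in the client file), yet the policy hunk expects `road` hosts to talk to `loc`; the client-side `/etc/openvpn/home.conf` section added below is still empty, so nothing in the document shows where that route comes from. Second, the port is open to `0.0.0.0/0` per the tunnels hunk but there is no `tls-auth`, so every stray packet reaching 1194 costs a TLS handshake attempt. Third, `dh /etc/openvpn/dh1024.pem` names a 1024-bit DH group; generating a 2048-bit group is cheap and worth stating in the prose. The reuse of racoon's `gateway.pem`/`gateway_key.pem` for OpenVPN is fine, but say so, since readers will otherwise look for a separate certificate. `user nobody`/`group nogroup` together with `persist-key`/`persist-tun` is the right combination.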
@ -684,7 +691,7 @@ ACCEPT tx loc:192.168.1.5 all
|
|||||||
auto lo
|
auto lo
|
||||||
iface lo inet loopback
|
iface lo inet loopback
|
||||||
|
|
||||||
# DMZ interface -- after the interface is up, add a host route to the server. This allows 'Yes' in the
|
# DMZ interface -- after the interface is up, add a host route to the server. This allows 'Yes' in the
|
||||||
# HAVEROUTE column of the /etc/shorewall/proxyarp file. Note that the DMZ interface has
|
# HAVEROUTE column of the /etc/shorewall/proxyarp file. Note that the DMZ interface has
|
||||||
# the same IP address as the Internet interface but has no broadcast address or network.
|
# the same IP address as the Internet interface but has no broadcast address or network.
|
||||||
|
|
||||||
@ -695,7 +702,7 @@ iface eth0 inet static
|
|||||||
broadcast 0.0.0.0
|
broadcast 0.0.0.0
|
||||||
up ip route add 206.124.146.177 dev eth0
|
up ip route add 206.124.146.177 dev eth0
|
||||||
|
|
||||||
# Internet interface -- after the interface is up, add a host route to the DSL 'Modem' (Westell 2200).
|
# Internet interface -- after the interface is up, add a host route to the DSL 'Modem' (Westell 2200).
|
||||||
|
|
||||||
auto eth1
|
auto eth1
|
||||||
iface eth1 inet static
|
iface eth1 inet static
|
||||||
@ -704,7 +711,7 @@ iface eth1 inet static
|
|||||||
gateway 206.124.146.254
|
gateway 206.124.146.254
|
||||||
up ip route add 192.168.1.1 dev eth1
|
up ip route add 192.168.1.1 dev eth1
|
||||||
|
|
||||||
# Local LAN interface -- after the interface is up, add a net route to the Wireless network through 'Ursa'.
|
# Local LAN interface -- after the interface is up, add a net route to the Wireless network through 'Ursa'.
|
||||||
|
|
||||||
auto eth2
|
auto eth2
|
||||||
iface eth2 inet static
|
iface eth2 inet static
|
||||||
@ -720,20 +727,20 @@ iface eth2 inet static
|
|||||||
<title>Wireless IPSEC Gateway (Ursa) Configuration</title>
|
<title>Wireless IPSEC Gateway (Ursa) Configuration</title>
|
||||||
|
|
||||||
<para>As mentioned above, Ursa acts as an IPSEC gateway for the wireless
|
<para>As mentioned above, Ursa acts as an IPSEC gateway for the wireless
|
||||||
network. It's view of the network is diagrammed in the following
|
network. It's view of the network is diagrammed in the following
|
||||||
figure.</para>
|
figure.</para>
|
||||||
|
|
||||||
<graphic align="center" fileref="images/network1.png" valign="middle" />
|
<graphic align="center" fileref="images/network1.png" valign="middle" />
|
||||||
|
|
||||||
<para>I've included the files that I used to configure that system.</para>
|
<para>I've included the files that I used to configure that system.</para>
|
||||||
|
|
||||||
<section>
|
<section>
|
||||||
<title>zones</title>
|
<title>zones</title>
|
||||||
|
|
||||||
<blockquote>
|
<blockquote>
|
||||||
<para>Because <emphasis role="bold">loc</emphasis> is a sub-zone of
|
<para>Because <emphasis role="bold">loc</emphasis> is a sub-zone of
|
||||||
<emphasis role="bold">net</emphasis>, <emphasis
|
<emphasis role="bold">net</emphasis>, <emphasis role="bold">loc</emphasis>
|
||||||
role="bold">loc</emphasis> must be defined first.</para>
|
must be defined first.</para>
|
||||||
|
|
||||||
<programlisting>#ZONE DISPLAY COMMENTS
|
<programlisting>#ZONE DISPLAY COMMENTS
|
||||||
loc Local Local networks
|
loc Local Local networks
|
||||||
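Review bot: The unchanged context line "It's view of the network is diagrammed" should read "Its view"; since this section is being touched anyway, fix the typo in the same commit.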
@ -789,11 +796,11 @@ WiFi eth1 192.168.3.255 nobogons,blacklist,maclist,routeback
|
|||||||
<title>ipsec</title>
|
<title>ipsec</title>
|
||||||
|
|
||||||
<blockquote>
|
<blockquote>
|
||||||
<para>The mss=1400 in the OUT OPTIONS of the 'net' zone uses a feature
|
<para>The mss=1400 in the OUT OPTIONS of the 'net' zone uses a
|
||||||
added in 2.1.12 and sets the MSS field in TCP SYN packets forwarded to
|
feature added in 2.1.12 and sets the MSS field in TCP SYN packets
|
||||||
the 'net' zone to 1400. This works around a problem whereby ICMP
|
forwarded to the 'net' zone to 1400. This works around a
|
||||||
fragmentation-needed packets are being dropped somewhere between my
|
problem whereby ICMP fragmentation-needed packets are being dropped
|
||||||
main firewall and the IMAP server at my work.</para>
|
somewhere between my main firewall and the IMAP server at my work.</para>
|
||||||
|
|
||||||
<programlisting>#ZONE IPSEC OPTIONS IN OUT
|
<programlisting>#ZONE IPSEC OPTIONS IN OUT
|
||||||
# ONLY OPTIONS OPTIONS
|
# ONLY OPTIONS OPTIONS
|
||||||
@ -853,8 +860,7 @@ eth1 00:0b:c1:53:cc:97 192.168.3.8 #TIPPER
|
|||||||
<title>/etc/racoon/setkey.conf</title>
|
<title>/etc/racoon/setkey.conf</title>
|
||||||
|
|
||||||
<blockquote>
|
<blockquote>
|
||||||
<para>This defines encryption policies to/from the wireless
|
<para>This defines encryption policies to/from the wireless network.</para>
|
||||||
network.</para>
|
|
||||||
|
|
||||||
<programlisting>flush;
|
<programlisting>flush;
|
||||||
spdflush;
|
spdflush;
|
||||||
@ -871,7 +877,7 @@ spdadd 192.168.3.8/32 0.0.0.0/0 any -P in ipsec esp/tunnel/192.16
|
|||||||
<para>SA parameters for communication with our wireless network
|
<para>SA parameters for communication with our wireless network
|
||||||
(Tipper is currently the only Wireless host).</para>
|
(Tipper is currently the only Wireless host).</para>
|
||||||
|
|
||||||
<programlisting>path certificate "/etc/certs";
|
<programlisting>path certificate "/etc/certs";
|
||||||
|
|
||||||
listen
|
listen
|
||||||
{
|
{
|
||||||
@ -881,7 +887,7 @@ listen
|
|||||||
remote 192.168.3.8
|
remote 192.168.3.8
|
||||||
{
|
{
|
||||||
exchange_mode main ;
|
exchange_mode main ;
|
||||||
certificate_type x509 "ursa.pem" "ursa_key.pem";
|
certificate_type x509 "ursa.pem" "ursa_key.pem";
|
||||||
verify_cert on;
|
verify_cert on;
|
||||||
my_identifier asn1dn ;
|
my_identifier asn1dn ;
|
||||||
peers_identifier asn1dn ;
|
peers_identifier asn1dn ;
|
||||||
@ -908,19 +914,18 @@ sainfo address 0.0.0.0/0 any address 192.168.3.8/32 any
|
|||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section>
|
<section>
|
||||||
<title>Tipper Configuration</title>
|
<title>Tipper Configuration while at Home</title>
|
||||||
|
|
||||||
<para>This laptop is either configured on our wireless network
|
<para>This laptop is either configured on our wireless network
|
||||||
(192.168.3.8) or as a standalone system in our second home (64.139.97.48).
|
(192.168.3.8) or as a standalone system on the road. While this system is
|
||||||
The Shorewall and Racoon configurations are the same regardless of where
|
connected via our wireless network, it uses IPSEC tunnel mode for all
|
||||||
Tipper is connected -- only the IP configuration changes.</para>
|
access.</para>
|
||||||
|
|
||||||
<para>Tipper's view of the work is shown in the following diagram:</para>
|
<para>Tipper's view of the world is shown in the following diagram:</para>
|
||||||
|
|
||||||
<graphic align="center" fileref="images/network2.png" valign="middle" />
|
<graphic align="center" fileref="images/network2.png" valign="middle" />
|
||||||
|
|
||||||
<para>The key configuration files are shown in the following
|
<para>The key configuration files are shown in the following sections.</para>
|
||||||
sections.</para>
|
|
||||||
|
|
||||||
<section>
|
<section>
|
||||||
<title>zones</title>
|
<title>zones</title>
|
||||||
@ -1002,14 +1007,7 @@ ACCEPT net fw tcp 4000:4100
|
|||||||
<programlisting>flush;
|
<programlisting>flush;
|
||||||
spdflush;
|
spdflush;
|
||||||
|
|
||||||
# Policies for while we are in Omak
|
# Policies for while we're connected via Wireless at home
|
||||||
|
|
||||||
spdadd 64.139.97.48/32 206.124.146.176/32 any -P out ipsec esp/tunnel/64.139.97.48-206.124.146.176/require;
|
|
||||||
spdadd 206.124.146.176/32 64.139.97.48/32 any -P in ipsec esp/tunnel/206.124.146.176-64.139.97.48/require;
|
|
||||||
spdadd 192.168.1.0/24 64.139.97.48/32 any -P in ipsec esp/tunnel/206.124.146.176-64.139.97.48/require;
|
|
||||||
spdadd 64.139.97.48/32 192.168.1.0/24 any -P out ipsec esp/tunnel/64.139.97.48-206.124.146.176/require;
|
|
||||||
|
|
||||||
# Policies for while we're connected via Wireless at home
|
|
||||||
|
|
||||||
spdadd 192.168.3.8/32 192.168.3.8/32 any -P in none;
|
spdadd 192.168.3.8/32 192.168.3.8/32 any -P in none;
|
||||||
spdadd 192.168.3.8/32 192.168.3.8/32 any -P out none;
|
spdadd 192.168.3.8/32 192.168.3.8/32 any -P out none;
|
||||||
@ -1025,35 +1023,17 @@ spdadd 192.168.3.8/32 0.0.0.0/0 any -P out ipsec esp/tunnel/192.168
|
|||||||
<title>/etc/racoon/racoon.conf</title>
|
<title>/etc/racoon/racoon.conf</title>
|
||||||
|
|
||||||
<blockquote>
|
<blockquote>
|
||||||
<programlisting>path certificate "/etc/certs";
|
<programlisting>path certificate "/etc/certs";
|
||||||
|
|
||||||
listen
|
listen
|
||||||
{
|
{
|
||||||
isakmp 64.139.97.48;
|
|
||||||
isakmp 192.168.3.8;
|
isakmp 192.168.3.8;
|
||||||
}
|
}
|
||||||
|
|
||||||
remote 206.124.146.176
|
|
||||||
{
|
|
||||||
exchange_mode main ;
|
|
||||||
certificate_type x509 "tipper.pem" "tipper_key.pem";
|
|
||||||
verify_cert on;
|
|
||||||
my_identifier asn1dn ;
|
|
||||||
peers_identifier asn1dn ;
|
|
||||||
verify_identifier on ;
|
|
||||||
lifetime time 24 hour ;
|
|
||||||
proposal {
|
|
||||||
encryption_algorithm 3des;
|
|
||||||
hash_algorithm sha1;
|
|
||||||
authentication_method rsasig ;
|
|
||||||
dh_group 2 ;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
remote 192.168.3.254
|
remote 192.168.3.254
|
||||||
{
|
{
|
||||||
exchange_mode main ;
|
exchange_mode main ;
|
||||||
certificate_type x509 "tipper.pem" "tipper_key.pem";
|
certificate_type x509 "tipper.pem" "tipper_key.pem";
|
||||||
verify_cert on;
|
verify_cert on;
|
||||||
my_identifier asn1dn ;
|
my_identifier asn1dn ;
|
||||||
peers_identifier asn1dn ;
|
peers_identifier asn1dn ;
|
||||||
@ -1067,24 +1047,6 @@ remote 192.168.3.254
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
sainfo address 64.139.97.48/32 any address 192.168.1.0/24 any
|
|
||||||
{
|
|
||||||
pfs_group 2;
|
|
||||||
lifetime time 12 hour ;
|
|
||||||
encryption_algorithm 3des, blowfish, des, rijndael ;
|
|
||||||
authentication_algorithm hmac_sha1, hmac_md5 ;
|
|
||||||
compression_algorithm deflate ;
|
|
||||||
}
|
|
||||||
|
|
||||||
sainfo address 64.139.97.48/32 any address 206.124.146.176/32 any
|
|
||||||
{
|
|
||||||
pfs_group 2;
|
|
||||||
lifetime time 12 hour ;
|
|
||||||
encryption_algorithm 3des, blowfish, des, rijndael ;
|
|
||||||
authentication_algorithm hmac_sha1, hmac_md5 ;
|
|
||||||
compression_algorithm deflate ;
|
|
||||||
}
|
|
||||||
|
|
||||||
sainfo address 192.168.3.8/32 any address 0.0.0.0/0 any
|
sainfo address 192.168.3.8/32 any address 0.0.0.0/0 any
|
||||||
{
|
{
|
||||||
pfs_group 2;
|
pfs_group 2;
|
||||||
@ -1096,4 +1058,76 @@ sainfo address 192.168.3.8/32 any address 0.0.0.0/0 any
|
|||||||
</blockquote>
|
</blockquote>
|
||||||
</section>
|
</section>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
|
<section>
|
||||||
|
<title>Tipper Configuration on the Road</title>
|
||||||
|
|
||||||
|
<para>When Tipper is on the road, it's world view is the same as in
|
||||||
|
the diagram above.</para>
|
||||||
|
|
||||||
|
<section>
|
||||||
|
<title>zones</title>
|
||||||
|
|
||||||
|
<blockquote>
|
||||||
|
<programlisting>#ZONE DISPLAY COMMENTS
|
||||||
|
home Home Shorewall Network
|
||||||
|
net Net Internet
|
||||||
|
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
|
||||||
|
</programlisting>
|
||||||
|
</blockquote>
|
||||||
|
</section>
|
||||||
|
|
||||||
|
<section>
|
||||||
|
<title>policy</title>
|
||||||
|
|
||||||
|
<blockquote>
|
||||||
|
<programlisting>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
|
||||||
|
fw net ACCEPT
|
||||||
|
fw home ACCEPT
|
||||||
|
home fw ACCEPT
|
||||||
|
net home NONE
|
||||||
|
home net NONE
|
||||||
|
net all DROP info
|
||||||
|
# The FOLLOWING POLICY MUST BE LAST
|
||||||
|
all all REJECT info
|
||||||
|
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
|
||||||
|
</blockquote>
|
||||||
|
</section>
|
||||||
|
|
||||||
|
<section>
|
||||||
|
<title>interfaces</title>
|
||||||
|
|
||||||
|
<blockquote>
|
||||||
|
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||||
|
net eth0 detect dhcp,tcpflags
|
||||||
|
home tun0 -
|
||||||
|
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
||||||
|
</blockquote>
|
||||||
|
</section>
|
||||||
|
|
||||||
|
<section>
|
||||||
|
<title>rules</title>
|
||||||
|
|
||||||
|
<blockquote>
|
||||||
|
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
|
||||||
|
# PORT PORT(S) DEST LIMIT GROUP
|
||||||
|
ACCEPT net fw icmp 8
|
||||||
|
ACCEPT net fw tcp 22
|
||||||
|
ACCEPT net fw tcp 4000:4100
|
||||||
|
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
||||||
|
</blockquote>
|
||||||
|
</section>
|
||||||
|
|
||||||
|
<section>
|
||||||
|
<title>/etc/openvpn/home.conf</title>
|
||||||
|
|
||||||
|
<para></para>
|
||||||
|
|
||||||
|
<blockquote>
|
||||||
|
<para></para>
|
||||||
|
|
||||||
|
<programlisting></programlisting>
|
||||||
|
</blockquote>
|
||||||
|
</section>
|
||||||
|
</section>
|
||||||
</article>
|
</article>
|
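Review bot: The new `/etc/openvpn/home.conf` section is an empty placeholder (`<para></para>`, `<para></para>`, `<programlisting></programlisting>`); either fill it in before publishing or leave the section out, since the server.conf hunk earlier in this patch depends on it to show how the client learns its routes. In the new `rules` listing, `ACCEPT net fw tcp 22` and `ACCEPT net fw tcp 4000:4100` accept from the whole `net` zone on a laptop that, by this section's definition, sits on untrusted networks; `home fw ACCEPT` in the policy already covers access from the home side through the tunnel, so consider dropping the `net` rules (or at least rate-limiting port 22) in the road profile. Also "it's world view" in the introductory paragraph should be "its world view".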