diff --git a/docs/SharedConfig.xml b/docs/SharedConfig.xml index 03fcc12e0..1c2efd847 100644 --- a/docs/SharedConfig.xml +++ b/docs/SharedConfig.xml @@ -2,7 +2,7 @@
- + Shared Shorewall and Shorewall6 Configuration @@ -20,6 +20,8 @@ 2017 + 2020 + Thomas M. Eastep @@ -37,7 +39,7 @@
Introduction - Netfilter separates management of IPv4 and IPv6 configurations. Each + Iptables separates management of IPv4 and IPv6 configurations. Each address family has its own utility (iptables and ip6tables), and changes made to the configuration of one address family do not affect the other. While Shorewall also separates the address families in this way, it is @@ -68,7 +70,7 @@ Here is a diagram of this installation: - +
@@ -76,36 +78,40 @@ Here are the contents of /etc/shorewall/ and /etc/shorewal6/: - root@gateway:~# ls -l /etc/shorewall/ -total 92 + root@gateway:~# ls -l /etc/shorewall +total 120 -rw-r--r-- 1 root root 201 Mar 19 2017 action.Mirrors --rw-r--r-- 1 root root 109 Oct 20 09:18 actions --rw-r--r-- 1 root root 654 Oct 13 13:46 conntrack --rw-r--r-- 1 root root 104 Oct 13 13:21 hosts --rw-r--r-- 1 root root 867 Jul 1 10:50 interfaces --rw-r--r-- 1 root root 107 Jun 29 15:14 isusable --rw-r--r-- 1 root root 240 Oct 13 13:34 macro.FTP --rw-r--r-- 1 root root 559 Oct 19 12:56 mangle --rw-r--r-- 1 root root 1290 Jun 29 15:16 mirrors --rw-r--r-- 1 root root 2687 Oct 15 14:20 params --rw-r--r-- 1 root root 738 Oct 15 12:16 policy --rw-r--r-- 1 root root 1838 Oct 11 08:29 providers +-rw-r--r-- 1 root root 109 Oct 20 2017 actions +-rw-r--r-- 1 root root 82 Oct 5 2018 arprules +-rw-r--r-- 1 root root 528 Oct 7 2019 blrules +-rw-r--r-- 1 root root 1797 Sep 16 2019 capabilities +-rw-r--r-- 1 root root 656 Jun 10 2018 conntrack +-rw-r--r-- 1 root root 104 Oct 13 2017 hosts +-rw-r--r-- 1 root root 867 Jun 10 2018 interfaces +-rw-r--r-- 1 root root 107 Jun 29 2017 isusable +-rw-r--r-- 1 root root 240 Oct 13 2017 macro.FTP +-rw-r--r-- 1 root root 705 Oct 22 2019 mangle +-rw-r--r-- 1 root root 1308 Apr 2 2018 mirrors +-rw-r--r-- 1 root root 2889 Apr 23 17:13 params +-rw-r--r-- 1 root root 1096 Oct 14 2019 policy +-rw-r--r-- 1 root root 2098 Apr 23 17:19 providers -rw-r--r-- 1 root root 398 Mar 18 2017 proxyarp --rw-r--r-- 1 root root 738 Nov 8 09:34 routes --rw-r--r-- 1 root root 729 Nov 7 12:52 rtrules --rw-r--r-- 1 root root 6367 Oct 13 13:21 rules --rw-r--r-- 1 root root 5520 Oct 19 10:01 shorewall.conf --rw-r--r-- 1 root root 1090 Oct 25 15:17 snat --rw-r--r-- 1 root root 181 Jun 29 15:12 started --rw-r--r-- 1 root root 435 Oct 13 13:21 tunnels --rw-r--r-- 1 root root 941 Oct 15 11:27 zones -root@gateway:~# ls -l /etc/shorewall6/ -total 8 -lrwxrwxrwx 1 root root 20 Jul 6 16:35 
mirrors -> ../shorewall/mirrors -lrwxrwxrwx 1 root root 19 Jul 6 12:48 params -> ../shorewall/params --rw-r--r-- 1 root root 5332 Oct 14 11:53 shorewall6.conf -root@gateway:~# - +-rw-r--r-- 1 root root 726 Oct 24 2018 routes +-rw-r--r-- 1 root root 729 Mar 1 11:08 rtrules +-rw-r--r-- 1 root root 8593 Feb 25 08:49 rules +-rw-r--r-- 1 root root 5490 Mar 1 18:34 shorewall.conf +-rw-r--r-- 1 root root 1090 Sep 16 2019 snat +-rw-r--r-- 1 root root 180 Jan 30 2018 started +-rw-r--r-- 1 root root 539 Feb 6 14:33 stoppedrules +-rw-r--r-- 1 root root 435 Oct 13 2017 tunnels +-rw-r--r-- 1 root root 941 Oct 15 2017 zones +root@gateway:~# ls -l /etc/shorewall6 +total 12 +-rw-r--r-- 1 root root 1786 Sep 16 2019 capabilities +lrwxrwxrwx 1 root root 20 Jul 6 2017 mirrors -> ../shorewall/mirrors +lrwxrwxrwx 1 root root 19 Jul 6 2017 params -> ../shorewall/params +-rw-r--r-- 1 root root 5324 Oct 18 2019 shorewall6.conf +root@gateway:~# The various configuration files are described in the sections that follow. Note that in all cases, these files use the +ZONE_BITS=0
@@ -348,34 +352,35 @@ ZONE_BITS=0 # For information about the settings in this file, type "man shorewall6.conf" # # Manpage also online at -# https://shorewall.org/manpages/shorewall.conf.html +# http://www.shorewall.net/manpages6/shorewall6.conf.html ############################################################################### -# S T A R T U P E N A B L E D +# S T A R T U P E N A B L E D ############################################################################### STARTUP_ENABLED=Yes ############################################################################### -# V E R B O S I T Y +# V E R B O S I T Y ############################################################################### VERBOSITY=1 ############################################################################### -# P A G E R +# P A G E R ############################################################################### PAGER=pager ############################################################################### -# F I R E W A L L +# F I R E W A L L ############################################################################### FIREWALL= ############################################################################### -# L O G G I N G +# L O G G I N G ############################################################################### LOG_LEVEL="NFLOG(0,64,1)" BLACKLIST_LOG_LEVEL="none" INVALID_LOG_LEVEL= LOG_BACKEND=netlink LOG_VERBOSITY=2 +LOG_ZONE=Src LOGALLNEW= LOGFILE=/var/log/ulogd/ulogd.syslogemu.log -LOGFORMAT="%s %s " +LOGFORMAT="%s %s" LOGLIMIT="s:5/min" LOGTAGONLY=Yes MACLIST_LOG_LEVEL="$LOG_LEVEL" 
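Review bot: The manpage pointer in the shorewall6.conf header is changed from an https link to a plain `http://www.shorewall.net/manpages6/shorewall6.conf.html`; since this file is presented as something to copy into /etc/shorewall6, the link should keep TLS, e.g. `# https://www.shorewall.net/manpages6/shorewall6.conf.html` if that host serves it over TLS. Redirecting the reference from shorewall.conf to the shorewall6.conf manpage is itself correct for this file. The new `LOG_ZONE=Src` line has no comment, which matches the rest of this settings listing, so nothing further is needed there.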
@@ -387,7 +392,7 @@ STARTUP_LOG=/var/log/shorewall6-init.log TCP_FLAGS_LOG_LEVEL="$LOG_LEVEL" UNTRACKED_LOG_LEVEL= ############################################################################### -# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S +# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S ############################################################################### CONFIG_PATH="${CONFDIR}/shorewall6:${CONFDIR}/shorewall:/usr/share/shorewall6:${SHAREDIR}/shorewall" GEOIPDIR=/usr/share/xt_geoip/LE @@ -404,7 +409,7 @@ SHOREWALL_SHELL=/bin/sh SUBSYSLOCK=/var/lock/subsys/shorewall6 TC= ############################################################################### -# D E F A U L T A C T I O N S / M A C R O S +# D E F A U L T A C T I O N S / M A C R O S ############################################################################### ACCEPT_DEFAULT="none" BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL" @@ -413,12 +418,12 @@ NFQUEUE_DEFAULT="none" QUEUE_DEFAULT="none" REJECT_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP)" ############################################################################### -# R S H / R C P C O M M A N D S +# R S H / R C P C O M M A N D S ############################################################################### RCP_COMMAND='scp ${files} ${root}@${system}:${destination}' RSH_COMMAND='ssh ${root}@${system} ${command}' ############################################################################### -# F I R E W A L L O P T I O N S +# F I R E W A L L O P T I O N S ############################################################################### ACCOUNTING=Yes ACCOUNTING_TABLE=mangle @@ -443,11 +448,9 @@ FORWARD_CLEAR_MARK=No HELPERS=ftp IGNOREUNKNOWNVARIABLES=No IMPLICIT_CONTINUE=No -INLINE_MATCHES=No IPSET_WARNINGS=Yes IP_FORWARDING=Keep KEEP_RT_TABLES=Yes -LOAD_HELPERS_ONLY=Yes MACLIST_TABLE=filter MACLIST_TTL= MANGLE_ENABLED=Yes 
@@ -458,6 +461,7 @@ OPTIMIZE=All OPTIMIZE_ACCOUNTING=No PERL_HASH_SEED=0 REJECT_ACTION= +RENAME_COMBINED=No REQUIRE_INTERFACE=No RESTART=restart RESTORE_DEFAULT_ROUTE=No @@ -470,7 +474,7 @@ TRACK_PROVIDERS=Yes TRACK_RULES=No USE_DEFAULT_RT=Yes USE_NFLOG_SIZE=Yes -USE_PHYSICAL_NAMES=No +USE_PHYSICAL_NAMES=Yes USE_RT_NAMES=No VERBOSE_MESSAGES=No WARNOLDCAPVERSION=Yes @@ -478,7 +482,7 @@ WORKAROUNDS=No ZERO_MARKS=No ZONE2ZONE=- ############################################################################### -# P A C K E T D I S P O S I T I O N +# P A C K E T D I S P O S I T I O N ############################################################################### BLACKLIST_DISPOSITION=DROP INVALID_DISPOSITION=CONTINUE @@ -490,13 +494,14 @@ SMURF_DISPOSITION=DROP TCP_FLAGS_DISPOSITION=DROP UNTRACKED_DISPOSITION=DROP ################################################################################ -# P A C K E T M A R K L A Y O U T +# P A C K E T M A R K L A Y O U T ################################################################################ TC_BITS=8 PROVIDER_BITS=2 PROVIDER_OFFSET=8 MASK_BITS=8 ZONE_BITS=0 +#LAST LINE -- DO NOT REMOVE
@@ -524,47 +529,50 @@ if [ $g_family = 4 ]; then # # IPv4 compilation # - FALLBACK=Yes # Make FAST_IF the primary and PROD_IF the fallback interface + FALLBACK=Yes # Make FAST_IF the primary and PROD_IF the fallback interface # See /etc/shorewall/providers - STATISTICAL=No # Don't use statistical load balancing - LISTS=70.90.191.124 # IP address of lists.shorewall.net (MX) - MAIL=70.90.191.122 # IP address of mail.shorewall.net (IMAPS) - SERVER=70.90.191.125 # IP address of shorewall.org - PROXY= # Use TPROXY for local web access - ALL=0.0.0.0/0 # Entire address space + STATISTICAL= # Use statistical load balancing + LISTS=70.90.191.124 # IP address of lists.shorewall.net (MX) + MAIL=70.90.191.122 # IP address of mail.shorewall.net (IMAPS) + SERVER=70.90.191.125 # IP address of www.shorewall.org + IRSSIEXT=10.2.10.2 # External address of irssi.shorewall.net + IRSSIINT=172.20.2.44 # Internal IP address of irssi.shorewall.net + PROXY=Yes # Use TPROXY for local web access + ALL=0.0.0.0/0 # Entire address space LOC_ADDR=172.20.1.253 # IP address of the local LAN interface FAST_GATEWAY=10.2.10.1 # Default gateway through the IF_FAST interface - FAST_MARK=0x20000 # Multi-ISP mark setting for IF_FAST + FAST_MARK=0x20000 # Multi-ISP mark setting for IF_FAST IPSECMSS=1460 # # Interface Options # LOC_OPTIONS=dhcp,ignore=1,wait=5,routefilter,routeback,tcpflags=0,nodbl,physical=eth2 - FAST_OPTIONS=optional,dhcp,tcpflags,logmartians,nosmurfs,sourceroute=0,arp_ignore=1,proxyarp=0,upnp,nosmurfs,physical=eth0 - PROD_OPTIONS=optional,dhcp,tcpflags,logmartians,nosmurfs,sourceroute=0,arp_ignore=1,proxyarp=0,upnp,nosmurfs,physical=eth1 - DMZ_OPTIONS=routeback,proxyarp=1,required,wait=30,nets=70.90.191.120/29,dhcp,nodbl,physical=br0 + FAST_OPTIONS=optional,dhcp,tcpflags,nosmurfs,sourceroute=0,arp_ignore=1,proxyarp=0,nosmurfs,rpfilter,physical=eth0 + PROD_OPTIONS=optional,dhcp,tcpflags,nosmurfs,sourceroute=0,arp_ignore=1,proxyarp=0,nosmurfs,rpfilter,physical=eth1 + 
DMZ_OPTIONS=routeback,proxyarp=1,required,wait=30,nets=70.90.191.120/29,nodbl,physical=br0 IRC_OPTIONS=routeback,proxyarp=1,required,wait=30,nets=172.20.2.0/24,dhcp,nodbl,physical=br1 else # # IPv6 compilation # - FALLBACK=Yes # Make FAST_IF the primary and PROD_IF the fallback interface - # See /etc/shorewall/providers - STATISTICAL=No # Don't use statistical load balancing - LISTS=[2001:470:b:227::42] # IP address of lists.shorewall.net (MX and HTTPS) - MAIL=[2001:470:b:227::45] # IP address of mail.shorewall.net (IMAPS and HTTPS) - SERVER=[2001:470:b:227::43] # IP address of shorewall.org (HTTP, FTP and RSYNC) - PROXY=3 # Use TPROXY for local web access - ALL=[::]/0 # Entire address space - LOC_ADDR=[2601:601:a000:16f0::1] # IP address of the local LAN interface - FAST_GATEWAY=fe80::22e5:2aff:feb7:f2cf # Default gateway through the IF_FAST interface - FAST_MARK=0x100 # Multi-ISP mark setting for IF_FAST + FALLBACK=Yes # Make FAST_IF the primary and PROD_IF the fallback interface + # See /etc/shorewall/providers + STATISTICAL=No # Don't use statistical load balancing + LISTS=[2001:470:b:227::42] # IP address of lists.shorewall.net (MX and HTTPS) + MAIL=[2001:470:b:227::45] # IP address of mail.shorewall.net (IMAPS and HTTPS) + SERVER=[2001:470:b:227::43] # IP address of www.shorewall.org (HTTP, FTP and RSYNC) + IRSSI=[2601:601:a000:16f1::]/64 # IP address of asus.shorewall.org (Bit Torrent) + PROXY=Yes # Use TPROXY for local web access + ALL=[::]/0 # Entire address space + LOC_ADDR=[2601:601:a000:16f0::1] # IP address of the local LAN interface + FAST_GATEWAY=2601:601:a000:1600:22e5:2aff:feb7:f2cf + FAST_MARK=0x100 # Multi-ISP mark setting for IF_FAST IPSECMSS=1440 # # Interface Options # - PROD_OPTIONS=forward=1,optional,physical=sit1 - FAST_OPTIONS=forward=1,optional,dhcp,upnp,physical=eth0 + PROD_OPTIONS=forward=1,optional,rpfilter,routeback,physical=sit1 + FAST_OPTIONS=forward=1,optional,dhcp,rpfilter,physical=eth0 
LOC_OPTIONS=forward=1,nodbl,routeback,physical=eth2 DMZ_OPTIONS=routeback,forward=1,required,wait=30,nodbl,physical=br0 IRC_OPTIONS=routeback,forward=1,required,wait=30,nodbl,physical=br1 @@ -579,11 +587,9 @@ fi ############################################################################### #ZONE TYPE OPTIONS IN OUT # OPTIONS OPTIONS - # # By using the 'ip' type, both Shorewall and Shorewall6 can share this file # - fw { TYPE=firewall } net { TYPE=ip } loc { TYPE=ip } @@ -599,7 +605,11 @@ vpn { TYPE=ipsec, OPTIONS=mode=tunnel,proto=esp,mss=$IPSECMSS } /etc/shorewall/interfaces makes heavy use of variables set in /etc/shorewall/params: - # + ?FORMAT 2 +############################################################################### +#ZONE INTERFACE OPTIONS + +# # The two address families use different production interfaces and different # # LOC_IF is the local LAN for both families @@ -614,8 +624,7 @@ loc { INTERFACE=LOC_IF, OPTIONS=$LOC_OPTIONS } net { INTERFACE=FAST_IF, OPTIONS=$FAST_OPTIONS } net { INTERFACE=PROD_IF, OPTIONS=$PROD_OPTIONS } dmz { INTERFACE=DMZ_IF, OPTIONS=$DMZ_OPTIONS } -apps { INTERFACE=IRC_IF, OPTIONS=$IRC_OPTIONS } - +apps { INTERFACE=IRC_IF, OPTIONS=$IRC_OPTIONS }
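Review bot: In the IPv4 branch of params, `STATISTICAL=` is now empty but its trailing comment was changed to `# Use statistical load balancing`, which reads as if the option were enabled; the providers file later in this diff selects that mode with `?elsif $STATISTICAL`, which presumably is false for an empty value, so the comment should state what empty means, e.g. `STATISTICAL= # Empty: don't use statistical load balancing (see ?elsif $STATISTICAL in providers)`. The IPv6 branch keeps `STATISTICAL=No`, so the two branches now express the same intent two different ways; one form for both would be clearer. The IPv6 `FAST_GATEWAY=2601:601:a000:1600:22e5:2aff:feb7:f2cf` line also lost the `# Default gateway through the IF_FAST interface` comment its IPv4 counterpart still carries. The enclosing `if [ $g_family = 4 ]` / `else` block begins before this hunk.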
@@ -623,11 +632,10 @@ apps { INTERFACE=IRC_IF, OPTIONS=$IRC_OPTIONS } /etc/shorewall/hosts is used to define the vpn zone: - #ZONE HOSTS OPTIONS + ##ZONE HOSTS OPTIONS vpn { HOSTS=PROD_IF:$ALL } vpn { HOSTS=FAST_IF:$ALL } -vpn { HOSTS=LOC_IF:$ALL } - +vpn { HOSTS=LOC_IF:$ALL }
@@ -638,20 +646,29 @@ vpn { HOSTS=LOC_IF:$ALL } #SOURCE DEST POLICY LOGLEVEL RATE $FW { DEST=dmz,net, POLICY=REJECT, LOGLEVEL=$LOG_LEVEL } -$FW { DEST=all, POLICY=ACCEPT } -loc { DEST=net, POLICY=ACCEPT } +?if __IPV4 +$FW { DEST=all, POLICY=ACCEPT:Broadcast(ACCEPT),Multicast(ACCEPT), LOGLEVEL=$LOG_LEVEL } +?else +$FW { DEST=all, POLICY=ACCEPT:AllowICMPs,Broadcast(ACCEPT),Multicast(ACCEPT) LOGLEVEL=$LOG_LEVEL } +?endif + +loc,apps { DEST=net, POLICY=ACCEPT } loc,vpn,apps { DEST=loc,vpn,apps POLICY=ACCEPT } loc { DEST=fw, POLICY=REJECT, LOGLEVEL=$LOG_LEVEL } +?if __IPV4 net { DEST=net, POLICY=NONE } +?else +net { DEST=net, POLICY=REJECT, LOGLEVEL=$LOG_LEVEL } +?endif net { DEST=fw, POLICY=BLACKLIST:+Broadcast(DROP),Multicast(DROP),DropDNSrep:$LOG_LEVEL, LOGLEVEL=$LOG_LEVEL, RATE=8/sec:30 } net { DEST=all, POLICY=BLACKLIST:+DropDNSrep:$LOG_LEVEL, LOGLEVEL=$LOG_LEVEL, RATE=8/sec:30 } -dmz { DEST=fw, POLICY=REJECT, LOGLEVEL=$LOG_LEVEL } +dmz { DEST=fw POLICY=REJECT, LOGLEVEL=$LOG_LEVEL } +dmz { DEST=dmz POLICY=REJECT, LOGLEVEL=$LOG_LEVEL } -all { DEST=all, POLICY=REJECT, LOGLEVEL=$LOG_LEVEL } - +all { DEST=all, POLICY=REJECT, LOGLEVEL=$LOG_LEVEL }
@@ -676,7 +693,9 @@ all { DEST=all, POLICY=REJECT, LOGLEVEL=$LOG_LEVEL } - # + #NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY + +# # This could be cleaned up a bit, but I'm leaving it as is for now # # - The two address families use different fw mark geometry @@ -687,7 +706,9 @@ all { DEST=all, POLICY=REJECT, LOGLEVEL=$LOG_LEVEL } ?if $FALLBACK # FAST_IF is primary, PROD_IF is fallback # - ?info Compiling with FALLBACK + ?if $VERBOSITY > 0 + ?info Compiling with FALLBACK + ?endif IPv6Beta { NUMBER=1, MARK=$FAST_MARK, INTERFACE=FAST_IF, GATEWAY=$FAST_GATEWAY, OPTIONS=loose,primary,persistent,noautosrc } ?if __IPV4 ComcastB { NUMBER=4, MARK=0x10000, INTERFACE=PROD_IF, GATEWAY=10.1.10.1, OPTIONS=loose,fallback,persistent } 
@@ -696,25 +717,29 @@ all { DEST=all, POLICY=REJECT, LOGLEVEL=$LOG_LEVEL } ?endif ?elsif $STATISTICAL # Statistically balance traffic between FAST_IF and PROD_IF - ?info Compiling with STATISTICAL + ?if $VERBOSITY > 0 + ?info Compiling with STATISTICAL + ?endif ?if __IPV4 - IPv6Beta { NUMBER=1, MARK=0x20000, INTERFACE=FAST_IF, GATEWAY=$FAST_GATEWAY, OPTIONS=loose,load=0.66666667,primary } + IPv6Beta { NUMBER=1, MARK=0x20000, INTERFACE=FAST_IF, GATEWAY=$FAST_GATEWAY, OPTIONS=loose,load=0.66666667,primary,persistent } + ComcastB { NUMBER=4, MARK=0x10000, INTERFACE=PROD_IF, GATEWAY=10.1.10.1, OPTIONS=loose,load=0.33333333,fallback,persistent } ?else HE { NUMBER=2, MARK=0x200, INTERFACE=PROD_IF, OPTIONS=track,load=0.33333333,persistent } ?endif ?else - ?INFO Compiling with BALANCE - IPv6Beta { NUMBER=1, MARK=0x100, INTERFACE=eth0, GATEWAY=$FAST_GATEWAY, OPTIONS=track,balance=2,loose,persistent } + ?if $VERBOSITY > 0 + ?info Compiling with BALANCE + ?endif + IPv6Beta { NUMBER=1, MARK=$FAST_MARK, INTERFACE=FAST_IF, GATEWAY=$FAST_GATEWAY, OPTIONS=track,balance=2,loose,persistent } ?if __IPV4 - ComcastB { NUMBER=4, MARK=0x10000, INTERFACE=IPV4_IF, GATEWAY=10.1.10.1, OPTIONS=nohostroute,loose,balance,persistent } + ComcastB { NUMBER=4, MARK=0x10000, INTERFACE=PROD_IF, GATEWAY=10.1.10.1, OPTIONS=nohostroute,loose,balance,persistent } ?else ?warning No BALANCE IPv6 configuration HE { NUMBER=2, MARK=0x200, INTERFACE=PROD_IF, OPTIONS=fallback,persistent } ?endif ?endif -Tproxy { NUMBER=3, INTERFACE=lo, OPTIONS=tproxy } - +Tproxy { NUMBER=3, INTERFACE=lo, OPTIONS=tproxy }
@@ -754,7 +779,7 @@ Tproxy { NUMBER=3, INTERFACE=lo, OPTIONS=tproxy } # not effective in routing the 'ping' request packets out of FAST_IF. # The following route solves that problem. # - { PROVIDER=main, DEST=2001:558:4082:d3::1/128, GATEWAY=fe80::22e5:2aff:feb7:f2cf, DEVICE=FAST_IF, OPTIONS=persistent } + { PROVIDER=main, DEST=2001:558:4082:d3::1/128, GATEWAY=$FAST_GATEWAY, DEVICE=FAST_IF, OPTIONS=persistent } ?endif
@@ -822,12 +847,13 @@ CT:helper:ftp:O { PROTO=tcp, DPORT=21 } /etc/shorewall/rules has only a couple of rules that are conditional based on address family: - #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER MARK CONNLIMIT TIME HEADERS SWITCH HELPER + ############################################################################################################################################################## +#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER MARK CONNLIMIT TIME HEADERS SWITCH HELPER ?SECTION ALL -Ping(ACCEPT) { SOURCE=net, DEST=all, RATE=d:ping:2/sec:10 } -Trcrt(ACCEPT) { SOURCE=net, DEST=all, RATE=d:ping:2/sec:10 } +Ping(ACCEPT) { SOURCE=net, DEST=all, RATE=d:ping(1024,65536):2/sec:10 } +Trcrt(ACCEPT) { SOURCE=net, DEST=all, RATE=d:ping(1024,65536):2/sec:10 } ?SECTION ESTABLISHED @@ -845,8 +871,8 @@ ACCEPT { SOURCE=dmz, DEST=dmz } ?SECTION INVALID RST(ACCEPT) { SOURCE=all, DEST=all } +FIN(ACCEPT) { SOURCE=all, DEST=all } DROP { SOURCE=net, DEST=all } -FIN { SOURCE=all, DEST=all } ?SECTION UNTRACKED 
@@ -863,17 +889,26 @@ CONTINUE { SOURCE=$FW, DEST=all } # Stop certain outgoing traffic to the net # REJECT:$LOG_LEVEL { SOURCE=loc,vpn,apps DEST=net, PROTO=tcp, DPORT=25 } #Stop direct loc->net SMTP (Comcast uses submission). -REJECT:$LOG_LEVEL { SOURCE=loc,vpn,apps DEST=net, PROTO=udp, DPORT=1025:1031 } #MS Messaging +#REJECT:$LOG_LEVEL { SOURCE=loc,vpn,apps DEST=net, PROTO=udp, DPORT=1025:1031 } #MS Messaging -REJECT { SOURCE=all, DEST=net, PROTO=tcp, DPORT=137,445, comment="Stop NETBIOS Crap" } -REJECT { SOURCE=all, DEST=net, PROTO=udp, DPORT=137:139, comment="Stop NETBIOS Crap" } +REJECT { SOURCE=all!dmz,apps, DEST=net, PROTO=tcp, DPORT=137,445, comment="Stop NETBIOS Crap" } +REJECT { SOURCE=all!dmz,apps, DEST=net, PROTO=udp, DPORT=137:139, comment="Stop NETBIOS Crap" } REJECT { SOURCE=all, DEST=net, PROTO=tcp, DPORT=3333, comment="Disallow port 3333" } REJECT { SOURCE=all, DEST=net, PROTO=udp, DPORT=3544, comment="Stop Teredo" } +?if __IPV6 +DROP { SOURCE=net:PROD_IF, DEST=net:PROD_IF } +?endif + ?COMMENT +###################################################################################################### +# SACK +# +DROP:$LOG_LEVEL { SOURCE=net, DEST=all } ;;+ -p tcp -m tcpmss --mss 1:535 + ###################################################################################################### # 6in4 # @@ -884,8 +919,9 @@ REJECT { SOURCE=all, DEST=net, PROTO=udp, DPORT=3544, comment="Stop Teredo" } ###################################################################################################### # Ping # -Ping(ACCEPT) { SOURCE=$FW,loc,dmz,vpn, DEST=$FW,loc,dmz,vpn } -Ping(ACCEPT) { SOURCE=all, DEST=net } +Ping(ACCEPT) { SOURCE=$FW,loc,dmz,vpn,apps, DEST=$FW,loc,dmz,vpn,apps } +Ping(ACCEPT) { SOURCE=dmz, DEST=dmz } +Ping(ACCEPT) { SOURCE=all, DEST=net } ###################################################################################################### # SSH # 
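Review bot: The new `# SACK` block drops and logs every TCP segment from net whose MSS option is 535 or less (`DROP:$LOG_LEVEL { SOURCE=net, DEST=all } ;;+ -p tcp -m tcpmss --mss 1:535`), but the header does not say why, and this is the only rule in the file that appends raw iptables matches, so a reader copying the file cannot tell whether they still need it. Suggest a header along the lines of `# SACK: drop TCP segments from net advertising an MSS of 535 or less (low-MSS / SACK resource-exhaustion mitigation; remove once the kernel is patched)`, assuming that is the intent. The NETBIOS rejects now exempt dmz and apps (`SOURCE=all!dmz,apps`) and the MS Messaging reject is commented out rather than deleted; a one-line comment on each saying why would keep the next maintainer from reverting them.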
@@ -900,6 +936,11 @@ SSH(DNAT-) { SOURCE=net, DEST=172.20.2.44, PROTO=tcp, DPORT=ssh, # DNS(ACCEPT) { SOURCE=loc,dmz,vpn,apps, DEST=$FW } DNS(ACCEPT) { SOURCE=$FW, DEST=net } +?if $TEST +DNS(REDIRECT) loc 53 - 53 - !&LOC_IF +DNS(REDIRECT) fw 53 - 53 - !::1 +?endif +DropDNSrep { SOURCE=net, DEST=all } ###################################################################################################### # Traceroute # @@ -910,6 +951,7 @@ Trcrt(ACCEPT) { SOURCE=net, DEST=$FW,dmz } # SMTP(ACCEPT) { SOURCE=net,$FW, DEST=dmz:$LISTS } SMTP(ACCEPT) { SOURCE=dmz:$LISTS, DEST=net:PROD_IF } +SMTP(ACCEPT) { SOURCE=dmz, DEST=dmz:$LISTS } SMTP(REJECT) { SOURCE=dmz:$LISTS, DEST=net } IMAPS(ACCEPT) { SOURCE=all, DEST=dmz:$MAIL } Submission(ACCEPT) { SOURCE=all, DEST=dmz:$LISTS } @@ -919,7 +961,6 @@ IMAP(ACCEPT) { SOURCE=loc,vpn, DEST=net } # NTP # NTP(ACCEPT) { SOURCE=all, DEST=net } -NTP(ACCEPT) { SOURCE=loc,vpn,dmz,apps DEST=$FW } ###################################################################################################### # Squid ACCEPT { SOURCE=loc,vpn, DEST=$FW, PROTO=tcp, DPORT=3128 } @@ -929,8 +970,8 @@ ACCEPT { SOURCE=loc,vpn, DEST=$FW, PROTO=tcp, DPORT=3128 } Web(ACCEPT) { SOURCE=loc,vpn DEST=$FW } Web(ACCEPT) { SOURCE=$FW, DEST=net, USER=proxy } Web(DROP) { SOURCE=net, DEST=fw, PROTO=tcp, comment="Do not blacklist web crawlers" } -HTTP(ACCEPT) { SOURCE=net,loc,vpn,apps,$FW DEST=dmz:$SERVER,$LISTS,$MAIL } -HTTPS(ACCEPT) { SOURCE=net,loc,vpn,apps,$FW DEST=dmz:$LISTS,$MAIL } +HTTP(ACCEPT) { SOURCE=net,loc,vpn,$FW DEST=dmz:$SERVER,$LISTS,$MAIL } +HTTPS(ACCEPT) { SOURCE=net,loc,vpn,$FW DEST=dmz:$SERVER,$LISTS,$MAIL } Web(ACCEPT) { SOURCE=dmz,apps DEST=net,$FW } Web(ACCEPT) { SOURCE=$FW, DEST=net, USER=root } Web(ACCEPT) { SOURCE=$FW, DEST=net, USER=teastep } 
@@ -938,13 +979,13 @@ Web(ACCEPT) { SOURCE=$FW, DEST=net, USER=_apt } ###################################################################################################### # FTP # -FTP(ACCEPT) { SOURCE=loc,vpn,apps DEST=net } +FTP(ACCEPT) { SOURCE=loc,vpn,apps DEST=net } FTP(ACCEPT) { SOURCE=dmz, DEST=net } FTP(ACCEPT) { SOURCE=$FW, DEST=net, USER=root } FTP(ACCEPT) { SOURCE=all, DEST=dmz:$SERVER } # # Some FTP clients seem prone to sending the PORT command split over two packets. -# This prevents the FTP connection tracking code from processing the command and setting +# This prevents the FTP connection tracking code from processing the command and setting # up the proper expectation. # # The following rule allows active FTP to work in these cases @@ -952,6 +993,10 @@ FTP(ACCEPT) { SOURCE=all, DEST=dmz:$SERVER } # ACCEPT:$LOG_LEVEL { SOURCE=dmz, DEST=net, PROTO=tcp, DPORT=1024:, SPORT=20 } ###################################################################################################### +# Git +# +Git(ACCEPT) { source=all, DEST=dmz:$SERVER } +###################################################################################################### # whois # Whois(ACCEPT) { SOURCE=all, DEST=net } 
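Review bot: The new Git rule spells the column name in lower case (`Git(ACCEPT) { source=all, DEST=dmz:$SERVER }`) while every other rule in the file uses `SOURCE=`; if the alternate-format parser treats names case-insensitively this is only a style inconsistency, but it is exactly the kind of difference that hides a typo, so write it as `Git(ACCEPT) { SOURCE=all, DEST=dmz:$SERVER }`. The `FTP(ACCEPT)` and connection-tracking comment changes in the preceding hunk are whitespace only.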
@@ -963,12 +1008,45 @@ SMBBI(ACCEPT) { SOURCE=vpn, DEST=$FW } ###################################################################################################### # IRC # -IRC(ACCEPT) { SOURCE=loc,apps, DEST=net } +SetEvent(IRC) { SOURCE=loc,apps, DEST=net, PROTO=tcp, DPORT=6667 } +IfEvent(IRC,ACCEPT,10,1,dst,reset) { SOURCE=net, DEST=loc,apps, PROTO=tcp, DPORT=113 } +###################################################################################################### +# AUTH +Auth(REJECT) { SOURCE=net, DEST=all } ###################################################################################################### # Rsync # Mirrors(ACCEPT:none) { SOURCE=net, DEST=dmz:$SERVER, PROTO=tcp, DPORT=873 } - +###################################################################################################### +# IPSEC +# +?if __IPV4 +DNAT { SOURCE=loc,net, DEST=apps:172.20.2.44, PROTO=udp, DPORT=500,4500, ORIGDEST=70.90.191.123 } +?else +ACCEPT { SOURCE=loc,net, DEST=apps, PROTO=udp, DPORT=500,4500 } +ACCEPT { SOURCE=loc,net, DEST=apps, PROTO=esp } +?endif +ACCEPT { SOURCE=$FW, DEST=net, PROTO=udp, SPORT=4500 } +###################################################################################################### +# Bit Torrent +?if __IPV4 +DNAT { SOURCE=net, DEST=apps:$IRSSIINT, PROTO=udp,tcp, DPORT=59410, ORIGDEST=$IRSSIEXT } +?else +ACCEPT { SOURCE=net, DEST=apps:$IRSSI, PROTO=udp,tcp, DPORT=59410 } +?endif +REJECT { SOURCE=net, DEST=all, PROTO=udp,tcp, DPORT=51413,59410 } +###################################################################################################### +# VNC +ACCEPT { SOURCE=loc, DEST=$FW, PROTO=tcp, DPORT=5900 } +###################################################################################################### +# FIN & RST +RST(ACCEPT) { SOURCE=all, DEST=all } +FIN(ACCEPT) { SOURCE=all, DEST=all } +###################################################################################################### +# Multicast +?if __IPV4 
+Multicast(ACCEPT) { SOURCE=all, DEST=$FW } +?endif
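Review bot: The IPv4 IPSEC DNAT hard-codes `172.20.2.44` and `70.90.191.123`, although the params hunk earlier in this diff defines `IRSSIINT=172.20.2.44` (and `IRSSIEXT` for the external side of that host); if the IPsec endpoint really is that same host, `DEST=apps:$IRSSIINT` keeps the address in one place, and a parameter for the public address would do the same for ORIGDEST. The IPv6 branch accepts IKE (udp 500,4500) and ESP from loc,net into the whole apps zone rather than a single host, which is broader than the IPv4 rule; if that is deliberate, a short comment saying so would stop a reader from "fixing" it. The `Auth(REJECT) { SOURCE=net, DEST=all }` line sits after the `IfEvent(IRC,ACCEPT,...)` rule for port 113, which is what makes the ident accept work, so that ordering should be preserved if these sections are reorganised.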
@@ -979,6 +1057,10 @@ Mirrors(ACCEPT:none) { SOURCE=net, DEST=dmz:$SERVER, PROTO=tcp, DPORT=873 } #ACTION SOURCE DEST PROTO DPORT SPORT USER TEST LENGTH TOS CONNBYTES HELPER PROBABILITY DSCP +?if $VERSION >= 50109 +TCPMSS(pmtu,none) { PROTO=tcp } +?endif + ?if __IPV4 # # I've had a checksum issue with certain IPv4 UDP packets @@ -989,13 +1071,12 @@ Mirrors(ACCEPT:none) { SOURCE=net, DEST=dmz:$SERVER, PROTO=tcp, DPORT=873 } ?if $PROXY # - # Use TPROXY for web access from the local LAN + # Use TPROXY for IPv4 web access from the local LAN # DIVERT:R { PROTO=tcp, SPORT=80 } DIVERT:R { PROTO=tcp, DPORT=80 } TPROXY(3129,$LOC_ADDR) { SOURCE=LOC_IF, PROTO=tcp, DPORT=80 } -?endif - +?endif
@@ -1003,19 +1084,19 @@ Mirrors(ACCEPT:none) { SOURCE=net, DEST=dmz:$SERVER, PROTO=tcp, DPORT=873 } NAT entries are quite dependent on the address family: - #ACTION SOURCE DEST PROTO PORT IPSEC MARK USER SWITCH ORIGDEST PROBABILITY + ################################################################################################################### +#ACTION SOURCE DEST PROTO PORT IPSEC MARK USER SWITCH ORIGDEST PROBABILITY ?if __IPV4 - MASQUERADE { SOURCE=172.20.1.0/24,172.20.2.0/23, DEST=FAST_IF } - MASQUERADE { SOURCE=70.90.191.120/29, DEST=FAST_IF } - SNAT(70.90.191.121) { SOURCE=!70.90.191.120/29, DEST=PROD_IF, PROBABILITY=0.50, COMMENT="Masquerade Local Network" } - SNAT(70.90.191.123) { SOURCE=!70.90.191.120/29, DEST=PROD_IF, COMMENT="Masquerade Local Network" } - SNAT(172.20.1.253) { SOURCE=172.20.3.0/24, DEST=LOC_IF:172.20.1.100 } + MASQUERADE { SOURCE=172.20.1.0/24,172.20.2.0/23, DEST=FAST_IF } + MASQUERADE { SOURCE=70.90.191.120/29, DEST=FAST_IF } + SNAT(70.90.191.121) { SOURCE=!70.90.191.120/29, DEST=PROD_IF, PROBABILITY=0.50, COMMENT="Masquerade Local Network" } + SNAT(70.90.191.123) { SOURCE=!70.90.191.120/29, DEST=PROD_IF, COMMENT="Masquerade Local Network" } + SNAT(172.20.1.253) { SOURCE=!172.20.1.0/24, DEST=LOC_IF:172.20.1.100 } ?else - SNAT(&PROD_IF) { SOURCE=2601:601:8b00:bf0::/60, DEST=PROD_IF } - SNAT(&FAST_IF) { SOURCE=2001:470:b:227::/64,2001:470:a:227::2, DEST=FAST_IF } -?endif - + SNAT(&PROD_IF) { SOURCE=2601:601:a000:16f0::/60, DEST=PROD_IF } + SNAT(&FAST_IF) { SOURCE=2001:470:b:227::/64,2001:470:a:227::2, DEST=FAST_IF } +?endif
@@ -1032,8 +1113,6 @@ ipsecnat {ZONE=loc, GATEWAY=$ALL, GATEWAY_ZONE=vpn }
proxyarp - This file is only used in the IPv4 configuration: - #ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT 70.90.191.122 { INTERFACE=br0, EXTERNAL=eth1, HAVEROUTE=yes, PERSISTENT=no } @@ -1068,5 +1147,14 @@ return $status fi
+ +
+ stoppedrules + + /etc/shorewall/stoppedrules allow SSH connections into the + firewall system when Shorewall[6] is in the stopped state. + + +
diff --git a/docs/images/Network2017.dia b/docs/images/Network2017.dia deleted file mode 100644 index 7ae190c36..000000000 Binary files a/docs/images/Network2017.dia and /dev/null differ diff --git a/docs/images/Network2017.png b/docs/images/Network2017.png deleted file mode 100644 index fb118af56..000000000 Binary files a/docs/images/Network2017.png and /dev/null differ diff --git a/docs/images/Network2020.dia b/docs/images/Network2020.dia new file mode 100644 index 000000000..2554722e2 Binary files /dev/null and b/docs/images/Network2020.dia differ diff --git a/docs/images/Network2020.png b/docs/images/Network2020.png new file mode 100644 index 000000000..4937e6dd6 Binary files /dev/null and b/docs/images/Network2020.png differ