About My Network Tom Eastep 2005-01-12 2001-2005 Thomas M. Eastep Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled GNU Free Documentation License.
My Current Network I use a combination of One-to-one NAT and Proxy ARP, neither of which are relevant to a simple configuration with a single public IP address. If you have just a single public IP address, most of what you see here won't apply to your setup so beware of copying parts of this configuration and expecting them to work for you. What you copy may or may not work in your environment. The configuration shown here corresponds to Shorewall version 2.2.0 RC2. My configuration uses features not available in earlier Shorewall releases. I have DSL service and have 5 static IP addresses (206.124.146.176-180). My DSL modem (Westell 2200 running in Bridge mode) is connected to eth1 and has IP address 192.168.1.1 (factory default). The modem is configured in bridge mode so PPPoE is not involved. I have a local network connected to eth0 (subnet 192.168.1.0/24) and a DMZ connected to eth2 (206.124.146.176/32). Note that I configure the same IP address on both eth1 and eth2. In this configuration: I use one-to-one NAT for Ursa (my personal system that run SuSE 9.2) - Internal address 192.168.1.5 and external address 206.124.146.178. I use one-to-one NAT for Eastepnc6000 (My work system -- Windows XP SP1). Internal address 192.168.1.7 and external address 206.124.146.180. I use SNAT through 206.124.146.176 for my Wife's Windows XP system Tarry, and our  dual-booting (SuSE 9.2/Windows XP) laptop Tipper which connects through the Wireless Access Point (wap) via a Wireless Bridge (wet). While the distance between the WAP and where I usually use the laptop isn't very far (50 feet or so), using a WAC11 (CardBus wireless card) has proved very unsatisfactory (lots of lost connections). By replacing the WAC11 with the WET11 wireless bridge, I have virtually eliminated these problems (Being an old radio tinkerer (K7JPV), I was also able to eliminate the disconnects by hanging a piece of aluminum foil on the family room wall. Needless to say, my wife Tarry rejected that as a permanent solution :-). I have Ursa (192.168.1.5/192.168.3.254/206.124.146.178) configured as an IPSEC gateway for the Wireless network. Squid runs on the firewall and is configured as a transparent proxy. The firewall runs on a P-II/233 with Debian Sarge (testing). Ursa runs Samba for file sharing with the Windows systems and is configured as a Wins server. The wireless network connects to Ursa's eth1 via a LinkSys WAP11.  In additional to using the rather weak WEP 40-bit encryption (64-bit with the 24-bit preamble), I use MAC verification and Kernel 2.6 IPSEC. The single system in the DMZ (address 206.124.146.177) runs postfix, Courier IMAP (imaps and pop3), DNS, a Web server (Apache) and an FTP server (Pure-ftpd) under Fedora Core 3. The system also runs fetchmail to fetch our email from our old and current ISPs. That server is managed through Proxy ARP. The firewall system itself runs a DHCP server that serves the local network. I have one system (Roadwarrior, 206.124.146.179) outside the firewall. This system, which runs Debian Sarge (testing) is used for roadwarrior VPN testing and for checking my firewall "from the outside". All administration and publishing is done using ssh/scp. I have a desktop environment installed on the firewall but I am not usually logged in to it. X applications tunnel through SSH to Ursa. The server also has a desktop environment installed and that desktop environment is available via XDMCP from the local zone. For the most part though, X tunneled through SSH is used for server administration and the server runs at run level 3 (multi-user console mode on Fedora). I run an SNMP server on my firewall to serve MRTG running in the DMZ. The ethernet interface in the Server is configured with IP address 206.124.146.177, netmask 255.255.255.0. The server's default gateway is 206.124.146.254 (Router at my ISP. This is the same default gateway used by the firewall itself). On the firewall, an entry in my /etc/network/interfaces file (see below) adds a host route to 206.124.146.177 through eth1 when that interface is brought up. Ursa (206.124.146.178/192.168.1.5) is configured with OpenVPN for VPN access from our second home in Omak, Washington or when we are otherwise out of town.
Firewall Configuration
Shorewall.conf
LOGFILE=/var/log/ulog/syslogemu.log LOGFORMAT="Shorewall:%s:%s " LOGRATE= LOGBURST= LOGUNCLEAN=$LOG BLACKLIST_LOGLEVEL= LOGNEWNOTSYN=$LOG MACLIST_LOG_LEVEL=$LOG TCP_FLAGS_LOG_LEVEL=$LOG RFC1918_LOG_LEVEL=$LOG SMURF_LOG_LEVEL= IPTABLES= PATH=/usr/local/sbin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin SHOREWALL_SHELL=/bin/dash SUBSYSLOCK= STATEDIR=/var/state/shorewall MODULESDIR= CONFIG_PATH=/etc/shorewall:/etc/shorewall/actiondir:/usr/share/shorewall RESTOREFILE=standard FW=fw IP_FORWARDING=On ADD_IP_ALIASES=Yes ADD_SNAT_ALIASES=Yes RETAIN_ALIASES=Yes TC_ENABLED=Yes CLEAR_TC=Yes MARK_IN_FORWARD_CHAIN=No CLAMPMSS=Yes ROUTE_FILTER=No DETECT_DNAT_IPADDRS=Yes MUTEX_TIMEOUT=60 NEWNOTSYN=Yes BLACKLISTNEWONLY=Yes DELAYBLACKLISTLOAD=Yes DYNAMIC_ZONES=No DISABLE_IPV6=Yes PKTTYPE=No BLACKLIST_DISPOSITION=DROP MACLIST_DISPOSITION=REJECT TCP_FLAGS_DISPOSITION=DROP
Params File (Edited)
MIRRORS=<list of shorewall mirror ip addresses> NTPSERVERS=<list of the NTP servers I sync with> TEXAS=<ip address of gateway in Plano> LOG=ULOG EXT_IF=eth1 INT_IF=eth2 DMZ_IF=eth0
Zones File
#ZONE DISPLAY COMMENTS net Internet Internet dmz DMZ Demilitarized zone loc Local Local networks tx Texas Peer Network in Dallas #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
Interfaces File
This is set up so that I can start the firewall before bringing up my Ethernet interfaces. #ZONE INTERFACE BROADCAST OPTIONS net $EXT_IF 206.124.146.255 dhcp,norfc1918,routefilter,logmartians,blacklist,tcpflags,nosmurfs loc $INT_IF detect dhcp dmz $DMZ_IF - - texas - #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
Hosts File
#ZONE HOST(S) OPTIONS tx texas:192.168.8.0/22 #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
Routestopped File
#INTERFACE HOST(S) $DMZ_IF 206.124.146.177 $INT_IF - #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
Blacklist File (Partial)
#ADDRESS/SUBNET PROTOCOL PORT 0.0.0.0/0 udp 1434 0.0.0.0/0 tcp 1433 0.0.0.0/0 tcp 3127 0.0.0.0/0 tcp 8081 0.0.0.0/0 tcp 57 #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
RFC1918 File
Because my DSL modem has an RFC 1918 address (192.168.1.1) and is connected to eth0, I need to make an exception for that address in my rfc1918 file. I copied /usr/share/shorewall/rfc1918 to /etc/shorewall/rfc1918 and changed it as follows: #SUBNET TARGET 192.168.1.1 RETURN 172.16.0.0/12 logdrop # RFC 1918 192.168.0.0/16 logdrop # RFC 1918 10.0.0.0/8 logdrop # RFC 1918 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
Policy File
#SOURCE DESTINATION POLICY LOG LEVEL BURST:LIMIT fw fw ACCEPT loc net ACCEPT $FW loc ACCEPT $FW tx ACCEPT loc tx ACCEPT loc fw REJECT $LOG dmz tx ACCEPT net all DROP $LOG 10/sec:40 all all REJECT $LOG #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
Masq File
Although most of our internal systems use one-to-one NAT, my wife's system (192.168.1.4) uses IP Masquerading (actually SNAT) as does our laptop (192.168.1.8) and visitors with laptops. The first entry allows access to the DSL modem and uses features introduced in Shorewall 2.1.1. The leading plus sign ("+_") causes the rule to be placed before rules generated by the /etc/shorewall/nat file below. The double colons ("::") causes the entry to be exempt from ADD_SNAT_ALIASES=Yes in my shorewall.conf file above. #INTERFACE SUBNET ADDRESS +$EXT_IF::192.168.1.1 0.0.0.0/0 192.168.1.254 $EXT_IF:: eth2 206.124.146.176 #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
NAT File
#EXTERNAL INTERFACE INTERNAL ALL INTERFACES LOCAL 206.124.146.178 eth0:0 192.168.1.5 No No 206.124.146.180 eth0:1 192.168.1.7 No No #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
Proxy ARP File
I configure the host route to 206.124.146.177 on eth1 in /etc/network/interfaces. #ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT 206.124.146.177 eth1 eth0 Yes 192.168.1.1 eth0 eth2 yes # Allow access to DSL modem from the local zone #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
Tunnels File (Shell variable TEXAS set in /etc/shorewall/params)
#TYPE ZONE GATEWAY GATEWAY ZONE PORT gre net $TEXAS #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
Actions File
#ACTION Mirrors #Accept traffic from the Shorewall Mirror sites #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
action.Mirrors File
The $MIRRORS variable expands to a list of approximately 10 IP addresses. So moving these checks into a separate chain reduces the number of rules that most net->dmz traffic needs to traverse. #TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE # PORT PORT(S) DEST LIMIT ACCEPT $MIRRORS #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
/etc/shorewall/action.Reject
This is my common action for the REJECT policy. It is like the standard Reject action except that it allows Ping and contains one rule that guards against log flooding by broken software running in my local zone. #TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ # PORT(S) PORT(S) LIMIT GROUP RejectAuth AllowPing dropBcast RejectSMB DropUPnP dropNotSyn DropDNSrep DROP loc:eth2:!192.168.1.0/24 #So that my braindead Windows[tm] XP system doesn't flood my log #with NTP requests with a source address in 16.0.0.0/8 (address of #its PPTP tunnel to HP).
Rules File (The shell variables are set in /etc/shorewall/params)
############################################################################################################################################################################### #RESULT CLIENT(S) SERVER(S) PROTO PORT(S) CLIENT ORIGINAL RATE USER # PORT(S) DEST:SNAT SET ############################################################################################################################################################################### # Local Network to Internet - Reject attempts by Trojans to call home, direct SMTP and MS Message Service # REJECT:$LOG loc net tcp 6667,25 REJECT:$LOG loc net udp 1025:1031 # # Stop NETBIOS crap # REJECT loc net tcp 137,445 REJECT loc net udp 137:139 # # Stop my idiotic XP box from sending to the net with an HP source IP address # DROP loc:!192.168.0.0/22 net # # SQUID # REDIRECT loc 3128 tcp 80 ############################################################################################################################################################################### # Local Network to Firewall # DROP loc:!192.168.0.0/22 fw # Silently drop traffic with an HP source IP from my XP box ACCEPT loc fw tcp ssh,time ACCEPT loc fw udp 161,ntp ############################################################################################################################################################################### # Local Network to DMZ # DROP loc:!192.168.0.0/22 dmz ACCEPT loc dmz udp domain,xdmcp ACCEPT loc dmz tcp www,smtp,smtps,domain,ssh,imap,https,imaps,cvspserver,ftp,10027,pop3 - ############################################################################################################################################################################### # Internet to ALL -- drop NewNotSyn packets # dropNotSyn net fw tcp dropNotSyn net loc tcp dropNotSyn net dmz tcp # # Drop ping to firewall and local # DropPing net fw DropPing net loc ############################################################################################################################################################################### # Internet to DMZ # DNAT- net dmz:206.124.146.177 tcp smtp - 206.124.146.178 ACCEPT net dmz tcp smtp,smtps,www,ftp,imaps,domain,https,cvspserver - ACCEPT net dmz udp domain ACCEPT net dmz udp 33434:33436 Mirrors net dmz tcp rsync ACCEPT net dmz tcp 22 AllowPing net dmz ############################################################################################################################################################################### # # Net to Local # # When I'm "on the road", the following two rules allow me VPN access back home via PPTP. # DNAT net loc:192.168.1.4 tcp 1723 - DNAT net:!$TEXAS loc:192.168.1.4 gre - ACCEPT net loc:192.168.1.5 tcp 22 # # ICQ # ACCEPT net loc:192.168.1.5 tcp 4000:4100 # # Real Audio # ACCEPT net loc:192.168.1.5 udp 6970:7170 # # Overnet # #ACCEPT net loc:192.168.1.5 tcp 4662 #ACCEPT net loc:192.168.1.5 udp 12112 # # Silently Handle common probes # REJECT net loc tcp www,ftp,https ############################################################################################################################################################################### # DMZ to Internet # ACCEPT dmz net tcp smtp,domain,www,81,https,whois,echo,2702,21,2703,ssh,8080 ACCEPT dmz net udp domain REJECT:$LOG dmz net udp 1025:1031 ACCEPT dmz net:$POPSERVERS tcp pop3 # # Something is wrong with the FTP connection tracking code or there is some client out there # that is sending a PORT command which that code doesn't understand. Either way, # the following works around the problem. # ACCEPT:$LOG dmz net tcp 1024: 20 ############################################################################################################################################################################### # DMZ to Firewall -- ntp & snmp, Silently reject Auth # ACCEPT dmz fw udp ntp ntp ACCEPT dmz fw tcp 161,ssh ACCEPT dmz fw udp 161 REJECT dmz fw tcp auth ############################################################################################################################################################################### # DMZ to Local Network # ACCEPT dmz loc tcp smtp,6001:6010 ACCEPT dmz:206.124.146.177 loc:192.168.1.5 tcp 111 ACCEPT dmz:206.124.146.177 loc:192.168.1.5 udp ############################################################################################################################################################################### # Internet to Firewall # REJECT net fw tcp www,ftp,https ACCEPT net dmz udp 33434:33435 ############################################################################################################################################################################### # Firewall to Internet # ACCEPT fw net:$NTPSERVERS udp ntp ntp #ACCEPT fw net:$POPSERVERS tcp pop3 ACCEPT fw net udp domain ACCEPT fw net tcp domain,www,https,ssh,1723,whois,1863,ftp,2702,2703,7 ACCEPT fw net udp 33435:33535 ACCEPT fw net icmp REJECT:$LOG fw net udp 1025:1031 DROP fw net udp ntp ############################################################################################################################################################################### # Firewall to DMZ # ACCEPT fw dmz tcp www,ftp,ssh,smtp ACCEPT fw dmz udp domain REJECT fw dmz udp 137:139 ############################################################################################################################################################################### ACCEPT tx loc:192.168.1.5 all #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
/etc/network/interfaces This file is Debian-specific and defines the configuration of the network interfaces.
# The loopback network interface auto lo iface lo inet loopback # DMZ interface -- after the interface is up, add a host route to the server. This allows 'Yes' in the # HAVEROUTE column of the /etc/shorewall/proxyarp file. Note that the DMZ interface has # the same IP address as the Internet interface but has no broadcast address or network. auto eth0 iface eth0 inet static address 206.124.146.176 netmask 255.255.255.255 broadcast 0.0.0.0 up ip route add 206.124.146.177 dev eth0 # Internet interface -- after the interface is up, add a host route to the DSL 'Modem' (Westell 2200). auto eth1 iface eth1 inet static address 206.124.146.176 netmask 255.255.255.0 gateway 206.124.146.254 up ip route add 192.168.1.1 dev eth1 # Local LAN interface -- after the interface is up, add a net route to the Wireless network through 'Ursa'. auto eth2 iface eth2 inet static address 192.168.1.254 netmask 255.255.255.0 up ip route add 192.168.3.0/24 via 192.168.1.5
/etc/ulogd.conf This is the default /etc/ulogd.conf from the Debian package. Only the relevant entries are shown.
# where to write to syslogfile /var/log/ulog/syslogemu.log # do we want to fflush() the file after each write? syslogsync 1
Wireless IPSEC/OpenVPN Gateway (Ursa) Configuration As mentioned above, Ursa acts as an IPSEC gateway for the wireless network and as an OpenVPN gateway for roadwarrior access from Tipper and my new work laptop. It's view of the network is diagrammed in the following figure. I've included the files that I used to configure that system.
zones
Because loc is a sub-zone of net, loc must be defined first. #ZONE DISPLAY COMMENTS loc Local Local networks net Internet The Big Bad Internet WiFi Wireless Wireless Network sec Secure Secure Wireless Network road Roadwarriors Roadwarriors #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
policy
#SOURCE DEST POLICY LOG LIMIT:BURST loc fw ACCEPT loc net NONE loc sec ACCEPT loc road ACCEPT net fw ACCEPT net loc NONE net sec ACCEPT sec fw ACCEPT sec loc ACCEPT sec net ACCEPT road sec ACCEPT road loc ACCEPT road net ACCEPT road fw ACCEPT fw loc ACCEPT fw net ACCEPT fw sec ACCEPT fw WiFi ACCEPT fw Road ACCEPT sec WiFi NONE WiFi sec NONE all all REJECT info #LAST LINE -- DO NOT REMOVE
interfaces
#ZONE INTERFACE BROADCAST OPTIONS net eth0 192.168.1.255 dhcp,nobogons,blacklist WiFi eth1 192.168.3.255 nobogons,blacklist,maclist,routeback road tun0 - #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
ipsec
The mss=1400 in the OUT OPTIONS of the 'net' zone uses a feature added in 2.1.12 and sets the MSS field in TCP SYN packets forwarded to the 'net' zone to 1400. This works around a problem whereby ICMP fragmentation-needed packets are being dropped somewhere between my main firewall and the IMAP server at my work. #ZONE IPSEC OPTIONS IN OUT # ONLY OPTIONS OPTIONS sec yes mode=tunnel net no - - mss=1400 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
hosts
#ZONE HOST(S) OPTIONS sec eth1:0.0.0.0/0 routeback loc eth0:192.168.1.0/24 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE
tunnels
# TYPE ZONE GATEWAY GATEWAY # ZONE ipsec:noah WiFi 192.168.3.8 openvpn:1194 net 0.0.0.0/0 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
rules
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL # PORT PORT(S) DEST allowBcast WiFi fw #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
routestopped
#INTERFACE HOST(S) OPTIONS eth1 0.0.0.0/0 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
maclist
#INTERFACE MAC IP ADDRESSES (Optional) eth1 00:A0:1C:DB:0C:A0 192.168.3.7 #Work Laptop eth1 00:04:59:0e:85:b9 #WAP11 eth1 00:06:D5:45:33:3c #WET11 eth1 00:0b:c1:53:cc:97 192.168.3.8 #TIPPER #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
/etc/racoon/setkey.conf
This defines encryption policies to/from the wireless network. flush; spdflush; spdadd 0.0.0.0/0 192.168.3.8/32 any -P out ipsec esp/tunnel/192.168.3.254-192.168.3.8/require; spdadd 192.168.3.8/32 0.0.0.0/0 any -P in ipsec esp/tunnel/192.168.3.8-192.168.3.254/require;
/etc/racoon/racoon.conf
SA parameters for communication with our wireless network (Tipper is currently the only Wireless host). path certificate "/etc/certs"; listen { isakmp 192.168.3.254; } remote 192.168.3.8 { exchange_mode main ; certificate_type x509 "ursa.pem" "ursa_key.pem"; verify_cert on; my_identifier asn1dn ; peers_identifier asn1dn ; verify_identifier on ; lifetime time 24 hour ; proposal { encryption_algorithm blowfish ; hash_algorithm sha1; authentication_method rsasig ; dh_group 2 ; } } sainfo address 0.0.0.0/0 any address 192.168.3.8/32 any { pfs_group 2; lifetime time 12 hour ; encryption_algorithm blowfish ; authentication_algorithm hmac_sha1, hmac_md5 ; compression_algorithm deflate ; }
/etc/openvpn/server.conf This is my OpenVPN server configuration file:
dev tun server 192.168.2.0 255.255.255.0 dh dh1024.pem ca /etc/certs/cacert.pem crl-verify /etc/certs/crl.pem cert /etc/certs/ursa.pem key /etc/certs/ursa_key.pem port 1194 comp-lzo user nobody group nogroup ping 15 ping-restart 45 ping-timer-rem persist-tun persist-key client-config-dir /etc/openvpn/clients ccd-exclusive client-to-client verb 3
Tipper Configuration while at Home This laptop is either configured on our wireless network (192.168.3.8) or as a standalone system on the road. While this system is connected via our wireless network, it uses IPSEC tunnel mode for all access. Given that I use OpenVPN for remote access, it would be more convenient to also use it for wireless access at home. I use IPSEC just so that I always have a working IPSEC testbed. Tipper's view of the world is shown in the following diagram: The key configuration files are shown in the following sections.
zones
#ZONE DISPLAY COMMENTS home Home Shorewall Network net Net Internet #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
policy
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST fw net ACCEPT fw home ACCEPT home fw ACCEPT net home NONE home net NONE net all DROP info # The FOLLOWING POLICY MUST BE LAST all all REJECT info #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
interfaces
#ZONE INTERFACE BROADCAST OPTIONS net eth0 detect dhcp,tcpflags #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
ipsec
#ZONE IPSEC OPTIONS IN OUT # ONLY OPTIONS OPTIONS home yes mode=tunnel #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
hosts
#ZONE HOST(S) OPTIONS home eth0:0.0.0.0/0 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE
rules
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ # PORT PORT(S) DEST LIMIT GROUP ACCEPT net fw icmp 8 ACCEPT net fw tcp 22 ACCEPT net fw tcp 4000:4100 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
/etc/racoon/setkey.conf
flush; spdflush; # Policies for while we're connected via Wireless at home spdadd 192.168.3.8/32 192.168.3.8/32 any -P in none; spdadd 192.168.3.8/32 192.168.3.8/32 any -P out none; spdadd 127.0.0.0/8 127.0.0.0/8 any -P in none; spdadd 127.0.0.0/8 127.0.0.0/8 any -P out none; spdadd 0.0.0.0/0 192.168.3.8/32 any -P in ipsec esp/tunnel/192.168.3.254-192.168.3.8/require; spdadd 192.168.3.8/32 0.0.0.0/0 any -P out ipsec esp/tunnel/192.168.3.8-192.168.3.254/require;
/etc/racoon/racoon.conf
path certificate "/etc/certs"; listen { isakmp 192.168.3.8; } remote 192.168.3.254 { exchange_mode main ; certificate_type x509 "tipper.pem" "tipper_key.pem"; verify_cert on; my_identifier asn1dn ; peers_identifier asn1dn ; verify_identifier on ; lifetime time 24 hour ; proposal { encryption_algorithm blowfish ; hash_algorithm sha1; authentication_method rsasig ; dh_group 2 ; } } sainfo address 192.168.3.8/32 any address 0.0.0.0/0 any { pfs_group 2; lifetime time 12 hour ; encryption_algorithm blowfish ; authentication_algorithm hmac_sha1, hmac_md5 ; compression_algorithm deflate ; }
Tipper Configuration on the Road When Tipper is on the road, it's world view is the same as in the diagram above.
zones
#ZONE DISPLAY COMMENTS home Home Shorewall Network net Net Internet #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
policy
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST fw net ACCEPT fw home ACCEPT home fw ACCEPT net home NONE home net NONE net all DROP info # The FOLLOWING POLICY MUST BE LAST all all REJECT info #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
interfaces
#ZONE INTERFACE BROADCAST OPTIONS net eth0 detect dhcp,tcpflags home tun0 - #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
rules
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ # PORT PORT(S) DEST LIMIT GROUP ACCEPT net fw icmp 8 ACCEPT net fw tcp 22 ACCEPT net fw tcp 4000:4100 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
/etc/openvpn/home.conf
dev tun remote ursa.shorewall.net up /etc/openvpn/home.up tls-client pull ca /etc/certs/cacert.pem cert /etc/certs/tipper.pem key /etc/certs/tipper_key.pem port 1194 user nobody group nogroup comp-lzo ping 15 ping-restart 45 ping-timer-rem persist-tun persist-key verb 3
/etc/openvpn/home.up
#!/bin/bash ip route add 192.168.1.0/24 via $5 #Access to Home Network ip route add 206.124.146.177/32 via $5 #So that DNS names will resolve in my #Internal Bind 9 view because the source IP will #be in 192.168.2.0/24