<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<article>
  <!--$Id$-->

  <articleinfo>
    <title>About My Network</title>

    <authorgroup>
      <author>
        <firstname>Tom</firstname>

        <surname>Eastep</surname>
      </author>
    </authorgroup>

    <pubdate>2006-03-10</pubdate>

    <copyright>
      <year>2001-2006</year>

      <holder>Thomas M. Eastep</holder>
    </copyright>

    <legalnotice>
      <para>Permission is granted to copy, distribute and/or modify this
      document under the terms of the GNU Free Documentation License, Version
      1.2 or any later version published by the Free Software Foundation; with
      no Invariant Sections, with no Front-Cover, and with no Back-Cover
      Texts. A copy of the license is included in the section entitled
      <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
      License</ulink></quote>.</para>
    </legalnotice>
  </articleinfo>

  <section>
    <title>My Current Network</title>

    <caution>
      <para>I use a combination of one-to-one NAT and Xen paravirtualization,
      neither of which is relevant to a simple configuration with a single
      public IP address. If you have just one public IP address, most of
      what you see here won't apply to your setup, so beware of copying parts
      of this configuration and expecting them to work for you; what you copy
      may or may not work in your environment.</para>
    </caution>

    <caution>
      <para>The configuration shown here corresponds to Shorewall version
      3.0.3. My configuration uses features not available in earlier Shorewall
      releases.</para>
    </caution>

    <para>I have DSL service with 5 static IP addresses (206.124.146.176-180).
    My DSL <quote>modem</quote> (<ulink
    url="http://www.westell.com/pages/index.jsp">Westell</ulink> 2200) is
    connected to eth2 and has IP address 192.168.1.1 (factory default). The
    modem is configured in <quote>bridge</quote> mode so PPPoE is not
    involved. I have a local network connected to eth1 which is bridged to
    interface tun0 via bridge br0 (subnet 192.168.1.0/24) and a wireless
    network (192.168.3.0/24) connected to eth0.</para>

    <para>In this configuration:</para>

    <itemizedlist>
      <listitem>
        <para>I use one-to-one NAT for
        <quote><emphasis>Ursa</emphasis></quote> (my personal system, which
        runs SuSE 10.0) - internal address 192.168.1.5 and external address
        206.124.146.178.</para>
      </listitem>

      <listitem>
        <para>I use one-to-one NAT for
        <quote><emphasis>lists</emphasis></quote> (my server system, which
        runs SuSE 10.0 in a Xen virtual system on
        <emphasis>Ursa</emphasis>) - internal address 192.168.1.7 and external
        address 206.124.146.177.</para>
      </listitem>

      <listitem>
        <para>I use one-to-one NAT for
        <quote><emphasis>Eastepnc6000</emphasis></quote> (my work system --
        Windows XP SP1/SuSE 10.0) - internal address 192.168.1.6 and external
        address 206.124.146.180.</para>
      </listitem>
    </itemizedlist>

    <itemizedlist>
      <listitem>
        <para>I use SNAT through 206.124.146.179 for my wife's Windows XP
        system <quote><emphasis>Tarry</emphasis></quote> and our SuSE 10.0
        laptop <quote><emphasis>Tipper</emphasis></quote>, which connects
        through the wireless access point (wap).</para>
      </listitem>
    </itemizedlist>

    <para>The firewall runs on a 1.4 GHz Celeron under SuSE 10.0.</para>

    <para><emphasis>Ursa</emphasis> runs Samba for file sharing with the
    Windows systems and is configured as a Wins server.</para>

    <para>The wireless network connects to the firewall's eth0 via a Linksys
    WAP11. In addition to the rather weak 40-bit WEP encryption (64-bit if
    you count the 24-bit IV), I use <ulink
    url="MAC_Validation.html">MAC verification</ulink> and <ulink
    url="OPENVPN.html#Bridge">OpenVPN in bridge mode</ulink>.</para>

    <para>The server runs <ulink
    url="http://www.postfix.org">Postfix</ulink>, <ulink
    url="http://www.courier-mta.org/imap/">Courier IMAP</ulink> (imap and
    imaps), <ulink url="http://www.isc.org/sw/bind/">DNS (Bind 9)</ulink>, a
    <ulink url="http://www.apache.org">Web server (Apache)</ulink> and an
    <ulink url="http://www.pureftpd.org/">FTP server
    (Pure-ftpd)</ulink>.</para>

    <para>The firewall system itself runs a <ulink
    url="http://www.isc.org/sw/dhcp/">DHCP server</ulink> that serves the
    local and wireless networks.</para>

    <para>All administration and publishing are done using ssh/scp. I have a
    desktop environment installed on the firewall but I usually don't start
    it; X applications tunnel through SSH to <emphasis>Ursa</emphasis> or one
    of the laptops. The server also has a desktop environment installed but it
    is never started. For the most part, X tunneled through SSH is used for
    server administration, and the server runs at run level 3 (multi-user
    console mode on SuSE).</para>

    <para>In addition to the OpenVPN bridge, the firewall hosts an OpenVPN
    Tunnel server for VPN access from our second home in <ulink
    url="http://www.omakchamber.com/">Omak, Washington</ulink> or when we are
    otherwise out of town.</para>

    <para><graphic align="center" fileref="images/network.png" /><note>
        <para><emphasis>Eastepnc6000</emphasis> is shown in both the local LAN
        and in the Wifi zone with IP address 192.168.1.6 -- clearly, the
        computer can only be in one place or the other.
        <emphasis>Tipper</emphasis> can also be in either place and will have
        the IP address 192.168.1.8 regardless.</para>
      </note></para>
  </section>

  <section>
    <title>Ursa (Xen) Configuration</title>

    <para>Ursa runs two Xen domains. Domain 0 is my personal Linux desktop
    environment; any other domains make up my DMZ. There is currently only
    one system (lists) in the DMZ.</para>

    <graphic align="center" fileref="images/Xen3.png" />

    <para>Ursa's Shorewall configuration is described in <ulink
    url="Xen.html">the article about Xen and Shorewall</ulink>.</para>

    <para>About the only thing that is unique about the configuration of
    Domain 1 (lists) is that its (virtualized) eth0 has two addresses:</para>

    <itemizedlist>
      <listitem>
        <para>192.168.1.7/24</para>
      </listitem>

      <listitem>
        <para>206.124.146.177/32</para>
      </listitem>
    </itemizedlist>

    <para>This keeps the DNS server from getting confused by the fact that
    its two views list different IP addresses (the internal and external
    addresses above) for the primary name server of the domain
    shorewall.net.</para>
  </section>

  <section>
    <title>Firewall Configuration</title>

    <section>
      <title>Shorewall.conf</title>

      <blockquote>
        <programlisting>STARTUP_ENABLED=Yes
LOGFILE=/var/log/messages
LOGFORMAT="Shorewall:%s:%s:"
LOGTAGONLY=No
LOGRATE=
LOGBURST=
LOGALLNEW=
BLACKLIST_LOGLEVEL=
MACLIST_LOG_LEVEL=$LOG
TCP_FLAGS_LOG_LEVEL=$LOG
RFC1918_LOG_LEVEL=$LOG
SMURF_LOG_LEVEL=$LOG
LOG_MARTIANS=No
IPTABLES=
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
SHOREWALL_SHELL=/bin/dash
SUBSYSLOCK=
MODULESDIR=
CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
RESTOREFILE=standard
IPSECFILE=zones
FW=
IP_FORWARDING=On
ADD_IP_ALIASES=No
ADD_SNAT_ALIASES=No
RETAIN_ALIASES=Yes
TC_ENABLED=Internal
CLEAR_TC=Yes
MARK_IN_FORWARD_CHAIN=Yes
CLAMPMSS=Yes
ROUTE_FILTER=No
DETECT_DNAT_IPADDRS=Yes
MUTEX_TIMEOUT=60
ADMINISABSENTMINDED=Yes
BLACKLISTNEWONLY=Yes
DELAYBLACKLISTLOAD=No
MODULE_SUFFIX=
DISABLE_IPV6=Yes
BRIDGING=No
DYNAMIC_ZONES=No
PKTTYPE=No
RFC1918_STRICT=Yes
MACLIST_TTL=60
SAVE_IPSETS=No
MAPOLDACTIONS=No
FASTACCEPT=No
BLACKLIST_DISPOSITION=DROP
MACLIST_TABLE=mangle
MACLIST_DISPOSITION=DROP
TCP_FLAGS_DISPOSITION=DROP</programlisting>
      </blockquote>
    </section>

    <section>
      <title>Params File (Edited)</title>

      <blockquote>
        <para><programlisting>NTPSERVERS=&lt;list of NTP server IP addresses&gt;
POPSERVERS=&lt;list of external POP3 servers accessed by fetchmail running on the DMZ server&gt;
LOG=info
WIFI_IF=eth0
EXT_IF=eth2
INT_IF=br0
OMAK=&lt;ip address of the gateway at our second home&gt;
MIRRORS=&lt;list IP addresses of Shorewall mirrors&gt;</programlisting></para>
      </blockquote>
    </section>

    <section>
      <title>Zones File</title>

      <blockquote>
        <programlisting>#ZONE   TYPE   OPTIONS                 IN                 OUT
#                                      OPTIONS            OPTIONS
fw      firewall
net     ipv4
loc     ipv4
dmz:loc ipv4
vpn     ipv4
Wifi    ipv4
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
      </blockquote>
    </section>

    <section>
      <title>Interfaces File</title>

      <blockquote>
        <programlisting>#ZONE   INTERFACE       BROADCAST               OPTIONS
net     $EXT_IF         206.124.146.255         dhcp,norfc1918,logmartians,blacklist,tcpflags,nosmurfs
loc     $INT_IF         detect                  dhcp,routeback
vpn     tun+            -
Wifi    $WIFI_IF        -                       dhcp,maclist
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
      </blockquote>
    </section>

    <section>
      <title>Hosts File</title>

      <para>This file is used to define the dmz zone -- the single (virtual)
      system with internal IP address 192.168.1.7.</para>

      <blockquote>
        <programlisting>#ZONE   HOST(S)                                 OPTIONS
dmz     $INT_IF:192.168.1.7
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE
</programlisting>
      </blockquote>
    </section>

    <section>
      <title>Routestopped File</title>

      <blockquote>
        <programlisting>#INTERFACE      HOST(S)         OPTIONS
$INT_IF         -               source,dest
$WIFI_IF        -               source,dest
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
      </blockquote>
    </section>

    <section>
      <title>Providers File</title>

      <blockquote>
        <para>This entry isn't necessary but it allows me to smoke test
        parsing of the providers file.</para>

        <programlisting>#NAME   NUMBER  MARK    DUPLICATE       INTERFACE       GATEWAY         OPTIONS                 COPY
Blarg   1       1       main            $EXT_IF         206.124.146.254 track,balance=1         $INT_IF,$WIFI_IF,tun0
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
</programlisting>
      </blockquote>
    </section>

    <section>
      <title>Blacklist File (Edited)</title>

      <blockquote>
        <para>I blacklist a number of ports globally to cut down on the amount
        of noise in my firewall log. Note that the syntax shown below was
        introduced in Shorewall 3.0.3 ("-" in the ADDRESS/SUBNET column);
        earlier versions must use "0.0.0.0/0".</para>

        <programlisting>#ADDRESS/SUBNET         PROTOCOL        PORT
-                       udp             1024:1033
-                       tcp             57,1433,1434,2401,2745,3127,3306,3410,4899,5554,6101,8081,9898
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
      </blockquote>
    </section>

    <section>
      <title>RFC1918 File</title>

      <blockquote>
        <para>Because my DSL modem has an RFC 1918 address (192.168.1.1) and
        is reached through the external interface (eth2), which has the
        <emphasis>norfc1918</emphasis> option, I need to make an exception
        for that address in my rfc1918 file; otherwise packets from the modem
        would be logged and dropped. I copied /usr/share/shorewall/rfc1918 to
        /etc/shorewall/rfc1918 and changed it as follows (the exception must
        come before the 192.168.0.0/16 entry, since the first matching line
        wins):</para>

        <programlisting>#SUBNET           TARGET
<emphasis role="bold">192.168.1.1       RETURN</emphasis>
172.16.0.0/12     logdrop        # RFC 1918
192.168.0.0/16    logdrop        # RFC 1918
10.0.0.0/8        logdrop        # RFC 1918
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
</programlisting>
      </blockquote>
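      <para>As an added check for this ordering (example code written for
      this page, not part of Shorewall): the rfc1918 file is a first-match
      table, so the RETURN exception for the modem only works because it
      precedes the 192.168.0.0/16 entry. The script below walks the table in
      file order to give the verdict for a few source addresses, and reports
      any entry that an earlier, wider entry shadows, which is exactly what
      you get by appending the exception at the end instead. The table
      contents are copied from above; the test addresses are made up. It uses
      only the Python standard library (ipaddress.subnet_of needs Python 3.7
      or later).</para>

      <programlisting><![CDATA[
```python
"""First-match evaluation and shadow check for a Shorewall rfc1918 table.

Added example for this page, not Shorewall code. It reproduces one
property of the rfc1918 file: the first SUBNET containing the source
address decides the TARGET, so an exception (RETURN) is dead if a wider
entry precedes it.
"""
import ipaddress

# /etc/shorewall/rfc1918 as shown above, in file order: (SUBNET, TARGET).
RFC1918_TABLE = [
    ("192.168.1.1", "RETURN"),      # the DSL modem, reached through $EXT_IF
    ("172.16.0.0/12", "logdrop"),
    ("192.168.0.0/16", "logdrop"),
    ("10.0.0.0/8", "logdrop"),
]


def _nets(table):
    return [ipaddress.ip_network(subnet, strict=False) for subnet, _ in table]


def first_match(table, src_ip):
    """TARGET of the first entry whose SUBNET contains src_ip, or None."""
    addr = ipaddress.ip_address(src_ip)
    for (_, target), net in zip(table, _nets(table)):
        if addr in net:
            return target
    return None


def rfc1918_verdict(src_ip, table=RFC1918_TABLE):
    """'drop' if the norfc1918 check on the net interface would discard a
    packet from src_ip, else 'continue' (RETURN, or not RFC 1918 at all)."""
    target = first_match(table, src_ip)
    return "continue" if target in (None, "RETURN") else "drop"


def shadowed_entries(table):
    """Entries that can never match because an earlier SUBNET contains them.

    Returns a list of (index, subnet, shadowed_by) tuples; an empty list
    means every line in the table is reachable.
    """
    nets = _nets(table)
    shadowed = []
    for i, net in enumerate(nets):
        for j in range(i):
            if net.subnet_of(nets[j]):
                shadowed.append((i, str(net), str(nets[j])))
                break
    return shadowed


def exception_last(table):
    """The same table with the RETURN line moved to the end: the mistake
    of appending the exception instead of putting it first."""
    exceptions = [entry for entry in table if entry[1] == "RETURN"]
    others = [entry for entry in table if entry[1] != "RETURN"]
    return others + exceptions


if __name__ == "__main__":
    # Constructed test addresses: the modem, another 192.168 host, a 10/8
    # host and a public address.
    for ip in ("192.168.1.1", "192.168.1.77", "10.9.8.7", "206.124.146.1"):
        print(ip, rfc1918_verdict(ip))
    print("shadowed (file order):", shadowed_entries(RFC1918_TABLE))
    print("shadowed (exception last):",
          shadowed_entries(exception_last(RFC1918_TABLE)))
```
]]></programlisting>

      <para>With the file order shown above nothing is shadowed and the modem
      gets <quote>continue</quote>; with the exception moved to the end,
      shadowed_entries reports it as dead and the modem is dropped, which is
      the symptom you would see in the log as RFC1918 drops for
      192.168.1.1.</para>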
    </section>

    <section>
      <title>Policy File</title>

      <blockquote>
        <programlisting>#SOURCE         DESTINATION     POLICY          LOG LEVEL       BURST:LIMIT
$FW             $FW             ACCEPT
loc             net             ACCEPT
$FW             vpn             ACCEPT
vpn             net             ACCEPT
vpn             loc             ACCEPT
fw              Wifi            ACCEPT
loc             vpn             ACCEPT
$FW             loc             ACCEPT          #Firewall to Local
loc             $FW             REJECT          $LOG
net             all             DROP            $LOG            10/sec:40
all             all             REJECT          $LOG
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
      </blockquote>
    </section>

    <section>
      <title>Masq File</title>

      <blockquote>
        <para>Although most of our internal systems use one-to-one NAT, my
        wife's system (192.168.1.4) uses IP Masquerading (actually SNAT) as do
        our wireless network systems and visitors with laptops.</para>

        <para>The first entry allows access to the DSL modem and uses features
        introduced in Shorewall 2.1.1. The leading plus sign ("+") causes the
        rule to be placed before the rules generated by the /etc/shorewall/nat
        file below, so traffic to the modem is SNATed to 192.168.1.254 before
        the one-to-one NAT entries can rewrite its source address.</para>

        <programlisting>#INTERFACE              SUBNET          ADDRESS         PROTO   PORT(S) IPSEC
+$EXT_IF:192.168.1.1    0.0.0.0/0       192.168.1.254
$EXT_IF                 192.168.0.0/22  206.124.146.179
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
</programlisting>
      </blockquote>
    </section>

    <section>
      <title>NAT File</title>

      <blockquote>
        <programlisting>#EXTERNAL               INTERFACE       INTERNAL        ALL             LOCAL
#                                                       INTERFACES
206.124.146.177         $EXT_IF         192.168.1.7     No              No
206.124.146.178         $EXT_IF         192.168.1.5     No              No
206.124.146.180         $EXT_IF         192.168.1.6     No              No
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
</programlisting>
      </blockquote>
    </section>

    <section>
      <title>Tunnels</title>

      <blockquote>
        <programlisting>#TYPE                   ZONE    GATEWAY         GATEWAY ZONE    PORT
openvpnserver:1194      net     0.0.0.0/0
openvpnserver:1194      Wifi    192.168.3.0/24
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
      </blockquote>
    </section>

    <section id="Actions">
      <title>Actions File</title>

      <blockquote>
        <para>The Limit action is described in a <ulink
        url="PortKnocking.html#Limit">separate article</ulink>.</para>

        <programlisting>#ACTION
Mirrors             #Accept traffic from the Shorewall Mirror sites
Limit               #Limit connection rate from each individual Host
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
      </blockquote>
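        <para>The rules file below applies this action as
        <literal>Limit:$LOG:SSHA,3,60</literal> to SSH from the Internet. As
        an added illustration of what that rate limit does (example code
        written for this page, not Shorewall's action.Limit), the script
        below models the meaning assumed here: at most 3 new connections
        from one source address in any 60-second window, with a refused
        attempt still counting toward the window, as the iptables recent
        match does when the drop rule uses --update. The SSH connection
        attempts and their addresses are constructed for the example.</para>

        <programlisting><![CDATA[
```python
"""Per-source connection-rate limit, as the Limit action is used above.

Added example for this page, not Shorewall's action.Limit. Assumed
semantics of 'Limit:$LOG:SSHA,3,60': at most 3 new connections from one
source address in any 60-second window; a refused attempt still counts
toward the window (iptables recent match with --update on the drop rule).
The connection attempts at the bottom are constructed for the example.
"""
from collections import defaultdict, deque


class HostRateLimit:
    """One 'recent' list: per-source timestamps of recent connection attempts."""

    def __init__(self, name, count, seconds):
        self.name = name                  # list name, e.g. SSHA
        self.count = count                # attempts allowed per window
        self.seconds = seconds            # window length in seconds
        self.seen = defaultdict(deque)    # source ip -> attempt timestamps

    def check(self, src_ip, now):
        """Verdict for a new connection from src_ip at time now (seconds)."""
        window = self.seen[src_ip]
        # Forget attempts that fell out of the window.
        while window and now - window[0] >= self.seconds:
            window.popleft()
        verdict = "ACCEPT" if len(window) < self.count else "DROP"
        window.append(now)                # refused attempts count too
        return verdict


def replay(attempts, count=3, seconds=60, name="SSHA"):
    """Run (time, src_ip) attempts in time order; return (time, src_ip, verdict)."""
    limiter = HostRateLimit(name, count, seconds)
    return [(t, ip, limiter.check(ip, t)) for t, ip in sorted(attempts)]


def verdicts(attempts, **kw):
    """Just the verdict column of replay(), in time order."""
    return [v for _, _, v in replay(attempts, **kw)]


# Constructed: a password guesser at 203.0.113.9 and one legitimate user
# at 198.51.100.5 (both documentation addresses, not real hosts).
ATTEMPTS = [
    (0, "203.0.113.9"), (5, "203.0.113.9"), (10, "203.0.113.9"),
    (15, "203.0.113.9"),    # fourth attempt inside 60 s: dropped
    (20, "198.51.100.5"),   # unrelated host, separate counter: accepted
    (50, "203.0.113.9"),    # 0, 5, 10, 15 still in the window: dropped
    (66, "203.0.113.9"),    # 0 and 5 expired, but 10, 15, 50 remain: dropped
    (76, "203.0.113.9"),    # only 50 and 66 remain: accepted again
]

if __name__ == "__main__":
    for t, ip, v in replay(ATTEMPTS):
        print("t=%3d %-14s %s" % (t, ip, v))
```
]]></programlisting>

        <para>The attempt at t=66 is the one to look at: the refused attempt
        at t=50 keeps the window full, so the guesser stays locked out for
        longer than 60 seconds after its third connection. If you would
        rather count only accepted connections, drop the refused attempts
        instead of appending them.</para>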
    </section>

    <section>
      <title>action.Mirrors File</title>

      <blockquote>
        <para>$MIRRORS is set in <filename>/etc/shorewall/params</filename>
        above.</para>

        <programlisting>#TARGET  SOURCE         DEST            PROTO   DEST    SOURCE     ORIGINAL     RATE
#                                               PORT    PORT(S)    DEST         LIMIT
ACCEPT   $MIRRORS
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
      </blockquote>
    </section>

    <section>
      <title>Accounting File</title>

      <blockquote>
        <programlisting>#ACTION CHAIN   SOURCE          DESTINATION                                     PROTO   DEST            SOURCE  USER/
#                                                                                       PORT(S)         PORT(S) GROUP
hp:COUNT        accounting      $EXT_IF                 $INT_IF:192.168.1.6     UDP
hp:COUNT        accounting      $INT_IF:192.168.1.6     $EXT_IF                 UDP
DONE            hp

mail:COUNT      -               $EXT_IF                 $INT_IF:192.168.1.7     tcp     25
mail:COUNT      -               $INT_IF:192.168.1.7     $EXT_IF                 tcp     25
DONE            mail

web             -               $EXT_IF                 $INT_IF:192.168.1.7     tcp     80
web             -               $EXT_IF                 $INT_IF:192.168.1.7     tcp     443
web             -               $INT_IF:192.168.1.7     $EXT_IF                 tcp     80
web             -               $INT_IF:192.168.1.7     $EXT_IF                 tcp     443

COUNT           web             $EXT_IF                 $INT_IF:192.168.1.7
COUNT           web             $INT_IF:192.168.1.7     $EXT_IF
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
      </blockquote>
    </section>

    <section>
      <title>Rules File (The shell variables are set in
      /etc/shorewall/params)</title>

      <blockquote>
        <programlisting>SECTION NEW
###############################################################################################################################################################################
#ACTION         SOURCE                          DEST                    PROTO   DEST                                    SOURCE          ORIGINAL        RATE    USER/
#                                                                               PORT                                    PORT(S)         DEST            LIMIT   GROUP
###############################################################################################################################################################################
REJECT:$LOG     loc                             net                     tcp     25
REJECT:$LOG     loc                             net                     udp     1025:1031
#
# Stop NETBIOS crap
#
REJECT          loc                             net                     tcp     137,445
REJECT          loc                             net                     udp     137:139
#
# Stop my idiotic work laptop from sending to the net with an HP source/dest IP address
#
DROP            loc:!192.168.0.0/22             net
DROP            Wifi                            net:15.0.0.0/8
DROP            Wifi                            net:16.0.0.0/8
###############################################################################################################################################################################
# Local Network to Firewall
#
DROP            loc:!192.168.0.0/22             fw                      # Silently drop traffic with an HP source IP from my XP box
Limit:$LOG:SSHA,3,60\
                loc                             fw                      tcp     22
ACCEPT          loc                             fw                      tcp     time,631,8080
ACCEPT          loc                             fw                      udp     161,ntp,631
ACCEPT          loc:192.168.1.5                 fw                      udp     111
DROP            loc                             fw                      tcp     3185          #SuSE Meta pppd
Ping/ACCEPT     loc                             fw
###############################################################################################################################################################################
# Local Network to Wireless
#
Ping/ACCEPT     loc                             Wifi
###############################################################################################################################################################################
# Insecure Wireless to DMZ
#
ACCEPT          Wifi                            dmz                     udp     domain
ACCEPT          Wifi                            dmz                     tcp     domain
###############################################################################################################################################################################
# Insecure Wireless to Internet
#
ACCEPT          Wifi                            net                     udp     500
ACCEPT          Wifi                            net                     udp     4500
ACCEPT          Wifi:192.168.3.9                net                     all
Ping/ACCEPT     Wifi                            net
###############################################################################################################################################################################
# Insecure Wireless to Firewall
#
SSH/ACCEPT      Wifi                            fw
###############################################################################################################################################################################
# Road Warriors to Firewall
#
ACCEPT            vpn                             fw                      tcp     ssh,time,631,8080
ACCEPT            vpn                             fw                      udp     161,ntp,631
Ping/ACCEPT       vpn                             fw
###############################################################################################################################################################################
# Road Warriors to DMZ
#
ACCEPT            vpn                             dmz                     udp     domain
ACCEPT            vpn                             dmz                     tcp     www,smtp,smtps,domain,ssh,imap,https,imaps,ftp,10023,pop3       -
Ping/ACCEPT       vpn                             dmz
###############################################################################################################################################################################
# Local network to DMZ
#
ACCEPT            loc                             dmz                     udp     domain
ACCEPT            loc                             dmz                     tcp     ssh,smtps,www,ftp,imaps,domain,https	-
ACCEPT            loc                             dmz                     tcp     smtp
ACCEPT            loc                             dmz                     udp     33434:33454
###############################################################################################################################################################################
# Internet to ALL -- drop NewNotSyn packets
#
dropNotSyn      net             fw              tcp
dropNotSyn      net             loc             tcp
dropNotSyn      net             dmz             tcp
###############################################################################################################################################################################
# Internet to DMZ
#
ACCEPT          net                             dmz                     udp     domain
LOG:$LOG        net:64.126.128.0/18             dmz                     tcp     smtp
ACCEPT          net                             dmz                     tcp     smtps,www,ftp,imaps,domain,https        -
ACCEPT          net                             dmz                     tcp     smtp                                    -               206.124.146.177,206.124.146.178
ACCEPT          net                             dmz                     udp     33434:33454
Mirrors         net                             dmz                     tcp     rsync
Limit:$LOG:SSHA,3,60\
                net                             dmz                     tcp     22
Ping/ACCEPT     net                             dmz
###############################################################################################################################################################################
#
# Net to Local
#
##########################################################################################
# Test Server
#
ACCEPT          net                             loc:192.168.1.9         tcp     80
ACCEPT          net                             loc:192.168.1.9         tcp     443
ACCEPT          net                             loc:192.168.1.9         tcp     21
Ping/ACCEPT     net                             loc:192.168.1.9
#
# When I'm "on the road", the following two rules allow me VPN access back home using PPTP.
#
DNAT            net                             loc:192.168.1.4         tcp     1723
DNAT            net                             loc:192.168.1.4         gre
#
# Roadwarrior access to Ursa
#
ACCEPT          net:$OMAK                       loc                     tcp     22
Limit:$LOG:SSHA,3,60\
                net                             loc                     tcp     22
#
# ICQ
#
ACCEPT          net                             loc:192.168.1.5         tcp     113,4000:4100
#
# Bittorrent
#
ACCEPT          net                             loc:192.168.1.5         tcp     6881:6889,6969
ACCEPT          net                             loc:192.168.1.5         udp     6881:6889,6969
#
# Real Audio
#
ACCEPT          net                             loc:192.168.1.5         udp     6970:7170
#
# Overnet
#
#ACCEPT         net                             loc:192.168.1.5         tcp     4662
#ACCEPT         net                             loc:192.168.1.5         udp     12112
#
# OpenVPN
#
ACCEPT          net                             loc:192.168.1.5         udp     1194
#
# Skype
#
ACCEPT          net                             loc:192.168.1.6         tcp     1194
#
# Silently Handle common probes
#
REJECT          net                             loc                     tcp     www,ftp,https
DROP            net                             loc                     icmp    8
###############################################################################################################################################################################
# DMZ to Internet
#
ACCEPT          dmz                             net                     udp     domain,ntp
ACCEPT          dmz                             net                     tcp     echo,ftp,ssh,smtp,whois,domain,www,81,https,cvspserver,2702,2703,8080
ACCEPT          dmz                             net:$POPSERVERS         tcp     pop3
Ping/ACCEPT     dmz                             net
#
# Some FTP clients seem prone to sending the PORT command split over two packets. This prevents the FTP connection tracking
# code from processing the command  and setting up the proper expectation. The following rule allows active FTP to work in these cases
# but logs the connection so I can keep an eye on this potential security hole.
#
ACCEPT:$LOG     dmz                             net                     tcp     1024:                                   20
###############################################################################################################################################################################
# DMZ to Firewall -- ntp &amp; snmp, Silently reject Auth
#
ACCEPT          dmz                             fw                      udp     ntp                                     ntp
ACCEPT          dmz                             fw                      tcp     161,ssh
ACCEPT          dmz                             fw                      udp     161
REJECT          dmz                             fw                      tcp     auth
Ping/ACCEPT     dmz                             fw
###############################################################################################################################################################################
# Internet to Firewall
#
REJECT          net                             fw                      tcp     www,ftp,https
DROP            net                             fw                      icmp    8
ACCEPT          net                             fw                      udp     33434:33454
ACCEPT          net:$OMAK                       fw                      udp     ntp
ACCEPT          net                             fw                      tcp     auth
ACCEPT          net:$OMAK                       fw                      tcp     22
Limit:$LOG:SSHA,3,60\
                net                             fw                      tcp     22
###############################################################################################################################################################################
# Firewall to Internet
#
ACCEPT          fw                              net:$NTPSERVERS         udp     ntp                                     ntp
#ACCEPT         fw                              net:$POPSERVERS         tcp     pop3
ACCEPT          fw                              net                     udp     domain
ACCEPT          fw                              net                     tcp     domain,www,https,ssh,1723,whois,1863,ftp,2702,2703,7
ACCEPT          fw                              net                     udp     33435:33535
ACCEPT          fw                              net                     icmp
REJECT:$LOG     fw                              net                     udp     1025:1031
DROP            fw                              net                     udp     ntp
Ping/ACCEPT     fw                              net
###############################################################################################################################################################################
# Firewall to DMZ
#
ACCEPT          fw                              dmz                     tcp     domain,www,ftp,ssh,smtp,993,465
ACCEPT          fw                              dmz                     udp     domain
REJECT          fw                              dmz                     udp     137:139
Ping/ACCEPT     fw                              dmz
###############################################################################################################################################################################
# Firewall to Insecure Wireless
#
Ping/ACCEPT     fw                              Wifi
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
</programlisting>
      </blockquote>
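      <para>The comment above the <literal>ACCEPT:$LOG dmz net tcp 1024:
      20</literal> rule explains why that rule exists: when a client splits
      the PORT command over two packets, the FTP connection-tracking helper
      cannot see a complete command and never sets up the expectation that
      would make the server's data connection RELATED. As an added
      illustration (example code written for this page, not netfilter code),
      the script below runs two toy parsers over the same control-channel
      payloads: one that looks at each TCP segment on its own, like a helper
      that does not reassemble, and one that joins the segments first. The
      payloads and the client address 198.51.100.23 are constructed for the
      example.</para>

      <programlisting><![CDATA[
```python
"""PORT command split across TCP segments vs. the FTP conntrack helper.

Added example for this page, not netfilter code. Two toy parsers read the
same FTP control-channel payloads: one looks at each segment on its own
(a helper that does not reassemble), the other joins the in-order
segments first. The payloads are constructed; the client address
198.51.100.23 is made up for the example.
"""
import re

# "PORT h1,h2,h3,h4,p1,p2\r\n": the client's address and listening port.
PORT_RE = re.compile(rb"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n")


def decode_port(match):
    """Six PORT octets to (ip, port); the port is p1 * 256 + p2."""
    h1, h2, h3, h4, p1, p2 = (int(x) for x in match.groups())
    return ("%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2)


def expectations_per_segment(segments):
    """Expectations a helper would create if it parsed each segment alone."""
    return [decode_port(m) for seg in segments for m in PORT_RE.finditer(seg)]


def expectations_reassembled(segments):
    """Same, after joining the segments in order (stream reassembly)."""
    return [decode_port(m) for m in PORT_RE.finditer(b"".join(segments))]


def data_connection_state(segments, client_ip, client_port):
    """How the server's active-mode data connection (source port 20) to
    client_ip:client_port looks to the DMZ-to-Internet rules above.

    RELATED: the helper parsed PORT and set up an expectation.
    NEW/logged: no expectation, so the connection is NEW; for destination
    ports 1024 and up the explicit 'ACCEPT:$LOG dmz net tcp 1024: 20'
    rule admits it and logs it.
    NEW/unmatched: NEW to a port below 1024, which that rule does not
    cover, so it is left to the remaining rules and policy.
    """
    if (client_ip, client_port) in expectations_per_segment(segments):
        return "RELATED"
    return "NEW/logged" if client_port >= 1024 else "NEW/unmatched"


# Constructed control-channel payloads carrying the same command.
WHOLE = [b"PORT 198,51,100,23,4,1\r\n"]          # one segment
SPLIT = [b"PORT 198,51,", b"100,23,4,1\r\n"]     # split mid-command

if __name__ == "__main__":
    print("whole, per segment :", expectations_per_segment(WHOLE))
    print("split, per segment :", expectations_per_segment(SPLIT))
    print("split, reassembled :", expectations_reassembled(SPLIT))
    print("data connection    :", data_connection_state(SPLIT, "198.51.100.23", 1025))
```
]]></programlisting>

      <para>The split case yields no expectation from the per-segment
      parser, so the server's connection from port 20 to 198.51.100.23:1025
      arrives as NEW and is only admitted by the logged fallback rule; the
      reassembling parser finds the same command. That fallback is the
      <quote>potential security hole</quote> the comment refers to: any
      process on the DMZ host that can bind source port 20 may reach any
      high port on the Internet through it, which is why the rule logs.</para>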
    </section>

    <section>
      <title>/etc/shorewall/tcdevices</title>

      <blockquote>
        <programlisting>#INTERFACE      IN-BANDWIDTH    OUT-BANDWIDTH
$EXT_IF         1.5mbit         384kbit
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
      </blockquote>
    </section>

    <section>
      <title>/etc/shorewall/tcclasses</title>

      <blockquote>
        <para>My traffic shaping configuration is basically the "WonderShaper"
        <ulink
        url="http://www1.shorewall.net/pub/shorewall/Samples/tc4shorewall">example
        from tc4shorewall</ulink> with a little tweaking.</para>

        <programlisting>#INTERFACE      MARK    RATE            CEIL            PRIORITY        OPTIONS
$EXT_IF         10      full            full            1               tcp-ack,tos-minimize-delay
$EXT_IF         20      9*full/10       9*full/10       2               default
$EXT_IF         30      6*full/10       6*full/10       3
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
      </blockquote>
    </section>

    <section>
      <title>/etc/shorewall/tcrules</title>

      <blockquote>
        <para>I give full bandwidth to my local systems -- the server gets
        throttled and rsync gets throttled even more.</para>

        <note>
          <para>The class id for tc4shorewall-generated classes is
          &lt;<emphasis>device number</emphasis>&gt;:&lt;<emphasis>100 + mark
          value</emphasis>&gt; where the first device in
          <filename>/etc/shorewall/tcdevices</filename> is device number 1,
          the second is device number 2 and so on. The rules below use the
          Netfilter CLASSIFY target to classify the traffic directly, so the
          MARK column holds a class id such as 1:130 rather than a mark
          value, without having to first mark then classify based on the
          marks.</para>
        </note>

        <programlisting>#MARK           SOURCE                  DEST            PROTO   PORT(S) CLIENT  USER    TEST
#                                                                       PORT(S)
1:110           192.168.0.0/22          $EXT_IF
1:130           206.124.146.177         $EXT_IF         tcp     -       873 #Rsync to the Mirrors
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>

        <para>Here is the output of <command>shorewall show tc</command> while
        the Shorewall mirrors were receiving updates via rsync and the link
        was otherwise idle. Note the rate limiting imposed by class 1:130
        (mark 30): its rate sits at the 230000bit ceiling and it is carrying a
        backlog of 18 packets, while classes 1:110 and 1:120 are nearly
        idle.</para>

        <programlisting>Shorewall-3.0.0-RC2 Traffic Control at gateway - Sat Oct 22 09:11:26 PDT 2005

...

Device eth2:
qdisc htb 1: r2q 10 default 120 direct_packets_stat 2 ver 3.17
 Sent 205450106 bytes 644093 pkts (dropped 0, overlimits 104779)
 backlog 20p
qdisc ingress ffff: ----------------
 Sent 160811382 bytes 498294 pkts (dropped 37, overlimits 0)
qdisc sfq 110: parent 1:110 limit 128p quantum 1514b flows 128/1024 perturb 10sec
 Sent 81718034 bytes 417516 pkts (dropped 0, overlimits 0)
qdisc sfq 120: parent 1:120 limit 128p quantum 1514b flows 128/1024 perturb 10sec
 Sent 61224535 bytes 177773 pkts (dropped 0, overlimits 0)
qdisc sfq 130: parent 1:130 limit 128p quantum 1514b flows 128/1024 perturb 10sec
 Sent 62507157 bytes 48802 pkts (dropped 0, overlimits 0)
 backlog 20p
class htb 1:110 parent 1:1 leaf 110: prio 1 quantum 4915 rate 384000bit ceil 384000bit burst 1791b/8 mpu 0b overhead 0b cburst 1791b/8 mpu 0b overhead 0b level 0
 Sent 81718034 bytes 417516 pkts (dropped 0, overlimits 0)
 rate 424bit
 lended: 417516 borrowed: 0 giants: 0
 tokens: 36864 ctokens: 36864

class htb 1:1 root rate 384000bit ceil 384000bit burst 1791b/8 mpu 0b overhead 0b cburst 1791b/8 mpu 0b overhead 0b level 7
 Sent 205422474 bytes 644073 pkts (dropped 0, overlimits 0)
 rate 231568bit 19pps
 lended: 0 borrowed: 0 giants: 0
 tokens: -26280 ctokens: -26280

class htb 1:130 parent 1:1 leaf 130: prio 3 quantum 2944 rate 230000bit ceil 230000bit burst 1714b/8 mpu 0b overhead 0b cburst 1714b/8 mpu 0b overhead 0b level 0
 Sent 62507157 bytes 48802 pkts (dropped 0, overlimits 0)
 <emphasis role="bold">rate 230848bit 19pps backlog 18p</emphasis>
 lended: 48784 borrowed: 0 giants: 0
 tokens: -106401 ctokens: -106401

class htb 1:120 parent 1:1 leaf 120: prio 2 quantum 4416 rate 345000bit ceil 345000bit burst 1771b/8 mpu 0b overhead 0b cburst 1771b/8 mpu 0b overhead 0b level 0
 Sent 61224535 bytes 177773 pkts (dropped 0, overlimits 0)
 rate 1000bit
 lended: 177773 borrowed: 0 giants: 0
 tokens: 41126 ctokens: 41126

...</programlisting>
      </blockquote>
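        <para>The following Python script is an added example (not Shorewall's
        code and not part of the author's configuration) that resolves the
        <filename>tcdevices</filename> and <filename>tcclasses</filename>
        entries above, and the class ids used in <filename>tcrules</filename>,
        into the numbers that appear in the <command>shorewall show tc</command>
        output: class ids 1:110, 1:120 and 1:130, leaf qdisc handles 110:,
        120: and 130:, rates of 384000, 345000 and 230000 bit/s, and 1:120 as
        the htb default class. It assumes $EXT_IF expands to eth2, evaluates
        the RATE/CEIL expressions with integer arithmetic in kbit (which is
        what the reported 345000bit and 230000bit values imply), and renders
        <command>tc class add</command> lines only as an illustration of the
        resolved values, not as the commands Shorewall itself generates.</para>

```python
"""Resolve the tcdevices/tcclasses entries above into the class ids, leaf
qdisc handles and rates that appear in the 'shorewall show tc' output.
Added example, not Shorewall's own code."""
import ast
import operator
import re

# Constructed copies of the two files shown on this page, with $EXT_IF
# already expanded to eth2 (the device named in the show tc output).
TCDEVICES = """\
#INTERFACE      IN-BANDWIDTH    OUT-BANDWIDTH
eth2            1.5mbit         384kbit
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
"""

TCCLASSES = """\
#INTERFACE      MARK    RATE            CEIL            PRIORITY        OPTIONS
eth2            10      full            full            1               tcp-ack,tos-minimize-delay
eth2            20      9*full/10       9*full/10       2               default
eth2            30      6*full/10       6*full/10       3
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
"""

_UNIT_BITS = {"bit": 1, "kbit": 1000, "mbit": 1000000}

# The show tc output above reports 345000bit for 9*full/10 with full=384kbit,
# i.e. 345.6 truncated to 345: integer arithmetic in kbit (assumed here to be
# the shell arithmetic of Shorewall 3.0's tc scripts). Division is therefore
# floor division, and only the operators a RATE/CEIL expression needs are
# allowed; the expression is walked as an AST rather than handed to eval().
_OPS = {ast.Mult: operator.mul, ast.Div: operator.floordiv,
        ast.Add: operator.add, ast.Sub: operator.sub}


def to_kbit(bandwidth):
    """'384kbit' gives 384, '1.5mbit' gives 1500."""
    m = re.fullmatch(r"([0-9]+(?:\.[0-9]+)?)(bit|kbit|mbit)", bandwidth)
    if m is None:
        raise ValueError(f"bad bandwidth {bandwidth!r}")
    return int(float(m.group(1)) * _UNIT_BITS[m.group(2)]) // 1000


def eval_rate(expr, full):
    """Evaluate a RATE/CEIL expression such as '9*full/10' in kbit."""
    def walk(node):
        if isinstance(node, ast.Constant) and isinstance(node.value, int):
            return node.value
        if isinstance(node, ast.Name) and node.id == "full":
            return full
        if isinstance(node, ast.BinOp) and type(node.op) in _OPS:
            return _OPS[type(node.op)](walk(node.left), walk(node.right))
        raise ValueError(f"unsupported RATE/CEIL expression {expr!r}")
    return walk(ast.parse(expr, mode="eval").body)


def entries(text):
    """Fields of each non-blank, non-comment line."""
    return [line.split() for line in text.splitlines()
            if line.strip() and not line.startswith("#")]


def parse_tcdevices(text):
    """{interface: (device number, in kbit, out kbit)}; devices are numbered
    from 1 in file order, and that number is the major part of the class id."""
    return {iface: (n, to_kbit(inbw), to_kbit(outbw))
            for n, (iface, inbw, outbw) in enumerate(entries(text), start=1)}


def resolve_classes(tcdevices_text, tcclasses_text):
    """One dict per tcclasses entry with the numbers tc ends up seeing."""
    devices = parse_tcdevices(tcdevices_text)
    classes = []
    for fields in entries(tcclasses_text):
        iface, mark, rate, ceil, prio = fields[:5]
        options = fields[5].split(",") if len(fields) == 6 else []
        devnum, _in_kbit, full = devices[iface]      # 'full' is OUT-BANDWIDTH
        minor = 100 + int(mark)                      # class id minor = 100 + mark
        classes.append({
            "interface": iface,
            "classid": f"{devnum}:{minor}",
            "leaf_qdisc": f"{minor}:",                # the sfq attached to the class
            "rate_bit": eval_rate(rate, full) * 1000,
            "ceil_bit": eval_rate(ceil, full) * 1000,
            "prio": int(prio),
            "default": "default" in options,          # htb 'default' class
        })
    return classes


def tcrules_classid(tcdevices_text, iface, mark):
    """Class id to put in the MARK column of tcrules for a CLASSIFY rule."""
    return f"{parse_tcdevices(tcdevices_text)[iface][0]}:{100 + mark}"


def tc_class_commands(tcdevices_text, tcclasses_text):
    """Render each class as an htb 'tc class add' line. This illustrates the
    resolved values only; Shorewall's generated commands are not reproduced."""
    return [f"tc class add dev {c['interface']} parent 1:1 classid {c['classid']} "
            f"htb rate {c['rate_bit']}bit ceil {c['ceil_bit']}bit prio {c['prio']}"
            for c in resolve_classes(tcdevices_text, tcclasses_text)]


if __name__ == "__main__":
    for cmd in tc_class_commands(TCDEVICES, TCCLASSES):
        print(cmd)
    print("rsync from 206.124.146.177 classifies to",
          tcrules_classid(TCDEVICES, "eth2", 30))
```

        <para>Running the script prints one line per class; the third ends in
        <command>classid 1:130 htb rate 230000bit ceil 230000bit prio 3</command>,
        the same rate and ceiling the bold line in the output above shows the
        class pinned at.</para>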
    </section>

    <section>
      <title>/etc/openvpn/server.conf</title>

      <para>Only the tunnel-mode OpenVPN configuration is described here --
      the bridge is described in the <ulink url="OPENVPN.html">OpenVPN
      documentation</ulink>.</para>

      <blockquote>
        <programlisting>dev tun

local 206.124.146.176

server 192.168.2.0 255.255.255.0

dh dh1024.pem

ca /etc/certs/cacert.pem

crl-verify /etc/certs/crl.pem

cert /etc/certs/gateway.pem
key /etc/certs/gateway_key.pem

port 1194

comp-lzo

user nobody
group nogroup

keepalive 15 45
ping-timer-rem
persist-tun
persist-key

client-config-dir /etc/openvpn/clients
ccd-exclusive
client-to-client

verb 3</programlisting>
      </blockquote>
    </section>
  </section>

  <section>
    <title>Tipper and Eastepnc6000 Configuration in the Wireless
    Network</title>

    <para>Please find this information in the <ulink
    url="OPENVPN.html#Bridge">OpenVPN bridge mode</ulink>
    documentation.</para>
  </section>

  <section>
    <title>Tipper Configuration while on the Road</title>

    <para>This laptop is either configured on our wireless network
    (192.168.3.8) or as a standalone system on the road.</para>

    <para><emphasis>Tipper</emphasis>'s view of the world is shown in the
    following diagram:</para>

    <graphic align="center" fileref="images/network2.png" valign="middle" />

    <section>
      <title>zones</title>

      <blockquote>
        <programlisting>#ZONE   DISPLAY         COMMENTS
home    Home            Shorewall Network
net     Net             Internet
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
</programlisting>
      </blockquote>
    </section>

    <section>
      <title>policy</title>

      <blockquote>
        <programlisting>#SOURCE         DEST            POLICY          LOG LEVEL       LIMIT:BURST
$FW             net             ACCEPT
$FW             home            ACCEPT
home            $FW             ACCEPT
net             home            NONE
home            net             NONE
net             all             DROP            info
# The FOLLOWING POLICY MUST BE LAST
all             all             REJECT          info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
      </blockquote>
    </section>

    <section>
      <title>interfaces</title>

      <blockquote>
        <programlisting>#ZONE   INTERFACE       BROADCAST       OPTIONS
net     eth0            detect          dhcp,tcpflags
home    tun0            -
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
      </blockquote>
    </section>

    <section>
      <title>rules</title>

      <blockquote>
        <programlisting>#ACTION         SOURCE                  DEST    PROTO   DEST    SOURCE  ORIGINAL        RATE    USER/
#                                                       PORT    PORT(S) DEST            LIMIT   GROUP
ACCEPT          net                     $FW     icmp    8
ACCEPT          net                     $FW     tcp     22
ACCEPT          net                     $FW     tcp     4000:4100
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
      </blockquote>
    </section>

    <section>
      <title>/etc/openvpn/home.conf</title>

      <blockquote>
        <programlisting>dev tun
remote gateway.shorewall.net
up /etc/openvpn/home.up

tls-client
pull

ca /etc/certs/cacert.pem

cert /etc/certs/tipper.pem
key /etc/certs/tipper_key.pem

port 1194

user nobody
group nogroup

comp-lzo

ping 15
ping-restart 45
ping-timer-rem
persist-tun
persist-key

verb 3</programlisting>
      </blockquote>
    </section>

    <section>
      <title>/etc/openvpn/home.up</title>

      <blockquote>
        <programlisting>#!/bin/bash
#
# OpenVPN runs this as its --up script. For a tun device the arguments are
# tun_dev tun_mtu link_mtu ifconfig_local_ip ifconfig_remote_ip, so $5 is the
# server's end of the point-to-point tunnel.

ip route add 192.168.1.0/24 via "$5"     #Access to Home Network
ip route add 206.124.146.177/32 via "$5" #So that DNS names will resolve in my
                                         #Internal Bind 9 view because the source IP will
                                         #be in 192.168.2.0/24</programlisting>
      </blockquote>
    </section>
  </section>
</article>