About My Network

Tom Eastep

2004-04-03

Copyright 2001-2004 Thomas M. Eastep

Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
GNU Free Documentation License.

My Current Network

I use a combination of One-to-one NAT and Proxy ARP, neither of
which is relevant to a simple configuration with a single public IP
address. If you have just a single public IP address, most of what you
see here won't apply to your setup, so beware of copying parts of
this configuration and expecting them to work for you. What you copy may
or may not work in your configuration.

The configuration shown here corresponds to Shorewall version
2.0.1 (that's right -- I am running a version of Shorewall that is
not yet released). My configuration uses features not available in
earlier Shorewall releases.

I have DSL service and have 5 static IP addresses
(206.124.146.176-180). My DSL modem (Fujitsu Speedport) is
connected to eth0. I have a local network connected to eth2 (subnet
192.168.1.0/24) and a DMZ connected to eth1 (206.124.146.176/32). Note
that the IP address of eth1 is a duplicate of one on eth0.

In this configuration:

I use one-to-one NAT for Ursa (my personal system that
dual-boots Mandrake 9.2 and Windows XP) - Internal address 192.168.1.5
and external address 206.124.146.178.

I use one-to-one NAT for EastepLaptop (My work system -- Windows
XP SP2). Internal address 192.168.1.7 and external address
206.124.146.180.

I use SNAT through 206.124.146.179 for my SuSE 9.0 Linux
system (Wookie), my wife's Windows XP system (Tarry), and
our Windows XP laptop (Tipper) which connects through the
Wireless Access Point (wap) via a Wireless Bridge (wet).

While the distance between the WAP and where I usually use the laptop
isn't very far (25 feet or so), using a WAC11 (CardBus wireless
card) has proved very unsatisfactory (lots of lost connections). By
replacing the WAC11 with the WET11 wireless bridge, I have virtually
eliminated these problems (Being an old radio tinkerer (K7JPV), I was
also able to eliminate the disconnects by hanging a piece of aluminum
foil on the family room wall. Needless to say, my wife Tarry rejected
that as a permanent solution :-).

I have Wookie (193.168.1.3) configured as a 3-port bridge. Squid
runs on this system and is configured as a transparent proxy.

The firewall runs on a 256MB PII/233 with Debian Sarge (Testing).

Wookie and Ursa run Samba and Wookie acts as a WINS server.

The wireless network connects to Wookie's eth2 via a LinkSys
WAP11. In addition to using the rather weak WEP 40-bit
encryption (64-bit with the 24-bit preamble), I use MAC verification.
This is still a weak combination and if I lived near a wireless hot
spot, I would probably add IPSEC or something similar to my WiFi->local
connections.

The single system in the DMZ (address 206.124.146.177) runs postfix,
Courier IMAP (imaps and pop3), DNS, a Web server (Apache) and an FTP
server (Pure-ftpd) under RedHat 9.0. The system also runs fetchmail to
fetch our email from our old and current ISPs. That server is managed
through Proxy ARP.

The firewall system itself runs a DHCP server that serves the local
network.

All administration and publishing is done using ssh/scp. I have a
desktop environment installed on the firewall but I am not usually logged
in to it. X applications tunnel through SSH to Ursa. The server also has a
desktop environment installed and that desktop environment is available
via XDMCP from the local zone. For the most part though, X tunneled
through SSH is used for server administration and the server runs at run
level 3 (multi-user console mode on RedHat).

I run an SNMP server on my firewall to serve MRTG running
in the DMZ.

The ethernet interface in the Server is configured with IP address
206.124.146.177, netmask 255.255.255.0. The server's default gateway
is 206.124.146.254 (Router at my ISP. This is the same default gateway
used by the firewall itself). On the firewall, an entry in my
/etc/network/interfaces file (see below) adds a host route to
206.124.146.177 through eth1 when that interface is brought up.

Tarry (192.168.1.4) runs a PPTP server for Road Warrior access.

Firewall Configuration

Shorewall.conf
LOGFILE=/var/log/messages
LOGRATE=
LOGBURST=
LOGUNCLEAN=$LOG
BLACKLIST_LOGLEVEL=
LOGNEWNOTSYN=$LOG
MACLIST_LOG_LEVEL=$LOG
TCP_FLAGS_LOG_LEVEL=$LOG
RFC1918_LOG_LEVEL=$LOG
SMURF_LOG_LEVEL=
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
SHOREWALL_SHELL=/bin/ash
SUBSYSLOCK= #I run Debian which doesn't use service locks
STATEDIR=/var/state/shorewall
MODULESDIR=
FW=fw
IP_FORWARDING=On
ADD_IP_ALIASES=Yes
ADD_SNAT_ALIASES=Yes
TC_ENABLED=Yes
CLEAR_TC=No
MARK_IN_FORWARD_CHAIN=No
CLAMPMSS=Yes
ROUTE_FILTER=No
DETECT_DNAT_IPADDRS=Yes
MUTEX_TIMEOUT=60
NEWNOTSYN=Yes
BLACKLISTNEWONLY=Yes
BLACKLIST_DISPOSITION=DROP
MACLIST_DISPOSITION=REJECT
TCP_FLAGS_DISPOSITION=DROP
Params File (Edited)
MIRRORS=<list of shorewall mirror ip addresses>
NTPSERVERS=<list of the NTP servers I sync with>
TEXAS=<ip address of gateway in Dallas>
LOG=info
Zones File
#ZONE DISPLAY COMMENTS
net Internet Internet
dmz DMZ Demilitarized zone
loc Local Local networks
tx Texas Peer Network in Dallas
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
Interfaces File
This is set up so that I can start the firewall before bringing
up my Ethernet interfaces.
#ZONE INTERFACE BROADCAST OPTIONS
net eth0 206.124.146.255 dhcp,norfc1918,routefilter,blacklist,tcpflags,nosmurfs
loc eth2 192.168.1.255 dhcp,detectnets
dmz eth1 -
- texas 192.168.9.255
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
Hosts File
#ZONE HOST(S) OPTIONS
tx texas:192.168.8.0/22
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
Routestopped File
#INTERFACE HOST(S)
eth1 206.124.146.177
eth2 -
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
RFC1918 File
I use a stripped-down file which doesn't have to be updated
when the IANA allocates a block of IP addresses.
#SUBNET TARGET
169.254.0.0/16 DROP # DHCP autoconfig
172.16.0.0/12 logdrop # RFC 1918
192.0.2.0/24 logdrop # Example addresses
192.168.0.0/16 logdrop # RFC 1918
10.24.60.56 DROP # Some idiot in my broadcast domain
# has a box configured with this
# address.
10.0.0.0/8 logdrop # Reserved (RFC 1918)
Blacklist File (Partial)
#ADDRESS/SUBNET PROTOCOL PORT
0.0.0.0/0 udp 1434
0.0.0.0/0 tcp 1433
0.0.0.0/0 tcp 3127
0.0.0.0/0 tcp 8081
0.0.0.0/0 tcp 57
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
Policy File
#SOURCE DESTINATION POLICY LOG LEVEL BURST:LIMIT
fw fw ACCEPT # For testing fw->fw rules
loc net ACCEPT # Allow all net traffic from local net
$FW loc ACCEPT # Allow local access from the firewall
$FW tx ACCEPT # Allow firewall access to texas
loc tx ACCEPT # Allow local net access to texas
loc fw REJECT $LOG # Reject loc->fw and log
net all DROP $LOG 10/sec:40 # Rate limit and
# DROP net->all
all all REJECT $LOG # Reject and log the rest
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
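
Shorewall reads the policy file from top to bottom and applies the first entry whose source and destination match, with "all" matching any zone. The following added example (not part of the original page or of Shorewall) resolves zone pairs against the listing above and flags entries that an earlier line would shadow; the function names are hypothetical, and traffic within a single zone is not modelled.

```python
from collections import namedtuple
from string import Template

# Constructed from the Policy File listing above. FW=fw comes from the
# shorewall.conf excerpt and LOG=info from the params file on this page.
VARIABLES = {"FW": "fw", "LOG": "info"}
POLICY_FILE = """\
#SOURCE DESTINATION POLICY LOG LEVEL BURST:LIMIT
fw  fw  ACCEPT                 # For testing fw->fw rules
loc net ACCEPT                 # Allow all net traffic from local net
$FW loc ACCEPT                 # Allow local access from the firewall
$FW tx  ACCEPT                 # Allow firewall access to texas
loc tx  ACCEPT                 # Allow local net access to texas
loc fw  REJECT $LOG            # Reject loc->fw and log
net all DROP   $LOG 10/sec:40  # Rate limit and DROP net->all
all all REJECT $LOG            # Reject and log the rest
"""

Policy = namedtuple("Policy", "line_no source dest action log_level limit")


def parse_policies(text, variables):
    """Parse policy entries, dropping '#' comments and expanding $VARS."""
    policies = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = Template(raw.split("#", 1)[0]).safe_substitute(variables)
        fields = line.split()
        if not fields:
            continue
        if len(fields) < 3:
            raise ValueError(f"line {line_no}: need SOURCE DEST POLICY")
        # Pad the two optional columns; "-" marks an empty column.
        cols = [None if f == "-" else f for f in (fields + [None, None])[:5]]
        policies.append(Policy(line_no, *cols))
    return policies


def resolve(policies, source, dest):
    """Return the first entry that matches source->dest ('all' is a wildcard)."""
    for p in policies:
        if p.source in (source, "all") and p.dest in (dest, "all"):
            return p
    return None


def shadowed(policies):
    """Return entries that can never match because an earlier one covers them."""
    return [later for i, later in enumerate(policies)
            if any(e.source in (later.source, "all") and e.dest in (later.dest, "all")
                   for e in policies[:i])]


if __name__ == "__main__":
    table = parse_policies(POLICY_FILE, VARIABLES)
    for src, dst in [("net", "dmz"), ("dmz", "net"), ("fw", "net"), ("loc", "net")]:
        p = resolve(table, src, dst)
        print(f"{src}->{dst}: {p.action} log={p.log_level} limit={p.limit}")
    print("shadowed:", shadowed(table))
```

Pairs such as dmz->net and fw->net fall through to the final all->all REJECT, which is why the rules file has to accept each of those flows explicitly.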
Masq File
Although most of our internal systems use one-to-one NAT, my
wife's system (192.168.1.4) uses IP Masquerading (actually SNAT)
as do my SuSE system (192.168.1.3), our laptop (192.168.3.8) and
visitors with laptops.
#INTERFACE SUBNET ADDRESS
eth0:2 eth2 206.124.146.179
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
NAT File
#EXTERNAL INTERFACE INTERNAL ALL INTERFACES LOCAL
206.124.146.178 eth0:0 192.168.1.5 No No
206.124.146.180 eth0:1 192.168.1.7 No No
#
# The following entry allows the server to be accessed through an address in
# the local network. This is convenient when I'm on the road and connected
# to the PPTP server. By doing this, I don't need to set my client's default
# gateway to route through the tunnel.
#
192.168.1.193 eth2:0 206.124.146.177 No No
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
Proxy ARP File
#ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT
206.124.146.177 eth1 eth0 Yes
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
Tunnels File (Shell variable TEXAS set in /etc/shorewall/params)
#TYPE ZONE GATEWAY GATEWAY ZONE PORT
gre net $TEXAS
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
Actions File
#ACTION
Mirrors #Accept traffic from the Shorewall Mirror sites
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
action.Mirrors File
The $MIRRORS variable expands to a list of approximately 10 IP
addresses. So moving these checks into a separate chain reduces the
number of rules that most net->dmz traffic needs to traverse.
#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
# PORT PORT(S) DEST LIMIT
ACCEPT $MIRRORS
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
/etc/shorewall/action.Drop
This is my common action for the DROP policy. It is like the
standard Drop action except that it
allows Ping.
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT(S) PORT(S) LIMIT GROUP
RejectAuth
AllowPing
dropBcast
DropSMB
DropUPnP
dropNonSyn
DropDNSrep
/etc/shorewall/action.Reject
This is my common action for the REJECT policy. It is like the
standard Reject action except that it
allows Ping and contains one rule that guards against
log flooding by broken software running in my local zone.
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT(S) PORT(S) LIMIT GROUP
RejectAuth
AllowPing
dropBcast
RejectSMB
DropUPnP
dropNonSyn
DropDNSrep
DROP loc:eth2:!192.168.1.0/24 #So that my braindead Windows[tm] XP system doesn't flood my log
#with NTP requests with a source address in 16.0.0.0/8 (address of
#its PPTP tunnel to HP).
Rules File (The shell variables are set in /etc/shorewall/params)
###############################################################################################################################################################################
#RESULT CLIENT(S) SERVER(S) PROTO PORT(S) CLIENT ORIGINAL RATE USER
# PORT(S) DEST:SNAT SET
###############################################################################################################################################################################
# Local Network to Internet - Reject attempts by Trojans to call home
#
REJECT:$LOG loc net tcp 6667
#
# Stop NETBIOS crap since our policy is ACCEPT
#
REJECT loc net tcp 137,445
REJECT loc net udp 137:139
#
QUEUE loc net udp
QUEUE loc fw udp
QUEUE loc net tcp
###############################################################################################################################################################################
# Local Network to Firewall
#
ACCEPT loc fw tcp ssh,time
ACCEPT loc fw udp snmp,ntp
###############################################################################################################################################################################
# Local Network to DMZ
#
REJECT loc dmz tcp 465
ACCEPT loc dmz udp domain,xdmcp
ACCEPT loc dmz tcp www,smtp,domain,ssh,imap,https,imaps,cvspserver,ftp,10000,8080,10027,pop3 -
###############################################################################################################################################################################
# Internet to DMZ
#
DNAT- net dmz:206.124.146.177 tcp smtp - 206.124.146.179,206.124.146.178
ACCEPT net dmz tcp smtp,www,ftp,imaps,domain,cvspserver,https -
ACCEPT net dmz udp domain
ACCEPT net dmz udp 33434:33436
Mirrors net dmz tcp rsync
#ACCEPT:$LOG net dmz tcp 32768:61000 20
###############################################################################################################################################################################
#
# Net to Local
#
# When I'm "on the road", the following two rules allow me VPN access back home.
#
DNAT net loc:192.168.1.4 tcp 1723
DNAT net loc:192.168.1.4 gre
#
# ICQ
#
ACCEPT net loc:192.168.1.5 tcp 4000:4100
#
# Real Audio
#
ACCEPT net loc:192.168.1.5 udp 6970:7170
#
# Overnet
#
#ACCEPT net loc:192.168.1.5 tcp 4662
#ACCEPT net loc:192.168.1.5 udp 12112
###############################################################################################################################################################################
# DMZ to Internet
#
ACCEPT dmz net tcp smtp,domain,www,https,whois,echo,2702,21,2703,ssh,8080
ACCEPT dmz net udp domain
ACCEPT dmz net:$POPSERVERS tcp pop3
#ACCEPT dmz net:206.191.151.2 tcp pop3
#ACCEPT dmz net:66.216.26.115 tcp pop3
#
# Something is wrong with the FTP connection tracking code or there is some client out there
# that is sending a PORT command which that code doesn't understand. Either way,
# the following works around the problem.
#
ACCEPT:$LOG dmz net tcp 1024: 20
###############################################################################################################################################################################
# DMZ to Firewall -- ntp & snmp, Silently reject Auth
#
ACCEPT dmz fw udp ntp ntp
ACCEPT dmz fw tcp snmp,ssh
ACCEPT dmz fw udp snmp
REJECT dmz fw tcp auth
###############################################################################################################################################################################
# DMZ to Local Network
#
ACCEPT dmz loc tcp smtp,6001:6010
ACCEPT dmz:206.124.146.177 loc:192.168.1.3 tcp 111
ACCEPT dmz:206.124.146.177 loc:192.168.1.3 udp
###############################################################################################################################################################################
# Internet to Firewall
#
REJECT net fw tcp www
ACCEPT net dmz udp 33434:33435
###############################################################################################################################################################################
# Firewall to Internet
#
ACCEPT fw net:$NTPSERVERS udp ntp ntp
#ACCEPT fw net:$POPSERVERS tcp pop3
ACCEPT fw net udp domain
ACCEPT fw net tcp domain,www,https,ssh,1723,whois,1863,ftp,2702,2703,7
ACCEPT fw net udp 33435:33535
ACCEPT fw net icmp
###############################################################################################################################################################################
# Firewall to DMZ
#
ACCEPT fw dmz tcp www,ftp,ssh,smtp
ACCEPT fw dmz udp domain
REJECT fw dmz udp 137:139
###############################################################################################################################################################################
# Ping
#
ACCEPT all all icmp 8
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
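
An added example (not part of the original page or of Shorewall) that reads the net-sourced entries of the rules file above and lists, per destination, the protocol and port pairs the Internet zone is allowed to open. The function name and the grouping are assumptions of this example; DNAT- is treated as NAT-only and the user-defined Mirrors action is reported for manual review rather than interpreted.

```python
from collections import defaultdict

# Constructed sample: the entries whose source is "net" in the Rules File
# above, copied with section comments and one commented-out rule.
RULES_FILE = """\
# Internet to DMZ
DNAT- net dmz:206.124.146.177 tcp smtp - 206.124.146.179,206.124.146.178
ACCEPT net dmz tcp smtp,www,ftp,imaps,domain,cvspserver,https -
ACCEPT net dmz udp domain
ACCEPT net dmz udp 33434:33436
Mirrors net dmz tcp rsync
#ACCEPT:$LOG net dmz tcp 32768:61000 20
# Net to Local
DNAT net loc:192.168.1.4 tcp 1723
DNAT net loc:192.168.1.4 gre
ACCEPT net loc:192.168.1.5 tcp 4000:4100
ACCEPT net loc:192.168.1.5 udp 6970:7170
# Internet to Firewall
REJECT net fw tcp www
ACCEPT net dmz udp 33434:33435
"""

PERMIT = {"ACCEPT", "DNAT"}    # actions that let a new connection through
# Other actions that appear in this page's rules; DNAT- only rewrites the
# destination and adds no ACCEPT rule of its own.
OTHER_BUILTIN = {"DNAT-", "REJECT", "QUEUE", "REDIRECT", "DROP"}


def inbound_exposure(text, source="net"):
    """Summarise what `source` may open connections to.

    Returns (exposed, review): exposed maps each destination to a sorted
    list of (proto, port) pairs; review lists entries that invoke a
    user-defined action (such as Mirrors) and need reading by hand.
    """
    exposed, review = defaultdict(set), []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 3 or fields[1].split(":")[0] != source:
            continue
        action = fields[0].split(":")[0]          # drop any ":loglevel" suffix
        dest = fields[2]
        proto = fields[3] if len(fields) > 3 else "all"
        ports = fields[4] if len(fields) > 4 else "-"
        if action in PERMIT:
            for port in ports.split(","):
                exposed[dest].add((proto, "any" if port == "-" else port))
        elif action not in OTHER_BUILTIN:
            review.append(" ".join(fields))
    return {d: sorted(p) for d, p in exposed.items()}, review


if __name__ == "__main__":
    exposed, review = inbound_exposure(RULES_FILE)
    for dest, pairs in exposed.items():
        print(dest, ", ".join(f"{proto}/{port}" for proto, port in pairs))
    print("review by hand:", review)
```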
/etc/network/interfaces
This file is Debian specific. My additional entry (the
"up ip route add" line) adds a route
to my DMZ server when eth1 is brought up. It allows me to enter
Yes in the HAVEROUTE column of my
Proxy ARP file.
...
auto eth1
iface eth1 inet static
address 206.124.146.176
netmask 255.255.255.255
broadcast 0.0.0.0
up ip route add 206.124.146.177 dev eth1
...
/etc/dhcpd.conf (MAC Addresses Omitted)
While this is a little off-topic, I've included it to show
how to set up DHCP on two interfaces.
default-lease-time 67200;
max-lease-time 67200;
get-lease-hostnames on;
group {
    option subnet-mask 255.255.255.0;
    option broadcast-address 192.168.1.255;
    option routers 192.168.1.254;
    option ntp-servers 192.168.1.254;
    option domain-name-servers 192.168.1.193;
    option netbios-name-servers 192.168.1.254;
    option domain-name "shorewall.net";
    option netbios-dd-server 192.168.1.254;
    option netbios-node-type 8;
    option netbios-scope "";
    subnet 192.168.1.0 netmask 255.255.255.0 {
        range 192.168.1.11 192.168.1.20;
    }
    host ursa.shorewall.net {
        hardware ethernet …;
        fixed-address 192.168.1.5;
    }
    host eastept1 {
        hardware ethernet …;
        fixed-address 192.168.1.7;
    }
    host tarry {
        hardware ethernet …;
        fixed-address 192.168.1.4;
    }
    host wookie.shorewall.net {
        hardware ethernet …;
        fixed-address 192.168.1.3;
    }
    host testws.shorewall.net {
        hardware ethernet …;
        fixed-address 192.168.1.6;
    }
    host printer.shorewall.net {
        hardware ethernet …;
        fixed-address 192.168.1.10;
    }
}
group {
    option subnet-mask 255.255.255.0;
    option broadcast-address 192.168.3.255;
    option routers 192.168.3.254;
    option ntp-servers 192.168.3.254;
    option domain-name-servers 206.124.146.177;
    option netbios-name-servers 192.168.3.254;
    option domain-name "shorewall.net";
    option netbios-dd-server 192.168.3.254;
    option netbios-node-type 8;
    option netbios-scope "";
    subnet 192.168.3.0 netmask 255.255.255.0 {
        range 192.168.3.11 192.168.3.20;
    }
    host easteplaptop {
        hardware ethernet …;
        fixed-address 192.168.3.7;
    }
    host tipper.shorewall.net {
        hardware ethernet …;
        fixed-address 192.168.3.8;
    }
}
Bridge (Wookie) Configuration

As mentioned above, Wookie acts as a bridge. Its view of the
network is diagrammed in the following figure.

I've included the files that I used to configure that system --
some of them are SuSE-specific.

The configuration on Wookie can be modified to test various bridging
features -- otherwise, it serves to isolate the Wireless network from the
rest of our systems.

shorewall.conf
Only the changes from the defaults are shown.
BRIDGING=Yes
zones
#ZONE DISPLAY COMMENTS
net Net Internet
loc Local Local networks
WiFi WireLess Wireless Network
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
policy
#SOURCE DEST POLICY LOG LIMIT:BURST
fw fw ACCEPT
loc net ACCEPT
net loc ACCEPT
net fw ACCEPT
loc fw ACCEPT
loc WiFi ACCEPT
fw WiFi ACCEPT
fw net ACCEPT
fw loc ACCEPT
#
# THE FOLLOWING POLICY MUST BE LAST
#
all all REJECT info
#LAST LINE -- DO NOT REMOVE
interfaces
#ZONE INTERFACE BROADCAST OPTIONS
- br0 192.168.1.255
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
hosts
#ZONE HOST(S) OPTIONS
net br0:eth1
loc br0:eth0
WiFi br0:eth2 maclist
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE
rules
The first rule allows a transparent WWW proxy (Squid) to run on
my bridge/firewall. Squid listens on port 3128.

The remaining rules protect the local systems and bridge from
the WiFi network. Note that we don't restrict WiFi→net traffic
since the only directly-accessible system in the net zone is the
firewall (Wookie and the Firewall are connected by a cross-over
cable).
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# PORT PORT(S) DEST
REDIRECT loc 3128 tcp www - !192.168.1.0/24
ACCEPT WiFi loc udp 137:139
ACCEPT WiFi loc tcp 22,80,137,139,445,901,3389
ACCEPT WiFi loc udp 1024: 137
ACCEPT WiFi loc udp 177
ACCEPT loc WiFi udp 137:139
ACCEPT loc WiFi tcp 137,139,445
ACCEPT loc WiFi udp 1024: 137
ACCEPT loc WiFi tcp 6000:6010
ACCEPT WiFi fw tcp ssh,137,139,445
ACCEPT WiFi fw udp 137:139,445
ACCEPT WiFi fw udp 1024: 137
ACCEPT WiFi fw udp ntp
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
routestopped
#INTERFACE HOST(S) OPTIONS
br0 0.0.0.0/0 routeback
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
maclist
#INTERFACE MAC IP ADDRESSES (Optional)
br0:eth2 00:A0:1C:DB:0C:A0 192.168.1.7 #Work Laptop
br0:eth2 00:04:59:0e:85:b9 #WAP11
br0:eth2 00:06:D5:45:33:3c #WET11
br0:eth2 00:0b:c1:53:cc:97 192.168.1.8 #TIPPER
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
/etc/init.d/bridge
This file is SuSE-specific and creates the bridge device
br0. A script for other
distributions would be similar.
#!/bin/sh
################################################################################
# Script to create a bridge between eth0, eth1 and eth2
#
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
#
# (c) 2004 - Tom Eastep (teastep@shorewall.net)
#
# Modify the following variables to match your configuration
#
# chkconfig: 2345 05 89
# description: Layer 2 Bridge
#
################################################################################
PATH=$PATH:/sbin:/usr/sbin:/usr/local/sbin
do_stop() {
    echo "Stopping Bridge"
    brctl delbr br0
    ip link set eth0 down
    ip link set eth1 down
    ip link set eth2 down
}
do_start() {
    echo "Starting Bridge"
    ip link set eth0 up
    ip link set eth1 up
    ip link set eth2 up
    brctl addbr br0
    brctl addif br0 eth0
    brctl addif br0 eth1
    brctl addif br0 eth2
}
case "$1" in
    start)
        do_start
        ;;
    stop)
        do_stop
        ;;
    restart)
        do_stop
        sleep 1
        do_start
        ;;
    *)
        echo "Usage: $0 {start|stop|restart}"
        exit 1
esac
exit 0
/etc/sysconfig/network/ifcfg-br0
This file is SuSE-specific.
BOOTPROTO='static'
BROADCAST='192.168.1.255'
IPADDR='192.168.1.3'
NETWORK='192.168.1.0'
NETMASK='255.255.255.0'
REMOTE_IPADDR=''
STARTMODE='onboot'
UNIQUE='3hqH.MjuOqWfSZ+C'
WIRELESS='no'
MTU=''
/etc/sysconfig/network/routes
This file is SuSE-specific.
192.168.1.0 - 255.255.255.0 br0
default 192.168.1.254 - -