About My Network

My Current Network

Warning 1: I use a combination of Static NAT and Proxy ARP, neither of which are relevant to a simple configuration with a single public IP address. If you have just a single public IP address, most of what you see here won't apply to your setup so beware of copying parts of this configuration and expecting them to work for you. What you copy may or may not work in your configuration.

Warning 2: The configuration shown here corresponds to version 1.4.6.

I have DSL service and have 5 static IP addresses (206.124.146.176-180). My DSL "modem" (Fujitsu Speedport) is connected to eth0. I have a local network connected to eth2 (subnet 192.168.1.0/24), a DMZ connected to eth1 (192.168.2.0/24) and a Wireless network connected to eth3 (192.168.3.0/24).

I use:

The firewall runs on a 256MB PII/233 with RH9.0.

Wookie and the Firewall both run Samba and the Firewall acts as a WINS server.

Wookie is in its own 'whitelist' zone called 'me' which is embedded in the local zone.

The wireless network connects to eth3 via a LinkSys WAP11.  In additional to using the rather weak WEP 40-bit encryption (64-bit with the 24-bit preamble), I use MAC verification. This is still a weak combination and if I lived near a wireless "hot spot", I would probably add IPSEC or something similar to my WiFi->local connections.

The single system in the DMZ (address 206.124.146.177) runs postfix, Courier IMAP (imaps and pop3), DNS, a Web server (Apache) and an FTP server (Pure-ftpd). The system also runs fetchmail to fetch our email from our old and current ISPs. That server is managed through Proxy ARP.

The firewall system itself runs a DHCP server that serves the local network. It also runs Postfix which is configured as a Virus and Spam filter with all incoming mail then being forwarded to the MTA in the DMZ.

All administration and publishing is done using ssh/scp. I have X installed on the firewall but no X server or desktop is installed. X applications tunnel through SSH to XWin.exe running on Ursa. The server does have a desktop environment installed and that desktop environment is available via XDMCP from the local zone. For the most part though, X tunneled through SSH is used for server administration and the server runs at run level 3 (multi-user console mode on RedHat).

I run an SNMP server on my firewall to serve MRTG running in the DMZ.

(My network layout)

 

The ethernet interface in the Server is configured with IP address 206.124.146.177, netmask 255.255.255.0. The server's default gateway is 206.124.146.254 (Router at my ISP. This is the same default gateway used by the firewall itself). On the firewall, Shorewall automatically adds a host route to 206.124.146.177 through eth1 (192.168.2.1) because of the entry in /etc/shorewall/proxyarp (see below).

Ursa (192.168.1.5 AKA 206.124.146.178) runs a PPTP server for Road Warrior access.

Shorewall.conf

LOGFILE=/var/log/messages
LOGRATE=
LOGBURST=
LOGUNCLEAN=$LOG
BLACKLIST_LOGLEVEL=
LOGNEWNOTSYN=
MACLIST_LOG_LEVEL=$LOG
TCP_FLAGS_LOG_LEVEL=$LOG
RFC1918_LOG_LEVEL=$LOG
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
SHOREWALL_SHELL=/bin/ash
SUBSYSLOCK=/var/lock/subsys/shorewall
STATEDIR=/var/state/shorewall
MODULESDIR=
FW=fw
IP_FORWARDING=On
ADD_IP_ALIASES=Yes
ADD_SNAT_ALIASES=Yes
TC_ENABLED=Yes
CLEAR_TC=No
MARK_IN_FORWARD_CHAIN=No
CLAMPMSS=Yes
ROUTE_FILTER=No
NAT_BEFORE_RULES=No
DETECT_DNAT_IPADDRS=Yes
MUTEX_TIMEOUT=60
NEWNOTSYN=Yes
BLACKLIST_DISPOSITION=DROP
MACLIST_DISPOSITION=REJECT
TCP_FLAGS_DISPOSITION=DROP
SHARED_DIR=/usr/share/shorewall

Params File (Edited):

MIRRORS=<list of shorewall mirror ip addresses>
NTPSERVERS=<list of the NTP servers I sync with> TEXAS=<ip address of gateway in Dallas>
LOG=info

Zones File

#ZONE	DISPLAY		COMMENTS
net Internet Internet
WiFi Wireless Wireless Network on eth3
me Wookie My Linux Workstation
dmz DMZ Demilitarized zone
loc Local Local networks
tx Texas Peer Network in Dallas
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

Interfaces File:

This is set up so that I can start the firewall before bringing up my Ethernet interfaces.

#ZONE	INERFACE	BROADCAST	OPTIONS
net eth0 206.124.146.255 dhcp,norfc1918,routefilter,blacklist,tcpflags
loc eth2 192.168.1.255 dhcp
dmz eth1 192.168.2.255
WiFi eth3 192.168.3.255 dhcp,maclist
- texas 192.168.9.255
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

Hosts File:

#ZONE		HOST(S)			OPTIONS
me              eth2:192.168.1.3
tx              texas:192.168.8.0/22
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

Routestopped File:

#INTERFACQ	HOST(S)
eth1 206.124.146.177
eth2 -
eth3 192.168.3.8
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

Policy File:

#SOURCE		DESTINATION	POLICY		LOG LEVEL	BURST:LIMIT
me loc NONE
me all ACCEPT
tx me ACCEPT
WiFi loc ACCEPT
loc WiFi ACCEPT
loc me NONE
all me CONTINUE - 2/sec:5
loc net ACCEPT
$FW loc ACCEPT
$FW tx ACCEPT
loc tx ACCEPT
loc fw REJECT $LOG
WiFi net ACCEPT
net all DROP $LOG 10/sec:40
all all REJECT $LOG
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

Masq File:

Although most of our internal systems use static NAT, my wife's system (192.168.1.4) uses IP Masquerading (actually SNAT) as do visitors with laptops. Also, I masquerade systems connected through the wireless network.

#INTERFACE              SUBNET          ADDRESS
eth0 eth2 206.124.146.176
eth0 eth3 206.124.146.176
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

NAT File:

#EXTERNAL       INTERFACE       INTERNAL        ALL INTERFACES          LOCAL
206.124.146.178 eth0:0 192.168.1.5 No No
206.124.146.179 eth0:1 192.168.1.3 No No
206.124.146.180 eth0:2 192.168.1.7 No No
192.168.1.193 eth2:0 206.124.146.177 No No
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE\

Proxy ARP File:

#ADDRESS                INTERFACE       EXTERNAL        HAVEROUTE
206.124.146.177 eth1 eth0 No
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Tunnels File (Shell variable TEXAS set in /etc/shorewall/params):

#TYPE			ZONE    GATEWAY         GATEWAY ZONE    PORT
gre net $TEXAS
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Rules File (The shell variables are set in /etc/shorewall/params):

################################################################################################################################################################
#RESULT CLIENT(S) SERVER(S) PROTO PORT(S) CLIENT ORIGINAL DEST:SNAT
################################################################################################################################################################
# Local Network to Internet - Reject attempts by Trojans to call home
#
REJECT:$LOG loc net tcp 6667
#
# Stop NETBIOS crap since our policy is ACCEPT
#
REJECT loc net tcp 137,445
REJECT loc net udp 137:139
################################################################################################################################################################
# Local Network to Firewall
#
DROP loc:!192.168.1.0/24 fw
ACCEPT loc fw tcp ssh,time,10000,smtp,swat,137,139,445
ACCEPT loc fw udp snmp,ntp,445
ACCEPT loc fw udp 137:139
ACCEPT loc fw udp 1024: 137
################################################################################################################################################################
# Local Network to DMZ
#
ACCEPT loc dmz udp domain,xdmcp
ACCEPT loc dmz tcp www,smtp,domain,ssh,imap,https,imaps,cvspserver,ftp,10000,8080,pop3 -
################################################################################################################################################################
# Internet to DMZ
#
ACCEPT net dmz tcp www,ftp,imaps,domain,cvspserver,https -
ACCEPT net dmz udp domain
ACCEPT net:$MIRRORS dmz tcp rsync
ACCEPT:$LOG net dmz tcp 32768:61000 20
DROP net dmz tcp 1433
################################################################################################################################################################
#
# Net to Local
#
# When I'm "on the road", the following two rules allow me VPN access back home.
#
ACCEPT net loc:192.168.1.5 tcp 1723
ACCEPT net loc:192.168.1.5 gre
#
# ICQ
#
ACCEPT net loc:192.168.1.5 tcp 4000:4100
#
# Real Audio
#
ACCEPT net loc:192.168.1.5 udp 6790
################################################################################################################################################################
# Net to me
#
ACCEPT net loc:192.168.1.3 tcp 4000:4100
################################################################################################################################################################
# DMZ to Internet
#
ACCEPT dmz net tcp smtp,domain,www,https,whois,echo,2702,21,2703,ssh
ACCEPT dmz net udp domain
#ACCEPT dmz net:$POPSERVERS tcp pop3
#ACCEPT dmz net:206.191.151.2 tcp pop3
#ACCEPT dmz net:66.216.26.115 tcp pop3
#
# Something is wrong with the FTP connection tracking code or there is some client out there
# that is sending a PORT command which that code doesn't understand. Either way,
# the following works around the problem.
#
ACCEPT:$LOG dmz net tcp 1024: 20
################################################################################################################################################################
# DMZ to Firewall -- ntp & snmp, Silently reject Auth
#
ACCEPT dmz fw udp ntp ntp
ACCEPT dmz fw tcp snmp,ssh
ACCEPT dmz fw udp snmp
REJECT dmz fw tcp auth
################################################################################################################################################################
#
# DMZ to Local Network
#
ACCEPT dmz loc tcp smtp,6001:6010
################################################################################################################################################################
#
# DMZ to Me -- NFS
#
ACCEPT dmz me tcp 111
ACCEPT dmz me udp 111
ACCEPT dmz me udp 2049
ACCEPT dmz me udp 32700:
################################################################################################################################################################
# Internet to Firewall
#
REDIRECT- net 25 tcp smtp - 206.124.146.177
ACCEPT net fw tcp smtp
REJECT net fw tcp www
DROP net fw tcp 1433
################################################################################################################################################################
# WiFi to Firewall (SMB and NTP)
#
ACCEPT WiFi fw tcp ssh,137,139,445
ACCEPT WiFi fw udp 137:139,445
ACCEPT WiFi fw udp 1024: 137
ACCEPT WiFi fw udp ntp ntp
################################################################################################################################################################
# Firewall to WiFi (SMB)
#
ACCEPT fw WiFi tcp 137,139,445
ACCEPT fw WiFi udp 137:139,445
ACCEPT fw WiFi udp 1024: 137
###############################################################################################################################################################
# WiFi to DMZ
#
DNAT- WiFi dmz:206.124.146.177 all - - 192.168.1.193
ACCEPT WiFi dmz tcp smtp,www,ftp,imaps,domain,https,ssh -
ACCEPT WiFi dmz udp domain
################################################################################################################################################################
# Firewall to Internet
#
ACCEPT fw net:$NTPSERVERS udp ntp ntp
ACCEPT fw net:$POPSERVERS tcp pop3
ACCEPT fw net udp domain
ACCEPT fw net tcp domain,www,https,ssh,1723,whois,1863,smtp,ftp,2702,2703,7
ACCEPT fw net udp 33435:33535
ACCEPT fw net icmp 8
################################################################################################################################################################
# Firewall to DMZ
#
ACCEPT fw dmz tcp www,ftp,ssh,smtp
ACCEPT fw dmz udp domain
ACCEPT fw dmz icmp 8
REJECT fw dmz udp 137:139

#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Last updated 7/27/2003 - Tom Eastep

Copyright © 2001, 2002, 2003 Thomas M. Eastep.