forked from extern/shorewall_code
a44e4a46f8
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1143 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
458 lines
38 KiB
HTML
458 lines
38 KiB
HTML
<?xml version="1.0" encoding="UTF-8"?>
|
||
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
|
||
<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>About My Network</title><meta name="generator" content="DocBook XSL Stylesheets V1.62.4" /></head><body><div class="article" lang="en" xml:lang="en"><div class="titlepage"><div><div><h1 class="title"><a id="id2590562"></a>About My Network</h1></div><div><div class="authorgroup"><div class="author"><h3 class="author"><span class="firstname">Tom</span> <span class="surname">Eastep</span></h3></div></div></div><div><p class="copyright">Copyright © 2001-2004 Thomas M. Eastep</p></div><div><div class="legalnotice"><p>Permission is granted to copy, distribute and/or modify this
|
||
document under the terms of the GNU Free Documentation License, Version
|
||
1.2 or any later version published by the Free Software Foundation; with
|
||
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
||
Texts. A copy of the license is included in the section entitled
|
||
“<span class="quote"><a href="GnuCopyright.htm" target="_self">GNU Free Documentation License</a></span>”.</p></div></div><div><p class="pubdate">2004-02-13</p></div></div><div></div><hr /></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="section"><a href="#id2815839">My Current Network</a></span></dt><dd><dl><dt><span class="section"><a href="#id2805857">Shorewall.conf</a></span></dt><dt><span class="section"><a href="#id2805874">Params File (Edited)</a></span></dt><dt><span class="section"><a href="#id2805900">Zones File</a></span></dt><dt><span class="section"><a href="#id2807778">Interfaces File</a></span></dt><dt><span class="section"><a href="#id2807811">Hosts File</a></span></dt><dt><span class="section"><a href="#id2807838">Routestopped File</a></span></dt><dt><span class="section"><a href="#RFC1918">RFC1918 File</a></span></dt><dt><span class="section"><a href="#id2810254">Blacklist File (Partial)</a></span></dt><dt><span class="section"><a href="#id2810278">Policy File</a></span></dt><dt><span class="section"><a href="#id2810297">Masq File</a></span></dt><dt><span class="section"><a href="#id2809846">NAT File</a></span></dt><dt><span class="section"><a href="#ProxyARP">Proxy ARP File</a></span></dt><dt><span class="section"><a href="#id2809906">Tunnels File (Shell variable TEXAS set in /etc/shorewall/params)</a></span></dt><dt><span class="section"><a href="#Actions">Actions File</a></span></dt><dt><span class="section"><a href="#id2809963">action.Mirrors File</a></span></dt><dt><span class="section"><a href="#id2809999">action.MyDrop</a></span></dt><dt><span class="section"><a href="#id2810040">action.MyReject</a></span></dt><dt><span class="section"><a href="#id2810089">Rules File (The shell variables are set in /etc/shorewall/params)</a></span></dt><dt><span class="section"><a href="#id2810110">/etc/network/interfaces</a></span></dt><dt><span class="section"><a href="#Dhcpd">/etc/dhcpd.conf (MAC Addresses Omitted)</a></span></dt></dl></dd></dl></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2815839"></a>My Current Network</h2></div></div><div></div></div><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p>I use a combination of One-to-one NAT and Proxy ARP, neither of
|
||
which are relevant to a simple configuration with a single public IP
|
||
address. If you have just a single public IP address, most of what you
|
||
see here won't apply to your setup so beware of copying parts of
|
||
this configuration and expecting them to work for you. What you copy may
|
||
or may not work in your configuration.</p></div><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p>The configuration shown here corresponds to Shorewall version
|
||
2.0.0-Beta1. It may use features not available in earlier Shorewall
|
||
releases.</p></div><p>I have DSL service and have 5 static IP addresses
|
||
(206.124.146.176-180). My DSL “<span class="quote">modem</span>” (Fujitsu Speedport) is
|
||
connected to eth0. I have a local network connected to eth2 (subnet
|
||
192.168.1.0/24), a DMZ connected to eth1 (206.124.146.176/32) and a
|
||
Wireless network connected to eth3 (192.168.3.0/24). Note that the IP
|
||
address of eth1 is a duplicate of one on eth0.</p><p>I use:</p><div class="itemizedlist"><ul type="disc"><li><p>One-to-one NAT for Ursa (my personal system that dual-boots
|
||
Mandrake 9.2 and Windows XP) - Internal address 192.168.1.5 and
|
||
external address 206.124.146.178.</p></li><li><p>One-to-one NAT for EastepLaptop (My work system -- Windows XP
|
||
SP2). Internal address 192.168.1.7 and external address
|
||
206.124.146.180.</p></li><li><p>SNAT through 206.124.146.179 for my SuSE 9.0 Linux
|
||
system (Wookie), my Wife's Windows XP system (Tarry), and
|
||
our Windows XP laptop (Tipper) which connects through the
|
||
Wireless Access Point (wap) via a Wireless Bridge (bridge).</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>While
|
||
the distance between the WAP and where I usually use the laptop
|
||
isn't very far (25 feet or so), using a WAC11 (CardBus wireless
|
||
card) has proved very unsatisfactory (lots of lost connections). By
|
||
replacing the WAC11 with the WET11 wireless bridge, I have virtually
|
||
eliminated these problems (Being an old radio tinkerer (K7JPV), I was
|
||
also able to eliminate the disconnects by hanging a piece of aluminum
|
||
foil on the family room wall. Needless to say, my wife Tarry rejected
|
||
that as a permanent solution :-).</p></div></li></ul></div><p>The firewall runs on a 256MB PII/233 with Debian Sarge (Testing).</p><p>Wookie, Ursa and the Firewall all run Samba and the Firewall acts as
|
||
a WINS server.</p><p>The wireless network connects to eth3 via a LinkSys WAP11.
|
||
In additional to using the rather weak WEP 40-bit encryption (64-bit with
|
||
the 24-bit preamble), I use <a href="MAC_Validation.html" target="_self">MAC
|
||
verification</a>. This is still a weak combination and if I lived near
|
||
a wireless “<span class="quote">hot spot</span>”, I would probably add IPSEC or
|
||
something similar to my WiFi->local connections.</p><p>The single system in the DMZ (address 206.124.146.177) runs postfix,
|
||
Courier IMAP (imaps and pop3), DNS, a Web server (Apache) and an FTP
|
||
server (Pure-ftpd) under RedHat 9.0. The system also runs fetchmail to
|
||
fetch our email from our old and current ISPs. That server is managed
|
||
through Proxy ARP.</p><p>The firewall system itself runs a DHCP server that serves the local
|
||
network.</p><p>All administration and publishing is done using ssh/scp. I have a
|
||
desktop environment installed on the firewall but I am not usually logged
|
||
in to it. X applications tunnel through SSH to Ursa. The server also has a
|
||
desktop environment installed and that desktop environment is available
|
||
via XDMCP from the local zone. For the most part though, X tunneled
|
||
through SSH is used for server administration and the server runs at run
|
||
level 3 (multi-user console mode on RedHat).</p><p>I run an SNMP server on my firewall to serve <a href="http://www.ee.ethz.ch/~oetiker/webtools/mrtg/" target="_self">MRTG</a> running
|
||
in the DMZ.</p><div align="center"><img src="images/network.png" align="middle" /></div><p>The
|
||
ethernet interface in the Server is configured with IP address
|
||
206.124.146.177, netmask 255.255.255.0. The server's default gateway
|
||
is 206.124.146.254 (Router at my ISP. This is the same default gateway
|
||
used by the firewall itself). On the firewall, an entry in my
|
||
/etc/network/interfaces file (see below) adds a host route to
|
||
206.124.146.177 through eth1 when that interface is brought up.</p><p>Ursa (192.168.1.5 A.K.A. 206.124.146.178) runs a PPTP server for
|
||
Road Warrior access.</p><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id2805857"></a>Shorewall.conf</h3></div></div><div></div></div><div class="blockquote"><blockquote class="blockquote"><table border="0" bgcolor="#E0E0E0"><tr><td><pre class="programlisting">LOGFILE=/var/log/messages
|
||
LOGRATE=
|
||
LOGBURST=
|
||
LOGUNCLEAN=$LOG
|
||
BLACKLIST_LOGLEVEL=
|
||
LOGNEWNOTSYN=$LOG
|
||
MACLIST_LOG_LEVEL=$LOG
|
||
TCP_FLAGS_LOG_LEVEL=$LOG
|
||
RFC1918_LOG_LEVEL=$LOG
|
||
SMURF_LOG_LEVEL=
|
||
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
|
||
SHOREWALL_SHELL=/bin/ash
|
||
SUBSYSLOCK= #I run Debian which doesn't use service locks
|
||
STATEDIR=/var/state/shorewall
|
||
MODULESDIR=
|
||
FW=fw
|
||
IP_FORWARDING=On
|
||
ADD_IP_ALIASES=Yes
|
||
ADD_SNAT_ALIASES=Yes
|
||
TC_ENABLED=Yes
|
||
CLEAR_TC=No
|
||
MARK_IN_FORWARD_CHAIN=No
|
||
CLAMPMSS=Yes
|
||
ROUTE_FILTER=No
|
||
DETECT_DNAT_IPADDRS=Yes
|
||
MUTEX_TIMEOUT=60
|
||
NEWNOTSYN=Yes
|
||
BLACKLISTNEWONLY=Yes
|
||
BLACKLIST_DISPOSITION=DROP
|
||
MACLIST_DISPOSITION=REJECT
|
||
TCP_FLAGS_DISPOSITION=DROP
|
||
</pre></td></tr></table></blockquote></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id2805874"></a>Params File (Edited)</h3></div></div><div></div></div><div class="blockquote"><blockquote class="blockquote"><table border="0" bgcolor="#E0E0E0"><tr><td><pre class="programlisting">MIRRORS=<list of shorewall mirror ip addresses>
|
||
NTPSERVERS=<list of the NTP servers I sync with>
|
||
TEXAS=<ip address of gateway in Dallas>
|
||
LOG=info</pre></td></tr></table></blockquote></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id2805900"></a>Zones File</h3></div></div><div></div></div><div class="blockquote"><blockquote class="blockquote"><table border="0" bgcolor="#E0E0E0"><tr><td><pre class="programlisting">#ZONE DISPLAY COMMENTS
|
||
net Internet Internet
|
||
WiFi Wireless Wireless Network on eth3
|
||
dmz DMZ Demilitarized zone
|
||
loc Local Local networks
|
||
tx Texas Peer Network in Dallas
|
||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</pre></td></tr></table></blockquote></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id2807778"></a>Interfaces File</h3></div></div><div></div></div><div class="blockquote"><blockquote class="blockquote"><p>This is set up so that I can start the firewall before bringing
|
||
up my Ethernet interfaces.</p><table border="0" bgcolor="#E0E0E0"><tr><td><pre class="programlisting">#ZONE INERFACE BROADCAST OPTIONS
|
||
net eth0 206.124.146.255 dhcp,norfc1918,routefilter,blacklist,tcpflags,nosmurfs
|
||
loc eth2 192.168.1.255 dhcp,detectnets
|
||
dmz eth1 -
|
||
WiFi eth3 192.168.3.255 dhcp,maclist,detectnets
|
||
- texas 192.168.9.255
|
||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</pre></td></tr></table></blockquote></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id2807811"></a>Hosts File</h3></div></div><div></div></div><div class="blockquote"><blockquote class="blockquote"><table border="0" bgcolor="#E0E0E0"><tr><td><pre class="programlisting">#ZONE HOST(S) OPTIONS
|
||
tx texas:192.168.8.0/22
|
||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</pre></td></tr></table></blockquote></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id2807838"></a>Routestopped File</h3></div></div><div></div></div><div class="blockquote"><blockquote class="blockquote"><table border="0" bgcolor="#E0E0E0"><tr><td><pre class="programlisting">#INTERFACE HOST(S)
|
||
eth1 206.124.146.177
|
||
eth2 -
|
||
eth3 192.168.3.0/24
|
||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</pre></td></tr></table></blockquote></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="RFC1918"></a>RFC1918 File</h3></div></div><div></div></div><div class="blockquote"><blockquote class="blockquote"><p>I use a stripped-down file which doesn't have to be updated
|
||
when the IANA allocates a block of IP addresses.</p></blockquote></div><div class="blockquote"><blockquote class="blockquote"><table border="0" bgcolor="#E0E0E0"><tr><td><pre class="programlisting">#SUBNET TARGET
|
||
169.254.0.0/16 DROP # DHCP autoconfig
|
||
172.16.0.0/12 logdrop # RFC 1918
|
||
192.0.2.0/24 logdrop # Example addresses
|
||
192.168.0.0/16 logdrop # RFC 1918
|
||
10.24.60.56 DROP # Some idiot in my broadcast domain
|
||
# has a box configured with this
|
||
# address.
|
||
10.0.0.0/8 logdrop # Reserved (RFC 1918)</pre></td></tr></table></blockquote></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id2810254"></a>Blacklist File (Partial)</h3></div></div><div></div></div><div class="blockquote"><blockquote class="blockquote"><table border="0" bgcolor="#E0E0E0"><tr><td><pre class="programlisting">#ADDRESS/SUBNET PROTOCOL PORT
|
||
0.0.0.0/0 udp 1434
|
||
0.0.0.0/0 tcp 1433
|
||
0.0.0.0/0 tcp 8081
|
||
0.0.0.0/0 tcp 57
|
||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</pre></td></tr></table></blockquote></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id2810278"></a>Policy File</h3></div></div><div></div></div><div class="blockquote"><blockquote class="blockquote"><table border="0" bgcolor="#E0E0E0"><tr><td><pre class="programlisting">#SOURCE DESTINATION POLICY LOG LEVEL BURST:LIMIT
|
||
fw fw ACCEPT # For testing fw->fw rules
|
||
loc net ACCEPT # Allow all net traffic from local net
|
||
$FW loc ACCEPT # Allow local access from the firewall
|
||
$FW tx ACCEPT # Allow firewall access to texas
|
||
loc tx ACCEPT # Allow local net access to texas
|
||
loc fw REJECT $LOG # Reject loc->fw and log
|
||
WiFi net ACCEPT # Allow internet access from wirless
|
||
net all DROP $LOG 10/sec:40 # Rate limit and
|
||
# DROP net->all
|
||
all all REJECT $LOG # Reject and log the rest
|
||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</pre></td></tr></table></blockquote></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id2810297"></a>Masq File</h3></div></div><div></div></div><div class="blockquote"><blockquote class="blockquote"><p>Although most of our internal systems use one-to-one NAT, my
|
||
wife's system (192.168.1.4) uses IP Masquerading (actually SNAT)
|
||
as does my SuSE system (192.168.1.3), our laptop (192.168.3.8) and
|
||
visitors with laptops.</p><table border="0" bgcolor="#E0E0E0"><tr><td><pre class="programlisting">#INTERFACE SUBNET ADDRESS
|
||
eth0:2 eth2 206.124.146.179
|
||
eth0 eth3 206.124.146.179
|
||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
|
||
</pre></td></tr></table></blockquote></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id2809846"></a>NAT File</h3></div></div><div></div></div><div class="blockquote"><blockquote class="blockquote"><table border="0" bgcolor="#E0E0E0"><tr><td><pre class="programlisting">#EXTERNAL INTERFACE INTERNAL ALL INTERFACES LOCAL
|
||
206.124.146.178 eth0:0 192.168.1.5 No No
|
||
206.124.146.180 eth0:1 192.168.1.7 No No
|
||
#
|
||
# The following entry allows the server to be accessed through an address in
|
||
# the local network. This is convenient when I'm on the road and connected
|
||
# to the PPTP server. By doing this, I don't need to set my client's default
|
||
# gateway to route through the tunnel.
|
||
#
|
||
192.168.1.193 eth2:0 206.124.146.177 No No
|
||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre></td></tr></table></blockquote></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="ProxyARP"></a>Proxy ARP File</h3></div></div><div></div></div><div class="blockquote"><blockquote class="blockquote"><table border="0" bgcolor="#E0E0E0"><tr><td><pre class="programlisting">#ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT
|
||
206.124.146.177 eth1 eth0 Yes
|
||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</pre></td></tr></table></blockquote></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id2809906"></a>Tunnels File (Shell variable TEXAS set in /etc/shorewall/params)</h3></div></div><div></div></div><div class="blockquote"><blockquote class="blockquote"><table border="0" bgcolor="#E0E0E0"><tr><td><pre class="programlisting">#TYPE ZONE GATEWAY GATEWAY ZONE PORT
|
||
gre net $TEXAS
|
||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</pre></td></tr></table></blockquote></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="Actions"></a>Actions File</h3></div></div><div></div></div><div class="blockquote"><blockquote class="blockquote"><table border="0" bgcolor="#E0E0E0"><tr><td><pre class="programlisting">#ACTION
|
||
DropSMB #Silently Drops Microsoft SMB Traffic
|
||
RejectSMB #Silently Reject Microsoft SMB Traffic
|
||
DropUPnP #Silently Drop UPnP Probes
|
||
RejectAuth #Silently Reject Auth
|
||
DropPing #Silently Drop Ping
|
||
DropDNSrep #Silently Drop DNS Replies
|
||
AllowPing #Accept Ping
|
||
|
||
Mirrors #Accept traffic from the Shorewall Mirror sites
|
||
|
||
MyDrop:DROP #My DROP common action
|
||
MyReject:REJECT #My REJECT common action
|
||
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</pre></td></tr></table></blockquote></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id2809963"></a>action.Mirrors File</h3></div></div><div></div></div><div class="blockquote"><blockquote class="blockquote"><p>The $MIRRORS variable expands to a list of approximately 10 IP
|
||
addresses. So moving these checks into a separate chain reduces the
|
||
number of rules that most net->dmz traffic needs to traverse.</p><table border="0" bgcolor="#E0E0E0"><tr><td><pre class="programlisting">#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
|
||
# PORT PORT(S) DEST LIMIT
|
||
ACCEPT $MIRRORS
|
||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</pre></td></tr></table></blockquote></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id2809999"></a>action.MyDrop</h3></div></div><div></div></div><div class="blockquote"><blockquote class="blockquote"><p>This is my common action for the DROP policy. It is like the
|
||
standard <span class="bold"><b>Reject</b></span> action except that it
|
||
allows “<span class="quote">Ping</span>”.</p><table border="0" bgcolor="#E0E0E0"><tr><td><pre class="programlisting">#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||
# PORT(S) PORT(S) LIMIT GROUP
|
||
RejectAuth
|
||
AllowPing
|
||
dropBcast
|
||
DropSMB
|
||
DropUPnP
|
||
dropNonSyn
|
||
DropDNSrep</pre></td></tr></table></blockquote></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id2810040"></a>action.MyReject</h3></div></div><div></div></div><div class="blockquote"><blockquote class="blockquote"><p>This is my common action for the REJECT policy. It is like the
|
||
standard <span class="bold"><b>Drop</b></span> action except that it
|
||
allows “<span class="quote">Ping</span>”.</p><table border="0" bgcolor="#E0E0E0"><tr><td><pre class="programlisting">#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||
# PORT(S) PORT(S) LIMIT GROUP
|
||
RejectAuth
|
||
AllowPing
|
||
dropBcast
|
||
RejectSMB
|
||
DropUPnP
|
||
dropNonSyn
|
||
DropDNSrep
|
||
DROP loc:eth2:!192.168.1.0/24 #So that my braindead Windows[tm] XP system doesn't flood my log
|
||
#with NTP requests with a source address in 16.0.0.0/8 (address of
|
||
#its PPTP tunnel to HP).</pre></td></tr></table></blockquote></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id2810089"></a>Rules File (The shell variables are set in /etc/shorewall/params)</h3></div></div><div></div></div><div class="blockquote"><blockquote class="blockquote"><table border="0" bgcolor="#E0E0E0"><tr><td><pre class="programlisting">###############################################################################################################################################################################
|
||
#RESULT CLIENT(S) SERVER(S) PROTO PORT(S) CLIENT ORIGINAL RATE USER
|
||
# PORT(S) DEST:SNAT SET
|
||
###############################################################################################################################################################################
|
||
# Local Network to Internet - Reject attempts by Trojans to call home
|
||
#
|
||
REJECT:$LOG loc net tcp 6667
|
||
#
|
||
# Stop NETBIOS crap since our policy is ACCEPT
|
||
#
|
||
REJECT loc net tcp 137,445
|
||
REJECT loc net udp 137:139
|
||
#
|
||
DROP loc:!192.168.1.0/24 net
|
||
|
||
QUEUE loc net udp
|
||
QUEUE loc fw udp
|
||
QUEUE loc net tcp
|
||
###############################################################################################################################################################################
|
||
# Local Network to Firewall
|
||
#
|
||
DROP loc:!192.168.1.0/24 fw
|
||
ACCEPT loc fw tcp ssh,time,10000,swat,137,139,445
|
||
ACCEPT loc fw udp snmp,ntp,445
|
||
ACCEPT loc fw udp 137:139
|
||
ACCEPT loc fw udp 1024: 137
|
||
###############################################################################################################################################################################
|
||
# Local Network to DMZ
|
||
#
|
||
DROP loc:!192.168.1.0/24 dmz
|
||
REJECT loc dmz tcp 465
|
||
ACCEPT loc dmz udp domain,xdmcp
|
||
ACCEPT loc dmz tcp www,smtp,domain,ssh,imap,https,imaps,cvspserver,ftp,10000,8080,10027,pop3 -
|
||
###############################################################################################################################################################################
|
||
# Internet to DMZ
|
||
#
|
||
DNAT- net dmz:206.124.146.177 tcp smtp - 206.124.146.179,206.124.146.178
|
||
ACCEPT net dmz tcp smtp,www,ftp,imaps,domain,cvspserver,https -
|
||
ACCEPT net dmz udp domain
|
||
ACCEPT net dmz udp 33434:33436
|
||
Mirrors net dmz tcp rsync
|
||
#ACCEPT:$LOG net dmz tcp 32768:61000 20
|
||
###############################################################################################################################################################################
|
||
#
|
||
# Net to Local
|
||
#
|
||
# When I'm "on the road", the following two rules allow me VPN access back home.
|
||
#
|
||
ACCEPT net loc:192.168.1.5 tcp 1723
|
||
ACCEPT net loc:192.168.1.5 gre
|
||
#
|
||
# ICQ
|
||
#
|
||
ACCEPT net loc:192.168.1.5 tcp 4000:4100
|
||
#
|
||
# Real Audio
|
||
#
|
||
ACCEPT net loc:192.168.1.5 udp 6970:7170
|
||
#
|
||
# Overnet
|
||
#
|
||
#ACCEPT net loc:192.168.1.5 tcp 4662
|
||
#ACCEPT net loc:192.168.1.5 udp 12112
|
||
###############################################################################################################################################################################
|
||
# DMZ to Internet
|
||
#
|
||
ACCEPT dmz net tcp smtp,domain,www,https,whois,echo,2702,21,2703,ssh,8080
|
||
ACCEPT dmz net udp domain
|
||
ACCEPT dmz net:$POPSERVERS tcp pop3
|
||
#ACCEPT dmz net:206.191.151.2 tcp pop3
|
||
#ACCEPT dmz net:66.216.26.115 tcp pop3
|
||
#
|
||
# Something is wrong with the FTP connection tracking code or there is some client out there
|
||
# that is sending a PORT command which that code doesn't understand. Either way,
|
||
# the following works around the problem.
|
||
#
|
||
ACCEPT:$LOG dmz net tcp 1024: 20
|
||
###############################################################################################################################################################################
|
||
# DMZ to Firewall -- ntp & snmp, Silently reject Auth
|
||
#
|
||
ACCEPT dmz fw udp ntp ntp
|
||
ACCEPT dmz fw tcp snmp,ssh
|
||
ACCEPT dmz fw udp snmp
|
||
REJECT dmz fw tcp auth
|
||
###############################################################################################################################################################################
|
||
# DMZ to Internet
|
||
#
|
||
ACCEPT dmz net tcp smtp,domain,www,https,whois,echo,2702,21,2703,ssh,8080
|
||
ACCEPT dmz net udp domain
|
||
ACCEPT dmz net:$POPSERVERS tcp pop3
|
||
#ACCEPT dmz net:206.191.151.2 tcp pop3
|
||
#ACCEPT dmz net:66.216.26.115 tcp pop3
|
||
#
|
||
# Something is wrong with the FTP connection tracking code or there is some client out there
|
||
# that is sending a PORT command which that code doesn't understand. Either way,
|
||
# the following works around the problem.
|
||
#
|
||
ACCEPT:$LOG dmz net tcp 1024: 20
|
||
###############################################################################################################################################################################
|
||
# DMZ to Firewall -- ntp & snmp, Silently reject Auth
|
||
#
|
||
ACCEPT dmz fw udp ntp ntp
|
||
ACCEPT dmz fw tcp snmp,ssh
|
||
ACCEPT dmz fw udp snmp
|
||
REJECT dmz fw tcp auth
|
||
###############################################################################################################################################################################
|
||
#
|
||
# DMZ to Local Network
|
||
#
|
||
ACCEPT dmz loc tcp smtp,6001:6010
|
||
ACCEPT dmz loc tcp 111
|
||
ACCEPT dmz loc udp
|
||
###############################################################################################################################################################################
|
||
# Internet to Firewall
|
||
#
|
||
REJECT net fw tcp www
|
||
ACCEPT net dmz udp 33434:33435
|
||
###############################################################################################################################################################################
|
||
# WIFI to Firewall
|
||
#
|
||
ACCEPT WiFi fw tcp ssh,137,139,445
|
||
ACCEPT WiFi fw udp 137:139,445
|
||
ACCEPT WiFi fw udp 1024: 137
|
||
ACCEPT WiFi fw udp ntp ntp
|
||
###############################################################################################################################################################################
|
||
# Firewall to WIFI
|
||
#
|
||
ACCEPT fw WiFi tcp 137,139,445
|
||
ACCEPT fw WiFi udp 137:139,445
|
||
ACCEPT fw WiFi udp 1024: 137
|
||
ACCEPT fw WiFi udp ntp ntp
|
||
##############################################################################################################################################################################
|
||
# WIFI to DMZ
|
||
#
|
||
DNAT- WiFi dmz:206.124.146.177 all - - 192.168.1.193
|
||
ACCEPT WiFi dmz tcp smtp,www,ftp,imaps,domain,https,ssh,8080 -
|
||
ACCEPT WiFi dmz udp domain
|
||
##############################################################################################################################################################################
|
||
# WIFI to loc
|
||
#
|
||
ACCEPT WiFi loc udp 137:139
|
||
ACCEPT WiFi loc tcp 22,80,137,139,445,901,3389
|
||
ACCEPT WiFi loc udp 1024: 137
|
||
ACCEPT WiFi loc udp 177
|
||
##############################################################################################################################################################################
|
||
# loc to WiFi
|
||
#
|
||
ACCEPT loc WiFi udp 137:139
|
||
ACCEPT loc WiFi tcp 137,139,445
|
||
ACCEPT loc WiFi udp 1024: 137
|
||
ACCEPT loc WiFi tcp 6000:6010
|
||
###############################################################################################################################################################################
|
||
# Firewall to Internet
|
||
#
|
||
ACCEPT fw net:$NTPSERVERS udp ntp ntp
|
||
#ACCEPT fw net:$POPSERVERS tcp pop3
|
||
ACCEPT fw net udp domain
|
||
ACCEPT fw net tcp domain,www,https,ssh,1723,whois,1863,ftp,2702,2703,7
|
||
ACCEPT fw net udp 33435:33535
|
||
ACCEPT fw net icmp
|
||
###############################################################################################################################################################################
|
||
# Firewall to DMZ
|
||
#
|
||
ACCEPT fw dmz tcp www,ftp,ssh,smtp
|
||
ACCEPT fw dmz udp domain
|
||
REJECT fw dmz udp 137:139
|
||
###############################################################################################################################################################################
|
||
# Ping
|
||
#
|
||
ACCEPT all all icmp 8
|
||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</pre></td></tr></table></blockquote></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id2810110"></a>/etc/network/interfaces</h3></div></div><div></div></div><div class="blockquote"><blockquote class="blockquote"><p>This file is Debian specific. My additional entry (which is
|
||
displayed in <span class="bold"><b>bold type</b></span>) adds a route
|
||
to my DMZ server when eth1 is brought up. It allows me to enter
|
||
“<span class="quote">Yes</span>” in the HAVEROUTE column of <a href="#ProxyARP" title="Proxy ARP File">my
|
||
Proxy ARP file</a>.</p><table border="0" bgcolor="#E0E0E0"><tr><td><pre class="programlisting">...
|
||
auto eth1
|
||
iface eth1 inet static
|
||
address 206.124.146.176
|
||
netmask 255.255.255.255
|
||
broadcast 0.0.0.0
|
||
<span class="bold"><b>up ip route add 206.124.146.177 dev eth1
|
||
</b></span>...</pre></td></tr></table></blockquote></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="Dhcpd"></a>/etc/dhcpd.conf (MAC Addresses Omitted)</h3></div></div><div></div></div><div class="blockquote"><blockquote class="blockquote"><p>While this is a little off-topic, I've included it to show
|
||
how to set up DHCP on two interfaces.</p><table border="0" bgcolor="#E0E0E0"><tr><td><pre class="programlisting">default-lease-time 67200; max-lease-time 67200;
|
||
get-lease-hostnames on;
|
||
|
||
group {
|
||
option subnet-mask 255.255.255.0;
|
||
option broadcast-address 192.168.1.255;
|
||
option routers 192.168.1.254;
|
||
option ntp-servers 192.168.1.254;
|
||
option domain-name-servers 192.168.1.193;
|
||
option netbios-name-servers 192.168.1.254;
|
||
option domain-name "shorewall.net";
|
||
option netbios-dd-server 192.168.1.254;
|
||
option netbios-node-type 8;
|
||
option netbios-scope "";
|
||
|
||
subnet 192.168.1.0 netmask 255.255.255.0 {
|
||
range 192.168.1.11 192.168.1.20;
|
||
}
|
||
|
||
host ursa.shorewall.net {
|
||
hardware ethernet …;
|
||
fixed-address 192.168.1.5;
|
||
}
|
||
|
||
host eastept1 {
|
||
hardware ethernet …;
|
||
fixed-address 192.168.1.7;
|
||
}
|
||
|
||
host tarry {
|
||
hardware ethernet …;
|
||
fixed-address 192.168.1.4;
|
||
}
|
||
|
||
host wookie.shorewall.net {
|
||
hardware ethernet …;
|
||
fixed-address 192.168.1.3;
|
||
}
|
||
|
||
host testws.shorewall.net {
|
||
hardware ethernet …;
|
||
fixed-address 192.168.1.6;
|
||
}
|
||
|
||
host printer.shorewall.net {
|
||
hardware ethernet …;
|
||
fixed-address 192.168.1.10;
|
||
}
|
||
|
||
}
|
||
|
||
group {
|
||
option subnet-mask 255.255.255.0;
|
||
option broadcast-address 192.168.3.255;
|
||
option routers 192.168.3.254;
|
||
option ntp-servers 192.168.3.254;
|
||
option domain-name-servers 206.124.146.177;
|
||
option netbios-name-servers 192.168.3.254;
|
||
option domain-name "shorewall.net";
|
||
option netbios-dd-server 192.168.3.254;
|
||
option netbios-node-type 8;
|
||
option netbios-scope "";
|
||
|
||
subnet 192.168.3.0 netmask 255.255.255.0 {
|
||
range 192.168.3.11 192.168.3.20;
|
||
}
|
||
|
||
host easteplaptop {
|
||
hardware ethernet …;
|
||
fixed-address 192.168.3.7;
|
||
}
|
||
|
||
host tipper.shorewall.net {
|
||
hardware ethernet …;
|
||
fixed-address 192.168.3.8;
|
||
}</pre></td></tr></table></blockquote></div></div></div></div></body></html>
|