forked from extern/shorewall_code
2c73054e6b
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3386 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<article>
  <!--$Id$-->

  <articleinfo>
    <title>About My Network</title>

    <authorgroup>
      <author>
        <firstname>Tom</firstname>
        <surname>Eastep</surname>
      </author>
    </authorgroup>

    <pubdate>2006-01-21</pubdate>

    <copyright>
      <year>2001-2006</year>
      <holder>Thomas M. Eastep</holder>
    </copyright>

    <legalnotice>
      <para>Permission is granted to copy, distribute and/or modify this
      document under the terms of the GNU Free Documentation License, Version
      1.2 or any later version published by the Free Software Foundation; with
      no Invariant Sections, with no Front-Cover, and with no Back-Cover
      Texts. A copy of the license is included in the section entitled
      <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
      License</ulink></quote>.</para>
    </legalnotice>
  </articleinfo>

  <section>
    <title>My Current Network</title>

    <caution>
      <para>I use a combination of one-to-one NAT and Xen paravirtualization,
      neither of which is relevant to a simple configuration with a single
      public IP address. If you have just a single public IP address, most of
      what you see here won't apply to your setup, so beware of copying parts
      of this configuration and expecting them to work for you. What you copy
      may or may not work in your environment.</para>
    </caution>

    <caution>
      <para>The configuration shown here corresponds to Shorewall version
      3.0.3. My configuration uses features not available in earlier Shorewall
      releases.</para>
    </caution>

    <para>I have DSL service with 5 static IP addresses (206.124.146.176-180).
    My DSL <quote>modem</quote> (<ulink
    url="http://www.westell.com/pages/index.jsp">Westell</ulink> 2200) is
    connected to eth2 and has IP address 192.168.1.1 (factory default). The
    modem is configured in <quote>bridge</quote> mode so PPPoE is not
    involved. I have a local network connected to eth1 which is bridged to
    interface tun0 via bridge br0 (subnet 192.168.1.0/24) and a wireless
    network (192.168.3.0/24) connected to eth0.</para>

    <para>In this configuration:</para>

    <itemizedlist>
      <listitem>
        <para>I use one-to-one NAT for <emphasis>"Ursa"</emphasis> (my
        personal system that runs SuSE 10.0) - Internal address 192.168.1.5 and
        external address 206.124.146.178.</para>
      </listitem>

      <listitem>
        <para>I use one-to-one NAT for "<emphasis>lists</emphasis>" (my server
        system that runs SuSE 10.0 in a Xen virtual system on
        <emphasis>ursa</emphasis>) - Internal address 192.168.1.7 and external
        address 206.124.146.177.</para>
      </listitem>

      <listitem>
        <para>I use one-to-one NAT for "<emphasis>Eastepnc6000</emphasis>" (my
        work system -- Windows XP SP1/SuSE 10.0). Internal address 192.168.1.6
        and external address 206.124.146.180.</para>
      </listitem>

      <listitem>
        <para>I use SNAT through 206.124.146.179 for my wife's Windows XP
        system <quote><emphasis>Tarry</emphasis></quote> and our SUSE 10.0
        laptop <quote><emphasis>Tipper</emphasis></quote>, which connects
        through the Wireless Access Point (wap) via a Wireless Bridge
        (wet).<note>
            <para>While the distance between the WAP and where I usually use
            the laptop isn't very far (50 feet or so), using a WAC11 (CardBus
            wireless card) has proved very unsatisfactory (lots of lost
            connections). By replacing the WAC11 with the WET11 wireless
            bridge, I have virtually eliminated these problems. (Being an old
            radio tinkerer (K7JPV), I was also able to eliminate the
            disconnects by hanging a piece of aluminum foil on the family room
            wall. Needless to say, my wife Tarry rejected that as a permanent
            solution :-).)</para>
          </note></para>
      </listitem>
    </itemizedlist>

    <para>The firewall runs on a Celeron 1.4GHz under SuSE 10.0.</para>

    <para><emphasis>Ursa</emphasis> runs Samba for file sharing with the
    Windows systems and is configured as a WINS server.</para>

    <para>The wireless network connects to the firewall's eth0 via a LinkSys
    WAP11. In addition to using the rather weak WEP 40-bit encryption
    (64-bit with the 24-bit preamble), I use <ulink
    url="MAC_Validation.html">MAC verification</ulink> and <ulink
    url="OPENVPN.html#Bridge">OpenVPN in bridge mode</ulink>.</para>

    <para>The server runs <ulink
    url="http://www.postfix.org">Postfix</ulink>, <ulink
    url="http://www.courier-mta.org/imap/">Courier IMAP</ulink> (imap and
    imaps), <ulink url="http://www.isc.org/sw/bind/">DNS (Bind 9)</ulink>, a
    <ulink url="http://www.apache.org">Web server (Apache)</ulink> and an
    <ulink url="http://www.pureftpd.org/">FTP server
    (Pure-ftpd)</ulink>.</para>

    <para>The firewall system itself runs a <ulink
    url="http://www.isc.org/sw/dhcp/">DHCP server</ulink> that serves the
    local and wireless networks.</para>

    <para>All administration and publishing is done using ssh/scp. I have a
    desktop environment installed on the firewall but I usually don't start
    it. X applications tunnel through SSH to <emphasis>Ursa</emphasis> or one
    of the laptops. The server also has a desktop environment installed but it
    is never started. For the most part, X tunneled through SSH is used for
    server administration and the server runs at run level 3 (multi-user
    console mode on SuSE).</para>

    <para>In addition to the OpenVPN bridge, the firewall hosts an OpenVPN
    tunnel server for VPN access from our second home in <ulink
    url="http://www.omakchamber.com/">Omak, Washington</ulink> or when we are
    otherwise out of town.</para>

    <para><graphic align="center" fileref="images/network.png" /><note>
        <para><emphasis>Eastepnc6000</emphasis> is shown in both the local LAN
        and in the Wifi zone with IP address 192.168.1.6 -- clearly, the
        computer can only be in one place or the other.
        <emphasis>Tipper</emphasis> can also be in either place and will have
        the IP address 192.168.1.8 regardless.</para>
      </note></para>
  </section>

  <section>
    <title>Ursa (Xen) Configuration</title>

    <para>Ursa runs two domains. Domain 0 is my personal Linux desktop
    environment. The other domains comprise my DMZ. There is currently only
    one system (lists) in the DMZ.</para>

    <graphic align="center" fileref="images/Xen3.png" />

    <para>Ursa's Shorewall configuration is described in <ulink
    url="Xen.html">the article about Xen and Shorewall</ulink>.</para>

    <para>About the only thing that is unique about the configuration of
    Domain 1 (lists) is that its (virtualized) eth0 has two addresses:</para>

    <itemizedlist>
      <listitem>
        <para>192.168.1.7/24</para>
      </listitem>

      <listitem>
        <para>206.124.146.177/32</para>
      </listitem>
    </itemizedlist>

    <para>This prevents the DNS server from getting confused by the fact
    that the two different views have different IP addresses for the primary
    name server for the domain shorewall.net.</para>
  </section>

  <section>
    <title>Firewall Configuration</title>

    <section>
      <title>Shorewall.conf</title>

      <blockquote>
        <programlisting>STARTUP_ENABLED=Yes
LOGFILE=/var/log/messages
LOGFORMAT="Shorewall:%s:%s:"
LOGTAGONLY=No
LOGRATE=
LOGBURST=
LOGALLNEW=
BLACKLIST_LOGLEVEL=
MACLIST_LOG_LEVEL=$LOG
TCP_FLAGS_LOG_LEVEL=$LOG
RFC1918_LOG_LEVEL=$LOG
SMURF_LOG_LEVEL=$LOG
LOG_MARTIANS=No
IPTABLES=
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
SHOREWALL_SHELL=/bin/dash
SUBSYSLOCK=
MODULESDIR=
CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
RESTOREFILE=standard
IPSECFILE=zones
FW=
IP_FORWARDING=On
ADD_IP_ALIASES=No
ADD_SNAT_ALIASES=No
RETAIN_ALIASES=Yes
TC_ENABLED=Internal
CLEAR_TC=Yes
MARK_IN_FORWARD_CHAIN=Yes
CLAMPMSS=Yes
ROUTE_FILTER=No
DETECT_DNAT_IPADDRS=Yes
MUTEX_TIMEOUT=60
ADMINISABSENTMINDED=Yes
BLACKLISTNEWONLY=Yes
DELAYBLACKLISTLOAD=No
MODULE_SUFFIX=
DISABLE_IPV6=Yes
BRIDGING=No
DYNAMIC_ZONES=No
PKTTYPE=No
RFC1918_STRICT=Yes
MACLIST_TTL=60
SAVE_IPSETS=No
MAPOLDACTIONS=No
FASTACCEPT=No
BLACKLIST_DISPOSITION=DROP
MACLIST_TABLE=mangle
MACLIST_DISPOSITION=DROP
TCP_FLAGS_DISPOSITION=DROP</programlisting>
      </blockquote>
    </section>

    <section>
      <title>Params File (Edited)</title>

      <blockquote>
        <para><programlisting>NTPSERVERS=&lt;list of NTP server IP addresses&gt;
POPSERVERS=&lt;list of external POP3 servers accessed by fetchmail running on the DMZ server&gt;
LOG=info
WIFI_IF=eth0
EXT_IF=eth2
INT_IF=br0
OMAK=&lt;ip address of the gateway at our second home&gt;
MIRRORS=&lt;list of IP addresses of Shorewall mirrors&gt;</programlisting></para>
      </blockquote>
    </section>

    <section>
      <title>Zones File</title>

      <blockquote>
        <programlisting>#ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS
fw firewall
net ipv4
loc ipv4
dmz:loc ipv4
vpn ipv4
Wifi ipv4
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
      </blockquote>
    </section>

    <section>
      <title>Interfaces File</title>

      <blockquote>
        <programlisting>#ZONE INTERFACE BROADCAST OPTIONS
net $EXT_IF 206.124.146.255 dhcp,norfc1918,logmartians,blacklist,tcpflags,nosmurfs
loc $INT_IF detect dhcp,routeback
vpn tun+ -
Wifi $WIFI_IF - dhcp,maclist
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
      </blockquote>
    </section>

    <section>
      <title>Hosts File</title>

      <para>This file is used to define the dmz zone -- the single (virtual)
      system with internal IP address 192.168.1.7.</para>

      <blockquote>
        <programlisting>#ZONE HOST(S) OPTIONS
dmz $INT_IF:192.168.1.7
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE
</programlisting>
      </blockquote>
    </section>

    <section>
      <title>Routestopped File</title>

      <blockquote>
        <programlisting>#INTERFACE HOST(S) OPTIONS
$INT_IF - source,dest
$WIFI_IF - source,dest
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
      </blockquote>
    </section>

    <section>
      <title>Providers File</title>

      <blockquote>
        <para>This entry isn't necessary but it allows me to smoke test
        parsing of the providers file.</para>

        <programlisting>#NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY
Blarg 1 1 main $EXT_IF 206.124.146.254 track,balance=1 $INT_IF,$WIFI_IF,tun0
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
</programlisting>
      </blockquote>
    </section>

    <section>
      <title>Blacklist File (Edited)</title>

      <blockquote>
        <para>I blacklist a number of ports globally to cut down on the amount
        of noise in my firewall log. Note that the syntax shown below was
        introduced in Shorewall 3.0.3 ("-" in the ADDRESS/SUBNET column);
        earlier versions must use "0.0.0.0/0".</para>

        <programlisting>#ADDRESS/SUBNET PROTOCOL PORT
- udp 1024:1033
- tcp 57,1433,1434,2401,2745,3127,3306,3410,4899,5554,6101,8081,9898
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
      </blockquote>
    </section>

    <section>
      <title>RFC1918 File</title>

      <blockquote>
        <para>Because my DSL modem has an RFC 1918 address (192.168.1.1) and
        is connected to eth0, I need to make an exception for that address in
        my rfc1918 file. I copied /usr/share/shorewall/rfc1918 to
        /etc/shorewall/rfc1918 and changed it as follows:</para>

        <programlisting>#SUBNET TARGET
<emphasis role="bold">192.168.1.1 RETURN</emphasis>
172.16.0.0/12 logdrop # RFC 1918
192.168.0.0/16 logdrop # RFC 1918
10.0.0.0/8 logdrop # RFC 1918
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
</programlisting>
      </blockquote>
    </section>

    <section>
      <title>Policy File</title>

      <blockquote>
        <programlisting>#SOURCE DESTINATION POLICY LOG LEVEL BURST:LIMIT
$FW $FW ACCEPT
loc net ACCEPT
$FW vpn ACCEPT
vpn net ACCEPT
vpn loc ACCEPT
fw Wifi ACCEPT
loc vpn ACCEPT
$FW loc ACCEPT #Firewall to Local
loc $FW REJECT $LOG
net all DROP $LOG 10/sec:40
all all REJECT $LOG
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
      </blockquote>
    </section>

    <section>
      <title>Masq File</title>

      <blockquote>
        <para>Although most of our internal systems use one-to-one NAT, my
        wife's system (192.168.1.4) uses IP Masquerading (actually SNAT), as do
        our wireless network systems and visitors with laptops.</para>

        <para>The first entry allows access to the DSL modem and uses features
        introduced in Shorewall 2.1.1. The leading plus sign ("+") causes the
        rule to be placed before rules generated by the /etc/shorewall/nat
        file below.</para>

        <programlisting>#INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC
+$EXT_IF:192.168.1.1 0.0.0.0/0 192.168.1.254
$EXT_IF 192.168.0.0/22 206.124.146.179
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
</programlisting>
      </blockquote>
    </section>

    <section>
      <title>NAT File</title>

      <blockquote>
        <programlisting>#EXTERNAL INTERFACE INTERNAL ALL LOCAL
# INTERFACES
206.124.146.177 $EXT_IF 192.168.1.7 No No
206.124.146.178 $EXT_IF 192.168.1.5 No No
206.124.146.180 $EXT_IF 192.168.1.6 No No
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
</programlisting>
      </blockquote>
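
      <para>The following Python script is an added example; it is not part of
      this page and not Shorewall code. It reads the masq and nat entries above
      as text, orders the resulting source-translation rules the way the page
      describes (masq entries with a leading "+" first, then the rules generated
      from the nat file, then the remaining masq entries) and answers, by first
      match as a POSTROUTING chain would, which source address a packet leaves
      with. The interface names come from the params file above; the Internet
      destination 198.51.100.10 is a constructed documentation address. The
      first-match evaluation is the script's model of iptables behaviour, not
      something the page states explicitly.</para>

      <programlisting><![CDATA[
```python
"""Model of how the masq and nat entries above choose a translation address.

Added example (not Shorewall code): reads both files as text, orders the SNAT
rules as the page describes ('+' masq entries, then nat-file entries, then the
other masq entries) and resolves a packet's new source address by first match.
"""
import ipaddress
from string import Template

# Interface names from the params file on this page.
PARAMS = {"EXT_IF": "eth2", "INT_IF": "br0", "WIFI_IF": "eth0"}

# The masq and nat files as shown above (header and LAST LINE comments kept
# so the parser has to skip them).
MASQ_FILE = """\
#INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC
+$EXT_IF:192.168.1.1 0.0.0.0/0 192.168.1.254
$EXT_IF 192.168.0.0/22 206.124.146.179
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
"""
NAT_FILE = """\
#EXTERNAL INTERFACE INTERNAL ALL LOCAL
# INTERFACES
206.124.146.177 $EXT_IF 192.168.1.7 No No
206.124.146.178 $EXT_IF 192.168.1.5 No No
206.124.146.180 $EXT_IF 192.168.1.6 No No
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
"""


def fields(text, params):
    """Columns of each non-comment line, with $VARIABLES filled in from params."""
    for raw in text.splitlines():
        line = Template(raw).safe_substitute(params).split("#", 1)[0].strip()
        if line:
            yield line.split()


def build_snat_rules(masq_text, nat_text, params):
    """Ordered list of (out_iface, dest_net, src_net, snat_address) tuples."""
    early, late, nat = [], [], []
    for iface, subnet, address, *_ in fields(masq_text, params):
        # A leading '+' places the entry before the nat-file rules (page's statement).
        bucket = early if iface.startswith("+") else late
        # INTERFACE may carry ':dest' to restrict the rule to one destination.
        out_if, _, dest = iface.lstrip("+").partition(":")
        bucket.append((out_if, ipaddress.ip_network(dest or "0.0.0.0/0", strict=False),
                       ipaddress.ip_network(subnet, strict=False), address))
    for external, iface, internal, *_ in fields(nat_text, params):
        # One-to-one NAT: outbound packets from INTERNAL leave with EXTERNAL as source.
        nat.append((iface, ipaddress.ip_network("0.0.0.0/0"),
                    ipaddress.ip_network(internal), external))
    return early + nat + late


def resolve_snat(rules, src, dst, out_iface):
    """Source address after translation, or None if no rule matches (first match wins)."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for iface, dest_net, src_net, address in rules:
        if iface == out_iface and src_ip in src_net and dst_ip in dest_net:
            return address
    return None


def resolve_dnat(nat_text, params, dst, in_iface):
    """Inbound side of one-to-one NAT: the internal host that receives a packet sent to dst."""
    for external, iface, internal, *_ in fields(nat_text, params):
        if iface == in_iface and external == dst:
            return internal
    return None


if __name__ == "__main__":
    rules = build_snat_rules(MASQ_FILE, NAT_FILE, PARAMS)
    # 198.51.100.10 is a constructed Internet destination (RFC 5737 documentation range).
    for src, dst in [("192.168.1.5", "198.51.100.10"), ("192.168.1.5", "192.168.1.1"),
                     ("192.168.1.4", "198.51.100.10"), ("192.168.3.5", "198.51.100.10")]:
        print(f"{src} -> {dst} leaves eth2 as {resolve_snat(rules, src, dst, 'eth2')}")
    # Without the '+', the nat entry for Ursa would match first for packets to the modem.
    no_plus = build_snat_rules(MASQ_FILE.replace("+$EXT_IF", "$EXT_IF"), NAT_FILE, PARAMS)
    print("without '+':", resolve_snat(no_plus, "192.168.1.5", "192.168.1.1", "eth2"))
```
]]></programlisting>

      <para>Running it shows why the "+" matters: with it, Ursa's packets to the
      modem leave as 192.168.1.254; without it, the nat-file rule for
      192.168.1.5 matches first and they would leave as 206.124.146.178.
      Hosts outside 192.168.0.0/22 get no translation at all, which is what a
      reviewer of this configuration should expect given the rules file's DROP
      entries for such sources.</para>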
    </section>

    <section>
      <title>Tunnels</title>

      <blockquote>
        <programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE PORT
openvpnserver:1194 net 0.0.0.0/0
openvpnserver:1194 Wifi 192.168.3.0/24
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
      </blockquote>
    </section>

    <section id="Actions">
      <title>Actions File</title>

      <blockquote>
        <para>The Limit action is described in a <ulink
        url="PortKnocking.html#Limit">separate article</ulink>.</para>

        <programlisting>#ACTION
Mirrors #Accept traffic from the Shorewall Mirror sites
Limit #Limit connection rate from each individual Host
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
      </blockquote>
    </section>

    <section>
      <title>action.Mirrors File</title>

      <blockquote>
        <para>$MIRRORS is set in <filename>/etc/shorewall/params</filename>
        above.</para>

        <programlisting>#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
# PORT PORT(S) DEST LIMIT
ACCEPT $MIRRORS
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
      </blockquote>
    </section>

    <section>
      <title>Accounting File</title>

      <blockquote>
        <programlisting>#ACTION CHAIN SOURCE DESTINATION PROTO DEST SOURCE USER/
# PORT(S) PORT(S) GROUP
hp:COUNT accounting $EXT_IF $INT_IF:192.168.1.6 UDP
hp:COUNT accounting $INT_IF:192.168.1.6 $EXT_IF UDP
DONE hp

mail:COUNT - $EXT_IF $INT_IF:192.168.1.7 tcp 25
mail:COUNT - $INT_IF:192.168.1.7 $EXT_IF tcp 25
DONE mail

web - $EXT_IF $INT_IF:192.168.1.7 tcp 80
web - $EXT_IF $INT_IF:192.168.1.7 tcp 443
web - $INT_IF:192.168.1.7 $EXT_IF tcp 80
web - $INT_IF:192.168.1.7 $EXT_IF tcp 443

COUNT web $EXT_IF $INT_IF:192.168.1.7
COUNT web $INT_IF:192.168.1.7 $EXT_IF
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
      </blockquote>
    </section>

    <section>
      <title>Rules File (The shell variables are set in
      /etc/shorewall/params)</title>

      <blockquote>
        <programlisting>SECTION NEW
###############################################################################################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
###############################################################################################################################################################################
REJECT:$LOG loc net tcp 25
REJECT:$LOG loc net udp 1025:1031
#
# Stop NETBIOS crap
#
REJECT loc net tcp 137,445
REJECT loc net udp 137:139
#
# Stop my idiotic work laptop from sending to the net with an HP source/dest IP address
#
DROP loc:!192.168.0.0/22 net
DROP Wifi net:15.0.0.0/8
DROP Wifi net:16.0.0.0/8
###############################################################################################################################################################################
# Local Network to Firewall
#
DROP loc:!192.168.0.0/22 fw # Silently drop traffic with an HP source IP from my XP box
Limit:$LOG:SSHA,3,60\
        loc fw tcp 22
ACCEPT loc fw tcp time,631,8080
ACCEPT loc fw udp 161,ntp,631
ACCEPT loc:192.168.1.5 fw udp 111
DROP loc fw tcp 3185 #SuSE Meta pppd
Ping/ACCEPT loc fw
###############################################################################################################################################################################
# Local Network to Wireless
#
Ping/ACCEPT loc Wifi
###############################################################################################################################################################################
# Insecure Wireless to DMZ
#
ACCEPT Wifi dmz udp domain
ACCEPT Wifi dmz tcp domain
###############################################################################################################################################################################
# Insecure Wireless to Internet
#
ACCEPT Wifi net udp 500
ACCEPT Wifi net udp 4500
ACCEPT Wifi:192.168.3.9 net all
Ping/ACCEPT Wifi net
###############################################################################################################################################################################
# Insecure Wireless to Firewall
#
SSH/ACCEPT Wifi fw
###############################################################################################################################################################################
# Road Warriors to Firewall
#
ACCEPT vpn fw tcp ssh,time,631,8080
ACCEPT vpn fw udp 161,ntp,631
Ping/ACCEPT vpn fw
###############################################################################################################################################################################
# Road Warriors to DMZ
#
ACCEPT vpn dmz udp domain
ACCEPT vpn dmz tcp www,smtp,smtps,domain,ssh,imap,https,imaps,ftp,10023,pop3 -
Ping/ACCEPT vpn dmz
###############################################################################################################################################################################
# Local network to DMZ
#
ACCEPT loc dmz udp domain
ACCEPT loc dmz tcp ssh,smtps,www,ftp,imaps,domain,https -
ACCEPT loc dmz tcp smtp
ACCEPT loc dmz udp 33434:33454
###############################################################################################################################################################################
# Internet to ALL -- drop NewNotSyn packets
#
dropNotSyn net fw tcp
dropNotSyn net loc tcp
dropNotSyn net dmz tcp
###############################################################################################################################################################################
# Internet to DMZ
#
ACCEPT net dmz udp domain
LOG:$LOG net:64.126.128.0/18 dmz tcp smtp
ACCEPT net dmz tcp smtps,www,ftp,imaps,domain,https -
ACCEPT net dmz tcp smtp - 206.124.146.177,206.124.146.178
ACCEPT net dmz udp 33434:33454
Mirrors net dmz tcp rsync
Limit:$LOG:SSHA,3,60\
        net dmz tcp 22
Ping/ACCEPT net dmz
###############################################################################################################################################################################
#
# Net to Local
#
##########################################################################################
# Test Server
#
ACCEPT net loc:192.168.1.9 tcp 80
ACCEPT net loc:192.168.1.9 tcp 443
ACCEPT net loc:192.168.1.9 tcp 21
Ping/ACCEPT net loc:192.168.1.9
#
# When I'm "on the road", the following two rules allow me VPN access back home using PPTP.
#
DNAT net loc:192.168.1.4 tcp 1729
DNAT net loc:192.168.1.4 gre
#
# Roadwarrior access to Ursa
#
ACCEPT net:$OMAK loc tcp 22
Limit:$LOG:SSHA,3,60\
        net loc tcp 22
#
# ICQ
#
ACCEPT net loc:192.168.1.5 tcp 113,4000:4100
#
# Bittorrent
#
ACCEPT net loc:192.168.1.5 tcp 6881:6889,6969
ACCEPT net loc:192.168.1.5 udp 6881:6889,6969
#
# Real Audio
#
ACCEPT net loc:192.168.1.5 udp 6970:7170
#
# Overnet
#
#ACCEPT net loc:192.168.1.5 tcp 4662
#ACCEPT net loc:192.168.1.5 udp 12112
#
# OpenVPN
#
ACCEPT net loc:192.168.1.5 udp 1194
#
# Skype
#
ACCEPT net loc:192.168.1.6 tcp 1194
#
# Silently Handle common probes
#
REJECT net loc tcp www,ftp,https
DROP net loc icmp 8
###############################################################################################################################################################################
# DMZ to Internet
#
ACCEPT dmz net udp domain,ntp
ACCEPT dmz net tcp echo,ftp,ssh,smtp,whois,domain,www,81,https,cvspserver,2702,2703,8080
ACCEPT dmz net:$POPSERVERS tcp pop3
Ping/ACCEPT dmz net
#
# Some FTP clients seem prone to sending the PORT command split over two packets. This prevents the FTP connection tracking
# code from processing the command and setting up the proper expectation. The following rule allows active FTP to work in these cases
# but logs the connection so I can keep an eye on this potential security hole.
#
ACCEPT:$LOG dmz net tcp 1024: 20
###############################################################################################################################################################################
# DMZ to Firewall -- ntp &amp; snmp, Silently reject Auth
#
ACCEPT dmz fw udp ntp ntp
ACCEPT dmz fw tcp 161,ssh
ACCEPT dmz fw udp 161
REJECT dmz fw tcp auth
Ping/ACCEPT dmz fw
###############################################################################################################################################################################
# Internet to Firewall
#
REJECT net fw tcp www,ftp,https
DROP net fw icmp 8
ACCEPT net fw udp 33434:33454
ACCEPT net:$OMAK fw udp ntp
ACCEPT net fw tcp auth
ACCEPT net:$OMAK fw tcp 22
Limit:$LOG:SSHA,3,60\
        net fw tcp 22
###############################################################################################################################################################################
# Firewall to Internet
#
ACCEPT fw net:$NTPSERVERS udp ntp ntp
#ACCEPT fw net:$POPSERVERS tcp pop3
ACCEPT fw net udp domain
ACCEPT fw net tcp domain,www,https,ssh,1723,whois,1863,ftp,2702,2703,7
ACCEPT fw net udp 33435:33535
ACCEPT fw net icmp
REJECT:$LOG fw net udp 1025:1031
DROP fw net udp ntp
Ping/ACCEPT fw net
###############################################################################################################################################################################
# Firewall to DMZ
#
ACCEPT fw dmz tcp domain,www,ftp,ssh,smtp,993,465
ACCEPT fw dmz udp domain
REJECT fw dmz udp 137:139
Ping/ACCEPT fw dmz
###############################################################################################################################################################################
# Firewall to Insecure Wireless
#
Ping/ACCEPT fw Wifi
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
</programlisting>
      </blockquote>
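
      <para>The following Python script is an added example (not from this page
      and not a Shorewall tool). It parses a rules file in the format above,
      including the SECTION marker, "#" comments, macros such as Ping/ACCEPT, the
      log level and parameters attached to an action, and the trailing
      backslash that continues a Limit entry on the next line, and then
      inventories what the net zone is allowed to reach. The sample input is a
      constructed subset of the rules above; $LOG is taken as "info" from the
      params file and $OMAK, which the params file leaves unspecified, is given
      the constructed placeholder 203.0.113.1. Limit is counted as an allowing
      action because the page uses it in place of ACCEPT for ssh (assumption:
      connections below its rate threshold are accepted).</para>

      <programlisting><![CDATA[
```python
"""Inventory what the Internet ('net' zone) may reach, from a Shorewall rules file.

Added example, not Shorewall code. Parses the file format shown above and
reports allowing rules whose SOURCE zone is net, flagging those that expose a
whole zone to any Internet host.
"""
from collections import namedtuple
from string import Template

Rule = namedtuple("Rule", "section action source dest proto dport")

# $LOG from the params file above; $OMAK is a constructed placeholder (RFC 5737).
PARAMS = {"LOG": "info", "OMAK": "203.0.113.1"}

# Constructed subset of the rules file above, keeping the lines that are
# awkward to parse (SECTION, continuation lines, macros, trailing comments).
RULES_FILE = """\
SECTION NEW
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
dropNotSyn net fw tcp
ACCEPT net dmz udp domain
LOG:$LOG net:64.126.128.0/18 dmz tcp smtp
ACCEPT net dmz tcp smtps,www,ftp,imaps,domain,https -
ACCEPT net dmz tcp smtp - 206.124.146.177,206.124.146.178
Limit:$LOG:SSHA,3,60\\
        net dmz tcp 22
Ping/ACCEPT net dmz
ACCEPT net loc:192.168.1.9 tcp 80
DNAT net loc:192.168.1.4 tcp 1729
DNAT net loc:192.168.1.4 gre
ACCEPT net:$OMAK loc tcp 22
Limit:$LOG:SSHA,3,60\\
        net loc tcp 22
ACCEPT net loc:192.168.1.5 udp 1194
REJECT net loc tcp www,ftp,https
DROP net loc icmp 8 # Silently handle common probes
ACCEPT net:$OMAK fw tcp 22
ACCEPT loc dmz udp domain
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
"""

# Actions that let a connection through. Limit is included on the assumption
# that connections below its rate threshold are accepted (the page uses it for ssh).
ALLOWING = {"ACCEPT", "DNAT", "Limit"}


def parse_rules(text, params):
    """Rule tuples for each entry: handles $VARIABLES, '#' comments, a trailing
    backslash continuing an entry on the next line, and SECTION markers."""
    rules, pending, section = [], "", None
    for raw in text.splitlines():
        line = Template(raw).safe_substitute(params).split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        cols = (pending + line).split()
        pending = ""
        if cols[0] == "SECTION":
            section = cols[1]
            continue
        cols += ["-"] * (5 - len(cols))   # absent trailing columns mean "any"
        rules.append(Rule(section, *cols[:5]))
    return rules


def base_action(action):
    """'Ping/ACCEPT' -> 'ACCEPT'; 'Limit:info:SSHA,3,60' -> 'Limit'; 'LOG:info' -> 'LOG'."""
    return action.split("/")[-1].split(":")[0]


def zone(spec):
    """'loc:192.168.1.9' -> 'loc'."""
    return spec.split(":")[0]


def restricted(spec):
    """True when the zone spec names particular hosts rather than the whole zone."""
    return ":" in spec


def internet_exposure(rules):
    """Allowing rules whose source zone is net."""
    return [r for r in rules if zone(r.source) == "net" and base_action(r.action) in ALLOWING]


def wide_open(rules):
    """Allowing rules from any Internet host to a whole zone (no host on either side)."""
    return [r for r in internet_exposure(rules)
            if not restricted(r.source) and not restricted(r.dest)]


def report(rules):
    """One text line per allowing rule, whole-zone exposures flagged."""
    wide = set(wide_open(rules))
    lines = []
    for r in sorted(internet_exposure(rules), key=lambda r: (r.dest, r.proto, r.dport)):
        flag = "  WHOLE-ZONE" if r in wide else ""
        lines.append(f"{r.dest:18} {r.proto:5} {r.dport:36} from {r.source:18} via {r.action}{flag}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(parse_rules(RULES_FILE, PARAMS))))
```
]]></programlisting>

      <para>On the sample input the report flags six whole-zone exposures: the
      five DMZ entries (DNS, the web/mail/ftp ports, smtp, rate-limited ssh and
      ping) and the rate-limited ssh entry to the whole loc zone. The per-host
      entries for 192.168.1.4, 192.168.1.5 and 192.168.1.9 and the entries
      restricted to $OMAK are listed but not flagged. Pointing the script at a
      real /etc/shorewall/rules after a change is a quick way to confirm that
      nothing reachable from the Internet was widened by accident.</para>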
    </section>

    <section>
      <title>/etc/shorewall/tcdevices</title>

      <blockquote>
        <programlisting>#INTERFACE IN-BANDWIDTH OUT-BANDWIDTH
$EXT_IF 1.5mbit 384kbit
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
      </blockquote>
    </section>

    <section>
      <title>/etc/shorewall/tcclasses</title>

      <blockquote>
        <para>My traffic shaping configuration is basically the "WonderShaper"
        <ulink
        url="http://www1.shorewall.net/pub/shorewall/Samples/tc4shorewall">example
        from tc4shorewall</ulink> with a little tweaking.</para>

        <programlisting>#INTERFACE MARK RATE CEIL PRIORITY OPTIONS
$EXT_IF 10 full full 1 tcp-ack,tos-minimize-delay
$EXT_IF 20 9*full/10 9*full/10 2 default
$EXT_IF 30 6*full/10 6*full/10 3
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
      </blockquote>
    </section>

    <section>
      <title>/etc/shorewall/tcrules</title>

      <blockquote>
        <para>I give full bandwidth to my local systems -- the server gets
        throttled and rsync gets throttled even more.</para>

        <note>
          <para>The class id for tc4shorewall-generated classes is
          &lt;<emphasis>device number</emphasis>&gt;:&lt;<emphasis>100 + mark
          value</emphasis>&gt; where the first device in
          <filename>/etc/shorewall/tcdevices</filename> is device number 1,
          the second is device number 2 and so on. The rules below use
          the Netfilter CLASSIFY target to classify the traffic directly
          without having to first mark it and then classify based on the
          marks.</para>
        </note>

        <programlisting>#MARK SOURCE DEST PROTO PORT(S) CLIENT USER TEST
# PORT(S)
1:110 192.168.0.0/22 $EXT_IF
1:130 206.124.146.177 $EXT_IF tcp - 873 #Rsync to the Mirrors
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>

        <para>Here is the output of <command>shorewall show tc</command> while
        the Shorewall mirrors were receiving updates via rsync and the link
        was otherwise idle. Note the rate limiting imposed by the 1:130
        class.</para>

        <programlisting>Shorewall-3.0.0-RC2 Traffic Control at gateway - Sat Oct 22 09:11:26 PDT 2005

...

Device eth2:
qdisc htb 1: r2q 10 default 120 direct_packets_stat 2 ver 3.17
Sent 205450106 bytes 644093 pkts (dropped 0, overlimits 104779)
backlog 20p
qdisc ingress ffff: ----------------
Sent 160811382 bytes 498294 pkts (dropped 37, overlimits 0)
qdisc sfq 110: parent 1:110 limit 128p quantum 1514b flows 128/1024 perturb 10sec
Sent 81718034 bytes 417516 pkts (dropped 0, overlimits 0)
qdisc sfq 120: parent 1:120 limit 128p quantum 1514b flows 128/1024 perturb 10sec
Sent 61224535 bytes 177773 pkts (dropped 0, overlimits 0)
qdisc sfq 130: parent 1:130 limit 128p quantum 1514b flows 128/1024 perturb 10sec
Sent 62507157 bytes 48802 pkts (dropped 0, overlimits 0)
backlog 20p
class htb 1:110 parent 1:1 leaf 110: prio 1 quantum 4915 rate 384000bit ceil 384000bit burst 1791b/8 mpu 0b overhead 0b cburst 1791b/8 mpu 0b overhead 0b level 0
Sent 81718034 bytes 417516 pkts (dropped 0, overlimits 0)
rate 424bit
lended: 417516 borrowed: 0 giants: 0
tokens: 36864 ctokens: 36864

class htb 1:1 root rate 384000bit ceil 384000bit burst 1791b/8 mpu 0b overhead 0b cburst 1791b/8 mpu 0b overhead 0b level 7
Sent 205422474 bytes 644073 pkts (dropped 0, overlimits 0)
rate 231568bit 19pps
lended: 0 borrowed: 0 giants: 0
tokens: -26280 ctokens: -26280

class htb 1:130 parent 1:1 leaf 130: prio 3 quantum 2944 rate 230000bit ceil 230000bit burst 1714b/8 mpu 0b overhead 0b cburst 1714b/8 mpu 0b overhead 0b level 0
Sent 62507157 bytes 48802 pkts (dropped 0, overlimits 0)
<emphasis role="bold">rate 230848bit 19pps backlog 18p</emphasis>
lended: 48784 borrowed: 0 giants: 0
tokens: -106401 ctokens: -106401

class htb 1:120 parent 1:1 leaf 120: prio 2 quantum 4416 rate 345000bit ceil 345000bit burst 1771b/8 mpu 0b overhead 0b cburst 1771b/8 mpu 0b overhead 0b level 0
Sent 61224535 bytes 177773 pkts (dropped 0, overlimits 0)
rate 1000bit
lended: 177773 borrowed: 0 giants: 0
tokens: 41126 ctokens: 41126

...</programlisting>
      </blockquote>
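
      <para>The following Python script is an added example; it is neither
      tc4shorewall nor Shorewall code. It applies the rule from the note above
      (class id = device number : 100 + MARK, devices numbered from 1 in
      tcdevices order), evaluates the RATE and CEIL expressions with
      <literal>full</literal> bound to the device's OUT-BANDWIDTH (the root
      class in the listing above runs at 384000bit, which is that figure), and
      checks that every class named in the MARK column of tcrules is actually
      defined. The entries are those shown above plus one constructed tcrules
      line (1:140) that refers to a class nobody defined.</para>

      <programlisting><![CDATA[
```python
"""Derive tc class ids and rates from tcdevices/tcclasses, and check tcrules against them.

Added example (not tc4shorewall or Shorewall code). Class id = <device number>:<100 + MARK>
as the note above states; 'full' in a RATE/CEIL expression is the device's OUT-BANDWIDTH.
"""
import ast
import operator
from string import Template

PARAMS = {"EXT_IF": "eth2"}   # from the params file above

# Entries copied from the tcdevices and tcclasses sections above.
TCDEVICES = """\
#INTERFACE IN-BANDWIDTH OUT-BANDWIDTH
$EXT_IF 1.5mbit 384kbit
"""
TCCLASSES = """\
#INTERFACE MARK RATE CEIL PRIORITY OPTIONS
$EXT_IF 10 full full 1 tcp-ack,tos-minimize-delay
$EXT_IF 20 9*full/10 9*full/10 2 default
$EXT_IF 30 6*full/10 6*full/10 3
"""
# The page's two tcrules entries plus one constructed bad entry (1:140).
TCRULES = """\
#MARK SOURCE DEST PROTO PORT(S) CLIENT USER TEST
1:110 192.168.0.0/22 $EXT_IF
1:130 206.124.146.177 $EXT_IF tcp - 873 #Rsync to the Mirrors
1:140 192.168.1.9 $EXT_IF
"""

UNITS = {"mbit": 1_000_000, "kbit": 1_000, "bit": 1}   # tc's decimal prefixes, longest first
OPS = {ast.Mult: operator.mul, ast.Div: operator.truediv,
       ast.Add: operator.add, ast.Sub: operator.sub}


def fields(text, params):
    """Columns of each non-comment line, with $VARIABLES filled in from params."""
    for raw in text.splitlines():
        line = Template(raw).safe_substitute(params).split("#", 1)[0].strip()
        if line:
            yield line.split()


def to_bits(rate):
    """'384kbit' -> 384000, '1.5mbit' -> 1500000."""
    for suffix, factor in UNITS.items():
        if rate.endswith(suffix):
            return int(float(rate[: -len(suffix)]) * factor)
    raise ValueError(f"unknown rate unit in {rate!r}")


def eval_rate(expr, full):
    """Evaluate '9*full/10' and the like with 'full' bound to the device bandwidth.
    Walks the expression's AST and accepts only numbers, 'full' and + - * /, so
    no eval() of configuration text is involved. Plain rates like '100kbit' also work."""
    if expr.endswith("bit"):
        return to_bits(expr)

    def walk(node):
        if isinstance(node, ast.BinOp) and type(node.op) in OPS:
            return OPS[type(node.op)](walk(node.left), walk(node.right))
        if isinstance(node, ast.Constant) and isinstance(node.value, (int, float)):
            return node.value
        if isinstance(node, ast.Name) and node.id == "full":
            return full
        raise ValueError(f"unsupported rate expression: {expr!r}")

    return int(walk(ast.parse(expr, mode="eval").body))


def tc_classes(tcdevices, tcclasses, params):
    """{class_id: (rate_bits, ceil_bits, priority)}; devices numbered from 1 in file order."""
    devices = {}
    for number, (iface, _in_bw, out_bw, *_) in enumerate(fields(tcdevices, params), start=1):
        devices[iface] = (number, to_bits(out_bw))
    classes = {}
    for iface, mark, rate, ceil, prio, *_ in fields(tcclasses, params):
        number, full = devices[iface]
        classes[f"{number}:{100 + int(mark)}"] = (eval_rate(rate, full), eval_rate(ceil, full), int(prio))
    return classes


def undefined_classes(tcrules, classes, params):
    """Class ids in the MARK column of tcrules that no tcclasses entry defines."""
    return [cols[0] for cols in fields(tcrules, params) if cols[0] not in classes]


if __name__ == "__main__":
    classes = tc_classes(TCDEVICES, TCCLASSES, PARAMS)
    for class_id, (rate, ceil, prio) in classes.items():
        print(f"class {class_id}: rate {rate}bit ceil {ceil}bit prio {prio}")
    print("tcrules entries naming undefined classes:", undefined_classes(TCRULES, classes, PARAMS))
```
]]></programlisting>

      <para>The script yields 1:110 at 384000bit, 1:120 at 345600bit and 1:130
      at 230400bit; the listing above reports 345000bit and 230000bit for the
      last two, so the tc commands that were generated did not use the exact
      results of the expressions. A CLASSIFY entry in tcrules that names a class
      which does not exist (the constructed 1:140 here) is exactly the kind of
      mistake this check surfaces before a restart leaves that traffic in the
      default class.</para>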
    </section>

    <section>
      <title>/etc/openvpn/server.conf</title>

      <para>Only the tunnel-mode OpenVPN configuration is described here --
      the bridge is described in the <ulink url="OPENVPN.html">OpenVPN
      documentation</ulink>.</para>

      <blockquote>
        <programlisting>dev tun

local 206.124.146.176

server 192.168.2.0 255.255.255.0

dh dh1024.pem

ca /etc/certs/cacert.pem

crl-verify /etc/certs/crl.pem

cert /etc/certs/gateway.pem
key /etc/certs/gateway_key.pem

port 1194

comp-lzo

user nobody
group nogroup

keepalive 15 45
ping-timer-rem
persist-tun
persist-key

client-config-dir /etc/openvpn/clients
ccd-exclusive
client-to-client

verb 3</programlisting>
      </blockquote>
    </section>
  </section>

  <section>
    <title>Tipper and Eastepnc6000 Configuration in the Wireless
    Network</title>

    <para>Please find this information in the <ulink
    url="OPENVPN.html#Bridge">OpenVPN bridge mode</ulink>
    documentation.</para>
  </section>

  <section>
    <title>Tipper Configuration while on the Road</title>

    <para>This laptop is either configured on our wireless network
    (192.168.3.8) or as a standalone system on the road.</para>

    <para><emphasis>Tipper</emphasis>'s view of the world is shown in the
    following diagram:</para>

    <graphic align="center" fileref="images/network2.png" valign="middle" />

    <section>
      <title>zones</title>

      <blockquote>
        <programlisting>#ZONE DISPLAY COMMENTS
home Home Shorewall Network
net Net Internet
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
</programlisting>
      </blockquote>
    </section>

    <section>
      <title>policy</title>

      <blockquote>
        <programlisting>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
$FW net ACCEPT
$FW home ACCEPT
home $FW ACCEPT
net home NONE
home net NONE
net all DROP info
# The FOLLOWING POLICY MUST BE LAST
all all REJECT info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
      </blockquote>
    </section>

    <section>
      <title>interfaces</title>

      <blockquote>
        <programlisting>#ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect dhcp,tcpflags
home tun0 -
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
      </blockquote>
    </section>

    <section>
      <title>rules</title>

      <blockquote>
        <programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
ACCEPT net $FW icmp 8
ACCEPT net $FW tcp 22
ACCEPT net $FW tcp 4000:4100
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
      </blockquote>
    </section>

    <section>
      <title>/etc/openvpn/home.conf</title>

      <blockquote>
        <programlisting>dev tun
remote gateway.shorewall.net
up /etc/openvpn/home.up

tls-client
pull

ca /etc/certs/cacert.pem

cert /etc/certs/tipper.pem
key /etc/certs/tipper_key.pem

port 1194

user nobody
group nogroup

comp-lzo

ping 15
ping-restart 45
ping-timer-rem
persist-tun
persist-key

verb 3</programlisting>
      </blockquote>
    </section>

    <section>
      <title>/etc/openvpn/home.up</title>

      <blockquote>
        <programlisting>#!/bin/bash
# OpenVPN runs this script with the tunnel parameters as positional arguments;
# $5 is the remote (server-side) address of the tunnel, so routes via $5 go through the VPN.

ip route add 192.168.1.0/24 via $5     #Access to Home Network
ip route add 206.124.146.177/32 via $5 #So that DNS names will resolve in my
                                       #Internal Bind 9 view because the source IP will
                                       #be in 192.168.2.0/24</programlisting>
      </blockquote>
    </section>
  </section>
</article>