shorewall_code/Shorewall-docs2/myfiles.xml
teastep f6452d6282 Update my config
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2943 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2005-11-01 17:12:03 +00:00

947 lines
38 KiB
XML

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<article>
<!--$Id$-->
<articleinfo>
<title>About My Network</title>
<authorgroup>
<author>
<firstname>Tom</firstname>
<surname>Eastep</surname>
</author>
</authorgroup>
<pubdate>2005-11-01</pubdate>
<copyright>
<year>2001-2005</year>
<holder>Thomas M. Eastep</holder>
</copyright>
<legalnotice>
<para>Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
License</ulink></quote>.</para>
</legalnotice>
</articleinfo>
<section>
<title>My Current Network</title>
<caution>
<para>I use a combination of One-to-one NAT and Proxy ARP, neither of
which are relevant to a simple configuration with a single public IP
address. If you have just a single public IP address, most of what you
see here won't apply to your setup so beware of copying parts of this
configuration and expecting them to work for you. What you copy may or
may not work in your environment.</para>
</caution>
<caution>
<para>The configuration shown here corresponds to Shorewall version
3.0.0. My configuration uses features not available in earlier Shorewall
releases.</para>
</caution>
<para>I have DSL service with 5 static IP addresses (206.124.146.176-180).
My DSL <quote>modem</quote> (<ulink
url="http://www.westell.com/pages/index.jsp">Westell</ulink> 2200) is
connected to eth2 and has IP address 192.168.1.1 (factory default). The
modem is configured in <quote>bridge</quote> mode so PPPoE is not
involved. I have a local network connected to eth3 which is bridged to
interface tun0 via bridge br0 (subnet 192.168.1.0/24), a wireless network
(192.168.3.0/24) connected to eth0, and a DMZ connected to eth1
(206.124.146.176/32). Note that I configure the same IP address on both
<filename class="devicefile">eth1</filename> and <filename
class="devicefile">eth2</filename>.</para>
<para>In this configuration:</para>
<itemizedlist>
<listitem>
<para>I use one-to-one NAT for <emphasis>"Ursa"</emphasis> (my
personal system that run SuSE 10.0) - Internal address 192.168.1.5 and
external address 206.124.146.178.</para>
</listitem>
<listitem>
<para>I use one-to-one NAT for <emphasis>"Eastepnc6000</emphasis>" (My
work system -- Windows XP SP1/SuSE 10.0). Internal address 192.168.1.6
and external address 206.124.146.180.</para>
</listitem>
<listitem>
<para>I use SNAT through 206.124.146.179 for&nbsp;my Wife's Windows XP
system <quote><emphasis>Tarry</emphasis></quote>, my <firstterm>crash
and burn</firstterm> system "<emphasis>Wookie</emphasis>", our SuSE
10.0 laptop <quote><emphasis>Tipper</emphasis></quote> which connects
through the Wireless Access Point (wap) via a Wireless Bridge (wet),
and my work laptop (<emphasis>eastepnc6000</emphasis>) when it is not
docked in my office.<note>
<para>While the distance between the WAP and where I usually use
the laptop isn't very far (50 feet or so), using a WAC11 (CardBus
wireless card) has proved very unsatisfactory (lots of lost
connections). By replacing the WAC11 with the WET11 wireless
bridge, I have virtually eliminated these problems (Being an old
radio tinkerer (K7JPV), I was also able to eliminate the
disconnects by hanging a piece of aluminum foil on the family room
wall. Needless to say, my wife Tarry rejected that as a permanent
solution :-).</para>
</note></para>
</listitem>
</itemizedlist>
<itemizedlist>
<listitem>
<para>Squid runs on the DMZ server and is configured as a transparent
proxy.</para>
</listitem>
</itemizedlist>
<para>The firewall runs on a P-II/233 with Debian Sarge (testing).</para>
<para><emphasis>Ursa</emphasis> runs Samba for file sharing with the
Windows systems and is configured as a Wins server.</para>
<para>The wireless network connects to the firewall's eth0 via a LinkSys
WAP11.&nbsp; In additional to using the rather weak WEP 40-bit encryption
(64-bit with the 24-bit preamble), I use <ulink
url="MAC_Validation.html">MAC verification</ulink> and <ulink
url="OPENVPN.html#Bridge">OpenVPN in bridge mode</ulink>.</para>
<para>The single system in the DMZ (address 206.124.146.177) runs <ulink
url="http://www.postfix.org">Postfix</ulink>, <ulink
url="http://www.courier-mta.org/imap/">Courier IMAP</ulink> (imap and
imaps), <ulink url="http://www.isc.org/sw/bind/">DNS (Bind 9)</ulink>, a
<ulink url="http://www.apache.org">Web server (Apache)</ulink> and an
<ulink url="http://www.pureftpd.org/">FTP server (Pure-ftpd)</ulink> under
<ulink url="http://fedora.redhat.com/">Fedora Core 4</ulink>. The system
also runs <ulink
url="http://www.catb.org/~esr/fetchmail/">fetchmail</ulink> to fetch our
email from our old and current ISPs. That server is accessible from the
Internet through <ulink url="ProxyARP.htm">Proxy ARP</ulink>.</para>
<para>The firewall system itself runs a <ulink
url="http://www.isc.org/sw/dhcp/">DHCP server</ulink> that serves the
local and wireless networks.</para>
<para>All administration and publishing is done using ssh/scp. I have a
desktop environment installed on the firewall but I usually don't start
it. X applications tunnel through SSH to <emphasis>Ursa</emphasis> or one
of the laptops. The server also has a desktop environment installed but it
is seldom started either. For the most part, X tunneled through SSH is
used for server administration and the server runs at run level 3
(multi-user console mode on Fedora).</para>
<para>The ethernet interface in the Server is configured with IP address
206.124.146.177, netmask 255.255.255.0. The server's default gateway is
206.124.146.254 (Router at my ISP. This is the same default gateway used
by the firewall itself). On the firewall, an entry in my
/etc/network/interfaces file (see below) adds a host route to
206.124.146.177 through eth1 when that interface is brought up.</para>
<para>In addition to the OpenVPN bridge, the firewall hosts an OpenVPN
Tunnel server for VPN access from our second home in <ulink
url="http://www.omakchamber.com/">Omak, Washington</ulink> or when we are
otherwise out of town.</para>
<para><graphic align="center" fileref="images/network.png" /><note>
<para><emphasis>Eastepnc6000</emphasis> is shown in both the local LAN
and in the Wifi zone with IP address 192.168.1.6 -- clearly, the
computer can only be in one place or the other.
<emphasis>Tipper</emphasis> can also be in either place and will have
the IP address 192.168.1.8 regardless.</para>
</note></para>
</section>
<section>
<title>Firewall Configuration</title>
<section>
<title>Shorewall.conf</title>
<blockquote>
<programlisting>STARTUP_ENABLED=Yes
LOGFILE=/var/log/messages
LOGFORMAT="Shorewall:%s:%s:"
LOGTAGONLY=No
LOGRATE=
LOGBURST=
LOGALLNEW=
BLACKLIST_LOGLEVEL=
MACLIST_LOG_LEVEL=$LOG
TCP_FLAGS_LOG_LEVEL=$LOG
RFC1918_LOG_LEVEL=$LOG
SMURF_LOG_LEVEL=$LOG
LOG_MARTIANS=No
IPTABLES=
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
SHOREWALL_SHELL=/bin/dash
SUBSYSLOCK=
MODULESDIR=
CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
RESTOREFILE=standard
IPSECFILE=zones
FW=
IP_FORWARDING=On
ADD_IP_ALIASES=Yes
ADD_SNAT_ALIASES=Yes
RETAIN_ALIASES=Yes
TC_ENABLED=Internal
CLEAR_TC=Yes
MARK_IN_FORWARD_CHAIN=Yes
CLAMPMSS=Yes
ROUTE_FILTER=No
DETECT_DNAT_IPADDRS=Yes
MUTEX_TIMEOUT=60
ADMINISABSENTMINDED=Yes
BLACKLISTNEWONLY=Yes
DELAYBLACKLISTLOAD=No
MODULE_SUFFIX=
DISABLE_IPV6=Yes
BRIDGING=No
DYNAMIC_ZONES=No
PKTTYPE=No
RFC1918_STRICT=Yes
MACLIST_TTL=60
SAVE_IPSETS=Yes
MAPOLDACTIONS=No
FASTACCEPT=No
BLACKLIST_DISPOSITION=DROP
MACLIST_TABLE=mangle
MACLIST_DISPOSITION=DROP
TCP_FLAGS_DISPOSITION=DROP</programlisting>
</blockquote>
</section>
<section>
<title>Params File (Edited)</title>
<blockquote>
<para><programlisting>NTPSERVERS=&lt;list of NTP server IP addresses&gt;
POPSERVERS=&lt;list of external POP3 servers accessed by fetchmail running on the DMZ server&gt;
LOG=info
WIFI_IF=eth0
EXT_IF=eth2
INT_IF=br0
DMZ_IF=eth1
OMAK=&lt;ip address of the gateway at our second home&gt;</programlisting></para>
</blockquote>
</section>
<section>
<title>Zones File</title>
<blockquote>
<programlisting>#ZONE TYPE OPTTIONS IN OUT
# OPTIONS OPTIONS
fw firewall
net ipv4
dmz ipv4
loc ipv4
vpn ipv4
Wifi ipv4
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
</blockquote>
</section>
<section>
<title>Interfaces File</title>
<blockquote>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
net $EXT_IF 206.124.146.255 dhcp,norfc1918,logmartians,blacklist,tcpflags,nosmurfs
loc $INT_IF detect dhcp,routeback
dmz $DMZ_IF -
vpn tun+ -
Wifi $WIFI_IF - dhcp,maclist
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
</blockquote>
</section>
<section>
<title>Routestopped File</title>
<blockquote>
<programlisting>#INTERFACE HOST(S) OPTIONS
$DMZ_IF 206.124.146.177 source
$INT_IF - source,dest
$WIFI_IF - source,dest
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
</blockquote>
</section>
<section>
<title>Providers File</title>
<blockquote>
<para>This entry isn't necessary but it allows me to smoke test
parsing of the providers file.</para>
<programlisting>#NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY
Blarg 1 1 main $EXT_IF 206.124.146.254 track,balance=1 $INT_IF,$DMZ_IF,$WIFI_IF,tun0
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
</programlisting>
</blockquote>
</section>
<section>
<title>Blacklist File</title>
<blockquote>
<para>I use <ulink url="ipsets.html">ipsets</ulink> to represent my
blacklist.</para>
<programlisting>#ADDRESS/SUBNET PROTOCOL PORT
+Blacklistports[dst]
+Blacklistnets[src,dst]
+Blacklist[src,dst]
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
</blockquote>
</section>
<section>
<title>RFC1918 File</title>
<blockquote>
<para>Because my DSL modem has an RFC 1918 address (192.168.1.1) and
is connected to eth0, I need to make an exception for that address in
my rfc1918 file. I copied /usr/share/shorewall/rfc1918 to
/etc/shorewall/rfc1918 and changed it as follows:</para>
<programlisting>#SUBNET TARGET
<emphasis role="bold">192.168.1.1 RETURN</emphasis>
172.16.0.0/12 logdrop # RFC 1918
192.168.0.0/16 logdrop # RFC 1918
10.0.0.0/8 logdrop # RFC 1918
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
</programlisting>
</blockquote>
</section>
<section>
<title>Policy File</title>
<blockquote>
<programlisting>#SOURCE DESTINATION POLICY LOG LEVEL BURST:LIMIT
$FW $FW ACCEPT
loc net ACCEPT
$FW vpn ACCEPT
vpn net ACCEPT
vpn loc ACCEPT
fw Wifi ACCEPT
loc vpn ACCEPT
$FW loc ACCEPT #Firewall to Local
loc $FW REJECT $LOG
net all DROP $LOG 10/sec:40
all all REJECT $LOG
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
</blockquote>
</section>
<section>
<title>Masq File</title>
<blockquote>
<para>Although most of our internal systems use one-to-one NAT, my
wife's system (192.168.1.4) uses IP Masquerading (actually SNAT) as do
our wireless network systems and visitors with laptops.</para>
<para>The first entry allows access to the DSL modem and uses features
introduced in Shorewall 2.1.1. The leading plus sign ("+_") causes the
rule to be placed before rules generated by the /etc/shorewall/nat
file below. The double colons ("::") cause the entry to be exempt from
ADD_SNAT_ALIASES=Yes in my shorewall.conf file above.</para>
<programlisting>#INTERFACE SUBNET ADDRESS PROTO PORT
+$EXT_IF::192.168.1.1 0.0.0.0/0 192.168.1.254
$EXT_IF:2 192.168.0.0/22 206.124.146.179
$DMZ_IF:: 206.124.146.176 192.168.1.254 tcp 80
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
</blockquote>
</section>
<section>
<title>NAT File</title>
<blockquote>
<programlisting>#EXTERNAL INTERFACE INTERNAL ALL INTERFACES LOCAL
206.124.146.178 $EXT_IF:0 192.168.1.5 No No
206.124.146.180 $EXT_IF:1 192.168.1.6 No No
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
</blockquote>
</section>
<section id="ProxyARP">
<title>Proxy ARP File</title>
<blockquote>
<para>I configure the host route to 206.124.146.177 on <filename
class="devicefile">eth1</filename> in <link
linkend="debian_interfaces">/etc/network/interfaces</link>.</para>
<programlisting>#ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT
206.124.146.177 $DMZ_IF $EXT_IF yes
192.168.1.1 $EXT_IF $INT_IF yes # Allow access to DSL modem from the local zone
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
</blockquote>
</section>
<section>
<title>Tunnels</title>
<blockquote>
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE PORT
openvpnserver:1194 net 0.0.0.0/0
openvpnserver:1194 Wifi 192.168.3.0/24
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
</blockquote>
</section>
<section id="Actions">
<title>Actions File</title>
<blockquote>
<programlisting>#ACTION
Mirrors #Accept traffic from the Shorewall Mirror sites
SSHKnock #Port Knocking
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
</blockquote>
</section>
<section>
<title>action.Mirrors File</title>
<blockquote>
<para>The <emphasis>Mirrors</emphasis> and
<emphasis>Mirrornets</emphasis> <ulink
url="ipsets.html">ipsets</ulink> define the set of Shorewall
mirrors.</para>
<programlisting>#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
# PORT PORT(S) DEST LIMIT
ACCEPT +Mirrors
ACCEPT +Mirrornets
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
</blockquote>
</section>
<section>
<title>Rules File (The shell variables are set in
/etc/shorewall/params)</title>
<blockquote>
<programlisting>###############################################################################################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
###############################################################################################################################################################################
SECTION NEW
REJECT:$LOG loc net tcp 25
REJECT:$LOG loc net udp 1025:1031
#
# Stop NETBIOS crap
#
REJECT loc net tcp 137,445
REJECT loc net udp 137:139
#
# Stop my idiotic work laptop from sending to the net with an HP source/dest IP address
#
DROP loc:!192.168.0.0/22 net
DROP Wifi net:15.0.0.0/8
DROP Wifi net:16.0.0.0/8
###############################################################################################################################################################################
# Local Network to Firewall
#
DROP loc:!192.168.0.0/22 fw # Silently drop traffic with an HP source IP from my XP box
ACCEPT loc fw tcp ssh,time,631,8080
ACCEPT loc fw udp 161,ntp,631
DROP loc fw tcp 3185 #SuSE Meta pppd
Ping/ACCEPT loc fw
###############################################################################################################################################################################
# Roadwarriors to Firewall
#
ACCEPT vpn fw tcp ssh,time,631,8080
ACCEPT vpn fw udp 161,ntp,631
Ping/ACCEPT vpn fw
###############################################################################################################################################################################
# Local Network to DMZ
#
DNAT- loc dmz:206.124.146.177:3128 \
tcp www - !206.124.146.177,192.168.1.1
DROP loc:!192.168.0.0/22 dmz
ACCEPT loc dmz udp domain,xdmcp
ACCEPT loc dmz tcp www,smtp,smtps,domain,ssh,imap,https,imaps,ftp,10023,pop3,3128 -
Ping/ACCEPT loc dmz
###############################################################################################################################################################################
# Insecure Wireless to DMZ
#
ACCEPT Wifi dmz udp domain
ACCEPT Wifi dmz tcp domain
###############################################################################################################################################################################
# Insecure Wireless to Internet
#
ACCEPT Wifi net udp 500
ACCEPT Wifi net udp 4500
Ping/ACCEPT Wifi net
###############################################################################################################################################################################
# Road Warriors to DMZ
#
ACCEPT vpn dmz udp domain
ACCEPT vpn dmz tcp www,smtp,smtps,domain,ssh,imap,https,imaps,ftp,10023,pop3 -
Ping/ACCEPT vpn dmz
###############################################################################################################################################################################
# Internet to ALL -- drop NewNotSyn packets
#
dropNotSyn net fw tcp
dropNotSyn net loc tcp
dropNotSyn net dmz tcp
###############################################################################################################################################################################
# Internet to DMZ
#
ACCEPT net dmz udp domain
ACCEPT net dmz tcp smtps,www,ftp,imaps,domain,https -
ACCEPT net dmz tcp smtp - 206.124.146.177,206.124.146.178
ACCEPT net dmz udp 33434:33454
Mirrors net dmz tcp rsync
ACCEPT net dmz tcp 22
Ping/ACCEPT net dmz
###############################################################################################################################################################################
#
# Net to Local
#
# When I'm "on the road", the following two rules allow me VPN access back home using PPTP.
#
DNAT net loc:192.168.1.4 tcp 1729
DNAT net loc:192.168.1.4 gre
ACCEPT net:$OMAK loc:192.168.1.5 tcp 22
#
# Auth for IRC
#
ACCEPT net loc:192.168.1.5 tcp 113
#
# Real Audio
#
ACCEPT net loc:192.168.1.5 udp 6970:7170
#
# Overnet
#
#ACCEPT net loc:192.168.1.5 tcp 4662
#ACCEPT net loc:192.168.1.5 udp 12112
#
# OpenVPN
#
ACCEPT net loc:192.168.1.5 udp 1194
#
# Silently Handle common probes
#
REJECT net loc tcp www,ftp,https
DROP net loc icmp 8
###############################################################################################################################################################################
# DMZ to Internet
#
ACCEPT dmz net udp domain,ntp
ACCEPT dmz net tcp smtp,domain,www,81,https,whois,echo,2702,21,2703,ssh,8080,cvspserver
REJECT:$LOG dmz net udp 1025:1031
ACCEPT dmz net:$POPSERVERS tcp pop3
#
#
# OpenVPN
#
ACCEPT net loc:192.168.1.5 udp 1194
#
# Silently Handle common probes
#
REJECT net loc tcp www,ftp,https
DROP net loc icmp 8
###############################################################################################################################################################################
# DMZ to Firewall -- ntp &amp; snmp, Silently reject Auth
#
ACCEPT dmz fw udp ntp ntp
ACCEPT dmz fw tcp 161,ssh
ACCEPT dmz fw udp 161
REJECT dmz fw tcp auth
Ping/ACCEPT dmz fw
###############################################################################################################################################################################
# DMZ to Local Network
#
ACCEPT dmz loc tcp smtp,6001:6010
ACCEPT dmz:206.124.146.177 loc:192.168.1.5,192.168.1.3 \
tcp 111
ACCEPT dmz:206.124.146.177 loc:192.168.1.5,192.168.1.3 \
udp
Ping/ACCEPT dmz loc
###############################################################################################################################################################################
# Internet to Firewall
#
REJECT net fw tcp www,ftp,https
DROP net fw icmp 8
ACCEPT net fw udp 33434:33454
ACCEPT net:$OMAK fw udp ntp
ACCEPT net fw tcp auth
SSHKnock:info net fw tcp 22,4320,4321,4322
###############################################################################################################################################################################
# Firewall to Internet
#
ACCEPT fw net:$NTPSERVERS udp ntp ntp
#ACCEPT fw net:$POPSERVERS tcp pop3
ACCEPT fw net udp domain
ACCEPT fw net tcp domain,www,https,ssh,1723,whois,1863,ftp,2702,2703,7
ACCEPT fw net udp 33435:33535
ACCEPT fw net icmp
REJECT:$LOG fw net udp 1025:1031
DROP fw net udp ntp
Ping/ACCEPT fw net
###############################################################################################################################################################################
# Firewall to DMZ
#
ACCEPT fw dmz tcp www,ftp,ssh,smtp,993,465
ACCEPT fw dmz udp domain
REJECT fw dmz udp 137:139
Ping/ACCEPT fw dmz
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
</blockquote>
</section>
<section>
<title>/etc/shorewall/tcdevices</title>
<blockquote>
<programlisting>#INTERFACE IN-BANDWITH OUT-BANDWIDTH
$EXT_IF 1.5mbit 384kbit
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
</blockquote>
</section>
<section>
<title>/etc/shorewall/tcclasses</title>
<blockquote>
<para>My traffic shaping configuration is basically the "WonderShaper"
<ulink
url="http://www1.shorewall.net/pub/shorewall/Samples/tc4shorewall">example
from tc4shorewall</ulink> with a little tweaking.</para>
<programlisting>#INTERFACE MARK RATE CEIL PRIORITY OPTIONS
$EXT_IF 10 full ful 1 tcp-ack,tos-minimize-delay
$EXT_IF 20 9*full/10 9*full/10 2 default
$EXT_IF 30 6*full/10 6*full/10 3
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
</blockquote>
</section>
<section>
<title>/etc/shorewall/tcrules</title>
<blockquote>
<para>I give full bandwidth to my local systems -- the server gets
throttled and rsync gets throttled even more.</para>
<note>
<para>The class id for tc4shorewall-generated classes is
&lt;<emphasis>device number</emphasis>&gt;:&lt;<emphasis>100 + mark
value</emphasis>&gt; where the first device in
<filename>/etc/shorewall/tcdevices</filename> is device number 1,
the second is device number 2 and so on. The rules below are using
the Netfilter CLASSIFY target to classify the traffic directly
without having to first mark then classify based on the
marks.</para>
</note>
<programlisting>#MARK SOURCE DEST PROTO PORT(S) CLIENT USER TEST
# PORT(S)
1:110 192.168.0.0/22 $EXT_IF
1:130 206.124.146.177 $EXT_IF tcp - 873 #Rsync to the Mirrors
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
<para>Here is the output of <command>shorewall show tc</command> while
the Shorewall mirrors were receiving updates via rsync and the link
was otherwise idle. Note the rate limiting imposed by the 1:30
Class.</para>
<programlisting>Shorewall-3.0.0-RC2 Traffic Control at gateway - Sat Oct 22 09:11:26 PDT 2005
...
Device eth2:
qdisc htb 1: r2q 10 default 120 direct_packets_stat 2 ver 3.17
Sent 205450106 bytes 644093 pkts (dropped 0, overlimits 104779)
backlog 20p
qdisc ingress ffff: ----------------
Sent 160811382 bytes 498294 pkts (dropped 37, overlimits 0)
qdisc sfq 110: parent 1:110 limit 128p quantum 1514b flows 128/1024 perturb 10sec
Sent 81718034 bytes 417516 pkts (dropped 0, overlimits 0)
qdisc sfq 120: parent 1:120 limit 128p quantum 1514b flows 128/1024 perturb 10sec
Sent 61224535 bytes 177773 pkts (dropped 0, overlimits 0)
qdisc sfq 130: parent 1:130 limit 128p quantum 1514b flows 128/1024 perturb 10sec
Sent 62507157 bytes 48802 pkts (dropped 0, overlimits 0)
backlog 20p
class htb 1:110 parent 1:1 leaf 110: prio 1 quantum 4915 rate 384000bit ceil 384000bit burst 1791b/8 mpu 0b overhead 0b cburst 1791b/8 mpu 0b overhead 0b level 0
Sent 81718034 bytes 417516 pkts (dropped 0, overlimits 0)
rate 424bit
lended: 417516 borrowed: 0 giants: 0
tokens: 36864 ctokens: 36864
class htb 1:1 root rate 384000bit ceil 384000bit burst 1791b/8 mpu 0b overhead 0b cburst 1791b/8 mpu 0b overhead 0b level 7
Sent 205422474 bytes 644073 pkts (dropped 0, overlimits 0)
rate 231568bit 19pps
lended: 0 borrowed: 0 giants: 0
tokens: -26280 ctokens: -26280
class htb 1:130 parent 1:1 leaf 130: prio 3 quantum 2944 rate 230000bit ceil 230000bit burst 1714b/8 mpu 0b overhead 0b cburst 1714b/8 mpu 0b overhead 0b level 0
Sent 62507157 bytes 48802 pkts (dropped 0, overlimits 0)
<emphasis role="bold">rate 230848bit 19pps backlog 18p</emphasis>
lended: 48784 borrowed: 0 giants: 0
tokens: -106401 ctokens: -106401
class htb 1:120 parent 1:1 leaf 120: prio 2 quantum 4416 rate 345000bit ceil 345000bit burst 1771b/8 mpu 0b overhead 0b cburst 1771b/8 mpu 0b overhead 0b level 0
Sent 61224535 bytes 177773 pkts (dropped 0, overlimits 0)
rate 1000bit
lended: 177773 borrowed: 0 giants: 0
tokens: 41126 ctokens: 41126
...</programlisting>
</blockquote>
</section>
<section id="debian_interfaces">
<title>/etc/network/interfaces</title>
<para>This file is Debian-specific and defines the configuration of the
network interfaces.</para>
<blockquote>
<programlisting># The loopback network interface
auto lo
iface lo inet loopback
# DMZ interface
auto eth1
iface eth1 inet static
address 206.124.146.176
netmask 255.255.255.255
broadcast 0.0.0.0
up ip route add 206.124.146.177 dev eth1
# Internet interface
auto eth2
iface eth2 inet static
address 206.124.146.176
netmask 255.255.255.0
gateway 206.124.146.254
up ip route add 192.168.1.1 dev eth2
# Wireless network
auto eth0
iface eth0 inet static
address 192.168.3.254
netmask 255.255.255.0
# LAN interface
auto br0
iface br0 inet static
address 192.168.1.254
netmask 255.255.255.0
pre-up /usr/sbin/openvpn --mktun --dev tap0
pre-up /sbin/ip link set tap0 up
pre-up /sbin/ip link set eth3 up
pre-up /usr/sbin/brctl addbr br0
pre-up /usr/sbin/brctl addif br0 eth3
pre-up /usr/sbin/brctl addif br0 tap0
up ip route add 224.0.0.0/4 dev br0
post-down /usr/sbin/brctl delif br0 eth3
post-down /usr/sbin/brctl delif br0 tap0
post-down /usr/sbin/brctl delbr br0
post-down /usr/sbin/openvpn --rmtun --dev tap0
# Unbridged LAN interface (Not started automatically)
iface eth3 inet static
address 192.168.1.254
netmask 255.255.255.0
up ip route add 224.0.0.0/4 dev eth3
# Second Internet interface (Not started automatically -- address is duplicate of one added by Shorewall to eth2)
iface eth4 inet static
pre-up modprobe ne io=0x300 irq=10
address 206.124.146.179
netmask 255.255.255.0
</programlisting>
</blockquote>
</section>
<section>
<title>/etc/openvpn/server.conf</title>
<para>Only the tunnel-mode OpenVPN configuration is described here --
the bridge is described in the <ulink url="OPENVPN.html">OpenVPN
documentation</ulink>.</para>
<blockquote>
<programlisting>dev tun
local 206.124.146.176
server 192.168.2.0 255.255.255.0
dh dh1024.pem
ca /etc/certs/cacert.pem
crl-verify /etc/certs/crl.pem
cert /etc/certs/gateway.pem
key /etc/certs/gateway_key.pem
port 1194
comp-lzo
user nobody
group nogroup
keepalive 15 45
ping-timer-rem
persist-tun
persist-key
client-config-dir /etc/openvpn/clients
ccd-exclusive
client-to-client
verb 3</programlisting>
</blockquote>
</section>
</section>
<section>
<title>Tipper and Eastepnc6000 Configuration in the Wireless
Network</title>
<para>Please find this information in the <ulink
url="OPENVPN.html#Bridge">OpenVPN bridge mode</ulink>
documentation.</para>
</section>
<section>
<title>Tipper Configuration while on the Road</title>
<para>This laptop is either configured on our wireless network
(192.168.3.8) or as a standalone system on the road.</para>
<para><emphasis>Tipper</emphasis>'s view of the world is shown in the
following diagram:</para>
<graphic align="center" fileref="images/network2.png" valign="middle" />
<section>
<title>zones</title>
<blockquote>
<programlisting>#ZONE DISPLAY COMMENTS
home Home Shorewall Network
net Net Internet
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
</programlisting>
</blockquote>
</section>
<section>
<title>policy</title>
<blockquote>
<programlisting>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
$FW net ACCEPT
$FW home ACCEPT
home $FW ACCEPT
net home NONE
home net NONE
net all DROP info
# The FOLLOWING POLICY MUST BE LAST
all all REJECT info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
</blockquote>
</section>
<section>
<title>interfaces</title>
<blockquote>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect dhcp,tcpflags
home tun0 -
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
</blockquote>
</section>
<section>
<title>rules</title>
<blockquote>
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
ACCEPT net $FW icmp 8
ACCEPT net $FW tcp 22
ACCEPT net $FW tcp 4000:4100
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
</blockquote>
</section>
<section>
<title>/etc/openvpn/home.conf</title>
<blockquote>
<programlisting>dev tun
remote gateway.shorewall.net
up /etc/openvpn/home.up
tls-client
pull
ca /etc/certs/cacert.pem
cert /etc/certs/tipper.pem
key /etc/certs/tipper_key.pem
port 1194
user nobody
group nogroup
comp-lzo
ping 15
ping-restart 45
ping-timer-rem
persist-tun
persist-key
verb 3</programlisting>
</blockquote>
</section>
<section>
<title>/etc/openvpn/home.up</title>
<blockquote>
<programlisting>#!/bin/bash
ip route add 192.168.1.0/24 via $5 #Access to Home Network
ip route add 206.124.146.177/32 via $5 #So that DNS names will resolve in my
#Internal Bind 9 view because the source IP will
#be in 192.168.2.0/24</programlisting>
</blockquote>
</section>
</section>
</article>