forked from extern/shorewall_code
ed61406441
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@440 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>My Shorewall Configuration</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="Microsoft Theme" content="none">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">About My Network</font></h1>
</td>
</tr>
</tbody>
</table>
<blockquote> </blockquote>
<h1>My Current Network </h1>
<blockquote>
<p><big><font color="#ff0000"><b>Warning: </b></font><b><small>I</small></b></big><big><b><small>
use a combination of Static NAT and Proxy ARP, neither of which is relevant
to a simple configuration with a single public IP address.</small></b></big><big><b><small>
If you have just a single public IP address, most of what you see here won't
apply to your setup, so beware of copying parts of this configuration and expecting
them to work for you. What you copy may or may not work in your setup. </small></b></big><br>
</p>
<p> I have DSL service and have 5 static IP addresses (206.124.146.176-180).
My DSL "modem" (<a href="http://www.fujitsu.com">Fujitsu</a> Speedport)
is connected to eth0. I have a local network connected to eth2 (subnet
192.168.1.0/24) and a DMZ connected to eth1 (192.168.2.0/24).</p>
<p> I use:<br>
</p>
<ul>
<li>Static NAT for ursa (my XP System) - Internal address 192.168.1.5
and external address 206.124.146.178.</li>
<li>Proxy ARP for wookie (my Linux System). This system has two
IP addresses: 192.168.1.3/24 and 206.124.146.179/24.</li>
<li>SNAT through the primary gateway address (206.124.146.176)
for my wife's system (tarry) and the Wireless Access Point (wap)</li>
</ul>
<p> The firewall runs on a 128MB PII/233 with RH7.2 and Kernel 2.4.20-pre6.</p>
<p> Wookie runs Samba and acts as a WINS server. Wookie is in its
own 'whitelist' zone called 'me'.</p>
<p> My laptop (eastept1) is connected to eth3 using a cross-over cable.
It runs its own <a href="http://www.sygate.com"> Sygate</a> firewall
software and is managed by Proxy ARP. It connects to the local network
through the PopTop server running on my firewall. </p>
<p> The single system in the DMZ (address 206.124.146.177) runs postfix,
Courier IMAP (imaps and pop3), DNS, a Web server (Apache) and an FTP
server (Pure-ftpd). The system also runs fetchmail to fetch our email
from our old and current ISPs. That server is managed through Proxy ARP.</p>
<p> The firewall system itself runs a DHCP server that serves the local
network.</p>
<p> All administration and publishing is done using ssh/scp.</p>
<p> I run an SNMP server on my firewall to serve <a
href="http://www.ee.ethz.ch/%7Eoetiker/webtools/mrtg/"> MRTG</a> running
in the DMZ.</p>
<p align="center"> <img border="0"
src="images/network.png" width="764" height="846">
</p>
<p>The Ethernet interface in the DMZ server is configured
with IP address 206.124.146.177, netmask
255.255.255.0. The server's default gateway is
206.124.146.254 (the router at my ISP; this is the same
default gateway used by the firewall itself). On the firewall,
Shorewall automatically adds a host route to
206.124.146.177 through eth1 (192.168.2.1) because
of the entry in /etc/shorewall/proxyarp (see
below).</p>
<p>A similar setup is used on eth3 (192.168.3.1), which
interfaces to my laptop (206.124.146.180).<br>
</p>
<p>Ursa (192.168.1.5, AKA 206.124.146.178) runs a PPTP server for Road Warrior
access.<br>
</p>
</blockquote>
<h3>Shorewall.conf</h3>
<pre>
 SUBSYSLOCK=/var/lock/subsys/shorewall
 STATEDIR=/var/state/shorewall

 LOGRATE=
 LOGBURST=

 ADD_IP_ALIASES="Yes"

 CLAMPMSS=Yes

 MULTIPORT=Yes
</pre>
<h3>Zones File:</h3>
<pre><font face="Courier" size="2">
 #ZONE   DISPLAY    COMMENTS
 net     Internet   Internet
 me      Eastep     My Workstation
 loc     Local      Local networks
 dmz     DMZ        Demilitarized zone
 tx      Texas      Peer Network in Dallas Texas
 #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
</font></pre>
<h3>Interfaces File: </h3>
<blockquote>
<p> This is set up so that I can start the firewall before bringing up
my Ethernet interfaces. </p>
</blockquote>
<pre><font face="Courier" size="2">
 #ZONE   INTERFACE   BROADCAST         OPTIONS
 net     eth0        206.124.146.255   routefilter,norfc1918,blacklist,filterping
 loc     eth2        192.168.1.255     dhcp,filterping,maclist
 dmz     eth1        206.124.146.255   filterping
 net     eth3        206.124.146.255   filterping,blacklist
 -       texas       -                 filterping
 loc     ppp+        -                 filterping
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
</font></pre>
<h3>Hosts File: </h3>
<pre><font face="Courier" size="2">
 #ZONE   HOST(S)                                  OPTIONS
 me      eth2:192.168.1.3,eth2:206.124.146.179
 tx      texas:192.168.9.0/24
 #LAST LINE -- ADD YOUR ENTRIES ABOVE -- DO NOT REMOVE
</font></pre>
<h3>Routestopped File:</h3>
<pre><font face="Courier" size="2">
 #INTERFACE   HOST(S)
 eth1         206.124.146.177
 eth2         -
 eth3         206.124.146.180
</font></pre>
<h3>Common File: </h3>
<pre><font size="2" face="Courier">
 . /etc/shorewall/common.def
 run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP
</font></pre>
<h3>Policy File:</h3>
<pre><font size="2" face="Courier">
 #SOURCE   DEST   POLICY     LOG LEVEL   LIMIT:BURST
 me        all    ACCEPT
 tx        me     ACCEPT     #Give Texas access to my personal system
 all       me     CONTINUE   #<font color="#ff0000">WARNING: You must be running Shorewall 1.3.1 or later for</font>
                             #<font color="#ff0000"> this policy to work as expected!!!</font>
 loc       loc    ACCEPT
 loc       net    ACCEPT
 $FW       loc    ACCEPT
 $FW       tx     ACCEPT
 loc       tx     ACCEPT
 loc       fw     REJECT
 net       net    ACCEPT
 net       all    DROP       info        10/sec:40
 all       all    REJECT     info
 #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
</font></pre>
<h3>Masq File: </h3>
<blockquote>
<p> Although most of our internal systems use static NAT, my wife's system
(192.168.1.4) uses IP Masquerading (actually SNAT), as do visitors with
laptops. Also, I masquerade wookie to the peer subnet in Texas.</p>
</blockquote>
<pre><font size="2" face="Courier">
 #INTERFACE   SUBNET            ADDRESS
 eth0         192.168.1.0/24    206.124.146.176
 texas        206.124.146.179   192.168.1.254
 #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
</font></pre>
<h3>NAT File: </h3>
<pre><font size="2" face="Courier">
 #EXTERNAL         INTERFACE   INTERNAL      ALL   LOCAL
 206.124.146.178   eth0        192.168.1.5   No    No
 206.124.146.179   eth0        192.168.1.3   No    No
 #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
</font></pre>
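<p>As an added illustration (not Shorewall's own code or output), the following POSIX shell script translates the Masq and NAT file entries above into the iptables NAT commands they stand for: SNAT in POSTROUTING for each masq entry (what the text calls IP Masquerading), and a DNAT/SNAT pair for each static NAT entry. The exact rule form is my assumption about how these entries map to iptables; the sample input is copied from the two files on this page.</p>

```shell
#!/bin/sh
# Added illustration, not Shorewall's own code: print the iptables NAT
# commands that the masq and nat file entries correspond to. Nothing is
# applied to the running kernel; the commands are only echoed.

# Masq file: INTERFACE SUBNET ADDRESS. Each line becomes one SNAT rule
# that rewrites the source of packets leaving INTERFACE from SUBNET.
masq_rules() {
    while read -r iface subnet addr; do
        case "$iface" in ''|'#'*) continue ;; esac   # skip comments/blank
        echo "iptables -t nat -A POSTROUTING -o $iface -s $subnet -j SNAT --to-source $addr"
    done
}

# NAT file: EXTERNAL INTERFACE INTERNAL ALL LOCAL. Static (1:1) NAT needs
# both directions: inbound DNAT for the public address and outbound SNAT
# for the internal host, so the host always appears as its public address.
# ALL=No restricts the DNAT to packets arriving on INTERFACE (LOCAL is
# ignored here, as both entries on this page set it to No).
# Note: these rules must precede the masq SNAT rule for the same subnet in
# POSTROUTING, because the first matching NAT rule wins.
nat_rules() {
    while read -r ext iface int all lcl; do
        case "$ext" in ''|'#'*) continue ;; esac
        echo "iptables -t nat -A PREROUTING -i $iface -d $ext -j DNAT --to-destination $int"
        echo "iptables -t nat -A POSTROUTING -o $iface -s $int -j SNAT --to-source $ext"
    done
}

# Constructed sample input: the Masq and NAT file entries from this page.
MASQ_FILE='#INTERFACE SUBNET ADDRESS
eth0 192.168.1.0/24 206.124.146.176
texas 206.124.146.179 192.168.1.254
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE'

NAT_FILE='#EXTERNAL INTERFACE INTERNAL ALL LOCAL
206.124.146.178 eth0 192.168.1.5 No No
206.124.146.179 eth0 192.168.1.3 No No
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE'

printf '%s\n' "$NAT_FILE" | nat_rules    # static NAT first
printf '%s\n' "$MASQ_FILE" | masq_rules  # then the catch-all SNAT
```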
<h3>Proxy ARP File:</h3>
<pre><font face="Courier" size="2">
 #ADDRESS          INTERFACE   EXTERNAL   HAVEROUTE
 206.124.146.177   eth1        eth0       No
 206.124.146.180   eth3        eth0       No
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
</font></pre>
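<p>To make the host-route behaviour described in the network description concrete, here is an added illustration (not Shorewall's own code) of what each proxyarp entry amounts to on the firewall: a host route out the internal INTERFACE unless HAVEROUTE is Yes, plus proxy_arp enabled on the EXTERNAL interface so the firewall answers the ISP router's ARP requests for that address. The exact commands are my assumption; the entries are the ones from this page.</p>

```shell
#!/bin/sh
# Added illustration, not Shorewall's own code: print the commands that the
# proxyarp file entries correspond to. The kernel only proxies ARP for an
# address when it holds a route to that address via a different interface
# than the one the ARP request arrived on, which is why the host route
# through the internal interface is needed alongside the proxy_arp sysctl.
# The commands are echoed, not executed.

# proxyarp file: ADDRESS INTERFACE EXTERNAL HAVEROUTE
proxyarp_commands() {
    seen=""
    while read -r addr iface ext haveroute; do
        case "$addr" in ''|'#'*) continue ;; esac   # skip comments/blank
        # Host route so traffic for the public address leaves via the
        # internal interface even though it falls inside the eth0 subnet.
        # HAVEROUTE=Yes means the administrator already added that route.
        [ "$haveroute" = "Yes" ] || echo "ip route replace $addr dev $iface"
        # Turn on proxy ARP on the external interface, once per interface.
        case " $seen " in
            *" $ext "*) ;;
            *) seen="$seen $ext"
               echo "echo 1 > /proc/sys/net/ipv4/conf/$ext/proxy_arp" ;;
        esac
    done
}

# Constructed sample input: the Proxy ARP file entries from this page.
PROXYARP_FILE='#ADDRESS INTERFACE EXTERNAL HAVEROUTE
206.124.146.177 eth1 eth0 No
206.124.146.180 eth3 eth0 No
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE'

printf '%s\n' "$PROXYARP_FILE" | proxyarp_commands
```

After the routes are in place, "ip route get 206.124.146.177" on the firewall should report dev eth1, which is the quick check that the proxy ARP setup took effect.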
<h3>Tunnels File (Shell variable TEXAS set in /etc/shorewall/params):</h3>
<pre><small>
 #TYPE   ZONE   GATEWAY
 gre     net    $TEXAS
 #LAST LINE -- DO NOT REMOVE
</small></pre>
<h3>Rules File (The shell variables
are set in /etc/shorewall/params):</h3>
<pre><font face="Courier" size="2">
 #ACTION       SOURCE            DEST              PROTO   DEST           SOURCE    ORIGINAL
 #                                                         PORT(S)        PORT(S)   DEST
 #
 # Local Network to Internet - Reject attempts by Trojans to call home
 #
 REJECT:info   loc               net               tcp     6667
 #
 # Local Network to Firewall
 #
 ACCEPT        loc               fw                tcp     ssh
 ACCEPT        loc               fw                tcp     time
 #
 # Local Network to DMZ
 #
 ACCEPT        loc               dmz               udp     domain
 ACCEPT        loc               dmz               tcp     smtp
 ACCEPT        loc               dmz               tcp     domain
 ACCEPT        loc               dmz               tcp     ssh
 ACCEPT        loc               dmz               tcp     auth
 ACCEPT        loc               dmz               tcp     imap
 ACCEPT        loc               dmz               tcp     https
 ACCEPT        loc               dmz               tcp     imaps
 ACCEPT        loc               dmz               tcp     cvspserver
 ACCEPT        loc               dmz               tcp     www
 ACCEPT        loc               dmz               tcp     ftp
 ACCEPT        loc               dmz               tcp     pop3
 ACCEPT        loc               dmz               icmp    echo-request
 #
 # Internet to DMZ
 #
 ACCEPT        net               dmz               tcp     www
 ACCEPT        net               dmz               tcp     smtp
 ACCEPT        net               dmz               tcp     ftp
 ACCEPT        net               dmz               tcp     auth
 ACCEPT        net               dmz               tcp     https
 ACCEPT        net               dmz               tcp     imaps
 ACCEPT        net               dmz               tcp     domain
 ACCEPT        net               dmz               tcp     cvspserver
 ACCEPT        net               dmz               udp     domain
 ACCEPT        net               dmz               icmp    echo-request
 ACCEPT        net:$MIRRORS      dmz               tcp     rsync
 #
 # Net to Me (ICQ chat and file transfers)
 #
 ACCEPT        net               me                tcp     4000:4100
 #
 # Net to Local
 #
 ACCEPT        net               loc               tcp     auth
 REJECT        net               loc               tcp     www
 ACCEPT        net               loc:192.168.1.5   tcp     1723
 ACCEPT        net               loc:192.168.1.5   gre
 #
 # DMZ to Internet
 #
 ACCEPT        dmz               net               icmp    echo-request
 ACCEPT        dmz               net               tcp     smtp
 ACCEPT        dmz               net               tcp     auth
 ACCEPT        dmz               net               tcp     domain
 ACCEPT        dmz               net               tcp     www
 ACCEPT        dmz               net               tcp     https
 ACCEPT        dmz               net               tcp     whois
 ACCEPT        dmz               net               tcp     echo
 ACCEPT        dmz               net               udp     domain
 ACCEPT        dmz               net:$NTPSERVERS   udp     ntp
 ACCEPT        dmz               net:$POPSERVERS   tcp     pop3
 #
 # The following compensates for a bug, either in some FTP clients or in the
 # Netfilter connection tracking code, that occasionally denies active mode
 # FTP clients
 #
 ACCEPT:info   dmz               net               tcp     1024:          20
 #
 # DMZ to Firewall -- snmp
 #
 ACCEPT        dmz               fw                tcp     snmp
 ACCEPT        dmz               fw                udp     snmp
 #
 # DMZ to Local Network
 #
 ACCEPT        dmz               loc               tcp     smtp
 ACCEPT        dmz               loc               tcp     auth
 ACCEPT        dmz               loc               icmp    echo-request
 #
 # Internet to Firewall
 #
 REJECT        net               fw                tcp     www
 #
 # Firewall to Internet
 #
 ACCEPT        fw                net:$NTPSERVERS   udp     ntp
 ACCEPT        fw                net               udp     domain
 ACCEPT        fw                net               tcp     domain
 ACCEPT        fw                net               tcp     www
 ACCEPT        fw                net               tcp     https
 ACCEPT        fw                net               tcp     ssh
 ACCEPT        fw                net               tcp     whois
 ACCEPT        fw                net               icmp    echo-request
 #
 # Firewall to DMZ
 #
 ACCEPT        fw                dmz               tcp     www
 ACCEPT        fw                dmz               tcp     ftp
 ACCEPT        fw                dmz               tcp     ssh
 ACCEPT        fw                dmz               tcp     smtp
 ACCEPT        fw                dmz               udp     domain
 #
 # Let Texas Ping
 #
 ACCEPT        tx                fw                icmp    echo-request
 ACCEPT        tx                loc               icmp    echo-request

 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
</font></pre>
<p><font size="2"> Last updated 1/12/2003 - </font><font size="2">
<a href="support.htm">Tom Eastep</a></font>
</p>
<a href="copyright.htm"><font size="2">Copyright</font> &copy;
<font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
<br>
<br>
</body>
</html>