About My Network

Tom Eastep

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled “GNU Free Documentation License”.

2005-10-04



Table of Contents

My Current Network
Firewall Configuration
Shorewall.conf
Params File (Edited)
Zones File
Interfaces File
Hosts File
Routestopped File
Providers File
Blacklist File
RFC1918 File
Policy File
Masq File
NAT File
Proxy ARP File
Tunnels
Actions File
action.Mirrors File
Rules File (The shell variables are set in /etc/shorewall/params)
/etc/shorewall/tcdevices
/etc/shorewall/tcclasses
/etc/shorewall/tcrules
/etc/network/interfaces
/etc/racoon/racoon.conf
/etc/racoon/setkey.conf
Tipper Configuration while at Home
zones
policy
interfaces
ipsec
hosts
rules
/etc/racoon/setkey.conf
/etc/racoon/racoon.conf
Tipper Configuration on the Road
zones
policy
interfaces
rules
/etc/openvpn/home.conf
/etc/openvpn/home.up

My Current Network

Caution

I use a combination of one-to-one NAT and Proxy ARP, neither of which is relevant to a simple configuration with a single public IP address. If you have just one public IP address, most of what you see here won't apply to your setup, so beware of copying parts of this configuration and expecting them to work for you. What you copy may or may not work in your environment.

Caution

The configuration shown here corresponds to Shorewall version 2.5.5. My configuration uses features not available in earlier Shorewall releases.

I have DSL service and have 5 static IP addresses (206.124.146.176-180). My DSL “modem” (Westell 2200) is connected to eth2 and has IP address 192.168.1.1 (factory default). The modem is configured in “bridge” mode so PPPoE is not involved. I have a local network connected to eth3 (subnet 192.168.1.0/24), a wireless network (192.168.3.0/24) connected to eth0, and a DMZ connected to eth1 (206.124.146.176/32). Note that I configure the same IP address on both eth1 and eth2.

In this configuration:

  • I use one-to-one NAT for Ursa (my personal system, which runs SuSE 9.3): internal address 192.168.1.5 and external address 206.124.146.178.

  • I use one-to-one NAT for Eastepnc6000 (My work system -- Windows XP SP1). Internal address 192.168.1.6 and external address 206.124.146.180.

  • I use SNAT through 206.124.146.176 for my wife's Windows XP system “Tarry”, for our dual-booting (SuSE 9.3/Windows XP) laptop “Tipper”, which connects through the Wireless Access Point (wap) via a Wireless Bridge (wet), and for my work laptop when it is not docked in my office.

    Note

    While the distance between the WAP and where I usually use the laptop isn't very far (50 feet or so), using a WAC11 (CardBus wireless card) has proved very unsatisfactory (lots of lost connections). By replacing the WAC11 with the WET11 wireless bridge, I have virtually eliminated these problems (Being an old radio tinkerer (K7JPV), I was also able to eliminate the disconnects by hanging a piece of aluminum foil on the family room wall. Needless to say, my wife Tarry rejected that as a permanent solution :-).

  • Squid runs on the firewall and is configured as a transparent proxy.

The firewall runs on a P-II/233 with Debian Sarge (testing).

Ursa runs Samba for file sharing with the Windows systems and is configured as a Wins server.

The wireless network connects to the firewall's eth0 via a LinkSys WAP11. In addition to using the rather weak 40-bit WEP encryption (marketed as 64-bit, counting the 24-bit IV), I use MAC verification and Kernel 2.6 IPSEC or OpenVPN.

The single system in the DMZ (address 206.124.146.177) runs postfix, Courier IMAP (imaps and pop3), DNS, a Web server (Apache) and an FTP server (Pure-ftpd) under Fedora Core 3. The system also runs fetchmail to fetch our email from our old and current ISPs. That server is managed through Proxy ARP.

The firewall system itself runs a DHCP server that serves the local and wireless networks.

I have one system (Remote, 206.124.146.179) outside the firewall. This system, which runs Debian Sarge (testing) is used for roadwarrior VPN testing and for checking my firewall "from the outside".

All administration and publishing is done using ssh/scp. I have a desktop environment installed on the firewall but I usually don't start it. X applications tunnel through SSH to Ursa or one of the laptops. The server also has a desktop environment installed but it is seldom started either. For the most part, X tunneled through SSH is used for server administration and the server runs at run level 3 (multi-user console mode on Fedora).

I run an SNMP server on my firewall to serve MRTG running in the DMZ.

The ethernet interface in the Server is configured with IP address 206.124.146.177, netmask 255.255.255.0. The server's default gateway is 206.124.146.254 (Router at my ISP. This is the same default gateway used by the firewall itself). On the firewall, an entry in my /etc/network/interfaces file (see below) adds a host route to 206.124.146.177 through eth1 when that interface is brought up.

The firewall is configured with OpenVPN for VPN access from our second home in Omak, Washington, or when we are otherwise out of town. Secure remote access via IPSEC is also available. We typically use IPSEC for wireless security around the house and OpenVPN for roadwarrior access, but the firewall is set up to accept either tunnel type from either location.

Firewall Configuration

Shorewall.conf

STARTUP_ENABLED=Yes
LOGFILE=/var/log/messages
LOGFORMAT="Shorewall:%s:%s:"
LOGTAGONLY=No
LOGRATE=
LOGBURST=
LOGALLNEW=
BLACKLIST_LOGLEVEL=
MACLIST_LOG_LEVEL=$LOG
TCP_FLAGS_LOG_LEVEL=$LOG
RFC1918_LOG_LEVEL=$LOG
SMURF_LOG_LEVEL=$LOG
BOGON_LOG_LEVEL=$LOG
LOG_MARTIANS=No
IPTABLES=
PATH=/usr/local/sbin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin
SHOREWALL_SHELL=/bin/dash
SUBSYSLOCK=
STATEDIR=/var/lib/shorewall
MODULESDIR=
CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
RESTOREFILE=standard
IPSECFILE=zones
FW=fw
IP_FORWARDING=On
ADD_IP_ALIASES=Yes
ADD_SNAT_ALIASES=Yes
RETAIN_ALIASES=Yes
TC_ENABLED=Yes
CLEAR_TC=Yes
MARK_IN_FORWARD_CHAIN=No
CLAMPMSS=Yes
ROUTE_FILTER=No
DETECT_DNAT_IPADDRS=Yes
MUTEX_TIMEOUT=60
ADMINISABSENTMINDED=Yes
BLACKLISTNEWONLY=Yes
DELAYBLACKLISTLOAD=No
MODULE_SUFFIX=
DISABLE_IPV6=Yes
BRIDGING=No
PKTTYPE=No
RFC1918_STRICT=Yes
MACLIST_TTL=60
SAVE_IPSETS=Yes
MAPOLDACTIONS=No
FASTACCEPT=No
BLACKLIST_DISPOSITION=DROP
MACLIST_DISPOSITION=REJECT
TCP_FLAGS_DISPOSITION=DROP

Params File (Edited)

NTPSERVERS=<list of NTP server IP addresses>
POPSERVERS=<list of external POP3 servers accessed by fetchmail running on the DMZ server>
LOG=info
WIFI_IF=eth0
EXT_IF=eth2
INT_IF=eth3
DMZ_IF=eth1
OMAK=<ip address of the gateway at our second home>

Zones File

#ZONE   TYPE   OPTIONS                 IN                 OUT
#                                      OPTIONS            OPTIONS
net     ipv4
dmz     ipv4
loc     ipv4
vpn     ipv4
Wifi    ipv4
sec     ipsec   mode=tunnel             mss=1400
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

Interfaces File

#ZONE   INTERFACE       BROADCAST               OPTIONS
net     $EXT_IF         206.124.146.255         dhcp,norfc1918,logmartians,blacklist,tcpflags,nosmurfs
loc     $INT_IF         detect                  dhcp,routeback
dmz     $DMZ_IF         -
vpn     tun+            -
Wifi    $WIFI_IF        -                       dhcp,maclist
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

Hosts File

#ZONE           HOST(S)                 OPTIONS
sec             $WIFI_IF:192.168.3.0/24
sec             $EXT_IF:0.0.0.0/0
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

Routestopped File

#INTERFACE      HOST(S)         OPTIONS
$DMZ_IF         206.124.146.177 source
$INT_IF         -               source,dest
$WIFI_IF        -               source,dest
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

Providers File

This entry isn't necessary but it allows me to smoke test parsing of the providers file.

#NAME   NUMBER  MARK    DUPLICATE       INTERFACE       GATEWAY         OPTIONS                 COPY
Blarg   1       1       main            $EXT_IF         206.124.146.254 track,balance=1         $INT_IF,$DMZ_IF,$WIFI_IF,tun0
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

Blacklist File

I use ipsets to represent my blacklist.

#ADDRESS/SUBNET         PROTOCOL        PORT
+Blacklistports[dst]
+Blacklistnets[src,dst]
+Blacklist[src,dst]
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

RFC1918 File

Because my DSL modem has an RFC 1918 address (192.168.1.1) and is connected to eth2 (the external interface, which carries the norfc1918 option), I need to make an exception for that address in my rfc1918 file. I copied /usr/share/shorewall/rfc1918 to /etc/shorewall/rfc1918 and changed it as follows. The file is evaluated in order, so the RETURN entry for the modem must precede the logdrop entries:

#SUBNET           TARGET
192.168.1.1       RETURN
172.16.0.0/12     logdrop        # RFC 1918
192.168.0.0/16    logdrop        # RFC 1918
10.0.0.0/8        logdrop        # RFC 1918
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Policy File

#SOURCE         DESTINATION     POLICY          LOG LEVEL       LIMIT:BURST
$FW             $FW             ACCEPT
loc             net             ACCEPT
$FW             vpn             ACCEPT
vpn             net             ACCEPT
vpn             loc             ACCEPT
sec             vpn             ACCEPT
vpn             sec             ACCEPT
sec             loc             ACCEPT
loc             sec             ACCEPT
fw              sec             ACCEPT
sec             net             ACCEPT
Wifi            sec             NONE
sec             Wifi            NONE
fw              Wifi            ACCEPT
loc             vpn             ACCEPT
$FW             loc             ACCEPT          #Firewall to Local
loc             $FW             REJECT          $LOG
net             all             DROP            $LOG            10/sec:40
all             all             REJECT          $LOG
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

Masq File

Although most of our internal systems use one-to-one NAT, my wife's system (192.168.1.4) uses IP Masquerading (actually SNAT) as do our wireless network systems and visitors with laptops.

The first entry allows access to the DSL modem and uses features introduced in Shorewall 2.1.1. The leading plus sign ("+") causes the rule to be placed before the rules generated by the /etc/shorewall/nat file below. The double colons ("::") cause the entry to be exempt from ADD_SNAT_ALIASES=Yes in my shorewall.conf file above.

Note

My use of ADD_SNAT_ALIASES=Yes is an anachronism. I previously used 206.124.146.179 as the SNAT address before I configured a system outside the firewall with that IP address. ADD_SNAT_ALIASES=Yes was used to add 206.124.146.179 as an IP address on the external interface.

#INTERFACE              SUBNET          ADDRESS         PROTO   PORT
+$EXT_IF::192.168.1.1   0.0.0.0/0       192.168.1.254
$EXT_IF::               192.168.0.0/22  206.124.146.176
$DMZ_IF::               206.124.146.176 192.168.1.254   tcp     80
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

NAT File

#EXTERNAL               INTERFACE       INTERNAL        ALL INTERFACES  LOCAL
206.124.146.178         $EXT_IF:0       192.168.1.5     No              No
206.124.146.180         $EXT_IF:1       192.168.1.6     No              No
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

Proxy ARP File

I configure the host route to 206.124.146.177 on eth1 in /etc/network/interfaces.

#ADDRESS                INTERFACE       EXTERNAL        HAVEROUTE          PERSISTENT
206.124.146.177         $DMZ_IF         $EXT_IF         yes
192.168.1.1             $EXT_IF         $INT_IF         yes # Allow access to DSL modem from the local zone
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
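As an added illustration (not part of the original page and not Shorewall's own compiler output), the script below renders the Masq, NAT and Proxy ARP entries above, with the params file substituted, into the plain iptables/ip/sysctl commands they stand for. It makes three things visible that the tables alone do not: the position in POSTROUTING that the leading "+" buys the modem entry, the address alias that "$EXT_IF:0" requests under ADD_IP_ALIASES=Yes, and that a proxyarp entry turns on proxy_arp on the EXTERNAL interface while the host route, because HAVEROUTE is yes, comes from /etc/network/interfaces. Simplifications that are mine, not the page's: Shorewall installs these in its own per-interface chains rather than directly in PREROUTING/POSTROUTING, the /32 prefix on the alias addresses is assumed, and the interface-column parser only understands the "iface::[dest]" form used on this page.

```python
"""Render this page's masq, nat and proxyarp entries as the iptables/ip commands they imply.
Added example: a simplified model of what Shorewall does, not its compiler output."""

# Values from the page's params file, constructed here as a dict
PARAMS = {"EXT_IF": "eth2", "INT_IF": "eth3", "DMZ_IF": "eth1", "WIFI_IF": "eth0"}

# The three files as they appear on the page (comment lines omitted)
MASQ = """\
+$EXT_IF::192.168.1.1   0.0.0.0/0        192.168.1.254
$EXT_IF::               192.168.0.0/22   206.124.146.176
$DMZ_IF::               206.124.146.176  192.168.1.254   tcp   80
"""
NAT = """\
206.124.146.178   $EXT_IF:0   192.168.1.5   No   No
206.124.146.180   $EXT_IF:1   192.168.1.6   No   No
"""
PROXYARP = """\
206.124.146.177   $DMZ_IF   $EXT_IF   yes
192.168.1.1       $EXT_IF   $INT_IF   yes
"""


def expand(text):
    """Substitute $NAME from PARAMS and split each non-comment line into its columns."""
    for name, value in PARAMS.items():
        text = text.replace("$" + name, value)
    return [line.split() for line in text.splitlines() if line.strip() and not line.startswith("#")]


def render():
    """Return the commands grouped by what they affect, in the order they take effect."""
    pre, post_first, post_nat, post_rest, aliases, parp = [], [], [], [], [], []

    # nat file: one-to-one NAT = DNAT inbound on the interface + SNAT outbound for the host.
    # ALL INTERFACES and LOCAL are both No on this page, so only the named interface is touched.
    for external, iface_spec, internal, _all_if, _local in expand(NAT):
        iface, _, label = iface_spec.partition(":")
        pre.append(f"iptables -t nat -A PREROUTING -i {iface} -d {external} "
                   f"-j DNAT --to-destination {internal}")
        post_nat.append(f"iptables -t nat -A POSTROUTING -o {iface} -s {internal} "
                        f"-j SNAT --to-source {external}")
        if label:  # ADD_IP_ALIASES=Yes: the external address is added to the interface (/32 assumed)
            aliases.append(f"ip addr add {external}/32 dev {iface} label {iface}:{label}")

    # masq file: SNAT for a source subnet leaving an interface. A leading '+' puts the rule ahead
    # of the nat-file SNAT rules; 'iface::' (empty alias field) opts out of ADD_SNAT_ALIASES.
    for iface_spec, subnet, address, *rest in expand(MASQ):
        first = iface_spec.startswith("+")
        iface, _, dest = iface_spec.lstrip("+").partition("::")
        proto, port = (rest + ["-", "-"])[:2]
        match = f"-o {iface}"
        if subnet != "0.0.0.0/0":
            match += f" -s {subnet}"
        if dest:
            match += f" -d {dest}"
        if proto != "-":
            match += f" -p {proto} --dport {port}"
        (post_first if first else post_rest).append(
            f"iptables -t nat -A POSTROUTING {match} -j SNAT --to-source {address}")

    # proxyarp file: answer ARP for ADDRESS on the EXTERNAL interface; route it out INTERFACE.
    for address, iface, external, haveroute in expand(PROXYARP):
        parp.append(f"sysctl -w net.ipv4.conf.{external}.proxy_arp=1")
        if haveroute.lower() != "yes":  # on this page the routes live in /etc/network/interfaces
            parp.append(f"ip route add {address} dev {iface}")

    return {"prerouting": pre, "postrouting": post_first + post_nat + post_rest,
            "aliases": aliases, "proxyarp": parp}


if __name__ == "__main__":
    for group, commands in render().items():
        print(f"# {group}")
        print("\n".join(commands))
```

The useful check is to run this next to the live box and compare with `shorewall show nat`, `ip addr show eth2` and `ip route show`: the modem SNAT rule must sit above the two one-to-one SNAT rules, eth2 must carry .176, .178 and .180, and 206.124.146.177 and 192.168.1.1 must each have a host route out the interface the proxyarp file names.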

Tunnels

#TYPE                   ZONE    GATEWAY         GATEWAY ZONE    PORT
openvpn:1194            net     0.0.0.0/0
ipsec                   net     0.0.0.0/0       sec
openvpn:1194            Wifi    192.168.3.0/24
ipsec                   Wifi    192.168.3.0/24  sec
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Actions File

#ACTION
Mirrors             #Accept traffic from the Shorewall Mirror sites
SSHKnock            #Port Knocking
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

action.Mirrors File

The Mirrors and Mirrornets ipsets define the set of Shorewall mirrors.

#TARGET  SOURCE         DEST            PROTO   DEST    SOURCE     ORIGINAL     RATE
#                                               PORT    PORT(S)    DEST         LIMIT
ACCEPT   +Mirrors
ACCEPT   +Mirrornets                    
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Rules File (The shell variables are set in /etc/shorewall/params)

###############################################################################################################################################################################
#ACTION         SOURCE                          DEST                    PROTO   DEST                                    SOURCE          ORIGINAL        RATE    USER/
#                                                                               PORT                                    PORT(S)         DEST            LIMIT   GROUP
###############################################################################################################################################################################
SECTION NEW
REJECT:$LOG     loc                             net                     tcp     25
REJECT:$LOG     loc                             net                     udp     1025:1031
#
# Stop NETBIOS crap
#
REJECT          loc                             net                     tcp     137,445
REJECT          loc                             net                     udp     137:139
REJECT          sec                             net                     tcp     137,445
REJECT          sec                             net                     udp     137:139
#
# Stop my idiotic work laptop from sending to the net with an HP source/dest IP address
#
DROP            loc:!192.168.0.0/22             net
DROP            Wifi                            net:15.0.0.0/8
DROP            Wifi                            net:16.0.0.0/8
###############################################################################################################################################################################
# Local Network to Firewall
#
DROP            loc:!192.168.0.0/22             fw                      # Silently drop traffic with an HP source IP from my XP box
ACCEPT          loc                             fw                      tcp     ssh,time,631,8080
ACCEPT          loc                             fw                      udp     161,ntp,631
DROP            loc                             fw                      tcp     3185          #SuSE Meta pppd
Ping/ACCEPT     loc                             fw
###############################################################################################################################################################################
# Secure wireless to Firewall
#
ACCEPT          sec                             fw                      tcp     ssh,time,631,8080
ACCEPT          sec                             fw                      udp     161,ntp,631
DROP            sec                             fw                      tcp     3185          #SuSE Meta pppd
Ping/ACCEPT     sec                             fw
###############################################################################################################################################################################
# Roadwarriors to Firewall
#
ACCEPT          vpn                             fw                      tcp     ssh,time,631,8080
ACCEPT          vpn                             fw                      udp     161,ntp,631
Ping/ACCEPT     vpn                             fw
###############################################################################################################################################################################
# Local Network to DMZ
#
DNAT-           loc                             dmz:206.124.146.177:3128 \
                                                                        tcp     www                                     -               !206.124.146.177,192.168.1.1
DROP            loc:!192.168.0.0/22             dmz
ACCEPT          loc                             dmz                     udp     domain,xdmcp
ACCEPT          loc                             dmz                     tcp     www,smtp,smtps,domain,ssh,imap,https,imaps,ftp,10023,pop3,3128                  -
Ping/ACCEPT     loc                             dmz
###############################################################################################################################################################################
# Insecure Wireless to DMZ
#

ACCEPT          Wifi                            dmz                     udp     domain
ACCEPT          Wifi                            dmz                     tcp     domain
###############################################################################################################################################################################
# Insecure Wireless to Internet
#
ACCEPT          Wifi                            net                     udp     500
ACCEPT          Wifi                            net                     udp     4500
Ping/ACCEPT     Wifi                            net
###############################################################################################################################################################################
# Secure Wireless to DMZ
#
DROP            sec:!192.168.0.0/22             dmz
DNAT            sec                             dmz:206.124.146.177:3128 \
                                                                        tcp     www                                     -               !206.124.146.177,192.168.1.1
ACCEPT          sec                             dmz                     udp     domain,xdmcp
ACCEPT          sec                             dmz                     tcp     www,smtp,smtps,domain,ssh,imap,https,imaps,ftp,10023,pop3               -
Ping/ACCEPT     sec                             dmz
###############################################################################################################################################################################
# Road Warriors to DMZ
#
ACCEPT          vpn                             dmz                     udp     domain
ACCEPT          vpn                             dmz                     tcp     www,smtp,smtps,domain,ssh,imap,https,imaps,ftp,10023,pop3       -
Ping/ACCEPT     vpn                             dmz
###############################################################################################################################################################################
# Internet to ALL -- drop NewNotSyn packets
#
dropNotSyn      net             fw              tcp
dropNotSyn      net             loc             tcp
dropNotSyn      net             dmz             tcp
###############################################################################################################################################################################
# Internet to DMZ
#
ACCEPT          net                             dmz                     udp     domain
ACCEPT          net                             dmz                     tcp     smtps,www,ftp,imaps,domain,https        -
ACCEPT          net                             dmz                     tcp     smtp                                    -               206.124.146.177,206.124.146.178
ACCEPT          net                             dmz                     udp     33434:33454
Mirrors         net                             dmz                     tcp     rsync
ACCEPT          net                             dmz                     tcp     22
Ping/ACCEPT     net                             dmz
###############################################################################################################################################################################
#
# Net to Local
#
# When I'm "on the road", the following two rules allow me VPN access back home using PPTP
# (TCP 1723 for the control connection, GRE for the tunnel itself).
#
DNAT            net                             loc:192.168.1.4         tcp     1723
DNAT            net                             loc:192.168.1.4         gre
ACCEPT          net:$OMAK                       loc:192.168.1.5         tcp     22
#
# Auth for IRC
#
ACCEPT          net                             loc:192.168.1.5         tcp     113
#
# Real Audio
#
ACCEPT          net                             loc:192.168.1.5         udp     6970:7170
#
# Overnet
#
#ACCEPT         net                             loc:192.168.1.5         tcp     4662
#ACCEPT         net                             loc:192.168.1.5         udp     12112
#
# OpenVPN
#
ACCEPT          net                             loc:192.168.1.5         udp     1194
#
# Silently Handle common probes
#
REJECT          net                             loc                     tcp     www,ftp,https
DROP            net                             loc                     icmp    8
###############################################################################################################################################################################
# DMZ to Internet
#
ACCEPT          dmz                             net                     udp     domain,ntp
ACCEPT          dmz                             net                     tcp     smtp,domain,www,81,https,whois,echo,2702,21,2703,ssh,8080,cvspserver
REJECT:$LOG     dmz                             net                     udp     1025:1031
ACCEPT          dmz                             net:$POPSERVERS         tcp     pop3
###############################################################################################################################################################################
# DMZ to Firewall -- ntp & snmp, Silently reject Auth
#
ACCEPT          dmz                             fw                      udp     ntp                                     ntp
ACCEPT          dmz                             fw                      tcp     161,ssh
ACCEPT          dmz                             fw                      udp     161
REJECT          dmz                             fw                      tcp     auth
Ping/ACCEPT     dmz                             fw
###############################################################################################################################################################################
# DMZ to Local Network
#
ACCEPT          dmz                             loc                     tcp     smtp,6001:6010
ACCEPT          dmz:206.124.146.177             loc:192.168.1.5,192.168.1.3 \
                                                                        tcp     111
ACCEPT          dmz:206.124.146.177             loc:192.168.1.5,192.168.1.3 \
                                                                        udp
Ping/ACCEPT     dmz                             loc
###############################################################################################################################################################################
# Internet to Firewall
#
REJECT          net                             fw                      tcp     www,ftp,https
DROP            net                             fw                      icmp    8
ACCEPT          net                             fw                      udp     33434:33454
ACCEPT          net:$OMAK                       fw                      udp     ntp
ACCEPT          net                             fw                      tcp     auth
SSHKnock:info   net                             fw                      tcp     22,4320,4321,4322
###############################################################################################################################################################################
# Firewall to Internet
#
ACCEPT          fw                              net:$NTPSERVERS         udp     ntp                                     ntp
#ACCEPT         fw                              net:$POPSERVERS         tcp     pop3
ACCEPT          fw                              net                     udp     domain
ACCEPT          fw                              net                     tcp     domain,www,https,ssh,1723,whois,1863,ftp,2702,2703,7
ACCEPT          fw                              net                     udp     33435:33535
ACCEPT          fw                              net                     icmp
REJECT:$LOG     fw                              net                     udp     1025:1031
DROP            fw                              net                     udp     ntp
Ping/ACCEPT     fw                              net
###############################################################################################################################################################################
# Firewall to DMZ
#
ACCEPT          fw                              dmz                     tcp     www,ftp,ssh,smtp,993,465
ACCEPT          fw                              dmz                     udp     domain
REJECT          fw                              dmz                     udp     137:139
Ping/ACCEPT     fw                              dmz
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
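Added example, not code from the page or from Shorewall: a small model of the order in which the firewall above decides a new connection. The zone is found from the interface, with the hosts-file "sec" entries applying only to traffic that arrived inside an IPsec SA; the rules file is then tried first, in file order; only if no rule matches does the first matching policy apply, again in file order with "all" as a wildcard. The block embeds the interfaces/hosts mapping, the whole policy file and a constructed subset of the rules file; the addresses used in the checks are constructed, and the address-qualifier parser handles only the single-subnet "zone:subnet" and "zone:!subnet" forms used on this page. Action names such as SSHKnock are returned as they stand rather than expanded. One thing the model makes visible is why the unlogged "REJECT net loc tcp www,ftp,https" rule is there at all: without it those probes would fall through to the "net all DROP $LOG" policy and be logged.

```python
"""Model of how the firewall above decides a new connection: zone lookup, then rules in
file order, then policies in file order. Added example, not Shorewall's own code."""
import ipaddress

# Constructed from the interfaces and hosts files ("tun" stands in for the tun+ wildcard).
INTERFACE_ZONES = {"eth2": "net", "eth3": "loc", "eth1": "dmz", "eth0": "Wifi", "tun": "vpn"}
IPSEC_HOSTS = [("sec", "eth0", "192.168.3.0/24"), ("sec", "eth2", "0.0.0.0/0")]

# A subset of the rules file (SECTION NEW) and the whole policy file, with $FW written as fw.
RULES = """\
REJECT:$LOG     loc                  net              tcp  25
REJECT          loc                  net              udp  137:139
DROP            loc:!192.168.0.0/22  net
ACCEPT          loc                  fw               tcp  ssh,time,631,8080
ACCEPT          Wifi                 net              udp  500
ACCEPT          Wifi                 net              udp  4500
ACCEPT          net                  loc:192.168.1.5  udp  1194
REJECT          net                  loc              tcp  www,ftp,https
SSHKnock:info   net                  fw               tcp  22,4320,4321,4322
"""
POLICY = """\
fw    fw    ACCEPT
loc   net   ACCEPT
fw    vpn   ACCEPT
vpn   net   ACCEPT
vpn   loc   ACCEPT
sec   vpn   ACCEPT
vpn   sec   ACCEPT
sec   loc   ACCEPT
loc   sec   ACCEPT
fw    sec   ACCEPT
sec   net   ACCEPT
Wifi  sec   NONE
sec   Wifi  NONE
fw    Wifi  ACCEPT
loc   vpn   ACCEPT
fw    loc   ACCEPT
loc   fw    REJECT  info
net   all   DROP    info  10/sec:40
all   all   REJECT  info
"""
SERVICES = {"ssh": 22, "time": 37, "www": 80, "ftp": 21, "https": 443}  # names used above


def zone_of(iface, addr, inside_ipsec):
    """hosts-file entries for the ipsec zone match only traffic inside an IPsec SA;
    cleartext on the same interface stays in the interface's own zone."""
    if inside_ipsec:
        for zone, host_if, net in IPSEC_HOSTS:
            if host_if == iface and ipaddress.ip_address(addr) in ipaddress.ip_network(net):
                return zone
    for prefix, zone in INTERFACE_ZONES.items():
        if iface.startswith(prefix):
            return zone
    raise ValueError(f"no zone for {iface}")


def _endpoint_matches(spec, zone, addr):
    """SOURCE/DEST column: zone, zone:subnet or zone:!subnet (single subnet, as on this page)."""
    z, _, qualifier = spec.partition(":")
    if z != zone:
        return False
    if not qualifier:
        return True
    inside = ipaddress.ip_address(addr) in ipaddress.ip_network(qualifier.lstrip("!"), strict=False)
    return inside != qualifier.startswith("!")


def _port_matches(spec, port):
    """DEST PORT column: '-' or a comma list of numbers, service names and lo:hi ranges."""
    if spec == "-":
        return True
    for item in spec.split(","):
        lo, _, hi = item.partition(":")
        lo = int(SERVICES.get(lo, lo))
        hi = int(SERVICES.get(hi, hi)) if hi else lo
        if lo <= port <= hi:
            return True
    return False


def evaluate(src_zone, src_addr, dst_zone, dst_addr, proto, dport):
    """Return (action, logged): the first matching rule wins; only if no rule matches is the
    first matching policy used ('all' is a wildcard). NONE: no chain exists for the pair."""
    for line in RULES.splitlines():
        action, src, dst, *rest = line.split()
        rproto, rports = (rest + ["-", "-"])[:2]
        if (_endpoint_matches(src, src_zone, src_addr)
                and _endpoint_matches(dst, dst_zone, dst_addr)
                and rproto in ("-", proto) and _port_matches(rports, dport)):
            verb, _, level = action.partition(":")
            return verb, bool(level)
    for line in POLICY.splitlines():
        src, dst, policy, *level = line.split()
        if src in ("all", src_zone) and dst in ("all", dst_zone):
            return policy, bool(level)
    raise LookupError("no policy covers this zone pair")
```

Two cases worth tracing by hand: a wireless host that has not brought up its tunnel is in Wifi, so anything other than IKE, DNS and ping falls through to the final "all all REJECT" policy, while the same host inside its SA is in sec and inherits the permissive sec policies; and an HP-addressed packet from the docked work laptop hits the "loc:!192.168.0.0/22" DROP rule before the "loc net ACCEPT" policy can let it out.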

/etc/shorewall/tcdevices

#INTERFACE      IN-BANDWIDTH    OUT-BANDWIDTH
$EXT_IF         1.5mbit         384kbit
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

/etc/shorewall/tcclasses

My traffic shaping configuration is the "WonderShaper" example from tc4shorewall.

#INTERFACE      MARK    RATE            CEIL            PRIORITY        OPTIONS
$EXT_IF         10      full            full            1               tcp-ack,tos-minimize-delay
$EXT_IF         20      9*full/10       9*full/10       2               default
$EXT_IF         30      6*full/10       6*full/10       3
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

/etc/shorewall/tcrules

I give full bandwidth to my local systems -- the server gets throttled and rsync gets throttled even more.

Note

The class id for tc4shorewall-generated classes is 1:<100 + mark value>. The rules below are using the Netfilter CLASSIFY target to classify the traffic directly without having to first mark then classify based on the marks.

#MARK           SOURCE                  DEST            PROTO   PORT(S) CLIENT  USER    TEST
#                                                                       PORT(S)
1:110           192.168.0.0/22          $EXT_IF
1:130           206.124.146.177         $EXT_IF         tcp     -       873
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

/etc/network/interfaces

This file is Debian-specific and defines the configuration of the network interfaces.

# The loopback network interface
auto lo
iface lo inet loopback

# DMZ interface -- After the interface is up, add a route to the server. This allows the 'Yes' setting
#                  in the HAVEROUTE column of /etc/shorewall/proxyarp above.

auto eth1
iface eth1 inet static
        address 206.124.146.176
        netmask 255.255.255.255
        broadcast 0.0.0.0
        up ip route add 206.124.146.177 dev eth1

# Internet interface -- After the interface is up, add a route to the Westell 2200 DSL "Modem"

auto eth2
iface eth2 inet static
        address 206.124.146.176
        netmask 255.255.255.0
        gateway 206.124.146.254
        up ip route add 192.168.1.1 dev eth2

# Wireless interface

auto eth0
iface eth0 inet static
        address 192.168.3.254
        netmask 255.255.255.0

# LAN interface

auto eth3
iface eth3 inet static
        address 192.168.1.254
        netmask 255.255.255.0

/etc/racoon/racoon.conf

listen
{
        isakmp 206.124.146.176 ;
        isakmp 192.168.3.254 ;
        isakmp_natt 206.124.146.176 [4500] ;
        adminsock "/usr/local/var/racoon/racoon.sock" "root" "operator" 0660 ;
}
#
# Tipper at Home
#
remote 192.168.3.8
{
        exchange_mode main ;
        dpd_delay 20 ;
        certificate_type x509 "gateway.pem" "gateway_key.pem" ;
        verify_cert on ;
        my_identifier asn1dn ;
        peers_identifier asn1dn ;
        verify_identifier on ;
        lifetime time 30 minutes ;
        proposal {
                encryption_algorithm blowfish ;
                hash_algorithm sha1 ;
                authentication_method rsasig ;
                dh_group 2 ;
        }
}

sainfo address 0.0.0.0/0 any address 192.168.3.8 any
{
        pfs_group 2 ;
        lifetime time 30 minutes ;
        encryption_algorithm blowfish ;
        authentication_algorithm hmac_sha1, hmac_md5 ;
        compression_algorithm deflate ;
}
#
# Work Laptop at Home -- it doesn't like getting proposals from us
#                        so we let it initiate the tunnel.
#
#                        Windows XP doesn't support blowfish or rijndael
#                        so we're stuck with 3des :-(
#
remote 192.168.3.6 inherit 192.168.3.8
{
        proposal_check obey ;
        passive on ;
        generate_policy on ;
        proposal {
                encryption_algorithm 3des ;
                hash_algorithm sha1 ;
                authentication_method rsasig ;
                dh_group 2 ;
        }
}

sainfo address 0.0.0.0/0 any address 192.168.3.6 any
{
        pfs_group 2 ;
        lifetime time 1 hour ;
        encryption_algorithm 3des ;
        authentication_algorithm hmac_sha1, hmac_md5 ;
        compression_algorithm deflate ;
}
#
# Both systems on the road -- We use 3des for phase I to accommodate XP.
#                             Since we don't know the IP address of the
#                             remote host ahead of time, we must use
#                             "anonymous".
#
remote anonymous inherit 192.168.3.6
{
        nat_traversal on ;
        ike_frag on;
}

sainfo anonymous
{
        pfs_group 2;
        lifetime time 12 hour ;
        encryption_algorithm blowfish, 3des;
        authentication_algorithm hmac_sha1, hmac_md5 ;
        compression_algorithm deflate ;
}

/etc/racoon/setkey.conf

# First of all flush the SAD and SPD databases

flush;
spdflush;

# We only define policies for 'tipper'. The XP box seems to work better when it initiates the
# negotiation so we essentially run it like a roadwarrior even around the house.

spdadd 0.0.0.0/0          192.168.3.8/32     any -P out ipsec esp/tunnel/192.168.3.254-192.168.3.8/require;
spdadd 192.168.3.8/32     0.0.0.0/0          any -P in  ipsec esp/tunnel/192.168.3.8-192.168.3.254/require;
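Added example (not from the page, and not setkey or racoon code): the two SPD lines above have to agree with each other and with the laptop's SPD, and a mismatched tunnel endpoint or direction is the usual reason a racoon negotiation completes but no traffic flows. The script parses the firewall's setkey.conf, checks that each out policy has its in counterpart on the same host (selectors and tunnel endpoints swapped), and derives the laptop-side policies, which is what Tipper's setkey.conf needs for its wireless case. The derived laptop lines are computed here, not copied from the page, and the parser covers only the "ipsec proto/mode/src-dst/level" and "none" forms used in this document.

```python
"""Check a setkey SPD for self-consistency and derive the peer's SPD from it.
Added example; not from the page, and not racoon/setkey code."""
import re

# The firewall's two policies, as in the setkey.conf above.
GATEWAY_SPD = """\
flush;
spdflush;
spdadd 0.0.0.0/0          192.168.3.8/32     any -P out ipsec esp/tunnel/192.168.3.254-192.168.3.8/require;
spdadd 192.168.3.8/32     0.0.0.0/0          any -P in  ipsec esp/tunnel/192.168.3.8-192.168.3.254/require;
"""

SPD_RE = re.compile(
    r"spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out)\s+"
    r"(?:none|ipsec\s+(\w+)/(\w+)/([^-\s]+)-([^/\s]+)/(\w+))\s*;")


def parse_spd(text):
    """Return (src, dst, upper, direction, tunnel) tuples; tunnel is None for '-P ... none',
    otherwise (proto, mode, outer_src, outer_dst, level)."""
    entries = []
    for m in SPD_RE.finditer(text):
        src, dst, upper, direction, proto, mode, ep_from, ep_to, level = m.groups()
        tunnel = None if proto is None else (proto, mode, ep_from, ep_to, level)
        entries.append((src, dst, upper, direction, tunnel))
    return entries


def format_spd(entry):
    """Write an entry back in setkey syntax."""
    src, dst, upper, direction, tunnel = entry
    if tunnel is None:
        return f"spdadd {src} {dst} {upper} -P {direction} none;"
    proto, mode, ep_from, ep_to, level = tunnel
    return f"spdadd {src} {dst} {upper} -P {direction} ipsec {proto}/{mode}/{ep_from}-{ep_to}/{level};"


def reverse(entry):
    """The policy the same host needs for the return direction of this flow:
    selectors swapped, direction flipped, outer (tunnel) endpoints swapped."""
    src, dst, upper, direction, tunnel = entry
    if tunnel is not None:
        proto, mode, ep_from, ep_to, level = tunnel
        tunnel = (proto, mode, ep_to, ep_from, level)
    return (dst, src, upper, "in" if direction == "out" else "out", tunnel)


def unmatched(entries):
    """Entries whose reverse is missing; an empty list means every flow is covered both ways."""
    present = set(entries)
    return [e for e in entries if reverse(e) not in present]


def peer_spd(entries):
    """What the other endpoint must carry: the same lines seen from its side, i.e. direction
    flipped. Selectors and outer endpoints are already written from the sender's point of view."""
    return [format_spd((s, d, u, "in" if direction == "out" else "out", t))
            for s, d, u, direction, t in entries]
```

Running `peer_spd(parse_spd(GATEWAY_SPD))` yields the laptop's require policies for 192.168.3.8 with the outer addresses 192.168.3.254 and 192.168.3.8 kept in the same order; on the live hosts `setkey -DP` on both ends should show exactly that mirror image, and a non-empty `unmatched()` result on either side points at the line to fix.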

Tipper Configuration while at Home

This laptop is either configured on our wireless network (192.168.3.8) or as a standalone system on the road. While this system is connected via our wireless network, it uses IPSEC tunnel mode for all access.

Note

Given that I use OpenVPN for remote access, it would be more convenient to also use it for wireless access at home. I use IPSEC just so that I always have a working IPSEC testbed.

Tipper's view of the world is shown in the following diagram:

The key configuration files are shown in the following sections.

zones

#ZONE   DISPLAY         COMMENTS
home    Home            Shorewall Network
net     Net             Internet
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

policy

#SOURCE         DEST            POLICY          LOG LEVEL       LIMIT:BURST
$FW             net             ACCEPT
$FW             home            ACCEPT
home            $FW             ACCEPT
net             home            NONE
home            net             NONE
net             all             DROP            info
# The FOLLOWING POLICY MUST BE LAST
all             all             REJECT          info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

interfaces

#ZONE   INTERFACE       BROADCAST       OPTIONS
net     eth0            detect          dhcp,tcpflags
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

ipsec

#ZONE   IPSEC   OPTIONS                 IN                      OUT
#       ONLY                            OPTIONS                 OPTIONS
home    yes     mode=tunnel
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

hosts

#ZONE           HOST(S)                         OPTIONS
home            eth0:0.0.0.0/0
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE

rules

#ACTION         SOURCE                  DEST    PROTO   DEST    SOURCE  ORIGINAL        RATE    USER/
#                                                       PORT    PORT(S) DEST            LIMIT   GROUP
ACCEPT          net                     $FW     icmp    8
ACCEPT          net                     $FW     tcp     22
ACCEPT          net                     $FW     tcp     4000:4100
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

/etc/racoon/setkey.conf

flush;
spdflush;

# Policies for while we're connected via Wireless at home

spdadd 192.168.3.8/32     192.168.3.8/32     any -P in  none;
spdadd 192.168.3.8/32     192.168.3.8/32     any -P out none;
spdadd 127.0.0.0/8        127.0.0.0/8        any -P in  none;
spdadd 127.0.0.0/8        127.0.0.0/8        any -P out none;
spdadd 0.0.0.0/0          192.168.3.8/32     any -P in  ipsec esp/tunnel/192.168.3.254-192.168.3.8/require;
spdadd 192.168.3.8/32     0.0.0.0/0          any -P out ipsec esp/tunnel/192.168.3.8-192.168.3.254/require;

/etc/racoon/racoon.conf

path certificate "/etc/certs";

listen
{
        isakmp 192.168.3.8;
}

remote 192.168.3.254
{
        exchange_mode main ;
        certificate_type x509 "tipper.pem" "tipper_key.pem";
        verify_cert on;
        my_identifier asn1dn ;
        peers_identifier asn1dn ;
        verify_identifier on ;
        lifetime time 30 minutes ;
        proposal {
                encryption_algorithm blowfish ;
                hash_algorithm sha1;
                authentication_method rsasig ;
                dh_group 2 ;
        }
}

sainfo address 192.168.3.8/32 any address 0.0.0.0/0 any
{
        pfs_group 2;
        lifetime time 30 minutes ;
        encryption_algorithm blowfish ;
        authentication_algorithm hmac_sha1, hmac_md5 ;
        compression_algorithm deflate ;
}

Tipper Configuration on the Road

When Tipper is on the road, its world view is the same as in the diagram above.

zones

#ZONE   DISPLAY         COMMENTS
home    Home            Shorewall Network
net     Net             Internet
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

policy

#SOURCE         DEST            POLICY          LOG LEVEL       LIMIT:BURST
$FW             net             ACCEPT
$FW             home            ACCEPT
home            $FW             ACCEPT
net             home            NONE
home            net             NONE
net             all             DROP            info
# The FOLLOWING POLICY MUST BE LAST
all             all             REJECT          info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

interfaces

#ZONE   INTERFACE       BROADCAST       OPTIONS
net     eth0            detect          dhcp,tcpflags
home    tun0            -
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

rules

#ACTION         SOURCE                  DEST    PROTO   DEST    SOURCE  ORIGINAL        RATE    USER/
#                                                       PORT    PORT(S) DEST            LIMIT   GROUP
ACCEPT          net                     $FW     icmp    8
ACCEPT          net                     $FW     tcp     22
ACCEPT          net                     $FW     tcp     4000:4100
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
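The following Python is an added example, not Shorewall code and not part of the original page. It models how the zones, interfaces, hosts, ipsec, policy and rules files above classify a packet into a zone and then choose the first matching rule or, failing that, the first matching policy; it covers both the at-home files (eth0 carrying net, and home only for ESP-protected traffic) and the on-the-road files (tun0 as home). The configuration text embedded in it is copied from the files on this page; the `zone_of` and `decide` functions, and the "first match wins" simplification of Shorewall's compiler, are the example's own assumptions.

```python
"""Toy model of Shorewall zone classification and policy lookup for the
Tipper laptop configuration.  Added example: it reproduces only the
first-match semantics of the rules and policy files and the "IPSEC ONLY"
zone behaviour needed to follow this configuration, not Shorewall itself.
Config text below is copied from the files shown on this page."""

FW = "$FW"

# --- at home: eth0 is 'net', and 'home' only for IPsec-protected traffic ---
INTERFACES_HOME = """
net     eth0            detect          dhcp,tcpflags
"""
HOSTS_HOME = """
home            eth0:0.0.0.0/0
"""
IPSEC_ONLY_HOME = {"home"}      # from the ipsec file: home  yes  mode=tunnel

# --- on the road: the OpenVPN tunnel interface is 'home' ---
INTERFACES_ROAD = """
net     eth0            detect          dhcp,tcpflags
home    tun0            -
"""
HOSTS_ROAD = ""
IPSEC_ONLY_ROAD = set()         # no ipsec file in the road configuration

POLICY = """
$FW             net             ACCEPT
$FW             home            ACCEPT
home            $FW             ACCEPT
net             home            NONE
home            net             NONE
net             all             DROP            info
all             all             REJECT          info
"""

RULES = """
ACCEPT          net                     $FW     icmp    8
ACCEPT          net                     $FW     tcp     22
ACCEPT          net                     $FW     tcp     4000:4100
"""


def parse(text):
    """Split a Shorewall table into rows, skipping blanks and '#' comments."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rows.append(line.split())
    return rows


def zone_of(iface, ipsec, interfaces, hosts, ipsec_only):
    """Zone of a packet arriving on `iface`; `ipsec` says whether it was
    decapsulated from an IPsec SA.  A zone marked IPSEC ONLY matches only
    protected traffic, so a plain packet on the same interface falls
    through to the zone named for that interface in the interfaces file.
    (Assumption of this model: hosts entries are checked before interfaces.)"""
    for zone, spec, *_ in parse(hosts):
        host_iface = spec.split(":", 1)[0]
        if host_iface == iface and (ipsec or zone not in ipsec_only):
            return zone
    for zone, ifname, *_ in parse(interfaces):
        if ifname == iface and (ipsec or zone not in ipsec_only):
            return zone
    return None


def port_matches(spec, port):
    """DEST PORT column: '-' or absent means any; 'a:b' is an inclusive range.
    For icmp the column carries the ICMP type, compared the same way."""
    if spec in ("-", "", None):
        return True
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        return int(lo) <= port <= int(hi)
    return int(spec) == port


def decide(src, dst, proto, dport, rules=RULES, policy=POLICY):
    """Return (action, loglevel).  Rules are consulted first, in order; then
    the first policy whose SOURCE and DEST match (a zone name or 'all')
    wins, which is why the all/all REJECT line has to be last."""
    for action, rsrc, rdst, rproto, *rest in parse(rules):
        rport = rest[0] if rest else "-"
        if (rsrc == src and rdst == dst and rproto == proto
                and port_matches(rport, dport)):
            return action, None
    for psrc, pdst, action, *rest in parse(policy):
        if psrc in (src, "all") and pdst in (dst, "all"):
            return action, (rest[0] if rest else None)
    raise LookupError("no policy matched")


if __name__ == "__main__":
    print(zone_of("eth0", True, INTERFACES_HOME, HOSTS_HOME, IPSEC_ONLY_HOME))
    print(zone_of("eth0", False, INTERFACES_HOME, HOSTS_HOME, IPSEC_ONLY_HOME))
    print(decide("net", FW, "tcp", 22), decide("net", FW, "tcp", 80))
```

Run it and the two `zone_of` calls answer `home` and `net` for the same interface, which is the whole point of the IPSEC-only zone: the wireless segment is only trusted when the packet came out of the ESP tunnel. `decide` returns the NONE policies verbatim; in Shorewall NONE means no chain is built for that zone pair, which fits a laptop that does not forward traffic between eth0 and the tunnel.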

/etc/openvpn/home.conf

dev tun
remote gateway.shorewall.net
up /etc/openvpn/home.up
 
tls-client
pull
 
ca /etc/certs/cacert.pem
 
cert /etc/certs/tipper.pem
key /etc/certs/tipper_key.pem
 
port 1194
 
user nobody
group nogroup
 
comp-lzo
 
ping 15
ping-restart 45
ping-timer-rem
persist-tun
persist-key
 
verb 3

/etc/openvpn/home.up

#!/bin/bash
# OpenVPN invokes an --up script as:
#   tun_dev tun_mtu link_mtu ifconfig_local_ip ifconfig_remote_ip [init|restart]
# so $5 is the tunnel peer's address (the home gateway's end of tun0).
 
ip route add 192.168.1.0/24 via $5     #Access to Home Network
ip route add 206.124.146.177/32 via $5 #So that DNS names will resolve in my
                                       #Internal Bind 9 view because the source IP will
                                       #be in 192.168.2.0/24