About My Network
I have DSL service and get my External IP address via DHCP. My DSL
"modem" is connected through a 10MB hub to eth0 (I can get up
to 3 dynamic IP addresses and I also have an LRP-based firewall connected to
this hub). I have a local network connected to eth2 (subnet 192.168.1.0/24)
and a DMZ connected to eth1 (192.168.2.0/24).
The firewall runs on a 128MB PII/233 with RH7.1 and Kernel 2.4.9.
My personal system is 192.168.1.5 and all external ICQ
connection requests are forwarded to that system.
There is a single system (192.168.2.2) in the DMZ and that system runs
postfix, pop3, DNS, a Web server and an FTP server (Pure-ftpd). The system
also runs fetchmail to fetch our email from our ISP.
The firewall system itself runs a DHCP server that serves the local
network.
All administration and publishing is done using ssh/scp.
I run PoPToP on my firewall system for when I'm on the road with my Win2k
laptop and the firewall serves as the endpoint of a PPTP tunnel to my employer
(Compaq).
I run an snmp server on my firewall to serve MRTG
running on my personal system.
I run Squid on my firewall and use it as a Transparent HTTP proxy.
Finally, the firewall acts as an IPSEC gateway to a peer network in Dallas,
Texas. I am using FreeS/WAN 1.91.
Note: My files use extensions made available in Shorewall version 1.1.12.
Zones File:
#ZONE   DISPLAY     COMMENTS
net     Internet    Internet
loc     Local       Local networks
dmz     DMZ         Demilitarized zone
tx      Texas       Peer network in Dallas
cpq     Compaq      Compaq Intranet
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
Interfaces File:
This is set up so that I can start the firewall before bringing up my
Ethernet interfaces. It is important that 'loc' is defined before 'cpq' since
'loc' also uses a ppp interface (see hosts file below).
#ZONE   INTERFACE   BROADCAST           OPTIONS
net     eth0        206.191.149.223     dhcp,norfc1918,routefilter,noping
loc     eth2        192.168.1.255       dhcp
dmz     eth1        192.168.2.255
tx      ipsec0      -
cpq     ppp+
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
Hosts File:
Note that PPTP clients connected to my firewall are treated as part of the
local zone (loc). They are given IP addresses in the 192.168.1.0/24 subnet.
#ZONE   HOST(S)                 OPTIONS
dmz     eth1:192.168.2.2        routestopped
loc     eth2:192.168.1.0/24     routestopped
loc     ppp+:192.168.1.0/24
tx      ipsec0:192.168.9.0/24
##LAST LINE -- ADD YOUR ENTRIES ABOVE -- DO NOT REMOVE
Policy File:
#CLIENT SERVER  POLICY  LOG LEVEL
cpq     loc     ACCEPT
cpq     fw      DROP
fw      cpq     DROP
loc     cpq     ACCEPT
loc     net     ACCEPT
fw      loc     ACCEPT
fw      tx      ACCEPT
tx      loc     REJECT
loc     tx      ACCEPT
net     all     DROP    info
all     all     REJECT  info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
Tunnels File (Gateway address falsified):
#TYPE   ZONE    GATEWAY         GATEWAY ZONE
ipsec   net     130.252.100.21  tx
#LAST LINE -- DO NOT REMOVE
Masq File:
Both my local network and my DMZ are masqueraded to the internet. Note
that outbound tunnel traffic to Compaq also gets masqueraded (Compaq does not
use 192.168.1.0/24 and my own PPTP clients have addresses in that range). The
!192.168.1.0/24 exclusion on the ppp+ entries prevents masquerading of traffic
destined for my PPTP clients.
#INTERFACE              SUBNET
eth0                    192.168.1.0/24
eth0                    192.168.2.0/24
ppp+:!192.168.1.0/24    192.168.1.0/24
ppp+:!192.168.1.0/24    192.168.2.0/24
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
Rules File:
#RESULT     CLIENT(S)   SERVER(S)           PROTO   PORT(S)                         CLIENT PORT(S)  ADDRESS
#
# Local Network to Internet - Reject attempts by Trojans to call home
#
REJECT:info loc         net                 tcp     6667
#
# Local Network to Firewall - Allow SSH, swat, time, NETBIOS
# noise and SNMP. I also run Squid on my firewall as a Transparent Proxy
#
ACCEPT      loc         fw                  tcp     ssh,swat,135,137:139,445,time
ACCEPT      loc         fw                  udp     137:139,snmp
ACCEPT      loc         fw::8080            tcp     http                            -               !206.191.149.206
#
# Local Network to DMZ - Allow SMTP, POP3, SSH, AUTH, PING, FTP, WWW
#
ACCEPT      loc         dmz                 udp     domain
ACCEPT      loc         dmz                 tcp     domain,smtp,ssh,auth
ACCEPT      loc         dmz                 icmp    echo-request
ACCEPT      loc         dmz:192.168.2.2     tcp     ftp,www,pop3                    -               206.191.149.206
#
# Internet to DMZ - Allow SMTP, WWW, FTP
#
ACCEPT      net         dmz:192.168.2.2     tcp     www,ftp,smtp                    -               all
ACCEPT      net         dmz:192.168.2.2     udp     domain                          -               all
#
# Net to Local -- ICQ
#
ACCEPT      net         loc:192.168.1.5     tcp     4000:4100                       -               all
#
# DMZ to Internet - Allow ping, SMTP, NTP, Auth, POP3 and DNS
#
# Note: 206.191.149.193 is the IP address of the stratum 2 time server that I
# sync to.
# Note: 206.191.151.2 is our ISP's POP3 server.
#
ACCEPT      dmz         net                 icmp    echo-request
ACCEPT      dmz         net                 tcp     smtp,auth,domain
ACCEPT      dmz         net:206.191.149.193 udp     ntp
ACCEPT      dmz         net:206.191.151.2   tcp     pop3
ACCEPT      dmz         net                 udp     domain
#
# DMZ to Firewall -- Silently reject Auth
#
REJECT      dmz         fw                  tcp     auth
#
# DMZ to Local Network - Allow SMTP, AUTH, PING, and NFS
#
ACCEPT      dmz         loc                 tcp     smtp,auth
ACCEPT      dmz         loc                 icmp    echo-request
#
# DMZ to Compaq -- DNS
#
ACCEPT      dmz         cpq                 udp     domain
ACCEPT      dmz         cpq                 tcp     domain,smtp
ACCEPT      dmz         cpq                 icmp    echo-request
#
# DMZ to Texas -- SMTP, POP3, AUTH and ping
#
ACCEPT      dmz         tx                  tcp     smtp,pop3,auth
ACCEPT      dmz         tx                  icmp    echo-request
#
# Texas to DMZ -- SMTP, POP3, AUTH and ping
#
ACCEPT      tx          dmz                 tcp     smtp,pop3,auth
ACCEPT      tx          dmz                 icmp    echo-request
#
# Internet to Firewall - Allow PPTP, Auth and SSH
#
ACCEPT      net         fw                  tcp     ssh,auth,1723
ACCEPT      net         fw                  gre
#
# Firewall to Internet - Allow NTP, DNS, PPTP, HTTP and Whois
#
ACCEPT      fw          net:206.191.149.193 udp     ntp
ACCEPT      fw          net                 udp     domain,33434:33500
ACCEPT      fw          net                 tcp     domain,www,ssh,1723,whois
ACCEPT      fw          net                 gre
ACCEPT      fw          net                 icmp    echo-request
#
# Firewall to DMZ - Reject NETBIOS noise but accept http, ftp and DNS
#
ACCEPT      fw          dmz                 tcp     http,ftp
ACCEPT      fw          dmz                 udp     domain
REJECT      fw          dmz                 udp     137:139
#
# Firewall to Compaq - Ping
#
ACCEPT      fw          cpq                 icmp    echo-request
#
# Allow Texas access to my personal system
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
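A rule only matters where it differs from the policy that would otherwise apply to its zone pair, and a few rules above (the dmz-to-fw and fw-to-dmz REJECTs) exist only to keep the logging catch-all quiet. The following Python script is an added example, not part of this page or of Shorewall; it replays the policy file's first-match lookup over a constructed subset of the policy and rules entries above and reports which rules are real exceptions and which merely suppress logging.

```python
# Added example, not from the page or from Shorewall: replays Shorewall's
# first-match policy lookup over a constructed subset of the policy and rules
# files above and classifies each rule against the policy behind it.
POLICY = """\
loc     net     ACCEPT
fw      loc     ACCEPT
tx      loc     REJECT
loc     tx      ACCEPT
net     all     DROP    info
all     all     REJECT  info
"""
RULES = """\
REJECT:info loc     net                tcp  6667
ACCEPT      loc     fw                 tcp  ssh,swat,135,137:139,445,time
ACCEPT      loc     fw::8080           tcp  http          -  !206.191.149.206
ACCEPT      net     dmz:192.168.2.2    tcp  www,ftp,smtp  -  all
REJECT      dmz     fw                 tcp  auth
REJECT      fw      dmz                udp  137:139
"""

def parse(text):
    """Whitespace-separated fields per line, skipping blanks and # comments."""
    return [ln.split() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]

def zone(field):
    return field.split(":", 1)[0]   # 'dmz:192.168.2.2', 'fw::8080' -> zone

def policy_for(client, server, policies):
    """Shorewall semantics: first matching policy line wins, 'all' is a wildcard."""
    for p in policies:
        if p[0] in (client, "all") and p[1] in (server, "all"):
            return p[2], (p[3] if len(p) > 3 else None)   # action, log level
    raise ValueError(f"no policy covers {client}->{server}")

def audit(rules_text=RULES, policy_text=POLICY):
    """Return (rule, policy_action, verdict) for every rule line."""
    policies, report = parse(policy_text), []
    for r in parse(rules_text):
        action = r[0].split(":", 1)[0]          # drop ':info' log level
        pol_action, pol_log = policy_for(zone(r[1]), zone(r[2]), policies)
        if action != pol_action:
            verdict = "exception to policy"
        elif pol_log:
            verdict = "same as policy; only suppresses logging"
        else:
            verdict = "redundant with policy"
        report.append((" ".join(r), pol_action, verdict))
    return report
```

Calling audit() shows the loc-to-net 6667 REJECT and the net-to-dmz ACCEPTs as exceptions to policy, while the two plain REJECT rules match the all/all REJECT policy and differ from it only by not logging.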
Last updated 8/28/2001 - Tom Eastep