My Shorewall Configuration

About My Network

I have DSL service and get my external IP address via DHCP. My DSL "modem" is connected through a 10Mb hub to eth0 (I can get up to 3 dynamic IP addresses and I also have an LRP-based firewall connected to this hub). I have a local network connected to eth2 (subnet 192.168.1.0/24) and a DMZ connected to eth1 (192.168.2.0/24).

The firewall runs on a 128MB PII/233 with RH7.1 and Kernel 2.4.9.

My personal system is 192.168.1.5 and all external icq connection requests are forwarded to that system.

There is a single system (192.168.2.2) in the DMZ and that system runs postfix, pop3, DNS, a Web server and an FTP server (Pure-ftpd). The system also runs fetchmail to fetch our email from our ISP.

The firewall system itself runs a DHCP server that serves the local network.

All administration and publishing is done using ssh/scp.

I run PoPToP on my firewall system for when I'm on the road with my Win2k laptop and the firewall serves as the endpoint of a PPTP tunnel to my employer (Compaq).

I run an snmp server on my firewall to serve MRTG running on my personal system.

I run Squid on my firewall and use it as a Transparent HTTP proxy.

Finally, the firewall acts as an IPSEC gateway to a peer network in Dallas Texas. I am using FreeS/Wan 1.91.

Note: My files use extensions made available in Shorewall version 1.1.12.

Zones File:

#ZONE  DISPLAY    COMMENTS
net    Internet   Internet
loc    Local      Local networks
dmz    DMZ        Demilitarized zone
tx     Texas      Peer network in Dallas
cpq    Compaq     Compaq Intranet
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

Interfaces File:

This is set up so that I can start the firewall before bringing up my Ethernet interfaces. It is important that 'loc' is defined before 'cpq' since 'loc' also uses a ppp interface (see hosts file below).

#ZONE    INTERFACE BROADCAST       OPTIONS
net      eth0      206.191.149.223 dhcp,norfc1918,routefilter,noping
loc      eth2      192.168.1.255   dhcp
dmz      eth1      192.168.2.255
tx       ipsec0    -
cpq      ppp+
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Hosts File: 

Note that PPTP clients connected to my firewall are treated as part of the local zone (loc). They are given IP addresses in the 192.168.1.0/24 subnet.

#ZONE HOST(S)             OPTIONS
dmz   eth1:192.168.2.2    routestopped
loc   eth2:192.168.1.0/24 routestopped
loc   ppp+:192.168.1.0/24
tx    ipsec0:192.168.9.0/24
##LAST LINE -- ADD YOUR ENTRIES ABOVE -- DO NOT REMOVE

Policy File:

#CLIENT SERVER POLICY LOG LEVEL
cpq     loc    ACCEPT
cpq     fw     DROP
fw      cpq    DROP
loc     cpq    ACCEPT
loc     net    ACCEPT
fw      loc    ACCEPT
fw      tx     ACCEPT
tx      loc    REJECT
loc     tx     ACCEPT
net     all    DROP   info
all     all    REJECT info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

Tunnels File (Gateway address falsified):

#TYPE  ZONE  GATEWAY         GATEWAY ZONE
ipsec  net   130.252.100.21  tx
#LAST LINE -- DO NOT REMOVE

Masq File:

Both my local network and my DMZ are masqueraded to the Internet. Outbound tunnel traffic to Compaq is also masqueraded (Compaq does not use 192.168.1.0/24, but my own PPTP clients have addresses in that range), so the ppp+ entries exclude 192.168.1.0/24 as a destination. That exclusion (the !192.168.1.0/24 in the INTERFACE column) prevents masquerading of traffic destined for my PPTP clients.

#INTERFACE                 SUBNET
eth0                       192.168.1.0/24
eth0                       192.168.2.0/24
ppp+:!192.168.1.0/24       192.168.1.0/24
ppp+:!192.168.1.0/24       192.168.2.0/24
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
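As an added example (my own script, not part of Tom's configuration and not Shorewall code), the following POSIX shell script evaluates a copy of the masq file above and reports whether a packet leaving a given interface from a given source to a given destination would be masqueraded. It assumes the column semantics stated in its comments (INTERFACE[:!EXCLUDED-NET] and SUBNET, first matching line wins, "ppp+" matching any interface whose name starts with "ppp"); the probe addresses, including the 203.0.113.10 stand-in for a Compaq host, are constructed.

```sh
#!/bin/sh
# Added example (my code, not from the original page or from Shorewall):
# decide from the masq file whether a packet leaving OUT_IFACE from SRC
# to DST would be masqueraded.
# Assumed semantics: column 1 is INTERFACE[:!EXCLUDED-NET], column 2 is
# SUBNET; "ppp+" matches ppp0, ppp1, ...; a line applies when the packet
# leaves INTERFACE from SUBNET and is not addressed to EXCLUDED-NET; the
# first applicable line wins.

MASQ_FILE=$(mktemp)
trap 'rm -f "$MASQ_FILE"' EXIT

# Constructed copy of the masq file from this page.
cat >"$MASQ_FILE" <<'EOF'
#INTERFACE                 SUBNET
eth0                       192.168.1.0/24
eth0                       192.168.2.0/24
ppp+:!192.168.1.0/24       192.168.1.0/24
ppp+:!192.168.1.0/24       192.168.2.0/24
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
EOF

# ip_to_int 192.168.1.5 -> 3232235781 (dotted quad as a 32-bit integer)
ip_to_int() {
    saved_ifs=$IFS; IFS=.
    set -- $1
    IFS=$saved_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_net ADDR NET[/BITS] -> exit status 0 when ADDR lies inside NET/BITS
in_net() {
    spec=$2
    case "$spec" in */*) ;; *) spec="$spec/32" ;; esac   # bare host => /32
    addr=$(ip_to_int "$1")
    net=$(ip_to_int "${spec%/*}")
    bits=${spec#*/}
    [ "$bits" -eq 0 ] && return 0
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# iface_matches PATTERN IFACE -> 0 when IFACE matches PATTERN ("ppp+" is a wildcard)
iface_matches() {
    case "$1" in
        *+) case "$2" in "${1%+}"*) return 0 ;; *) return 1 ;; esac ;;
        *)  [ "$1" = "$2" ] ;;
    esac
}

# masq_decision OUT_IFACE SRC DST -> prints MASQUERADE or NOMASQ
masq_decision() {
    verdict=$(grep -v '^#' "$MASQ_FILE" | while read -r ifcol subnet _rest; do
        [ -n "$ifcol" ] || continue
        iface=${ifcol%%:*}
        excl=
        case "$ifcol" in *:!*) excl=${ifcol#*:!} ;; esac
        iface_matches "$iface" "$1" || continue
        in_net "$2" "$subnet"      || continue
        if [ -n "$excl" ] && in_net "$3" "$excl"; then
            continue              # destination is excluded: this line does not apply
        fi
        echo MASQUERADE
        exit 0                    # first applicable line wins; leaves the subshell only
    done)
    echo "${verdict:-NOMASQ}"
}

# Constructed probes: 203.0.113.10 stands in for a Compaq host reached over
# the PPTP tunnel, 192.168.1.40 for one of my own PPTP clients.
for probe in "ppp0 192.168.1.5 203.0.113.10" "ppp0 192.168.1.5 192.168.1.40" \
             "eth0 192.168.2.2 203.0.113.10" "eth1 192.168.1.5 192.168.2.2"; do
    set -- $probe
    printf '%-5s %-14s -> %-14s : %s\n' "$1" "$2" "$3" "$(masq_decision "$1" "$2" "$3")"
done
```

The two ppp0 probes show the point of the exclusion: the same local host is masqueraded toward 203.0.113.10 but not toward 192.168.1.40, so replies from a PPTP client still see the real local source address.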

Rules File:


#RESULT CLIENT(S) SERVER(S)       PROTO PORT(S) CLIENT PORT(S) ADDRESS
#
# Local Network to Internet - Reject attempts by Trojans to call home
#
REJECT:info loc   net             tcp   6667
#
# Local Network to Firewall - Allow SSH, swat, time, NETBIOS
# noise and SNMP. I also run Squid on my firewall as a Transparent Proxy
#
ACCEPT  loc       fw              tcp   ssh,swat,135,137:139,445,time
ACCEPT  loc       fw              udp   137:139,snmp
ACCEPT  loc       fw::8080        tcp   http    -              !206.191.149.206
#
# Local Network to DMZ - Allow DNS, SMTP, SSH, AUTH, PING, FTP, WWW and POP3
#
ACCEPT  loc       dmz             udp   domain
ACCEPT  loc       dmz             tcp   domain,smtp,ssh,auth
ACCEPT  loc       dmz             icmp  echo-request
ACCEPT  loc       dmz:192.168.2.2 tcp   ftp,www,pop3 -         206.191.149.206
#
#
# Internet to DMZ - Allow SMTP, WWW, FTP and DNS
#
ACCEPT  net       dmz:192.168.2.2 tcp   www,ftp,smtp -         all
ACCEPT  net       dmz:192.168.2.2 udp   domain  -              all
#
# Net to Local -- ICQ
#
ACCEPT  net       loc:192.168.1.5 tcp   4000:4100 -            all
#
# DMZ to Internet - Allow ping, SMTP, NTP, Auth, POP3 and DNS
#
# Note: 206.191.149.193 is the IP address of the stratum 2 time server that I
#       sync to.
# Note: 206.191.151.2 is our ISP's POP3 server.
#
ACCEPT  dmz       net                 icmp  echo-request
ACCEPT  dmz       net                 tcp   smtp,auth,domain
ACCEPT  dmz       net:206.191.149.193 udp   ntp
ACCEPT  dmz       net:206.191.151.2   tcp   pop3
ACCEPT  dmz       net                 udp   domain
#
# DMZ to Firewall -- Silently reject Auth
#
REJECT  dmz       fw                  tcp   auth
#
# DMZ to Local Network - Allow SMTP, AUTH and PING
#
ACCEPT  dmz       loc             tcp   smtp,auth
ACCEPT  dmz       loc             icmp  echo-request

#
# DMZ to Compaq -- DNS
#
ACCEPT  dmz        cpq            udp   domain
ACCEPT  dmz        cpq            tcp   domain,smtp
ACCEPT  dmz        cpq            icmp  echo-request
#
# DMZ to Texas -- SMTP, POP3, AUTH and ping
#
ACCEPT  dmz        tx             tcp   smtp,pop3,auth
ACCEPT  dmz        tx             icmp  echo-request
#
# Texas to DMZ -- SMTP, POP3, AUTH and ping
#
ACCEPT  tx         dmz            tcp   smtp,pop3,auth
ACCEPT  tx         dmz            icmp  echo-request
#
# Internet to Firewall - Allow PPTP, Auth and SSH
#
ACCEPT  net        fw             tcp   ssh,auth,1723
ACCEPT  net        fw             gre
#
# Firewall to Internet - Allow NTP, DNS, traceroute, HTTP, SSH, PPTP, Whois and ping
#
ACCEPT  fw         net:206.191.149.193 udp ntp
ACCEPT  fw         net            udp   domain,33434:33500
ACCEPT  fw         net            tcp   domain,www,ssh,1723,whois
ACCEPT  fw         net            gre
ACCEPT  fw         net            icmp  echo-request
#
# Firewall to DMZ - Reject NETBIOS noise but accept http, ftp and DNS
#
ACCEPT  fw         dmz            tcp   http,ftp
ACCEPT  fw         dmz            udp   domain
REJECT  fw         dmz            udp   137:139
#
# Firewall to Compaq - Ping
#
ACCEPT  fw         cpq            icmp  echo-request
#
# Allow Texas access to my personal system


#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
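An added example covering the Policy and Rules files above (my script, not Tom's and not Shorewall's own code). It answers two questions I always want answered before trusting a Shorewall policy file: which policy line actually governs a given zone pair once the "all" wildcards and first-match ordering are taken into account (here, for instance, tx -> fw falls through to "all all REJECT", while net -> dmz hits "net all DROP"), and whether any zone name used in policy or rules was never declared in zones. The zones and policy files are copies of the ones on this page; the rules file is abridged and has one constructed line with a misspelled zone ("texas") so the check has something to report.

```sh
#!/bin/sh
# Added example (my code, not from the original page or from Shorewall):
# policy_for CLIENT SERVER  -> policy governing that zone pair, using the
#                             first matching policy line with "all" as wildcard
# undeclared_zones          -> zone names used in policy/rules but not in zones
# zone_declared NAME        -> status 0 when NAME is declared, "fw" or "all"
# Assumptions: column layout exactly as in the files on this page; "fw" is the
# firewall zone and "all" the wildcard.

DIR=$(mktemp -d)
trap 'rm -rf "$DIR"' EXIT

# Constructed copies of the zones and policy files from this page.
cat >"$DIR/zones" <<'EOF'
#ZONE  DISPLAY    COMMENTS
net    Internet   Internet
loc    Local      Local networks
dmz    DMZ        Demilitarized zone
tx     Texas      Peer network in Dallas
cpq    Compaq     Compaq Intranet
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
EOF
cat >"$DIR/policy" <<'EOF'
#CLIENT SERVER POLICY LOG LEVEL
cpq     loc    ACCEPT
cpq     fw     DROP
fw      cpq    DROP
loc     cpq    ACCEPT
loc     net    ACCEPT
fw      loc    ACCEPT
fw      tx     ACCEPT
tx      loc    REJECT
loc     tx     ACCEPT
net     all    DROP   info
all     all    REJECT info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
EOF
# Abridged rules file plus one constructed line whose zone is misspelled.
cat >"$DIR/rules" <<'EOF'
#RESULT CLIENT(S) SERVER(S)       PROTO PORT(S) CLIENT PORT(S) ADDRESS
REJECT:info loc   net             tcp   6667
ACCEPT  net       dmz:192.168.2.2 tcp   www,ftp,smtp -         all
ACCEPT  loc       fw::8080        tcp   http    -              !206.191.149.206
ACCEPT  dmz       texas           tcp   smtp,pop3,auth
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
EOF

zone_declared() {
    case "$1" in fw|all) return 0 ;; esac
    grep -v '^#' "$DIR/zones" |
        awk -v z="$1" '$1 == z { found = 1 } END { exit !found }'
}

policy_for() {
    grep -v '^#' "$DIR/policy" | awk -v c="$1" -v s="$2" '
        NF >= 3 && ($1 == c || $1 == "all") && ($2 == s || $2 == "all") {
            print $3; exit        # first matching line wins
        }'
}

undeclared_zones() {
    { grep -v '^#' "$DIR/policy" | awk 'NF >= 3 { print $1; print $2 }'
      grep -v '^#' "$DIR/rules"  | awk 'NF >= 3 { print $2; print $3 }'
    } | sed 's/:.*//' | sort -u | while read -r z; do   # drop :host qualifiers
        zone_declared "$z" || echo "$z"
    done
}

for pair in "tx fw" "net dmz" "dmz net" "fw dmz" "cpq fw"; do
    set -- $pair
    printf '%-4s -> %-4s : %s\n' "$1" "$2" "$(policy_for "$1" "$2")"
done
printf 'undeclared zones: %s\n' "$(undeclared_zones)"
```

The dmz -> net and fw -> dmz results (both REJECT from the catch-all) are why the rules file needs explicit ACCEPT lines for DMZ outbound mail and DNS and for the firewall's own access to the DMZ: nothing in the policy file permits them.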


Last updated 8/28/2001 - Tom Eastep