This is my first attempt at setting up a DMZ so I am
admitting now that I probably got it all wrong. That said, I am hoping
someone on the list can point out where I have made my mistakes and point me
in the right direction. Here is what I am attempting to accomplish.
Internet -----> eth0 [Bering box running Shorewall] -----> eth1 (loc zone)
                                                    -----> eth2 (dmz zone)
GOAL IS:
TO ALLOW ALL INTERNET TRAFFIC INTO MY DMZ
TO ALLOW DMZ ACCESS TO THE INTERNET (BUT TO LOG IT)
TO ALLOW LOC ZONE OPEN ACCESS TO DMZ
TO BLOCK ALL TRAFFIC FROM DMZ TO LOC ZONE and log it if it
tries to connect to loc zone.
TO ALLOW DNSCACHE AND DHCPD TO WORK FOR BOTH ZONES.
I thought I had it all working until I attempted to do an
ftp file transfer between my windoz systems on the loc zone to my Linux
server in the dmz zone. My transfer rate was terrible and FTP kept giving me
a "cannot connect to data socket" error. Even attempting an ftp transfer
from a remote server was failing. Please keep in mind that this is my first
attempt at this and I have tried to follow the shorewall howto for setting
up three interfaces but I am pretty sure I goofed. PLEASE HELP! I have
included all the info that I think is pertinent but if you require more
please let me know and I will provide it. Thanks in advance.
Troy
#
# Shorewall 1.3 /etc/shorewall/zones
#
# This file determines your network zones. Columns are:
#
# ZONE Short name of the zone
# DISPLAY Display name of the zone
# COMMENTS Comments about the zone
#
# $<variable-name> is not permitted in this file.
#
#ZONE DISPLAY COMMENTS
net Net Internet
loc Local Local networks
dmz dmz Demilitarized networks
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
#
# Shorewall version 1.3 - Rules File
#
# /etc/shorewall/rules
# Accept DNS connections from the firewall to the network
#
ACCEPT fw net tcp 53
ACCEPT fw net udp 53
#
# Accept SSH connections from the local network for administration
#
ACCEPT loc fw tcp 22
# DNAT all traffic from the net to my web server
DNAT net dmz:192.168.2.25 tcp -
DNAT net dmz:192.168.2.25 udp -
# Bering specific rules:
# allow loc to fw udp/53 for dnscache to work
# allow loc to fw tcp/80 for weblet to work
#
ACCEPT loc fw udp 53
ACCEPT loc fw tcp 80
ACCEPT loc fw udp 67
ACCEPT loc fw udp 68
# Bering specific rules:
# allow dmz to fw udp/53 for dnscache to work
# allow dmz to fw tcp/80 for weblet to work
#
ACCEPT dmz fw udp 53
ACCEPT dmz fw tcp 80
ACCEPT dmz fw udp 67
ACCEPT dmz fw udp 68
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
#
# Shorewall 1.3 - Masquerade file
#
# /etc/shorewall/masq
#
##############################################################################
#INTERFACE SUBNET ADDRESS
eth0 eth1
eth0 eth2
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
#
# Shorewall 1.3 -- Interfaces File
#
# /etc/shorewall/interfaces
#
##############################################################################
#ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect dhcp,routefilter,norfc1918,noping
loc eth1 detect routestopped
dmz eth2 detect routestopped
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
##############################################################################
# /etc/shorewall/shorewall.conf V1.3 - Change the following variables to
# match your setup
#
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
#
# This file should be placed in /etc/shorewall
#
# (c) 1999,2000,2001,2002 - Tom Eastep ([EMAIL PROTECTED])
##############################################################################
#
# Name of the firewall zone -- if not set or if set to an empty string, "fw"
# is assumed.
#
FW=fw
# Set this to the name of the lock file expected by your init scripts. For
# RedHat, this should be /var/lock/subsys/shorewall. On Debian, it
# should be /var/state/shorewall. If your init scripts don't use lock files,
# set this to "".
#
SUBSYSLOCK=/var/run/shorwall
# This is the directory where the firewall maintains state information while
# it is running
#
STATEDIR=/var/lib/shorewall
#
# Set this to "yes" or "Yes" if you want to accept all connection requests
# that are related to already established connections. For example, you want
# to accept FTP data connections. If you say "no" here, then to accept
# these connections between particular zones or hosts, you must include
# explicit "related" rules in /etc/shorewall/rules.
#
ALLOWRELATED="yes"
#
# If your netfilter kernel modules are in a directory other than
# /lib/modules/`uname -r`/kernel/net/ipv4/netfilter then specify that
# directory in this variable. Example: MODULESDIR=/etc/modules.
MODULESDIR=""
#
# The next two variables can be used to control the amount of log output
# generated. LOGRATE is expressed as a number followed by an optional
# `/second', `/minute', `/hour', or `/day' suffix and specifies the maximum
# rate at which a particular message will occur. LOGBURST determines the
# maximum initial burst size that will be logged. If set empty, the default
# value of 5 will be used.
#
# If BOTH variables are set empty then logging will not be rate-limited.
#
LOGRATE=""
LOGBURST=""
#
# This variable determines the level at which Mangled/Invalid packets are
# logged under the 'dropunclean' interface option. If you set this variable
# to an empty value (e.g., LOGUNCLEAN= ), Mangled/Invalid packets will be
# dropped silently.
#
LOGUNCLEAN=info
# This variable tells the /sbin/shorewall program where to look for Shorewall
# log messages. If not set or set to an empty string (e.g., LOGFILE="") then
# /var/log/messages is assumed.
#
# WARNING: The LOGFILE variable simply tells the 'shorewall' program where to
# look for Shorewall messages. It does NOT control the destination for
# these messages. For information about how to do that, see
#
# http://www.shorewall.net/FAQ.htm#faq6
LOGFILE="/var/log/messages"
#
# Enable nat support.
#
# You probably want yes here. Only gateways not doing NAT in any form, like
# SNAT, DNAT, masquerading, port forwarding etc. should say "no" here.
#
NAT_ENABLED="Yes"
#
# Enable mangle support.
#
# If you say "no" here, Shorewall will ignore the /etc/shorewall/tos file
# and will not initialize the mangle table when starting or stopping
# your firewall. You must enable mangling if you want Traffic Shaping
# (see TC_ENABLED below).
#
MANGLE_ENABLED="Yes"
#
# Enable IP Forwarding
#
# If you say "On" or "on" here, IPV4 Packet Forwarding is enabled. If you
# say "Off" or "off", packet forwarding will be disabled. You would only want
# to disable packet forwarding if you are installing Shorewall on a
# standalone system or if you want all traffic through the Shorewall system
# to be handled by proxies.
#
# If you set this variable to "Keep" or "keep", Shorewall will neither
# enable nor disable packet forwarding.
#
IP_FORWARDING="On"
#
# Automatically add IP Aliases
#
# If you say "Yes" or "yes" here, Shorewall will automatically add IP aliases
# for each NAT external address that you give in /etc/shorewall/nat. If you
# say "No" or "no", you must add these aliases yourself.
#
ADD_IP_ALIASES="Yes"
#
# Automatically add SNAT Aliases
#
# If you say "Yes" or "yes" here, Shorewall will automatically add IP aliases
# for each SNAT external address that you give in /etc/shorewall/masq. If
# you say "No" or "no", you must add these aliases yourself.
#
ADD_SNAT_ALIASES="No"
#
# Enable Traffic Shaping
#
# If you say "Yes" or "yes" here, Traffic Shaping is enabled in the firewall.
# If you say "No" or "no" then traffic shaping is not enabled. If you enable
# traffic shaping you must have iproute[2] installed (the "ip" and "tc"
# utilities) and you must enable packet mangling above.
#
TC_ENABLED="No"
#
# Blacklisting
#
# Set this variable to the action that you want to perform on packets from
# Blacklisted systems. Must be DROP or REJECT. If not set or set to empty,
# DROP is assumed.
#
BLACKLIST_DISPOSITION=DROP
#
# Blacklist Logging
#
# Set this variable to the syslogd level that you want blacklist packets
# logged (beware of DOS attacks resulting from such logging). If not set, no
# logging of blacklist packets occurs.
#
BLACKLIST_LOGLEVEL=
#
# MSS Clamping
#
# Set this variable to "Yes" or "yes" if you want the TCP "Clamp MSS to PMTU"
# option. This option is most commonly required when your internet
# interface is some variant of PPP (PPTP or PPPoE). Your kernel must
# have CONFIG_IP_NF_TARGET_TCPMSS set.
#
# [From the kernel help:
#
# This option adds a `TCPMSS' target, which allows you to alter the
# MSS value of TCP SYN packets, to control the maximum size for that
# connection (usually limiting it to your outgoing interface's MTU
# minus 40).
#
# This is used to overcome criminally braindead ISPs or servers which
# block ICMP Fragmentation Needed packets. The symptoms of this
# problem are that everything works fine from your Linux
# firewall/router, but machines behind it can never exchange large
# packets:
# 1) Web browsers connect, then hang with no data received.
# 2) Small mail works fine, but large emails hang.
# 3) ssh works fine, but scp hangs after initial handshaking.
# ]
#
# If left blank, or set to "No" or "no", the option is not enabled.
#
CLAMPMSS="No"
#
# Route Filtering
#
# Set this variable to "Yes" or "yes" if you want kernel route filtering on
# all interfaces.
#
ROUTE_FILTER="No"
#
# NAT before RULES
#
# Shorewall has traditionally processed static NAT rules before port
# forwarding rules. If you would like to reverse the order, set this
# variable to "No".
#
# If this variable is not set or is set to the empty value, "Yes" is
# assumed.
NAT_BEFORE_RULES="Yes"
#LAST LINE -- DO NOT REMOVE
# /etc/network/interfaces -- configuration file for LEAF network
# J. Nilo, April 2002
#
# Loopback interface.
auto lo
iface lo inet loopback
# Step 1: configure external interface
# uncomment/adjust one of the following 4 options
# Option 1.1 (default): eth0 / dynamic IP from pump/dhclient
auto eth0
iface eth0 inet dhcp
# Step 2: configure internal interface
# Default: eth1 / fixed IP = 192.168.1.254
auto eth1
iface eth1 inet static
    address 192.168.1.254
    masklen 24
    broadcast 192.168.1.255
# Step 3 (optional): configure DMZ
# Default: eth2 / fixed IP = 192.168.1.100
auto eth2
iface eth2 inet static
    address 192.168.2.254
    masklen 24
    broadcast 192.168.2.255
    gateway 192.168.1.254
# /etc/hosts.allow: list of hosts that are allowed to access the system.
# See hosts_access(5) and /usr/doc/net/portmapper.txt
#
# Example: ALL: LOCAL @some_netgroup
# ALL: .foobar.edu EXCEPT terminalserver.foobar.edu
#
# Allow anything from the local net
ALL: 192.168.1.0/255.255.255.0
# Allow anything from the dmz
ALL: 192.168.2.0/255.255.255.0
/etc/hosts
127.0.0.1 localhost
192.168.1.254 firewall
192.168.2.254 dmz
/etc/dnscache/env/IP
192.168.1.254
192.168.2.254
/etc/dhcpd.conf
dynamic-bootp-lease-length 604800;
max-lease-time 1209600;
subnet 192.168.1.0 netmask 255.255.255.0 {
option routers 192.168.1.254;
option domain-name "MY.network";
option domain-name-servers 192.168.1.254,128.233.3.2,128.233.3.1;
range 192.168.1.1 192.168.1.199;
}
subnet 192.168.2.0 netmask 255.255.255.0 {
option routers 192.168.2.254;
option domain-name "MY-dmz.network";
option domain-name-servers 192.168.1.254,128.233.3.2,128.233.3.1;
range 192.168.2.1 192.168.2.199;
}
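The goals listed at the top of the post describe zone-to-zone policy, and in Shorewall that lives in /etc/shorewall/policy, a file the post does not include. What follows is an added example of a Shorewall 1.3 policy file that implements those stated goals; it is written for this page and is not Troy's configuration or a file from the Shorewall or Bering distributions. The zone names come from the posted zones file; the choice of "info" as the log level is an assumption.

```text
#
# Shorewall 1.3 -- Policy File (added example matching the goals above)
#
# /etc/shorewall/policy
#
# THE ORDER OF ENTRIES IN THIS FILE IS IMPORTANT: the first SOURCE/DEST
# pair that matches wins, so the specific zone pairs must precede "all".
# A policy only applies to connections that no entry in
# /etc/shorewall/rules has already ACCEPTed, DNATed or rejected.
#
#SOURCE   DEST   POLICY   LOG LEVEL
# loc may open connections to the Internet and to the DMZ
loc       net    ACCEPT
loc       dmz    ACCEPT
# the DMZ may reach the Internet, but every new connection is logged
dmz       net    ACCEPT   info
# the DMZ may never open a connection into loc; log each attempt
dmz       loc    DROP     info
# anything else arriving from the Internet is dropped and logged
# (the DNAT net->dmz entries in the rules file are matched first)
net       all    DROP     info
# catch-all, including traffic to and from the firewall itself;
# the ACCEPT loc/dmz -> fw entries in the rules file punch the holes
all       all    REJECT   info
#LAST LINE -- DO NOT REMOVE
```

One caveat when reading "dmz loc DROP" against the FTP symptom: that line governs new connections only. With ALLOWRELATED="yes" Shorewall accepts connections the kernel has marked RELATED, but the kernel marks an FTP data connection RELATED only when the ip_conntrack_ftp helper module is loaded (and ip_nat_ftp as well for the NATed net->dmz path); without those modules, an active-mode data connection from the DMZ server back to a loc client is just a new dmz->loc connection and is dropped by this policy.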
------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html