About My Network

Tom Eastep

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled “GNU Free Documentation License”.

2004-04-03

My Current Network

Caution

I use a combination of One-to-one NAT and Proxy ARP, neither of which are relevant to a simple configuration with a single public IP address. If you have just a single public IP address, most of what you see here won't apply to your setup so beware of copying parts of this configuration and expecting them to work for you. What you copy may or may not work in your configuration.

Caution

The configuration shown here corresponds to Shorewall version 2.0.1 (that's right -- I am running a version of Shorewall that is not yet released). My configuration uses features not available in earlier Shorewall releases.

I have DSL service and have 5 static IP addresses (206.124.146.176-180). My DSL “modem” (Fujitsu Speedport) is connected to eth0. I have a local network connected to eth2 (subnet 192.168.1.0/24) and a DMZ connected to eth1 (206.124.146.176/32). Note that the IP address of eth1 is a duplicate of one on eth0.

In this configuration:

I use one-to-one NAT for Ursa (my personal system that dual-boots Mandrake 9.2 and Windows XP) - Internal address 192.168.1.5 and external address 206.124.146.178.
I use one-to-one NAT for EastepLaptop (My work system -- Windows XP SP2). Internal address 192.168.1.7 and external address 206.124.146.180.
I use SNAT through 206.124.146.179 for my SuSE 9.0 Linux system (Wookie), my Wife's Windows XP system (Tarry), and our Windows XP laptop (Tipper) which connects through the Wireless Access Point (wap) via a Wireless Bridge (wet).
Note
While the distance between the WAP and where I usually use the laptop isn't very far (25 feet or so), using a WAC11 (CardBus wireless card) has proved very unsatisfactory (lots of lost connections). By replacing the WAC11 with the WET11 wireless bridge, I have virtually eliminated these problems (Being an old radio tinkerer (K7JPV), I was also able to eliminate the disconnects by hanging a piece of aluminum foil on the family room wall. Needless to say, my wife Tarry rejected that as a permanent solution :-).

I have Wookie (193.168.1.3) configured as a 3-port bridge. Squid runs on this system and is configured as a transparent proxy.

The firewall runs on a 256MB PII/233 with Debian Sarge (Testing).

Wookie and Ursa run Samba and the Wookie acts as a WINS server.

The wireless network connects to Wookie's eth2 via a LinkSys WAP11. In additional to using the rather weak WEP 40-bit encryption (64-bit with the 24-bit preamble), I use MAC verification. This is still a weak combination and if I lived near a wireless “hot spot”, I would probably add IPSEC or something similar to my WiFi->local connections.

The single system in the DMZ (address 206.124.146.177) runs postfix, Courier IMAP (imaps and pop3), DNS, a Web server (Apache) and an FTP server (Pure-ftpd) under RedHat 9.0. The system also runs fetchmail to fetch our email from our old and current ISPs. That server is managed through Proxy ARP.

The firewall system itself runs a DHCP server that serves the local network.

All administration and publishing is done using ssh/scp. I have a desktop environment installed on the firewall but I am not usually logged in to it. X applications tunnel through SSH to Ursa. The server also has a desktop environment installed and that desktop environment is available via XDMCP from the local zone. For the most part though, X tunneled through SSH is used for server administration and the server runs at run level 3 (multi-user console mode on RedHat).

I run an SNMP server on my firewall to serve MRTG running in the DMZ.

The ethernet interface in the Server is configured with IP address 206.124.146.177, netmask 255.255.255.0. The server's default gateway is 206.124.146.254 (Router at my ISP. This is the same default gateway used by the firewall itself). On the firewall, an entry in my /etc/network/interfaces file (see below) adds a host route to 206.124.146.177 through eth1 when that interface is brought up.

Tarry (192.168.1.4) runs a PPTP server for Road Warrior access.

Firewall Configuration

Shorewall.conf

LOGFILE=/var/log/messages
LOGRATE=
LOGBURST=
LOGUNCLEAN=$LOG
BLACKLIST_LOGLEVEL=
LOGNEWNOTSYN=$LOG
MACLIST_LOG_LEVEL=$LOG
TCP_FLAGS_LOG_LEVEL=$LOG
RFC1918_LOG_LEVEL=$LOG
SMURF_LOG_LEVEL=
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
SHOREWALL_SHELL=/bin/ash
SUBSYSLOCK=               #I run Debian which doesn't use service locks
STATEDIR=/var/state/shorewall
MODULESDIR=
FW=fw
IP_FORWARDING=On
ADD_IP_ALIASES=Yes
ADD_SNAT_ALIASES=Yes
TC_ENABLED=Yes
CLEAR_TC=No
MARK_IN_FORWARD_CHAIN=No
CLAMPMSS=Yes
ROUTE_FILTER=No
DETECT_DNAT_IPADDRS=Yes
MUTEX_TIMEOUT=60
NEWNOTSYN=Yes
BLACKLISTNEWONLY=Yes
BLACKLIST_DISPOSITION=DROP
MACLIST_DISPOSITION=REJECT
TCP_FLAGS_DISPOSITION=DROP

Params File (Edited)

MIRRORS=<list of shorewall mirror ip addresses>
NTPSERVERS=<list of the NTP servers I sync with>
TEXAS=<ip address of gateway in Dallas>
LOG=info

Zones File

#ZONE   DISPLAY         COMMENTS
net     Internet        Internet
dmz     DMZ             Demilitarized zone
loc     Local           Local networks
tx      Texas           Peer Network in Dallas
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

Interfaces File

This is set up so that I can start the firewall before bringing up my Ethernet interfaces.

#ZONE   INERFACE        BROADCAST       OPTIONS
net     eth0            206.124.146.255 dhcp,norfc1918,routefilter,blacklist,tcpflags,nosmurfs
loc     eth2            192.168.1.255   dhcp,detectnets
dmz     eth1            -
-       texas           192.168.9.255
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

Hosts File

#ZONE           HOST(S)                 OPTIONS
tx              texas:192.168.8.0/22
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

Routestopped File

#INTERFACE      HOST(S)
eth1            206.124.146.177
eth2            -
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

RFC1918 File

I use a stripped-down file which doesn't have to be updated when the IANA allocates a block of IP addresses.

#SUBNET                 TARGET
169.254.0.0/16          DROP            # DHCP autoconfig
172.16.0.0/12           logdrop         # RFC 1918
192.0.2.0/24            logdrop         # Example addresses
192.168.0.0/16          logdrop         # RFC 1918
10.24.60.56             DROP            # Some idiot in my broadcast domain
                                        # has a box configured with this
                                        # address.
10.0.0.0/8              logdrop         # Reserved (RFC 1918)

Blacklist File (Partial)

#ADDRESS/SUBNET         PROTOCOL        PORT
0.0.0.0/0               udp             1434
0.0.0.0/0               tcp             1433
0.0.0.0/0               tcp             3127
0.0.0.0/0               tcp             8081
0.0.0.0/0               tcp             57
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

Policy File

#SOURCE         DESTINATION     POLICY          LOG LEVEL       BURST:LIMIT
fw              fw              ACCEPT                                    # For testing fw->fw rules
loc             net             ACCEPT                                    # Allow all net traffic from local net
$FW             loc             ACCEPT                                    # Allow local access from the firewall
$FW             tx              ACCEPT                                    # Allow firewall access to texas
loc             tx              ACCEPT                                    # Allow local net access to texas
loc             fw              REJECT          $LOG                      # Reject loc->fw and log
net             all             DROP            $LOG            10/sec:40 # Rate limit and
                                                                          # DROP net->all
all             all             REJECT          $LOG                      # Reject and log the rest
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

Masq File

Although most of our internal systems use one-to-one NAT, my wife's system (192.168.1.4) uses IP Masquerading (actually SNAT) as do my SuSE system (192.168.1.3), our laptop (192.168.3.8) and visitors with laptops.
#INTERFACE              SUBNET          ADDRESS
eth0:2                  eth2            206.124.146.179
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

NAT File

#EXTERNAL       INTERFACE       INTERNAL        ALL INTERFACES          LOCAL
206.124.146.178 eth0:0          192.168.1.5     No                      No
206.124.146.180 eth0:1          192.168.1.7     No                      No
#
# The following entry allows the server to be accessed through an address in
# the local network. This is convenient when I'm on the road and connected
# to the PPTP server. By doing this, I don't need to set my client's default
# gateway to route through the tunnel.
#
192.168.1.193   eth2:0          206.124.146.177 No                      No
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

Proxy ARP File

#ADDRESS                INTERFACE       EXTERNAL        HAVEROUTE          PERSISTENT
206.124.146.177         eth1            eth0            Yes
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Tunnels File (Shell variable TEXAS set in /etc/shorewall/params)

#TYPE                   ZONE    GATEWAY         GATEWAY ZONE    PORT
gre                     net     $TEXAS
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Actions File

#ACTION
Mirrors             #Accept traffic from the Shorewall Mirror sites
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

action.Mirrors File

The $MIRRORS variable expands to a list of approximately 10 IP addresses. So moving these checks into a separate chain reduces the number of rules that most net->dmz traffic needs to traverse.
#TARGET  SOURCE         DEST            PROTO   DEST    SOURCE     ORIGINAL     RATE
#                                               PORT    PORT(S)    DEST         LIMIT
ACCEPT   $MIRRORS                      
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

/etc/shorewall/action.Drop

This is my common action for the DROP policy. It is like the standard Drop action except that it allows “Ping”.
#TARGET  SOURCE     DEST          PROTO   DEST      SOURCE      RATE         USER/
#                                         PORT(S)   PORT(S)     LIMIT        GROUP
RejectAuth
AllowPing
dropBcast
DropSMB
DropUPnP
dropNonSyn
DropDNSrep

/etc/shorewall/action.Reject

This is my common action for the REJECT policy. It is like the standard Reject action except that it allows “Ping” and contains one rule that guards against log flooding by broken software running in my local zone.
#TARGET  SOURCE     DEST          PROTO   DEST      SOURCE      RATE         USER/
#                                         PORT(S)   PORT(S)     LIMIT        GROUP
RejectAuth
AllowPing
dropBcast
RejectSMB
DropUPnP
dropNonSyn
DropDNSrep
DROP      loc:eth2:!192.168.1.0/24       #So that my braindead Windows[tm] XP system doesn't flood my log
                                         #with NTP requests with a source address in 16.0.0.0/8 (address of
                                         #its PPTP tunnel to HP).

Rules File (The shell variables are set in /etc/shorewall/params)

###############################################################################################################################################################################
#RESULT         CLIENT(S)                       SERVER(S)               PROTO   PORT(S)                                 CLIENT          ORIGINAL        RATE    USER
#                                                                                                                       PORT(S)         DEST:SNAT               SET
###############################################################################################################################################################################
# Local Network to Internet - Reject attempts by Trojans to call home
#
REJECT:$LOG     loc                             net                     tcp     6667
#
# Stop NETBIOS crap since our policy is ACCEPT
#
REJECT          loc                             net                     tcp     137,445
REJECT          loc                             net                     udp     137:139
#
QUEUE           loc                             net                     udp
QUEUE           loc                             fw                      udp
QUEUE           loc                             net                     tcp
###############################################################################################################################################################################
# Local Network to Firewall
#
ACCEPT          loc                             fw                      tcp     ssh,time
ACCEPT          loc                             fw                      udp     snmp,ntp
###############################################################################################################################################################################
# Local Network to DMZ
#
REJECT          loc                             dmz                     tcp     465
ACCEPT          loc                             dmz                     udp     domain,xdmcp
ACCEPT          loc                             dmz                     tcp     www,smtp,domain,ssh,imap,https,imaps,cvspserver,ftp,10000,8080,10027,pop3       -
###############################################################################################################################################################################
# Internet to DMZ
#
DNAT-           net                             dmz:206.124.146.177     tcp     smtp                                    -               206.124.146.179,206.124.146.178
ACCEPT          net                             dmz                     tcp     smtp,www,ftp,imaps,domain,cvspserver,https      -
ACCEPT          net                             dmz                     udp     domain
ACCEPT          net                             dmz                     udp     33434:33436
Mirrors         net                             dmz                     tcp     rsync
#ACCEPT:$LOG    net                             dmz                     tcp     32768:61000                             20
###############################################################################################################################################################################
#
# Net to Local
#
# When I'm "on the road", the following two rules allow me VPN access back home.
#
DNAT            net                             loc:192.168.1.4         tcp     1723
DNAT            net                             loc:192.168.1.4         gre
#
# ICQ
#
ACCEPT          net                             loc:192.168.1.5         tcp     4000:4100
#
# Real Audio
#
ACCEPT          net                             loc:192.168.1.5         udp     6970:7170
#
# Overnet
#
#ACCEPT         net                             loc:192.168.1.5         tcp     4662
#ACCEPT         net                             loc:192.168.1.5         udp     12112
###############################################################################################################################################################################
# DMZ to Internet
#
ACCEPT          dmz                             net                     tcp     smtp,domain,www,https,whois,echo,2702,21,2703,ssh,8080
ACCEPT          dmz                             net                     udp     domain
ACCEPT          dmz                             net:$POPSERVERS         tcp     pop3
#ACCEPT         dmz                             net:206.191.151.2       tcp     pop3
#ACCEPT         dmz                             net:66.216.26.115       tcp     pop3
#
# Something is wrong with the FTP connection tracking code or there is some client out there
# that is sending a PORT command which that code doesn't understand. Either way,
# the following works around the problem.
#
ACCEPT:$LOG     dmz                             net                     tcp     1024:                                   20
###############################################################################################################################################################################
# DMZ to Firewall -- ntp & snmp, Silently reject Auth
#
ACCEPT          dmz                             fw                      udp     ntp                                     ntp
ACCEPT          dmz                             fw                      tcp     snmp,ssh
ACCEPT          dmz                             fw                      udp     snmp
REJECT          dmz                             fw                      tcp     auth
###############################################################################################################################################################################
# DMZ to Local Network
#
ACCEPT          dmz                             loc                     tcp     smtp,6001:6010
ACCEPT          dmz:206.124.146.177             loc:192.168.1.3         tcp     111
ACCEPT          dmz:206.124.146.177             loc:192.168.1.3         udp
###############################################################################################################################################################################
# Internet to Firewall
#
REJECT          net                             fw                      tcp     www
ACCEPT          net                             dmz                     udp     33434:33435

###############################################################################################################################################################################
# Firewall to Internet
#
ACCEPT          fw                              net:$NTPSERVERS         udp     ntp                                     ntp
#ACCEPT         fw                              net:$POPSERVERS         tcp     pop3
ACCEPT          fw                              net                     udp     domain
ACCEPT          fw                              net                     tcp     domain,www,https,ssh,1723,whois,1863,ftp,2702,2703,7
ACCEPT          fw                              net                     udp     33435:33535
ACCEPT          fw                              net                     icmp
###############################################################################################################################################################################
# Firewall to DMZ
#
ACCEPT          fw                              dmz                     tcp     www,ftp,ssh,smtp
ACCEPT          fw                              dmz                     udp     domain
REJECT          fw                              dmz                     udp     137:139
###############################################################################################################################################################################
# Ping
#
ACCEPT          all                             all                     icmp    8
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

/etc/network/interfaces

This file is Debian specific. My additional entry (which is displayed in bold type) adds a route to my DMZ server when eth1 is brought up. It allows me to enter “Yes” in the HAVEROUTE column of my Proxy ARP file.
...
auto eth1
iface eth1 inet static
        address 206.124.146.176
        netmask 255.255.255.255
        broadcast 0.0.0.0
        up ip route add 206.124.146.177 dev eth1
...

/etc/dhcpd.conf (MAC Addresses Omitted)

While this is a little off-topic, I've included it to show how to set up DHCP on two interfaces.

default-lease-time 67200; max-lease-time 67200;
get-lease-hostnames on;

group {
        option subnet-mask 255.255.255.0;
        option broadcast-address 192.168.1.255;
        option routers 192.168.1.254;
        option ntp-servers 192.168.1.254;
        option domain-name-servers 192.168.1.193;
        option netbios-name-servers 192.168.1.254;
        option domain-name "shorewall.net";
        option netbios-dd-server 192.168.1.254;
        option netbios-node-type 8;
        option netbios-scope "";

        subnet 192.168.1.0 netmask 255.255.255.0 {
                range 192.168.1.11 192.168.1.20;
        }

         host ursa.shorewall.net {
                hardware ethernet …;
                fixed-address 192.168.1.5;
        }

        host eastept1 {
                hardware ethernet …;
                fixed-address 192.168.1.7;
        }

        host tarry {
                hardware ethernet …;
                fixed-address 192.168.1.4;
        }

        host wookie.shorewall.net {
                hardware ethernet  …;
                fixed-address 192.168.1.3;
        }

        host testws.shorewall.net {
                hardware ethernet …;
                fixed-address 192.168.1.6;
        }

        host printer.shorewall.net {
                hardware ethernet …;
                fixed-address 192.168.1.10;
        }

}

group {
        option subnet-mask 255.255.255.0;
        option broadcast-address 192.168.3.255;
        option routers 192.168.3.254;
        option ntp-servers 192.168.3.254;
        option domain-name-servers 206.124.146.177;
        option netbios-name-servers 192.168.3.254;
        option domain-name "shorewall.net";
        option netbios-dd-server 192.168.3.254;
        option netbios-node-type 8;
        option netbios-scope "";

        subnet 192.168.3.0 netmask 255.255.255.0 {
                range 192.168.3.11 192.168.3.20;
        }

        host easteplaptop {
                hardware ethernet …;
                fixed-address 192.168.3.7;
        }

        host tipper.shorewall.net {
                hardware ethernet …;
                fixed-address 192.168.3.8;
        }

Bridge (Wookie) Configuration

As mentioned above, Wookie acts as a bridge. It's view of the network is diagrammed in the following figure.

I've included the files that I used to configure that system -- some of them are SuSE-specific.

The configuration on Wookie can be modified to test various bridging features -- otherwise, it serves to isolate the Wireless network from the rest of our systems.

shorewall.conf

Only the changes from the defaults are shown.
BRIDGING=Yes

zones

#ZONE   DISPLAY         COMMENTS
net     Net             Internet
loc     Local           Local networks
WiFi    WireLess        Wireless Network
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

policy

#SOURCE         DEST            POLICY          LOG             LIMIT:BURST
fw              fw              ACCEPT
loc             net             ACCEPT
net             loc             ACCEPT
net             fw              ACCEPT
loc             fw              ACCEPT
loc             WiFi            ACCEPT
fw              WiFi            ACCEPT
fw              net             ACCEPT
fw              loc             ACCEPT
#
# THE FOLLOWING POLICY MUST BE LAST
#
all             all             REJECT          info
#LAST LINE -- DO NOT REMOVE

interfaces

#ZONE    INTERFACE      BROADCAST       OPTIONS
-       br0             192.168.1.255
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

hosts

#ZONE           HOST(S)                         OPTIONS
net             br0:eth1
loc             br0:eth0
WiFi            br0:eth2                        maclist
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE

rules

The first rule allows a transparent WWW proxy (Squid) to run on my bridge/firewall. Squid listens on port 3128.

The remaining rules protect the local systems and bridge from the WiFi network. Note that we don't restrict WiFi→net traffic since the only directly-accessible system in the net zone is the firewall (Wookie and the Firewall are connected by a cross-over cable).

#ACTION    SOURCE          DEST            PROTO   DEST    SOURCE  ORIGINAL
#                                          PORT            PORT(S) DEST
REDIRECT   loc             3128            tcp     www     -       !192.168.1.0/24

ACCEPT     WiFi            loc             udp     137:139
ACCEPT     WiFi            loc             tcp     22,80,137,139,445,901,3389
ACCEPT     WiFi            loc             udp     1024:                                   137
ACCEPT     WiFi            loc             udp     177

ACCEPT     loc             WiFi            udp     137:139
ACCEPT     loc             WiFi            tcp     137,139,445
ACCEPT     loc             WiFi            udp     1024:                                   137
ACCEPT     loc             WiFi            tcp     6000:6010

ACCEPT     WiFi            fw              tcp     ssh,137,139,445
ACCEPT     WiFi            fw              udp     137:139,445
ACCEPT     WiFi            fw              udp     1024:                                   137
ACCEPT     WiFi            fw              udp     ntp

#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

routestopped

#INTERFACE      HOST(S)         OPTIONS
br0             0.0.0.0/0       routeback
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

maclist

#INTERFACE              MAC                     IP ADDRESSES (Optional)
br0:eth2                00:A0:1C:DB:0C:A0       192.168.1.7     #Work Laptop
br0:eth2                00:04:59:0e:85:b9                       #WAP11
br0:eth2                00:06:D5:45:33:3c                       #WET11
br0:eth2                00:0b:c1:53:cc:97       192.168.1.8     #TIPPER
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

/etc/init.d/bridge

This file is SuSE-specific and creates the bridge device br0. A script for other disbributions would be similar.

#!/bin/sh
################################################################################
#   Script to create a bridge between eth0, eth1 and eth2
#
#     This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
#
#     (c) 2004 - Tom Eastep (teastep@shorewall.net)
#
#   Modify the following variables to match your configuration
#
# chkconfig: 2345 05 89
# description: Layer 2 Bridge
#
################################################################################

PATH=$PATH:/sbin:/usr/sbin:/usr/local/sbin

do_stop() {
    echo "Stopping Bridge"
    brctl delbr br0
    ip link set eth0 down
    ip link set eth1 down
    ip link set eth2 down
}

do_start() {

      echo "Starting Bridge"
      ip link set eth0 up
      ip link set eth1 up
      ip link set eth2 up
      brctl addbr br0
      brctl addif br0 eth0
      brctl addif br0 eth1
      brctl addif br0 eth2
}

case "$1" in
  start)
      do_start
    ;;
  stop)
      do_stop
    ;;
  restart)
      do_stop
      sleep 1
      do_start
    ;;
  *)
    echo "Usage: $0 {start|stop|restart}"
    exit 1
esac
exit 0

/etc/sysconfig/network/ifcfg-br0

This file is SuSE-specific

BOOTPROTO='static'
BROADCAST='192.168.1.255'
IPADDR='192.168.1.3'
NETWORK='192.168.1.0'
NETMASK='255.255.255.0'
REMOTE_IPADDR=''
STARTMODE='onboot'
UNIQUE='3hqH.MjuOqWfSZ+C'
WIRELESS='no'
MTU=''

/etc/sysconfig/network/routes

This file is SuSE-specific
192.168.1.0 - 255.255.255.0 br0
default 192.168.1.254 - -