SLUUG Wiki

User Tools

Site Tools

Trace: firewall
build:firewall

This is an old revision of the document!

Table of Contents

Firewall

Open Ports

These are the ports that we want to open up inbound:

  • 22 – SSH
  • 25 – SMTP
  • 80 – http
  • 110 – pop3
  • 143 – imap2
  • 443 – https
  • 992 – telnets
  • 993 – imaps
  • 995 – pop3s
  • 10000 – webmin (https)

Install Shorewall

Install shorewall (And its documentation): 

apt-get install shorewall shorewall-doc

Configure Shorewall

In /etc/default/shorewall, set shorewall to run, and set some configuration options: 

STARTUP=1
LOGFILE=/var/log/shorewall.log
LOGRATE=10/minute
LOGBURST=5
IPTABLES=/sbin/iptables

Install default config files for one interface: 

cd /tmp
tar xfz /usr/share/doc/shorewall-doc/examples/one-interface.tgz
cp one-interface/* /etc/shorewall/

Edit /etc/shorewall/rules to add some rules to allow various ports inbound: 

ACCEPT net fw tcp 22

Start Shorewall

Start shorewall: 

touch /var/log/shorewall.log
/etc/init.d/shorewall start

PCX Firewall

The firewall was (originally) constructed with the PCXFirewall Toolkit available here: http://pcxfirewall.sourceforge.net/ After determining list of services to be offered, a list of open ports was created. The following list enumerates that list.

Admin instructions on how to access PCXFirewall 

https://63.252.5.3/pcxfirewall/

username – admin

Firewall Config – budlight1

Budlight1 Definition

Config

Config Options

  • Network Command – ifconfig
  • Mangle Rules – Enabled

Validity Check:

  • TCP Flags – on
  • ECN Enabled – off
  • Unclean – off
  • Kernel Type – modular

Zones:

  • internal Zone Enabled – off
  • ipsec Zone Enabled – off
  • dmz Zone Enabled – off
  • dialin Zone Enabled – off
  • Bridge Support Enabled – off
  • Snort-Inline Support Enabled – off

Special Protocol Modules:

  • ftp Enabled – on
  • ftp Params – none
  • irc Enabled – off
  • irc Params – none

Rate Limit:

  • Tainted Packets Log Rate – 20 / minute
  • Reserved Packets Log Rate – 20 / minute
  • Default Policy Packets Log Rate – 30 / minute
  • Reject Packets Log Rate – 30 / minute
  • Normal Packets Log Rate – 30 / minute
  • ICMP Packets Allow Rate – 30 / minute

Logging:

  • Log Prefix – FW
  • Log Level – debug

Dynamic Interfaces:

  • Dynamic Interfaces Mode – ignoreIP

Networks

  • Index – 0
  • Host – budlight
  • Type – normal
  • Active – true
  • Comment – external network/lan

Reserved External Networks

IndexHostLimitToActiveComment
10.0.0.0/8 false Class A
192.168.0.0/16 false Class C
127.0.0.0/8 true Local machine
172.16.0.0/12 false Class B
224.0.0.0/4 false Class D Multicast
240.0.0.0/5 true Class E Reserved
0.0.0.0/8 false Illegal except for DHCP
169.254.0.0/16 true Link Local Networks
192.0.2.0/24 false TEST-NET

Zones

  • Alias – external
  • Interface – eth0
  • IP Address – 63.252.5.3
  • IPSec – false
  • IPSec LimitFrom –
  • Network – budlight
  • Proxy Arp – false
  • Active – true
  • Comment – This is configured for a LAN server, not a WAN.

Services

Existing services were left as preconfigured.

Added : POP3s

  • Protocol – tcp
  • d-port – 995
  • s-port – any
  • icmp type –

Paths

ServiceGroups

in out ip source dest action service active
firewallToExternal
* ALL ALL ACCEPT DNS, SSH, IDENT, SMTP, ICMP, TRACEROUTE, SQUID, HTTP, FTP, BOOTP, NTP, RSYNC true
externalToFirewall
* ALL ALL ACCEPT SSH, SMTP, POP3, IMAP, ICMP-limited, HTTP, HTTPS, BOOTP, IMAPS, POP3Strue
* ALL ALL Reject IDENT true
external ALL ALL Drop No Log SMB true
external ALL ALL ACCEPT Webmin true
externalBroadcast
* ALL ALL ACCEPT BOOTP true

Installation

get this from PCXFirewall instructions and put here

System Changes

Please post changes here in the format of: [H4] date|your name [/H4] [CR]description of chages made

March 5 2005 | Carl Fitch

Added Path to allow Webmin access. This was added as a seperate path to allow an easier way to turn the path on or off as needed.

Feburary 19 2005 | James Pattie, Carl Fitch

The initial installation

March 5 2005 | Carl Fitch

Changed Zone "external" to current static IP address

TODO

Get installation instructions and have James verify

need to get how to access and use front end.

Credits

Initially installed, configured, and documented by James Pattie and Carl Fitch, 2005-02-19.

build/firewall.1122754335.txt.gz · Last modified: 2005/07/30 16:32 (external edit)

Page Tools

Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
CC Attribution-Share Alike 4.0 International Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki