build:firewall
Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision | ||
|
build:firewall [2005/07/30 15:12] 206.197.251.61 |
build:firewall [2009/08/03 16:18] (current) 167.206.189.6 |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| ====== Firewall ====== | ====== Firewall ====== | ||
| + | We originally went with [[http://pcxfirewall.sourceforge.net/|PCX Firewall]] on our test/development server, as James Pattie was most familiar with it. When we built the production servers, we decided to go with something more standard, so that others would be able to work with it later, if James isn't around. (And he wasn't around when we built the production servers.) So we decided to go with [[http://www.shorewall.net/|Shorewall]]. Shorewall also has the advantage that we don't need to provide the IP addresses of the system -- it determines them dynamically. So when we change IP addresses, we don't have to re-configure the firewall. | ||
| - | ===== Open Ports ===== | + | We currently aren't running a firewall on bock. Solaris 10 ships with IPF, but it has suffered from throughput problems, so we're leaving it off. |
| - | These are the ports that we want to open up inbound: | + | ===== Requirements ===== |
| - | * 22 -- SSH | + | Shorewall doesn't seem to have any requirements, except ''iptables'', ''iproute'', and ''libatm1''. |
| - | * 25 -- SMTP | + | <code rootshell> |
| - | * 80 -- http | + | apt-get install iproute iproute-doc libatm1 |
| - | * 110 -- pop3 | + | </code> |
| - | * 143 -- imap2 | + | |
| - | * 443 -- https | + | |
| - | * <del>992 -- telnets</del> | + | |
| - | * 993 -- imaps | + | |
| - | * 995 -- pop3s | + | |
| - | * 10000 -- webmin (https) | + | |
| + | All we want from the firewall is basic host protection. (We don't do any routing, so we don't need to worry about packets going **through** the system.) We want to allow all outbound connections, and allow inbound connections to only the following ports: | ||
| - | ===== Install Shorewall ===== | + | * 22 -- SSH |
| + | * 25 -- SMTP (Bud only) | ||
| + | * 53 -- DNS (Bud only) | ||
| + | * 80 -- HTTP | ||
| + | * 110 -- POP (Bud only) | ||
| + | * 123 -- NTP (UDP) | ||
| + | * 143 -- IMAP (Bud only) | ||
| + | * 443 -- HTTPS | ||
| + | * 993 -- IMAPS (Bud only) | ||
| + | * 995 -- POPS (Bud only) | ||
| - | Install shorewall (And its documentation): | + | ===== Installation ===== |
| - | apt-get install shorewall shorewall-doc | + | |
| - | ===== Configure Shorewall ===== | + | Install shorewall (and its documentation): |
| + | <code rootshell> | ||
| + | apt-get install shorewall shorewall-doc | ||
| + | </code> | ||
| + | ===== Configuration ===== | ||
| - | In /etc/default/shorewall, set shorewall to run, and set some configuration options: | + | In ''/etc/default/shorewall'', set shorewall to run by changing the ''startup'' line: |
| - | STARTUP=1 | + | <code rootshell> |
| - | LOGFILE=/var/log/shorewall.log | + | sed -i -e 's/startup=0/startup=1/' /etc/default/shorewall |
| - | LOGRATE=10/minute | + | </code> |
| - | LOGBURST=5 | + | |
| - | IPTABLES=/sbin/iptables | + | |
| - | Install default config files for one interface: | + | Install default config files for systems with one interface: |
| - | cd /tmp | + | <code rootshell> |
| - | tar xfz /usr/share/doc/shorewall-doc/examples/one-interface.tgz | + | cp -a /usr/share/doc/shorewall/examples/one-interface/* /etc/shorewall/ |
| - | cp one-interface/* /etc/shorewall/ | + | cd /etc/shorewall/ |
| + | gunzip *.gz | ||
| + | </code> | ||
| - | Edit /etc/shorewall/rules to add some rules to allow various ports inbound: | + | If the system has more than one interface, see the other directories of examples. |
| - | ACCEPT net fw tcp 22 | + | |
| - | ===== Start Shorewall ===== | + | In ''/etc/shorewall/shorewall.conf'', set some configuration options. Change the following lines: |
| + | <file> | ||
| + | LOGFILE=/var/log/shorewall.log | ||
| + | LOGRATE=10/minute | ||
| + | LOGBURST=5 | ||
| + | </file> | ||
| - | Start shorewall: | + | Edit ''/etc/shorewall/rules'' to add some rules to allow various ports inbound: |
| - | touch /var/log/shorewall.log | + | <file> |
| - | /etc/init.d/shorewall start | + | ACCEPT net $FW tcp 22 |
| + | ACCEPT net $FW tcp 25 | ||
| + | ACCEPT net $FW tcp 53 | ||
| + | ACCEPT net $FW udp 53 | ||
| + | ACCEPT net $FW tcp 80 | ||
| + | ACCEPT net $FW tcp 110 | ||
| + | ACCEPT net $FW udp 123 | ||
| + | ACCEPT net $FW tcp 143 | ||
| + | ACCEPT net $FW tcp 443 | ||
| + | ACCEPT net $FW tcp 993 | ||
| + | ACCEPT net $FW tcp 995 | ||
| + | </file> | ||
| + | If the system has more than one interface, duplicate the same rules for each interface unless there is a reason to not do that. In that case, document the purpose and restrictions for each interface, and why the rules are different. | ||
| - | ===== PCX Firewall ===== | + | ===== Startup ===== |
| - | The firewall was (originally) constructed with the PCXFirewall Toolkit available here: | + | Start shorewall: |
| - | http://pcxfirewall.sourceforge.net/ | + | <code rootshell> |
| - | After determining list of services to be offered, a list of open ports was created. The following list enumerates that list. | + | touch /var/log/shorewall.log |
| + | /etc/init.d/shorewall start | ||
| + | </code> | ||
| - | Admin instructions on how to access PCXFirewall | + | ===== Testing ===== |
| - | https://63.252.5.3/pcxfirewall/ | + | |
| - | username -- admin | + | To check whether Shorewall is running, check what IP Tables are configured: |
| + | <code rootshell> | ||
| + | iptables -L -vn | ||
| + | </code> | ||
| + | This should show a large number of tables. | ||
| - | Firewall Config -- budlight1 | + | If Shorewall is not running, check the ''/var/log/shorewall-init.log'' file for details. |
| - | ==== Budlight1 Definition ==== | + | ===== TODO ===== |
| - | ==== Config ==== | + | Can we restrict some ports to the local subnet? |
| - | **Config Options** | + | Determine if our port list is correct for what we need open. We might want to open up additional ports for LMTP, SMTP w/ SSL, and SMTP w/ forced STARTTLS. Perhaps Squid caching and Rsync as well. We might want to remove Webmin and some of the other ports. |
| - | * Network Command -- ifconfig | + | Is Shorewall configured to start on boot at the proper time? Is there a window of time where the network starts up (and there are services running) before Shorewall is protecting the system? |
| - | * Mangle Rules -- Enabled | + | |
| - | **Validity Check:** | + | How can we back up our configuration on a regular basis? |
| - | * TCP Flags -- on | + | How much ICMP do we block? How much do we want to block? |
| - | * ECN Enabled -- off | + | |
| - | * Unclean -- off | + | |
| - | * Kernel Type -- modular | + | |
| - | **Zones:** | + | ===== Credits ===== |
| - | * internal Zone Enabled -- off | + | Shorewall was initially installed and configured by Jeff Muse on 2005-07-30. Craig Buchek assisted and documented. |
| - | * ipsec Zone Enabled -- off | + | |
| - | * dmz Zone Enabled -- off | + | |
| - | * dialin Zone Enabled -- off | + | |
| - | * Bridge Support Enabled -- off | + | |
| - | * Snort-Inline Support Enabled -- off | + | |
| + | PCX Firewall was initially installed, configured, and documented on the test/development system by James Pattie and Carl Fitch, 2005-02-19. | ||
| - | + | ===== Comments ===== | |
| - | + | ||
| - | **Special Protocol Modules:** | + | |
| - | + | ||
| - | * ftp Enabled -- on | + | |
| - | * ftp Params -- none | + | |
| - | * irc Enabled -- off | + | |
| - | * irc Params -- none | + | |
| - | + | ||
| - | + | ||
| - | **Rate Limit:** | + | |
| - | + | ||
| - | * Tainted Packets Log Rate -- 20 / minute | + | |
| - | * Reserved Packets Log Rate -- 20 / minute | + | |
| - | * Default Policy Packets Log Rate -- 30 / minute | + | |
| - | * Reject Packets Log Rate -- 30 / minute | + | |
| - | * Normal Packets Log Rate -- 30 / minute | + | |
| - | * ICMP Packets Allow Rate -- 30 / minute | + | |
| - | + | ||
| - | **Logging:** | + | |
| - | + | ||
| - | * Log Prefix -- FW | + | |
| - | * Log Level -- debug | + | |
| - | + | ||
| - | **Dynamic Interfaces:** | + | |
| - | + | ||
| - | * Dynamic Interfaces Mode -- ignoreIP | + | |
| - | + | ||
| - | ==== Networks ==== | + | |
| - | + | ||
| - | * Index -- 0 | + | |
| - | * Host -- budlight | + | |
| - | * Type -- normal | + | |
| - | * Active -- true | + | |
| - | * Comment -- external network/lan | + | |
| - | + | ||
| - | ==== Reserved External Networks ==== | + | |
| - | + | ||
| - | ^Index^Host^LimitTo^Active^Comment^ | + | |
| - | |10.0.0.0/8 | | |false |Class A| | + | |
| - | | 192.168.0.0/16 | | |false |Class C| | + | |
| - | | 127.0.0.0/8 | | |true |Local machine| | + | |
| - | | 172.16.0.0/12 | | |false |Class B| | + | |
| - | | 224.0.0.0/4 | | |false |Class D Multicast| | + | |
| - | | 240.0.0.0/5 | | |true |Class E Reserved| | + | |
| - | | 0.0.0.0/8 | | |false |Illegal except for DHCP| | + | |
| - | | 169.254.0.0/16 | | |true |Link Local Networks| | + | |
| - | | 192.0.2.0/24 | | |false |TEST-NET| | + | |
| - | + | ||
| - | ==== Zones ==== | + | |
| - | + | ||
| - | * Alias -- external | + | |
| - | * Interface -- eth0 | + | |
| - | * IP Address -- 63.252.5.3 | + | |
| - | * IPSec -- false | + | |
| - | * IPSec LimitFrom -- | + | |
| - | * Network -- budlight | + | |
| - | * Proxy Arp -- false | + | |
| - | * Active -- true | + | |
| - | * Comment -- This is configured for a LAN server, not a WAN. | + | |
| - | + | ||
| - | ==== Services ==== | + | |
| - | + | ||
| - | Existing services were left as preconfigured. | + | |
| - | + | ||
| - | Added : POP3s | + | |
| - | * Protocol -- tcp | + | |
| - | * d-port -- 995 | + | |
| - | * s-port -- any | + | |
| - | * icmp type -- | + | |
| - | + | ||
| - | + | ||
| - | + | ||
| - | ==== Paths ==== | + | |
| - | === ServiceGroups === | + | |
| - | + | ||
| - | + | ||
| - | ^ in ^ out ^ ip ^ source ^ dest ^ action ^ service ^ active ^ | + | |
| - | | | | | | | | **firewallToExternal**| | | + | |
| - | | |* | |ALL |ALL |ACCEPT| DNS, SSH, IDENT, SMTP, ICMP, TRACEROUTE, SQUID, HTTP, FTP, BOOTP, NTP, RSYNC |true| | + | |
| - | | | | | | | | **externalToFirewall**| | | + | |
| - | |*| | |ALL |ALL |ACCEPT |SSH, SMTP, POP3, IMAP, ICMP-limited, HTTP, HTTPS, BOOTP, IMAPS, POP3S|true| | + | |
| - | |*| | |ALL |ALL |Reject |IDENT |true| | + | |
| - | |external| | |ALL |ALL |Drop No Log |SMB |true| | + | |
| - | |external| | |ALL |ALL |ACCEPT |Webmin |true| | + | |
| - | | | | | | | | **externalBroadcast**| | | + | |
| - | |*| | |ALL |ALL |ACCEPT |BOOTP |true| | + | |
| - | + | ||
| - | ===== Installation ===== | + | |
| - | get this from PCXFirewall instructions and put here | + | |
| - | + | ||
| - | ===== System Changes ===== | + | |
| - | //Please post changes here in the format of: [H4] date|your name [/H4] [CR]description of chages made// | + | |
| - | + | ||
| - | + | ||
| - | + | ||
| - | === March 5 2005 | Carl Fitch === | + | |
| - | Added Path to allow Webmin access. This was added as a seperate path to allow an easier way to turn the path on or off as needed. | + | |
| - | + | ||
| - | + | ||
| - | === Feburary 19 2005 | James Pattie, Carl Fitch === | + | |
| - | + | ||
| - | The initial installation | + | |
| - | === March 5 2005 | Carl Fitch === | + | |
| - | Changed Zone "external" to current static IP address | + | |
| - | + | ||
| - | ===== TODO ===== | + | |
| - | + | ||
| - | Get installation instructions and have James verify | + | |
| - | + | ||
| - | <del>need to get how to access and use front end.</del> | + | |
| - | + | ||
| - | ===== Credits ===== | + | |
| - | Initially installed, configured, and documented by James Pattie and Carl Fitch, 2005-02-19. | + | |
build/firewall.1122754335.txt.gz · Last modified: 2005/07/30 16:32 (external edit)
Page Tools
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
