build:firewall [2010/08/01 23:31]
99.100.133.164 old revision restored
build:firewall [2012/12/10 22:41] (current)
Line 1: Line 1:
 ====== Firewall ====== ====== Firewall ======
  
-decided to go with [[http://​www.shorewall.net/​|Shorewall]],​ which is fairly standardShorewall ​also has the advantage that we don't need to provide the IP addresses of the system -- it determines them dynamically. So when we change IP addresses, we don't have to re-configure the firewall.+We decided to go with [[http://​www.shorewall.net/​|Shorewall]],​ which is relatively popularIt also has the advantage that we don't need to provide the IP addresses of the system -- it determines them dynamically. So when we change IP addresses, we don't have to re-configure the firewall. 
  
 ===== Requirements ===== ===== Requirements =====
- 
-Shorewall doesn'​t seem to have any requirements,​ except ''​iptables'',​ ''​iproute'',​ and ''​libatm1''​. 
-<code rootshell>​ 
-apt-get install iptables iproute iproute-doc libatm1 
-</​code>​ 
  
 All we want from the firewall is basic host protection. (We don't do any routing, so we don't need to worry about packets going **through** the system.) We want to allow all outbound connections,​ and allow inbound connections to only the following ports: All we want from the firewall is basic host protection. (We don't do any routing, so we don't need to worry about packets going **through** the system.) We want to allow all outbound connections,​ and allow inbound connections to only the following ports:
  
   *  22 -- SSH   *  22 -- SSH
-  *  53 -- DNS (UDP only)+  *  53 -- DNS (UDP and TCP)
   *  80 -- HTTP   *  80 -- HTTP
   * 123 -- NTP (UDP)   * 123 -- NTP (UDP)
   * 443 -- HTTPS   * 443 -- HTTPS
 +
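Review bot: the revision removes the prerequisite sentence together with the ''apt-get install iptables iproute iproute-doc libatm1'' block, so the Requirements section now names no package prerequisites at all and a reader cannot tell whether that is deliberate. If the reason is that the ''shorewall'' package pulls ''iptables'' and ''iproute'' in as dependencies, say so in one line; otherwise keep the install command. The port list now says 53 is ''UDP and TCP'', which the rules below mirror, but the reason for TCP is only given in a rules comment; a short note here ("zone transfers and large responses") keeps the requirements self-explanatory.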
  
 ===== Installation ===== ===== Installation =====
  
 Install shorewall (and its documentation):​ Install shorewall (and its documentation):​
-<​code ​rootshell+ 
-apt-get install shorewall shorewall-doc+<​code ​bash
 +sudo apt-get ​-y install shorewall shorewall-doc
 </​code>​ </​code>​
 +
 +
 ===== Configuration ===== ===== Configuration =====
  
 In ''/​etc/​default/​shorewall'',​ set shorewall to run by changing the ''​startup''​ line: In ''/​etc/​default/​shorewall'',​ set shorewall to run by changing the ''​startup''​ line:
-<​code ​rootshell+ 
-sed -i -e '​s/​startup=0/​startup=1/'​ /​etc/​default/​shorewall+<​code ​bash
 +sudo sed -i -e '​s/​startup=0/​startup=1/'​ /​etc/​default/​shorewall
 </​code>​ </​code>​
  
-Install default config files for systems with one interface:​ +Install ​the default config files for systems with one interface: 
-<​code ​rootshell+ 
-cp -a /​usr/​share/​doc/​shorewall-common/​examples/​one-interface/​* /​etc/​shorewall/​+<​code ​bash
 +sudo cp -a /​usr/​share/​doc/​shorewall/​examples/​one-interface/​* /​etc/​shorewall/​
 cd /​etc/​shorewall/​ cd /​etc/​shorewall/​
-gunzip *.gz+sudo gunzip ​-f *.gz
 </​code>​ </​code>​
  
-In ''/​etc/​shorewall/​shorewall.conf'', ​set some configuration options. Change ​the following lines: +In ''/​etc/​shorewall/​shorewall.conf'', ​we need to enable startup; we also change ​the log file and set the log rate limits:
-<​file>​ +
-STARTUP_ENABLED=Yes +
-LOGFILE=/​var/​log/​shorewall.log +
-LOGRATE=10/​minute +
-LOGBURST=5 +
-</file>+
  
-Edit ''/​etc/​shorewall/​rules'' ​to add some rules to allow various ports inbound: +<code bash> 
-<file>+sudo sed -i /​etc/​shorewall/​shorewall.conf -e 's|^STARTUP_ENABLED=.*|STARTUP_ENABLED=Yes|' 
 +sudo sed -i /​etc/​shorewall/​shorewall.conf -e 's|^LOGFILE=.*|LOGFILE=/​var/​log/​shorewall.log|' 
 +sudo sed -i /​etc/​shorewall/​shorewall.conf -e '​s|^LOGRATE=.*|LOGRATE=10/​minute|'​ 
 +sudo sed -i /​etc/​shorewall/​shorewall.conf -e '​s|^LOGBURST=.*|LOGBURST=5|'​ 
 +</​code>​ 
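Review bot: ''LOGFILE=/var/log/shorewall.log'' only tells the ''shorewall'' command where to read kernel log messages for ''shorewall show log'' and ''logwatch''; it does not make netfilter write there. Unless the syslog daemon is configured to route the kernel firewall messages into ''/var/log/shorewall.log'', the file created by ''sudo touch'' in the Startup section stays empty and ''shorewall show log'' reports nothing. Either add the syslog rule to this section or set ''LOGFILE'' to wherever kernel messages already land on this Debian host (typically ''/var/log/kern.log''), and say which. The four ''sed'' substitutions themselves are fine: they are anchored with ''^'' so commented example lines in ''shorewall.conf'' are left alone, and setting both ''startup=1'' in ''/etc/default/shorewall'' and ''STARTUP_ENABLED=Yes'' is required on Debian, which is worth one sentence of explanation.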
 + 
 + 
 +==== Rules ==== 
 + 
 +Add rules to ''/​etc/​shorewall/​rules''​ allowing ​various ports inbound: 
 + 
 +<code bash> 
 +sudo sh -c 'cat >> /​etc/​shorewall/​rules'​ <<'​EOF'​ 
 + 
 +# Allow inbound SSH.
 ACCEPT net $FW tcp 22 ACCEPT net $FW tcp 22
 +
 +# Allow inbound DNS (including TCP, for AFXRs).
 ACCEPT net $FW udp 53 ACCEPT net $FW udp 53
-ACCEPT net $FW tcp 80+ACCEPT net $FW tcp 53 
 + 
 +# Allow inbound NTP.
 ACCEPT net $FW udp 123 ACCEPT net $FW udp 123
 +
 +# Allow inbound HTTP and HTTPS.
 +ACCEPT net $FW tcp 80
 ACCEPT net $FW tcp 443 ACCEPT net $FW tcp 443
-</file>+EOF 
 +</code> 
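Review bot: ''ACCEPT net $FW tcp 53'' opens TCP 53 to the entire ''net'' zone, and the comment justifies it with zone transfers (misspelled ''AFXRs''; the record type is AXFR). Zone transfers should be accepted only from the secondary name servers, so restrict the SOURCE column, e.g. ''ACCEPT net:203.0.113.10 $FW tcp 53'' with a placeholder address, and keep BIND's ''allow-transfer'' as the second layer. If the real reason is truncated UDP answers falling back to TCP, the comment should say that instead, since that case does need the wide rule. Separately, ''cat >> /etc/shorewall/rules'' appends on every run, so anyone following the page twice ends up with duplicated rules; guard the heredoc with a ''grep -q'' check for one of the lines, or write a clearly delimited block that can be replaced instead of appended.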
  
 ===== Startup ===== ===== Startup =====
  
-Start shorewall+Start Shorewall: 
-<​code ​rootshell+ 
-touch /​var/​log/​shorewall.log +<​code ​bash
-/​etc/​init.d/​shorewall start+sudo touch /​var/​log/​shorewall.log 
 +sudo /​etc/​init.d/​shorewall start
 </​code>​ </​code>​
 +
  
 ===== Testing ===== ===== Testing =====
  
 To check whether Shorewall is running, check what IP Tables are configured: To check whether Shorewall is running, check what IP Tables are configured:
-<​code ​rootshell+ 
-iptables -L -vn+<​code ​bash
 +sudo iptables -L -vn
 </​code>​ </​code>​
 +
 This should show a large number of tables. This should show a large number of tables.
  
 If Shorewall is not running, check the ''/​var/​log/​shorewall-init.log''​ file for details. If Shorewall is not running, check the ''/​var/​log/​shorewall-init.log''​ file for details.
  
-===== TODO =====+Ensure that you can establish a new SSH session inbound. If not, stop Shorewall and try again.
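Review bot: "stop Shorewall and try again" is risky advice as written, because ''shorewall stop'' does not open the firewall; it enters the stopped state in which only traffic listed in ''routestopped'' is allowed, so an operator locked out by a bad rule set is still locked out. ''shorewall clear'' is the command that removes all rules, and the safer first start is ''shorewall safe-start'' (or ''safe-restart'' later), which asks for confirmation from a second connection and reverts automatically if none arrives. Also, ''iptables -L -vn'' lists the chains of the filter table rather than "a large number of tables"; ''shorewall status'' is the direct check for whether Shorewall itself is running.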
  
-Can we restrict some ports to the local subnet? 
  
-Determine if our port list is correct for what we need open. We might want to open up additional ports for LMTP, SMTP w/ SSL, and SMTP w/ forced STARTTLS. Perhaps Squid caching and Rsync as well.+===== TODO =====
  
-Is Shorewall configured to start on boot at the proper time? Is there a window of time where the network starts up (and there are services running) before Shorewall is protecting the system?+  * We might want to open up additional ports for other services. 
 +  * How much ICMP do we block? How much do we want to block? 
 +  * Is Shorewall configured to start on boot at the proper time? 
 +    * Is there a window of time where the network starts up (and there are services running) before Shorewall is protecting the system?
  
-How much ICMP do we block? How much do we want to block? 
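Review bot: the boot-ordering question in the new TODO has a concrete answer on Debian and should not stay open: the plain ''shorewall'' init script runs after networking, so the window exists, and the separate ''shorewall-init'' package is the documented fix, loading a closed ruleset before interfaces come up and letting Shorewall open them afterwards. The old item about restricting some ports to the local subnet was dropped rather than resolved; the rules file supports it directly by qualifying the SOURCE column, as in ''net:192.0.2.0/24'' (placeholder subnet), which would also be the natural way to tighten TCP 53 above.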
build/firewall.txt · Last modified: 2012/12/10 22:41 (external edit)