Tom,

I have a router at home running Shorewall doing great, and I want to install it on our file/web/mail server at work too. Problem is, I can't afford much downtime futzing around with it. Can you recommend some Shorewall settings? Here are the particulars:

1. The server is behind a hardware security router/switch (Netgear RO318) which forwards ports 80, 25, & 110 requests to it that come in from the Internet over our RoadRunner cable modem.

2. The server has a single network card, a static IP (192.168.0.13), and is plugged into the security router just like every other box on the LAN.

3. The server runs a webserver on port 80 and a mailserver/POP3 MTA (both available to the Internet and the LAN). For the LAN, it runs SAMBA, SWAT (port 901), and Webmin (port 10000), the last 2 only accessible from 192.168.0.10. The server mounts an NFS share on a Snap! server at boot time (nightly backups are sent there). The server needs access to the Internet to get NTP time sync info, to get RedHat updates, and to update our IP address with DynDNS. Everyone on the LAN syncs time to the server using the time server feature in SAMBA.

4. The LAN addresses are all 192.168.0.0/24; some of them are assigned by the DHCP service that the security router provides, and some are statically assigned.

The hardware router was used because at the time, it was simply a Windoze-only LAN that needed access to the Internet. Theoretically, the router provides stateful packet inspection and protection against common threats. We haven't had any breaches I'm aware of (yet). I added the Linux server later on just to play with, but now that I've got 3 ports hanging out in the breeze, I'm concerned that the hardware router might let something through, or that a virus could get loose on the LAN and do some damage from the inside (my users are clueless). I realize this configuration is somewhat less than ideal.

In the future, I plan on replacing the hardware router with a Linux system using 3 NICs to effectively separate Internet, LAN, and a DMZ, but for now I need to work with what I've got. Right now, the server has NO firewall except what is provided by the router, so almost anything would be an improvement. Would it help to configure the server's single NIC to have more than 1 IP? If so, how?

Thanks in advance for any suggestions, and thanks again for a great piece of software. Linux newbies like me would be lost without people like you making it relatively easy.

Sincerely,
Jim Hubbard
jimh@dyersinc.com
Jim Hubbard wrote:
> Tom,
> I have a router at home running Shorewall doing great, and I want to install
> it on our file/web/mail server at work too. Problem is, I can't afford
> much downtime futzing around with it. Can you recommend some Shorewall
> settings? Here are the particulars:

Hi Jim,

It seems to me that you already know most of what you want. There are only a few ambiguities that need to be addressed.

> ...
> 2. The server has a single network card, a static IP (192.168.0.13), and
> is plugged into the security router just like every other box on the
> LAN.

Do the requests appear to come from the Internet or the router? (i.e. Does the router do unidirectional NAT or bidirectional NAT?) My guess would be the former - requests still appear with the true source IP, and your router does the outgoing translation. If that is the case, I think you need two zones, one for internal and one for external - the 'loc' and 'net' zones provided by default should do the trick. The 'loc' zone would be 192.168.0.0/24, and 'net' would be everything else.

> 3. The server runs a webserver on port 80 and a mailserver/POP3 MTA
> (both available to the Internet and the LAN).

Personally, if you are running standard POP3 over the Internet, I think you are:
a) crazy,
b) an ISP, or
c) both of the above. :-)
I know users like it, but it really is quite insecure.

> For the LAN, it runs
> SAMBA, SWAT (port 901), and Webmin (port 10000), the last 2 only
> accessible from 192.168.0.10.
> ...

All of your services except SWAT & Webmin can be defined between the 'loc' zone and the firewall. You can do the other two with a simple host-specific override in the rules file. A separate zone for admin workstations would require rule duplication (since they would require access to all the same services as normal workstations).

> ...
> I realize this configuration is somewhat less than ideal. In the
> future, I plan on replacing the hardware router with a Linux system
> using 3 NICs to effectively separate Internet, LAN, and a DMZ, but for
> now I need to work with what I've got.

Personally, I don't feel that the 3 NIC model actually offers much more protection than what you've got, since you would only have to compromise one system (the firewall) to gain access to the entire network, whereas your current model requires that two systems (the router and the Linux server) be compromised, unless the Linux box is compromised through the port-forwarded services.

> ...
> Right now, the server has NO firewall except what is provided by the
> router, so almost anything would be an improvement. Would it help to
> configure the server's single NIC to have more than 1 IP? If so, how?

I don't think it would help. You can do all you want by defining Shorewall zones.

> Thanks in advance for any suggestions, and thanks again for a great
> piece of software. Linux newbies like me would be lost without people
> like you making it relatively easy.

Tom has indeed made it very easy! :-)

Paul
http://paulgear.webhop.net
On Wednesday 30 January 2002 02:57 am, Paul Gear wrote:
>
> Do the requests appear to come from the Internet or the router? (i.e. Does
> the router do unidirectional NAT or bidirectional NAT?) My guess would be
> the former - requests still appear with the true source IP, and your router
> does the outgoing translation. If that is the case, I think you need two
> zones, one for internal and one for external - the 'loc' and 'net' zones
> provided by default should do the trick. The 'loc' zone would be
> 192.168.0.0/24, and 'net' would be everything else.

I agree.

> > 3. The server runs a webserver on port 80 and a mailserver/POP3 MTA
> > (both available to the Internet and the LAN).
>
> Personally, if you are running standard POP3 over the Internet, I think you
> are:
> a) crazy,
> b) an ISP, or
> c) both of the above. :-)
> I know users like it, but it really is quite insecure.

Yes -- a VPN solution would definitely be better.

> I don't think it would help. You can do all you want by defining Shorewall
> zones.

I agree. The only thing that I can add is that for NFS, I would open UDP port 111 and ALL unpriv UDP ports from the NFS client (your server) to the NFS server (SNAP).

-Tom
--
Tom Eastep      \ A Firewall for Linux 2.4.*
AIM: tmeastep   \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
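A Shorewall configuration for the server Jim describes, putting together Paul's two-zone and host-override advice and Tom's NFS note. This is an added example, not from the thread or the Shorewall project; it assumes Paul's guess holds (the Netgear passes the true source address, so Internet requests do not arrive from 192.168.0.0/24), that the single NIC is eth0, the Shorewall 1.2-era file formats, and placeholder addresses for the Snap! server (192.168.0.250) and the Netgear acting as resolver (192.168.0.1); udp 2049 (nfsd) is added beyond Tom's list.

```text
# /etc/shorewall/zones  (order matters: loc is listed first so that
# 192.168.0.0/24 matches loc before the catch-all net entry in hosts)
#ZONE   DISPLAY   COMMENTS
loc     Local     Office LAN, 192.168.0.0/24
net     Net       Everything else, arriving through the Netgear

# /etc/shorewall/interfaces  (one NIC; '-' means zones come from hosts)
#ZONE   INTERFACE   BROADCAST   OPTIONS
-       eth0        detect

# /etc/shorewall/hosts  (both zones live on the same interface)
#ZONE   HOST(S)                 OPTIONS
loc     eth0:192.168.0.0/24
net     eth0:0.0.0.0/0

# /etc/shorewall/policy  (nothing reaches the server unless a rule allows it)
#SOURCE DEST    POLICY   LOG LEVEL
fw      net     ACCEPT             # NTP, Red Hat updates, DynDNS client
fw      loc     REJECT   info      # server -> LAN only as allowed below
loc     fw      REJECT   info      # LAN -> server only as allowed below
net     all     DROP     info      # unsolicited Internet traffic: drop, log
all     all     REJECT   info

# /etc/shorewall/rules
#ACTION SOURCE               DEST                PROTO  DEST PORT(S)
# public services, from the Internet and from the LAN
ACCEPT  net                  fw                  tcp    80,25,110
ACCEPT  loc                  fw                  tcp    80,25,110
# Samba file sharing and the SMB time server the LAN clients sync to
ACCEPT  loc                  fw                  udp    137,138
ACCEPT  loc                  fw                  tcp    139
ACCEPT  loc                  fw                  icmp   8          # ping
# SWAT and Webmin: host-specific override, admin workstation only
ACCEPT  loc:192.168.0.10     fw                  tcp    901,10000
# nmbd name/browse traffic the server itself sends onto the LAN
ACCEPT  fw                   loc                 udp    137,138
# NFS client -> Snap! server (192.168.0.250 is a placeholder address):
# portmapper, nfsd (2049, not in Tom's list), and every unprivileged
# UDP port, which is where mountd and lockd usually end up
ACCEPT  fw                   loc:192.168.0.250   udp    111,2049
ACCEPT  fw                   loc:192.168.0.250   udp    1024:65535
# only if the server resolves names through the Netgear (assumed at .1)
ACCEPT  fw                   loc:192.168.0.1     udp    53
ACCEPT  fw                   loc:192.168.0.1     tcp    53
```

The `net all DROP info` policy means anything the Netgear forwards beyond 80, 25 and 110 shows up in the server's log rather than reaching a service, which is the visibility Jim says he is missing at the router.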
> -----Original Message-----
> From: shorewall-users-admin@shorewall.net
> [mailto:shorewall-users-admin@shorewall.net]On Behalf Of Paul Gear
> Sent: Wednesday, January 30, 2002 5:58 AM
> To: jimh@xlproject.com
> Cc: shorewall-users@shorewall.net
> Subject: Re: [Shorewall-users] LAN server config?
>
> Personally, if you are running standard POP3 over the Internet, I
> think you
> are:
> a) crazy,
> b) an ISP, or
> c) both of the above. :-)
> I know users like it, but it really is quite insecure.
>

Thanks for the wakeup call. I still consider myself a Linux newbie, and I'm still learning. I tend to concentrate on getting a service to work first and learn how to secure it later. So "ignorant", in this case, is probably a better description. If you have any good links for implementing secure POP3 please let me know.

> Personally, I don't feel that the 3 NIC model actually offers much more
> protection than what you've got, since you would only have to compromise
> one system (the firewall) to gain access to the entire network, whereas
> your current model requires that two systems (the router and the Linux
> server) be compromised, unless the Linux box is compromised through the
> port-forwarded services.
>

It's not that the hardware router I have is insecure, it's just that I don't really know (and can't control) how secure it is. With this particular router, I can't even ban a host from using it. For instance, if I want to ban a host from my web server, I have to do it at the web server instead of at the router. That, to me, is not good. Using one Linux system as a router and having a second running web and mail services in a "dmz" zone physically separate from the rest of the LAN would seem to be much better and offer more control. Not that I really understand yet how to properly use that control, but I figure I've only got about 19,437 more man pages to read until it seems like child's play.

Jim Hubbard
jimh@dyersinc.com
Jim Hubbard wrote:
> ...
> > Personally, if you are running standard POP3 over the Internet, I
> > think you
> > are:
> > a) crazy,
> > b) an ISP, or
> > c) both of the above. :-)
> > I know users like it, but it really is quite insecure.
> >
>
> Thanks for the wakeup call. I still consider myself a Linux newbie, and I'm
> still learning. I tend to concentrate on getting a service to work first
> and learn how to secure it later. So "ignorant", in this case, is probably a
> better description. If you have any good links for implementing secure POP3
> please let me know.

As Tom said, implement a VPN. Or tunnel it in SSL with stunnel (comes with Red Hat and maybe other distros). Netscape and Outlook both support POP3 over SSL.

> > Personally, I don't feel that the 3 NIC model actually offers much more
> > protection than what you've got, since you would only have to compromise
> > one system (the firewall) to gain access to the entire network, whereas
> > your current model requires that two systems (the router and the Linux
> > server) be compromised, unless the Linux box is compromised through the
> > port-forwarded services.
>
> It's not that the hardware router I have is insecure, it's just that I don't
> really know (and can't control) how secure it is.

That's a good point. (I love free software. :-)

> ...
> Using one Linux system as a
> router and having a second running web and mail services in a "dmz" zone
> physically separate from the rest of the LAN would seem to be much better
> and offer more control.

Yep - fair enough. Seems a bit of a waste of that router, but you're probably right that it's more secure and offers better control.

Paul
http://paulgear.webhop.net
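The stunnel approach Paul mentions, as an added example that is not from the thread or the stunnel project: stunnel on Jim's server accepts POP3 over SSL on 995 and hands the decrypted session to the existing POP3 daemon on 110, so the cleartext leg never leaves the box. It assumes stunnel 4's configuration-file syntax (the stunnel 3.x that shipped with Red Hat then takes the same settings as command-line options, shown in a comment), a placeholder certificate path, and that the Netgear forwards 995 the way it forwards 110 today.

```text
# /etc/stunnel/stunnel.conf -- server side: wrap the cleartext POP3
# daemon already listening on 110 in SSL on 995 (POP3S)
cert   = /etc/stunnel/stunnel.pem   # server cert + key; placeholder path
setuid = nobody                     # drop privileges after binding 995
setgid = nobody
pid    = /var/run/stunnel.pid

[pop3s]
accept  = 995            # the port Netscape/Outlook "POP3 over SSL" uses
connect = 127.0.0.1:110  # loopback only: the plaintext leg stays on-host

# stunnel 3.x equivalent (one command line, no config file):
#   stunnel -d 995 -r 127.0.0.1:110 -p /etc/stunnel/stunnel.pem
#
# Firewall side of the change: forward 995 on the Netgear, allow it in
# /etc/shorewall/rules, and stop allowing 110 from the net zone so only
# LAN users (and stunnel via loopback) still reach cleartext POP3:
#   ACCEPT  net  fw  tcp  995
#   ACCEPT  loc  fw  tcp  110
```

Passwords still travel in the clear between the LAN clients and port 110, so this only closes the Internet exposure Paul is objecting to; the LAN side stays as it is unless those clients are moved to 995 as well.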