I would like to know if this will work. I have a computer that is on a LAN, but is not behind a firewall. I have a minimal RH install on it, and I'd like to use Shorewall to configure a firewall on this machine. I have two dial-in users that connect to this computer 24/7. Each of these users runs a firewall, so I want them to control traffic in/out of their LANs. So what I want with this machine is that all packets to the firewall zone will be dropped. But, if they are for either ppp client, which is the PPP zone, then I would like them to be accepted.

interfaces
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      norfc1918,routefilter
ppp     ppp+

zones
#ZONE   DISPLAY   COMMENTS
net     Net       Internet
ppp     PPP       dialin users

policy
#SOURCE   DEST   POLICY   LOG LEVEL   LIMIT:BURST
fw        net    ACCEPT
net       ppp    ACCEPT
ppp       net    ACCEPT
net       all    DROP     info
all       all    REJECT   info

rules
#ACTION   SOURCE   DEST   PROTO   DEST      SOURCE    ORIGINAL
#                                 PORT      PORT(S)   DEST
ACCEPT    net      fw     tcp     22
ACCEPT    ppp      fw     icmp    8
ACCEPT    ppp      fw     tcp     22

--
DAvid
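As an added example (not from the thread or from Shorewall itself), the following POSIX shell script applies Shorewall's evaluation order to David's policy and rules tables: the rules file is consulted first and a matching rule wins, otherwise the zone pair falls through to the first matching policy line, where "all" is a wildcard. It is a simplified model (exact-match on protocol and port, no $FW alias, no port ranges) meant to show why the "net all DROP" line must precede "all all REJECT" and why ppp->fw traffic other than ssh and ping ends up rejected; the tables are constructed copies of the ones posted above, embedded inline.

```shell
#!/bin/sh
# Constructed copies of David's policy and rules tables (embedded so the script runs offline).
POLICY_FILE=$(mktemp); RULES_FILE=$(mktemp)
cat >"$POLICY_FILE" <<'EOF'
#SOURCE  DEST  POLICY  LOG_LEVEL
fw       net   ACCEPT
net      ppp   ACCEPT
ppp      net   ACCEPT
net      all   DROP    info
all      all   REJECT  info
EOF
cat >"$RULES_FILE" <<'EOF'
#ACTION  SOURCE  DEST  PROTO  DEST_PORT
ACCEPT   net     fw    tcp    22
ACCEPT   ppp     fw    icmp   8
ACCEPT   ppp     fw    tcp    22
EOF

# policy_for SRC DST: print the POLICY of the first matching line.
# "all" matches any zone, so line order decides which policy applies.
policy_for() {
    while read -r s d p rest; do
        case "$s" in ''|\#*) continue ;; esac   # skip blank and comment lines
        if { [ "$s" = "$1" ] || [ "$s" = all ]; } &&
           { [ "$d" = "$2" ] || [ "$d" = all ]; }; then
            printf '%s\n' "$p"; return 0
        fi
    done <"$POLICY_FILE"
    printf 'NONE\n'; return 1                  # no policy line matched at all
}

# action_for SRC DST PROTO PORT: rules take precedence over policies.
# A rule matches only on exact source zone, dest zone, protocol and port here.
action_for() {
    while read -r a s d proto port rest; do
        case "$a" in ''|\#*) continue ;; esac
        if [ "$s" = "$1" ] && [ "$d" = "$2" ] &&
           [ "$proto" = "$3" ] && [ "$port" = "$4" ]; then
            printf '%s\n' "$a"; return 0
        fi
    done <"$RULES_FILE"
    policy_for "$1" "$2"                       # no rule: fall through to policy
}

# ssh from a ppp client is accepted by a rule; http from a ppp client has no rule and
# no ppp->fw policy line, so it hits the "all all REJECT" catch-all; http from the
# net hits "net all DROP" because that line comes first.
action_for ppp fw tcp 22    # ACCEPT
action_for ppp fw tcp 80    # REJECT
action_for net fw tcp 80    # DROP
```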
On Fri, 7 Nov 2003, David Hoffman wrote:

> Each of these users runs a firewall, so I want them to control traffic
> in/out of their LANs. So what I want with this machine is that all
> packets to the firewall zone will be dropped. But, if they are for
> either ppp client, which is the PPP zone, then I would like them to
> be accepted.
>
> interfaces
> #ZONE   INTERFACE   BROADCAST   OPTIONS
> net     eth0        detect      norfc1918,routefilter
> ppp     ppp+
>

If you wish for the dial-in users to be able to communicate among themselves, you need to change the above line to:

    ppp     ppp+        -           routeback

and if you are using recent 1.4.6/7/8 Shorewall, you must modify /usr/share/shorewall/firewall as follows:

In the function "validate_interface_file()", change:

    interface=`chain_base $interface`

    eval ${interface}_broadcast="$subnet"
    eval ${interface}_zone="$z"
    eval ${interface}_options=\"$options\"

to

    iface=`chain_base $interface`

    eval ${iface}_broadcast="$subnet"
    eval ${iface}_zone="$z"
    eval ${iface}_options=\"$options\"

In other words, replace "interface" with "iface" in those four lines.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
>On Fri, 7 Nov 2003, David Hoffman wrote:
>
>> Each of these users runs a firewall, so I want them to control traffic
>> in/out of their LANs. So what I want with this machine is that all
>> packets to the firewall zone will be dropped. But, if they are for
>> either ppp client, which is the PPP zone, then I would like them to
>> be accepted.
>>
>> interfaces
>> #ZONE   INTERFACE   BROADCAST   OPTIONS
>> net     eth0        detect      norfc1918,routefilter
>> ppp     ppp+
>>
>
>If you wish for the dial-in users to be able to communicate among
>themselves, you need to change the above line to:
>
>    ppp     ppp+        -           routeback

The dial-in users have nothing to do with each other, and simply are connecting to the machine as if it's an ISP. I don't need to change the ppp interface line in that case, do I?

>
>and if you are using recent 1.4.6/7/8 Shorewall, you must modify
>/usr/share/shorewall/firewall as follows:
>
>In the function "validate_interface_file()", change:
>
>    interface=`chain_base $interface`
>
>    eval ${interface}_broadcast="$subnet"
>    eval ${interface}_zone="$z"
>    eval ${interface}_options=\"$options\"
>
>to
>
>    iface=`chain_base $interface`
>
>    eval ${iface}_broadcast="$subnet"
>    eval ${iface}_zone="$z"
>    eval ${iface}_options=\"$options\"
>
>In other words, replace "interface" with "iface" in those four lines.

Does the above still apply, even if I'm not going to change the ppp interface line?

--
DAvid
On Fri, 7 Nov 2003, David Hoffman wrote:

> >On Fri, 7 Nov 2003, David Hoffman wrote:
> >
> >> Each of these users runs a firewall, so I want them to control traffic
> >> in/out of their LANs. So what I want with this machine is that all
> >> packets to the firewall zone will be dropped. But, if they are for
> >> either ppp client, which is the PPP zone, then I would like them to
> >> be accepted.
> >>
> >> interfaces
> >> #ZONE   INTERFACE   BROADCAST   OPTIONS
> >> net     eth0        detect      norfc1918,routefilter
> >> ppp     ppp+
> >>
> >
> >If you wish for the dial-in users to be able to communicate among
> >themselves, you need to change the above line to:
> >
> >    ppp     ppp+        -           routeback
>
> The dial-in users have nothing to do with each other, and simply are
> connecting to the machine as if it's an ISP. I don't need to change
> the ppp interface line in that case, do I?

Well, different clients of an ISP are permitted to connect to each other, are they not?

> >
> >and if you are using recent 1.4.6/7/8 Shorewall, you must modify
> >/usr/share/shorewall/firewall as follows:
> >
> >In the function "validate_interface_file()", change:
> >
> >    interface=`chain_base $interface`
> >
> >    eval ${interface}_broadcast="$subnet"
> >    eval ${interface}_zone="$z"
> >    eval ${interface}_options=\"$options\"
> >
> >to
> >
> >    iface=`chain_base $interface`
> >
> >    eval ${iface}_broadcast="$subnet"
> >    eval ${iface}_zone="$z"
> >    eval ${iface}_options=\"$options\"
> >
> >In other words, replace "interface" with "iface" in those four lines.
>
> Does the above still apply, even if I'm not going to change the ppp
> interface line?

No.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
>On Fri, 7 Nov 2003, David Hoffman wrote:
>
>> Each of these users runs a firewall, so I want them to control traffic
>> in/out of their LANs. So what I want with this machine is that all
>> packets to the firewall zone will be dropped. But, if they are for
>> either ppp client, which is the PPP zone, then I would like them to
>> be accepted.
>>
>> interfaces
>> #ZONE   INTERFACE   BROADCAST   OPTIONS
>> net     eth0        detect      norfc1918,routefilter
>> ppp     ppp+
>>
>
>If you wish for the dial-in users to be able to communicate among
>themselves, you need to change the above line to:
>
>    ppp     ppp+        -           routeback

I think I fired off my last question too quickly. So what you are saying is that if one dial-in user wants to access a web site that the other dial-in user is hosting (or something like that), then I need to change the line as above?

--
DAvid
On Fri, 7 Nov 2003, David Hoffman wrote:

> >On Fri, 7 Nov 2003, David Hoffman wrote:
> >
> >> Each of these users runs a firewall, so I want them to control traffic
> >> in/out of their LANs. So what I want with this machine is that all
> >> packets to the firewall zone will be dropped. But, if they are for
> >> either ppp client, which is the PPP zone, then I would like them to
> >> be accepted.
> >>
> >> interfaces
> >> #ZONE   INTERFACE   BROADCAST   OPTIONS
> >> net     eth0        detect      norfc1918,routefilter
> >> ppp     ppp+
> >>
> >
> >If you wish for the dial-in users to be able to communicate among
> >themselves, you need to change the above line to:
> >
> >    ppp     ppp+        -           routeback
>
> I think I fired off my last question too quickly. So what you are
> saying is that if one dial-in user wants to access a web site that
> the other dial-in user is hosting (or something like that), then I
> need to change the line as above?
>

That's what I'm saying.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
>On Fri, 7 Nov 2003, David Hoffman wrote:
>
>> Each of these users runs a firewall, so I want them to control traffic
>> in/out of their LANs. So what I want with this machine is that all
>> packets to the firewall zone will be dropped. But, if they are for
>> either ppp client, which is the PPP zone, then I would like them to
>> be accepted.
>>
>> interfaces
>> #ZONE   INTERFACE   BROADCAST   OPTIONS
>> net     eth0        detect      norfc1918,routefilter
>> ppp     ppp+
>>
>
>If you wish for the dial-in users to be able to communicate among
>themselves, you need to change the above line to:
>
>    ppp     ppp+        -           routeback
>
>and if you are using recent 1.4.6/7/8 Shorewall, you must modify
>/usr/share/shorewall/firewall as follows:
>
>In the function "validate_interface_file()", change:
>
>    interface=`chain_base $interface`
>
>    eval ${interface}_broadcast="$subnet"
>    eval ${interface}_zone="$z"
>    eval ${interface}_options=\"$options\"
>
>to
>
>    iface=`chain_base $interface`
>
>    eval ${iface}_broadcast="$subnet"
>    eval ${iface}_zone="$z"
>    eval ${iface}_options=\"$options\"
>
>In other words, replace "interface" with "iface" in those four lines.

I just upgraded to 1.4.8 after posting my question, and it looks like the changes you said I needed to make to /usr/share/shorewall/firewall have been taken care of in 1.4.8. That's a bit confusing, since you said that if I was using 1.4.6/7/8 that I'd need to make the change. Was that a typo?
On Sun, 9 Nov 2003, David Hoffman wrote:

>
> I just upgraded to 1.4.8 after posting my question, and it looks like
> the changes you said I needed to make to
> /usr/share/shorewall/firewall have been taken care of in 1.4.8.
> That's a bit confusing, since you said that if I was using 1.4.6/7/8
> that I'd need to make the change. Was that a typo?

No -- at the time that I typed that last week, 1.4.8 final hadn't been released yet. Both -RC1 and -RC2 which *were* available when I typed my response *did* require modification.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
I have a small remote network set up and connected to my main network via an IPSEC tunnel with FreeS/WAN. My shorewall server on the main network is also the IPSEC gateway. I set the FreeS/WAN ipsec.conf on the remote network to force all traffic to the main network by specifying the main network's subnet as 0.0.0.0/0. I did this because I want to force the remote subnet to use the main network's internet connection for access to the outside world. All traffic is being directed to the main network from the remote network.

After adding the appropriate policies I can access any zone on the main network from the remote network, except the net (internet) zone. I do have proxyarp running on the box at the main network, but it doesn't seem to be an issue from following the instructions of the possible work around contained in the documentation.

Any ideas?

Main config files

Interfaces
--------------------
net   eth0     detect   norfc1918,routefilter,logunclean,blacklist,tcpflags,routeback
dmz   eth1     detect
loc   eth4     detect   routefilter
vpn   ipsec0   -

Masq
----------------------
eth0   eth4

Policy
----------------------
loc   net   DROP     info
net   all   DROP     info
all   all   REJECT   info
loc   vpn   ACCEPT   -
vpn   loc   ACCEPT   -
vpn   net   ACCEPT   -
vpn   dmz   ACCEPT   -
vpn   $FW   ACCEPT   -
all   all   REJECT   info

Tunnels
--------------------
ipsec   net   68.52.82.127   -

Zones
---------------------
net   Net     Internet
loc   Local   Local networks
dmz   DMZ     Demilitarized zone
vpn   VPN     VPN

Ipsec.conf
--------------------
conn home-work
    authby=rsasig
    auto=start
    left=69.21.239.19
    leftid=@thomas.lavergne.org
    leftnexthop=%defaultroute
    leftrsasigkey=0sAQO....
    leftsubnet=0.0.0.0/0
    right=68.52.82.127
    rightid=@work.lavergne.org
    rightnexthop=68.52.80.1
    rightrsasigkey=0sAQN...
    rightsubnet=10.10.10.0/24

Remote config files

Interfaces
--------------
net   eth0     detect   dhcp,routefilter,norfc1918
loc   eth1     detect
vpn   ipsec0

Policy
--------------
loc   net   ACCEPT
net   all   DROP     info
loc   vpn   ACCEPT
vpn   loc   ACCEPT
all   all   REJECT   info

Tunnels
--------------
ipsec   net   69.21.239.19

Zones
-------------
net   Net     Internet
loc   Local   Local
vpn   Work

Ipsec.conf
------------------
conn home-work
    authby=rsasig
    auto=start
    left=69.21.239.19
    leftid=@thomas.lavergne.org
    leftnexthop=%defaultroute
    leftrsasigkey=0sAQO....
    leftsubnet=0.0.0.0/0
    right=68.52.82.127
    rightid=@work.lavergne.org
    rightnexthop=68.52.80.1
    rightrsasigkey=0sAQN...
    rightsubnet=10.10.10.0/24

The rules file for the main network is extensive so I haven't included it here (I can if necessary). I have no rules regarding the VPN in it at all.

Thanks much,
Thomas
On Mon, 10 Nov 2003, Thomas Reed wrote:

>
> Masq
> ----------------------
> eth0   eth4

If the remote network uses RFC1918 addresses then you need to masquerade them to the net. Given the way that IPSEC works, you will not be able to enter 'ipsec0' in the second column but will rather have to list the remote subnet(s) explicitly.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Worked great! Thanks for the info and a great product.

Thomas

-----Original Message-----
From: shorewall-users-bounces@lists.shorewall.net [mailto:shorewall-users-bounces@lists.shorewall.net] On Behalf Of Tom Eastep
Sent: Monday, November 10, 2003 9:19 AM
To: Shorewall Users Mailing List
Subject: Re: [Shorewall-users] Routing IPSEC

On Mon, 10 Nov 2003, Thomas Reed wrote:

>
> Masq
> ----------------------
> eth0   eth4

If the remote network uses RFC1918 addresses then you need to masquerade them to the net. Given the way that IPSEC works, you will not be able to enter 'ipsec0' in the second column but will rather have to list the remote subnet(s) explicitly.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

_______________________________________________
Shorewall-users mailing list
Post: Shorewall-users@lists.shorewall.net
Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
Support: http://www.shorewall.net/support.htm
FAQ: http://www.shorewall.net/FAQ.htm