On Thursday 11 March 2004 07:12 pm, Bhavin Modi wrote:
> Hi,
>
> I am configuring shorewall on a proxy with 3 NICs, two of which connect
> to two class C public networks. One NIC is for the LAN, one connects to the class C
> for provider 1 and another connects to the class C from provider 2.
>
> I have to setup a proxy to allow only few ports(53,20,21,80,443) on both
> the DMZs(class C networks), but everything on internet through any of the
> T1s to the local network.
>
> The problem is that the management has decided to give internet access to
> people(mostly doctors) in the building.
Which we later learn is the zone 'tcm'.
> They will be on a different pvt.
> network (different zone on shorewall). The access between different pvt.
> networks will be controlled by the proxy.
Below we see that, given the topology, the proxy really can't do that.
> A few people in the building also
> want their local servers to be accessible from outside, and they also don't
> want to move their servers into our DMZ. I can do an SNAT to their local IP
> through the proxy, so they don't have to change anything and they will
> handle the security issue on their own (TOM's fox-hen case).
I believe you meant DNAT.
> My concern is
> the security on our DMZs which are connected to the proxy and our LAN.
>
> The network is something like this.
>
>
> LAN ---- Proxy/Firewall
>
>
> xxx.xxx.xxx.10 ------------ Firewall1 ----- ISP1 (live /24
> network)
>
> | |__ DMZ1
>
> yyy.yyy.yyy.10 ------------- Firewall2----- ISP1 (live /24
> network)
>
> |__ DMZ2
>
> xxx.xxx.xxx.10 and yyy.yyy.yyy.10 are part of the same Class C as DMZ
I'm guessing that xxx.xxx.xxx.10 and yyy.yyy.yyy.10 are IP addresses of
interfaces on the "Proxy/Firewall"?
Above, I see DMZ1 and DMZ2, which appear to be two DMZs, yet now you use the
word DMZ.
> so I
> think any access to the same class C through proxy bypasses firewall.
> yyy.yyy.yyy.10 is the gateway on proxy for internet access which I can
> change to route internet access through either of the firewalls.
I don't understand that at all. Now I'm really confused as to what
xxx.xxx.xxx.10 and yyy.yyy.yyy.10 are...
>
> I think the setup is really poor, but I am new to this and confused about
> how to create zones or change the total system with minimum downtime.
> Firewall1 and Firewall2 both run shorewall and I cannot play with it as it
> has many services running.
>
> The firewalls connecting to the ISPs have only two NICs.
Then how are we to interpret the THREE lines coming out of each "firewall" box
in your diagram?
>
> loc is 192.168.1.0/24
> tcm is 192.168.2.0/30
>
I've moved the hosts and interfaces files up here where we can better
understand your setup.
> ------------------------------
> Hosts:
> loc eth0:$LOC
> tcm eth0:$TCM
> ------------------------------
> Interfaces:
> - eth0 192.168.1.255,192.168.2.3 dropunclean,tcpflags
Ok -- so 'loc' and 'tcm' are two networks off of eth0. But only one of those
networks (192.168.2.0/30) is "building". So these are the "private networks"
that you mention above? Since they are connected to the same LAN, if any of
the people using systems on those LANs have administrative privileges on
their systems then you have at best "security by obscurity" between 'loc' and
'tcm'.
> net eth1 xxx.xxx.xxx.255
> norfc1918,dropunclean,blacklist,tcpflags,newnotsyn
> net eth2 yyy.yyy.yyy.255
> norfc1918,dropunclean,blacklist,tcpflags,newnotsyn
> Currently the policy is:
> net fw DROP info
> net net DROP info
> loc net CONTINUE info
> tcm net CONTINUE info (tcm is the local
> network in the building, outside of our office.)
I don''t understand the point of the CONTINUE policies.
> fw all ACCEPT info
> all all REJECT info
> ----------------------------
> Rules:
> ### Rules for loc -> fw
> ACCEPT loc fw udp 53 -
> ACCEPT loc fw tcp 53 -
>
> ### Rules for tcm -> fw
> ACCEPT tcm fw udp 53 -
> ACCEPT tcm fw tcp 53 -
>
> ### Rules for loc -> net
> # REDIRECT HTTP TO SQUID
> REDIRECT loc 3128 tcp 80 - !$LOC,$TCM,$DMZ
> # Allow everything on net except dmz network
> ACCEPT loc net:!$DMZ all -
> ($DMZ is xxx.xxx.xxx.xxx/24,yyy.yyy.yyy.yyy/24)
>
> ### Rules for tcm -> net
> # REDIRECT HTTP TO SQUID
> REDIRECT tcm 3128 tcp 80 - !$LOC,$TCM,$DMZ
> # Allow everything on net except dmz network
> ACCEPT tcm net:!$DMZ all -
That rule doesn't work!!! It is equivalent to:
ACCEPT tcm net:!xxx.xxx.xxx.xxx/24 all
ACCEPT tcm net:yyy.yyy.yyy.yyy/24 all
You rather want:
REJECT tcm net:$DMZ all
ACCEPT tcm net all
And you want those rules at the end.
>
> ### Rules for net -> tcm (for SNAT)
DNAT...
> ACCEPT:info net tcm:$TCMSERVER tcp 80 -
> ($TCMSERVER is the pvt. IP on tcm's network)
> ACCEPT:info net tcm:$TCMSERVER tcp 20 -
> ACCEPT:info net tcm:$TCMSERVER tcp 21 -
> ACCEPT:info net tcm:$TCMSERVER tcp 22 -
So where is the DNAT taking place -- on the firewalls?
>
> ### Rules for services on network
> # DNS
> ACCEPT all net:$DMZ udp 53
> ACCEPT all net:$DMZ tcp 53
> # HTTP/HTTPS
> ACCEPT all net:$DMZ tcp 80
> ACCEPT all net:$DMZ tcp 443
> # FTP
> ACCEPT all net:$DMZ tcp 21
> ACCEPT all net:$DMZ tcp 20
> # SMTP/POP3/IMAP
> ACCEPT all net:$DMZ tcp 25
> ACCEPT all net:$DMZ tcp 110
> ACCEPT all net:$DMZ tcp 143
> # JABBER
> ACCEPT all net:$DMZ tcp 5222
> ACCEPT all net:$DMZ tcp 5223
>
> ### Rules for net:dmz -> fw
> # SSH
> ACCEPT net:$DMZ fw tcp 22 -
> # DNS
> ACCEPT net:$DMZ fw udp 53 -
> ACCEPT net:$DMZ fw tcp 53 -
>
> ### Rules for ping for all zones
> ACCEPT loc:$ADMIN all icmp 8
> ACCEPT tcm fw:$TCM icmp 8
> -----------------------------
> Masq:
> eth1 $LOC
> eth2 $LOC
> eth1 $TCM
> eth2 $TCM
> ----------------------------
>
> I am sorry for the length of this email, but the security concern is
> forcing me to write it.
>
I'm afraid I still don't understand your network topology well enough to
comment.
-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
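The point Tom makes about `ACCEPT tcm net:!$DMZ all` is easy to miss: the `!` attaches only to the first element of the comma-separated list, so the rule expands into one rule that accepts everything outside the first /24 and a second rule that accepts the second /24 outright, and the second DMZ is reachable. The following Python model, added here as an illustration and not part of the original mail or of Shorewall itself, expands destination lists that way and walks the expanded rules in first-match order, so the broken and corrected rule sets can be compared on concrete addresses. The two /24 networks and the test addresses are constructed placeholders standing in for xxx.xxx.xxx.0/24 and yyy.yyy.yyy.0/24; the expansion semantics are taken from Tom's statement above, not from Shorewall's source.

```python
"""Model of a negated, comma-separated destination list in a Shorewall rule.

Example code added to this thread; not from the original mail or from
Shorewall. It implements the expansion Tom Eastep describes: each element
of the list becomes its own iptables rule, and a leading '!' negates only
the single element it precedes.
"""
import ipaddress

# Constructed placeholders for the two DMZ class C networks ($DMZ in the mail).
NETS = {
    "DMZ1": ipaddress.ip_network("198.51.100.0/24"),  # stands in for xxx.xxx.xxx.0/24
    "DMZ2": ipaddress.ip_network("203.0.113.0/24"),   # stands in for yyy.yyy.yyy.0/24
}


def expand_dest(spec):
    """Turn a destination spec such as '!DMZ1,DMZ2' into per-rule matches.

    Returns a list of (negated, network) pairs, one per list element, in the
    order Shorewall would emit them. An empty spec means 'any destination'.
    """
    if not spec:
        return [(False, None)]
    expanded = []
    for token in spec.split(","):
        negated = token.startswith("!")      # '!' only applies to this element
        expanded.append((negated, NETS[token.lstrip("!")]))
    return expanded


def evaluate(rules, dest, policy="POLICY"):
    """Return the action taken for a packet to `dest`.

    `rules` is a list of (action, dest_spec) in file order. Each rule is
    expanded and the expanded rules are tried in order; the first one that
    matches wins, exactly as the generated iptables chain would behave. If
    nothing matches, the zone policy applies (returned as `policy`).
    """
    addr = ipaddress.ip_address(dest)
    for action, spec in rules:
        for negated, net in expand_dest(spec):
            if net is None:
                return action                 # unconditional match
            if (addr in net) != negated:      # XOR: in-net, or negated and not in-net
                return action
    return policy


# The rule as posted: ACCEPT tcm net:!$DMZ all
BROKEN_RULES = [("ACCEPT", "!DMZ1,DMZ2")]

# Tom's correction: REJECT tcm net:$DMZ all, then ACCEPT tcm net all
FIXED_RULES = [("REJECT", "DMZ1,DMZ2"), ("ACCEPT", "")]


def compare(dest):
    """Actions taken by the broken and the fixed rule sets for one address."""
    return evaluate(BROKEN_RULES, dest), evaluate(FIXED_RULES, dest)


if __name__ == "__main__":
    # Constructed sample destinations: one host in each DMZ, one on the Internet.
    for host in ("198.51.100.8", "203.0.113.8", "192.0.2.1"):
        broken, fixed = compare(host)
        print(f"{host:>14}: posted rule -> {broken:7}  corrected rules -> {fixed}")
```

Running the block shows the leak: a host in the second DMZ is accepted by the posted rule because the `!DMZ1` element already matches it, while the corrected `REJECT` / `ACCEPT` pair rejects both DMZs and still lets ordinary Internet traffic through. This is also why Tom wants those two rules at the end of the file: a blanket `ACCEPT tcm net all` placed earlier would match before the `REJECT` and reopen the hole.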