SOHO Firewalls using Shorewall Tom Eastep April 12, 2003
Agenda • About the author • History • Traditional SOHO Firewalls • Features of Shorewall • Prerequisites for using Shorewall • Shorewall Concepts • Using Shorewall to implement a simple two-interface firewall • Other Applications of Shorewall • What Shorewall won’t do • Q&A
About the Author • Native of Washington State • Degrees from WSU and UW (Mathematics) • Worked for computer manufacturers since 1969 • Burroughs (1969-1980) • Tandem/Compaq/HP (1980-Present) • Primary emphasis on middleware • Live in west Shoreline (telecommuter) • Currently architect for a large OS project
History of Shorewall • Tandem Computers, Inc. was acquired by Compaq in 1997. • Tandem occupied more attractive real estate than did Compaq. • Tandem telecommuters were “sent home” to work and Compaq moved in (early 1998). • Frame Relay intranet connectivity: • Slow (64 kbps) • Expensive • Personal Internet connectivity via dial-up.
History (continued) • As a cost-reduction measure, Compaq began switching telecommuters to DSL/Cable modem in 1999. • I needed a firewall (inexpensive firewall appliances weren’t available until much later). • I had been playing with Linux (circa RH5.0). • Wrote “Seattle Firewall” (seawall). • Version 1.0 – November 1999. • Front end for ‘ipchains’. • “Traditional” SOHO Firewall
Traditional SOHO Firewalls • Outside (Internet) • Untrusted • Public IP Address(es) • Inside (Local LAN) • Trusted • Often use private (RFC 1918) IP addresses • Demilitarized Zone (DMZ) • Distrusts the Outside • Distrusted by Inside
Basic Two-interface Firewall (no DMZ) • Connects to ISP using DSL, Cable Modem, ISDN, Dial-up, … • Provides for “Internet Connection Sharing” of a single public IP address for a local network using SNAT/Masquerading
Basic Two-interface Firewall (continued) • “Port Forwarding” can be used to allow internet-accessible servers to be run on the local network. • If a server is hacked, then the local network is compromised.
Three-interface Firewall (with DMZ) • Provides internet connection sharing of one or more public IP addresses. • Has a DMZ containing servers that are exposed to the internet. • If a server is hacked, the Firewall and the Local network aren’t compromised.
Problem with Traditional SOHO Firewalls like Seawall • Inflexibility. • “Still, it is an error to argue in front of your data. You find yourself insensibly twisting them round to fit your theories” • Holmes to Watson • With Seawall, I found myself “insensibly twisting round” the user’s problem to fit Seawall’s solution. • The principal reasons for the inflexibility are: • Support for a limited set of network topologies • Policies are built into the firewall software itself.
Shorewall – What is it? • Tool for configuring Netfilter (packet filtering capability built into the 2.4 Linux Kernels). • Allows firewall solution to be expressed using a high level of abstraction • Implemented as a set of shell programs
Shorewall Features • Uses Netfilter's connection tracking facilities for stateful packet filtering. • Can be used in a wide range of router/firewall/gateway applications. • Completely customizable using configuration files. • No limit on the number of network interfaces. • Allows you to partition the network into zones and gives you complete control over the connections permitted between each pair of zones. • Multiple interfaces per zone and multiple zones per interface permitted. • Supports nested and overlapping zones. • QuickStart Guides (HOWTOs) to help get your first firewall up and running quickly • A GUI is available via Webmin 1.060 and later (http://www.webmin.com) • Extensive documentation included in the .tgz and .rpm downloads. • Flexible address management/routing support (and you can use all types in the same firewall): • Masquerading/SNAT • Port Forwarding (DNAT) • Static NAT. • Proxy ARP. • Simple host/subnet Routing • Blacklisting of individual IP addresses and networks is supported. Also blacklisting of certain connection types.
Features (continued – 2 of 2) • Operational support: • Commands to start, stop and clear the firewall • Supports status monitoring with an audible alarm when an "interesting" packet is detected. • Wide variety of informational commands. • VPN Support • IPSEC, GRE, IPIP and OpenVPN tunnels. • PPTP clients and servers. • Support for Traffic Control/Shaping integration. • Wide support for different GNU/Linux Distributions. • RPM and Debian packages available. • Includes automated install, upgrade, fallback and uninstall facilities for users who can't use or choose not to use the RPM or Debian packages. • Included as a standard part of LEAF/Bering (router/firewall on a floppy, CD or compact flash). • Media Access Control (MAC) Address Verification • Selectively disable ECN (RFC 3168) to remote hosts or networks
Prerequisites • A kernel that supports netfilter. I've tested with 2.4.2 - 2.4.20. 2.4.20 required for full functionality. • iptables 1.2 or later but beware version 1.2.3. Version 1.2.7a required for full functionality. • iproute ("ip" utility). The iproute package is included with most distributions but may not be installed by default. The official download site is ftp://ftp.inr.ac.ru/ip-routing. • A Bourne shell or derivative such as bash or ash. This shell must have correct support for the variable expansion formats ${variable%pattern}, ${variable%%pattern}, ${variable#pattern} and ${variable##pattern}. • The firewall monitoring display is greatly improved if you have awk (gawk) installed.
Shorewall Concepts - 1 of 2 • No restrictions on network topology • No Shorewall-defined limit on the number of network interfaces. • No built-in notion of concepts like “Internet”, “Local Network” and “DMZ”. • No policies are built into Shorewall • Any firewall-enforced policy can be configured by the user • Configuration via text files in /etc/shorewall/ • “Extension Scripts” to meet needs that the author hasn’t anticipated
Shorewall Concepts - 2 of 2 • Result is great flexibility • Ease of use is achieved using QuickStart Guides with accompanying sample configurations. • Lots of Documentation
Zone Based • Shorewall sees the network that it is a part of as consisting of a set of zones • The firewall itself comprises the zone called ‘fw’ (default value of variable $FW). • Zones other than $FW are defined in /etc/shorewall/zones
Zone Based (continued – 2 of 4) • Simplest model is one zone per firewall network interface. Defined in /etc/shorewall/interfaces. • Zones are normally disjoint but may be overlapping or nested. These are defined in /etc/shorewall/hosts.
Zone Based (continued – 3 of 4) • Shorewall assigns no meaning to zone names (1-5 characters) • Shorewall allows you to specify a policy for connections between each pair of zones: • ACCEPT (allow) • REJECT (disallow) • DROP (ignore – stealth) • Policies are defined in /etc/shorewall/policy
Zone Based (continued – 4 of 4) • Rules are exceptions to policy and are defined in /etc/shorewall/rules. • Example: • Policy: Z1 Z2 REJECT • Rule: ACCEPT Z1 Z2 tcp telnet
Documentation: QuickStart Guides • http://www.shorewall.net/quickstart_guide.htm • Single External IP Address • Standalone • Two-interface • Three-interface • Multiple External IP Addresses • Setup Guide (also networking concepts intro) • Documentation Index (for rest of documentation)
Simple two-interface firewall: Overview – 1 of 13 • Linux system used as a firewall/router for a small local network. • Single public IP address. • Internet connection through cable modem, DSL, ISDN, Frame Relay, dial-up ...
Simple two-interface firewall: Install Shorewall – 2 of 13 • Install the Shorewall software using the .rpm or .tgz. • Print a copy of the Two-interface QuickStart Guide (http://www.shorewall.net/two-interface.htm)
Simple two-interface firewall: Install Sample configuration – 3 of 13 • Download the two-interface sample configuration files from http://www.shorewall.net/LATEST.samples/two-interface.tgz. • Un-tar the samples (tar -zxf two-interfaces.tgz) • Replace the files in /etc/shorewall with those from the sample (cp -f two-interfaces/* /etc/shorewall).
Simple two-interface firewall: /etc/shorewall/zones – 4 of 13 • /etc/shorewall/zones file contains definitions for two zones: • net Net Internet • loc Local Local networks • First column is the short name of the zone used in the configuration files. • Second column is the “Display Name” • Rest is commentary
Simple two-interface firewall: /etc/shorewall/policy – 5 of 13 • Change policy file as desired • loc net ACCEPT • #fw net ACCEPT • net all DROP • all all REJECT • First policy to match is used • Uncomment second line for unlimited fw->net access • Add “fw loc ACCEPT” and “loc fw ACCEPT” to make fw part of local net
Simple two-interface firewall: /etc/shorewall/interfaces – 6 of 13 • Change /etc/shorewall/interfaces as necessary • net eth0 detect dhcp,routefilter,norfc1918 • loc eth1 detect • First column is zone name • Second is interface name • Third column is broadcast address (detect means Shorewall will detect it) • Fourth column is list of options
Simple two-interface firewall: Local network addressing – 7 of 13 • RFC 1918 reserves private address ranges • 10.0.0.0 to 10.255.255.255 • 172.16.0.0 to 172.31.255.255 • 192.168.0.0 to 192.168.255.255 • These addresses are used within your local network • The internet backbone routers don’t route to these non-routable addresses. • See http://www.shorewall.net/shorewall_setup_guide.htm#Addressing • Default gateway for Computer 1 & 2 is 10.10.10.254 (local IP address of the firewall). • Use 255.255.255.0 for subnet mask.
Simple two-interface firewall: SNAT/Masquerading – 8 of 13 • “Source Network Address Translation” • Internal system connects to an External Host • Firewall rewrites the source IP address in the request to be the IP address of its external interface. Necessary because the internal system uses a private IP. • When responses are received, the destination IP address is rewritten back to the address of the internal system.
Simple two-interface firewall: SNAT/Masquerade – 9 of 13 • /etc/shorewall/masq file: • eth0 eth1 • First column is external interface • Second column is internal interface (can also be specified as a host or network address – in our case 10.10.10.0/24) • Third column is SNAT address. If left blank, Masquerading will be used (best if you have a dynamic public IP address)
Simple two-interface firewall: DNAT/Port Forwarding – 10 of 13 • “Destination Network Address Translation” • When a connection request is received, its destination IP address is changed to the IP address of an internal server (the port number can also be changed). • When the server replies, the Source IP address is rewritten to be the external IP address of the firewall.
Simple two-interface firewall: Port Forwarding (DNAT) – 11 of 13 • Suppose we want to run a web server on Computer 1 • /etc/shorewall/rules: • DNAT net loc:10.10.10.1 tcp 80 • WARNING: Your ISP may block inbound TCP port 80 requests and may also block outbound TCP port 25 requests that don’t go to their SMTP server(s).
Simple two-interface firewall: Port Forwarding (DNAT) – 12 of 13 • Sample has the following additional rules • ACCEPT fw net tcp 53 #DNS • ACCEPT fw net udp 53 #DNS • ACCEPT loc fw tcp 22 #SSH • Add any additional rules that you require. • Port information at http://www.shorewall.net/ports.htm
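The zone/policy/rules model from the “Zone Based” slides, applied to the sample policy and rules above, as an added Python model (not code from the slides or from Shorewall itself). It assumes the sample entries exactly as shown, models a DNAT rule with a blank ORIGINAL DEST as matching connections to the firewall's own address, and the names `fate`, `policy_for` and `zone_matches` are chosen here.

```python
# Added example, not code from the slides or the Shorewall project: a small
# model of how Shorewall decides the fate of a NEW connection attempt.
# Rules (/etc/shorewall/rules) are exceptions checked first; otherwise the
# policy table (/etc/shorewall/policy) is scanned top to bottom and the
# first matching entry wins. "all" matches any zone.

# Constructed from the sample /etc/shorewall/policy: (SOURCE, DEST, POLICY)
SAMPLE_POLICY = [
    ("loc", "net", "ACCEPT"),
    # ("fw", "net", "ACCEPT"),  # commented out in the sample, as on the slide
    ("net", "all", "DROP"),
    ("all", "all", "REJECT"),
]

# Constructed from the sample /etc/shorewall/rules: (ACTION, SOURCE, DEST, PROTO, DEST PORT)
SAMPLE_RULES = [
    ("DNAT", "net", "loc:10.10.10.1", "tcp", 80),  # web server on Computer 1
    ("ACCEPT", "fw", "net", "tcp", 53),            # DNS
    ("ACCEPT", "fw", "net", "udp", 53),            # DNS
    ("ACCEPT", "loc", "fw", "tcp", 22),            # SSH to the firewall
]

def zone_matches(pattern, zone):
    return pattern == "all" or pattern == zone

def policy_for(src, dst, policy=SAMPLE_POLICY):
    """First matching policy entry wins; no match at all is a configuration error."""
    for psrc, pdst, action in policy:
        if zone_matches(psrc, src) and zone_matches(pdst, dst):
            return action
    raise ValueError(f"no policy covers {src} -> {dst}")

def fate(src, dst, proto, dport, rules=SAMPLE_RULES, policy=SAMPLE_POLICY):
    """Return (action, translated destination) for one connection attempt.

    dst is the zone holding the packet's original destination address; a
    connection aimed at the firewall's own external address has dst == "fw".
    """
    for action, rsrc, rdst, rproto, rport in rules:
        rzone, _, rhost = rdst.partition(":")  # "loc:10.10.10.1" -> "loc", "10.10.10.1"
        if not (zone_matches(rsrc, src) and rproto == proto and rport == dport):
            continue
        if action == "DNAT" and dst == "fw":
            # Blank ORIGINAL DEST: any firewall address. Destination is rewritten
            # to the internal host and the translated connection is accepted.
            return "ACCEPT", f"{rhost}:{dport}"
        if action != "DNAT" and zone_matches(rzone, dst):
            return action, None
    return policy_for(src, dst, policy), None
```

Passing a policy list with the `fw net ACCEPT` line restored shows why “first policy to match is used” matters: the same fw->net connection that the sample REJECTs becomes ACCEPTed.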
Simple two-interface firewall: Port Forwarding (DNAT) – 13 of 13 • Remove /etc/shorewall/startup_disabled • shorewall start • shorewall stop puts the firewall in a “safe” mode where traffic is accepted to/from those hosts specified in /etc/shorewall/routestopped • eth1 0.0.0.0/0 • shorewall clear removes all rules and sets your firewall to “wide open” (no SNAT/MASQ). • See: http://www.shorewall.net/starting_and_stopping.htm
Other Applications of Shorewall • Static NAT • Proxy ARP • VPN
Static NAT • Used when you have multiple external IP addresses • Allows association of local hosts and external addresses: • 130.252.100.18 eth0 10.1.1.2 • 130.252.100.19 eth0 10.1.1.3
Proxy ARP • Also used when you have multiple external IP addresses • Avoids some of the problems with static NAT • My preferred choice for a DMZ • Doesn’t pass broadcasts
What Shorewall Won’t Do • Won’t work with Linux configured as an L2 Bridge (http://bridge.sf.net). • Won’t run under operating systems other than Linux. • Not a “Personal Firewall” – cannot filter by application. • Doesn’t support “Patch-o-matic” features; I only provide support for features in released kernels. • Doesn’t do content filtering.