SOHO Firewalls using Shorewall

Tom Eastep
April 12, 2003
Agenda
• About the author
• History
• Traditional SOHO Firewalls
• Features of Shorewall
• Prerequisites for using Shorewall
• Shorewall Concepts
• Using Shorewall to implement a simple two-interface firewall
• Other Applications of Shorewall
• What Shorewall won’t do
• Q&A
About the Author
• Native of Washington State
• Degrees from WSU and UW (Mathematics)
• Worked for computer manufacturers since 1969
– Burroughs (1969-1980)
– Tandem/Compaq/HP (1980-Present)
• Primary emphasis on middleware
• Live in west Shoreline (telecommuter)
• Currently architect for a large OS project
History of Shorewall
• Tandem Computers, Inc. was acquired by Compaq in 1997.
• Tandem occupied more attractive real estate than did Compaq.
• Tandem telecommuters were “sent home” to work and Compaq moved in (early 1998).
• Frame Relay intranet connectivity:
  – Slow (64 kbps)
  – Expensive
• Personal Internet Connectivity via dial-up.
History (continued)
• As a cost-reduction measure, Compaq began switching telecommuters to DSL/Cable modem in 1999.
• I needed a firewall (inexpensive firewall appliances weren’t available until much later).
• I had been playing with Linux (circa RH5.0).
• Wrote “Seattle Firewall” (seawall).
• Version 1.0 – November 1999.
• Front end for ‘ipchains’.
• “Traditional” SOHO Firewall
Traditional SOHO Firewalls
• Outside (Internet)
– Untrusted
– Public IP Address(es)
• Inside (Local LAN)
– Trusted
– Often use private (RFC 1918) IP addresses
• Demilitarized Zone (DMZ)
– Distrusts the Outside
– Distrusted by Inside
Basic Two-interface Firewall (no DMZ)
• Connects to ISP using DSL, Cable Modem, ISDN, Dialup, …
• Provides for “Internet Connection Sharing” of a single public IP address for a local network using SNAT/Masquerading
Basic Two-interface Firewall (continued)
• “Port Forwarding” can be used to allow internet-accessible servers to be run on the local network.
• If a server is hacked, then the local network is compromised.
Three-interface Firewall (with DMZ)
• Provides internet connection sharing of one or more public IP addresses.
• Has a DMZ containing servers that are exposed to the internet.
• If a server is hacked, the Firewall and the Local network aren’t compromised.
Problem with Traditional SOHO Firewalls like Seawall
• Inflexibility.
  – “Still, it is an error to argue in front of your data. You find yourself insensibly twisting them round to fit your theories” - Holmes to Watson
• With Seawall, I found myself “insensibly twisting round” the user’s problem to fit Seawall’s solution.
• The principal reasons for the inflexibility are:
  – Support for a limited set of network topologies
  – Policies are built into the firewall software itself.
Shorewall – What is it?
• Tool for configuring Netfilter (packet filtering capability built into the 2.4 Linux Kernels).
• Allows firewall solution to be expressed using a high level of abstraction
• Implemented as a set of shell programs
Shorewall Features
• Uses Netfilter's connection tracking facilities for stateful packet filtering.
• Can be used in a wide range of router/firewall/gateway applications.
  – Completely customizable using configuration files.
  – No limit on the number of network interfaces.
  – Allows you to partition the network into zones and gives you complete control over the connections permitted between each pair of zones.
  – Multiple interfaces per zone and multiple zones per interface permitted.
  – Supports nested and overlapping zones.
• QuickStart Guides (HOWTOs) to help get your first firewall up and running quickly
• A GUI is available via Webmin 1.060 and later (http://www.webmin.com)
• Extensive documentation included in the .tgz and .rpm downloads.
• Flexible address management/routing support (and you can use all types in the same firewall):
  – Masquerading/SNAT
  – Port Forwarding (DNAT)
  – Static NAT.
  – Proxy ARP.
  – Simple host/subnet Routing
• Blacklisting of individual IP addresses and networks is supported. Also blacklisting of certain connection types.
Features (continued – 2 of 2)
• Operational support:
  – Commands to start, stop and clear the firewall
  – Supports status monitoring with an audible alarm when an "interesting" packet is detected.
  – Wide variety of informational commands.
• VPN Support
  – IPSEC, GRE, IPIP and OpenVPN Tunnels.
  – PPTP clients and Servers.
• Support for Traffic Control/Shaping integration.
• Wide support for different GNU/Linux Distributions.
  – RPM and Debian packages available.
  – Includes automated install, upgrade, fallback and uninstall facilities for users who can't use or choose not to use the RPM or Debian packages.
  – Included as a standard part of LEAF/Bering (router/firewall on a floppy, CD or compact flash).
• Media Access Control (MAC) Address Verification
• Selectively disable ECN (RFC 3168) to remote hosts or networks
Prerequisites
• A kernel that supports netfilter. I've tested with 2.4.2 to 2.4.20. 2.4.20 required for full functionality.
• iptables 1.2 or later but beware version 1.2.3. Version 1.2.7a required for full functionality.
• iproute ("ip" utility). The iproute package is included with most distributions but may not be installed by default. The official download site is ftp://ftp.inr.ac.ru/ip-routing.
• A Bourne shell or derivative such as bash or ash. This shell must have correct support for the variable expansion formats ${variable%pattern}, ${variable%%pattern}, ${variable#pattern} and ${variable##pattern}.
• The firewall monitoring display is greatly improved if you have awk (gawk) installed.
Shorewall Concepts - 1 of 2
• No restrictions on network topology
  – No Shorewall-defined limit on the number of network interfaces.
  – No built-in notion of concepts like “Internet”, “Local Network” and “DMZ”.
• No policies are built into Shorewall
  – Any firewall-enforced policy can be configured by the user
  – Configuration via text files in /etc/shorewall/
  – “Extension Scripts” to meet needs that the author hasn’t anticipated
Shorewall Concepts - 2 of 2
• Result is great flexibility
• Ease of use is achieved using QuickStart Guides with accompanying sample configurations.
• Lots of Documentation
Zone Based
• Shorewall sees the network that it is a part of as consisting of a set of zones
• The firewall itself comprises the zone called ‘fw’ (default value of variable $FW).
• Zones other than $FW are defined in /etc/shorewall/zones
Zone Based (continued 2 of 4)
• Simplest model is one zone per firewall network interface. Defined in /etc/shorewall/interfaces.
• Zones are normally disjoint but may be overlapping or nested. These are defined in /etc/shorewall/hosts.
Zone Based (continued - 3 of 4)
• Shorewall assigns no meaning to zone names (1-5 characters)
• Shorewall allows you to specify a policy for connections between each pair of zones:
  – ACCEPT (allow)
  – REJECT (disallow)
  – DROP (ignore – stealth)
• Policies are defined in /etc/shorewall/policy
Zone Based (continued – 4 of 4)
• Rules are exceptions to policy and are defined in /etc/shorewall/rules.
• Example:
  – Policy: Z1 Z2 REJECT
  – Rule: ACCEPT Z1 Z2 tcp telnet
Documentation
QuickStart Guides
• http://www.shorewall.net/quickstart_guide.htm
• Single External IP Address
– Standalone
– Two-interface
– Three-interface
• Multiple External IP Addresses
– Setup Guide (also networking concepts intro)
• Documentation Index (for rest of documentation)
Simple two-interface firewall
Overview – 1 of 13
• Linux system used as a firewall/router for a small local network.
• Single public IP address.
• Internet connection through cable modem, DSL, ISDN, Frame Relay, dial-up ...
Simple two-interface firewall
Install Shorewall – 2 of 13
• Install the Shorewall software using the .rpm or .tgz.
• Print a copy of the Two-interface QuickStart Guide (http://www.shorewall.net/two-interface.htm)
Simple two-interface firewall
Install Sample configuration – 3 of 13
• Download the two-interface sample configuration files from http://www.shorewall.net/LATEST.samples/two-interface.tgz.
• Un-tar the samples (tar -zxf twointerfaces.tgz)
• Replace the files in /etc/shorewall with those from the sample (cp -f twointerfaces/* /etc/shorewall).
Simple two-interface firewall
/etc/shorewall/zones – 4 of 13
• /etc/shorewall/zones file contains definitions for two zones:
  – net    Net      Internet
  – loc    Local    Local networks
• First column is the short name of the zone used in the configuration files.
• Second column is the “Display Name”
• Rest is commentary
Simple two-interface firewall
/etc/shorewall/policy – 5 of 13
• Change policy file as desired
  – loc    net    ACCEPT
  – #fw    net    ACCEPT
  – net    all    DROP
  – all    all    REJECT
• First policy to match is used
• Uncomment second line for unlimited fw->net access
• Add “fw loc ACCEPT” and “loc fw ACCEPT” to make fw part of local net
Simple two-interface firewall
/etc/shorewall/interfaces – 6 of 13
• Change /etc/shorewall/interfaces as necessary
  – net    eth0    detect    dhcp,routefilter,norfc1918
  – loc    eth1    detect
• First column is zone name
• Second is interface name
• Third column is broadcast address (detect means Shorewall will detect)
• Fourth column is list of options
Simple two-interface firewall
Local network addressing – 7 of 13
• RFC 1918 reserves private address ranges
  – 10.0.0.0 to 10.255.255.255
  – 172.16.0.0 to 172.31.255.255
  – 192.168.0.0 to 192.168.255.255
• These addresses are used within your local network
• The internet backbone routers don’t route to these non-routable addresses.
• See http://www.shorewall.net/shorewall_setup_guide.htm#Addressing
• Default gateway for Computer 1 & 2 is 10.10.10.254 (local IP address of the firewall).
• Use 255.255.255.0 for subnet mask.
Simple two-interface firewall
SNAT/Masquerading – 8 of 13
• “Source Network Address Translation”
• Internal system connects to an External Host
• Firewall rewrites the source IP address in the request to be the IP address of its external interface. Necessary because the internal system uses a private IP.
• When responses are received, the destination IP address is rewritten back to the address of the internal system.
Simple two-interface firewall
SNAT/Masquerade – 9 of 13
• /etc/shorewall/masq file:
  – eth0    eth1    -
• First column is external interface
• Second column is internal interface (can also be specified as a host or network address – in our case 10.10.10.0/24)
• Third column is SNAT address. If left blank, Masquerading will be used (best if you have a dynamic public IP address)
Simple two-interface firewall
DNAT/Port Forwarding – 10 of 13
• “Destination Network Address Translation”
• When a connection request is received, its destination IP address is changed to the IP address of an internal server (the port number can also be changed).
• When the server replies, the Source IP address is rewritten to be the external IP address of the firewall.
Simple two-interface firewall
Port Forwarding (DNAT) – 11 of 13
• Suppose we want to run a web server on Computer 1
• /etc/shorewall/rules:
  – DNAT    net    loc:10.10.10.1    tcp    80
• WARNING: Your ISP may block inbound TCP port 80 requests and may also block outbound TCP port 25 requests that don’t go to their SMTP server(s).
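The two rewrites described on the SNAT and DNAT slides above, as an added Python model that is not part of the slides, Shorewall or Netfilter: outbound connections from 10.10.10.0/24 are masqueraded behind the firewall's external address (203.0.113.5 is a constructed documentation address), inbound TCP/80 is forwarded to 10.10.10.1, and replies in both directions are rewritten back. Sequential port allocation is a simplification assumed for the model.

```python
# Added example (not Shorewall or Netfilter code): a minimal model of the NAT
# state a two-interface firewall keeps, showing the SNAT/masquerade and DNAT
# rewrites described above. Real conntrack keeps much more per connection.
from dataclasses import dataclass, replace

FW_EXT = "203.0.113.5"                              # constructed: public IP of eth0
LAN = "10.10.10."                                   # 10.10.10.0/24 behind eth1
PORT_FORWARDS = {("tcp", 80): ("10.10.10.1", 80)}   # DNAT net loc:10.10.10.1 tcp 80

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

class NatTable:
    """Mappings the firewall needs so that replies can be rewritten back."""
    def __init__(self):
        self.next_port = 40000   # simplification: masqueraded ports are handed out sequentially
        self.masq = {}           # (proto, masq port) -> (internal src, internal sport)
        self.masq_rev = {}       # (proto, internal src, internal sport) -> masq port
        self.dnat_rev = {(p, srv, sp): ext for (p, ext), (srv, sp) in PORT_FORWARDS.items()}

    def outbound(self, pkt):
        """Packet leaving via eth0: LAN sources are masqueraded, forwarded-server replies un-DNATed."""
        key = (pkt.proto, pkt.src, pkt.sport)
        if key in self.dnat_rev:                     # reply from the forwarded web server
            return replace(pkt, src=FW_EXT, sport=self.dnat_rev[key])
        if not pkt.src.startswith(LAN):
            return pkt                               # e.g. the firewall's own traffic
        if key not in self.masq_rev:                 # new connection: allocate a port
            self.masq_rev[key] = self.next_port
            self.masq[(pkt.proto, self.next_port)] = (pkt.src, pkt.sport)
            self.next_port += 1
        return replace(pkt, src=FW_EXT, sport=self.masq_rev[key])

    def inbound(self, pkt):
        """Packet arriving on eth0 for FW_EXT. Returns None when no NAT entry matches,
        leaving the 'net all DROP' policy to deal with the packet."""
        key = (pkt.proto, pkt.dport)
        if key in self.masq:                         # reply to a masqueraded connection
            src, sport = self.masq[key]
            return replace(pkt, dst=src, dport=sport)
        if key in PORT_FORWARDS:                     # new connection to the forwarded port
            srv, sp = PORT_FORWARDS[key]
            return replace(pkt, dst=srv, dport=sp)
        return None
```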
Simple two-interface firewall
Port Forwarding (DNAT) – 12 of 13
• Sample has the following additional rules
  – ACCEPT    fw     net    tcp    53    #DNS
  – ACCEPT    fw     net    udp    53    #DNS
  – ACCEPT    loc    fw     tcp    22    #SSH
• Add any additional rules that you require.
• Port information at http://www.shorewall.net/ports.htm
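The "rules are exceptions to policy" and "first policy to match is used" behaviour, as an added Python model (not Shorewall's own code) that evaluates the sample policy file from slide 5 together with the DNAT rule and the three sample rules above; the column handling and the implicit fallback are simplifications assumed for the model.

```python
# Added example (not Shorewall code): a simplified model of how the policy and
# rules files decide the fate of a new connection. Real Shorewall compiles these
# files into iptables chains, but the order is the same: rules (the exceptions)
# are checked first, then the first matching policy wins.

# Constructed copies of the sample two-interface policy and rules from the slides.
POLICY = """
# SOURCE  DEST  POLICY
loc       net   ACCEPT
#fw       net   ACCEPT
net       all   DROP
all       all   REJECT
"""

RULES = """
# ACTION  SOURCE  DEST            PROTO  PORT
DNAT      net     loc:10.10.10.1  tcp    80
ACCEPT    fw      net             tcp    53   #DNS
ACCEPT    fw      net             udp    53   #DNS
ACCEPT    loc     fw              tcp    22   #SSH
"""

def parse(text):
    """Drop comments and blank lines; split the rest into whitespace-separated columns."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rows.append(line.split())
    return rows

def zone_matches(pattern, zone):
    # 'all' is the wildcard; 'loc:10.10.10.1' names zone 'loc' plus a host (host part ignored here)
    return pattern == "all" or pattern.split(":", 1)[0] == zone

def decide(src, dst, proto, port, policy=POLICY, rules=RULES):
    """Return (action, source of decision) for a new src-zone -> dst-zone connection."""
    for action, rsrc, rdst, rproto, rport in (r[:5] for r in parse(rules)):
        if (zone_matches(rsrc, src) and zone_matches(rdst, dst)
                and rproto == proto and rport == str(port)):
            return action, "rule"
    for psrc, pdst, action in (r[:3] for r in parse(policy)):
        if zone_matches(psrc, src) and zone_matches(pdst, dst):
            return action, "policy"
    return "REJECT", "implicit"   # assumption for the model: nothing matched

if __name__ == "__main__":
    print(decide("net", "loc", "tcp", 80))   # ('DNAT', 'rule'): port forward
    print(decide("net", "loc", "tcp", 23))   # ('DROP', 'policy'): 'net all DROP'
    print(decide("fw", "net", "tcp", 80))    # ('REJECT', 'policy') until '#fw net ACCEPT' is uncommented
```

Uncommenting the second policy line (passing `policy=POLICY.replace("#fw", "fw")`) turns the last case into ACCEPT, which is the "unlimited fw->net access" the slide describes.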
Simple two-interface firewall
Port Forwarding (DNAT) – 13 of 13
• Remove /etc/shorewall/startup_disabled
• shorewall start
• shorewall stop puts the firewall in a “safe” mode where traffic is accepted to/from those hosts specified in /etc/shorewall/routestopped
  – eth1    0.0.0.0/0
• shorewall clear removes all rules and sets your firewall to “wide open” (no SNAT/MASQ).
• See: http://www.shorewall.net/starting_and_stopping.htm
Shorewall State Diagram
Other Applications of Shorewall
• Static NAT
• Proxy ARP
• VPN
Static NAT
• Used when you have multiple external IP addresses
• Allows association of local hosts and external addresses:
  – 130.252.100.18    eth0    10.1.1.2
  – 130.252.100.19    eth0    10.1.1.3
Proxy ARP
• Also used when you have multiple external IP addresses
• Avoids some of the problems with static NAT
• My preferred choice for a DMZ
• Doesn’t pass broadcasts
VPN
Connect two Private Networks
What Shorewall Won’t Do
• Won’t work with Linux configured as an L2 Bridge (http://bridge.sf.net).
• Won’t run under operating systems other than Linux.
• Not a “Personal Firewall” – cannot filter by application.
• Doesn’t support “Patch-o-matic” features; I only provide support for features in released kernels.
• Doesn’t do content filtering.
Q&A