Shorewall 1.0

My Configuration Files

About My Network

I have DSL service and get my external IP address via DHCP. My DSL "modem" is connected through a 10MB hub to eth0 (I can get up to 3 dynamic IP addresses, and I also have an LRP-based firewall connected to this hub). I have a local network connected to eth1 (subnet 192.168.1.0/24) and a DMZ connected to eth2 (192.168.2.0/24).

My personal system is 192.168.1.3 and all external ssh and icq connection requests are forwarded to that system.

There is a single system (192.168.2.2) in the DMZ and that system runs sendmail, pop3, DNS, a Web server and an FTP server (Pure-ftpd). The system also runs fetchmail to fetch our email from our ISP.

The firewall system itself runs a DHCP server that serves the local network.

Auth (ident) servers run everywhere and all administration is done using ssh.

Zones File:

#ZONE DISPLAY COMMENTS
net    Internet     Internet
loc    Local        Local networks
dmz    DMZ          Demilitarized zone
tun    Tunnel       Peer network in Dallas Texas
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

Interfaces File:

#ZONE    INTERFACE BROADCAST       OPTIONS
net      eth0      206.191.149.223 dhcp,noping,norfc1918
tun      ipsec0    -
loc      eth1      192.168.1.255   routestopped
dmz      eth2      192.168.2.255   routestopped
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Policy File:

#CLIENT SERVER POLICY LOG LEVEL
loc     net    ACCEPT
loc     loc    REJECT
fw      loc    ACCEPT
tun     loc    ACCEPT
loc     tun    ACCEPT
net     all    DROP   info
all     all    REJECT info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

Tunnels File (Gateway address falsified):

# TYPE ZONE GATEWAY
ipsec  net  130.252.100.21
#LAST LINE -- DO NOT REMOVE

Rules File:

#RESULT CLIENT(S) SERVER(S)       PROTO PORT(S)   CLIENT PORT(S) ADDRESS
#
# Local Network to Firewall - Allow SSH and DHCP
#
ACCEPT  loc       fw              tcp   ssh
ACCEPT  loc       fw              udp   67:68
#
# Local Network to DMZ - Allow SMTP, POP3, DNS, SSH, AUTH, PING, FTP, WWW
#
ACCEPT  loc       dmz:192.168.2.2 tcp   25
ACCEPT  loc       dmz:192.168.2.2 tcp   110
ACCEPT  loc       dmz:192.168.2.2 udp   53
ACCEPT  loc       dmz:192.168.2.2 tcp   53
ACCEPT  loc       dmz             tcp   ssh
ACCEPT  loc       dmz:192.168.2.2 tcp   auth
ACCEPT  loc       dmz             icmp  8
ACCEPT  loc       dmz:192.168.2.2 tcp   21        -           206.191.149.199
ACCEPT  loc       dmz:192.168.2.2 tcp   www       -           206.191.149.199
#
# Internet to LOCAL - Forward SSH and ICQ connections to Wookie
#
ACCEPT  net       loc:192.168.1.3 tcp   ssh       -           all
ACCEPT  net       loc:192.168.1.3 udp   4000      -           all
ACCEPT  net       loc:192.168.1.3 tcp   4000:4100 -           all

#
# Internet to DMZ - Allow SMTP, WWW, FTP, DNS, ICMP
#
ACCEPT  net       dmz:192.168.2.2 tcp   smtp      -           all
ACCEPT  net       dmz:192.168.2.2 tcp   80        -           all
ACCEPT  net       dmz:192.168.2.2 tcp   21        -           all
ACCEPT  net       dmz:192.168.2.2 udp   53        -           all
#
# DMZ to Internet - Allow PING, DNS, SMTP, NTP, AUTH, POP3
#
ACCEPT  dmz             net                 icmp 8
ACCEPT  dmz:192.168.2.2 net                 udp 53
ACCEPT  dmz:192.168.2.2 net                 tcp 53
ACCEPT  dmz:192.168.2.2 net                 tcp 25
ACCEPT  dmz:192.168.2.2 net:206.191.149.193 udp ntp
ACCEPT  dmz:192.168.2.2 net                 tcp auth
ACCEPT  dmz:192.168.2.2 net:206.191.151.2   tcp 110
#
# DMZ to Local Network - Allow SMTP, AUTH, PING
#
ACCEPT  dmz:192.168.2.2 loc       tcp   25
ACCEPT  dmz:192.168.2.2 loc       tcp   auth
ACCEPT  dmz             loc       icmp  8
#
# Internet to Firewall - Allow Auth
#
ACCEPT  net             fw        tcp   auth
#
# Firewall to Internet - Allow NTP, DNS
#
ACCEPT  fw  net                   udp   ntp
ACCEPT  fw  net:206.191.151.10    udp   53
ACCEPT  fw  net:206.191.151.11    udp   53
#
# Firewall to DMZ - Allow DNS
#
ACCEPT  fw  dmz:192.168.2.2       udp   53
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
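An added example, not part of Tom Eastep's page or of Shorewall itself: a small Python checker that evaluates a flow against the policy and rules above in Shorewall's order (rules first, then the first matching policy line), so the effective verdict for a given client zone, server zone, protocol and port can be confirmed before the firewall is restarted. It assumes host qualifiers such as dmz:192.168.2.2 reduce to their zone, ignores connection state and the ADDRESS column, and embeds only an excerpt of the rules file.

```python
"""Verdict checker for the Shorewall 1.0 files above (added example, not the page's
or Shorewall's code).  It models Shorewall's first-match order: rules are consulted
before the policy.  Host qualifiers reduce to their zone; state is ignored."""
SERVICES = {"ssh": 22, "smtp": 25, "www": 80, "auth": 113, "ntp": 123}
ZONES = {"fw", "net", "loc", "dmz", "tun"}  # zones file plus the firewall itself

POLICY = """\
loc  net  ACCEPT
loc  loc  REJECT
fw   loc  ACCEPT
tun  loc  ACCEPT
loc  tun  ACCEPT
net  all  DROP   info
all  all  REJECT info"""

RULES = """\
ACCEPT  loc  fw               tcp   ssh
ACCEPT  net  loc:192.168.1.3  tcp   4000:4100  -  all
ACCEPT  net  dmz:192.168.2.2  tcp   80         -  all
ACCEPT  net  dmz:192.168.2.2  udp   53         -  all
ACCEPT  net  fw               tcp   auth"""   # excerpt of the page's rules file

def parse(text, ncols):
    """Split a Shorewall table into rows, dropping comments and padding columns."""
    rows = []
    for line in text.splitlines():
        fields = line.split("#")[0].split()
        if fields:
            rows.append(fields + [None] * (ncols - len(fields)))
    return rows

def port_matches(spec, port):
    """Rule ports are a number, a service name, or a low:high range."""
    if spec in (None, "-"):
        return True
    lo, _, hi = spec.partition(":")
    lo = int(SERVICES.get(lo, lo))
    hi = int(SERVICES.get(hi, hi)) if hi else lo
    return lo <= port <= hi

def verdict(client, server, proto, port):
    """Return (action, origin): the first matching rule, else the first policy."""
    for action, c, s, p, ports, *_ in parse(RULES, 7):
        czone, szone = c.split(":")[0], s.split(":")[0]
        if czone not in ZONES or szone not in ZONES:
            raise ValueError(f"undefined zone in rule: {c} -> {s}")
        if (czone, szone, p) == (client, server, proto) and port_matches(ports, port):
            return action, "rule"
    for c, s, action, *_ in parse(POLICY, 4):
        if c in (client, "all") and s in (server, "all"):
            return action, "policy"
    return "REJECT", "default"  # unreachable here: the page's all/all policy matches
```

A rule that references a zone missing from the zones file raises immediately, which is the kind of typo that otherwise only shows up as traffic silently falling through to the DROP/REJECT policies.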

Last updated 3/20/2001 - Tom Eastep