
Debian Linux Security Appliance Firewall

Only Debian packages are installed, no compiling, easy to upgrade and keep current. Port level control/logging, intrusion detection/prevention, web caching/content filtering, VPN/VLAN, virus/spam.

Suitable for: Home, SOHO, Corporate, public access networks, schools, libraries, churches, etc.
Version (by date): October 07, 2010
Written By: Daryl Caudill, aka drokmed (@ the Debian forums, freenode IRC #debian, mailing lists)
Linux distribution: Debian Squeeze 6.0 (now frozen in the TESTING branch of Debian, as of this date)
Prerequisites: Experience with the GNU/Linux command line, and a strong understanding of TCP/IP is required
Difficulty level: Qualified Beginners will find this is a hard and challenging project
Copyright 2010 Daryl Caudill. All rights reserved.

Summary:
This document TEACHES you how to build your own custom dedicated, stand-alone multi-function GNU/Linux firewall. It covers advanced techniques, and is far from trivial. This document is more of a tutorial than a quick how-to. It is intentionally long, to help educate the beginner who actually wants to learn. If you just want a quick install, go download Smoothwall (highly recommended), Untangle, IPCop or pfSense. However, none of those provide DansGuardian, or any other real-time payload content filtering. Otherwise, get some coffee. Your first time working through this may take a week or more. After you learn to build a few of these, you will get considerably quicker. I can bang out a fully configured firewall in a few hours.

Features and Capabilities:


Firewall: per user/port/interface/direction control and logging
Network Address Translation (NAT), Port Forwarding (DNAT), Port Knocking, packet redirection
Traffic Shaping, Rate Limiting, Quality of Service, Traffic Prioritization
Intrusion detection/prevention system, notification and automated response to known attack types
Stateful, deep packet inspection, control, logging
Web traffic caching performance proxy server
Dynamic real-time web payload content filtering, transparent and user/group authentication levels
Corporate-wide online virus and spam protection
Web-based GUI for management and troubleshooting

Featured Packages:
Debian Squeeze 6.0 (TESTING branch) GNU/Linux
shorewall - robust firewall configuration software
dnsmasq - simple DNS and DHCP server
squid - robust web caching server
dansguardian - robust web content filtering server
webmin - remote web-based graphical management interface
psad - port scan attack detection
fwsnort - iptables-based attack detection and active response
openvpn - unlimited site-to-site and roadwarrior-to-site
nmap - robust text-based port scanner
iftop - real-time network interface traffic monitor
ntop - web-based network traffic sampling and reporting
and many others, like ntp, openssh-server, ddclient, etc.

Abazaba Firewall: www.abazaba.org

Page 1

Debian Squeeze 6.0 Linux

Table of Contents

1 Introduction: ... 4
1.1 Prerequisites and assumptions: ... 4
1.2 Intended Audience: ... 5
1.3 Professional Hardware Options Available: ... 5
1.4 About the Author: ... 5
2 Firewall packages explained: ... 7
2.1 Operating System: Debian GNU/Linux ... 7
2.2 Firewall configuration software: Shorewall ... 7
2.3 Graphical management interface: Webmin ... 8
2.4 DNS/DHCP Server: Dnsmasq ... 8
2.5 Web cache/Proxy Server: Squid ... 8
2.6 Web Content Filtering: DansGuardian ... 9
2.7 Intrusion Detection, Prevention and Response: psad & fwsnort ... 9
2.8 Miscellaneous utilities: ... 10
2.9 What NOT to install on a firewall: ... 10
3 Firewall Theory: ... 11
3.1 Routing/NAT examined (shorewall): ... 11
3.1.1 Personal Firewall vs. Stand-alone Firewall: ... 11
3.1.2 INITIATING traffic one-way explained: ... 11
3.1.2.1 WAN -> Firewall ... 12
3.1.2.2 WAN -> LAN ... 13
3.1.2.3 Firewall -> WAN ... 13
3.1.2.4 Firewall -> LAN ... 13
3.1.2.5 LAN -> Firewall ... 13
3.1.2.6 LAN -> WAN ... 13
3.2 Attack Detection and Prevention (psad & fwsnort): ... 14
3.2.1 Port Scan Attack Detector (psad) ... 14
3.2.2 Snort-to-iptables rule translator (fwsnort) ... 14
3.3 Web page interception, inspection and approval (dansguardian) ... 14
3.3.1 Dynamic content filtering ... 14
3.3.2 Virus scanning and spam filtering ... 15
3.3.3 Auto-updating known bad sites list ... 15
3.4 Troubleshooting tips, tools and logs ... 15
3.5 GUI management tool (webmin) ... 15
4 Site Preparation ... 16
4.1 Network Documentation: ... 16
4.2 Network Setup Requirements: ... 17
4.3 Firewall Hardware requirements: ... 18
4.3.1 Prepare the Firewall: ... 18
4.4 Management Workstation Requirements ... 19
4.4.1 Prepare your management workstation: ... 19
4.4.1.1 Linux workstation: ... 19
4.4.1.2 Windows workstation: ... 20
5 Install Debian Base System ... 24
5.1 Install the Operating System: ... 24
5.2 Configure the Package Management System: ... 24
5.3 Fix grub: ... 25
5.4 Automate the update/upgrade process: ... 25
5.5 Install additional base packages: ... 26
5.5.1 Install SSH Server: ... 26
5.5.2 Install Time Synchronization (NTP) service: ... 27
5.5.3 Install ddclient: (optional) ... 27
5.6 Install 2nd NIC: ... 28
5.6.1 Edit the 2nd NIC configuration file: ... 28
5.6.2 Physically Install the 2nd NIC: ... 29
5.6.3 Verify the 2nd NIC is functioning: ... 30
5.7 Connect from your management workstation: ... 31
5.7.1 Turn on color/aliases in shell session (optional): ... 31
6 Install Firewall Packages: ... 34
6.1 Install and configure dnsmasq: ... 34
6.1.1 Reconfigure the firewall to use the local DNS server: ... 35
6.1.2 Test the local DNS server: ... 35
6.1.3 Fix pinging troubles (optional): ... 36
6.2 Install and Configure Shorewall: ... 38
6.2.1 Firewall is up, reconfigure your management workstation: ... 44
6.2.2 Test shorewall: ... 44
6.2.3 Test from the WAN: ... 44
6.2.4 Test from the LAN: ... 45
6.2.5 Enable ssh access from the Internet (optional): ... 46
6.3 Install squid: ... 48
6.3.1 Configure squid for transparent access: ... 48
6.3.2 Discuss the squid configuration file: ... 50
6.3.3 Test Squid: ... 51
6.3.3.1 Test squid directly (not transparent): ... 51
6.3.3.2 Test squid transparently: ... 51
6.4 Install dansguardian: ... 53
6.4.1 Configure Dansguardian for Transparent Access ... 53
6.4.2 Test Dansguardian: ... 55
6.4.2.1 Test dansguardian directly (not transparent): ... 55
6.4.2.2 Test dansguardian transparently: ... 56
6.5 Install webmin: ... 58
6.6 Install and configure psad: ... 60
6.7 Install and configure fwsnort: ... 60
6.8 Install OpenVPN: ... 60
7 Enable User Management ... 61
7.1 Configure squid to authenticate users: ... 62
7.1.1 Configure squid for locally administered users: ... 63
7.1.2 Configure squid for Windows users: ... 65
7.1.3 Configure squid for LDAP users: ... 65
7.2 Assign users to groups: ... 65
7.3 Implementing Dansguardian filters: ... 66
7.4 Enable and automate blacklist file updates: ... 66
8 Manage the Firewall: ... 67
8.1 Create/remove user accounts ... 67
8.1.1 Transparent access: ... 67
8.1.2 Managing Basic (locally administered) User Account Authentication: ... 68
8.1.3 Managing NTLM (windows domain) User Account Authentication: ... 68
8.1.4 Managing LDAP User Account Authentication: ... 68
8.1.5 Managing Other User Account Authentication Methods: ... 68
8.2 Assign users to groups ... 68
8.3 Manage a group's Internet access permissions ... 68
9 Troubleshooting with the Firewall ... 69
9.1 How to read the LOGS! ... 69
9.2 Diagnostics tools: ... 69
9.2.1 Ntop ... 70
9.2.2 iftop ... 70
9.2.3 netstat-nat ... 71
10 After the firewall is done: ... 72
10.1 Disable ssh root login ... 72
10.2 Backup existing config files: ... 72
11 On-going Support: ... 74
11.1 Future Plans for this documentation project: ... 74


1 Introduction:
Building the firewall is the easy part. The hard part is knowing how to use it, and troubleshoot the services. Even though a graphical management system is provided, you still need to have a good understanding of the theory behind each service, and should utilize the mentioned reference material in each section.

I intentionally wrote this for the Beginner linux user, because this is almost always the first server every linux fan tries to build. The scenario is always the same: You have a wimpy cheap firewall device you bought at the computer store, and it does NAT, DNS and DHCP well enough (usually), but lacks in many other capabilities. I see questions posted in the forums all the time: How do I set up web caching, or content filtering, or see who is attacking my firewall, or what sites users are accessing? The answer is always: build your own firewall. For most beginning linux fans, who don't really understand things like how to configure IP routing in linux, building a firewall turns out to be much harder than they realize. This document should help them get started.

I have intentionally over-simplified this as much as possible, to help the new person. I am employing the KISS principle: KEEP IT SIMPLE STUPID, or what I like to call KEEP IT STUPIDly SIMPLE. Experienced linux users will still find this useful. They can just scan through the details and read the commands at each step. Any beginner skipping the details, then later asking for help, risks getting yelled at, and told to READ the details!

Some people will argue over which packages I chose to install. Whatever. Honestly, it doesn't matter. For each category, there are many packages to choose from. Over the years, I have settled on these packages for my firewalls. As you get better at building firewalls, you will try other packages, and I do encourage that. The beauty of linux is there are many ways to accomplish the same thing! This how-to just gets you started.
If you follow everything in this how-to, you will have a firewall that provides the above featured packages, lots and lots of utilities, and tips on how to manage and troubleshoot it. This how-to gives the foundation for a firewall that can be built upon with other more advanced services, such as an MTA redirector like postfix, a vpn service, voice over IP/voicemail, etc. Advanced users should feel free to add to this document, and share it with everyone, in compliance with the copyright, of course. I'd appreciate a copy.

1.1 Prerequisites and assumptions:

Even though this how-to is written for the beginner level, you still must have some experience with Linux, TCP/IP and firewalls. If you are very new to any of these, I doubt you will be able to successfully implement this firewall in a production environment.

NOTE: You MUST be comfortable working at the linux command line, logged in as root. You will NOT find the word sudo in this document. If root scares you, stop now, go away, and don't look back.

If you want to be successful at building this firewall for use in a production environment, you must have:

- A strong understanding of TCP/IP. This is required. You must understand the first four layers of the OSI model: physical, data link, network, and especially transport. Almost everything in this guide focuses on layer 4 ports.
- A strong understanding of the advanced features that modern firewalls provide. You need to understand the inner workings of NAT, port forwarding, port redirection, port knocking, etc.
- A sufficient working knowledge of linux, using the command line. You need to know your way around the linux command prompt, including editing files, restarting services, using ssh, etc. You need to know how to install Debian linux. I do not cover the actual Debian install. There are plenty of other how-to's out there that cover this.
- Experience with the Debian distribution of linux. You should already have experience building Debian linux servers in text mode. If you know linux, but are coming from a different linux distribution, I highly recommend the book The Debian System by Martin F. Krafft, which is written for people experienced with linux, but new to Debian... a must have for any administrator.
- A moderate understanding of ALL the services being installed on this firewall. For each service, I identify the main configuration files, as well as the documentation that is installed with the package. READ THEM! Familiarize yourself with them. Make sure you understand how each package works.
- An understanding of access control lists. ACLs can be very hard to grasp for the uninitiated. Shorewall makes extensive use of ACLs, spread across multiple configuration files which build upon each other. Squid also uses ACLs. Dansguardian offers advanced filters which can also optionally use nested ACLs.

1.2 Intended Audience:

- Linux enthusiasts, who really want to learn this stuff. You may get a working firewall, but unless you read and learn all the recommended documentation, the firewall will be of little use to you. Use in a production environment at your own risk MUAHAHAHAHAHA!!!!! Don't get fired! :)
- Systems Administrators, who would like to get a clean firewall up and running quickly.
- Systems Integrators, who want to build and support GNU/Linux firewalls for their clients.

1.3 Professional Hardware Options Available:

Why pay thousands (or tens of thousands) for a commercial firewall with similar performance and features, when you can build your own for a few hundred?

If you, like me, prefer to build this using professional hardware, such as a 1U rack-mountable server blade, I have been researching hardware vendors, and have found a few that are a good match. I am in the process of purchasing and evaluating their equipment, for use in a production environment. As of this writing, I have no intention of reselling hardware. I encourage you to purchase and build your own, just like me. For businesses local to me, I'll consider building the firewall for you, as long as you take ownership of the hardware. I'm not a reseller, not yet anyways :)

For those of you in the states, Newegg.com has a great variety. Here's an entry-level rack-mount chassis:
http://www.newegg.com/Product/Product.aspx?Item=N82E16811152087

For those of you abroad, in or near the UK, this site looks good:
http://www.mini-itx.com/store/?c=51

I like the Jetway motherboard with the optional 3 Gigabit Ethernet daughter card option, to make a 4 Gigabit Ethernet wire speed router. I'd make it with 2 GB RAM, and the smallest (80GB) hard disk option. Don't waste money on a cd drive, just install over the network, or from a USB stick.

1.4 About the Author:

Who am I? Nobody really. Nobody is paying me to write this. I do it in my spare time, because I love Linux, I love Debian, and as another computer geek, I am thrilled to live in a time where free software is so cool! I'm not going to post my resume here because I'm not looking for a job. I'm a successful engineer who is currently the IT Director of a firm. I've been an engineer for over twenty years. I'm old school, and I still enjoy doing this. I only hope my efforts help other engineers learn this stuff. Why am I doing this? Why not. Because I can.


2 Firewall packages explained:


What are we installing on this firewall? Here are the major components:

2.1 Operating System: Debian GNU/Linux

Homepage: http://www.debian.org/
Forums: http://forums.debian.net/
Wiki: http://wiki.debian.org/
Mailing Lists: http://www.debian.org/MailingLists/

Debian GNU/Linux is considered by many VETERAN linux system administrators as the most robust, reliable, stable, solid, seasoned, business class, production caliber, truly open source free distribution available. Many businesses run their production servers on Debian. Debian does assume you know your way around a linux system. If you are new to linux, and need your hand held, there are beginner linux distributions out there you can learn on first. Once you have become proficient, and no longer consider yourself a noob, you would be wise to try Debian, especially if you intend to run linux on your business servers. You'll be glad you did. Why choose Debian? See for yourself: http://wiki.debian.org/WhyDebian

This particular how-to is written for Debian Squeeze 6.0, now frozen, but still in the TESTING phase. It can easily be modified to work with any linux distribution by the more advanced linux user. If you do re-write this for another distribution/version, please share it with us. I'd appreciate a copy.

I usually recommend using the STABLE branch of Debian, to ensure rock solid reliability. However, Debian doesn't always release an upgrade every year, so the packages in STABLE do tend to get old. If you are comfortable with upgrading Debian Linux on a regular basis, you should be okay using the TESTING branch of Debian. Our production firewalls currently run the TESTING branch of Debian, to get the latest versions of packages. In fact, I say Debian's TESTING branch is more reliable than other vendor's so-called stable branches. Debian is that good.

2.2 Firewall configuration software: Shorewall

Homepage: http://www.shorewall.net/
Features: http://www.shorewall.net/shorewall_features.htm
Wiki: http://wiki.shorewall.net/
Mailing Lists: http://dir.gmane.org/gmane.comp.security.shorewall

Shorewall is considered by many experts as the most advanced open source router/firewall/gateway configuration tool available, for configuring netfilter/iptables. Netfilter is the packet filtering framework inside the Linux 2.4.x and 2.6.x kernel series.

Netfilter Homepage: http://www.netfilter.org/
Netfilter Wiki: http://en.wikipedia.org/wiki/Netfilter
Iptables Wiki: http://en.wikipedia.org/wiki/Iptables

There are many packages available for configuring the firewall functionality. I have chosen to install and configure the shorewall package, not because it is simple (it is quite advanced), but because it is very easy to install, configure, and manage via the command line (and via webmin if you want a GUI). It is also designed to easily implement many advanced features, only some of which we will be using. You can easily implement the many other advanced features later if you choose. Some people will argue it is better to use other methods and/or packages, saying you learn more, such as writing shell scripts to modify IPTABLES directly. This is certainly true, but requires a lot more time, learning, troubleshooting, and of course, experience.
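Section 1.1 points out that Shorewall spreads its ACLs over several configuration files that build on each other, and this section says it is easy to configure. As an added example (this is not the author's configuration, which is built later in this how-to, and not Shorewall's own code), here is a script that writes a minimal two-interface configuration set into a scratch directory so the pieces can be read side by side, plus a small helper that looks up the policy Shorewall would fall back to for a zone pair. The interface names (eth0 = WAN on DHCP, eth1 = LAN), the 192.168.1.0/24 LAN and the DansGuardian listening port 8080 are assumptions for the example.

```shell
#!/bin/sh
# Added example: write a minimal Shorewall 4.4 configuration set into the
# directory named by $1 for inspection, not directly into /etc/shorewall.
# Assumptions (not from the original document): eth0 is the WAN interface
# on DHCP, eth1 is the LAN on 192.168.1.0/24, dansguardian listens on 8080.
write_shorewall_config() {
    dir="$1"
    mkdir -p "$dir"

    # zones: every packet gets a source zone and a destination zone;
    # fw is the firewall box itself (referred to as $FW in the other files)
    cat > "$dir/zones" <<'EOF'
#ZONE   TYPE
fw      firewall
net     ipv4
loc     ipv4
EOF

    # interfaces: map zones to NICs; the options harden the WAN side
    cat > "$dir/interfaces" <<'EOF'
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      dhcp,tcpflags,nosmurfs,routefilter,logmartians
loc     eth1        detect      tcpflags,nosmurfs
EOF

    # policy: the default verdict per zone pair, first match wins,
    # consulted only after no entry in rules matched
    cat > "$dir/policy" <<'EOF'
#SOURCE DEST    POLICY  LOG LEVEL
loc     net     ACCEPT
loc     $FW     REJECT  info
$FW     all     ACCEPT
net     all     DROP    info
all     all     REJECT  info
EOF

    # rules: explicit exceptions, checked before policy; the LAN only reaches
    # the services the firewall is meant to offer (ssh, dns, dhcp, ping),
    # and web traffic is redirected into the transparent dansguardian port
    cat > "$dir/rules" <<'EOF'
#ACTION         SOURCE  DEST    PROTO   DEST PORT(S)
SSH(ACCEPT)     loc     $FW
DNS(ACCEPT)     loc     $FW
ACCEPT          loc     $FW     udp     67
Ping(ACCEPT)    loc     $FW
REDIRECT        loc     8080    tcp     80
Ping(DROP)      net     $FW
EOF

    # masq: NAT the LAN behind whatever address eth0 currently has
    cat > "$dir/masq" <<'EOF'
#INTERFACE  SOURCE
eth0        192.168.1.0/24
EOF
}

# policy_for SRC DEST DIR: print the policy verdict Shorewall falls back to
# for a zone pair when nothing in rules matched (first matching line wins).
policy_for() {
    awk -v s="$1" -v d="$2" '
        /^#/ || NF == 0 { next }
        ($1 == s || $1 == "all") && ($2 == d || $2 == "all") { print $3; exit }
    ' "$3/policy"
}

# Usage: write the set to a scratch directory and show the default verdicts.
demo_dir=$(mktemp -d)
write_shorewall_config "$demo_dir"
printf 'written to %s: %s\n' "$demo_dir" "$(ls "$demo_dir" | tr '\n' ' ')"
printf 'net -> $FW : %s\n' "$(policy_for net '$FW' "$demo_dir")"
printf 'loc -> $FW : %s\n' "$(policy_for loc '$FW' "$demo_dir")"
printf 'loc -> net : %s\n' "$(policy_for loc net "$demo_dir")"
```

The point to take from the policy file is the order of evaluation: rules are consulted first, then the first matching policy line, so "loc $FW REJECT" makes every LAN-to-firewall service that is not named in rules fail closed, and "net all DROP" keeps the Internet side silent. Review the files in the scratch directory before copying any of them to /etc/shorewall, and run "shorewall check" before "shorewall restart".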

2.3 Graphical management interface: Webmin

Homepage: http://www.webmin.com/
Forums: http://sourceforge.net/forum/forum.php?forum_id=600155
Mailing Lists: http://www.webmin.com/mailing.html

Webmin is a very popular web-based graphical management system for linux and unix systems. It has a huge following, and is actively supported on pretty much every linux and unix version known. In fact, there are many companies that actively contribute money and resources to ensure Webmin stays up-to-date:
Supporters: http://www.webmin.com/partners.html

There are many people that do not like webmin for many reasons. It has had a long history of security problems, bugs that mess up your system, etc. If you explore it, and click on the wrong thing, you can sometimes break your server! However, for beginning linux users, it is an incredibly useful educational tool to show you all of the advanced options that exist on a linux server, including many you didn't even know about. Everyone should try it at least once.

Beginning linux users always try to find the easiest way to manage things that are new. That is to be expected. It shouldn't surprise you that advanced linux users ALSO like to keep management simple. I always install webmin on all of my firewalls and servers. I don't use it very often, but it is there if I need it.

For those of you who are security conscious and wondering, webmin will NOT be accessible from the Internet. If you need that, set up an SSH tunnel or VPN!

2.4 DNS/DHCP Server: Dnsmasq

Homepage: http://www.thekelleys.org.uk/dnsmasq/doc.html
Mailing Lists: http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Dnsmasq is a very popular DNS and DHCP server for home and small business use. It is incredibly simple to install and configure. For our purposes, we just install it, turn it on, and enable a few features. Another reason I chose Dnsmasq is because it also includes a nice DHCP server built-in, that is very easy to configure.

2.5 Web cache/Proxy Server: Squid

Homepage: http://www.squid-cache.org/
Wiki: http://wiki.squid-cache.org/
Mailing Lists: http://www.squid-cache.org/Support/mailing-lists.dyn

Squid is a very popular advanced web caching proxy server. It improves performance and saves bandwidth by caching frequently-used content. It supports robust configurations, and easily integrates with third party tools for blocking known bad sites, performing dynamic content filtering (such as Dansguardian), etc. Squid can be configured to support users in a variety of ways, including transparent mode (users don't even know it's there), and per-user authentication, which provides per-user robust control and logging, and can even be configured to authenticate logins against your NT Domain controller, or even an LDAP server. For many years, squid has been the standard. It is quite advanced, yet is simple to set up. It has many advanced features, and is also easily managed via webmin.


2.6 Web Content Filtering: DansGuardian

Homepage: http://dansguardian.org/
Mailing Lists: http://dansguardian.org/?page=mailinglist
Wiki: http://en.wikipedia.org/wiki/DansGuardian

DansGuardian is by far the most advanced web content filtering system available in open source. Unlike other content filters, DansGuardian examines the content in real time (not just URL addresses), and actually reads the web page words before forwarding it to the user. If DansGuardian detects any naughty or otherwise unwanted words in the page, it will block it! DansGuardian can filter using a robust combination of multiple methods, including: URL and domain filtering, content phrase filtering, PICS filtering, MIME filtering, file extension filtering, and POST limiting (limit uploads). DansGuardian can even block advertisements! DansGuardian offers a HUGE list of features, way too many to list here.
DansGuardian Features: http://dansguardian.org/?page=introduction

In fact, when this firewall is done, everyone in your organization will refer to it as the DansGuardian Firewall, because of the block pages they get when trying to access any inappropriate sites! For many years, DansGuardian has been the standard. There are easier packages to setup, but they are not nearly as robust and flexible. DansGuardian is also partially manageable from webmin (old module unfortunately).
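The section above says DansGuardian reads the words on a page and blocks it when the content is bad enough. As an added illustration (not DansGuardian's code and not from the original page), here is a small scorer that mimics the weighted phrase idea behind that: every listed phrase carries a positive or negative weight, the weights of the phrases found on the page are summed, and the page is blocked when the sum reaches a limit, the role naughtynesslimit plays in dansguardianf1.conf. The phrase list and the two sample pages are constructed for the example; DansGuardian's real matching (space-padded phrases, combination phrases, per-group limits, how repeats count) is richer than this.

```shell
#!/bin/sh
# Added example: a simplified phrase-weight scorer in the spirit of
# dansguardian's weightedphraselist. It is not dansguardian's code.
#
# Constructed phrase list in the <phrase><weight> shape. Negative weights pull
# the score down so that legitimate pages are not blocked on a single word.
# These entries are invented for the example.
PHRASES='<casino><40>
<free bets><30>
<poker><20>
<breast cancer><-50>
<research><-10>'

# Constructed sample pages (not fetched from anywhere).
PAGE_GAMBLING='Welcome to the best online casino! Free bets for new poker players.'
PAGE_MEDICAL='Research update: new breast cancer screening guidelines published.'

# score_page LIMIT  (page text on stdin)
# Prints "<score> BLOCK" when the summed weights reach LIMIT (the analogue of
# naughtynesslimit), otherwise "<score> ALLOW".
score_page() {
    list=$(mktemp)
    printf '%s\n' "$PHRASES" > "$list"
    awk -v limit="$1" '
        # first input: the phrase list, one <phrase><weight> per line
        NR == FNR {
            if ($0 !~ /^<.*><-?[0-9]+>$/) next
            weight = $0; sub(/^.*></, "", weight); sub(/>$/, "", weight)
            phrase = $0; sub(/^</, "", phrase); sub(/><-?[0-9]+>$/, "", phrase)
            weights[tolower(phrase)] = weight + 0
            next
        }
        # second input: the page body, lower-cased and joined into one string
        { page = page " " tolower($0) }
        END {
            score = 0
            for (p in weights)
                if (index(page, p) > 0) score += weights[p]
            print score, (score >= limit ? "BLOCK" : "ALLOW")
        }' "$list" -
    rm -f "$list"
}

# Usage: the same limit blocks the gambling page (40+30+20 = 90) but passes
# the medical page, whose only hits carry negative weights (-50-10 = -60).
printf '%s\n' "$PAGE_GAMBLING" | score_page 50
printf '%s\n' "$PAGE_MEDICAL" | score_page 50
```

The medical page is the case to keep in mind when you tune weights later in this how-to: a list made only of positive weights on body-part words will block health and news sites, and the fix is the negative entries, not a higher limit.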

2.7 Intrusion Detection, Prevention and Response: psad & fwsnort

Homepage: http://www.cipherdyne.org/
psad homepage: http://cipherdyne.org/psad/
fwsnort homepage: http://www.cipherdyne.org/fwsnort/

To detect attacks, and automate responses to them, we will be installing psad and fwsnort, two very popular packages, both by Michael Rash, who also recently wrote a book called 'Linux Firewalls' which covers psad, fwsnort and other great utilities in detail. I highly recommend this book.

Port Scan Attack Detector (psad) monitors the firewall logs in real time, to detect port scans and other suspect traffic. Depending on the configurable danger threshold, you can have it generate email alerts, and even block offending IP addresses automatically. Psad incorporates many of the signatures from snort, and can detect attack scans, DDoS attacks, and other known threats such as nmap advanced port scans. Psad can also passively fingerprint the remote operating system from which the scan originates. Psad is an excellent tool used to detect and thwart system level attacks.

Fwsnort, which works hand-in-hand with psad, takes it a step further, and protects your application servers, such as your web server, email server, database server, etc. Unlike psad, which only looks at the layer three and four information such as IP addresses, ports, packet types, etc., fwsnort actually examines the content of the payload as well, meaning it looks at the data inside the packet. This can be used to detect malicious worms and viruses, and any other types of application layer exploits. Fwsnort takes many snort signatures, and implements them directly into netfilter rules, to detect known application layer exploits.

For those of you not familiar with snort (I have mentioned it several times), snort is a well known IDS that is quite robust, and is considered the best in the open source world. We do not run it because unlike psad and fwsnort, snort usually requires a dedicated machine, as it is very cpu intensive. It's overkill for our purposes, especially since psad and fwsnort cover pretty much everything we need. For more information about snort, check it out:

Snort Homepage: http://www.snort.org/


2.8 Miscellaneous utilities:

No firewall would be complete if it didn't include lots of useful utilities to check things out. There are many utilities (too many), and I try to cover some of the more popular. We could add to this section a zillion more options. If you do add more utilities, please share with me so I can update this document.

Utilities added:

    nmap (text-based security scanner, scans systems for open ports)
    iftop (text-based real-time network traffic monitor)
    ntop (web-based traffic sampling and reporting of network traffic)
    logrep (web-based syslog viewer) vs php-syslog-ng vs logtool vs SMT vs phplogcon (freshmeat.net)
    mutt (text-based email client, for checking mail from ssh session)
    wireshark (text-based packet sniffer)

2.9 What NOT to install on a firewall:

This machine is a firewall. It is placed DIRECTLY on the Internet, with nothing in between. It is not a server. Your firewall should ONLY have services that are best located on the firewall. If you are thinking of adding services to this firewall, you must ask yourself: Is the service firewall related?

Things never to install on your firewall:

    Web Server
    File Server
    Email Server
    Print Server
    User shell accounts
    any other non-firewall type of service

Every service running on a server opens up that server to attack. If you run non-firewall services on your firewall, each and every one opens another way for hackers to penetrate your server, take over your network, steal and then destroy all of your personal information, set up horrible services of their own that are now hosted by YOU (porn, denial of service attacks, stolen software archives, etc). I have personally had servers hacked: I once had a poorly configured ftp site hacked, and became a host of HUGE amounts of stolen software and porn, filling my hard disk over night. I used to install VNC on my firewall so I could remote control it, only to find somebody hacked that, installed software of their own, and used it as their personal remote workstation to visit nasty websites, and actually host an IRC server on my machine. My logs show my firewall is port scanned a lot, sometimes many times a day. I know, you are thinking, nahhhhh nobody cares about me, my server isn't interesting enough to be hacked. I used to think that way too. It does happen. It's embarrassing, it's infuriating, it's frustrating, it's easy to avoid. Don't be a schmuck... build a separate server for non-firewall services. Some of you will decide to do it anyways. Go ahead! What do I know?


3 Firewall Theory:
Due to popular demand, I've decided to clarify some of the specifics we intend to implement on this firewall. This will help immensely when both configuring AND troubleshooting it. You must understand this section. I want to explain what we are doing in layman's terms, for those of you not familiar with the real-world features of these firewall packages.

This firewall provides four major functions:

    routing, packet forwarding, filtering and logging (shorewall)
    attack detection and prevention (psad & fwsnort)
    dynamic real-time web page interception, inspection and approval (dansguardian & squid)
    corporate-wide online virus and spam protection (clamav)

and also covers two additional topics of interest:

    troubleshooting tips, tools, and logs
    GUI management tool

What does all that mean? Let's go over it now.

3.1 Routing/NAT examined (shorewall):

We are configuring a stand-alone firewall, not to be confused with a personal firewall.

3.1.1 Personal Firewall vs. Stand-alone Firewall:

This is a common misunderstanding. There is a huge difference between the two.

The personal firewall: A basic firewall (also known as a personal firewall) is usually something you install on your workstation, and blocks traffic in just ONE direction, and that is FROM the world TO your workstation (some can also block from the workstation to the world). It is designed for a workstation that has just one NIC. That is all you need on your workstation. However, personal firewalls were never meant to be used as a stand-alone firewall. There is a huge difference.

The Stand-alone Firewall: A stand-alone firewall is much more advanced. It has multiple network interfaces, at least two, with at least one connected to the WAN (wide area network, the world, ie the Internet), and at least one connected to the LAN (local area network, your business or organization). Often, multiple additional network interfaces can be utilized for redundant WAN links, additional LAN links, and specific purpose links such as a DMZ (isolated secure server segment), VLAN, wireless, unrestricted, or any other purpose you can think of. Stand-alone firewalls are ALWAYS configured to INITIATE traffic in ONE direction. I'll explain:

3.1.2 INITIATING traffic one-way explained:

For a firewall that has only two network interfaces (a WAN and a LAN), this is the CORRECT way to represent traffic INITIATED through a stand-alone firewall:


    WAN      --->  Firewall
    WAN      --->  LAN
    Firewall --->  WAN
    Firewall --->  LAN
    LAN      --->  Firewall
    LAN      --->  WAN

You MUST understand that each of these six different directions serves a completely different purpose.

This representation is WRONG:

    WAN      <--->  Firewall
    Firewall <--->  LAN
    WAN      <--->  LAN

This representation is also WRONG:

    WAN <---> Firewall <---> LAN

This is WRONG too:

    WAN <-----------> LAN
       (through the Firewall)

This is CORRECT, shown a different way, but basically the same thing as the other correct example:

    WAN ---> FIREWALL ---> LAN
    WAN <--- FIREWALL <--- LAN
    WAN ---------------------> LAN
    WAN <--------------------- LAN

You never configure traffic bi-directionally. If you want a specific type of traffic to be initiated from both directions, you must configure it for EACH direction separately. You always configure traffic to be allowed or INITIATED from one side to another. Once a session is initiated, by default, the firewall will ALLOW the RESPONSE to be received in the other direction. You do NOT have to configure the firewall to allow responses coming from the other direction. The firewall builds an internal table that tracks all sessions, and when reply traffic is received on a valid session, the firewall permits the reply to go through. We will be examining this session tracking information later, in the troubleshooting section, using the 'netstat' command. Make sense? You'll get it. Read on, I explain specific examples next. Here is what we are going to setup on this firewall:

3.1.2.1 WAN -> Firewall

Nothing!! You NEVER want anyone on the Internet INITIATING a session to talk directly to your firewall! Everything gets dropped! The only exception is TOP SECRET! You enable Knock, which will allow one specific person (YOU) from a specific remote host to temporarily gain ssh access INTO the firewall directly. This should only be done by YOU, the firewall administrator. It is an optional back door, and is a closely guarded secret. There are even more advanced and secure ways than knock, such as single packet authorization. Some administrators don't even allow this. This is optional. Your call.


3.1.2.2 WAN -> LAN

This is where you allow traffic from the Internet to go through your firewall to your internal servers: web server, email server, database server, etc. This uses what is called destination network address translation (DNAT), to port forward Internet traffic to your internal servers. Each type of traffic must be configured individually. For example, to allow access to your internal web server, both ports 80 and 443 must be forwarded to the IP address of your internal web server. For mail, ports pop and/or smtp and/or imap to your email server, etc. By default, nothing is forwarded. However, I have included commented out sections in the config file, for you to use port forwarding, with examples for each type of traffic. To enable, simply uncomment each line, and enter the correct IP address of the internal server to be accessed. Another example is if you want to allow an employee to access their desktop machine remotely via the Internet. For example, if they wanted to use remote control software such as VNC or pcAnywhere from home, this is where you would enable this. You would keep the port closed, but give them their own unique (and top secret!) knock to temporarily open a unique hole, so only they can get in, and be port forwarded (and port redirected) to their own machine. Pretty cool, huh? I gave examples of this in the config file too.

3.1.2.3 Firewall -> WAN

This one confuses people. Why does the firewall need to talk to anyone on the Internet? LOL yes it does, actually. Not only does the Debian machine need to talk to the WAN (apt-get/aptitude to install packages, get software updates, security patches, etc.), but some of the packages we are installing on the firewall need to talk to the WAN:

    Squid, the proxy service that fetches and caches web pages for your internal users, is running on the firewall, and needs to initiate requests onto the WAN.
    The network time protocol (NTP) server is also running on the firewall, and needs to talk to the WAN.
    The DNS server is also running on the firewall, and needs to talk to the WAN.
    The ssh client, so YOU (and only you) can ssh from inside the firewall to the Internet.
    ICMP, so YOU can ping from inside the firewall to the Internet.

3.1.2.4 Firewall -> LAN

Not much here really. If you did allow yourself to knock into the ssh port, you will probably want to allow yourself to ping and ssh into the local LAN. That's about it.

3.1.2.5 LAN -> Firewall

This one confuses people. You will NEVER allow your users direct access to the Internet. Instead, they must talk to proxies on the firewall, then the firewall talks to the Internet. All LAN user web browsers must be reconfigured to point to the IP address of the firewall, and talk to port 8080, which is the DansGuardian server.

Please note: DansGuardian will forward all web traffic requests to squid, which is port 3128 on the local host. Another note: any traffic from one service to another on the same host goes through the internal interface, and does not go through the firewall.

    The DNS port must be open to the LAN, so all users can access the DNS server on the firewall.
    The NTP port must be open to the LAN, so all users can access the time server on the firewall.
    ICMP is typically opened up to the LAN, so all users can ping the firewall.

3.1.2.6 LAN -> WAN


Nothing! You don't want ANYONE accessing anything directly through the firewall to the Internet. You will probably make exceptions for yourself, and maybe your boss and other demanding management (which must remain top secret, of course!). I do include two other examples in the config file, to allow windows machines to get updates through the firewall, and to allow windows machines to access bitdefender for the free online virus scan/clean.
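The six initiation directions just described, together with the reply tracking from section 3.1.2, as an added Python model (not shorewall's code or the document's configuration): the zones, ports and policy table are constructed from the section text, and the scenario packets use documentation addresses.

```python
"""Added example, not from the Abazaba document or shorewall: a small model of the
one-way initiation policy of sections 3.1.2.1 to 3.1.2.6, plus the session tracking
that lets replies through without a rule of their own.  The policy table below is
constructed from the text; shorewall and netfilter implement the real thing."""
from dataclasses import dataclass

# Constructed policy: (source zone, destination zone) -> initiations that may be
# opened, as (protocol, destination port) tuples; icmp uses port 0.
# Anything not listed is dropped, which is what "Nothing!" means in the text.
POLICY = {
    ("wan", "fw"):  set(),                                   # 3.1.2.1 nothing (knock not modelled)
    ("wan", "lan"): {("tcp", 80), ("tcp", 443)},             # 3.1.2.2 DNAT to the internal web server
    ("fw", "wan"):  {("tcp", 80), ("tcp", 443), ("udp", 53),
                     ("udp", 123), ("tcp", 22), ("icmp", 0)}, # 3.1.2.3 apt, squid, dns, ntp, ssh, ping
    ("fw", "lan"):  {("tcp", 22), ("icmp", 0)},              # 3.1.2.4 ssh and ping into the LAN
    ("lan", "fw"):  {("tcp", 8080), ("udp", 53),
                     ("udp", 123), ("icmp", 0)},             # 3.1.2.5 dansguardian, dns, ntp, ping
    ("lan", "wan"): set(),                                   # 3.1.2.6 nothing: users go via the proxy
}


@dataclass(frozen=True)
class Packet:
    src_zone: str
    src: str
    sport: int
    dst_zone: str
    dst: str
    dport: int
    proto: str = "tcp"


class StatefulFirewall:
    """Accepts new sessions only per POLICY; accepts replies only for tracked sessions."""

    def __init__(self, policy=POLICY):
        self.policy = policy
        self.conntrack = set()  # 5-tuples of sessions that were legitimately initiated

    @staticmethod
    def _key(p):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reply_key(p):
        # The session this packet would be a reply to: same protocol, endpoints swapped.
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def handle(self, p):
        if self._reply_key(p) in self.conntrack:
            return "ACCEPT:reply"          # no rule needed, the session table allows it
        service = (p.proto, 0 if p.proto == "icmp" else p.dport)
        if service in self.policy.get((p.src_zone, p.dst_zone), set()):
            self.conntrack.add(self._key(p))
            return "ACCEPT:new"
        return "DROP"


def run_scenario():
    """Constructed traffic walking through each direction; returns the verdict list."""
    fw = StatefulFirewall()
    packets = [
        # LAN browser to dansguardian on the firewall, then the firewall's reply
        Packet("lan", "192.168.1.50", 40001, "fw", "192.168.1.1", 8080),
        Packet("fw", "192.168.1.1", 8080, "lan", "192.168.1.50", 40001),
        # Internet client to the port-forwarded web server, then the server's reply
        Packet("wan", "203.0.113.9", 51000, "lan", "192.168.1.10", 80),
        Packet("lan", "192.168.1.10", 80, "wan", "203.0.113.9", 51000),
        # Internet host trying to ssh to the firewall itself: 3.1.2.1 says nothing
        Packet("wan", "203.0.113.9", 51001, "fw", "198.51.100.1", 22),
        # LAN user bypassing the proxy straight to the Internet: 3.1.2.6 says nothing
        Packet("lan", "192.168.1.50", 40002, "wan", "203.0.113.20", 80),
        # Looks like a web reply, but no session was ever initiated: dropped
        Packet("wan", "203.0.113.20", 80, "lan", "192.168.1.50", 40002),
        # ICMP echo from the firewall to the LAN (3.1.2.4); ports are unused for icmp
        Packet("fw", "192.168.1.1", 0, "lan", "192.168.1.50", 0, "icmp"),
    ]
    return [fw.handle(p) for p in packets]


if __name__ == "__main__":
    for verdict in run_scenario():
        print(verdict)
```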

3.2 Attack Detection and Prevention (psad & fwsnort):

Unless your firewall doesn't allow ANY traffic initiated from the WAN (to the FIREWALL or the LAN), and you have absolutely no open ports on the WAN side, then sooner or later, your firewall will be attacked. This is a fact. Usually within 24 hours. I'm serious. The Internet is full of hacker wannabe losers, who run automated software, which scans all IP network segments, looking for machines with open ports. If your firewall has even one port open to the Internet, your firewall will be attacked. My logs show my firewall gets attacked several times EACH DAY. Obviously, we shouldn't have to worry about this every moment of every day. With a properly configured firewall, you have little to worry about. However, there is a very small chance, usually due to a configuration error, or sometimes a software bug, that your firewall may be compromised in a future attack. Fortunately, every type of attack imaginable has already been thought of, documented, and solutions provided to prevent them. There are even software packages available that will detect when an attack takes place, and automatically prevent it in most cases. There is a popular package, called psad, which we will be installing and configuring. For the more sophisticated types of attacks, where it isn't so obvious, a smart tool such as fwsnort is available to detect and prevent those attacks as well. We will be installing and configuring that too.

3.2.1 Port Scan Attack Detector (psad)

Great utility. It monitors your WAN interface (actually, it monitors a log file of your WAN traffic), and when it sees your ports getting scanned, it can be configured to react in a variety of ways, including blocking the source IP address of the offending attacker, logging the attack, and even sending you an email. Pretty cool. We'll use it.
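What the log watching described above boils down to, as an added example (not psad's code): constructed iptables LOG lines in the kernel's format are parsed, and a source that hits several distinct ports on the WAN interface within a short window is flagged with a constructed danger level.

```python
"""Added example, not psad's code: the idea behind psad's log watching, run over a
few constructed iptables LOG lines in the kernel's IN=/SRC=/DST=/DPT= format.  A
source that probes several distinct ports on the WAN interface within a short window
is flagged; thresholds and danger levels below are constructed for illustration."""
import re
from collections import defaultdict

# Constructed sample log: five quick SYN probes from one host, one stray packet from
# another, LAN-side broadcast noise on eth1, and an unrelated sshd line.
SAMPLE_LOG = """\
Oct  7 10:15:01 firewall kernel: [ 1234.50] Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=198.51.100.1 LEN=44 TOS=0x00 PREC=0x00 TTL=49 ID=54321 PROTO=TCP SPT=44123 DPT=21 WINDOW=1024 RES=0x00 SYN URGP=0
Oct  7 10:15:02 firewall kernel: [ 1235.10] Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=198.51.100.1 LEN=44 TOS=0x00 PREC=0x00 TTL=49 ID=54322 PROTO=TCP SPT=44124 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Oct  7 10:15:02 firewall kernel: [ 1235.60] Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=198.51.100.1 LEN=44 TOS=0x00 PREC=0x00 TTL=49 ID=54323 PROTO=TCP SPT=44125 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Oct  7 10:15:03 firewall kernel: [ 1236.20] Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=198.51.100.1 LEN=44 TOS=0x00 PREC=0x00 TTL=49 ID=54324 PROTO=TCP SPT=44126 DPT=25 WINDOW=1024 RES=0x00 SYN URGP=0
Oct  7 10:15:04 firewall kernel: [ 1237.00] Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=198.51.100.1 LEN=44 TOS=0x00 PREC=0x00 TTL=49 ID=54325 PROTO=TCP SPT=44127 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0
Oct  7 10:15:05 firewall kernel: [ 1238.30] Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.77 DST=198.51.100.1 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=1001 DF PROTO=TCP SPT=3077 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0
Oct  7 10:15:05 firewall kernel: [ 1238.90] Shorewall:loc2fw:DROP:IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:aa:bb:cc:dd:ee:08:00 SRC=192.168.1.50 DST=192.168.1.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=2 PROTO=UDP SPT=137 DPT=137 LEN=58
Oct  7 10:15:06 firewall sshd[1234]: Accepted publickey for linuxadmin from 192.168.1.20 port 50022 ssh2
"""

# Fields as the netfilter LOG target writes them, e.g. "SRC=203.0.113.9 ... DPT=22".
FIELD_RE = re.compile(r"\b(IN|SRC|DST|PROTO|SPT|DPT)=(\S*)")
TS_RE = re.compile(r"^\w{3}\s+\d+\s+(\d{2}):(\d{2}):(\d{2})")


def parse_log_line(line):
    """Return the interesting fields of a firewall log line, or None for other lines."""
    m = TS_RE.match(line)
    if m is None or "IN=" not in line:
        return None
    h, mi, s = (int(x) for x in m.groups())
    fields = dict(FIELD_RE.findall(line))
    if not fields.get("SRC") or not fields.get("DPT"):
        return None
    return {"t": h * 3600 + mi * 60 + s, "src": fields["SRC"], "dst": fields.get("DST"),
            "proto": fields.get("PROTO"), "dport": int(fields["DPT"]), "iface": fields.get("IN")}


def danger_level(distinct_ports):
    """Constructed mapping from distinct ports probed to a psad-style danger level 0-5."""
    for level, threshold in ((5, 50), (4, 30), (3, 15), (2, 8), (1, 3)):
        if distinct_ports >= threshold:
            return level
    return 0


def detect_scans(lines, window=60, min_ports=3, wan_iface="eth0"):
    """Return {source: {"level": n, "ports": [...]}} for every source that hit at least
    min_ports distinct destination ports on wan_iface within `window` seconds."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_log_line(line)
        if rec and rec["iface"] == wan_iface:        # LAN-side noise is not a WAN scan
            hits[rec["src"]].append((rec["t"], rec["dport"]))
    alerts = {}
    for src, probes in hits.items():
        probes.sort()
        best = set()
        for i, (t0, _) in enumerate(probes):          # sliding window starting at each probe
            ports = {p for t, p in probes[i:] if t - t0 <= window}
            if len(ports) > len(best):
                best = ports
        if len(best) >= min_ports:
            alerts[src] = {"level": danger_level(len(best)), "ports": sorted(best)}
    return alerts


if __name__ == "__main__":
    for src, info in detect_scans(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: danger level {info['level']}, ports {info['ports']}")
```

In the real setup psad reacts to the danger level (alert mail, auto-block); this model stops at producing the alert.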

3.2.2 Snort-to-iptables rule translator (fwsnort)

If you are forwarding traffic to some internal servers, such as an email server, web server, etc., this gem of a tool loads up the most common attacks to those kind of servers, and plugs them into the linux kernel as iptables rules, which means these types of attacks will be detected and blocked instantly by the kernel, at full wire speed, without needing any additional software running to process the attack first. Neat stuff.

3.3 Web page interception, inspection and approval (dansguardian)

One of the coolest packages on the Internet, this very popular package sets the standard for dynamic real-time filtering of web page content. You can leave the dansguardian defaults on, and this will suffice for most people. Naturally, it is extremely customizable.

3.3.1 Dynamic content filtering


When a user attempts to access a website, the user sends the request, and it is intercepted by the dansguardian firewall, which in turn requests the page from the website, and examines the CONTENT of the web page in real time, before forwarding the page to the user, if and only if dansguardian finds nothing objectionable. If objectionable content is found, dansguardian will instead send a block message to the user, advising them the website they attempted to contact had objectionable material, and has been blocked. This process is automated, and works beautifully.
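The intercept, inspect, then forward-or-block flow of this section, as an added simplified model (not DansGuardian's code): the weighted phrase list, the limit and the sample pages are constructed, and matching is reduced to substring search over the page's visible text.

```python
"""Added example, not DansGuardian's code: a simplified model of the flow in 3.3.1.
The fetched page (here handed in as a string) has its visible text scored against a
weighted phrase list, and is either forwarded unchanged or replaced by a block message.
Phrase list, weights, limit and sample pages are constructed for illustration."""
import re
from html import unescape

# Constructed weighted phrase list.  Positive weights count against a page; negative
# weights mark context that is usually legitimate and pull the score back down.
WEIGHTED_PHRASES = {
    "free casino": 60,
    "place your bets": 40,
    "online poker": 30,
    "gambling addiction": -50,
    "helpline": -30,
}
NAUGHTINESS_LIMIT = 50   # constructed: block once the summed weight reaches this

TAG_RE = re.compile(r"<[^>]+>")
WS_RE = re.compile(r"\s+")


def page_text(html):
    """Reduce markup to the words a reader sees: drop tags, decode entities, squash whitespace."""
    return WS_RE.sub(" ", unescape(TAG_RE.sub(" ", html))).strip().lower()


def score_page(html):
    """Sum the weight of each listed phrase present in the page (each counted once)."""
    text = page_text(html)
    matches = [phrase for phrase in WEIGHTED_PHRASES if phrase in text]
    return sum(WEIGHTED_PHRASES[p] for p in matches), matches


def block_page(url, score, matches):
    """The page the user sees instead of the blocked content."""
    return ("<html><body><h1>Access Denied</h1>"
            f"<p>{url} was blocked: weighted phrase score {score} "
            f"(limit {NAUGHTINESS_LIMIT}). Matched: {', '.join(matches)}</p></body></html>")


def filter_response(url, html):
    """Return ('forward', original page) or ('block', block page)."""
    score, matches = score_page(html)
    if score >= NAUGHTINESS_LIMIT:
        return "block", block_page(url, score, matches)
    return "forward", html


# Constructed sample pages: a gambling site, a support site that mentions the same
# topic in a legitimate context, and a page with nothing on the list.
SAMPLE_PAGES = {
    "http://casino.example/": "<html><head><title>Free Casino</title></head><body>"
                              "<h1>FREE&nbsp;CASINO!</h1><p>Place your\n  bets now.</p></body></html>",
    "http://support.example/": "<html><body><h1>Gambling Addiction Helpline</h1>"
                               "<p>Online poker can cause harm. Call our helpline.</p></body></html>",
    "http://news.example/": "<html><body><p>Local library extends opening hours.</p></body></html>",
}


def filter_all():
    """Run every sample page through the filter; returns {url: (verdict, score)}."""
    return {url: (filter_response(url, html)[0], score_page(html)[0])
            for url, html in SAMPLE_PAGES.items()}


if __name__ == "__main__":
    for url, (verdict, score) in filter_all().items():
        print(f"{verdict:8} score={score:4}  {url}")
```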

3.3.2 Virus scanning and spam filtering

Another great feature is the automatic blocking of spam, pop-up messages and advertisements on web pages. If any files are downloaded, the downloaded file is scanned for viruses before allowing the download to continue. If a virus is found, the download is blocked, and a virus message is sent to the user.

3.3.3 Auto-updating known bad sites list

This is an optional feature which you really don't need, because the content filtering is good enough to catch anything undesirable. However, if you would like to automatically block known bad sites, you will have to pay for the bad site listing. There are a number of inexpensive subscription services. I'll show you how to setup one of the more popular ones.

3.4 Troubleshooting tips, tools and logs

We are installing all kinds of cool stuff on this firewall. The time will come when you have to track something down. When that happens, you will already have days of logs waiting for you to examine. You will have real time tools you can launch, to start monitoring traffic. You will have utilities and methods to help you begin tracking down an issue. We can't anticipate everything, but we can predict most things. There are a variety of tools we will be installing.

3.5 GUI management tool (webmin)

There is an awesome GUI management tool available for linux boxes, that has been around for many years, and is definitely an industry leader. Webmin can configure pretty much anything you can think of on a linux box, and it does it nicely. (add a pic here from the abazaba.org firewall)


4 Site Preparation
Before you start building the firewall, you need to have your documentation ready, your network ready, your firewall pc ready, and your management workstation ready. We already know everything that we will need, can identify it now, and can be prepared. Chance favors the prepared mind... An ounce of prevention is worth a pound of cure...

4.1 Network Documentation:

Many beginners skip this step, and then later wind up rebuilding the entire firewall from scratch, because they forgot some huge detail! Don't you dare ask me how to change any of the names or addresses after you build the firewall. I WILL yell at you, then laugh and tell you to rebuild it. Don't be a schmuck, get your documentation ready, and keep it with the firewall or in a secure location.

Determine all name and IP addressing: Does your ISP provide you a dynamic IP address, via DHCP? Or is it static? You have to know ahead of time.

Things you must identify and/or decide on, BEFORE building the firewall:

    Firewall name
    Domain name
    WAN IP address *
    WAN network mask *
    WAN default route *
    ISP DNS server IP address #1 *
    ISP DNS server IP address #2 *
    ISP DNS server IP address #3 *
    LAN IP address
    LAN network mask

NOTE for dynamic WAN links (*): If your ISP provides a dynamic IP address (not static), then you do not need to document the WAN IP, WAN network mask, WAN default route, or ISP DNS servers. This information will be gathered by the firewall automatically via DHCP.

For the Firewall name, unless you have something specific in mind, I recommend you name it 'firewall'.

For the Domain name, make sure you predetermine this. I highly recommend you subscribe to dyndns.org, and register your domain name, BEFORE building this firewall. If you do it after you build the firewall, there's a HUGE chance the domain name you chose has ALREADY been registered by somebody else. You have been warned!

Internal LAN IP addressing plan: You need a plan! Your network should follow a predefined network addressing plan. I always make a spreadsheet, keep a printout in my desk, and as I add or change IP addresses, I pull out the sheet and write on it. That way, I always know who is using what IP address. Whenever I need to modify the DNS server, figure out the next available address etc., I always have the printout with me. For your convenience, I have created a spreadsheet for you. Please download it, and fill-in all relevant


information. Modify as desired.

DOWNLOAD SAMPLE IP ADDRESS SPREADSHEET HERE: www.abazaba.org/debian/lanipdoc.ods

Note: I assume you have fewer than 250 workstations in your organization. If you have more, then you are probably using the 10.x.x.x network, and should already know how to do this. For more information about private IP address ranges, see: http://www.ip-adress.com/private_ip_address/

For those of you who need a plan, the spreadsheet uses the following assumed configuration:

EXAMPLE LAN IP NETWORK:

    LAN IP network:     192.168.1.0
    LAN IP address:     192.168.1.1
    LAN IP broadcast:   192.168.1.255
    LAN network mask:   255.255.255.0
    LAN default route:  192.168.1.1
    LAN DNS Server:     192.168.1.1

LAN IP address assignments:

    1:       firewall
    2-9:     routers and switches
    10-19:   file servers, print servers, game servers (LOL just kidding)
    20-29:   privileged administration workstations (me, boss, etc.)
    30-39:   administrative/executive staff
    40-49:   department managers/leads
    50-199:  standard users, assigned by firewall DHCP server
    200-250: VPN

Wireless IP address assignments: If you have a wireless network, simply put the wireless access points on their own IP network, and route between wired and wireless. For example, a wireless network can use the 192.168.2.0 network.

    Wired IP address:       192.168.1.x (this is a router, use 2-9 range)
    Wired network mask:     255.255.255.0
    Wired default route:    192.168.1.1
    Wired DNS server:       192.168.1.1

    Wireless IP network:    192.168.2.0
    Wireless IP address:    192.168.2.1
    Wireless IP broadcast:  192.168.2.255
    Wireless network mask:  255.255.255.0
    Wireless default route: 192.168.2.1

Your wireless router will probably have a built-in DNS and DHCP server. Go ahead and use them. Your needs may differ. Adjust all of the above as required. Note: For those of you who are wondering why I am starting with the 192.168.1.0 network, and not the 192.168.0.0 network, it's because I'm old school. Back in the day, some routers (like Wellfleet, before Bay, before Nortel) couldn't handle the 0 network, so to be safe, we always started at 1. Feel free to use the 0 network if you prefer, it's up to you.

4.2 Network Setup Requirements:

Your network must have:

A direct internet connection. Can be a static or dynamic IP address provided by your ISP, it doesn't really matter which. The firewall will be placed directly on the Internet.

A relatively new pc with moderate speed and lots of RAM, to install the server software. It doesn't have to be new. The cheapest box from your local computer store costing under $500us is more than sufficient. Since we are installing all the services on this one box, the more RAM the better. The basic firewall should have 256MB RAM. If you intend to install squid/dansguardian, a minimum of 512MB RAM is needed to avoid hitting the swap file. This should suffice for a small office of less than 100 users. More users means more RAM; you'll have to figure RAM usage yourself.

A management workstation, used to remote test and remote configure the server. Can be Windows or Linux based (dual-boot very useful). I use my laptop, running Debian TESTING, of course.

Additional workstations to test connectivity are extremely useful, but not required for testing.

An external (on the other side of the Internet) linux workstation, to perform remote testing. I have a linux firewall at work and at home, to test to/from each.

An optional registered internet domain. You must subscribe to one of the providers (ex: dyndns), and register your domain name address on their site. Don't be cheap, get your own personal domain. If you intend to also run an email server, you need a custom account that supports MX records (email server identification). If your ISP provides a dynamic IP address, we will install a service on the firewall to automatically update your domain IP address information whenever it changes.

4.3 Firewall Hardware requirements:

It may surprise you that this firewall can be installed on an older, slower machine. It does not require much in the way of resources (squid needs a lot of RAM). An old Pentium PC with 256MB RAM will do nicely for a home or small office. Obviously, a faster machine with more RAM will be better, but is not necessary for small LANs. You also need a 2nd network interface card (NIC). NOTE: Even though I don't cover adding a third NIC and setting up a DMZ, if you know what that is, you shouldn't have any trouble adding one. Maybe I'll add an appendix that covers this.

4.3.1 Prepare the Firewall:

Before we start installing Debian, we need to prepare the firewall machine for installation.

Upgrade the BIOS: (optional) It's a good idea to upgrade the BIOS before building the firewall, especially if it is not a new machine. This is probably the only chance you will get. After you build the firewall, you should NEVER upgrade the BIOS, because it may break the firewall! Note: Upgrading the BIOS is dangerous to the machine, if you don't know how. One false move, and the machine is rendered useless (you cannot fix it). Only perform this step if you are experienced. If you have never upgraded a BIOS before, well, now is not the time to learn LOL.

Download and burn the Debian Installation CD: NOTE: If you have a fast Internet connection (cable or fiber), you can just download the NETINSTALL ISO cd. If you have a slow Internet link (dial-up or dsl), you might want to consider downloading the full INSTALL DVD. Sure, it will take a long time to download the DVD, but it's better to have an Internet connection problem while downloading the DVD than to have a problem during the actual install. Download the latest Debian Squeeze NETINSTALL ISO cd, currently frozen in TESTING as of this writing. Do NOT get an ISO with a GUI such as GNOME or KDE. It is EXTREMELY inadvisable to install a GUI, which will waste disk space, and more importantly, a LOT of precious memory. You do NOT need a GUI on the firewall. We will do all tasks remotely. We also provide a graphical management system (webmin) that you can access remotely. Burn the ISO to a CD, and make sure it burned okay.

Setup the firewall hardware: Do NOT install the 2nd NIC at this time. Make sure there is only one NIC installed. For people new to linux, configuring multiple NICs can be very difficult to get right. We will make sure the first NIC is working correctly BEFORE adding the second one. Go ahead and connect the server DIRECTLY to the Internet (this is to avoid IP/DNS/routing/resolver problems for those not familiar with customizing and troubleshooting these things).

4.4 Management Workstation Requirements

Any desktop or laptop will suffice. I use both. My desktop has a huge, high rez double wide lcd monitor, so I can have lots of windows open at once. A laptop with a decent resolution will suffice as well. Both of mine dual boot to Windows and Linux, Debian of course.

4.4.1 Prepare your management workstation:

Before we build the server, we want to make sure your management workstation has all of the necessary programs needed during the remote installation, configuration and testing phase. There are several programs you will find incredibly useful on the workstation. Whether you are running Windows or Linux, you will need:

    Browser (I use Firefox in both environments)
    SSH client
    Secure remote file manager
    Diagnostic utilities

4.4.1.1 Linux workstation:

If you are running Debian linux on your workstation, like me :) you want to prepare it for use as a remote configuration workstation.

Automate SSH client: Your linux workstation already has secure shell installed. We will be using it a lot. Make sure you have an easy way of launching it. Whether you are using GNOME or KDE (doesn't matter), I usually add a quick launch icon to the toolbar, that opens a bash console, launches ssh, and connects me to the firewall (ssh 192.168.1.1). We will be using ssh sessions a lot. Get used to doing things from the command line, it's faster than webmin.

Install secure remote file manager utility: You might also want to install Krusader. It's the linux equivalent to the Windows WinSCP utility. It is a great secure remote file browsing/editing utility, used for accessing a remote file system. It looks just like the Windows file manager, in a split screen format, showing your local file system on the left, and the remote linux file system on the right. Nifty.

# apt-get install krusader md5deep cfv krename arj lha unrar unrar-free rar rpm unace unzip p7zip


Install nmap and zenmap: We will do extensive testing of the firewall from the workstation. The most popular, ie industry standard, is nmap. It is a port scanner, designed to scan an IP address, and identify all ports that are open. Nmap is the command line version, and zenmap is the GUI. You'll love it. Highly recommended.

# apt-get install nmap zenmap

4.4.1.2 Windows workstation:

If you are running windows on your management workstation, you will need to install some remote connectivity software.

Install SSH client: The most popular is putty: http://www.chiark.greenend.org.uk/~sgtatham/putty/ Download putty.exe and psftp.exe. Putty is the DOS equivalent to ssh, providing a secure remote shell to the server. Psftp is the DOS equivalent to sftp, providing secure file transfer to the server. We will be remote connecting a LOT to the server. It is best to create a quick launch icon that runs putty, and connects you to the server (by IP address for now, will use DNS name later). Go ahead and do that now.


Install secure remote file manager utility: WinSCP is one of the most popular utilities for accessing a remote file system. It looks just like the Windows file manager, in a split screen format, showing your local file system on the left, and the remote linux file system on the right. Nifty.

Download and install WinSCP: http://winscp.net/eng/docs/screenshots

Put that on your quick launch bar.


Install Zenmap/nmap: Nmap now has a windows version of their awesome port scanning utility. Download and install nmap for windows: http://nmap.org/download.html

Optional Linux environment: If you are not comfortable or used to Windows, I highly recommend you install Cygwin:


http://www.cygwin.com/ Cygwin is a Linux-like environment for Windows. It comes complete with X-Windows support, giving Windows a Linux like environment and command line utilities. Pretty cool stuff.


5 Install Debian Base System


We are ready to start building the firewall. Connect the PC to the Internet, plug everything in, pop that Debian CD in the drive, and fire it up!

5.1 Install the Operating System:

OK, let's get started! If you haven't completed the Site Preparation Documentation, NOW is the time. You need it now. Boot the CD, and start the server build. Don't install any of the application servers such as web, mail, samba, etc. Do not install the desktop environment. The only thing that should be selected for installation is 'standard system'. Make sure you select the Internet sources, and update the sources. Don't worry about upgrading anything yet, we'll do that later. Use the server name and domain name you registered with your domain service. Purely optional: For the local user account (non-root), I usually name it something like 'linuxadmin' or 'administrator', and not my normal login name, because in a business setting, someone else may eventually be managing this firewall. You need to decide that now. New linux users should use the entire hard disk as one partition, select: guided, use entire disk, all files in one partition. When installation is done, reboot and test to your liking. Make sure it's ready. Make sure you can ping everywhere.

5.2 Configure the Package Management System:

For a fresh install, you should always finish configuring the package management system, and perform an upgrade, to make sure all available patches are installed, and everything is current.

Edit the sources.list file:

NOTE: Obsolete! For Etch only... for Lenny and above, this has been fixed. By default, the NETINSTALL will leave the CDROM media enabled as a source. We need to disable this, to make sure you can safely remove the NETINSTALL CD, and all updates are fetched from the Internet.

# vi /etc/apt/sources.list

Your /etc/apt/sources.list file should look something like this. Make sure you comment out the installation CD (there are usually two lines, and I always comment out the first one, and delete the second one):

#
# deb cdrom:[Debian GNU/Linux 4.0 r2 _Etch_ - Official i386 NETINST Binary-1 20080103-00:44]/ etch contrib main

deb http://ftp.debian.org/debian/ squeeze main
deb-src http://ftp.debian.org/debian/ squeeze main

deb http://security.debian.org/ squeeze/updates main
deb-src http://security.debian.org/ squeeze/updates main


Update the system and apply all patches: Before we continue, we want to run the upgrade process, to ensure we are using the latest Debian kernel patch, and have installed all package updates.

A note on apt-get vs aptitude: Although they can be used interchangeably, it is a good idea to stick to just one of them, because there are some subtle differences (which I won't get into). Aptitude is a program that runs on top of apt-get. I tend to use aptitude because it is a little bit smarter, and better at resolving dependencies. However, for this firewall, it is safe to use either one.

# aptitude update
# aptitude dist-upgrade


Install all updates. If an upgraded kernel patch is also installed, after it is done installing, reboot:

# reboot

5.3 Fix grub:

Starting with squeeze, a new version of grub is installed. When you first boot your computer, if you see a message from grub telling you to test the grub install before fixing it, and then grub continues to boot normally, you need to apply a fix to grub. If you upgraded from Lenny to Squeeze:

# os-prober
# update-grub

If you installed Squeeze:

# update-grub
Reboot. Grub should boot normally now (no more test message).

5.4 Automate the update/upgrade process:

Just kidding! Even though it is possible, you should NEVER automate the upgrade process on any production machine, whether it's a firewall, server or even just a workstation. Even though Debian Stable is fantastic with its reliable upgrades, there is always the remote chance an upgrade will break something on your firewall. You should always perform upgrades on your production firewall manually. If you really want to automate the upgrade process, look for that feature in the webmin package we install later.

How often should I upgrade? Debian Stable doesn't get a lot of updates. Most people manually run the update once a week. You can go once a month and be fine. Just remember though, the longer you wait, the more updates there will be, and the greater the chance a badly needed bug fix is waiting to be applied. Every weekend, usually on Sunday, I will remote into our corporate firewall (from home) and run the update:


# aptitude update
# aptitude dist-upgrade


If the kernel gets patched, make sure you reboot the firewall. When I need to reboot the firewall, I usually wait until either late at night, or early in the morning, when I know nobody is on the network. If you live near work, you can usually safely reboot it remotely from home (I do). Just make sure you reconnect after a few minutes, to make sure it came back up ok, and everything is running.

5.5 Install additional base packages:

Before we begin configuring the main firewall packages, let's go ahead and install some additional needed services. The very first thing to install is the ssh server, so we can do all remaining work from the management PC, to take advantage of a high-res GUI, open multiple sessions to the firewall, etc.

5.5.1 Install SSH Server:

At-a-glance:
Main directory: /etc/ssh
Main configuration file: /etc/ssh/sshd_config
Documentation: /usr/share/doc/openssh* (multiple directories)
Logs: /var/log/auth.log

We need to install the OpenSSH secure shell server, so we can remote connect to the server.

# apt-get install openssh-server


Disable ssh root login (optional): We want to beef up the default security for the ssh server. By default, it listens on port 22 of all interfaces, and allows root to login. At a minimum, we want to disable root login. Let's do that now. Edit the /etc/ssh/sshd_config file, and make sure you set the 'PermitRootLogin' option to no:

PermitRootLogin no
NOTE: You may not want to disable ssh root login just yet. We will be remote connecting to the box soon, to make lots of root level changes, so you might want to skip this for now. You will probably be using WinSCP (or krusader) to remote browse/edit the filesystem on the firewall. After you are done configuring everything, then you will want to disable the ssh root login. I leave ssh root login enabled at this point, to make building the firewall easier. At the end of this document, when we lock down the firewall, we will close it.

Restart ssh server:

# /etc/init.d/ssh restart
Note: Later, when we configure the shorewall firewall, we will be CLOSING port 22 access from the WAN, and configuring 'port knocking' to open it.


5.5.2 Install Time Synchronization (NTP) service:

At-a-glance:
Main directory: none
Main configuration file: /etc/ntp.conf
Documentation: /usr/share/doc/ntp, /usr/share/doc/ntp-doc
Logs: /var/log/ntpstats/* (if you enable logs)

We want the date/time on this server to always be correct. The NTP service will synchronize with a public NTP server on the Internet. This service is auto-configured for you upon installation, and requires no configuration (in most cases).

# apt-get install ntp ntp-doc


The time on your firewall will now always be correct.

Enable ntp server to the local LAN: This package can also serve as an NTP server for your local LAN. To enable it, edit /etc/ntp.conf, and uncomment:

broadcast 192.168.1.255
NOTE: Don't forget to open this port on the firewall to the local LAN. We cover that later.

Enable logging: To enable logging, edit /etc/ntp.conf, and uncomment:

statsdir /var/log/ntpstats/
Restart NTP server:

# /etc/init.d/ntp restart

5.5.3 Install ddclient: (optional)

At-a-glance:
Main directory: none
Main configuration file: /etc/ddclient.conf
Documentation: /usr/share/doc/ddclient
Logs: none (use interactive mode to troubleshoot, see README in docs)

If you have a dynamic IP address (not static), and you registered a domain name with dyndns.org (or have a paid account with dyndns.com), you need to install this client. It will detect when your IP changes, and automatically update your A-record with dyndns. NOTE: Make sure you already have the A-record set up on dyndns before installing ddclient.

# apt-get install ddclient


The post-installation script will ask you:

fqdn of host: firewall.abazaba.org
interface to monitor: eth0
dyndns login name: name
dyndns login password: password

That's it. Ddclient will monitor your WAN IP address, and notify dyndns.org every time it changes.

Troubleshooting: Use the interactive mode of ddclient, from the command line. See /usr/share/doc/ddclient/README for instructions.

5.6 Install 2nd NIC:

Before we actually physically install the 2nd NIC into the PC, we can go ahead and edit the configuration file, and prepare the firewall to recognize it and auto-configure it upon boot.

5.6.1 Edit the 2nd NIC configuration file:

Take a look at the /etc/network/interfaces file:

# cat /etc/network/interfaces
Add this to the end of your /etc/network/interfaces file:

# I added this stuff:
# The LAN network interface
iface eth1 inet static
    address 192.168.1.1
    netmask 255.255.255.0
    network 192.168.1.0
    broadcast 192.168.1.255

auto eth0
auto eth1

For a static configuration, it will look something like this:

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
auto eth0
auto eth1
iface lo inet loopback

# The primary network interface
allow-hotplug eth0
iface eth0 inet static
    address 72.91.54.192
    netmask 255.255.255.0
    network 72.91.54.0
    broadcast 72.91.54.255
    gateway 72.91.54.1
    # dns-* options are implemented by the resolvconf package, if installed
    dns-nameservers 72.91.54.192 68.238.112.12 68.238.96.12
    dns-search abazaba.org

# I added this stuff:
# The LAN network interface
iface eth1 inet static
    address 192.168.1.1
    netmask 255.255.255.0
    network 192.168.1.0
    broadcast 192.168.1.255

auto eth0
auto eth1

For a DHCP configuration, it will look something like this:

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
allow-hotplug eth0
iface eth0 inet dhcp

# I added this stuff:
# The LAN network interface
iface eth1 inet static
    address 192.168.1.1
    netmask 255.255.255.0
    network 192.168.1.0
    broadcast 192.168.1.255

auto eth0
auto eth1

5.6.2 Physically Install the 2nd NIC:

Shutdown the server:

# halt
and install the other NIC. Make sure it is a NIC that is supported in linux. Most NICs older than a year are automatically supported.


Note: this how-to does not cover hardware issues. You need to have experience installing hardware.

Before you turn the computer back on, you need to finish connecting all networking hardware:
connect the LAN port to an Ethernet switch
connect another PC to the Ethernet switch

If the Ethernet switch has any server capabilities, such as DNS server, DHCP server, etc., make sure you turn that stuff off!!! Make sure the Ethernet switch is powered up, so the LAN NIC in the firewall comes up at boot time.

5.6.3 Verify the 2nd NIC is functioning:

Power up the server, and login as root. There are a number of commands you should familiarize yourself with:

ifconfig
ifconfig eth0
ifconfig eth1
route
netstat -nr
arp -a
dig yahoo.com
ping www.yahoo.com

ifconfig eth1 should produce something like:

eth1      Link encap:Ethernet  HWaddr 00:1B:2F:34:57:C0
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::21b:2fff:fe34:57c0/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2608168 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3883163 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:561724795 (535.7 MiB)  TX bytes:370550585 (353.3 MiB)
          Interrupt:201 Base address:0xb800

If for some reason you think the server didn't detect the NIC, check this file:
In Etch, it's: /etc/udev/rules.d/z25_persistent-net.rules
In Squeeze, it's: /etc/udev/rules.d/70-persistent-net.rules

Please note: Every time you install another NIC that the firewall detects, it adds that NIC's hardware information to the persistent-net.rules file. If the ethX numbering goes higher than eth0 and eth1 (you have eth2, eth3, etc.), just delete those entries and reboot to get the count back down.

If you are still having trouble getting a NIC to work, check the boot log (the stuff you see scrolling on the screen at boot time):

# more /var/log/dmesg

You can try lspci to scan the PCI bus and show found devices:

# lspci -v
# update-pciids

5.7 Connect from your management workstation:

At this point, you should be able to connect to the firewall's LAN interface from your workstation. You should be able to ping the firewall, and connect to it with ssh, using a secure shell. You should also be able to connect using the secure remote file manager. Make sure you can ping the IP address of the firewall's LAN port from your workstation. Make sure you can open a secure shell to the firewall. Go ahead and open the remote file browser too. It will come in handy, even if just browsing.

5.7.1 Turn on color/aliases in shell session (optional):

I like color ssh sessions. I'm a big fan. I also tweak the aliases a bit. I do this for both the root and non-root account. To me, it makes it quicker to identify files and directories. Not everyone likes a color prompt. This part is totally optional. Feel free to skip it.

CAUTION: If you screw this up, you may have problems logging in again, so be careful when editing the .bashrc file! You should open multiple ssh sessions, and keep them open, just to be safe, so you don't lock yourself out.

As non-root (linuxadmin on my box): edit ~/.bashrc, and comment out these lines:

# set a fancy prompt (non-color, unless we know we "want" color)
# case "$TERM" in
# xterm-color)
#     PS1='${debian_chroot:+($debian_chroot)}\[\033[01;32m\]\u@\h\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\$ '
#     ;;
# *)
#     PS1='${debian_chroot:+($debian_chroot)}\u@\h:\w\$ '
#     ;;
# esac

uncomment the color prompt line, and change the small 'h' to a capital 'H':

PS1='${debian_chroot:+($debian_chroot)}\[\033[01;32m\]\u@\H\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\$ '


turn on color options (uncomment these lines):

# enable color support of ls and also add handy aliases
if [ "$TERM" != "dumb" ]; then
    eval "`dircolors -b`"
    alias ls='ls --color=auto'
    #alias dir='ls --color=auto --format=vertical'
    #alias vdir='ls --color=auto --format=long'
fi

uncomment ls aliases:

# some more ls aliases
alias ll='ls -l'
alias la='ls -A'
alias l='ls -CF'

Now, don't logout! Instead, just open a new ssh terminal to the firewall, and login to the regular non-root account. You should see a color prompt. If you messed something up, just go back to the original window and fix it. Don't logout until it works. Try out some of the color ls commands:

$ ls
$ ll
$ la
$ l

My favorite is 'ls -alF', and I assign it to alias ll. Try it out.

$ ls -alF
For the root account, the .bashrc file is different. Here is the .bashrc file for root:

root@firewall:~# cat .bashrc
# ~/.bashrc: executed by bash(1) for non-login shells.

export PS1='\h:\w\$ '
umask 022

# You may uncomment the following lines if you want `ls' to be colorized:
export LS_OPTIONS='--color=auto'
eval "`dircolors`"
alias ls='ls $LS_OPTIONS'
alias ll='ls $LS_OPTIONS -l'
# alias l='ls $LS_OPTIONS -lA'
alias l='ls $LS_OPTIONS -alF'
#
# Some more alias to avoid making mistakes:
alias rm='rm -i'
alias cp='cp -i'
alias mv='mv -i'

# color prompt
PS1='${debian_chroot:+($debian_chroot)}\[\033[01;32m\]\u@\H\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\$ '

Set domain name (optional):


I like to see the FQDN as my prompt, so I know which firewall on which network I'm currently shelled into. I've made changes and rebooted the wrong firewall before. DOH! It sucks. Edit /etc/hostname, and put the FQDN, for example:

firewall.abazaba.org
Then re-initialize the start script:

# /etc/init.d/hostname.sh start

Change all the 'PS1' settings in .bashrc (already done above), replacing \h with \H, to see the FQDN in an xterm window (or console).


6 Install Firewall Packages:


The Debian Base installation is complete. We are now ready to turn this box into a firewall. Let's install the firewall packages.

6.1 Install and configure dnsmasq:

At-a-glance:
Main directory: /etc/dnsmasq.d/
Main configuration file: /etc/dnsmasq.conf, /etc/default/dnsmasq, /etc/dnsmasq.d/*
Documentation: /usr/share/doc/dnsmasq, /usr/share/doc/dnsmasq-base
Logs: /var/log/syslog

Before we turn on the NAT/routing, let's get the DNS and DHCP services up and running.

# apt-get install dnsmasq


NOTE: Do NOT install resolvconf from the recommended list, unless of course your firewall will be mobile. Make sure you read through the main configuration file for dnsmasq, it is: /etc/dnsmasq.conf

Restrict to LAN interface: Dnsmasq should only listen to DNS and DHCP requests from the local LAN, and ignore requests from the WAN. Note: the firewall will also be configured to block DNS and DHCP requests from the WAN. Edit the /etc/dnsmasq.conf file, find and uncomment the interface line, and set it to eth1:

interface=eth1
Expand Hosts: We want to enable the expand hosts option, so the DNS server understands each LAN workstation name is part of the local domain, and will add the domain name to them automatically. Edit the /etc/dnsmasq.conf file, and uncomment the expand-hosts line:

expand-hosts
Set Domain Name: We need to tell the DNS/DHCP server the name of our local domain. Note: Make sure you set the domain name to the exact same thing as you did when you installed Debian. If you don't remember the exact name you used, from the command line, enter:

dnsdomainname

The domain= line should read something like this (use your domain name):

domain=abazaba.org
Configure DHCP Server (optional): If you want a DHCP server available for your network, you need to turn it on, and configure the address range.

The configuration we are using allocates 100 addresses for DHCP. If you need more, modify as desired. The first DHCP address starts at 50. Most networks will reserve the first portion of addresses for various things, including: firewall, routers, switches, servers, and machines with static IP addresses.

TIP: I tend to give important people static IP addresses, so they can bypass some firewall restrictions placed on people who receive DHCP addresses. However, this only works on networks where none of the users are computer savvy. More on this later.

Edit the /etc/dnsmasq.conf file, uncomment the first dhcp-range line, and make it look something like:

dhcp-range=192.168.1.50,192.168.1.150,12h
That's it. Dnsmasq should be configured correctly. Restart dnsmasq:

# /etc/init.d/dnsmasq restart

6.1.1 Reconfigure the firewall to use the local DNS server:

Now that we have a fully functional DNS server running on our firewall, it makes sense to reconfigure the firewall to use it! This way, every process on the firewall that needs DNS info (such as squid) will check with its locally running DNS server, and on a miss, let that DNS server fetch the info.

Static IP address: Edit the /etc/resolv.conf file, and add a first line that says nameserver 127.0.0.1:

root@firewall:~# cat /etc/resolv.conf
nameserver 127.0.0.1
nameserver 68.238.112.12
nameserver 68.238.96.12


DHCP Address: Edit the /etc/dhcp/dhclient.conf file, and after the #supersede line, insert this line:

prepend domain-name-servers 127.0.0.1;


Then re-initialize the WAN NIC:

# ifdown eth0
# ifup eth0


Then check the /etc/resolv.conf file, and make sure it has the nameserver as the first line:

# cat /etc/resolv.conf

6.1.2 Test the local DNS server:

Now, test it. From the command prompt, use dig:

# dig yahoo.com


Towards the bottom, you will see:

;; Query time: 24 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)


As you can see, the response came from the local IP address. It's working. Now, do it again:

# dig yahoo.com
;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)


See the difference? Pretty cool!

To check the log: dnsmasq uses the system syslog utility to capture its log entries. On a Debian box, the entries are stored in the /var/log/syslog file. To view dnsmasq log entries:

grep dnsmasq /var/log/syslog | more


Prevent bogus DNS spam responses from unprofessional DNS providers: This irks the crap out of me. Occasionally, I will have a typo when I'm typing in the URL of some website. For example, instead of typing in www.yahoo.com, I accidentally type www.yahoo.co (forgot the 'm' at the end), but instead of getting the usual 'server not found' error message, my web browser gets hijacked, and I'm forwarded to some lame site that tells me 'server not found', then offers me their services. I hate that. It's incredibly rude, and they are violating the netiquette rules (remember those from the '80s?).

Any time you encounter a site like that, get its IP address, using the dig command from the command line. Then, edit the /etc/dnsmasq.conf file, uncomment the bogus-nxdomain line, and add the IP, like this:

bogus-nxdomain=8.15.7.117
bogus-nxdomain=63.251.179.13

Those are two actual DNS servers I've blocked so far. Feel free to block them. After you block it, test from your browser again. If you get hijacked again, get the new IP address, and add it too.
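As an added check (not part of the guide), the following sh functions do with a script what the two steps above do by eye: they read dig(1) output from stdin, report which server answered (127.0.0.1 once the firewall uses its own dnsmasq), and, for a name that is known not to exist, turn a NOERROR answer into the bogus-nxdomain= line to add to /etc/dnsmasq.conf. The two dig outputs are constructed for the example, 192.0.2.10 is a documentation address standing in for a hijacking resolver, and the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the Abazaba guide: helpers that read dig(1)
# output and turn a hijacked "not found" answer into a dnsmasq
# bogus-nxdomain= line. Both outputs below are constructed, not captured.

# Constructed: what a hijacking resolver returns for a name that does not exist.
DIG_HIJACKED='; <<>> DiG 9.7.3 <<>> www.yahoo.co
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711
;; QUESTION SECTION:
;www.yahoo.co.                 IN      A

;; ANSWER SECTION:
www.yahoo.co.           300     IN      A       192.0.2.10

;; Query time: 24 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
'

# Constructed: the honest answer, NXDOMAIN and no answer section.
DIG_HONEST='; <<>> DiG 9.7.3 <<>> www.yahoo.co
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4712
;; QUESTION SECTION:
;www.yahoo.co.                 IN      A

;; Query time: 31 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
'

# Print the response status (NOERROR, NXDOMAIN, ...) from dig output on stdin.
dig_status() {
    sed -n 's/^;; ->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p'
}

# Print the address of the server that answered; after section 6.1.1 this
# should always be 127.0.0.1.
dig_server() {
    sed -n 's/^;; SERVER: \([0-9.]*\)#.*/\1/p'
}

# Print the A records from the ANSWER SECTION, one address per line.
answer_a_records() {
    awk '/^;; ANSWER SECTION:/ { in_answer = 1; next }
         /^;;/ || /^$/         { in_answer = 0 }
         in_answer && $4 == "A" { print $5 }'
}

# Read dig output for a name that is known NOT to exist. A NOERROR reply
# carrying A records means the upstream resolver substituted its own host;
# print each address as a bogus-nxdomain= line ready for /etc/dnsmasq.conf.
# Prints nothing for a proper NXDOMAIN, so the output is safe to review and add.
hijack_candidates() {
    reply=$(cat)
    if [ "$(printf '%s\n' "$reply" | dig_status)" = "NOERROR" ]; then
        printf '%s\n' "$reply" | answer_a_records | sed 's/^/bogus-nxdomain=/'
    fi
}

# Stand-alone demonstration over the two constructed replies.
for sample in "$DIG_HIJACKED" "$DIG_HONEST"; do
    printf 'status=%s server=%s\n' \
        "$(printf '%s' "$sample" | dig_status)" \
        "$(printf '%s' "$sample" | dig_server)"
    printf '%s' "$sample" | hijack_candidates
done
# On the firewall itself: dig www.yahoo.co | hijack_candidates
```

Only feed hijack_candidates a name you know does not exist; a NOERROR answer for a real host is a normal lookup, not a hijack.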

6.1.3 Fix pinging troubles (optional):

If you, like me, want to be able to ping the firewall from both Windows and Linux boxes on the LAN, using just 'ping firewall' and not 'ping firewall.abazaba.org', there are a few tricks you need to know. From Windows, 'ping firewall' doesn't work. You have to put a '.' after firewall, so 'ping firewall.' will work. The problem is Windows is expecting to see at least one '.' for name resolution to correctly occur. Lame, but there is a fix. Unfortunately, for each Windows PC, you have to edit the network settings. On XP, go to the manually set IP screen, re-edit IP setting, advanced button, dns tab, set 'DNS suffix for this connection' to abazaba.org or whatever domain you use. Now, when you type 'ping firewall' your PC will automatically append the domain name to it.

For Linux, the latest versions have fixed this problem. There is a fix for older versions of Linux (etch). For that fix, read the /etc/resolv.conf man pages; you want the 'options ndots:0' feature.

Finally, in your firewall's /etc/hosts file, just put the one word name for each box on your LAN:


6.2 Install and Configure Shorewall:

At-a-glance:
Main directory: /etc/shorewall, /usr/share/shorewall
Main configuration file: ALL FILES IN MAIN DIRECTORY (see key configuration files section below)
Documentation: /usr/share/doc/shorewall* (multiple directories)
Logs: /var/log/kern.log, /var/log/messages, /var/log/shorewall-init.log
FAQ: http://www.shorewall.net/FAQ.htm (excellent doc!)

Shorewall has undergone a massive upgrade to a major new version. The author of shorewall, Tom Eastep, has converted the compiler from shell based to perl based. As a result, performance is improved, and shorewall is now a LOT more flexible. Kudos to Tom and team!

At this point, the two network cards are up and operational, but no packets can pass between them until we install and configure routing/NAT. We will do this with the shorewall package.

# apt-get install shorewall shorewall-doc


Note: after shorewall installs, it will display a message:

#### WARNING ####
The firewall won't be started/stopped unless it is configured


Don't worry about this, we will address it shortly. Make sure you read the shorewall documentation in the /usr/share/doc/shorewall/ directory, such as the README.Debian.gz file. Note: to uncompress the readme file, use:

# gunzip README.Debian.gz

Also make sure you read through the main configuration file for shorewall:

# more /etc/shorewall/shorewall.conf
Example configuration files: By default, when shorewall is installed, nothing is configured. This is intentional. The installer cannot read your mind. You have to decide how shorewall will be configured. However, it does come with a variety of sample configuration files, for various 'typical' firewall scenarios. We are going to use one of them. Take a look at the examples provided in the '/usr/share/doc/shorewall/examples' directory. There are example files for:

one-interface
two-interfaces
three-interfaces

We will be using the files in the 'two-interfaces' directory. Also, browse through the default files (using WinSCP or krusader) in: /usr/share/doc/shorewall/default-config If you actually look in them, you will see that they are all empty. Well, not exactly empty. They are full of comments. However, there are no actual configuration commands.

Copy the two-interfaces example files:

First, copy these default files to our configuration directory:

# cp /usr/share/doc/shorewall/default-config/* /etc/shorewall
Next, uncompress the files in the example two-interface directory:

# gunzip /usr/share/doc/shorewall/examples/two-interfaces/*
Now, copy the example files from the 'two-interfaces' directory:

# cp /usr/share/doc/shorewall/examples/two-interfaces/* /etc/shorewall
Last, change file permissions so only root can access these files. Even though we will never let any users in this box, we should still follow firewall hardening guidelines:

# chmod 600 /etc/shorewall/*


Key configuration files: You need to understand the purpose and contents of the key files we copied from the 'two-interfaces' directory. These, along with the main config file (/etc/shorewall/shorewall.conf) are the most important. The others are for optional stuff that you may or may not use. These are the primary configuration files, listed in ORDER OF PRECEDENCE:

/etc/shorewall/shorewall.conf   <- main configuration file
/etc/shorewall/zones            <- fw, net, loc
/etc/shorewall/interfaces       <- net=eth0, fw=self, loc=eth1
/etc/shorewall/masq             <- another word for NAT, masq everything from eth0 (loc) to eth1 (net)
/etc/shorewall/policy           <- defines the default ACCEPT, REJECT or DROP to/from all interfaces
/etc/shorewall/rules            <- overrides policy with specific port/application exceptions to allow traffic

Note: PLEASE READ these files! You should have some background or at least understanding of how firewalls are configured. You first configure in general overall terms, then slowly drill down into the details, making exceptions along the way. That way, in the end, the only things that can pass through a firewall are those things you specifically allow, mostly defined in the rules file. Everything else, by default, is blocked.

The zones file: The default zones file is fine. No changes needed. You need to read the notes in this file, and understand the three zones defined: local (LAN), net (Internet), and firewall (within the firewall itself, including both NICs).

/etc/shorewall/zones

fw     firewall
net    ipv4
loc    ipv4

If you are going to add a DMZ, or VPN, etc., you would add an entry for each of those in the zones file.

The interfaces file: The default interfaces file needs to be modified. The default does not allow a DHCP server to run on the firewall, which services the local (eth1) segment. To allow this, we need to edit the file, and add the dhcp parameter at the end of the eth1 line.

/etc/shorewall/interfaces

net    eth0    detect    dhcp,tcpflags,routefilter,nosmurfs,logmartians
loc    eth1    detect    tcpflags,nosmurfs,dhcp

By adding dhcp to the eth1 line, shorewall will now allow DHCPDISCOVER packets to be detected.

The masq file: The default masq is fine. No changes needed. This is the file some people miss. This is where you turn on NAT (already turned on for us from this example file).

/etc/shorewall/masq

eth0    eth1

The policy file: This is the second most important file. You had better understand it. The policy file needs some tweaking. By default, the firewall is fairly locked down. For home use, it is probably locked down too much. However, for business use, it is not locked down enough.

Traffic from the LAN:

loc    net    REJECT    info
loc    $FW    REJECT    info
loc    all    REJECT    info

By default, all traffic from the LAN is allowed to access the Internet, through the firewall, which is BAD. It's too much freedom. In a business environment, we do not want the users directly accessing anything on the Internet. We will force them to use our proxy server for web access, and any other traffic will have to be specifically allowed in the rules file, such as myspace chat clients, ssh sessions, ftp sessions, email sessions, streaming video/music sessions, etc. Those things, IF allowed, will be defined in the rules file.

We need to change the loc->net rule to REJECT, and turn on logging with the 'info' option. We want the firewall to log all unauthorized attempts to access the Internet (more on this later). Now, people on the LAN cannot access ANYTHING on the Internet, by default. I know what you are thinking, that's not what I want. In a business setting, we want to SPECIFICALLY define each type of traffic we will allow users to access the Internet. We will do that soon in the rules file.

Notice the second line. All local traffic TO the firewall is rejected, which is GOOD. We don't want people poking around with our firewall. Again, we will define specific exceptions to the firewall in the rules file.

Traffic from the firewall:

$FW    net    REJECT    info
$FW    loc    REJECT    info
$FW    all    REJECT    info

By default, we do not want the firewall talking to ANYTHING. You may wonder why we don't want the firewall able to talk to anything. This is a security precaution. There are very few things the firewall needs to talk to directly, and we will make those specific exceptions later in the rules file. Traffic from the Internet:

net    $FW    DROP    info
net    loc    DROP    info
net    all    DROP    info

This one should be obvious. By default, we don't want anyone on the Internet accessing ANYTHING on our firewall OR our local network. Exceptions, such as accessing our web or email server, will be made in the rules file. Please note, with the DROP all, people on the Internet cannot even PING our firewall, which is what we want. In fact, they can't even detect the existence of our firewall, which is even better.

The rules file: The rules file is THE MOST IMPORTANT FILE. This is where you define, usually by port, what specific traffic you will allow. This file is very flexible, and can grow to be quite long. You MUST have a solid understanding of the contents in this file. If you don't, you will never get the firewall working as you want. The rules file is where you make specific exceptions, such as controlling if pings to the firewall from the Internet should be dropped or not (default is drop them). This is where you will ENABLE specific ports, to allow support for specific services. This is also where you port forward, like port 80 to a web server, or port 25 to your email server, etc. Since by default everything is either REJECTed or DROPped, we need to add some rules to the rules file to accept or allow specific traffic types.

My default rules file: Here is a good default rules file. We will tweak it more later. Please study it. As you can see, it uses some unique commands. For now, make yours look like this (don't worry about the tabs/spacing):

# From the Internet:
Ping/DROP              net    $FW    # turned off logging of pings
Auth/DROP              net    $FW    # breaks IRC clients, don't care
#SSH/ACCEPT            net    $FW    # generally not advisable to leave this open, you will get attacked
# for ssh, better to use this line to limit 3 login attempts per minute, to thwart hackers
Limit:info:SSHA,3,60   net    $FW    tcp    22
# even better is to leave ssh closed, and turn on port knocking to open it
#SSHKnock              net    $FW    tcp    22,1599,1600,1601

# Redirect Internet traffic to internal computers (DNAT/PORT FORWARDING):
# DNAT    net    loc:192.168.1.2         tcp    80       # http
# DNAT    net    loc:192.168.1.2         tcp    443      # https
# DNAT    net    loc:192.168.1.2         tcp    8080     # ispconfig
# DNAT    net    loc:192.168.1.2         tcp    20       # ftp data
# DNAT    net    loc:192.168.1.2         tcp    21       # ftp control
# DNAT    net    loc:192.168.1.2         tcp    22       # ssh
# DNAT    net    loc:192.168.1.2         tcp    25       # smtp
# DNAT    net    loc:192.168.1.2         tcp    109      # pop2
# DNAT    net    loc:192.168.1.2         tcp    110      # pop3
# DNAT    net    loc:192.168.1.2         tcp    143      # imap
# DNAT    net    loc:192.168.1.2         udp    143      # imap
# DNAT    net    loc:192.168.1.2         tcp    220      # imap3
# DNAT    net    loc:192.168.1.2         udp    220      # imap3
# DNAT    net    loc:192.168.1.14        tcp    5631     # pcanywhere
# DNAT    net    loc:192.168.1.14        tcp    5632     # pcanywhere
# DNAT    net    loc:192.168.1.20        tcp    5901     # vnc server
# DNAT    net    loc:192.168.1.21:5900   tcp    32163    # vnc server (alternate port #)
# DNAT    net    loc:192.168.1.22:22     tcp    41484    # ssh server (alternate port #)

Abazaba Firewall: www.abazaba.org

Page 41

Debian Squeeze 6.0 Linux

# From the firewall to the Internet: Ping/ACCEPT $FW net SSH/ACCEPT $FW net DNS/ACCEPT $FW net NTP/ACCEPT $FW net HTTP/ACCEPT $FW net # apt-get uses 80 ACCEPT $FW net icmp # From the firewall to the local LAN: Ping/ACCEPT $FW loc SSH/ACCEPT $FW loc ACCEPT $FW loc icmp # From the LAN (all users) to the firewall: Ping/ACCEPT loc fw DNS/ACCEPT loc fw ACCEPT loc fw tcp 8080 # dansguardian ACCEPT loc fw tcp 3128 # squid (close this after testing dansguardian) # uncomment the next line to turn on transparent to squid: # REDIRECT loc 3128 tcp www # OR!!!!!!!! (can't have both) # uncomment the next line to turn on transparent to dansguardian: # REDIRECT loc 8080 tcp www # From the LAN (privileged machines) to the firewall: SSH/ACCEPT loc:192.168.1.1-192.168.1.29 fw Webmin/ACCEPT loc:192.168.1.1-192.168.1.29 fw HTTP/ACCEPT loc:192.168.1.1-192.168.1.29 fw HTTPS/ACCEPT loc:192.168.1.1-192.168.1.29 fw ACCEPT loc:192.168.1.1-192.168.1.29 fw tcp

3000

# ntop

# From the LAN (all users) to the Internet: Ping/ACCEPT loc net # DNS/ACCEPT loc net # we can close this, since they get dns from this firewall # NTP/ACCEPT loc net # give specific rules to servers that need NTP access # ACCEPT loc net:67.15.127.0/24 all # specific remote hosts # allow access to microsoft for windows updates HTTP/ACCEPT loc net:207.46.0.0/16 HTTPS/ACCEPT loc net:207.46.0.0/16 HTTP/ACCEPT loc net:65.55.184.0/24 HTTPS/ACCEPT loc net:65.55.184.0/24 # allow managers HTTP/ACCEPT HTTPS/ACCEPT SSH/ACCEPT FTP/ACCEPT POP3/ACCEPT POP3S/ACCEPT IMAP/ACCEPT direct access via general protocols loc:192.168.1.1-192.168.1.29 net loc:192.168.1.1-192.168.1.29 net loc:192.168.1.1-192.168.1.29 net loc:192.168.1.1-192.168.1.29 net loc:192.168.1.1-192.168.1.29 net loc:192.168.1.1-192.168.1.29 net loc:192.168.1.1-192.168.1.29 net
Page 42 Debian Squeeze 6.0 Linux

Abazaba Firewall: www.abazaba.org

IMAPS/ACCEPT SMTP/ACCEPT SMTPS/ACCEPT

loc:192.168.1.1-192.168.1.29 net loc:192.168.1.1-192.168.1.29 net loc:192.168.1.1-192.168.1.29 net
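One check worth running every time you touch this file: list exactly what it lets the Internet reach. The shell function below is an added example, not part of this how-to. It reads a Shorewall rules file (standard input when no path is given), skips comments, blank lines and every rule whose SOURCE zone is not net, ignores the explicit DROP/REJECT rules, and prints what is left: the rate-limited SSH rule, every uncommented DNAT, and any ACCEPT from the net zone. The sample_rules function emits a constructed fragment in the layout of /etc/shorewall/rules purely for the demonstration; on the firewall, run wan_exposure /etc/shorewall/rules and, with the file exactly as shown above, expect a single line, the Limit rule.

```shell
#!/bin/sh
# Added example (not part of the Abazaba how-to): show the WAN exposure a
# Shorewall rules file grants. Columns follow /etc/shorewall/rules:
#   ACTION  SOURCE  DEST  [PROTO  [DPORT]]
# A rule counts as exposure when its SOURCE zone is "net" (with or without a
# host qualifier such as net:97.96.64.0/21) and its ACTION is not a DROP/REJECT.

wan_exposure() {
    # $1 = path to the rules file; reads standard input when omitted
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments and blank lines
        {
            sub(/#.*/, "")                 # strip a trailing comment, fields re-split
            if (NF < 3) next               # SECTION lines and junk
            src = $2; sub(/:.*/, "", src)  # net:1.2.3.0/24 -> net
            if (src != "net") next
            action = $1; sub(/:.*/, "", action)   # Limit:info:SSHA,3,60 -> Limit
            if (action ~ /DROP|REJECT/) next      # Ping/DROP, Auth/DROP ...
            proto = (NF >= 4) ? $4 : "-"
            port  = (NF >= 5) ? $5 : "-"
            printf "%s %s %s %s %s\n", action, $2, $3, proto, port
        }' "${1:--}"
}

# Number of exposing rules, handy for a one-line check from cron.
wan_exposure_count() {
    wan_exposure "${1:--}" | awk 'END { print NR }'
}

# Constructed fragment (same layout as the rules file above) so the function
# can be exercised offline; it is not the how-to's file.
sample_rules() {
    cat <<'EOF'
SECTION NEW
# From the Internet:
Ping/DROP               net     $FW                 # turned off logging of pings
Auth/DROP               net     $FW
#SSH/ACCEPT             net     $FW                 # commented out: not exposure
Limit:info:SSHA,3,60    net     $FW     tcp     22
# DNAT                  net     loc:192.168.1.2     tcp     80      # http (commented out)
DNAT                    net     loc:192.168.1.2     tcp     443     # https (live)
ACCEPT                  net:97.96.64.0/21   fw      tcp     22      # ssh from home
# From the LAN (privileged machines) to the Internet: not WAN exposure
HTTP/ACCEPT             loc:192.168.1.1-192.168.1.29    net
EOF
}

# Demo: prints the three live net-sourced rules from the constructed fragment.
sample_rules | wan_exposure
```

The DROP/REJECT filter is deliberate: Ping/DROP and Auth/DROP are there to silence logging, not to let anything in, so they are not exposure. Commented-out DNAT lines are skipped as well, which is exactly why every DNAT in the default file above is commented out until you have a server that needs it.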

Turn off logging to the console:

Shorewall's log lines are kernel messages (netfilter's LOG target), and the kernel prints every message at or above the console log level to the console. If you never use the console, you will never see these lines. If you do use the console, these lines will annoy the !#$%&! out of you! I guess some people like it, but I don't. The original fix, from Etch, assumes the sysklogd package: edit /etc/default/klogd and set the last line to:

KLOGD="-c 4 -x"

The -c 4 lowers the console log level to 4 (warning), which silences the info-level (6) lines Shorewall writes by default. Squeeze ships rsyslog instead of sysklogd, so /etc/default/klogd will not exist unless you installed sysklogd yourself; in that case set the same console level through the kernel.printk setting in /etc/sysctl.conf (its first field is the console log level), or for the running system only with dmesg -n 4. Either way the messages still reach syslog, so nothing is lost.
Remove inhibitors:

The Debian package maintainers add a safeguard in the configuration file to prevent startup without configuration. Since we are aware of this, and know how to configure shorewall, go ahead and remove these inhibitors now. Edit /etc/shorewall/shorewall.conf and set these lines to:

STARTUP_ENABLED=Yes
IP_FORWARDING=On

ALSO edit /etc/default/shorewall and change startup to 1:

startup=1
That's it! We should be ready to go. Test configuration files: First check the firewall configuration files:

# shorewall check
It should check everything, and at the end, say: Shorewall configuration verified. If it gives an error, make sure you fix the error. Start firewall: When ready, start the firewall:

# shorewall start
NOTE: Do NOT use /etc/init.d/shorewall start to start, stop or restart the firewall. Always use the shorewall command directly.


If it starts okay, it is now time to reconfigure your workstation to use the firewall. If you want to see what rules (chains in iptables speak) are actively applied in the kernel, use the shorewall show command:

# shorewall show
# shorewall show loc2net
# shorewall show net2fw
# shorewall show capabilities
# shorewall help

Note: this output is best viewed on a wide screen (more than 80 characters) ssh session, window maximized.

6.2.1 Firewall is up, reconfigure your management workstation:

Congratulations! Your firewall is ready! Well, it's far from done, but it is up and usable. The firewall now has routing/NAT enabled, and the DNS/DHCP server is enabled. It is time to reconfigure your workstation to use the firewall as its default route, its primary DNS server, and optionally its DHCP server as well. Note: You should know how to do this. I will not cover it. Make sure you use one of the privileged IP addresses, in the range 192.168.1.2-29 (remember what's in the /etc/shorewall/rules file?). I use the admin range 20-29. I'm 20, the boss man 21, etc. For example, configure your workstation to use:

IP address:     192.168.1.20
netmask:        255.255.255.0
default route:  192.168.1.1
DNS:            192.168.1.1

That should do it. Test and make sure your workstation has full connectivity, and can get to the Internet correctly. As a privileged IP address, you should be able to ping, ssh, and surf the web unrestricted. If you recall, when we configured the /etc/shorewall/rules file, you enabled full access from privileged machines to access HTTP, HTTPS, SSH, FTP, POP3, POP3S, IMAP, IMAPS, SMTP & SMTPS. Try it out. Hey, try something that's NOT authorized...

6.2.2 Test shorewall:

Now that the firewall is live on the Internet, before we do anything else, we need to do some testing. We need to make sure everything is working as planned.

6.2.3 Test from the WAN:

What can people on the Internet detect about your firewall? Let's find out! Let's test the firewall from the WAN, to see what ports are open. From your management workstation, point your browser to the Shields UP! website:


http://www.grc.com/default.htm

Scroll way down, find the Shields UP option, and click on it. You should be redirected to a secured web page, with a big Welcome to ShieldsUP!. Click on the Proceed button (and then the Continue button on the pop-up message). You should now be at the test options screen. Select the button near the middle that says All Service Ports. The site will now probe your public address, checking the first 1056 TCP ports (0 through 1055), and should report every one of them as stealth (no reply at all) and none as open or even closed. You should pass the test. Keep the result in perspective: it is one TCP probe of the low ports from one vantage point. It says nothing about UDP, about ports above 1055, or about any DNAT line you later uncomment, so complement it with a full-range TCP and UDP scan using nmap from a machine outside your network. Pretty cool! I love this stuff.

6.2.4 Test from the LAN:

Let's test the firewall from the LAN side, to see what ports are open.

Use nmap to scan the firewall:

You can also port scan the firewall directly, to see which SERVICES are OPEN and available to the LAN. To see what ports your workstation can reach on the firewall, use nmap to scan it. You should have already installed nmap (and possibly zenmap) on your workstation. For your Linux management workstation:

# nmap 192.168.1.1

For your Windows management workstation, run the zenmap utility. Without the -p- option nmap scans only its list of the most common ports, so add -p- for a full sweep. Keep in mind that the results are what your management workstation can see. Other users on your LAN will get different results, depending on what IP address they are using, because the rules file grants the privileged range extra ports (ssh, webmin, ntop, web). If you have other workstations that can use a different IP (maybe test the DHCP server too while you are at it), go and try one: from an unprivileged address the rules file above leaves only DNS, 8080 and 3128 (and ping) reachable. Have that pc visit the Shields UP! website as well.

Third-party testing of this firewall how-to document:

Steve Edwards, an engineer in the UK, built a firewall using the older Etch version of this how-to, and did some rather extensive testing. He wrote a paper on testing shorewall, and posted it on his website. He came up with more tests than I ever cared to do! Please check out Steve's website here: http://www.stevepedwards.com/ and his extensive firewall testing page here: http://www.stevepedwards.com/firewalldoc.html Thanks Steve, great stuff!


6.2.5 Enable ssh access from the Internet (optional):

If you want to access the firewall from the Internet, usually via ssh, it is NOT recommended to just open the port. There are a few safer options, listed here from weakest to strongest. Please note: you can skip these now and come back later to add them. If you are new to shorewall, get comfortable with the default configuration we have built before adding these features. If you are experienced with both Shorewall and these features, feel free to add them now.

Use rate-limiting to throttle SSH connection attempts:

At a minimum, turn this on. Limit is a Shorewall action that uses the kernel's recent match to count new connections per source address: Limit:LEVEL:NAME,COUNT,SECONDS accepts a connection unless the same source has already opened COUNT connections in the last SECONDS seconds, in which case the attempt is logged at LEVEL and dropped. This slows an automated brute-force script down to a crawl. It knows nothing about failed logins, though: an attacker still gets three password guesses a minute, which is why the sshd behind it should accept keys only. The default rules file above already carries this line in the net to firewall section, in place of SSH/ACCEPT:

Limit:info:SSHA,3,60    net     $FW     tcp     22

This line tells the firewall to allow only three new SSH connections per source address per minute, and to log the dropped attempts at the info level.

Add port knocking to protect the SSH port:

It is safer to keep the ssh port closed and open it only when the firewall receives a secret sequence of packets; this is called port knocking. From a remote box across the Internet you send packets to a particular sequence of ports (the commented-out SSHKnock line in the rules file lists 1599, 1600 and 1601 alongside 22), and if the sequence is right the firewall temporarily opens the ssh port to your address, and only yours. To enable port knocking, follow the directions on this shorewall web page: http://www.shorewall.net/ManualChains.html

Restrict ssh to a specific IP address/range:

Safer still is to limit who can connect to your ssh port by source address. If you, like me, only connect to your work firewall from home (and vice versa), tell shorewall to accept ssh connections only from that address. If your home address is assigned by DHCP (not static), you need the provider's address block instead: run whois followed by your current public IP address and you get a long response about the provider. Towards the bottom you will see a line like network:Auth-Area:97.96.64.0/21. That is the block that serves your home; use it below, and remember that every other customer in that block is inside it too, so this narrows the attack surface rather than closing it. Edit the /etc/shorewall/rules file, and add:

# only accept ssh connections from my house/network block
ACCEPT    net:97.96.64.0/21    fw    tcp    22

Shorewall applies the first matching rule, so if the Limit:info:SSHA line is still above this one, SSH from the rest of the Internet is still accepted (rate-limited) by it. Either delete that line, or give it the same net:97.96.64.0/21 source so the two work together: only your block, and only three attempts a minute.
Don't forget to check the configuration changes:

# shorewall check
If no errors, restart shorewall:

# shorewall restart


That's it. Test it from your remote linux box.
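Before you restart Shorewall with a source-restricted SSH rule, make sure the address you are connecting from really is inside the block you are about to allow; if it is not, the restart locks you out of the firewall. The function below is an added example, not from this how-to: a CIDR membership test in plain POSIX shell arithmetic (64-bit on the Linux shells, so the 32-bit address math does not overflow), usable on a bare firewall without ipcalc or perl. Usage is ip_in_cidr ADDRESS NETWORK/PREFIX, exit status 0 if inside, 1 if outside, 2 if either argument is malformed. The 97.96.64.0/21 block and the addresses used in the demo are the how-to's example values, not real measurements; the first word of the SSH_CLIENT variable that sshd sets in your session is the address you are connecting from.

```shell
#!/bin/sh
# Added example (not part of the how-to): is ADDRESS inside NETWORK/PREFIX?
#   ip_in_cidr 97.96.70.12 97.96.64.0/21   -> exit 0 (inside)
#   ip_in_cidr 97.96.72.1  97.96.64.0/21   -> exit 1 (outside)
#   ip_in_cidr 1.2.3.4     1.2.3.0/33      -> exit 2 (bad prefix)

# dotted quad -> 32-bit integer on stdout; exit 2 for anything that is not IPv4
ip4_to_int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 2
    for o in "$1" "$2" "$3" "$4"; do
        case $o in ''|*[!0-9]*) return 2 ;; esac
        [ "$o" -le 255 ] || return 2
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

ip_in_cidr() {
    net=${2%/*}; bits=${2#*/}
    [ "$net" != "$2" ] || return 2              # no "/" in the second argument
    case $bits in ''|*[!0-9]*) return 2 ;; esac
    [ "$bits" -le 32 ] || return 2
    ipnum=$(ip4_to_int "$1") || return 2
    netnum=$(ip4_to_int "$net") || return 2
    if [ "$bits" -eq 0 ]; then
        mask=0                                   # /0 matches everything
    else
        mask=$(( (4294967295 << (32 - $bits)) & 4294967295 ))
    fi
    [ $(( ipnum & mask )) -eq $(( netnum & mask )) ]
}

# Lock-out guard for the rules file edit above: refuse unless the address we
# are connecting from ($1) is inside the block we are about to allow ($2).
#   safe_to_restrict "${SSH_CLIENT%% *}" 97.96.64.0/21 && shorewall restart
safe_to_restrict() {
    if ip_in_cidr "$1" "$2"; then
        echo "ok: $1 is inside $2"
    else
        echo "refusing: $1 is NOT inside $2, the new rule would lock you out" >&2
        return 1
    fi
}

# Demo with the how-to's example block.
safe_to_restrict 97.96.70.12 97.96.64.0/21
```

Run the guard from the very ssh session you want to keep, so that SSH_CLIENT holds the address the new rule must admit; a session from the LAN side would pass a 192.168.1.x address and tell you nothing about the WAN rule.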


6.3 Install squid:

At-a-glance:
Main directory: /etc/squid
Main configuration file: /etc/squid/squid.conf
Documentation: /usr/share/doc/squid
Logs: /var/log/squid/access.log (and older archived copies)

NOTE: We are STILL sticking with the squid version 2 series. In Squeeze the "squid" package is 2.7.STABLE9, while the rewritten version 3 series lives in the separate "squid3" package (3.1). Although squid 3 promises many nice new features, it is still a work in progress, and we have no feature-level reason to upgrade, so we will stick with the very mature and stable version 2 platform for now. Everything below (paths, the ncsa_auth helper, the config directives) refers to the version 2 package.

# apt-get install squid

6.3.1 Configure squid for transparent access:

For this initial configuration we will use a transparent setup; after all functionality has been verified, we will enable authentication in a later section. In a transparent configuration the users do not log in. In fact, they don't even know squid is intercepting their web traffic. They think they are accessing the Internet directly, but in reality the firewall redirects their port 80 (HTTP) traffic into squid, which checks its ACL permissions, fetches the page and caches it, thereby speeding up web access for everyone. In transparent mode, everyone has the same access rights.

Read the main configuration file, /etc/squid/squid.conf. It is HEAVILY documented, and very well written. Great job devs. For those of you who actually READ the squid config file, you'll know that it's huge! Well, the new version is even bigger. Still, they did a fantastic job of cleaning it up. The first thing I noticed is that they reorganized the content, making it much easier to follow. The most important stuff is now at the top, then it progresses nicely through the different subjects as you work your way down.

Shorten the config file:

For simplicity's sake, I've made a new version of the config file, with a few tweaks, and removed all of the comments. Don't delete the existing config file. Instead, rename it, as root:

cd /etc/squid
mv squid.conf squid.conf.orig
touch squid.conf
chmod 600 squid.conf


and copy this into it:

# squid config file: /etc/squid/squid.conf

# AUTHENTICATION:
# Recommended minimum configuration per scheme:
#auth_param negotiate program <uncomment and complete this line to activate>
#auth_param negotiate children 5
#auth_param negotiate keep_alive on
#auth_param ntlm program <uncomment and complete this line to activate>
#auth_param ntlm children 5
#auth_param ntlm keep_alive on
#auth_param digest program <uncomment and complete this line>
#auth_param digest children 5
#auth_param digest realm Squid proxy-caching web server
#auth_param digest nonce_garbage_interval 5 minutes
#auth_param digest nonce_max_duration 30 minutes
#auth_param digest nonce_max_count 50
#auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid_passwd
#auth_param basic children 5
#auth_param basic realm Access to the Internet requires Authentication
#auth_param basic credentialsttl 2 hours
#auth_param basic casesensitive off

# ACCESS CONTROLS:
# localhost (dansguardian), localnet (direct), or authorized (domainusers)
acl manager proto cache_object
acl purge method PURGE
acl all src all
acl localhost src 127.0.0.1/32
acl localnet src 192.168.1.0/24
# acl domainusers proxy_auth REQUIRED
#
http_access allow manager localhost
http_access allow purge localhost
# allow localnet to bypass dansguardian (to test), uncomment this line:
http_access allow localnet
# to harden, after successful test, comment above, uncomment next one, to
# force users to connect via dansguardian ONLY, blocks access from LAN:
# http_access allow domainusers localhost
http_access deny all

# ALLOW X-Forwarded-For header to be followed to
# find the original source of a request.
follow_x_forwarded_for allow localhost

# NETWORK OPTIONS:
# Squid only answers on the addresses it is bound to, so dansguardian
# (proxyip = 127.0.0.1 in its config) needs this loopback listener:
http_port 127.0.0.1:3128
# Again, to allow direct access from the LAN (bypass dansguardian), uncomment this line:
http_port 192.168.1.1:3128
# and don't forget to open port 3128 (from LAN to fw) in the shorewall rules
# To harden, comment out the 192.168.1.1 line above so squid listens on
# localhost port 3128 only (no dansguardian bypass). Never use a bare
# "http_port 3128": that binds every interface, including the WAN.

# LOG:
access_log /var/log/squid/access.log squid

# CACHE TUNING:
refresh_pattern ^ftp:             1440    20%     10080
refresh_pattern ^gopher:          1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0       0%      0
refresh_pattern .                 0       20%     4320

# HTTP OPTIONS:
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
extension_methods REPORT MERGE MKACTIVITY CHECKOUT

# ADMINISTRATIVE:
# Set mail notifications here (need to revisit this)
cache_mgr linuxadmin
mail_from squid
mail_program mail

# ADVANCED SETTINGS:
hosts_file /etc/hosts

# MISCELLANEOUS:
coredump_dir /var/spool/squid
and restart squid:

/etc/init.d/squid restart

6.3.2 Discuss the squid configuration file:

Let's discuss each of the sections in the squid config file.

AUTHENTICATION: Hold on. Not yet. We will tackle authentication in a later chapter. For now, leave this section commented out, so squid stays transparent.

ACCESS CONTROLS: In the config file we define three client sources: all, localnet and localhost. For this initial transparent configuration we allow anyone on the LAN (localnet) unrestricted access through the squid proxy. We also want programs running on the firewall itself (localhost), such as dansguardian, to be able to use squid. Later, towards the end of this document, after everything is configured and tested, we will harden the firewall and lock everything down: localnet access to squid is switched off, forcing everyone to go through dansguardian to reach the Internet. For now, we leave it open. The order of the http_access lines matters: squid uses the first line that matches, and the final deny all catches everything that did not match earlier, so new allow lines always go above it.

ALLOW X-FORWARDED-FOR: dansguardian (on localhost) adds an X-Forwarded-For header naming the LAN client to every request it relays; with this line squid trusts that header from localhost, so the logs show the original sender rather than 127.0.0.1. Two things follow from that. First, because squid then evaluates its src ACLs against the forwarded LAN address, dansguardian's requests pass the localnet rule during the test phase even though they arrive from 127.0.0.1; if your access.log instead shows 127.0.0.1 as the client and TCP_DENIED for those requests, add an http_access allow localhost line above the deny all while testing. Second, for the same reason, check which address squid attributes dansguardian's requests to before relying on localhost in an http_access line when you harden.

NETWORK OPTIONS: Defines which addresses and ports squid listens on. Initially squid listens on port 3128 on the loopback address, for dansguardian, and on the LAN address 192.168.1.1, for direct access from the LAN. Both lines are needed: a socket bound to 192.168.1.1 does not answer on 127.0.0.1, so with only the LAN line dansguardian's proxyip = 127.0.0.1 cannot connect (squid accepts several http_port lines). NOTE: We make sure squid NEVER listens on the WAN address, both here in the squid config (never a bare http_port 3128, which binds every interface) and in the shorewall rules file. One more thing to know before the transparent test in 6.3.3.2: an intercepted request carries only a relative URL plus a Host header, and squid 2.6 and later rebuild the full URL from that only when the http_port line carries the transparent keyword (http_port 192.168.1.1:3128 transparent). If that test answers every page with an Invalid URL error, add the keyword. Dansguardian does the rebuilding itself, so the dansguardian path does not depend on it.

LOG and CACHE TUNING: access_log names the file we tail in the tests below; the refresh_pattern lines are squid's stock defaults for how long objects may be served from cache before revalidation.

ADMINISTRATIVE: In addition to logs, squid can send email notifications. This is where you define who (if anyone) receives email notifications from the squid process.
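The note above says squid must never listen on the WAN, and the same holds for dansguardian (port 8080) and webmin (port 10000) later on. The http_port lines pin squid to the loopback and LAN addresses, but dansguardian's filterip defaults to empty, meaning all interfaces, so for such daemons only the Shorewall net to fw policy stands between the WAN and the service, and a shorewall clear removes that guard. The function below is an added example, not from this how-to: feed it the output of netstat -lnt (the columns the net-tools package prints on Squeeze) together with the WAN address and the ports that must stay LAN-only, and it prints every listener on those ports that is bound to 0.0.0.0, :: or the WAN address. The sample_netstat function is a constructed listing for the demonstration, not output captured from a real firewall, and the 72.91.54.10 WAN address is made up.

```shell
#!/bin/sh
# Added example (not part of the how-to): flag LAN-only services that are
# reachable on the WAN address. Input is the output of "netstat -lnt".
#   usage: netstat -lnt | wan_listeners WAN_IP "3128 8080 10000"
# Prints "ADDRESS PORT" for each offending listener; prints nothing when clean.

wan_listeners() {
    awk -v wan="$1" -v ports="$2" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) watch[p[i]] = 1 }
        $1 !~ /^tcp/ { next }                      # header lines, udp, unix sockets
        {
            port = $4; sub(/.*:/, "", port)        # 192.168.1.1:3128 -> 3128
            host = $4; sub(/:[0-9]+$/, "", host)   # :::10000 -> ::
            if (!(port in watch)) next
            if (host == "0.0.0.0" || host == "::" || host == wan)
                print host, port
        }'
}

# Exit 0 when nothing is exposed, 1 otherwise, so it can gate a cron alert.
wan_listeners_clean() {
    [ "$(wan_listeners "$1" "$2" | awk 'END { print NR }')" -eq 0 ]
}

# Constructed "netstat -lnt" listing for the demo (not captured from a real
# box): squid bound to loopback and the LAN address as configured above,
# dansguardian and webmin left listening on all interfaces, sshd likewise.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:3128          0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.1:3128        0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.1:53          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:10000           0.0.0.0:*               LISTEN
tcp6       0      0 :::10000                :::*                    LISTEN
EOF
}

# Demo: reports 8080 and 10000 (IPv4 and IPv6 sockets), not 3128 or 53.
sample_netstat | wan_listeners 72.91.54.10 "53 3128 8080 10000"
```

Port 22 is left out of the watch list on purpose: sshd is the one service this how-to may expose deliberately, under the rate limit or source restriction from 6.2.5. Anything the function does report should be rebound to the LAN address in its own configuration (filterip for dansguardian), so that the daemon is safe even while Shorewall is down.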

6.3.3 Test Squid:

Okay, let's do some testing. First, we will make sure squid is up and operational by talking to it directly. Once we have verified squid is working, we will re-configure and turn on transparent-to-squid mode.

6.3.3.1 Test squid directly (not transparent):

Configure the browser to access the squid proxy server directly:

From the management workstation, reconfigure the web browser to talk directly to the squid proxy server on the firewall. In Firefox:

Tools > Options > Network > Settings... > Manual proxy configuration
HTTP Proxy: 192.168.1.1
Port: 3128
Tick: Use this proxy server for all protocols
Click OK

NOTE: I don't use Internet Explorer, so I have no clue what its settings are. I'm guessing it's different for XP vs Vista vs Windows 7 vs everything else, and probably well hidden. Hence the Firefox recommendation. To test, now visit any Internet site, as you normally would:

http://www.yahoo.com
If your browser displays the yahoo page correctly, this means you have successfully connected to port 3128 (squid) on the firewall. Check the squid logs on the firewall to verify:

tail /var/log/squid/access.log
Okay, accessing squid directly works. However, this isn't exactly transparent. Not quite.

6.3.3.2 Test squid transparently:

Reset the browser to normal (no proxy):

First, re-configure the workstation back to its original configuration (no proxy). You will then be talking directly through NAT to the Internet (not using squid). NOTE: See the Firefox example above, and undo it. Put it back to direct (no proxy).

Re-configure shorewall and turn on the transparent-to-squid config:

Now tell shorewall to redirect any LAN packets destined for TCP port 80 to port 3128 on the firewall:


Edit the /etc/shorewall/rules file, and uncomment the REDIRECT to 3128 line:

# uncomment the next line to turn on transparent to squid:
REDIRECT        loc     3128    tcp     www
# OR!!!!!!!! (can't have both)
# uncomment the next line to turn on transparent to dansguardian:
# REDIRECT      loc     8080    tcp     www

Check it:

# shorewall check

and restart it:

# shorewall restart
Now, test the transparent configuration. Access the Internet normally (just press 'F5' to refresh page will suffice):

http://www.yahoo.com
You should still be able to access the Internet, but now the firewall (shorewall) is intercepting the traffic, redirecting it to port 3128 (squid), and squid is processing, fetching and caching the web page. Again, check the squid logs on the firewall to verify this:

tail /var/log/squid/access.log

Try this:

tail -F /var/log/squid/access.log

Now browse some more. The -F shows you log events as they are logged, in real time. Each line should name your workstation's address as the client, with TCP_MISS on the first fetch of an object and TCP_HIT (or TCP_MEM_HIT) once it is served from cache. We good? If so, then your firewall is now configured for TRANSPARENT SQUID access.
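Watching the log scroll by is fine for a first test; for anything longer you want numbers. The functions below are an added example, not from this how-to. They read lines in squid's native access.log format (timestamp, elapsed milliseconds, client, result/status, bytes, method, URL, ident, hierarchy/peer, content type) and print, per client address, the request count, how many requests were served from cache (any TCP_*HIT* result) and how many squid refused (TCP_DENIED, which is what a client outside the localnet ACL gets). squid_hit_ratio gives the cache hit percentage over the requests squid actually served, and squid_denied_clients lists who was refused, which after the hardening step is the list of LAN hosts trying to go around dansguardian. The sample_squid_log lines are constructed for the demonstration, not real log data.

```shell
#!/bin/sh
# Added example (not part of the how-to): summarise squid's native access.log.
# Fields: time elapsed client result/status bytes method URL ident hier/peer type
#   usage: squid_summary   < /var/log/squid/access.log
#          squid_hit_ratio < /var/log/squid/access.log

# One line per client: CLIENT REQUESTS HITS DENIED, sorted by client address.
squid_summary() {
    awk '
        NF < 10 { next }                           # not a squid-format line
        {
            split($4, r, "/")                      # TCP_MISS/200 -> TCP_MISS
            req[$3]++
            if (r[1] ~ /HIT/)         hit[$3]++    # TCP_HIT, TCP_MEM_HIT, TCP_IMS_HIT ...
            if (r[1] == "TCP_DENIED") den[$3]++    # refused by http_access
        }
        END { for (c in req) printf "%s %d %d %d\n", c, req[c], hit[c] + 0, den[c] + 0 }
    ' | sort
}

# Integer percentage of served (non-denied) requests answered from cache.
squid_hit_ratio() {
    awk '
        NF < 10 { next }
        { split($4, r, "/"); if (r[1] == "TCP_DENIED") next; n++; if (r[1] ~ /HIT/) h++ }
        END { printf "%d\n", (n ? 100 * h / n : 0) }
    '
}

# Clients that squid denied at least once.
squid_denied_clients() {
    squid_summary | awk '$4 > 0 { print $1 }'
}

# Constructed log lines for the demo (not real traffic).
sample_squid_log() {
    cat <<'EOF'
1286452800.101    312 192.168.1.20 TCP_MISS/200 5432 GET http://www.yahoo.com/ - DIRECT/69.147.125.65 text/html
1286452801.250     12 192.168.1.20 TCP_HIT/200 5432 GET http://www.yahoo.com/ - NONE/- text/html
1286452802.400    201 192.168.1.21 TCP_MISS/200 1203 GET http://www.debian.org/ - DIRECT/128.31.0.51 text/html
1286452803.003      1 192.168.1.77 TCP_DENIED/403 1467 GET http://www.example.com/ - NONE/- text/html
1286452804.900      9 127.0.0.1 TCP_MEM_HIT/200 1203 GET http://www.debian.org/ - NONE/- text/html
EOF
}

# Demo: per-client summary of the constructed lines.
sample_squid_log | squid_summary
```

Because squid follows X-Forwarded-For from localhost, requests relayed by dansguardian are logged under the LAN client's address, not 127.0.0.1, so the per-client counts stay meaningful once the transparent-to-dansguardian redirect is in place.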


6.4 Install dansguardian:

At-a-glance:
Main directory: /etc/dansguardian
Main configuration file: /etc/dansguardian/dansguardian.conf
Documentation: /usr/share/doc/dansguardian
Logs: /var/log/dansguardian/access.log (and archived copies)
DansGuardian Documentation Wiki: http://contentfilter.futuragts.com/wiki/doku.php?id=Main%20Index
Wiki FAQ: http://contentfilter.futuragts.com/wiki/doku.php?id=faq
Technical FAQ: /usr/share/doc/dansguardian/FAQ

A major upgrade! The most notable new feature is that NTLM pass-through authentication has been fixed, so the Windows domain authorization handshake with squid now works (I haven't tested this yet). Thank you to the dansguardian developers! Let's get started. Install dansguardian:

# apt-get install dansguardian clamav-docs

6.4.1 Configure Dansguardian for Transparent Access

We will start with a simple transparent configuration, to get everything up and tested first. Later, we will enable authentication. For now, to get a basic system running, we keep it as a simple transparent filter, with no user accounts required. Once everything is tested and working correctly, I'll show you how to turn on user authentication.

The main configuration file is /etc/dansguardian/dansguardian.conf. It is huge! Read through it to see all the options that are available; it is HEAVILY commented. There are some nice new features we will be using.

Remove inhibitor:

Edit /etc/dansguardian/dansguardian.conf, and delete or comment out the line that begins with UNCONFIGURED, so that it is gone or reads:

# UNCONFIGURED

Until that line is gone the Debian init script refuses to start the daemon; it is the maintainers' way of making sure you read the file first.

Defaults we will keep:

There are a few lines you need to be aware of:

filterport = 8080

filterport is the port dansguardian listens on. We will send web traffic to port 8080 to be processed by dansguardian.

proxyip = 127.0.0.1

proxyip is the IP address dansguardian FORWARDS traffic to (squid). Since squid is installed on this same firewall, we send it to the loopback address, which is why squid must have an http_port line bound to 127.0.0.1. (Option names in this file are all lowercase: proxyip, not Proxyip.)


proxyport = 3128

proxyport is the port dansguardian FORWARDS traffic to (squid). We have already configured squid to listen on port 3128.

filtergroups = 1

filtergroups is the number of groups (of users) we will be defining. Transparent mode requires everyone to be in one group (everyone has the same permissions). Later, when we activate authentication, we will increase this number to however many groups of users need distinct permissions.

filtergroupslist = '/etc/dansguardian/filtergroupslist'

filtergroupslist names the user control file, whose contents assign users to groups. In transparent mode this file serves no purpose. When we turn on authentication, however, it becomes very important: this is where you assign user names to groups.

Defaults we will change:

We will be changing these:

reverseaddresslookups = on

Turn on reverseaddresslookups. This provides additional information for troubleshooting. Keep in mind that this and the two lookup options below each cost a DNS query per request, so back them off again once the build is stable if latency matters.

reverseclientiplookups = on

We want to see the name of the LAN computer that sent the request.

logclienthostnames = on

We want to see which host sent the request. This turns off anonymous logging; we want names.

loglevel = 3

For now, we want this level of log information, for the initial build and troubleshooting. Later, you can back it off, once you are comfortable with how the firewall is configured and running.

forwardedfor = on

forwardedfor makes dansguardian add an X-Forwarded-For header carrying the LAN client's address to each request it passes to squid. Together with the follow_x_forwarded_for allow localhost line in squid.conf, squid then knows who really made the request, which improves the usefulness of its logs.

contentscanner = 'clamav.conf'

Uncomment the contentscanner = 'clamav.conf' line to activate virus scanning of downloads through ClamAV, and leave the other virus scanning options commented out. Restart dansguardian:

/etc/init.d/dansguardian restart


6.4.2 Test Dansguardian:

Dansguardian should be up and running on your firewall. It's time to re-configure your browser (yet again) for this test.

6.4.2.1 Test dansguardian directly (not transparent):

Reconfigure your browser to use dansguardian:

This time, configure the browser to talk to the firewall on port 8080, the port dansguardian listens on (same Firefox dialog as before: HTTP Proxy 192.168.1.1, Port 8080). Go ahead and reconfigure your browser now. Once the browser is pointing to port 8080, try to surf the Internet (hitting 'F5' to refresh should suffice). First, go to a harmless site, such as google.com:

http://www.google.com

Looks normal, right? Now, let's get naughty... At google.com, do a search for porn. If all is working correctly, you should get DansGuardian's Access Denied page instead of the results, stating the reason the request was blocked.


Pretty cool! Check the logs:

tail /var/log/dansguardian/access.log
Also try:

tail -F /var/log/dansguardian/access.log
Okay, that seems to be working. Now let's switch to true transparency.

6.4.2.2 Test dansguardian transparently:

Once again, re-configure the browser BACK to normal mode (no proxy configured). Now we need to edit the shorewall rules file again, and change from squid transparency to dansguardian transparency.


Edit /etc/shorewall/rules, comment out the squid line, and uncomment the dansguardian line, so the section looks like this:

# uncomment the next line to turn on transparent to squid:
# REDIRECT      loc     3128    tcp     www
# OR!!!!!!!! (can't have both)
# uncomment the next line to turn on transparent to dansguardian:
REDIRECT        loc     8080    tcp     www

You had better get used to editing the rules file. After you are done building the firewall, this is the file you will be editing the most. Check it:

# shorewall check

and restart it:

# shorewall restart

Now, test the transparent configuration. Access the Internet normally (pressing 'F5' to refresh the page will suffice):

http://www.google.com

Then google something naughty again. It should be blocked. Check the logs again if you like. That's it! You now have a fully functional firewall running in transparent dansguardian mode for ALL users on the LAN. Leave it this way for now.

One limitation to keep in mind: the REDIRECT line only catches TCP port 80 (www). HTTPS is never handed to dansguardian, so whether ordinary LAN users can reach an https site at all is decided by the loc to net rules (in the default file, only the privileged range and the Microsoft update ranges have HTTPS/ACCEPT), not by the content filter. Also, a user who points the browser straight at 192.168.1.1:3128 skips the filter for as long as the 3128 rule in the rules file and the http_access allow localnet line in squid.conf stay open; that is what the hardening step later closes.


6.5 Install webmin:

At-a-glance:
Main directory: /etc/webmin
Main configuration file: /etc/webmin/*/* (many files/dirs)
Documentation: None from the command line (no man pages or /usr/share/doc files)
Logs: /var/webmin/miniserv.log, /var/webmin/webmin.log

NOTE: Webmin is 100% optional. I have written this entire how-to so every single task can be performed from the command line. I use the command line for everything. You should be able to do the same. However, some people are still prejudiced against webmin, and refuse to install it. Whatever. Feel free to skip this chapter.

A long time ago, webmin was in the Debian archives; the last release that shipped it was Sarge. Back then it was removed from the archives by request, because of too many bugs, including serious security issues. To this day, many people still believe that to be true. In my opinion, those people probably haven't tried webmin in several years, so their opinion is probably an uninformed one. Today, webmin has matured into a fantastic product. Sure, it can do a LOT of damage quickly if you click on the wrong thing and break something. That's true for any management GUI as powerful as webmin. Only use it with full root access if you know what you are doing. If you don't, well, you shouldn't be building this firewall anyway. Personally, I do everything from the command line. You should too. However, there ARE tasks I delegate to department managers, such as managing squid users and dansguardian access permissions. I grant them a non-root webmin account, so they can manage the daily operations of their employees and I don't have to. I don't want to be bothered with the day to day operations of employees. I couldn't care less if Suzy can't get to the Rachel Ray recipe site. I let the department heads deal with that. Webmin does that beautifully. I show the department heads how to log in to webmin, and where to manage their employees. Works great. It's a win-win.
Enough chatter, let's get started. Fortunately, the webmin developers maintain their OWN online Debian archive, and we will be using it.

Add webmin to /etc/apt/sources.list:

Edit /etc/apt/sources.list and add:

# I added this for webmin:
deb http://download.webmin.com/download/repository sarge contrib

I know, it says sarge. Don't worry about it. All Debian versions are supported in that one archive. If you don't believe me, feel free to investigate it for yourself.

Install the GPG key:

The archive provider signs the repository and publishes the signing key. Install it now:

cd ~
wget http://www.webmin.com/jcameron-key.asc
apt-key add jcameron-key.asc

Note that the key itself arrives over plain HTTP, so on its own it only proves that later packages come from whoever handed you the key. Before trusting it, compare the fingerprint that apt-key finger shows against one you obtained another way (the fingerprint the webmin project publishes, or a copy from an earlier installation).


Install webmin normally using apt-get commands:


apt-get update
apt-get install webmin

All dependencies should be resolved automatically. That's it! There is nothing to configure. Webmin is now installed and operational! From your management workstation, point your web browser to:

https://firewall:10000/

Webmin generates its own self-signed certificate at install time, so your browser will warn about it the first time; accept it for this host. Login as root, and take a look around. Do not 'click to install' anything. Don't make any changes yet. We are not yet done building this firewall. We'll come back to using webmin later. Remember that the only things keeping port 10000 off the WAN are the Webmin/ACCEPT rule being limited to the privileged LAN range and the net to fw policy dropping everything else, so repeat the scan from outside once webmin is installed.


6.6 Install and configure psad:

At-a-glance:
Main directory: /etc/psad
Main configuration file: /etc/psad/psad.conf
Documentation: /usr/share/doc/psad

NOTE: If you NEVER open any ports to the WAN, then you don't need to install psad and fwsnort. However, if you ever open even ONE port, you need them, even if you are simply redirecting an open port to a DMZ server (such as an internal web or email server), or to an internal desktop or server. You will definitely want an intrusion detection and prevention system.

Psad stands for Port Scan Attack Detector. It works from the iptables log messages that Shorewall's logging already produces (which is why those log lines matter): when some dork out on the Internet tries to hack into your firewall, usually with an automated tool such as a brute-force auto-login attempt against your ssh server, psad not only detects the attempt immediately, but can be configured to respond automatically (for instance by banning the attacker's IP address) and to send you an email notification. Very cool :) Let's install it:

# aptitude install psad

Please read the configuration file. It is heavily documented. We need to tweak the main configuration file, /etc/psad/psad.conf:

# you can have multiple addresses here
EMAIL_ADDRESSES             linuxadmin@localhost;
# put your local server name here
HOSTNAME                    firewall;
# put your LAN & WAN nets here
HOME_NET                    72.91.54.0/24, 192.168.1.0/24;
# you don't want to be flooded with emails, set to 3
EMAIL_ALERT_DANGER_LEVEL    3;
# keep history of attackers
IMPORT_OLD_SCANS            Y;

NOTE: *** I need to explain everything in this section *** explain alert levels, avoiding trivial email alerts, etc.

6.7 Install and configure fwsnort:

At-a-glance:
Main directory:
Main configuration file:
Documentation:

NOTE: *** I need to add this section ***

6.8 Install OpenVPN:

At-a-glance:
Main directory:
Main configuration file:
Documentation:

NOTE: *** I need to add this section ***


7 Enable User Management


Now that the firewall packages are installed, configured, and tested okay, we can start implementing some of the more advanced features that we really want. You will quickly discover that transparency mode isn't good enough. Different people will need different levels of access to the Internet. Transparency sounds good in theory, but in practice it falls short: unless you are running a coffee shop that offers free Internet access to customers, you will want finer control over different users' access permissions.

We need to enable user authentication for the online web content filtering feature. You don't just turn it on. You have to understand how it works, and the relationships between the various packages. Shorewall, squid, dansguardian... they all work together, and depend on each other for various tasks.

Discussion: the interdependency between squid and dansguardian.

Before we get started, you have to understand the relationship between squid and dansguardian. They depend on each other, and together share the burden of managing user access. There are THREE distinct and separate steps involved:

1. authenticate users (squid)
2. assign users to groups (dansguardian)
3. assign permissions to groups (dansguardian)

Each of these is handled separately. It's not that hard once you see the split. User authentication in dansguardian is strange for the uninitiated, but makes sense after you learn it. When the dansguardian developers added user authentication, they had to decide how to implement it: build the capability directly in, or let some other program handle part of it and just build in support for the rest. Since there are already MANY ways to authenticate (local, NTLM, LDAP, etc.), and squid already implements them, the dansguardian devs decided to let squid handle authentication, support that, and build in the rest. No sense re-inventing the wheel!

Configure dansguardian to work with squid: By default, dansguardian passes all user authentication to squid. So, to implement authentication, we configure squid to manage the authentication. Please note: dansguardian only passes the authentication to squid. Once the user is authenticated, dansguardian takes over assigning users to groups, and assigning permissions to groups. It's a multi-step process, with each step handled on its own. You must understand this.

Explained another way:

First, dansguardian hands USER AUTHENTICATION to squid. When a user's web browser makes a request for the first time, dansguardian passes the job of authenticating the user to squid, and waits for squid to answer YAY or NAY. If NAY, access denied. If YAY, proceed to the next step.

Second, dansguardian determines which GROUP the user is assigned to. Dansguardian puts all users into groups. There must be at least one group. If groups aren't being used, that just means everyone is in one group, as in transparency mode. When running in user authentication mode, dansguardian supports multiple groups.

Third, dansguardian examines the group's PERMISSIONS to see if the request should be allowed or denied. If allowed, it sends the requested web page to the user. If denied, it sends an access denied web page, with a brief explanation of why.

You have to understand those three steps, because we configure each of them in a different place. Got it? Good, here's the first.

7.1 Configure squid to authenticate users:

Squid is incredibly flexible when it comes to authenticating users. It supports many methods. For the purposes of this document, we are only concerned with the three most commonly used. Squid can authenticate users:

- locally administered
- via a Windows server
- via an LDAP server

You need to pick one. We will cover all three in this chapter.

Undo TRANSPARENT mode in shorewall: Before we configure squid to authenticate users, we first have to UNDO transparent mode. If you have been following this how-to sequentially, your firewall should still be configured to run in TRANSPARENT DANSGUARDIAN mode. Time to undo that. Edit /etc/shorewall/rules, and comment out ALL of the transparent stuff, making it look like this:

# uncomment the next line to turn on transparent to squid:
# REDIRECT loc 3128 tcp www
# OR!!!!!!!! (can't have both)
# uncomment the next line to turn on transparent to dansguardian:
# REDIRECT loc 8080 tcp www

Check it:

# shorewall check

and restart it:

# shorewall restart

Web content filtering is basically shut off at this point. You should have full access to the Internet (no interception, squid or dansguardian filtering). Test it: http://www.google.com You should also be able to google porn with no problem. Don't get side tracked now, stay with me here :)


Configure browsers to talk DIRECTLY to dansguardian: Unlike transparent mode, authentication mode cannot be intercepted (a proxy login challenge only works when the browser knows it is talking to a proxy). All browsers MUST be configured to talk to the firewall directly, and dansguardian specifically. Yes, that means ALL browsers on ALL computers MUST be configured to use the proxy server on the firewall. I know, it's a pain. Configure your browser to use dansguardian DIRECTLY:

Proxy server IP address: 192.168.1.1
Proxy server port: 8080

You will have to do this for all computers in your organization. For a small company, it's not a big deal: just walk around and reconfigure them all. For a larger company, you have probably already automated managing PC configurations; add this requirement to your overall PC management role.

One more check: with the REDIRECT rules commented out, nothing forces traffic through the proxy any more. Make sure your shorewall rules do not let hosts in loc reach the Internet on port 80 directly (only the firewall itself needs to), otherwise a user can simply remove the proxy setting from the browser and bypass the filter entirely.

7.1.1 Configure squid for locally administered users:

This is by far the simplest method. We create a password file on the firewall, in the squid directory. We tell squid to check the file when authenticating a user. To add/change/remove users in the file, we can do that from the command line, and from webmin too (I actually use webmin for this step, it's very convenient). The steps are:

1. create local password file
2. tell squid to use it for authenticating users
3. add/change/remove users

Create a local password file, from the command line (as root):

cd /etc/squid
touch squid_passwd
chmod 600 squid_passwd
chown proxy squid_passwd


We create the password file, use chmod so only the owner (and root) can access it, then change the owner of the file to proxy, so the process that checks the file has access (more later).

Configure squid to use the local password file: Now, we tell squid to use the local password file. Edit /etc/squid/squid.conf, and uncomment the section that has auth_param basic in it:

auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid_passwd
auth_param basic children 5
auth_param basic realm Access to the Internet requires Authentication
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

One thing the auth_param lines do not do on their own is make squid ask for a login: squid only challenges the browser when an http_access rule references a proxy_auth ACL. Check that squid.conf has such an ACL, and that it comes before any http_access rule that lets your LAN through unconditionally. Restart squid:

/etc/init.d/squid restart
Add a test user to the local file: We need a command line utility to manage the password file. The popular 'htpasswd' utility, most commonly used for apache-style password files, can manage our squid password file too (same format). Install it:

apt-get install apache2-utils

Usage syntax (run from /etc/squid, or give the full path to the file). The -b form takes the password on the command line, which leaves it in your shell history and visible in 'ps' while the command runs; prefer the prompting form on a shared box:

htpasswd passwordfile username (it will prompt for password)


or

htpasswd -b passwordfile username password


Add a user:

htpasswd -b squid_passwd test lamepassword


Change a user's password:

htpasswd -b squid_passwd test reallylame


Delete a user:

htpasswd -D squid_passwd test


Got it? Go ahead and create a user, name is test, password is test:

htpasswd -b squid_passwd test test


Manage users via webmin: I almost forgot... you can also manage squid users via webmin. From webmin: Servers -> Squid Proxy Server -> Proxy Authentication. Click on 'add a new proxy user'. Click on any existing user to change or delete it. Pretty simple.

Test AUTHENTICATED DANSGUARDIAN mode: Yes, believe it or not, dansguardian by default is already set up to work with squid for authentication (the proxy-basic authplugin line in dansguardian.conf; if you never get a login prompt, that line and squid's proxy_auth ACL are the two things to check). Also by default, dansguardian already has a default group set up, with some default permissions. It's ready. Go ahead, press F5 to refresh your browser. Did it prompt you for a login and password? It should.


Remember: login is test, password is test. Now, go to google, and search for porn. It should block you, and give you an Access Denied web page. If everything is working correctly, proceed to the section: Assign users to groups.

7.1.2 Configure squid for Windows users:

This is really easy. All we have to do is tell squid where your Windows server is, and squid will do the rest. Edit /etc/squid/squid.conf, enable Windows (NTLM) authentication, and tell it about your Windows server:

auth_param ntlm program <uncomment and complete this line to activate>
auth_param ntlm children 5
auth_param ntlm keep_alive on

*** need to add this

7.1.3 Configure squid for LDAP users:

*** need to add this

7.2 Assign users to groups:

By default, all users are members of the default group. You don't have to have multiple groups. If you do enable multiple groups, all users are still members of the default group until you explicitly assign them to a different one. This is a nice safety precaution.

Create Multiple Authenticated User Groups: If you are planning on using authentication, and plan on using multiple groups, there are two ways to do this. You can manually create the directories/files, or you can let the webmin dansguardian module do it for you. I've always done it manually in the past. Now that the new webmin dansguardian module has an option to create them for me, what the heck, I'll try it, just for yuks. From your management workstation, connect to webmin: https://firewall:10000

*** From this point on, need a total re-write and re-format

As you can see, I'm using the simple authentication method, which uses a local file of hashed passwords, which we edit via webmin. Webmin has a great squid interface that allows you to add/edit/delete users, and it will edit this file for you.

NOTE: Yeah, I know, some of you want to authenticate via NTLM against a Windows domain server. Some day I'll get to that. If anyone has done it, please let me know, so I can add it here.

NOTE2: If you do a 'ps -ef', you will notice lines like this:

proxy     5961  5178  0 06:25 ?        00:00:00 (ncsa_auth) /etc/squid/squid_passwd

That means the password verification is being run by the user 'proxy' and not 'root'. Therefore, make sure the permissions on squid_passwd let 'proxy' read it. The file we created above is mode 600 and owned by proxy, which is exactly right: root can still edit it (webmin, htpasswd), proxy can read it to validate logins, and nobody else on the box can read the password hashes. Don't leave it at the 644 that 'touch' gives a new file, because then every local user can read the hashes. We will later use webmin to add/modify/delete users from this file.

Click on Servers -> Dansguardian -> View/Edit System-Wide Base Config -> Content Filter. The first line, Filter Groups, is probably set to the number 1. If you are planning to create, say, 5 groups, change the number to 5, then press the UPDATE button at the bottom. It says dansguardian needs to be restarted; we will do that in a little bit. Go back to the main dansguardian menu, and click on 'Set Up Lists & Configs For Multiple Filter Groups'.
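The following script is an added example, not part of this document or of the squid/dansguardian projects. It lays out the files behind the three steps from section 7 (squid authenticates, dansguardian assigns groups, dansguardian assigns permissions) in a scratch directory, so it runs without touching /etc, and then models step 2 the way dansguardian does it: a username is looked up in lists/filtergroupslist and lands in the default group (filter1) when it has no entry. The usernames alice, bob, carol and dave and the CONFROOT scratch path are invented for the sample; the file names and formats are the real ones.

```shell
#!/bin/sh
# Added example (not part of the Abazaba document). Lays out the files behind
# the three steps (squid authenticates, dansguardian groups, dansguardian
# permissions) in a scratch directory so it runs without touching /etc, and
# models dansguardian's step 2: which filter group does a username land in?
# Usernames alice/bob/carol/dave are invented for the sample.

CONFROOT="${CONFROOT:-$(mktemp -d)}"
LISTS="$CONFROOT/dansguardian/lists"
mkdir -p "$LISTS" "$CONFROOT/squid"

# Step 1, squid. The auth_param lines define HOW to check a password; squid
# only sends the browser a login challenge when an http_access rule refers
# to a proxy_auth ACL, so the last two lines are what actually turn it on.
cat > "$CONFROOT/squid/squid.conf" <<'EOF'
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid_passwd
auth_param basic children 5
auth_param basic realm Access to the Internet requires Authentication
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
acl ncsa_users proxy_auth REQUIRED
http_access allow ncsa_users
EOF

# Step 2, dansguardian. "filtergroups" in dansguardian.conf is the number of
# groups; lists/filtergroupslist maps user -> filterN; each group N has its
# own dansguardianfN.conf (step 3, permissions) next to dansguardian.conf.
printf 'filtergroups = 3\n' > "$CONFROOT/dansguardian/dansguardian.conf"
cat > "$LISTS/filtergroupslist" <<'EOF'
# constructed sample: username=filterN
alice=filter2
bob=filter3
# carol has no line here, so she stays in the default group (filter1)
EOF

# Resolve a username to its group number: exact match on the name, comment
# and blank lines ignored, group 1 when the user is not listed. A number
# outside 1..filtergroups is a broken list; this script maps it to 1 as
# well (fix the list on a real box rather than relying on that).
filter_group_for() {
    user="$1"
    ngroups=$(sed -n 's/^filtergroups[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' \
        "$CONFROOT/dansguardian/dansguardian.conf")
    grp=$(grep -v '^[[:space:]]*#' "$LISTS/filtergroupslist" \
        | awk -F= -v u="$user" '$1 == u { sub(/^filter/, "", $2); print $2; exit }')
    case "$grp" in
        '' | *[!0-9]*) echo 1 ;;
        *) if [ "$grp" -ge 1 ] && [ "$grp" -le "${ngroups:-1}" ]; then
               echo "$grp"
           else
               echo 1
           fi ;;
    esac
}

for u in alice bob carol; do
    echo "$u -> filter group $(filter_group_for "$u")"
done
```

Run it as-is to see alice in group 2, bob in group 3 and carol in the default group 1. On the firewall the same lookup is what happens after squid has said YAY: edit /etc/dansguardian/lists/filtergroupslist (or let webmin do it), keep filtergroups in /etc/dansguardian/dansguardian.conf at least as large as the highest group you reference, and restart dansguardian.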

7.3 Implementing Dansguardian filters:

- Blocking downloads
- Blocking advertisements
- Blocking youtube video advertisements
- Blocking spam
- Scanning for viruses
- Blocking streaming audio
- Blocking streaming video
- Blocking what else:

7.4 Enable and automate blacklist file updates:

At-a-glance:
  Main directory:
  Main configuration file:
  Documentation:

need to add this


8 Manage the Firewall:


Once the firewall is up and running, and everything is configured, the firewall pretty much runs itself. The only time you need to do anything, honestly, is to manage the user accounts. This includes creating new user accounts, removing old accounts, and modifying group access permissions for adding/denying access to specific web sites. All of this can easily be done via webmin, and also from the command line, if you know where to look. You will need to:

8.1 Create/remove user accounts

Managing the accounts varies, depending which authentication method you used. There are five different ways to authenticate user accounts:

- Transparent access, which puts all users into one group (no login required)
- Basic (locally administered) user authentication
- NTLM (Windows domain) user account authentication
- LDAP user account authentication
- Other user account authentication methods

Dansguardian user account management: You will need to add new employees, and remove old ones. This is easy to do. You will also assign employees to groups, and edit the group's permissions.

8.1.1 Transparent access:

Obviously, this is by far the simplest. All people accessing the Internet are lumped into one group. No user account name or password is required. You don't create new users, remove old users, or assign users to groups. All you can do is modify the Internet access permissions. From webmin: login to webmin, then Servers -> Dansguardian Web Content Filter -> View/Edit A Filter Group's Lists. As you can see, there are many types of filter categories. From the command line, login as root:

# cd /etc/dansguardian/lists
Edit the files manually.


8.1.2 Managing Basic (locally administered) User Account Authentication:

8.1.3 Managing NTLM (windows domain) User Account Authentication:

8.1.4 Managing LDAP User Account Authentication:

8.1.5 Managing Other User Account Authentication Methods:

8.2 Assign users to groups

Done in webmin, or the command line.

8.3 Manage a group's Internet access permissions

Done in webmin, or the command line.


9 Troubleshooting with the Firewall


Sooner or later, you will want to investigate whether or not there has been an attack, or determine if a user is abusing Internet access. Let's be honest. You can ignore the firewall, and it will continue protecting your network. You can forget about the firewall, and it still works. It doesn't matter. It will continue to protect your network. However, there will come a time when you will want to know who did what. You will hear that some employee found a way to bypass the firewall, and spends his or her time goofing off on myspace.com, or some other time wasting site. You will hear complaints from fellow employees about some slacker goofing off all day long on some forbidden site. There will come a time, when some manager comes to you, demanding you show reports of the activity of some person, usually when they are building a case to fire an employee, and need your help to do it. That is when you learn this next section... how to read the LOGS!

9.1 How to read the LOGS!

It happened. You have received a complaint that some employee has been browsing a website during normal business hours that they shouldn't be. Nag, nag, nag. Okay, let's check it out. We have this super smart firewall that tracks everything, right? Well, yes and no. It does track everything, but do YOU know where to look? Maybe not. It's time to learn what this firewall logs, for how long, and what it doesn't, EVER.

Webmin:

Command line: the logs that matter for the who-did-what question are dansguardian's /var/log/dansguardian/access.log (every request, with the authenticated username and whether it was denied and why), squid's /var/log/squid/access.log (every request that reached squid, cache hit or miss) and psad's files under /var/log/psad/ (scans and attacks seen on the WAN side). Shorewall itself logs through the kernel log, so its entries land wherever your syslog/klogd setup writes kernel messages.

Check the email logs: use webmin to check emails sent by the various firewall packages to the linuxadmin account.
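The script below is an added example, not part of this document or of dansguardian; it does the "who did what" check described above against dansguardian's access log, which is the one log here that carries the authenticated username (squid sees every request arriving from dansguardian, so its own access.log does not tell you the user). The log lines are constructed in the layout of dansguardian's default logfileformat = 1 (date, time, username, client IP, URL, then an optional *DENIED* reason, then method, size and the rest); the users test and jsmith and the sites are made up for the sample. On the firewall point LOG at /var/log/dansguardian/access.log instead.

```shell
#!/bin/sh
# Added example (not part of the Abazaba document). Answers "who did what"
# from dansguardian's access log, the one log here that carries the
# authenticated username. The lines below are constructed in the layout of
# dansguardian logfileformat = 1:
#   date time username client-ip url [*ACTION* reason...] method size ...
# On the firewall read /var/log/dansguardian/access.log instead.

LOG="${LOG:-$(mktemp)}"
cat > "$LOG" <<'EOF'
2010.10.7 9:15:01 test 192.168.1.50 http://www.google.com/ GET 6148 0  1 200 text/html
2010.10.7 9:15:09 test 192.168.1.50 http://www.google.com/search?q=porn *DENIED* Banned phrase found: porn GET 0 0 1 1 200 text/html
2010.10.7 9:16:40 jsmith 192.168.1.51 http://www.myspace.com/ *DENIED* Banned site: myspace.com GET 0 0 1 2 200 text/html
2010.10.7 9:17:02 jsmith 192.168.1.51 http://www.myspace.com/login *DENIED* Banned site: myspace.com GET 0 0 1 2 200 text/html
2010.10.7 9:18:15 jsmith 192.168.1.51 http://www.debian.org/ GET 4210 0  2 200 text/html
2010.10.7 9:20:33 test 192.168.1.50 http://www.myspace.com/ *DENIED* Banned site: myspace.com GET 0 0 1 1 200 text/html
2010.10.7 9:21:10 test 192.168.1.50 http://www.myspace.com:80/home *DENIED* Banned site: myspace.com GET 0 0 1 1 200 text/html
EOF

# The reason text after *DENIED* contains spaces, so never count on a fixed
# number of fields past the URL. Username is always field 3, URL field 5.

# Number of blocked requests for one user.
denied_count_for() {
    awk -v u="$1" '$3 == u && /\*DENIED\*/ { n++ } END { print n + 0 }' "$LOG"
}

# Sites a user was blocked from, most frequent first, as "count host".
denied_hosts_for() {
    awk -v u="$1" '$3 == u && /\*DENIED\*/ {
            host = $5
            sub("^[a-z]+://", "", host)      # drop the scheme
            split(host, p, "/"); host = p[1] # drop the path
            sub(":.*", "", host)             # drop an explicit port
            c[host]++
        }
        END { for (h in c) print c[h], h }' "$LOG" | sort -rn
}

# Blocked requests per user over the whole file, as "count user".
denied_by_user() {
    awk '/\*DENIED\*/ { c[$3]++ } END { for (u in c) print c[u], u }' "$LOG" | sort -rn
}

denied_by_user
```

Start with denied_by_user to see who is hitting the filter most, then denied_hosts_for on the name the manager asked about; the same awk pattern with `$3 == u` and no `*DENIED*` test lists everything that user fetched, blocked or not. Remember that what you can show is bounded by log rotation, so check how long /var/log/dansguardian is kept before promising a report for last month.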

9.2 Diagnostics tools:

List active TCP connections, from the command line:

# netstat -nt | grep ESTABLISHED

or from ntop: IP -> Local -> Active TCP/UDP Sessions

To tear down a TCP connection: first, add a rule to the firewall to block the destination IP address (and optionally port), so the client cannot simply reconnect. Then install cutter:

# aptitude install cutter

and from the command line (the port is optional):

# cutter IP [port]

netstat-nat: a great utility for listing NAT connections.


9.2.1 Ntop

At-a-glance:
  Main directory: /etc/ntop
  Main configuration file: /etc/default/ntop (the user, interfaces and options the init script starts ntop with)
  Documentation: /usr/share/doc/ntop

To install:

# apt-get install ntop


Before you can start ntop, you have to set an administrative password:

# ntop --set-admin-password
It will prompt you for a password. Now, start ntop:

# /etc/init.d/ntop start
The Debian package runs ntop as its own unprivileged user, set in /etc/default/ntop; there is no reason to run it as root. From your web browser, point to the firewall, using port 3000: http://firewall:3000. Anyone who can reach that port can browse your traffic data (only the admin pages ask for the password you just set), so make sure shorewall only accepts port 3000 from the loc zone, never from net.

9.2.2 iftop

At-a-glance:
  Main directory:
  Main configuration file:
  Documentation:

Extremely useful utility! This allows you to monitor network traffic in real time. You can see who is using the most bandwidth at any time. Network running slow? Use iftop to see who the culprit is. To install iftop:

# apt-get install iftop


To monitor your LAN users in real time:

# iftop -i eth0
To monitor the Internet side in real time (after NAT every LAN host shows up under the firewall's own WAN address here, so use eth0 when you need to tell LAN hosts apart):

# iftop -i eth1


9.2.3 netstat-nat

At-a-glance:
  Main directory: none (command line tool only)
  Main configuration file: none
  Documentation: /usr/share/doc/netstat-nat

Other stuff:
- vnstat: network traffic logger and monitor
- SystemRescueCD
- rootkit detection


10 After the firewall is done:


Now what? After you are done building and configuring the firewall, there are a few things you should do before you start using it on a production network.

10.1 Disable ssh root login

Remember when we first installed the ssh server, but left open root access, so we could easily connect to the firewall to make changes? Well, now we need to deactivate root access to ssh. Edit the /etc/ssh/sshd_config file, and make sure you set the 'PermitRootLogin' option to no. Note that sshd uses the FIRST value it finds for a keyword, so if the file still has an earlier 'PermitRootLogin yes', change that line rather than adding a new one at the bottom. As root, 'sshd -T | grep -i permitrootlogin' prints the value sshd will actually use:

PermitRootLogin no
Restart ssh server:

# /etc/init.d/ssh restart
NOTE: You can still connect to ssh using the linuxadmin account, to transfer files to the firewall. To get root access again, you can open a shell terminal session to the firewall, login as linuxadmin, then 'su -' to gain root access. You should already know how to do this.
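The script below is an added example, not part of this document or of OpenSSH. It checks a sshd_config the way sshd reads it, first value wins, which is the trap when someone appends 'PermitRootLogin no' to a file that still has the original 'PermitRootLogin yes' above it. The sample config is constructed; on the firewall point SSHD_CONFIG at /etc/ssh/sshd_config (and treat 'sshd -T' as the final word, since this script stops at the first Match block rather than evaluating it).

```shell
#!/bin/sh
# Added example (not part of the Abazaba document). sshd takes the FIRST value
# it meets for a keyword, so a "PermitRootLogin no" appended at the end of
# sshd_config does nothing while an earlier "PermitRootLogin yes" is still in
# the file. The sample config below is constructed to show exactly that.

SSHD_CONFIG="${SSHD_CONFIG:-$(mktemp)}"
cat > "$SSHD_CONFIG" <<'EOF'
Port 22
Protocol 2
PermitRootLogin yes
# ... rest of the stock Debian file ...
PasswordAuthentication yes
PermitRootLogin no
EOF

# Print the effective global value of a keyword: case-insensitive keyword
# match, comments and blank lines skipped, stop at the first Match block
# (settings inside it are conditional), "unset" if never seen.
effective_sshd_option() {
    awk -v key="$1" '
        BEGIN { key = tolower(key) }
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == key { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }' "$2"
}

# 0 when root login over ssh is really off, 1 otherwise (reason on stderr).
# OpenSSH on Squeeze defaults PermitRootLogin to yes when it is unset.
root_login_disabled() {
    v=$(effective_sshd_option PermitRootLogin "$1")
    case "$v" in
        no) return 0 ;;
        unset) echo "PermitRootLogin not set: sshd defaults to yes" >&2; return 1 ;;
        *) echo "effective PermitRootLogin is '$v' (first match wins)" >&2; return 1 ;;
    esac
}

if root_login_disabled "$SSHD_CONFIG"; then
    echo "root login disabled"
else
    echo "root login still possible"
fi
```

With the sample file the script reports that root login is still possible, because the 'yes' on line 3 is the one sshd honours. The same function works for any other keyword you want to verify after editing, for example PasswordAuthentication once you move the linuxadmin account to keys.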

10.2 Backup existing config files:

Now that you have a fully configured and operational firewall, you need to back up the configuration files. This is really easy to do. Instead of backing up the entire firewall, I just back up the config files. If the firewall ever dies, you'll have to re-install the Debian OS anyway. With this document and your backed up config files, you can have a new firewall up in a few hours at most. Create a backup script: Login as root. In your home directory, create a 'backupconfigs' script:

cd ~
touch backupconfigs
chmod +x backupconfigs
vi backupconfigs


Then copy this into it:

#!/bin/sh
# Collect the hand-edited config files into one tarball.
# The work directory is NOT called backupconfigs: that name is already taken
# by this script in ~, so 'mkdir backupconfigs' would fail.
set -e
cd ~
rm -rf config-backup
mkdir config-backup
cd config-backup
# -a keeps modes and owners, so squid_passwd stays 600 inside the backup
cp -a /etc/apt/sources.list .
cp -a /etc/ssh/sshd_config .
cp -a /etc/ddclient.conf .
cp -a /etc/network/interfaces .
cp -a /etc/resolv.conf .
cp -a /etc/udev/rules.d/70-persistent-net.rules .
cp -a /etc/dnsmasq.conf .
cp -a /etc/default/klogd .
cp -a /etc/psad/psad.conf .
cp -a /etc/shorewall ./shorewall
cp -a /etc/squid ./squid
cp -a /etc/dansguardian ./dansguardian
cd ~
tar -cpzf config-backup.tar.gz config-backup
chmod 600 config-backup.tar.gz
Now run it:

# ./backupconfigs
It should create a gzipped tar file containing all the config files you have modified since installation. Copy it to your local management workstation using WinSCP (or krusader), and keep it somewhere private: it contains the ddclient password and the squid password hashes. Keep in mind it didn't back up any webmin configuration stuff (I'll have to look into this).


11 On-going Support:
I have been writing this document for many years now, with the official releases starting two years ago. Hopefully, I will continue to update this document for many years to come. Then again, we've all heard THAT one before LOL. Fortunately for you, I have based this firewall on a linux distribution that actually has packages actively supported and updated. That's the main reason why I chose Debian, other than the obvious fact it's the best distro available. Even if I do fall off the planet, this firewall documentation project can live on, since we know the distro and the packages will.

11.1 Future Plans for this documentation project:

- Adding a DMZ or two...
- Install a system-wide backup solution, many options available to choose from: cron/rsync, software to back up to a usb stick
- iotop: io monitor, ie disk access
- apt-get autoremove
- pktstat
- TONS of scripts! www.squid-cache.org/Scripts
- tcptrack
- VPN?
- VoIP?
- Email redirector w/ virus/spam scanning?
- What else?
