Hornford Associates

We are updating this howto to support CentOS 5. Red Hat released the RHEL 5 source in April 2007, and  in early April the CentOS project provided a final release of CentOS 5. We are in the process of running through the base installation & detailed configuration to confirm all the directions.
The following How-to is a Work-in-progress based on CentOS 5. It will have typos, spelling errors, gaps & errors until we have completed a detailed run-through and updated the steps. While this is underway we are mainatianing the legacy open-source howtos at www.old.hornfordassociates.com.

At the completion of this Perimter Security How-to you will have a multiple-zone Firewall, Virtual Private Network and Proxy Server.
This provides a basic Perimeter Security environment. Where appropriate the How-to is integrated with a Windows desktop environment.
For detailed configuration options please have a look at www.shorewall.net. This how-to is derived from the Shorewall two-interface sample.

For an overview discussion of why these applications were used look here. Core application list:

• CentOS 5 Linux (Base Operating System)
  
• Windows 2003
• Micropsoft PTPP VPN or OpenVPN (VPN)
  
• Microsoft Active Directory (Directory Services)
  Note: Microsoft Installation & configuration not in scope
  
• ShoreWall (IP tables Firewall Management)
• Fail2Ban (Limited Rat Bastard Limiting)
  
• Bind or Windows 2003 DNS (DNS)
• Webmin (System Management)

The following link provides step-by-step instructions to install and perform a base configuration of a CentOS 5 server.
These steps are common to several CentOS How-tos

• Base CentOS 5 Installation and Configuration
• Section Purpose - Base Installation
• Reference SMB
• Cookbook Format
• Base CentOS Installation
• First Boot
• First Login
• Webmin Configuration
• Third Party Repository
• CentOS Management 101
• Return to Specific How-to

Shorewall is another application where we are not going to use the repository for the RPM.
The project website is available at www.shorewall.net - at the project website make sure you subscribe to the announce mailing list - without receiving the announce messages you WILL fall behind and miss important changes, updates and patches to the product.
This announce mailing list is used only to announce upgrades, fixes and known issues with Shorewall and is available at:http://sourceforge.net/mail/?group_id=22587

CentOS RPMS

CentOS RPMs for Shorewall are available courtesy of Simon Matter. He maintains the RPMs at: www.invoca.ch/pub/packages/shorewall/. Look here for the current version of Shorewall.

Webmin Installation

1. Log-onto Webmin
   make sure you are not connecting as Root
2. Select Webmin's System Tab
3. Select Webmin's Software Packages Module
4. Paste the Shorewall RPM path into 'Install from ftp or HTTP URL'

Webmin's software installation will then prompt you for confirmation of the installation. Review the options, as with most defaults don't change them unless you understand the implications.

With Shorewall installed the next step is to configure your firewall. Refer to the basic firewall planning performed in 'thinking about your firewall'

Create Zones

1. Select Webmin's Networking Tab
2. Select Shorewall module
3. Select Network Zones Tab
   One Zone - fw for the Firewall exists by default. Leave this zone in place
   
4. Create two zones type IPv4
   Leave all the options blank
   
1. first Zone 1 'Red',
   
2. second Zone 2 'Off' (Office) zone.
   "Red" is the Internet, "Off" is your secured internal network
5. Return to list of tables
   

Network Interfaces

Note: With Shorewall 3.4.2 and Webmin 1.330 we are seeing errors in the Network Interfaces configuration. This may be a real error or an artefact of configuring Shorewall in a virtual machine. We suspect it is a real error, it would not be the first time that Webmin & Shorewall options have been out-of-step.

1. Select Network Interfaces Tab
2. Create an Interface
   Note: If the Webmin module developer had left the options the same as those used in Shorewall's documentation it would be easier for the casual administrator to determine which option maps to the documentation. While the meaning of 'nosmurfs' and 'norfc1918' are not as clear as 'check for broadcast source packets' and 'reject private IP packets', they are what exists in Shorewall's documentation.
   
• eth0
• Associates with "Red"
  Based on the case this is the external interface that has a dhcp connection
  
• Select:
  broadcast address - none
• Select options
  dhcp, routestopped, reject packets on blacklist, enable anti-spoofing routfiltering, log unclean, check for broadcast source packets & check for illegal TCP flags, noping.
  dhcp: allows the Firewall server to obtain its external IP address from your service provider
  routestopped: identify hosts, or IP addresses, that can access the firewall when Shorewall is stopped
  blacklist: allows you to use a blacklist file
  anti-spoofing:
  routefiltering:
  log unclean:
  broadcast source:
  illegal TCP flags:
  noping
• Note: We always ensure routestopped is set - remote management is a reality, and being locked out by a mistake can be as damaging as a security breach.
• Note: you may wish to leave filterping
  
3. Create a second Interface
• eth1
• Associate with "Off"
  
• Select:
  broadcast: automatic
• Select Options
  routestopped, check for illegal TCP flags
  routestopped: identify hosts, or IP addresses, that can access the firewall when Shorewall is stopped
  illegal TCP flags:only allows properly formatted TCP/IP packets. Probably not required on the secure side, included because of the VPN that will be implemented.
  

CYA

Before going any further it is time to CYA. Errors in Firewall configurations result in firewalls that drop all connections, including your attempts to fix the problem. To avoid this Shorewall supports a CYA that ensures connections from specified IP addresses always can talk to the firewall.

1. Select When Stopped
2. Internal Interface
   Select add new stopped interface (eth1)
   
• select eth1
• select "Allow to host from any source"
  This will allow access from any internal address to the firewall
3. External Interface
   Select add new stopped interface (eth0)
   
• select eth0
• Identify the external IP addresses or IP address ranges that you want to be able to administer the firewall from.
  

This ensures that if you do something bad, then the Firewall will still allow connections from your system.

Create Policies

Policies configure the default actions for traffic between different firewall zones. They can be overridden for particular hosts or types of traffic on the Firewall Rules page.

1. Select Default Policies
2. Create a new Policy
   Source: Any
   Destination: Any
   Policy: Reject
   Syslog Level: Warning
   This will deny everything from anywhere to anywhere. If a rule or other policy does not allow something, this rule denies activity. It is a good starting point.
   Note: This rule must be located last in the list.
3. Create a new Policy (click on the arrow to create above)
   Source: Off
   Destination: Any
   Policy: Allow
   Syslog Levels: Critical
   For allowed traffic logging on the Firewall is not advised. It generates huge amounts of log-files. You may want or need to create log-files for other reasons, such as investigating a recurrent problem.
   
4. Create new Policy
   Source: Red
   Destination: Any
   Policy: DROP
   Syslog Levels: Critical
   Drops all inbound traffic
   
5. Create new Policy
   Source: Firewall
   Destination: Red
   Policy: Accept
   Syslog Levels: Info
   Allows the Firewall to reach out to the internet. This is logged as it is a somewhat suspect activity.
   

These policies will write to /etc/shorewall/policy

############################################
#SOURCE DEST POLICY LOG LIMIT:BURST
# LEVEL
fw red ACCEPT info
red all DROP crit
off all ACCEPT crit
all all REJECT warning
#LAST LINE -- DO NOT REMOVE

Basic Firewall Rules

This set of rules will allow basic traffic and management. You will have SSH & Webmin access to the Firewall, DNS connections and office-side ping and Firewall-based ping is enabled.

1. Select Firewall Rules
   
2. Create New Rule
   Action: Accept
   SysLog Level: crit
   Source: Any
   Destination: Red
   Protocol: TCP
   Destination Port: 53
   Note: Feel free to use the comment option.
   Purpose: When combined with UDP rule, this rule allows DNS connections from the Firewall and Office zones to connect to internet nameservers.
3. Create new Rule
   Action: Accept
   SysLog Level: crit
   Source: Any
   Destination: Red
   Protocol: UDP
   Destination Port: 53
   Purpose: When combined with TCP rule, this rule allows DNS connections from the Firewall and Office zones to connect to internet nameservers.
4. Create new Rule
   Action: Accept
   SysLog Level: crit
   Source: Off
   Destination: Firewall
   Protocol: TCP
   Destination Port: 22
   Purpose: Allows SSH connections from Office network to firewall.
5. Create new Rule
   Action: Accept
   SysLog Level: crit
   Source: Off
   Destination: Firewall
   Protocol: TCP
   Destination Port: 443 10000
   Note: Webmin interface requires space between numbers. It will enter the ',' in the Shorewall rule
   Purpose: Allows Webmin connections from Office (local) network to firewall.
6. Create new Rule
   Action: Accept
   SysLog Level: crit
   Source: Off
   Destination: Any
   Protocol: ICMP
   Destination Port: 8
   Purpose: Allows ping to & from the Office to the Firewall and outside world.
   
7. Consider creating a temporary new Rule
   Note: If you create this rule you will likely want to turn this off later
   Action: Accept
   SysLog Level: crit
   Source: Red
   Destination: Firewall
   Protocol: ICMP
   Destination Port: 8
   Allow Ping to & from firewall
   Purpose: However, it is useful in set-up troubleshooting to ensure your firewall is there.
8. Create new Rule
   Action: Accept
   SysLog Level: crit
   Source: Firewall
   Destination: Any
   Protocol: ICMP
   Destination Port: 8
   Allow Ping to & from firewall

#########################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
#SECTION ESTABLISHED
#SECTION RELATED
SECTION NEW
ACCEPT:crit all red tcp 53
ACCEPT:crit all red udp 53
ACCEPT:crit off fw tcp 22
ACCEPT:crit off fw all 443,10000
ACCEPT:crit off all icmp 8
ACCEPT:crit $FW all icmp 8
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Start Firewall

Return to the Shorewall Module main page and click the Check Button. Assuming no error conditions are reported, return to the page and click start. Once you have confirmed that the firewall is behaving. You may want to consider returning to the CYA stage and undo the CYA - if you created remote management this may be a good idea. The further you are from the firewall the worse the idea. There is always a security/usability trade-off.

Confirm Start of Firewall

    To enable startup you need to enable Shorewall    

1. Open a Terminal program
   Putty is a good Windows-based tool
2. Enter:
   ssh -l
   ssh -l dave 10.40.40.1
   At the prompt enter a password
3. Enter:
   su -
   At the prompt enter a password
   
4. vi /etc/shorewall/shorewall.conf
5. Enter:
   [esc] to enter vi command mode
   Change STARTUP_ENABLED=No ito STARTUP_ENABLED=Yes

1. Select System Tab
2. Select Bootup and Shutdown Module
3. Ensure Shorewall will be started on system start

• Squid Outline
• Installation
• Configuration
• Access Control (Squid ACL)
• Shorewall configuration for Squid

• VPN Purpose
• Choice of VPN
• Microsoft Windows PPTP
• OpenVPN (Windows Client)

• Fail2ban Outline
• Fail2ban and Shorewall
• Installation

• Minor Options
• Minimize Shorewall writing log messages constantly to console to keep the console useable

Hornford Associates
Suite 114, 100 - 111 5th Ave., SW
Calgary, Alberta, CANADA, T2P 3Y6
+1 (403) 818-4303