requesting feedback on my CORPORATE firewall howto

drokmed
Posts: 1162
Joined: 2007-10-03 19:24
Location: Saint Petersburg, FL

Re: requesting feedback on my CORPORATE firewall howto

#31 Post by drokmed »

UPDATE:

For anyone running this firewall, I performed an update to squeeze, and am in the process of updating the documentation for a squeeze install.

I upgraded one of my firewalls from Etch to Lenny, then from Lenny to TESTING (currently Squeeze 6.0). I have a ton of notes, and will type them up if anyone is still running this version of firewall on Etch. Basically, a few of the apps that were upgraded had new config files, and I opted to have the new config file install, then I re-edit it to get my configuration back. Pretty simple if you are comfortable with the config files. No problems, nothing broke.

I'm adding features to the squeeze firewall, updating my notes, then will upgrade another one of my etch firewalls, to verify my documents/notes.

Once I'm comfortable with this, I will wipe a firewall, and do a fresh squeeze/testing install, then totally update my original how-to, which should be a major upgrade.

More to come soon...
Author of the Debian Linux Security Appliance Firewall howto, found here
Thread discussing it is here

steveeflypg
Posts: 4
Joined: 2009-09-10 10:07
Location: UK

Re: requesting feedback on my CORPORATE firewall howto

#32 Post by steveeflypg »

Hi again Daryl!
glad to get an update occasionally from this. It came in very handy for my return to college in the UK this year, as a project for the 2nd yr networking degree I'm just finishing (again!), so I jumped a couple more levels of knowledge with this in the last month.
I have just uploaded the college document to my website as I did a lot of reference level testing from default Debian routing/firewall behaviour to after Shorewall is installed using ping and Nmap. A great learning curve to help understand Linux in general and the role of IPTables underneath all Linux Firewalls, and fun - if a bit tedious sometimes doing the 40 odd tests for an "academic" paper...yawn...!
Take a look (viewable in IE only as it's a .mht and loses formatting and pics as an .html doc - sorry fellow Debians!) here:
http://stevepedwards.com/Shorewall2ndYr ... roject.mht
There is a lot of research here and more in the Appendix I will load later, as UDP was a whole universe in itself that I could not include in the main paper - with interesting links for anyone wanting to delve deeper into packets and protocols.
Thanks again Daryl, for the initial inspiration for all this - and it couldn't have come at a better time as a Project, as the Firewall stuff helped out nicely with the CCNA module 4 VPN and ACL stuff also - finishing next week. (Hope I pass the CCNA this time round!)
best regards
Steve

Absent Minded
Posts: 3464
Joined: 2006-07-09 08:50
Location: Washington State U.S.A.

Re: requesting feedback on my CORPORATE firewall howto

#33 Post by Absent Minded »

Hello Daryl!!
I am waiting in anticipation for your next release. I have been able to glean so much good info from your previous work on this and want you to know that it has been a great help to me as well as others I have pointed in its direction.

Thank you for keeping things and us all updated.
Michael
Serving the community the best way I can.
Spreading the tradition of Community Spirit.
Please read some Basic Forum Philosophy
Give a man a fish, he eats for a day. Teach him how to fish, he eats for life.
Updated Nov. 19, 2012

drokmed
Posts: 1162
Joined: 2007-10-03 19:24
Location: Saint Petersburg, FL

Re: requesting feedback on my CORPORATE firewall howto

#34 Post by drokmed »

Hi Steve (and my buddy Michael)!

Steve, fantastic job on that paper you wrote! I just finished reading it, and my internal iptables are overflowing :mrgreen:

Wow, you certainly dived into the testing very thoroughly, more than I ever did, well, officially that is. After years of use, I already have a good idea of what works and what doesn't. You made me realize I totally neglected to provide a decent test plan for my document. With your permission, I'll add just a bit to get people started, then reference them to your thorough testing procedures.

BTW, thanks for the kind words in your paper, I appreciate it. I'm glad to see my efforts at documenting this stuff were beneficial to you. You certainly dived down into the nitty gritty detail, and added to my config samples! I'm impressed. You get an A in my book :D

If you want to upgrade to squeeze, I'm in the process of typing up my notes, part of it done today, the rest hopefully in the next few days. I'll post an upgrade howto soon, then get started on a freshly squeezed doc. I'm frustrated that the STABLE build always has old versions of packages, sometimes years old. The TESTING platform always seems to be current, so TESTING it is...

I'm looking forward to reading your UDP research. Very cool. I don't want to dive too much into theory in my howto, but will definitely reference your work for people to learn more. I'd also love to see what you were able to do with the VPN configs... I never did get around to implementing VPN. We don't really have an official need for it at work, since remote desktop access has proven sufficient for us in a production environment. Maybe I'll give you a VPN into my lab, so you can have a remote site to test from. We'll fire up a game of ncsnipes (google it) :wink:

Good luck on that CCNA test. I'm glad at my age I don't have to bother with certs anymore 8)

Cheers,

Daryl

steveeflypg
Posts: 4
Joined: 2009-09-10 10:07
Location: UK

Re: requesting feedback on my CORPORATE firewall howto

#35 Post by steveeflypg »

Hi Daryl
glad it's useful - of course, go ahead and use whatever you need - you started it after all!
I have just loaded the Appendix here:
http://stevepedwards.com/Appendix.mht
and added a couple of recent things I found out from playing with the FW (and VPNs), like adding a Speedtouch 330 USB modem and connecting directly to the Web! Pretty damn quick surfing actually! We should try that site to site VPN link sometime, as I also have a lot of recent VPN research due to a Cisco paper being delivered next week, and messing with my 837 router and Cisco's SDM GUI, and seeing what Linux apps can connect to it etc. (VPNC can connect as a Cisco client but OPENVPN cannot. PPTP may be used as a VPN server on the FW. I need to do more work here as I was getting mangled GRE checksums over DNAT when FW is used as a pass through, but at least I understand why a bit more now as NAT traversal of Firewalls can mangle the packet headers and so mess up the encryption checksums etc. so it is an interesting area. It will all disappear with IPv6 of course when we all have millions of direct personal IP addresses and NAT won't be needed any more, but that is a while off yet...)
I can't believe I missed the Nmap testing weirdness from the FW out being due to the POLICY file default REJECT settings, duh..
Anyhoo, take it easy,
Steve

drokmed
Posts: 1162
Joined: 2007-10-03 19:24
Location: Saint Petersburg, FL

Re: requesting feedback on my CORPORATE firewall howto

#36 Post by drokmed »

UPDATE: Upgrade to SQUEEZE howto document is now available:

http://www.abazaba.org/debian/firewall.html

Please note: I consider this a complete, but draft document at this time. These are my notes from performing one upgrade from etch to lenny to squeeze. I am continuing to test the firewall, and update this document.

This weekend, I will be upgrading one of our production firewalls from etch to lenny to squeeze, and updating this document again. Once I have confirmed this document is ready for general usage, I'll let y'all know...

As always, feedback is always welcome.

Once this document is considered complete, I will begin re-writing the original howto, specifically for a fresh squeeze install. Fun fun fun! I plan on adding a ton of goodies to that one! I'll go back and explore everyone's feedback, especially Steve's work, and hopefully we'll produce a document that is much more extensive and useful, and hopefully a bit simpler too! I realize this is mind-numbing stuff to many... I think it's worth it.

Absent Minded
Posts: 3464
Joined: 2006-07-09 08:50
Location: Washington State U.S.A.

Re: requesting feedback on my CORPORATE firewall howto

#37 Post by Absent Minded »

Hey, thanks!! I had a great time reading through things. It looks great!! I will be thinking about upgrading from Lenny to Squeeze on one of my servers soon so this has given me some food for thought. I am glad to see things went smoothly, but then, it is Debian so upgrades without incident are the norm and not the exception.

jason.rgd
Posts: 19
Joined: 2010-07-15 05:00

Re: requesting feedback on my CORPORATE firewall howto

#38 Post by jason.rgd »

didn't read this entire post and its replies.. but I'm taking the suggestion of installing this and testing this on a debian 5 "lenny" server... Can you send me the instructions on a fresh lenny install...

Absent Minded
Posts: 3464
Joined: 2006-07-09 08:50
Location: Washington State U.S.A.

Re: requesting feedback on my CORPORATE firewall howto

#39 Post by Absent Minded »

There is a link back a few posts that you should view. And you will also be able to download the how-to from there. There was not a big difference in the way things worked in Etch and the way they worked in Lenny so the firewall is easily usable for both.

With that said, a couple of quick notes:
Webmin needs to be downloaded from the Webmin site these days as it is no longer in the Debian repository.

You will need ClamAV from backports.org (I believe, unless I missed something and it is included in the volatile repo).

Those are about the only two things I can think of off the top of my head that will make the original how-to a bit different. Be sure to also download the updated upgrade to Squeeze info as you might miss out on something otherwise. It works well and is very "common sense" oriented. Also, I expect by the end of the year that Squeeze will be the new stable.. something to consider a bit as Lenny is getting a bit old, although not out of date really (depending on one's view).

jason.rgd
Posts: 19
Joined: 2010-07-15 05:00

Re: requesting feedback on my CORPORATE firewall howto

#40 Post by jason.rgd »

thanks for the reply... will give a try...

drokmed
Posts: 1162
Joined: 2007-10-03 19:24
Location: Saint Petersburg, FL

Re: requesting feedback on my CORPORATE firewall howto

#41 Post by drokmed »

Okay folks,

MAJOR UPDATE:

I just posted the draft of the SQUEEZE updated version of this training doc:

http://www.abazaba.org

Squeeze will go stable soon, how soon? I don't know, but I'm thinking maybe another month or so. That doesn't give me much time to finish filling in some of the many details I've added to this document.

This training guide went from 30 pages to 74. Tons of useful information added. More to come.

I welcome feedback.

codge
Posts: 207
Joined: 2008-03-22 17:35

Re: requesting feedback on my CORPORATE firewall howto

#42 Post by codge »

Once again you've done a cracking job! I hope you continue to update this how to as debian progresses, as it sets the standards that people should follow when setting up a firewall. Very well written.

regards

drokmed
Posts: 1162
Joined: 2007-10-03 19:24
Location: Saint Petersburg, FL

Re: requesting feedback on my CORPORATE firewall howto

#43 Post by drokmed »

Thanks man, very kind of you

steveeflypg
Posts: 4
Joined: 2009-09-10 10:07
Location: UK

Re: requesting feedback on my CORPORATE firewall howto

#44 Post by steveeflypg »

Hi Drokmed
Only 1/2 way through the latest draft but excellent job!!
That's clarity encapsulated in an easy read! Nice one.
Tidy visual layout too..
No healthy criticisms really - only saw a couple of typos, and a sentence/paragraph discontinuity so far (probably me - it was 1.30am..), nothing that an auto spell check and an English class with Stephen Fry won't fix! haha.. (you probably don't know who he is eh? Dr House's old Cambridge "chum" in real life)
Will get back to you on the rest soon.
I have also got a lot of varied Linux Admin and Network info up on my site now:
http://www.stevepedwards.com
including a lot of research and links from my Uni Project, originally based on your document, as you know, that is included in the Appendix that may help some people who wish for further reading.
One area you mentioned "in passing" that I would be interested in you expanding on and explaining further (yeah I know - what? you haven´t done enough already?! Jeez..), is server "hardening guidelines"..maybe a link there at least would be good? - to learn more on these principles, or maybe a check list approach?

1: Is server encased in kryptonite?
2: Is UPS nuclear powered?
3: Is site documentation chiselled in stone and proof read by Moses..etc, etc.. ?

take it easy
S

drokmed
Posts: 1162
Joined: 2007-10-03 19:24
Location: Saint Petersburg, FL

Re: requesting feedback on my CORPORATE firewall howto

#45 Post by drokmed »

Hi Steve,

Thanks for the critique. I look forward to hearing more of your input. I'm a big House fan, didn't know Stephen Fry though. I'm checking out your website, looks like you've added some things since I checked it last. Tons of stuff!

Thanks for the hardening suggestion, I do have notes to add hardening info at the end of the document, haven't typed up my notes yet. I'm still light on that part though, need more meat. I'm definitely open to your suggestions.

Cheers

Absent Minded
Posts: 3464
Joined: 2006-07-09 08:50
Location: Washington State U.S.A.

Re: requesting feedback on my CORPORATE firewall howto

#46 Post by Absent Minded »

Drokmed my friend!! This is totally awesome and I thought that your other work was but this completely blows me away. Not to mention that even on my crappy home setup the formatting is splendid, clear and looks completely perfect to me. That said, I haven't even gotten very far. Things being what they are here I keep having to take care of this or that and not much time to myself to sit and read. Still, if the small bit I have read and seen is any indication of the rest of your work here, man it is really something. I kid you not.

I hope to have other input for you but so far I haven't seen anything I would change if I could.

Awesome Job. I even sent a copy to my brother to read as the network of schools he admins could really make use of this. Anyway, he has very little time but I know he is always looking for things to lessen his work load.. On salary and working 50+ of course a week.

spilikin
Posts: 1
Joined: 2010-10-28 21:44

Re: requesting feedback on my CORPORATE firewall howto

#47 Post by spilikin »

Hi,

First, you have a very well written howto. I've been a linux user for quite some time, but am now getting around to setting up a firewall for my home network. I'm running a fresh squeeze install with a DSL static IP address, dual nic and a local network 192.158.5.x behind it. I've followed the howto to the letter (except for replacing my .5. network for your .1.). Everything works flawlessly until I get to section 6.3.3.2 Test Squid Transparently.

In this step, I reset my browser so as not to use the proxy settings, and then edit shorewall rules and uncomment the REDIRECT line, check and restart shorewall. However, now when I go to a web page I get the error below (also, see the test for /var/log/squid/access.log). The one thing I have done to make it work is add the "transparent" option to the http_port 192.168.5.1:3128 line in /etc/squid/squid.conf so it reads http_port 192.168.5.1:3128 transparent. However, I am unsure if shorewall is intercepting the traffic and redirecting it to squid. I humbly request your opinion - am I configured for transparent squid access thru shorewall as intended in your howto?

ERROR

The requested URL could not be retrieved

Invalid Request error was encountered while trying to process the request:

GET / HTTP/1.1
Host: www.google.com
Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_8; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: rememberme=true; PREF=ID=4ce1de8308ae2783:U=8398b580924194db:TM=1270682422:LM=1286237760:GM=1:S=xFkBmHxsgOb2Qcmj; HSID=AtWP4kSe2u56c5rKM; SS=DQAAALYAAAAUfJ7fKCmbNjxkpo_FpJqCMwMUYVzRY_ufFg4EytGrieSx1l4K-QOUWK2Y2kW0ogehbFIUjD7VJ-Od1sk9RXCgQdcoIIbD62v2eVzK-_lNjm_pWDLC4TctDFvNwWqlwfe6mc8Q2jBZOFvGEeR3mWD0H5XmZA38rh_-Xr7fhDWJjVWWcFIElI2AUEsvyoJOPFDPSW2MNz2e7QPuvMBJ9DzfwVouecAUzRO1F8rflJC-ZTVBEgwsnlQQbaHkLXdmPyU; NID=40=nC8uIVCCkvPPckaJYJLRDMVhMGJ__wLP15yD6C7wB1R--gTgVod9c5_YzxjZZv91oXAQLFSunyuNJGWq4fX2dIb7wk0wxC2EGZ8A1ZqXHVcrHr9HUP3gLNyW0cH5FUi1; SID=DQAAALQAAABbQZXk5sNY0bESCr-Su356tSis45szMEILRHej0GmsRCW6ac7vJ9FLK2IJyfPqy1vQKXgW9QI5ilfSJ2eFBUKkKWMPWKIAVdqFO2yomQz975qfVsdjgKvCcadhmGSIvd8WvdbyUE1eVqhdIFR4U7FfH-Zv-QlTojW3lv1F2tBWZgqEOvdOsNPhd99xRTIjpq7wwclS5n71L_-DJaZR22icMbviFxlfODqZsX-249akn7tStYmaQB2qYltzDFD6BL4

Some possible problems are:

Missing or unknown request method.

Missing URL.

Missing HTTP Identifier (HTTP/1.0).

Request is too large.

Content-Length missing for POST or PUT requests.

Illegal character in hostname; underscores are not allowed.

HTTP/1.1 Expect: feature is being asked from an HTTP/1.0 software.

Your cache administrator is linuxadmin.


Generated Wed, 27 Oct 2010 03:52:14 GMT by cartman.xxxx.xxx (squid/2.7.STABLE9)

root@cartman:/home/chad# tail /var/log/squid/access.log

1288151543.374 0 192.168.5.20 TCP_DENIED/400 2266 GET NONE:// - NONE/- text/html
1288151544.865 0 192.168.5.20 TCP_DENIED/400 4349 GET NONE:// - NONE/- text/html
1288151551.263 0 192.168.5.20 TCP_DENIED/400 2968 GET NONE:// - NONE/- text/html
1288151551.263 0 192.168.5.20 TCP_DENIED/400 2952 GET NONE:// - NONE/- text/html
1288151566.265 0 192.168.5.20 TCP_DENIED/400 2967 GET NONE:// - NONE/- text/html
1288151566.265 0 192.168.5.20 TCP_DENIED/400 2952 GET NONE:// - NONE/- text/html
1288151581.267 0 192.168.5.20 TCP_DENIED/400 2968 GET NONE:// - NONE/- text/html
1288151581.267 0 192.168.5.20 TCP_DENIED/400 2952 GET NONE:// - NONE/- text/html
1288151596.269 0 192.168.5.20 TCP_DENIED/400 2952 GET NONE:// - NONE/- text/html
1288151596.270 0 192.168.5.20 TCP_DENIED/400 2968 GET NONE:// - NONE/- text/html

drokmed
Posts: 1162
Joined: 2007-10-03 19:24
Location: Saint Petersburg, FL

Re: requesting feedback on my CORPORATE firewall howto

#48 Post by drokmed »

Hi,
spilikin wrote:First, you have a very well written howto. I've been a linux user for quite some time, but am now getting around to setting up a firewall for my home network. I'm running a fresh squeeze install with a DSL static IP address, dual nic and a local network 192.158.5.x behind it. I've followed the howto to the letter (except for replacing my .5. network for your .1.). Everything works flawlessly until I get to section 6.3.3.2 Test Squid Transparently.
Glad to hear somebody is trying this document :) Thanks for the feedback.
spilikin wrote:In this step, I reset my browser so as not to use the proxy settings, and then edit shorewall rules and uncomment the REDIRECT line, check and restart shorewall. However, now when I go to a web page I get the error below (also, see the test for /var/log/squid/access.log). The one thing I have done to make it work is add the "transparent" option to the http_port 192.168.5.1:3128 line in /etc/squid/squid.conf so it reads http_port 192.168.5.1:3128 transparent.
Thanks, I forgot to add the "transparent" to that section, will do.
spilikin wrote:However, I am unsure if shorewall is intercepting the traffic and redirecting it to squid. I humbly request your opinion - am I configured for transparent squid access thru shorewall as intended in your howto?
I can see from what you posted that shorewall is working perfectly. If the problem was shorewall, nothing would show up in the squid log. Shorewall is forwarding it, but squid is rejecting it. By the way, thanks for posting the squid log, that provides the answer.

Squid is rejecting it. That web page you get is generated from the squid service running on your firewall:
spilikin wrote:Your cache administrator is linuxadmin.
Generated Wed, 27 Oct 2010 03:52:14 GMT by xxxxx.xxxx.xxx (squid/2.7.STABLE9)
Squid is rejecting it, because it doesn't like the IP address:
spilikin wrote:1288151543.374 0 192.168.5.20 TCP_DENIED/400 2266 GET NONE:// - NONE/- text/html
We need to tell squid to allow requests from 192.168.5.20 (and any other pc's on the local lan).

Your squid acl's need to allow pc's from the local lan to talk to it directly.

In your /etc/squid/squid.conf file, make sure you have both the define and allow "localnet" enabled, put it before the "deny all" line, your acl's need this:


acl localnet src 192.168.5.0/24
http_access allow localnet
http_access deny all
That should do it. Restart squid.

Keep in mind, later, when you enable dansguardian, you will have to take out the "transparent" option in squid (I'll add that to the guide). You will have to take out the 5.1 ip too, since dansguardian runs on 127.0.0.1.

You have nearly caught up to me in the how-to. I enjoyed some vacation time, and haven't gotten back to finishing this draft document. I guess it's time to dive back in.

Thank you for posting this issue. You have helped me identify an omission from the guide that I probably wouldn't have noticed.

Cheers
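An added example for the squid exchange above; this is not code from the original posts or from the howto. It parses squid 2.7 native access.log lines in the format spilikin posted and tells apart the two ways a transparent-proxy setup denies a request: TCP_DENIED/400 with a NONE:// URL is what squid logs when an intercepted "GET / HTTP/1.1" reaches an http_port that lacks the transparent option and squid cannot reconstruct a URL, whereas a denial by an http_access rule keeps the full URL and logs TCP_DENIED/403. It then evaluates a squid-style http_access list with squid's first-match-wins semantics to show why "allow localnet" has to sit before "deny all", and why the localnet prefix has to be the LAN actually in use (192.168.5.0/24 here, not the howto's .1 network). The 400 log line is copied from the post; the 403 and 200 lines, the 10.0.0.5 client and the DIRECT/74.125.0.1 peer are constructed.

```python
import ipaddress
import re

# Squid 2.7 "native" access.log fields:
# timestamp elapsed client action/status bytes method URL ident hierarchy/host content-type
LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<action>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+"
    r"(?P<hier>\S+)\s+(?P<ctype>\S+)$"
)

# First line is copied from the post; the other two are constructed for contrast.
SAMPLE_LOG = """\
1288151543.374      0 192.168.5.20 TCP_DENIED/400 2266 GET NONE:// - NONE/- text/html
1288151600.000      0 192.168.5.20 TCP_DENIED/403 1200 GET http://www.google.com/ - NONE/- text/html
1288151610.000    120 192.168.5.20 TCP_MISS/200 5432 GET http://www.google.com/ - DIRECT/74.125.0.1 text/html
"""


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not native format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def diagnose(entry):
    """Map one access.log entry to the squid-side condition that produced it."""
    if entry["action"] != "TCP_DENIED":
        return "served"
    if entry["status"] == 400 and entry["url"].startswith("NONE://"):
        # Squid could not build a URL from "GET / HTTP/1.1": the intercepted
        # request hit an http_port that lacks the transparent (intercept) flag.
        return "400 no URL: http_port is missing the transparent option"
    if entry["status"] == 403:
        # The URL was reconstructed fine; an http_access deny rule matched.
        return "403 forbidden: denied by http_access (check ACL order and localnet)"
    return "denied with status %d" % entry["status"]


def classify_log(text):
    """Diagnose every parseable line; returns a list of (client, url, diagnosis)."""
    results = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry:
            results.append((entry["client"], entry["url"], diagnose(entry)))
    return results


def evaluate_http_access(rules, acls, client_ip):
    """
    Squid http_access semantics: lines are checked in order, the first match
    decides, and if nothing matches the default is the opposite of the last line.
    `rules` is a list of (verb, acl_name); `acls` maps acl names to src prefixes.
    """
    ip = ipaddress.ip_address(client_ip)
    for verb, name in rules:
        if name == "all":
            return verb
        if any(ip in ipaddress.ip_network(prefix) for prefix in acls[name]):
            return verb
    if not rules:
        return "allow"
    return "deny" if rules[-1][0] == "allow" else "allow"


# The fix given in the post: define localnet for the LAN actually in use and
# allow it before the catch-all deny.
ACLS_LAN5 = {"localnet": ["192.168.5.0/24"]}
RULES_OK = [("allow", "localnet"), ("deny", "all")]
# Same two lines in the wrong order: "deny all" matches first, localnet never applies.
RULES_WRONG_ORDER = [("deny", "all"), ("allow", "localnet")]
# The howto's prefix left unchanged on a .5 network: the client is outside localnet.
ACLS_HOWTO = {"localnet": ["192.168.1.0/24"]}


if __name__ == "__main__":
    for client, url, why in classify_log(SAMPLE_LOG):
        print(client, url, "->", why)
    for label, rules, acls in [("correct", RULES_OK, ACLS_LAN5),
                               ("wrong order", RULES_WRONG_ORDER, ACLS_LAN5),
                               ("howto prefix", RULES_OK, ACLS_HOWTO)]:
        print(label, "->", evaluate_http_access(rules, acls, "192.168.5.20"))
```

Run it against a real /var/log/squid/access.log by replacing SAMPLE_LOG with the file contents. Note that "transparent" is the squid 2.x keyword; squid 3.1 and later spell the same http_port option "intercept".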

JohnDeere630
Posts: 632
Joined: 2006-09-02 02:01

Re: requesting feedback on my CORPORATE firewall howto

#49 Post by JohnDeere630 »

Finally got time to check out your how-to & I have only one thing to say: Awesome! I thought, after reading the beginning of it, it would be mostly over my head. Not so, either I am smarter than I look (unlikely) or you have done a superlative job of explaining things. I have read through it twice & will be starting to build it this week. This is just a practice firewall for my home network, but I can see a real use for this for some of my clients. When I get it finished, I'll let you know how it went. I am no network guru, so I look forward to a real learning experience, akin to building my first MythTV server.

Xylock
Posts: 42
Joined: 2007-04-11 13:28

Re: requesting feedback on my CORPORATE firewall howto

#50 Post by Xylock »

Hey dude,

Just checking out your build again, since you've updated it ^^ Just spent like 2 days scouring the internet for the fix re:transparent squid mentioned above >< Wish I'd checked here first!

Hope you're well. Good job!

Neil.
Using rm -rvf * to remove old backups... lazy.
Realising you were in / as root ... priceless.
