MNF2 Firewall
Notes:
Create outgoing accept rules for DHCP responses: fw:lan, fw:wifi udp 67-68
Status messages are sent from the firewall via SMTP. Make sure you open an outgoing rule in the firewall that allows it to send these messages.
Firewall rules
Port forwarding rules
To forward ports from WAN:
DNAT
Service to forward (port)
Client: WAN
Server: LAN, internal IP address
Forwarding address: public IP address (if more than one)
Loopback rules
With MNF 2, to get loopback rules, you need to limit the from address. Otherwise you'll do SNAT for all incoming connections, making the entire Internet look like it's coming from the LAN zone! We were an open relay for a couple of days because of this.
DNAT
Forward all ports, tcp+udp
Client: LAN private IP/netmask (use the full dotted style)
Server: LAN, internal IP address
Prevent password expiration
Add these lines to /etc/security/msec/level.local:
no_password_aging_for("root")
no_password_aging_for("admin")
no_password_aging_for("john")
Allow secured SSH access from everywhere
Add this to /etc/hosts.allow:
sshd:ALL:ALLOW
Copy your ssh public key to ~/.ssh/authorized_keys
Change this setting in /etc/ssh/sshd_config:
PasswordAuthentication no
SSH access to both firewall and forwarded to server on LAN
1. Create a DNAT rule to forward port 22 to the appropriate LAN server:
DNAT wan lan:172.16.0.1:22 tcp 22
2. Create a DNAT rule to forward port 222 to port 22 on the firewall. If the firewall has a dynamic WAN address, you can use a static LAN address as the destination IP address:
DNAT wan:216.231.62.127 fw:172.16.0.2:22 tcp 222
NTP Cron job
In the Beta, the NTP cron job gets restored whenever you hit the NTP settings in the web page. It restores a job that attempts to pipe to /dev/null instead of redirecting stdout/stderr there. The template for this file should probably be changed so it redirects output properly.
The CVS version apparently fixes this by setting ntpd to auto-update instead of needing a cron job.
CA Certificate manager
Certificates are generated and put into /etc/freeswan/ipsec.d/certs and keys into /etc/freeswan/ipsec.d/private. The CA cert is put into /etc/freeswan/ipsec.d/cacerts, and we needed to create /etc/freeswan/ipsec.d/newcerts as a temporary directory before certificate generation worked properly.
See Running a CA for more.
OpenVPN
We haven't found the OpenVPN interface to be that useful. We just create the appropriate server OpenVPN files and drop them into /etc/openvpn. The trick is getting the firewall configured to accept connections correctly.
We've opened two different ports for the VPN: UDP 1194 (default OpenVPN port) and TCP 443 (alternate port that's nearly always open through firewalls).
To set up the firewall for OpenVPN:
1. In the Zones interface, create a VPN zone, and make sure it's above the WAN zone in the list.
2. In the Interfaces list, add tun0 and tun1 to the VPN zone. Apply.
3. Add a default Policy for the VPN tunnel. We typically set vpn:all to ACCEPT, and apply.
4. Create a "tunnel" for each port and zone combination you want to enable: usually generic:udp:1194 wan, generic:tcp:443 wan, and generic:udp:1194 wifi.
5. Create the OpenVPN configs:
[root@peachpit shorewall]# more /etc/openvpn/freelock.conf
# Generated by openvpn-setup.pl
port 1194
proto udp
dev tun
# Multi-client server
mode server
tls-server
# Diffie-Hellman parameters.
# Generate your own with:
#   openssl dhparam -out dh1024.pem 1024
# Substitute 2048 for 1024 if you are using
# 2048 bit keys.
dh dh1024.pem
# Any X509 key management system can be used.
# OpenVPN can also use a PKCS #12 formatted key file
# (see pkcs12 directive in man page).
ca ca.crt
cert ovpn-server.crt
key ovpn-server.key
# Routed VPN or Bridged VPN
server 192.168.167.0 255.255.255.0
;ifconfig-pool-persist ipp.txt
tls-auth ta.key 0
# Advertise subnets to client
push "route 192.168.9.0 255.255.255.0"
push "dhcp-option DNS 192.168.9.39"
push "dhcp-option WINS 192.168.9.39"
push "dhcp-option DOMAIN freelock.lan"
client-to-client
# Keep Alive
keepalive 15 120
# It's a good idea to reduce the OpenVPN
# daemon's privileges after initialization.
user nobody
group nogroup
# The persist options will try to avoid
# accessing certain resources on restart
# that may no longer be accessible because
# of the privilege downgrade.
persist-key
persist-tun
# Output a short status file showing
# current connections, truncated
# and rewritten every minute.
status openvpn-status.log
log-append openvpn-log
# Use LZO compression (with adaptive shutoff)
comp-lzo
# Verbosity
verb 3
6. Create/copy a dh1024.pem file, the ca.crt, and the server cert and key to the /etc/openvpn directory. Also a tls-auth passphrase or key.
7. Start the openvpn server.
8. Create and distribute a client config file:
[root@hunter openvpn]# more freelock.conf
# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client
# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun
# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one. On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap
# Are we connecting to a TCP or
# UDP server? Use the same setting as
# on the server.
;proto tcp
proto udp
# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
;remote 192.168.119.254 1194
remote foraker.freelock.com 1194
;remote 216.231.62.115 443
;remote 216.231.62.127 1194
;remote my-server-2 1194
float
# Choose a random host from the remote
# list for load-balancing. Otherwise
# try hosts in the order specified.
;remote-random
# Keep trying indefinitely to resolve the
# host name of the OpenVPN server. Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite
# Most clients don't need to bind to
# a specific local port number.
nobind
# Downgrade privileges after initialization (non-Windows only)
;user nobody
;group nogroup
# Try to preserve some state across restarts.
persist-key
persist-tun
# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here. See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]
# Wireless networks often produce a lot
# of duplicate packets. Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings
# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
ca ca.crt
cert hunter.freelock.lan.crt
key hunter.freelock.lan.key
# Verify server certificate by checking
# that the certificate has the nsCertType
# field set to "server". This is an
# important precaution to protect against
# a potential attack discussed here:
#   http://openvpn.net/howto.html#mitm
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server". The build-key-server
# script in the easy-rsa folder will do this.
ns-cert-type server
# If a tls-auth key is used on the server
# then every client must also have the key.
tls-auth ta.key 1
# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
;cipher x
# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
comp-lzo
# Set log file verbosity.
verb 3
# Silence repeating messages
;mute 20
pull dhcp-options
up /etc/openvpn/client.up
down /etc/openvpn/client.down
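The comments in the server config (step 5) and client config (step 8) above list several settings that must agree on both ends (proto, comp-lzo, cipher, tls-auth with key direction 0/1) plus the client-side ns-cert-type check and the server-side privilege drop. The script below is an added example, not part of these notes or of OpenVPN itself: it parses a server/client config pair and reports those mismatches before you distribute the client file. The config strings inside it are constructed for the demo; remote-cert-tls is accepted as the newer equivalent of ns-cert-type.

```python
# Added example (not from the MNF2 notes or the OpenVPN project): check a
# server/client config pair for the mismatches the config comments warn about.
# The config text below is constructed for the demo, not the firewall's files.

def parse_ovpn(text):
    """Map directive -> argument list; lines starting with '#' or ';' are comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        name, *args = line.split()
        conf[name] = args          # repeated directives (e.g. push) keep the last one
    return conf

def check_pair(server_text, client_text):
    """Return a list of problems; an empty list means the pair is consistent."""
    s, c = parse_ovpn(server_text), parse_ovpn(client_text)
    problems = []
    if s.get("proto", ["udp"]) != c.get("proto", ["udp"]):
        problems.append("proto mismatch")
    if ("comp-lzo" in s) != ("comp-lzo" in c):
        problems.append("comp-lzo set on only one side")
    if "cipher" in s and c.get("cipher") != s["cipher"]:
        problems.append("cipher set on server but not matched on client")
    if "tls-auth" in s:            # same key both sides, direction 0 server / 1 client
        if "tls-auth" not in c:
            problems.append("tls-auth on server but missing on client")
        elif s["tls-auth"][1:] != ["0"] or c["tls-auth"][1:] != ["1"]:
            problems.append("tls-auth key direction should be 0 (server) / 1 (client)")
    if "ns-cert-type" not in c and "remote-cert-tls" not in c:
        problems.append("client does not check the server certificate role")
    for d in ("user", "group", "persist-key", "persist-tun"):
        if d not in s:             # drop root after init; keep key/tun across restarts
            problems.append(f"server missing {d}")
    return problems

# Constructed sample configs (not the real freelock.conf files).
SERVER = ("proto udp\ndev tun\nmode server\ntls-server\ntls-auth ta.key 0\n"
          "user nobody\ngroup nogroup\npersist-key\npersist-tun\ncomp-lzo\n")
CLIENT_OK = ("client\ndev tun\nproto udp\nremote vpn.example.test 1194\n"
             "tls-auth ta.key 1\nns-cert-type server\ncomp-lzo\n")
CLIENT_BAD = ";proto udp\nproto tcp\nclient\ndev tun\ntls-auth ta.key 1\n"

if __name__ == "__main__":
    print(check_pair(SERVER, CLIENT_OK))    # []
    for p in check_pair(SERVER, CLIENT_BAD):
        print("problem:", p)
```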