###############################################################################
INSTRUCTIONS FOR CONFIGURING NETWORK.CONF
###############################################################################

Version: 1.0

Revision History:
    1.0 - April 7, 2000   Initial release by Charles Steinkuehler

TODO:
    Find someone who can explain some of the bridging and fair queueing
    parameters.
    Add parameters from the 'Full Goods' example network.conf, which lists
    some additional border router setup stuff.
    Add more stuff to the hints & tips section.

###############################################################################
OVERVIEW
###############################################################################

This document is an attempt to document how to use the settings available in
network.conf to customize your Materhorn, Eiger, or other LRP system that uses
the same script setup (hereafter collectively referred to as Materhorn).

This document covers two different versions of the Materhorn scripts: the
original scripts released by Matthew Grant as part of his 2.2.x kernel LRP
distributions, and an extended version of the scripts released by Charles
Steinkuehler to provide some additional features without having to directly
edit ipfilter.conf.

I have attempted to document not only the appropriate settings for a
particular variable, but also to indicate why the variable exists, and what
sort of application it might be used for.

###############################################################################
CONFIGURING NETWORK.CONF
###############################################################################

Almost everything required to configure networking in a Materhorn LRP
distribution can be done by editing the /etc/network.conf file. This document
is an attempt to explain how to go about modifying network.conf for your
particular environment, and point out some common pitfalls to avoid when
trying to customize your LRP configuration.
I am going to start off describing the basics, and work towards more advanced
settings. You will also probably want to use the reference section, which
attempts to describe all the possible settings you can use in network.conf,
and what each of them does.

This document is based around building an ethernet to ethernet firewall box,
because that is what I have used LRP for, and what I am most familiar with.
The Materhorn LRP scripts can also be used to set up a generic router, or a
'border router', which I will briefly discuss.

This is not a general purpose LRP HOWTO. It is assumed you have read some of
the various HOWTO's, or are familiar with LRP in general and Materhorn in
particular. It is also assumed that you have added any required modules to
talk to your network hardware, and have configured the modules package so
they are loaded on boot. If you do not know how to do this, go to
http://lrp.c0wz.com and browse through some of the documentation available.

###############################################################################
GENERAL SETTINGS
###############################################################################

Here you can control some of the general behavior of the configuration
scripts. The most important settings from a functionality standpoint are
IPFWDING_KERNEL and IPALWAYSDEFRAG_KERNEL.

IPFWDING_KERNEL:
    You almost certainly want to turn on IP forwarding, or your LRP box will
    not route IP packets between interfaces. You may want forwarding off if
    you plan on running proxy servers for all required protocols, instead of
    using the IP masquerading built in to the kernel. I like to use the
    FILTER_ON setting for forwarding, which doesn't enable packet forwarding
    until the firewall rules have been put into place.

IPALWAYSDEFRAG_KERNEL:
    You probably want this on if you are using LRP as your connection to the
    internet. This causes LRP to re-assemble any fragmented packets it
    receives before applying the firewall rules.
    Fragmented packet attacks are one of the standard ways to 'tunnel
    through' a packet filtering firewall. If your LRP box is serving as a
    router in the middle of a complex network, you probably want this switch
    off, to comply with the RFC's.

CONFIG_xxx:
    I like to set all the CONFIG_xxx lines to yes, and use network.conf to
    create my hostname, hosts, and resolv.conf files. If you are a linux guru
    and want to create these by hand, set these switches to NO. If you create
    these files manually, remember to back up etc.lrp before rebooting, or
    you will lose any changes you made.

###############################################################################
INTERFACES
###############################################################################

Interfaces can be configured three different ways under LRP. You can let the
Materhorn scripts automatically configure the interface for you (HIGHLY
recommended), you can manually start and stop the interfaces using the
Materhorn scripts, or you can configure the interfaces outside of the
Materhorn script environment.

For each interface you want the scripts to automatically configure, you need
to add that interface to the IF_AUTO list. The interfaces are brought up in
order from left to right, and shut down from right to left.

For interfaces you want to be able to manually start and stop using the
Materhorn scripts, you need to add the interface name to the IF_LIST
variable. To manually start the interface, use the command:

    /etc/init.d/network 1

For both of the above configurations, you need to create a set of interface
configuration variables, which control things like the IP address, netmask,
etc. This is discussed below.

If you want to configure interfaces outside of the Materhorn scripts, do not
reference the interfaces in the IF_LIST or IF_AUTO, to avoid potential
conflict when both your external script and the Materhorn scripts try to
configure the same interface.
###############################################################################
INTERFACE CONFIGURATION
###############################################################################

You need to provide the network configuration information for each interface
the Materhorn scripts are going to configure (either automatically or
manually). This is done using a series of variables that start with the
interface name.

At a minimum, each interface needs the following variables defined:

    xxx_IPADDR    - Sets the IP address of the interface
    xxx_MASKLEN   - Sets the interface mask length (do NOT use dot-quad
                    notation, this should be a number between 0 and 32)
    xxx_BROADCAST - Broadcast address to use for the interface

In addition, you may want to define these parameters:

    xxx_DEFAULT_GW         - This should be defined on your external
                             interface to tell LRP how to get packets 'to the
                             internet'.
    xxx_ALIASn             - Assigns additional IP addresses to an interface,
                             useful if you have several static external IP
                             addresses.
    xxx_IP_SPOOF           - Unless you have a good reason not to, set this
                             to 'YES'
    xxx_IP_KRNL_LOGMARTIANS - Unless you have a good reason not to, set this
                             to 'YES'

Unless you have an odd network configuration, or want to use Fair Queueing,
you shouldn't need to set the other per-interface variables. They are listed
here for completeness. See the reference section for details.

    xxx_IP_SHARED_MEDIA
    xxx_BRIDGE
    xxx_PROXY_ARP
    xxx_FAIRQ
    xxx_TXQLEN
    xxx_BNDWIDTH
    xxx_HNDL
    xxx_IABURST
    xxx_IARATE
    xxx_PXMTU

###############################################################################
IP FILTER SETUP
###############################################################################

You have now told the Materhorn scripts how to configure your interfaces, but
you still can't talk to the outside world. You now have to configure the
firewall rules. In its simplest form, this is really pretty easy, as the
built-in rule set is fine for most users.
If you need to, you can do fancy things like open ports, and port-forward
services from the LRP box to internal machines.

The first variable you need to set is the IPFILTER_SWITCH. This can be set to
one of three possible values: none, router, or firewall.

When set to none, the LRP box does no packet filtering, but doesn't forward
any packets, either. This is probably not too useful to most folks.

If IPFILTER_SWITCH is set to router, the filter rules are set up to allow IP
forwarding between the various interfaces defined on the LRP box. This is
mainly used for traditional router applications, although there is a
'border_router' switch, that puts some firewall filtering rules in place. You
might want to look into this if you are lucky enough to have a block of
public IP addresses for your internal network, and an ISP that is willing to
talk to your router.

The last option, firewall, will probably be what most 'home users' will want.
This creates an internal network of private RFC 1597 addresses, and
masquerades them behind a single public IP address. A pretty good set of
packet filtering rules is also put into place, adding security and multiple
machine access to a single high speed network connection (typically
cable-modem or xDSL).

###############################################################################
ROUTER CONFIGURATION
###############################################################################

I have not configured LRP as a router, so don't really feel comfortable
telling you how to set up your configuration. If you use a Materhorn based
LRP in the router configuration, please take some time to document the
particulars of this setup.
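Before the FIREWALL CONFIGURATION section below goes through the individual settings, here is an added example (not from the original document, and not the Materhorn scripts' own code): a constructed minimal network.conf for the firewall case, followed by a small sh check for the two pitfalls the text calls out, a dot-quad MASKLEN and an EXTERN_IP or INTERN_IP that does not repeat the per-interface xxx_IPADDR. The addresses, the INTERN_NET format and the check functions are assumptions; the variable names are the ones network.conf uses.

```shell
#!/bin/sh
# Added example, not from the original document: a constructed network.conf
# fragment for the IPFILTER_SWITCH=firewall case (eth0 external, eth1
# internal), plus a check for the pitfalls the text warns about.  Addresses
# are made up; the check functions are hypothetical, the variable names are
# the ones network.conf uses.

# --- constructed network.conf fragment ------------------------------------
IPFWDING_KERNEL=FILTER_ON            # forward only once the filter rules are in
IPALWAYSDEFRAG_KERNEL=YES            # reassemble fragments before filtering
IF_AUTO="eth0 eth1"                  # started left to right, stopped right to left

eth0_IPADDR=203.0.113.10             # public address from the ISP (constructed)
eth0_MASKLEN=24                      # prefix length, NOT 255.255.255.0
eth0_BROADCAST=203.0.113.255
eth0_DEFAULT_GW=203.0.113.1          # only the external interface gets a default gw
eth0_IP_SPOOF=YES
eth0_IP_KRNL_LOGMARTIANS=YES

eth1_IPADDR=192.168.1.1              # private address for the internal network
eth1_MASKLEN=24
eth1_BROADCAST=192.168.1.255
eth1_IP_SPOOF=YES
eth1_IP_KRNL_LOGMARTIANS=YES

IPFILTER_SWITCH=firewall
EXTERN_IF=eth0
EXTERN_IP=203.0.113.10               # must repeat eth0_IPADDR exactly
INTERN_IF=eth1
INTERN_IP=192.168.1.1                # must repeat eth1_IPADDR exactly
INTERN_NET=192.168.1.0/24            # format assumed: network/masklen
MASQ_SWITCH=YES

# --- consistency check (hypothetical helper, not part of the LRP scripts) --

# Read a variable whose name is built at run time, e.g. get_var eth0_IPADDR
get_var() { eval "printf '%s' \"\${$1}\""; }

# A mask length must be an integer from 0 to 32; dot-quad masks are rejected.
valid_masklen() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -le 32 ]
}

# Returns 0 when every interface in IF_AUTO has its minimum variables and the
# firewall's EXTERN_IP/INTERN_IP agree with the per-interface xxx_IPADDR.
# Prints one line per problem found.
check_firewall_conf() {
    rc=0
    for ifc in $IF_AUTO; do
        for v in IPADDR MASKLEN BROADCAST; do
            [ -n "$(get_var "${ifc}_$v")" ] ||
                { echo "$ifc: ${ifc}_$v is not set"; rc=1; }
        done
        valid_masklen "$(get_var "${ifc}_MASKLEN")" ||
            { echo "$ifc: ${ifc}_MASKLEN must be 0-32, not a dot-quad mask"; rc=1; }
    done
    # With EXTERN_DHCP=YES the scripts read the address off the interface,
    # so EXTERN_IP need not be set by hand.
    if [ "$EXTERN_DHCP" != "YES" ] &&
       [ "$EXTERN_IP" != "$(get_var "${EXTERN_IF}_IPADDR")" ]; then
        echo "EXTERN_IP ($EXTERN_IP) differs from ${EXTERN_IF}_IPADDR"; rc=1
    fi
    if [ "$INTERN_IP" != "$(get_var "${INTERN_IF}_IPADDR")" ]; then
        echo "INTERN_IP ($INTERN_IP) differs from ${INTERN_IF}_IPADDR"; rc=1
    fi
    return $rc
}

check_firewall_conf && echo "network.conf: firewall settings are consistent"
```

Sourcing a real network.conf instead of the constructed block above (`. /etc/network.conf` before calling check_firewall_conf) gives the same check against your own settings.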
###############################################################################
FIREWALL CONFIGURATION
###############################################################################

External Interface:

At the very minimum, you need to configure:

    EXTERN_IF - Your External interface, typically eth0 or ppp0
    EXTERN_IP - The IP address of your external interface

IMPORTANT NOTE: You must enter the IP address of your external interface in
BOTH the EXTERN_IP field, and the appropriate per-interface xxx_IPADDR
variable.

If you have a dynamic IP address, you will need to set EXTERN_DHCP=YES, and
the script will read the external IP address directly from the interface.

Internal Interface:

At the very minimum, you need to configure:

    INTERN_IF  - Your Internal interface, typically eth1 or eth0
    INTERN_NET - The network specification for your internal network. This
                 is needed by the firewall rules. See the reference section
                 for details.
    INTERN_IP  - The IP address of your internal interface

IMPORTANT NOTE: You must enter the IP address of your internal interface in
BOTH the INTERN_IP field, and the appropriate per-interface xxx_IPADDR
variable.

Misc Setup:

For a typical firewall setup, you also need to set MASQ_SWITCH=YES, and
that's it. You should now have a working IP masquerading firewall setup.

###############################################################################
ADVANCED FIREWALL CONFIGURATION
###############################################################################

Once you get a basic firewall setup, you may want to customize it. Things you
might want to do include:

Open ports on the firewall machine to allow access to servers running on the
LRP box, such as telnet (not recommended), ssh (much better), or similar
services.

Port-Forward services from the LRP box to a machine on the internal network.
This lets you set up a service (like a mail or web server) on an internal
workstation, and let people on the internet access it using the public IP
address of your LRP box.

Port-Forward services from the LRP box to a machine on a private IP address
DMZ network. This is similar to the previous feature, but since the internal
server is on a separate network from your other workstations, it is
considerably more secure, especially if someone manages to hack the machine
providing public services.

Route packets to a DMZ network. This is a fairly advanced configuration. Use
this setup if you have registered a block of public IP addresses, and your
ISP is willing to route packets for this public space to your LRP box. This
is how the 'big boys' set up DMZs.

###############################################################################

Opening ports:

To open a port, first figure out who you want to give access to. 0/0 means
everyone on the internet. 1.2.3.4/32 means just your friend with the IP
address 1.2.3.4. You can also use something like 1.2.3.0/24, which allows
your friend at 1.2.3.4, and everyone else on his /24 network, access through
the firewall.

Once you know who you want to allow to connect, you need to specify the ports
they are allowed to connect to. You can specify individual ports using names
or numbers (see the /etc/services file for a list of common port names and
numbers), or you can specify a range of ports (see reference section for
details).

Finally, if you have more than one external IP address, you need to decide
which IP address to open the ports on. If you have a single IP address, or
are using the standard Materhorn scripts (which don't support IP aliases),
you don't have to worry about this.

The standard Materhorn scripts provide two variables to open ports on the
firewall: EXTERN_TCP_PORTS and EXTERN_UDP_PORTS. Each variable is a space
separated list of source address and destination port numbers.
The unspecified destination IP address is always the IP address of your
external interface.

The extended Materhorn scripts use three indexed variable lists to open
ports: EXTERN_TCP_PORTn, EXTERN_UDP_PORTn, and EXTERN_ICMP_PORTn. Each
variable contains a source IP address, destination port number, and
destination IP address. This allows one of possibly several external IP
addresses to be specified. The addition of the ICMP 'ports' (with ICMP,
'ports' are really ICMP types; see the reference section) is to allow ping
and/or other ICMP messages to make it through the firewall. If you do not
explicitly open the various ICMP types, the default firewall rules will deny
and log ICMP packets on all external IP addresses except the 'main' one
(EXTERN_IP).

IMPORTANT NOTE: If you want to port-forward a service, you have to open the
desired port with one of the methods above, or the firewall rules will deny
your packets, happily filling your log files, while the port-forward service
sits idle, patiently waiting for traffic.

###############################################################################

Port-Forwarding to the Internal Network:

The standard Materhorn scripts allow limited port-forwarding from the
external interface to machines on the internal network. This is done using
the INTERN_xxx_SERVER series of variables, where xxx can be one of: FTP, WWW,
SMTP, POP3, IMAP, or SSH. All you need to enter is the IP address of the
internal machine that you want the service forwarded to. The SSH
port-forwarder also has a configuration variable, EXTERN_SSH_PORT, which
allows you to change the forwarded port from the default of 22 to some other
value.

With the extended scripts, you get a lot more control over port-forwarding.
The indexed variable list INTERN_SERVERn is used to provide an arbitrary
number of forwarded services. You do have to provide more information to
forward a port, including protocol (TCP/UDP), local IP address & port, and
remote IP address & port.
The local IP address field is provided to allow you to use multiple external
IP addresses, and the remote port is provided in case you want to change the
destination port while forwarding.

###############################################################################

Port-Forward to Private address DMZ:

To do this, you first need to set up a private address DMZ. This requires
that you add a DMZ network card to your LRP box. Remember to add the
appropriate per-interface configuration variables (xxx_IPADDR et al). You
also need to configure:

    DMZ_SWITCH - Enable the private address DMZ by setting to "PRIVATE"
    DMZ_IF     - Your DMZ interface
    DMZ_NET    - The network specification for your DMZ network. This is
                 needed by the firewall rules. See the reference section for
                 details.

You will probably also want to set DMZ_OUTBOUND_ALL to YES, unless you are
hyper-paranoid about someone accessing the internet from a hacked DMZ server.
Note that if you do not set this to YES, some port-forwarded services might
not work.

With this out of the way, you can port-forward services from your external IP
address(es) to the DMZ net using the indexed variable list: DMZ_SERVERn. The
parameters for DMZ_SERVERn are the same as those for INTERN_SERVER, except
you should provide a remote address that is on the DMZ network, instead of
the internal network.

What's the difference between an INTERN_SERVER and a DMZ_SERVER? Well, I'm
glad you asked. The only difference between the two is an additional
masquerade rule that is created for DMZ servers. This rule allows machines on
the internal network to use the same external IP address folks on the
internet would use to communicate with the port-forwarded server.
Specifically, a reverse masquerade rule is created from the DMZ net to the
internal net for the service that is port-forwarded.
This provides the required reverse masquerade rule (each port-forward rule
requires a corresponding masquerade rule in the other direction) for the
internal network (the external network is covered already by the rule that
masquerades all traffic to the internet), so everything works properly.

###############################################################################

Routing to a Public address DMZ:

So, you're a network big shot. You've got a block of IPs, and an ISP that
will let you talk to their router. Well, since I don't fall into this class,
the following is untested, but I've crawled through the scripts enough to be
fairly sure about how things work.

First, add a DMZ network card to your LRP box. Remember to add the
appropriate per-interface configuration variables (xxx_IPADDR et al). You
also need to configure:

    DMZ_SWITCH - Enable the public address DMZ by setting to "YES"
    DMZ_IF     - Your DMZ interface
    DMZ_NET    - The network specification for your DMZ network. This is
                 needed by the firewall rules. See the reference section for
                 details.

Once this is set up, you can allow packets through to your DMZ using the
DMZ_OPEN_DEST variable. You can define a list of protocol, source
address/mask, and destination ports that will be allowed through the router.

You can also enable traffic to any TCP ports >= 1024 through the router by
specifying DMZ_HIGH_TCP_CONNECT=YES. If you do this, you should use the
DMZ_CLOSED_DEST variable to block any packets destined for vulnerable ports
on your DMZ machines.

###############################################################################
HINTS & TIPS
###############################################################################

Use /etc/init.d/network !!!

Proper use of this script can save you a lot of time, and spare you many
reboots. Remember to backup etc if you change any config scripts! Once you
get used to restarting the networking manually, it can be easy to forget to
backup.
With this script, you can:

    List the packet rules currently active:
        /etc/init.d/network ipfilter list

    Reload the firewall rules after changing the network.conf:
        /etc/init.d/network ipfilter reload

    Restart networking, reconfiguring all interfaces (useful if you change
    any interfaces or IP addresses):
        /etc/init.d/network reload

    Flush the packet filters, permitting all traffic (ip forwarding is off):
        /etc/init.d/network ipfilter flush

    Shut down all networking, shutting down all interfaces:
        /etc/init.d/network stop

    Get a list of other stuff you can do with this script:
        /etc/init.d/network

Install sshd-1 and ssh-1, and learn to use them.

You can get the PuTTY shareware ssh package for windows (see
http://lrp.c0wz.com) or use your favorite ssh/scp client. Not only can you
configure your router remotely (somewhat cool), but you can easily copy files
to/from your LRP box using scp without typing mount -t msdos until your
fingertips bleed, and you avoid the whole 8.3 filenaming thing with floppy
disks (extremely cool).

###############################################################################
###############################################################################
REFERENCE SECTION
###############################################################################
###############################################################################

###############################################################################
CONVENTIONS
###############################################################################

The configuration variables are listed in the general order they appear in
the Materhorn scripts, and are broken down into sections of similar
functionality. Following the list of variables is an attempt to define the
syntax of the parameters used.
Each variable is listed in the following format:

1st line:   VARIABLE =

    VARIABLE is the name of the environment variable in network.conf. The
    value after the equals sign is either a list of possible values, or a
    parameter that can be found in the list of parameter definitions, which
    follows the variable reference section. The text description attempts
    to list information about usage that might not be immediately obvious
    from just the parameter definition.

    NOTE: A space is shown between the variable name, the equals sign, and
    any settings listed. This is for READABILITY only; when entered in
    network.conf, there should be no spaces (ie - VARIABLE=setting). In
    addition, if there need to be any spaces in the value assigned to the
    variable, you must enclose it in double quotes (ie VARIABLE="sett ing").

2nd line:   Default:

    The value shown is the default value for this setting, if one exists.
    Otherwise, it is a typical value appropriate for most configurations, or
    N/A if no default value makes sense. In some cases, there will be a
    different default value for the standard and extended scripts. In this
    case, the line will be of the form:

        Default: STD= EXT=

    where the value after STD= is the default for the standard scripts, and
    the value after EXT= is the default for the extended scripts. A default
    value of Undefined means this variable either does not exist, or is
    commented out by default.

3rd line:   Scripts:

    This line lists which versions of the script support this variable.
        STD is used to indicate the original Materhorn scripts
        EXT is used to indicate the extended Materhorn scripts

4th line (optional):   Requires: [ ]

    Lists other settings that are required for this setting to be
    meaningful. The requires field should not be viewed as exhaustive. If a
    setting is listed as required, it MUST be set for this variable to have
    any effect.
    You are warned that there may be other settings, or combinations of
    settings, which are not listed as required, that may also cause this
    variable to have no effect.

Text description

    Each variable definition is followed by a text description of its
    function.

###############################################################################
SPACE SEPARATED LIST
###############################################################################

Several configuration variables use a space separated list of items.
Frequently, the items themselves contain several parameters, in which case
these 'local' parameters are separated with an underscore '_', or other
non-whitespace character. For an example, refer to the definition of a
protocol port definition:

    = _/_

An example definition would be:

    tcp_1.2.3.4/32_www

Note that there are no spaces between any of the parameters.

Several of these definitions can be grouped together in a single environment
variable. Note that since spaces are being used to separate items, the
variable definition must be enclosed in quotes. An example would be:

    VARIABLE="tcp_1.2.3.4/32_www tcp_1.2.3.4/32_ssh"

If you find your lines are getting too long for comfort, you can break the
variable definition into several pieces, spanning several lines, using the
backslash character '\', which is a standard unix shell feature. An example
would be:

    VARIABLE="tcp_1.2.3.4/32_www tcp_1.2.3.4/32_ssh \
        udp_1.2.3.4/32_domain"

Note that you must have whitespace either between the last item defined on
the line and the backslash, or between the start of the next line and the
first item on the next line (there is whitespace in both places in the above
example).

###############################################################################
INDEXED VARIABLE LIST
###############################################################################

Several of the settings in network.conf make use of what I am calling an
indexed variable list.
This is a list of variables that have an integer number (index) appended to
the basename of the variable. These all take the form of:

    BASENAME0=
    BASENAME1=
    BASENAME2=
    BASENAME3=
    and so on...

The basename used, and the values entered, depend on what the indexed list is
to be used for. When listed in the reference section below, the index value
is represented as a lower case letter 'n'. You should replace the 'n' with an
integer number.

These indexed variable lists are typically used where it is difficult or
impossible to know ahead of time how many entries you might have for a
specific function. Indexed lists are used, for example, to configure your
hosts file and DNS settings.

The original Materhorn scripts have a MAX_LOOP variable, that controls how
large the index number can be. Because of this, the original Materhorn
scripts will 'skip over' missing numbers. The extended scripts do not use the
MAX_LOOP variable, but continue to process the variable list until there is a
missing or empty variable.

    VARIABLE0=
    VARIABLE1=
                    <- Index 2 missing or empty...EXT scripts stop here
    VARIABLE3=      <- STD script still processes indexes up to MAX_LOOP

###############################################################################
GENERAL SETTINGS
###############################################################################

VERBOSE = YES | NO
    Default: YES
    Scripts: STD EXT

    When set to YES, the scripts output additional information about how
    things are configured.

MAX_LOOP =
    Default: 10
    Scripts: STD

    For the standard scripts, this variable controls the maximum number of
    entries to search for in an indexed variable list. IE: If you create a
    DNS7=, and MAX_LOOP=7, it will not be reached. (DNS0 - DNS7 == 8 entries)
    Setting this value too high will decrease the speed of the configuration
    system.

    The extended scripts do not use this variable, and simply continue
    processing entries until a missing number is reached. See INDEXED
    VARIABLE LIST above for details.
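The two list conventions above (the space separated list of protocol port items, and the indexed variable list with its STD/EXT difference and the MAX_LOOP off-by-one) as an added sh example, not code from the original document or from the Materhorn scripts. The function names are hypothetical and the sample variables are constructed; the variable layout is the one network.conf uses.

```shell
#!/bin/sh
# Added example, not from the original document: (1) how the standard (STD)
# and extended (EXT) scripts walk an indexed variable list, and (2) a parser
# for the proto_address/masklen_port items used in space separated lists.
# Function names are hypothetical; the variable layout is network.conf's.

# Read a variable whose name is built at run time, e.g. get_var DNS0
get_var() { eval "printf '%s' \"\${$1}\""; }

# EXT behaviour: walk BASENAME0, BASENAME1, ... and stop at the first index
# that is missing or empty.  Prints the indexes found, e.g. "0 1".
ext_indexes() {
    i=0; found=
    while [ -n "$(get_var "$1$i")" ]; do
        found="$found${found:+ }$i"
        i=$((i + 1))
    done
    printf '%s\n' "$found"
}

# STD behaviour: try every index below MAX_LOOP (default 10), skipping holes.
# With MAX_LOOP=7 the indexes 0..6 are tried, so DNS7 is never reached.
std_indexes() {
    i=0; found=
    while [ "$i" -lt "${MAX_LOOP:-10}" ]; do
        [ -n "$(get_var "$1$i")" ] && found="$found${found:+ }$i"
        i=$((i + 1))
    done
    printf '%s\n' "$found"
}

# Split one list item of the form proto_addr/masklen_port (for example
# tcp_1.2.3.4/32_www) and validate the pieces.  Prints
# "proto addr masklen port" and returns 0, or returns 1 if malformed.
parse_proto_port() {
    item=$1
    proto=${item%%_*}              # text before the first '_'
    rest=${item#*_}                # everything after it
    addr_mask=${rest%%_*}          # addr/masklen, before the second '_'
    port=${rest#*_}                # port name or number, after it
    addr=${addr_mask%%/*}
    mask=${addr_mask#*/}
    case "$proto" in tcp|udp) ;; *) return 1 ;; esac
    [ "$rest" != "$item" ] && [ "$port" != "$rest" ] || return 1   # both '_' present
    [ "$addr_mask" != "$addr" ] || return 1                        # '/' present
    case "$mask" in ''|*[!0-9]*) return 1 ;; esac
    [ "$mask" -le 32 ] || return 1
    printf '%s %s %s %s\n' "$proto" "$addr" "$mask" "$port"
}

# Count the well-formed items in a space separated list.
count_valid_items() {
    n=0
    for item in $1; do
        parse_proto_port "$item" >/dev/null && n=$((n + 1))
    done
    echo "$n"
}

# --- constructed sample data ---------------------------------------------
# Indexed list with index 2 missing: EXT stops after 1, STD also sees 3.
VARIABLE0=first
VARIABLE1=second
VARIABLE3=fourth

# Eight name servers but MAX_LOOP=7: the STD scripts never reach DNS7.
DNS0=10.0.0.1; DNS1=10.0.0.2; DNS2=10.0.0.3; DNS3=10.0.0.4
DNS4=10.0.0.5; DNS5=10.0.0.6; DNS6=10.0.0.7; DNS7=10.0.0.8
MAX_LOOP=7

# A space separated list continued over two lines with a backslash; the
# fourth item is malformed (no masklen) and the fifth uses a protocol keyword
# this parser does not accept.
SAMPLE_LIST="tcp_1.2.3.4/32_www tcp_1.2.3.4/32_ssh \
    udp_1.2.3.0/24_domain tcp_1.2.3.4_www icmp_0/0_8"

echo "EXT sees VARIABLE indexes: $(ext_indexes VARIABLE)"   # 0 1
echo "STD sees VARIABLE indexes: $(std_indexes VARIABLE)"   # 0 1 3
echo "EXT sees DNS indexes:      $(ext_indexes DNS)"        # 0 1 2 3 4 5 6 7
echo "STD sees DNS indexes:      $(std_indexes DNS)"        # 0 1 2 3 4 5 6
for item in $SAMPLE_LIST; do
    parse_proto_port "$item" || echo "malformed item: $item"
done
```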
IPFWDING_KERNEL = YES | NO | FILTER_ON
    Default: STD=NO EXT=FILTER_ON
    Scripts: STD EXT

    If YES, this enables IP forwarding in the kernel. When set to FILTER_ON,
    forwarding will be enabled after the IP filtering rules are loaded.

IPALWAYSDEFRAG_KERNEL = YES | NO
    Default: STD=NO EXT=YES
    Scripts: STD EXT

    When YES, enables IP Global defragmentation in the kernel.

    **WARNING** - If this was turned on everywhere in a network of routers,
    it can result in TCP connections failing and TCP connection resets. ONLY
    turn this on if the box is a firewall or the single point of entry for a
    network, or an endpoint for port forwarding or a load balancer for a WWW
    server farm. DO NOT turn this on if the box is a conventional router as
    it breaks the TCP/IP RFC's.

    This option is needed when using IP NAT, IP masquerading, IP autofw, IP
    portfw, transparent proxying or other kernel operations that intercept a
    packet flow and redirect it. It is a useful tool when using a packet
    filtering router to protect directly attached ethernet networks of
    servers as it stops fragment attacks on the servers behind the router.
    Another use is a packet filtering router to protect dial-in Internet
    users on NASes (Portmasters, TC racks etc) from various SMB and fragment
    attacks and to redirect all WWW connections into a WWW proxy-caching
    server.

CONFIG_HOSTNAME = YES | NO
    Default: STD=NO EXT=YES
    Scripts: STD EXT

    If YES, the configuration scripts create the /etc/hostname file using
    the HOSTNAME variable. Any current hostname file will be **OVERWRITTEN**

CONFIG_HOSTSFILE = YES | NO
    Default: STD=NO EXT=YES
    Scripts: STD EXT

    If YES, the configuration scripts create the /etc/hosts file using the
    HOSTSn indexed variable list (see HOSTSFILE section, below).
    Any current hosts file will be **OVERWRITTEN**

CONFIG_DNS = YES | NO
    Default: STD=NO EXT=YES
    Scripts: STD EXT

    If YES, the configuration scripts create the /etc/resolv.conf file using
    the DOMAINS variable and DNSn indexed variable list (see DOMAIN SEARCH
    ORDER section, below). Any current resolv.conf file will be
    **OVERWRITTEN**

###############################################################################
INTERFACES
###############################################################################

IF_AUTO = [ ]
    Default: STD="" EXT="eth0 eth1"
    Scripts: STD EXT

    A space separated list of interfaces that get started on boot. Tunneling
    interfaces like CIPE should be after the raw interfaces they depend on.
    The interfaces are started in the order they occur on the list, and are
    shutdown in the reverse order of IF_LIST. The interfaces are configured
    with settings provided by the variables listed in the INTERFACE
    CONFIGURATION section.

IF_LIST = [ ]
    Default: "$IF_AUTO"
    Scripts: STD EXT

    A space separated list of interfaces that can be ACTIVE on this machine.
    Interfaces in this list that are not also in IF_AUTO must be started
    manually.

ALLIF_ACCEPT_REDIRECTS = YES | NO
    Default: NO
    Scripts: STD EXT

    If YES, accepts ICMP Redirects on ALL interfaces. This also depends on
    the /proc per interface IP forwarding flag.

DEF_IP_SPOOF = YES | NO
    Default: YES
    Scripts: STD EXT

    If YES, protection against IP spoofing is provided by default.
    /proc/sys/net/ipv4/conf/default/rp_filter set to '1'

DEF_IP_KRNL_LOGMARTIANS = YES | NO
    Default: YES
    Scripts: STD EXT

    If YES, the kernel logs martian packets by default.
    /proc/sys/net/ipv4/conf/default/log_martians set to '1'

BRG_SWITCH = YES | NO
    Default: NO
    Scripts: STD EXT

    If YES, enables bridging support. Since this is rarely used on LRP,
    you're on your own for getting this running.

BRG_EXEMPT_PROTOS = [ ]
    Default: ""
    Scripts: STD EXT

    A space separated list of protocols to exempt from bridging.
    Type "brcfg list" at your LRP prompt to get a list of available
    protocols.

###############################################################################
INTERFACE CONFIGURATION
###############################################################################

NOTE: All interface configuration variables are of the form xxx_VARIABLE,
where xxx is the interface (ie eth0, eth1, ppp0, etc), and VARIABLE is one of
the interface parameters, such as IPADDR, MASKLEN, etc. The variables are
listed in this section in the form xxx_VARIABLE. You are responsible for
changing the xxx prefix to the appropriate interface for your system.

xxx_IPADDR =
    Default: N/A
    Scripts: STD EXT
    Requires: IF_AUTO=xxx and/or IF_LIST=xxx

    This variable assigns the primary IP address of the interface. Aliases
    are assigned with the xxx_ALIASn variable, below.

xxx_ALIASn =
    Default: N/A
    Scripts: EXT
    Requires: IF_AUTO=xxx and/or IF_LIST=xxx

    This is an indexed variable list of additional IP addresses to assign to
    the interface. Each variable contains an IP address that will be
    assigned to interface xxx as an alias. Each alias is assigned a label of
    the form xxx:n, where n ranges from 1 to the number of alias entries.

xxx_MASKLEN =
    Default: N/A
    Scripts: STD EXT
    Requires: IF_AUTO=xxx and/or IF_LIST=xxx

    This variable assigns the mask-length, or subnet mask. It is an integer
    number ranging from 0 to 32, representing the number of 1's in the
    conventional 'dot-quad' subnet mask (ie 255.255.255.0 represents a
    MASKLEN of 24).

xxx_BROADCAST =
    Default: N/A
    Scripts: STD EXT
    Requires: IF_AUTO=xxx and/or IF_LIST=xxx

    This variable assigns the broadcast address for the interface.
    Typically, this is all zeros or all ones in the 'local' portion of your
    IP address, but can vary in some configurations.

xxx_DEFAULT_GW =
    Default: N/A
    Scripts: STD EXT
    Requires: IF_AUTO=xxx and/or IF_LIST=xxx

    This variable configures a default gateway route via the address
    provided.
The default gateway setting tells LRP how to route packets that are not headed to one of the networks directly connected to your LRP box. You typically only want one default gateway, assigned on your external interface. The address is normally provided by your ISP. xxx_IP_SPOOF = YES | NO Default: YES Scripts: STD EXT Requires: IF_AUTO=xxx and/or IF_LIST=xxx If YES, protection against IP spoofing is provided for this interface. /proc/sys/net/ipv4/conf/xxx/rp_filter set to '1' xxx_IP_KRNL_LOGMARTIANS = YES | NO Default: YES Scripts: STD EXT Requires: IF_AUTO=xxx and/or IF_LIST=xxx If YES, protection the kernel logs martian packets on this interface. /proc/sys/net/ipv4/conf/xxx/log_martians set to '1' xxx_IP_SHARED_MEDIA = YES | NO Default: NO Scripts: STD EXT Requires: IF_AUTO=xxx and/or IF_LIST=xxx If YES, this interface is set up for shared media. /proc/sys/net/ipv4/conf/xxx/shared_media set to '1' This setting affects the processing of ICMP redirects. Setting it to NO makes this more secure. Don't turn this off if you have two IP networks/subnets on the same media. xxx_BRIDGE = YES | NO Default: NO Scripts: STD EXT Requires: IF_AUTO=xxx and/or IF_LIST=xxx If YES, bridging is enabled on this interface. xxx_PROXY_ARP = YES | NO Default: NO Scripts: STD EXT Requires: IF_AUTO=xxx and/or IF_LIST=xxx If YES, proxy arp is enabled for this interface. /proc/sys/net/ipv4/conf/xxx/proxy_arp set to '1' xxx_FAIRQ = YES | NO Default: NO Scripts: STD EXT Requires: IF_AUTO=xxx and/or IF_LIST=xxx If YES, enables Stochastic Fair Queueing on this interface. NOTE: The following variables are used to configure Fair Queueing. If you are not using the Fair Queueing support provided by the Materhorn scripts for a particular interface (xxx_FAIRQ=YES), you may safely leave these variables undefined. xxx_TXQLEN = Default: Undefined Scripts: STD EXT Requires: IF_AUTO=xxx and/or IF_LIST=xxx If defined, this sets the transmit queue length for the interface. 
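As an added example (my own helpers, not part of these instructions or the Materhorn scripts), the following POSIX sh functions turn a dot-quad mask into the MASKLEN the xxx_MASKLEN setting expects, and derive the xxx_BROADCAST and INTERN_NET values from an address and mask length, rejecting a non-contiguous mask or an out-of-range MASKLEN instead of guessing. All function names are assumptions of this example.

```shell
# Added example, not part of the original instructions or the Materhorn
# scripts: derive consistent xxx_MASKLEN, xxx_BROADCAST and INTERN_NET
# values from an address and a dot-quad mask.  Pure POSIX sh integer
# arithmetic (64-bit, as in dash and bash); all function names are my own.

# pow2 N -> 2^N (a loop rather than '<<', for maximum sh portability)
pow2() {
    p2_n=$1; p2_v=1
    while [ "$p2_n" -gt 0 ]; do p2_v=$((p2_v * 2)); p2_n=$((p2_n - 1)); done
    echo "$p2_v"
}

# check_masklen LEN -> succeeds only for an integer in 0..32
check_masklen() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -le 32 ]
}

# dotquad_to_int 1.2.3.4 -> 16909060; fails unless four octets in 0..255
dotquad_to_int() {
    dq_ifs=$IFS; IFS=.
    set -- $1
    IFS=$dq_ifs
    [ $# -eq 4 ] || return 1
    for dq_o in "$1" "$2" "$3" "$4"; do
        case $dq_o in ''|*[!0-9]*) return 1 ;; esac
        [ "$dq_o" -le 255 ] || return 1
    done
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# int_to_dotquad 16909060 -> 1.2.3.4
int_to_dotquad() {
    echo "$(( $1 / 16777216 % 256 )).$(( $1 / 65536 % 256 )).$(( $1 / 256 % 256 )).$(( $1 % 256 ))"
}

# masklen_to_dotquad 24 -> 255.255.255.0 (top LEN bits set, rest clear)
masklen_to_dotquad() {
    check_masklen "$1" || return 1
    int_to_dotquad $(( 4294967296 - $(pow2 $((32 - $1))) ))
}

# dotquad_to_masklen 255.255.255.0 -> 24.  A non-contiguous mask such as
# 255.255.0.255 has no MASKLEN, so it is rejected rather than rounded.
dotquad_to_masklen() {
    dm_m=$(dotquad_to_int "$1") || return 1
    dm_canon=$(int_to_dotquad "$dm_m")
    dm_len=0
    while [ "$dm_len" -le 32 ]; do
        if [ "$(masklen_to_dotquad "$dm_len")" = "$dm_canon" ]; then
            echo "$dm_len"; return 0
        fi
        dm_len=$((dm_len + 1))
    done
    echo "error: $1 is not a contiguous subnet mask" >&2
    return 1
}

# broadcast_addr IP MASKLEN -> all-ones broadcast address of that subnet
broadcast_addr() {
    ba_ip=$(dotquad_to_int "$1") || return 1
    check_masklen "$2" || return 1
    ba_hosts=$(pow2 $((32 - $2)))
    int_to_dotquad $(( ba_ip - ba_ip % ba_hosts + ba_hosts - 1 ))
}

# network_spec IP MASKLEN -> "<network address>/<masklen>", as INTERN_NET uses
network_spec() {
    ns_ip=$(dotquad_to_int "$1") || return 1
    check_masklen "$2" || return 1
    ns_hosts=$(pow2 $((32 - $2)))
    echo "$(int_to_dotquad $(( ns_ip - ns_ip % ns_hosts )))/$2"
}

# Demo with this page's INTERN_IP default on a 255.255.255.0 network.
echo "eth1_MASKLEN=$(dotquad_to_masklen 255.255.255.0)"      # 24
echo "eth1_BROADCAST=$(broadcast_addr 192.168.1.1 24)"         # 192.168.1.255
echo "INTERN_NET=$(network_spec 192.168.1.1 24)"               # 192.168.1.0/24
```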
xxx_BNDWIDTH =
  Default: Undefined
  Scripts: STD EXT
  Requires: IF_AUTO=xxx and/or IF_LIST=xxx
  If defined, this variable sets the interface bandwidth for Fair Queueing.

xxx_HNDL =
  Default: Undefined
  Scripts: STD EXT
  Requires: IF_AUTO=xxx and/or IF_LIST=xxx
  If defined, this variable provides a queue handle, which must be unique,
  for Fair Queueing.

xxx_IABURST =
  Default: Undefined
  Scripts: STD EXT
  Requires: IF_AUTO=xxx and/or IF_LIST=xxx
  If defined, this variable controls interactive bursts for Fair Queueing.

xxx_IARATE =
  Default: Undefined
  Scripts: STD EXT
  Requires: IF_AUTO=xxx and/or IF_LIST=xxx
  If defined, this variable controls the interactive rate for Fair Queueing.

xxx_PXMTU =
  Default: Undefined
  Scripts: STD EXT
  Requires: IF_AUTO=xxx and/or IF_LIST=xxx
  If defined, this variable defines the physical MTU (maximum transmission
  unit) size (in bytes) for Fair Queueing.  This value includes the link
  layer header.

###############################################################################
IP FILTER SETUP: GENERIC PARAMETERS
###############################################################################

IPFILTER_SWITCH = none | router | firewall
  Default: STD=none EXT=firewall
  Scripts: STD EXT
  Selects the basic IP filtering/firewalling setup of the router.  "none" is
  used for a straight through router, "router" for a filtering router with
  IP spoof protection and Martian protection, and "firewall" for a basic IP
  masquerading/NAT firewall.  The basic filter types are provided in
  /etc/ipfilter.conf.  If you want more than what is provided, read the man
  pages for ipchains or ipfwadm and BE CAREFUL when directly editing
  ipfilter.conf!

SNMP_BLOCK = YES | NO
  Default: YES
  Scripts: STD EXT
  If YES, SNMP requests are denied (and logged) by the default firewall
  rules.  If NO, SNMP requests are allowed from the hosts listed in
  SNMP_MANAGER, below, and rejected from all other hosts.
  NOTE: The standard Materhorn scripts contain a bug that prevents this
  feature from working correctly.  The bug causes SNMP_BLOCK to always be
  viewed as equal to 'NO'.  This problem is fixed in the extended scripts.

SNMP_MANAGER = [ ]
  Default: 10.100.1.2
  Scripts: STD EXT
  This is a space separated list of IP addresses to allow through the
  firewall for SNMP access.  SNMP_BLOCK must be NO for this variable to have
  any effect.

MRK_CRIT =
  Default: 1
  Scripts: STD EXT
  This is the mark value assigned to critical traffic (routing, DNS) when
  using Fair Queueing.

MRK_IA =
  Default: 2
  Scripts: STD EXT
  This is the mark value assigned to interactive traffic (telnet, ssh, IRC)
  when using Fair Queueing.

CLS_FAIRQ = [ ]
  Default: "${MRK_CRIT}_89_0/0 ${MRK_CRIT}_udp_0/0_route
            ${MRK_CRIT}_tcp_0/0_bgp ${MRK_CRIT}_tcp_0/0_domain
            ${MRK_CRIT}_udp_0/0_domain ${MRK_IA}_tcp_0/0_telnet
            ${MRK_IA}_tcp_0/0_ssh"
  Scripts: STD EXT
  This is a space separated list of definitions for Fair Queueing.

###############################################################################
IP FILTER SETUP: EXTERNAL INTERFACE
###############################################################################

EXTERN_IF =
  Default: STD=ppp0 EXT=eth0
  Scripts: STD EXT
  This defines the external interface for use in setting up the firewall
  rules.  This should be the interface that connects to the internet.

EXTERN_DHCP = YES | NO
  Default: NO
  Scripts: EXT
  If YES, the EXTERN_IP value (see below) is ignored, and overwritten with
  the address obtained from the interface itself.  For this to work
  properly, you need an external process (such as the ISC dhclient provided
  by Charles Steinkuehler) that updates the interface IP address, and
  reloads the firewall rules whenever the external address changes.

IF_DHCP =
  Default: $EXT_IF
  Scripts: EXT
  This variable is used by the dhclient scripts to control which interface
  to attempt to configure via dhcp.  Currently, the EXT script only supports
  dynamic configuration of your external interface.
EXTERN_DYNADDR = YES | NO
  Default: NO
  Scripts: STD EXT
  If YES, the firewall rules force kernel spoof protection and martian
  logging, and the external IP address/netmask used in various firewall
  rules is set to 0/0.  If NO, the per-interface and default kernel spoof
  protection and martian logging rules apply, and the external IP
  address/netmask used in the firewall rules is that of your actual
  interface.
  NOTE: If you are using the ISC dhclient package I created, it reloads the
  firewall rules if your external IP address changes, so you should set this
  to NO, even though you have a dynamic IP address.  This setting is mainly
  for folks who have no control over their external IP address (perhaps PPP
  users?).

EXTERN_IP =
  Default: N/A
  Scripts: STD EXT
  This is your external IP address.  It seems a bit redundant to have to
  enter this both here and in the interface config section, but that's how
  it is.  This value is overwritten by your actual interface settings if you
  are using the extended scripts and matching ISC dhclient (see EXTERN_DHCP,
  above).

EXTERN_UDP_PORTS = [ ]
  Default: STD="0/0_domain 0/0_ntp" EXT=""
  Scripts: STD EXT
  This is a space separated list of UDP ports to open on the LRP box.  The
  source address/mask values are typically either 0/0 (allowing access to
  the whole world), or of the form 1.2.3.4/32, allowing just your friend
  with IP address 1.2.3.4 entry.  The implicit destination address is the
  external IP address of your LRP box (see EXTERN_IP, above).

EXTERN_TCP_PORTS = [ ]
  Default: STD="0/0_ssh 0/0_smtp" EXT=""
  Scripts: STD EXT
  This is a space separated list of TCP ports to open on the LRP box.  The
  source address/mask values are typically either 0/0 (allowing access to
  the whole world), or of the form 1.2.3.4/32, allowing just your friend
  with IP address 1.2.3.4 entry.  The implicit destination address is the
  external IP address of your LRP box (see EXTERN_IP, above).
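Here is an added example (my own code, not the page's or the Materhorn scripts'): a POSIX sh audit of an EXTERN_TCP_PORTS or EXTERN_UDP_PORTS list that flags every entry whose source is 0/0, so you can see at a glance which services you have opened to the whole internet, and rejects malformed entries before they become rules. It assumes the entry format shown by the defaults above, <srcaddr>/<masklen>_<port>, with the port syntax (service name, number, low:hi range, or a bare ':') from the PARAMETER DEFINITIONS section, and uses a small constructed table in place of /etc/services.

```shell
# Added example, not part of the original instructions or the Materhorn
# scripts: audit an EXTERN_TCP_PORTS / EXTERN_UDP_PORTS list before it is
# turned into firewall rules.  Assumed entry format, taken from the defaults
# on this page:  <srcaddr>/<masklen>_<port>  (e.g. 0/0_domain, 1.2.3.4/32_ssh,
# 0/0_1024:).  The port follows the <port> definition: a service name, a
# number, a low:hi range (a blank side means 0 or 65535) or a bare ':'.

# Constructed, deliberately partial stand-in for an /etc/services lookup.
service_port() {
    case $1 in
        ftp)      echo 21 ;;
        ssh)      echo 22 ;;
        smtp)     echo 25 ;;
        domain)   echo 53 ;;
        www|http) echo 80 ;;
        pop3)     echo 110 ;;
        ntp)      echo 123 ;;
        imap)     echo 143 ;;
        *) echo "unknown service name: $1" >&2; return 1 ;;
    esac
}

# normalize_port <port> -> "low hi"; fails on empty, unknown or non-numeric.
normalize_port() {
    case $1 in
        '')   return 1 ;;
        ':')  echo "0 65535" ;;
        *:*)  np_low=${1%%:*}; np_hi=${1#*:}
              case "$np_low$np_hi" in *[!0-9]*) return 1 ;; esac
              echo "${np_low:-0} ${np_hi:-65535}" ;;
        *[!0-9]*) np_n=$(service_port "$1") || return 1; echo "$np_n $np_n" ;;
        *)    echo "$1 $1" ;;
    esac
}

# audit_port_list <tcp|udp> "<list>" prints one line per entry:
#   <proto> <srcaddr>/<masklen> <low>-<hi> WORLD|RESTRICTED
# WORLD marks a /0 source, i.e. the port is reachable from the whole
# internet.  Returns 1 if any entry is malformed, so a typo is caught here
# rather than silently producing a rule you did not intend.
audit_port_list() {
    apl_proto=$1
    apl_list=$2
    apl_bad=0
    for apl_entry in $apl_list; do
        apl_src=${apl_entry%%_*}
        apl_port=${apl_entry#*_}
        case $apl_src in
            */*) apl_addr=${apl_src%/*}; apl_mask=${apl_src#*/} ;;
            *)   echo "no /masklen in entry: $apl_entry" >&2; apl_bad=1; continue ;;
        esac
        case $apl_mask in
            ''|*[!0-9]*) echo "bad masklen in entry: $apl_entry" >&2; apl_bad=1; continue ;;
        esac
        if [ "$apl_mask" -gt 32 ]; then
            echo "masklen $apl_mask out of range in entry: $apl_entry" >&2
            apl_bad=1; continue
        fi
        if apl_range=$(normalize_port "$apl_port"); then :; else
            echo "bad port in entry: $apl_entry" >&2; apl_bad=1; continue
        fi
        set -- $apl_range
        if [ "$apl_mask" -eq 0 ]; then apl_scope=WORLD; else apl_scope=RESTRICTED; fi
        echo "$apl_proto $apl_addr/$apl_mask $1-$2 $apl_scope"
    done
    return $apl_bad
}

# count_world_open "<list>" -> how many entries are open to any source.
count_world_open() {
    audit_port_list x "$1" 2>/dev/null | grep -c ' WORLD$' || true
}

# Demo on the STD default lists from this page.
audit_port_list tcp "0/0_ssh 0/0_smtp"
audit_port_list udp "0/0_domain 0/0_ntp"
echo "entries open to the whole world: $(count_world_open "0/0_ssh 0/0_smtp 0/0_domain 0/0_ntp")"
```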
EXTERN_UDP_PORTn =
  Default: Undefined
  Scripts: EXT
  This is an indexed variable list of UDP ports to allow through the
  firewall.  The extended port definition allows for the specification of a
  destination address, which is useful if you have several external IP
  addresses and are using IP aliasing.  If the destination address equals
  EXTERN_IP (see above), this list performs the same function as
  EXTERN_UDP_PORTS (see above).  The source address/mask values are
  typically either 0/0 (allowing access to the whole world), or of the form
  1.2.3.4/32, allowing just your friend with IP address 1.2.3.4 entry.  The
  destination address should be one of your assigned external IP addresses
  (see xxx_IPADDR and xxx_ALIASn, above).

EXTERN_TCP_PORTn =
  Default: Undefined
  Scripts: EXT
  This is an indexed variable list of TCP ports to allow through the
  firewall.  The extended port definition allows for the specification of a
  destination address, which is useful if you have several external IP
  addresses and are using IP aliasing.  If the destination address equals
  EXTERN_IP (see above), this list performs the same function as
  EXTERN_TCP_PORTS (see above).  The source address/mask values are
  typically either 0/0 (allowing access to the whole world), or of the form
  1.2.3.4/32, allowing just your friend with IP address 1.2.3.4 entry.  The
  destination address should be one of your assigned external IP addresses
  (see xxx_IPADDR and xxx_ALIASn, above).

EXTERN_ICMP_PORTn =
  Default: Undefined
  Scripts: EXT
  This is an indexed variable list of ICMP types to allow through the
  firewall.  This is provided primarily as a means of allowing outside
  networks to ping any aliased external IP addresses, which would otherwise
  be blocked by the standard firewall rules, which allow ICMP through only
  to the EXTERN_IP address.  The source address/mask values are typically
  either 0/0 (allowing access to the whole world), or of the form
  1.2.3.4/32, allowing just your friend with IP address 1.2.3.4 entry.  The
  destination address should be one of your assigned external IP addresses
  (see xxx_IPADDR and xxx_ALIASn, above).  Since ICMP does not have
  'ports', the port value is actually the ICMP type.  A range of types can
  be specified using 'low:hi'.  All ICMP types, from low to hi, inclusive,
  will be allowed.  To allow all types, you can use the shortcut of just a
  colon ':'.

SILENT_DENY = [ ]
  Default: Undefined
  Scripts: EXT
  This is a space separated list of ports to silently deny.  Any packets
  which fit the definitions provided are denied and NOT logged.  This is
  useful if your logs are filling up with denied packets that you know
  about, but for some reason or another, cannot stop.  In my case, I was
  receiving RIP broadcasts from an upstream Cisco (which I did not
  administer).  The packets were harmless, but filled up my logs pretty fast
  (about 1 packet/minute).
  Be VERY CAREFUL when specifying the port definitions.  The rules created
  here come before ANY other rules, so if your rules are too broad, you
  could end up blocking traffic you really wanted to log, or denying a
  service you really wanted to permit.  I suggest using a /32 netmask on all
  addresses, unless you really have a good reason not to.

###############################################################################
IP FILTER SETUP: INTERNAL INTERFACE
###############################################################################

INTERN_IF =
  Default: STD="eth0" EXT="eth1"
  Scripts: STD EXT
  This defines the internal interface for use in setting up the firewall
  rules.  This should be the interface that connects to your internal
  network.

INTERN_NET =
  Default: 192.168.1.0/24
  Scripts: STD EXT
  This is the network specification of your internal network for use in
  setting up the firewall rules.

INTERN_IP =
  Default: 192.168.1.1
  Scripts: STD EXT
  This is your internal IP address.  It seems a bit redundant to have to
  enter this both here and in the interface config section, but that's how
  it is.
MASQ_SWITCH = YES | NO
  Default: YES
  Scripts: STD EXT
  If YES, the internal network is masqueraded to the outside world, allowing
  machines on the internal network to be transparently connected to the
  internet.

NOMASQ_DEST_BYPASS = ???
  Default: Undefined
  Scripts: STD EXT
  A space separated list of values that doesn't seem to do anything in the
  firewall setup scripts.  Perhaps left over from a previous version?

NOMASQ_DEST = [ ]
  Default: Undefined
  Scripts: STD EXT
  A space separated list of ports that will not be masqueraded.  This list
  is used to reject packets from the internal network to the specified
  destination address and port combination.  You can use this to globally
  block access to specific services, or to selectively block access to
  specific IP addresses.

INTERN_xxx_SERVER =
  Default: STD=INTERN_SSH_SERVER=10.10.104.1, others Undefined
           EXT=All Undefined
  Scripts: STD EXT
  This group of variables controls port-forwarding services from the LRP
  box's external interface to internal machines.  Allowed xxx services are
  FTP, WWW, SMTP, POP3, IMAP, and SSH.  Services forwarded using these
  variables are always forwarded from the LRP box's external IP address (see
  EXTERN_IP, above).  If you expect people on the internet to be able to use
  your server, you must also open the appropriate ports in your firewall
  rules (see EXTERN_UDP_PORTS, EXTERN_UDP_PORTn, EXTERN_TCP_PORTS, and
  EXTERN_TCP_PORTn, above).

EXTERN_SSH_PORT =
  Default: STD=24 EXT=Undefined
  Scripts: STD EXT
  This controls the port used by the INTERN_SSH_SERVER rule, above.  If you
  don't want to use the standard SSH port, you need to define this variable
  and provide the desired port number.

INTERN_SERVERn =
  Default: Undefined
  Scripts: EXT
  This is an indexed variable list of services to port-forward to the
  internal network.  It allows specification of the local IP address to use
  for forwarding, so can be used with additional IP aliases on the external
  interface.  The destination port can also be specified, so you could
  potentially forward several external IP addresses to the same internal
  machine on different ports.

###############################################################################
IP FILTER SETUP: DMZ NETWORK
###############################################################################

DMZ_SWITCH = YES | NO | PRIVATE
  Default: STD=Undefined EXT=NO
  Scripts: STD EXT
  If YES, specifies that you have a block of public IP addresses on a DMZ
  network that you would like routed by your LRP box.  If PRIVATE
  (supported by EXT scripts only), specifies that you have an RFC 1597
  private IP address DMZ network you would like masqueraded and
  port-forwarded by the LRP box.
  NOTE: PRIVATE refers to the IP address space used for your DMZ, and does
  NOT indicate that the DMZ network is 'private' as in not visible to anyone
  but you.  You can control the port settings on your firewall to allow as
  many (or few) folks as you want to access your DMZ, regardless of the
  PRIVATE setting.

DMZ_IF =
  Default: STD=Undefined EXT=eth2
  Scripts: STD EXT
  Requires: DMZ_SWITCH=YES or DMZ_SWITCH=PRIVATE
  This defines the DMZ interface for use in setting up the firewall rules.
  This should be the interface that connects to your DMZ network.

DMZ_NET =
  Default: STD=Undefined EXT=192.168.2.0/24
  Scripts: STD EXT
  Requires: DMZ_SWITCH=YES or DMZ_SWITCH=PRIVATE
  This is the network specification of your DMZ network for use in setting
  up the firewall rules.

DMZ_CLOSED_DEST = [ ]
  Default: Undefined
  Scripts: STD EXT
  Requires: DMZ_SWITCH=YES
  This is a space separated list of port definitions.  Packets that match
  the port specifications provided will be rejected by the firewall, and
  will not be forwarded to the DMZ network.

DMZ_OPEN_DEST = [ ]
  Default: Undefined
  Scripts: STD EXT
  Requires: DMZ_SWITCH=YES
  This is a space separated list of port definitions.  Packets that match
  the port specifications provided will be routed through to the DMZ
  network.
DMZ_HIGH_TCP_CONNECT = YES | NO
  Default: Undefined
  Scripts: STD EXT
  Requires: DMZ_SWITCH=YES
  If YES, inbound connections from the internet are allowed to DMZ ports
  >= 1024.  This switch should be used in conjunction with DMZ_CLOSED_DEST,
  to block high ports that are known security problems.

DMZ_SERVERn =
  Default: Undefined
  Scripts: EXT
  Requires: DMZ_SWITCH=PRIVATE
  This is an indexed variable list of services to port-forward from your LRP
  box to machines on the DMZ network.  Reverse masquerading rules are
  automatically created to allow machines on the internal network to access
  the DMZ server using the public IP address of the LRP box.  If
  DMZ_OUTBOUND_ALL is NO, reverse masquerading rules are also created to
  allow connections from the external interface to work properly.

DMZ_OUTBOUND_ALL = YES | NO
  Default: Undefined
  Scripts: EXT
  Requires: DMZ_SWITCH=PRIVATE
  If YES, the DMZ network is masqueraded to the external network, providing
  complete access to the internet for machines on the DMZ network.  If NO,
  machines on the DMZ network are only connected to the internet by the
  port-forward rules set up by any DMZ_SERVERn lines, and the corresponding
  reverse masquerade rule required for port-forwarded services to work
  properly.

###############################################################################
ANCILLARY FILE CREATION
###############################################################################

HOSTNAME =
  Default: myrouter
  Scripts: STD EXT
  Requires: CONFIG_HOSTNAME=YES
  This is used to create a hostname file, which sets the machine name to

HOSTSn =
  Default: Varies
  Scripts: STD EXT
  Requires: CONFIG_HOSTSFILE=YES
  This is an indexed variable list of hosts file entries.  Each is used to
  create a line in the /etc/hosts file.

DOMAINS = [ ]
  Default: STD="somewhere.net domain2.net" EXT="private.network"
  Scripts: STD EXT
  Requires: CONFIG_DNS=YES
  This is a space separated list of domain names to use in resolving domain
  names.
  This variable is used to create the /etc/resolv.conf file.

DNSn =
  Default: N/A
  Scripts: STD EXT
  Requires: CONFIG_DNS=YES
  This is an indexed variable list of your Domain Name Servers.  Each IP
  address is used to create an entry in resolv.conf, configuring DNS name
  resolution.

###############################################################################
PARAMETER DEFINITIONS
###############################################################################

= ??? Used for Fair Queueing.

A string specifying a domain name.  This can either be a real domain name,
  if your LRP box is part of a network covered by DNS or NIS services, or
  you can use a 'fake' domain name, to keep name lookup from getting
  confused.  Note the standard scripts default value of 'somewhere.net' is
  an actual domain name registered on the internet.  The extended scripts
  default to 'private.network', which is unlikely to ever be a 'real'
  domain.

= Used by the firewall rules to match the destination, or 'to' IP address
  field

= Used by the firewall rules to match the destination, or 'to' IP port field

= This parameter adds a destination address to the standard port definition,
  allowing support of multiple external IP addresses.  Note that the
  individual fields are separated by a space.

= [ ] If left unspecified, defaults to

= __ Fully Qualified Domain Name.  This is used when creating the hosts
  file.  If your machine is named 'hal9000' and is part of the space.oddity
  network, the FQDN would be hal9000.space.oddity

This is a 'nickname' to use for a computer when we don't want to type the
  entire hostname or FQDN.  For instance we might assign 'hal' to
  hal9000.space.oddity used in the FQDN example above.  A machine can have
  more than one host alias, but the same host alias should not be used more
  than once (ie we could call hal9000.space.oddity 'hal' or 'braindead', but
  we can't call more than one machine 'hal').

A string specifying the desired hostname of the LRP machine.

= [ ] Each becomes a line in the hosts file.  The hosts file is used to map
  names to IP addresses without using DNS.  It may be handy to create a
  hosts file that lists machines on your internal network (unlikely to be
  covered by DNS, NIS, or some other name-service), so you can use names
  (like 'bobs_workstation') instead of IP addresses to access machines from
  your LRP box.

Specifies an integer number (you know, 0, 1, 2, 3, 4, ...)

= ??? Used for Fair Queueing.

= ??? Used for Fair Queueing.

Specifies a network device to use.  These are standard linux devices, such
  as eth0, ppp0, and so on.

= / This is an IP address qualified by a netmask.  It can be used to match
  addresses ranging from a single IP address to the entire internet.

Specifies an IP address in dot-quad notation, ie 1.2.3.4

Specifies an IP address mask length.  This is a number between 0 and 32,
  which corresponds to the number of '1' bits in a conventional dot-quad
  subnet mask (ie. 255.255.255.0 equals an IP mask length of 24).

= Used to define a local IP address when creating port-forwarding rules

= Used to define a local TCP/UDP port when creating port-forwarding rules

= ??? Used for Fair Queueing.

= A network address is an IP address with all local address bits set to
  zero.

= / This is similar to an , but the IP address is the reserved case of a
  network address.

= | | : Specifies a port for use by the firewall rules.  There are three
  ways to define a port.  You can use the port name (ie 'www' or 'ssh', see
  the /etc/services file for a list of port names), the port number, or
  specify a range of ports with the : syntax.  When specifying a range of
  ports, if you leave the left hand value blank, 0 is assumed.  If you leave
  the right hand value blank, the maximum port number is assumed.  To easily
  specify all ports, you can use just a colon ':'.  Occasionally, you may
  need to use a port value with the ICMP protocol.  Since ICMP does not use
  ports, the port value actually specifies one of the ICMP message types.
  The : range specifier and shortcuts work with ICMP types as well as
  conventional TCP/UDP port values.

= _ Specifies parameters to use when matching packets for the firewall
  rules.

A string specifying a legal port name.  See the /etc/services file for valid
  port names, and the port numbers they correspond to.

A string or number specifying an IP protocol.  Typical values would be TCP,
  UDP, or ICMP, although you may also use protocol numbers.  Some services,
  such as IPSec, use their own protocols, and may need to be specified by
  number if you need to create rules allowing these packets through your
  firewall.

= _ Specifies parameters to use when matching packets for the firewall
  rules.

= ??? Used for Fair Queueing.

= Used to define a remote IP address when creating port-forwarding rules

= Used to define a remote TCP/UDP port when creating port-forwarding rules

= Used by the firewall rules when matching the source, or 'from' IP address
  of a packet

Used by the firewall rules when matching the source, or 'from' port of a
  packet

= ??? Used for Fair Queueing.