Global Open Versity, ICT Labs
Build & Deploy Secure Shorewall Firewall Network.v1.2
© April 2007, Kefa Rabah, Global Open Versity, Vancouver Canada
www.globalopenversity.org
 
EBT107 – Secure Firewall System Administration Training
 
Global Open Versity IT Security & Network Defense Hands-on Labs Training Manual
Build & Deploy Secure Shorewall Firewall Protected Network
Kefa Rabah, Global Open Versity, Vancouver Canada
krabah@globalopenversity.org, www.globalopenversity.org
Table of Contents (Page No.)
BUILD & DEPLOY SECURE SHOREWALL FIREWALL PROTECTED NETWORK 1
Introduction 1
Part 1: Network Configuration 3
Part 2: Dynamic Host Configuration Protocol (DHCP) 3
  Step 1: Install and Configure DHCP Server 3
Part 3: Download and Install Shorewall 5
  Step 1: Download & Install Shorewall 5
  Step 2: Configure Shorewall 5
Part 4: Using Webmin to Configure Shorewall 6
  Step 1: Basic Configuration 6
  Step 2: Configure Network Zones 8
  Step 3: Configure Network Interfaces 11
  Step 4: Configure the Default Policies (Policy) 13
  Step 5: Configure Masquerading (masq) Rule 15
  Step 6: Check Firewall Configuration 17
  Step 7: Finally Start the Shorewall Firewall 18
Part 5: Advanced Configuration for Shorewall Firewall 18
  Step 1: Configuring Shorewall Firewall Rules 18
  Step 1: Webserver installed on the Firewall box 19
  Step 2: Port forwarding Webserver on a box on the LAN 20
    1. Port forwarding for Clients on the LAN 20
    2. Port forwarding for Clients on the DMZ 21
    3. Port Redirection 22
  Step 3: Test DMZ Connectivity 23
  Step 4: Type of Service (ToS) 24
Part 6: Troubleshooting 25
Part 7: Installing and configuring anti-virus software ClamAV 26
Part 8: Need More Training on Linux 28
  Secure Firewall Administration Training 28
  Linux Administration Training 28
Part 9: Hands-on Lab Assignments 29
 
By Kefa Rabah, krabah@globalopenversity.org, July 26, 2010, GTS Institute
Introduction

Shorewall is a high-level tool for configuring Netfilter. You describe your firewall/gateway requirements using entries in a set of configuration files. Shorewall reads those configuration files and, with the help of the iptables utility, configures Netfilter to match your requirements. Shorewall can be used on a dedicated firewall system, a multi-function gateway/router/server or on a standalone GNU/Linux system. Shorewall does not use Netfilter's ipchains compatibility mode and can thus take advantage of Netfilter's connection state tracking capabilities.

CentOS is a community-supported, free and open source operating system based on Red Hat Enterprise Linux. It exists to provide a free enterprise-class computing platform and strives to maintain 100% binary compatibility with its upstream distribution. CentOS stands for "Community ENTerprise Operating System". CentOS is the perfect server for people who need enterprise-class operating system stability without the cost of certification and support and the pocket-burning baggage that comes with proprietary software. And the beauty is that CentOS is free.

Webmin is a web-based GUI for system administration of Linux/UNIX. Using any modern web browser, you can set up user accounts, Apache, DNS, file sharing and much more. Webmin removes the need to manually edit UNIX configuration files like /etc/passwd, and lets you manage a system from the console or remotely with ease. Here we'll use Webmin mainly to configure the Shorewall firewall.

Lockdown server: we also need to lock down our firewall server to secure our application servers against cyber-criminals and malware. For this we'll use Clamd. Clamd, which comes integrated with ClamAV and clamav-db, fits the bill for our task. It's a multi-threaded daemon that uses libclamav to scan files for viruses. The daemon listens for incoming connections on a Unix and/or TCP socket and scans files or directories on demand for viruses. The daemon is fully configurable via the clamd.conf file; it reads its configuration from /etc/clamd.conf.

Clam AntiVirus (ClamAV) is an open source (GPL) anti-virus toolkit for UNIX, designed especially for e-mail scanning on mail gateways. It provides a number of utilities including a flexible and scalable multi-threaded daemon, a command line scanner and an advanced tool for automatic database updates. The core of the package is an anti-virus engine available in the form of a shared library.

Assumptions:

It's assumed that you have a good understanding of the Linux operating system and its working environment. It's also assumed that you know how to install and configure Linux CentOS 5; if not, go ahead and pop over to scribd.com and check out a good howto entitled "Install Guide Linux CentOS5 Server v1.1" to get you started.
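The Introduction describes Shorewall as reading a set of configuration files and turning them into iptables rules. The script below is an added example, not part of this manual or of the Shorewall project: it stages the five files a minimal two-interface gateway needs (zones, interfaces, policy, masq, rules) and then checks the one property a firewall administrator should confirm before starting the firewall, namely that the policy file ends in a default-deny catch-all. It assumes eth0 faces the Internet, eth1 faces the LAN, and the LAN uses 192.168.1.0/24; none of those values come from the page. The target directory is passed as an argument so the files can be inspected in a scratch directory first and copied to /etc/shorewall afterwards.

```shell
#!/bin/sh
# Added example (not from the manual or the Shorewall project): stage a
# minimal Shorewall configuration for a gateway with one Internet-facing
# NIC and one LAN NIC, then verify its default-deny policy.
# Assumptions (not stated on the page): eth0 = Internet, eth1 = LAN,
# LAN network 192.168.1.0/24. All files are written under the directory
# given as $1 (use /etc/shorewall on the real firewall).

write_shorewall_config() {
    dir="$1"
    mkdir -p "$dir"

    # zones: the firewall itself plus one zone for each side of the gateway
    cat > "$dir/zones" <<'EOF'
#ZONE   TYPE      OPTIONS
fw      firewall
net     ipv4
loc     ipv4
EOF

    # interfaces: map each zone to a NIC. The Internet side gets the
    # anti-spoofing and bogus-packet checks; the LAN side gets the dhcp
    # option because the manual runs a DHCP server on that interface.
    cat > "$dir/interfaces" <<'EOF'
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      tcpflags,nosmurfs,routefilter,logmartians
loc     eth1        detect      dhcp,tcpflags,nosmurfs
EOF

    # policy: the LAN may reach the Internet; everything arriving from the
    # Internet is dropped and logged; the last line is the catch-all that
    # rejects anything the earlier lines and the rules file do not allow.
    cat > "$dir/policy" <<'EOF'
#SOURCE   DEST   POLICY   LOG LEVEL
loc       net    ACCEPT
net       all    DROP     info
all       all    REJECT   info
EOF

    # masq: hide the LAN behind the address of eth0 (SNAT/masquerading)
    cat > "$dir/masq" <<'EOF'
#INTERFACE   SOURCE
eth0         192.168.1.0/24
EOF

    # rules: explicit exceptions to the policies. Only the LAN may reach
    # the firewall's SSH port and ping it; nothing is opened from the net zone.
    cat > "$dir/rules" <<'EOF'
#ACTION   SOURCE   DEST   PROTO   DEST PORT(S)
ACCEPT    loc      $FW    tcp     22
ACCEPT    loc      $FW    icmp    8
EOF
}

# Exit 0 only if the last non-comment, non-blank line of the policy file is
# "all all DROP" or "all all REJECT"; anything else means traffic that no
# earlier policy or rule matched would not be denied by default.
check_policy_catchall() {
    awk '!/^[ \t]*(#|$)/ { last = $0 }
         END {
             split(last, f)
             exit !(f[1] == "all" && f[2] == "all" && (f[3] == "DROP" || f[3] == "REJECT"))
         }' "$1/policy"
}

# Print the number of zones defined (comments and blank lines ignored)
count_zones() {
    awk '!/^[ \t]*(#|$)/ { n++ } END { print n + 0 }' "$1/zones"
}
```

On the firewall itself the sequence would be `write_shorewall_config /etc/shorewall && check_policy_catchall /etc/shorewall && shorewall check`, with `shorewall check` (the command behind Part 4, Step 6) compiling the files without loading them; note that STARTUP_ENABLED must also be set to Yes in shorewall.conf before `shorewall start` will run, which this example deliberately leaves untouched.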