[Shorewall-users] Adding WiFi DMZ for Guest "pass through" only. How to make sure I avoid the rest of my LAN?
d***@123mail.org
2017-03-11 16:56:06 UTC
I'm working on my 1st shorewall setup.

It's running on a 2 ethernet interface box, with a VPN connection too.

Reading the copious docs I got all that working \o/

Now I want to add a USB WiFi interface that will be used for only one purpose -- as an AccessPoint for guests to access the EXTERNAL internet only.

I want to just allow them to log in (using hostapd) and get to the 'net. Hostapd + dhcp gives them a 10.128.128.##/24 address on login. Nothing else in my LAN will ever use that segment.

I want them to completely bypass all my internal LAN infrastructure -- no broadcast, no FW rules, etc. All firewall-ing, dns, etc. I want them to worry about on their own -- and using external resources (e.g., NOT using my LAN dns).

I'd like to make sure that providing that access is as lightweight on my shorewall as possible.

So I _think_ I need to set this up as a DMZ.

So far, just based on reading & examples, I added this to my shorewall config

hosts
wifi0 WIFI0_IF:10.128.128.0/24

zones
wifi0 ipv4

params
GUEST_WIFI0_IF=wlan0

interfaces
wifi0 WIFI0_IF optional,physical=$GUEST_WIFI0_IF,dhcp,tcpflags,nosmurfs,logmartians=1,routefilter=1,sourceroute=0

Does that look about right? I'm not sure if that's "overdone or underdone" :-/ The examples I found all seem to integrate the wifi INTO the lan -- I'm trying to make sure it AVOIDS the lan, and is just a "fast/lean pipe" to the net. The "leave my LAN alone" part is what I'm most concerned about from a security perspective. Not putting unnecessary load on my firewall would be nice too.

If the above is right, is there a MACRO that makes it simple for

rules

? Or is there a simple rule(s) that should do it?

Thanks,

DT
Tom Eastep
2017-03-11 19:38:22 UTC
Post by d***@123mail.org
I'm working on my 1st shorewall setup.
It's running on a 2 ethernet interface box, with a VPN connection too.
Reading the copious docs I got all that working \o/
Now I want to add a USB WiFi interface that will be used for only
one purpose -- as an AccessPoint for guests to access the EXTERNAL
internet only.
I want to just allow them to log in (using hostapd) and get to
the 'net. Hostapd + dhcp gives them a 10.128.128.##/24 address on
login. Nothing else in my LAN will ever use that segment.
I want them to completely bypass all my internal LAN infrastructure
-- no broadcast, no FW rules, etc. All firewall-ing, dns, etc. I
want them to worry about on their own -- and using external
resources (e.g., NOT using my LAN dns).
I'd like to make sure that providing that access is as lightweight
on my shorewall as possible.
So I _think_ I need to set this up as a DMZ.
So far, just based on reading & examples, I added this to my
shorewall config
hosts wifi0 WIFI0_IF:10.128.128.0/24
zones wifi0 ipv4
params GUEST_WIFI0_IF=wlan0
interfaces wifi0 WIFI0_IF
optional,physical=$GUEST_WIFI0_IF,dhcp,tcpflags,nosmurfs,logmartians=1,routefilter=1,sourceroute=0
Does that look about right? I'm not sure if that's "overdone or
underdone" :-/ The examples I found all seem to integrate the wifi
INTO the lan -- I'm trying to make sure it AVOIDS the lan, and is
just a "fast/lean pipe" to the net. The "leave my LAN alone" part
is what I'm most concerned about from a security perspective. Not
putting unnecessary load on my firewall would be nice too.
If the above is right, is there a MACRO that makes it simple for
rules
? Or is there a simple rule(s) that should do it?
You don't need any rules. You just need policies:

net wifi0 ACCEPT
wifi0 net ACCEPT
all wifi0 REJECT
wifi0 all REJECT

And you don't need the hosts file entry either.

-Tom
--
Tom Eastep \ Q: What do you get when you cross a mobster with
Shoreline, \ an international standard?
Washington, USA \ A: Someone who makes you an offer you can't
http://shorewall.net \________________________________________________
Ryan Joiner
2017-03-11 23:22:09 UTC
Post by d***@123mail.org
I'm working on my 1st shorewall setup.
It's running on a 2 ethernet interface box, with a VPN connection too.
Reading the copious docs I got all that working \o/
Now I want to add a USB WiFi interface that will be used for only
one purpose -- as an AccessPoint for guests to access the EXTERNAL
internet only.
I want to just allow them to log in (using hostapd) and get to
the 'net. Hostapd + dhcp gives them a 10.128.128.##/24 address on
login. Nothing else in my LAN will ever use that segment.
I want them to completely bypass all my internal LAN infrastructure
-- no broadcast, no FW rules, etc. All firewall-ing, dns, etc. I
want them to worry about on their own -- and using external
resources (e.g., NOT using my LAN dns).
I'd like to make sure that providing that access is as lightweight
on my shorewall as possible.
So I _think_ I need to set this up as a DMZ.
So far, just based on reading & examples, I added this to my
shorewall config
hosts wifi0 WIFI0_IF:10.128.128.0/24
zones wifi0 ipv4
params GUEST_WIFI0_IF=wlan0
interfaces wifi0 WIFI0_IF
optional,physical=$GUEST_WIFI0_IF,dhcp,tcpflags,nosmurfs,logmartians=1,routefilter=1,sourceroute=0
Does that look about right? I'm not sure if that's "overdone or
underdone" :-/ The examples I found all seem to integrate the wifi
INTO the lan -- I'm trying to make sure it AVOIDS the lan, and is
just a "fast/lean pipe" to the net. The "leave my LAN alone" part
is what I'm most concerned about from a security perspective. Not
putting unnecessary load on my firewall would be nice too.
If the above is right, is there a MACRO that makes it simple for
rules
? Or is there a simple rule(s) that should do it?
net wifi0 ACCEPT
wifi0 net ACCEPT
all wifi0 REJECT
wifi0 all REJECT
And you don't need the hosts file entry either.
-Tom
--
Tom Eastep \ Q: What do you get when you cross a mobster with
Shoreline, \ an international standard?
Washington, USA \ A: Someone who makes you an offer you can't
http://shorewall.net \________________________________________________
_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
On 3/11/17 12:38 PM, Tom Eastep wrote:
Tom, Hey just curious, how come you say to do:

net wifi ACCEPT

at the top of that policy file? Does that open up more than desired?

Also doesn't there need to be a MASQUERADE line in snat file?
MASQUERADE 10.128.128.0/24 eth0 (or whatever interface for net is)
Tom Eastep
2017-03-12 00:08:54 UTC
Post by Ryan Joiner
On 3/11/17 12:38 PM, Tom Eastep wrote:
Tom, Hey just curious, how come you say to do:
net wifi ACCEPT
I said

net wifi0 ACCEPT

Post by Ryan Joiner
at the top of that policy file? Does that open up more than desired?
You said that your guests need to do their own firewalling. And this
actually opens up very little since your firewall is doing NAT.
Post by Ryan Joiner
Also doesn't there need to be a MASQUERADE line in snat file?
MASQUERADE 10.128.128.0/24 eth0 (or whatever interface for net is)
Not if you use the snat file from the two-interface sample. It
masquerades all of the RFC 1918 subnets.

-Tom
--
Tom Eastep \ Q: What do you get when you cross a mobster with
Shoreline, \ an international standard?
Washington, USA \ A: Someone who makes you an offer you can't
http://shorewall.net \________________________________________________
d***@123mail.org
2017-03-12 02:00:55 UTC
Tom
Post by Tom Eastep
net wifi0 ACCEPT
wifi0 net ACCEPT
all wifi0 REJECT
wifi0 all REJECT
Got it. I didn't understand that policies have an *order*. Thanks for that.
Post by Tom Eastep
You said that your guests need to do their own firewalling. And this
actually opens up very little since your firewall is doing NAT.
Not if you use the snat file from the two-interface sample. It
masquerades all of the RFC 1918 subnets.
Wasn't me asking :-) But helpful anyway.

DT
d***@123mail.org
2017-03-12 02:38:13 UTC
Tom,
Post by Tom Eastep
net wifi0 ACCEPT
wifi0 net ACCEPT
all wifi0 REJECT
wifi0 all REJECT
So with your recommendation above, everything from a client attached thru the wifi/hostapd interface works -- as long as I give the client a STATIC IP.

But when I want to serve that IP from the DHCP server on the same box -- which HAS been supposedly configured to listen on the wifi0 interface -- I get stuck at "Getting IP address ...". And it never gets it.

So I guess just having DHCPd listen on the interface isn't enough, and I have to ALLOW the DHCP traffic?

I understand I'm contradicting my earlier comment about not touching anything on my LAN -- I guess I have to touch DHCP :-/

Of course don't want to open too much now.

Is that done with a POLICY too? Or now do I need to look at a rule?

DT
d***@123mail.org
2017-03-12 04:24:40 UTC
Lesson learned: Stumble around long enough in the docs and you'll find "it"!

Adding 2 rules

DHCPfwd(ACCEPT) $FW wifi0
Ping(ACCEPT) $FW wifi0

Did the trick. All good now.

DT
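As an added illustration (not code from the thread, and not Shorewall's own code), here is a small Python model of the evaluation order the thread turns on: the rules file is consulted first, and only if nothing matches is the policy file searched top to bottom, first match winning, with "all" as a wildcard. It uses Tom's four guest policies, the DHCPfwd/Ping rules DT added (expanded by hand, an assumed simplification of the macros), and an assumed policy tail modelled on the two-interface sample, and shows why putting the wildcard REJECT first would shadow `net wifi0 ACCEPT`.

```python
# Added example, not code from the thread or from Shorewall: a small model of the
# order in which Shorewall consults its configuration for a NEW connection between
# zones. The rules file is checked first; if nothing matches, the policy file is
# searched top to bottom and the first matching line wins, "all" being a wildcard.

# Tom's four guest-WiFi policies in file order, plus an ASSUMED tail modelled on
# the two-interface sample (loc->net ACCEPT, net->all DROP, all->all REJECT).
POLICIES = [
    ("net",   "wifi0", "ACCEPT"),
    ("wifi0", "net",   "ACCEPT"),
    ("all",   "wifi0", "REJECT"),
    ("wifi0", "all",   "REJECT"),
    ("loc",   "net",   "ACCEPT"),
    ("net",   "all",   "DROP"),
    ("all",   "all",   "REJECT"),
]

# The two rules DT added, as (action, source, dest, proto, dest port). The DHCPfwd
# and Ping macros are expanded by hand, an ASSUMED simplification: DHCPfwd permits
# UDP 67 in both directions, Ping permits ICMP.
RULES = [
    ("ACCEPT", "$FW",   "wifi0", "udp",  67),
    ("ACCEPT", "wifi0", "$FW",   "udp",  67),
    ("ACCEPT", "$FW",   "wifi0", "icmp", None),
]

def decide(src, dst, proto=None, dport=None, rules=RULES, policies=POLICIES):
    """Action taken for a new connection from zone src to zone dst."""
    for action, rsrc, rdst, rproto, rport in rules:        # rules are tried first
        if (rsrc, rdst, rproto) == (src, dst, proto) and rport in (None, dport):
            return action
    for psrc, pdst, action in policies:                   # then policies, in order
        if psrc in (src, "all") and pdst in (dst, "all"):
            return action
    return "REJECT"  # assumed fallback; a real policy file ends with a catch-all

def swapped_policies():
    """Tom's policies with 'all wifi0 REJECT' moved above 'net wifi0 ACCEPT':
    the wildcard then shadows the ACCEPT, which is the ordering lesson DT noted."""
    p = list(POLICIES)
    p[0], p[2] = p[2], p[0]
    return p

if __name__ == "__main__":
    for case in [("wifi0", "net", "tcp", 443), ("wifi0", "loc", "tcp", 445),
                 ("wifi0", "$FW", "udp", 53), ("wifi0", "$FW", "udp", 67),
                 ("loc", "wifi0", "tcp", 22), ("$FW", "wifi0", "icmp", None)]:
        print(case, "->", decide(*case))
    print("net->wifi0, reordered:", decide("net", "wifi0", "tcp", 80,
                                           policies=swapped_policies()))
```

Guests reach the net, are refused toward loc and toward the firewall's own DNS, and get DHCP and ping only because of the two explicit rules; with the policies reordered, net->wifi0 is refused.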
