remote firewall advice

Drake Diedrich dld at coyote.com.au
Mon Feb 17 03:52:16 EST 2003


Hi Bob,

   What I do for both my parents and in-laws (who are now both on
pure-Linux.  All the kids were getting really embarrassed having to explain
to people that it wasn't *us* that was sending viruses, but someone who had
all of our email addresses on their computer and connected through
earthlink.. hmmmm, who in 6 billion people best matches *that* profile..).
Three expert computer kids *could not* clean that system over Thanksgiving,
so it's been wiped.)
   Anyway, the setup they both have is that when the machines (Linux)
connect, they register themselves with a bind9 server running on a Linux box
at one of the kids computers (was mine, but then I had to give up my /26..).
That box is also running the mailserver for coyote.com.au.  Their incoming
mail comes through this machine and is forwarded to the address they
register on connect (in the d.coyote.com.au subdomain).  Authentication is
possible, but I don't bother with it, as I do strong authentication at the
SMTP layer, and all an attacker can do is DoS for the duration of the
attack.  The postfix-tls mail server is sent an ETRN, and immediately ships
the queued email through to the client machine.  Any email sent to them is
immediately forwarded, no waiting 2-5 minutes for polling.  Email is also
backed up at the smtp server, which has come in handy twice (one hard disk
failure, one experiment with a different mail client).  The server-client
connection is authenticated and encrypted, so it's actually a little safer
than using an ISP's mail system.  I was originally using the postfix-tls
server as their outbound mail relay, but ISPs have started blocking that, so
outbound is through the ISP's normal smtp server now.


   Some config file snippets:
(um, warning, I assembled this latest one in a hurry on a Redhat desktop,
much source compiled by hand, so files are all over the place.  I'm afraid
to clean it up).

named.conf
---------
zone "coyote.com.au" {
        type master;
        file "/var/named/coyote.com.au";
};

zone "d.coyote.com.au" {
        type master;
        file "/var/named/d.coyote.com.au";
        allow-update { 0.0.0.0/0; };
};

d.coyote.com.au
---------------
$ORIGIN .
$TTL 86400      ; 1 day
d.coyote.com.au         IN SOA  ns1.coyote.com.au. postmaster.coyote.com.au. (
                                929330614  ; serial
                                10800      ; refresh (3 hours)
                                3600       ; retry (1 hour)
                                3600000    ; expire (5 weeks 6 days 16 hours)
                                86400      ; minimum (1 day)
                                )
                        NS      ns1.coyote.com.au.
                        NS      ns2.coyote.com.au.
                        MX      100 smtp.coyote.com.au.
$ORIGIN d.coyote.com.au.
$TTL 3600       ; 1 hour
charybdis               A       216.119.0.202
$TTL 0  ; 0 seconds
localhost               A       169.254.0.0
$TTL 3600       ; 1 hour
two                     A       216.119.3.177
underhill               A       203.194.37.163
undone                  A       192.168.1.254


   The bind9 server, for some reason I haven't sorted out, returns the
server's address on all queries from the internet, but returns the real
client address on localhost (to the postfix server).  I wish I knew how I
managed that, it almost sounds like a feature.  :)  It didn't do that on the
two Debian bind9 servers before this one..
The entries at the bottom were all added online, not by hand in the config
file.


postfix main.cf on server
-------------------------
myhostname = smtp.coyote.com.au
myorigin = coyote.com.au
mydestination = $myhostname, localhost.$mydomain, $mydomain, mail.$mydomain, smtp.coyote.com.au,hanguk.coyote.com.au,hanguk.diedrich.net
smtpd_recipient_restrictions= permit_mynetworks check_relay_domains permit_tls_all_clientcerts
debug_peer_level = 2
smtp_tls_cert_file = /etc/postfix/cert.pem
smtp_tls_key_file = /etc/postfix/key.pem
smtp_tls_CAfile = /etc/postfix/CAcert.pem
smtpd_tls_CAfile = /etc/postfix/CAcert.pem
smtpd_tls_CApath = /etc/postfix/certs
smtp_tls_CApath = /etc/postfix/certs
smtpd_tls_cert_file = /etc/postfix/cert.pem
smtpd_tls_key_file = /etc/postfix/key.pem
smtp_tls_loglevel = 2
smtp_use_tls = yes
smtpd_tls_loglevel = 2
smtpd_use_tls = yes
smtpd_tls_ask_ccert = yes

# only use TLS authenticated connections to these client machines
# I don't actually know that the wildcard works -dld
# (note: main.cf keeps only the last assignment of a parameter, so as
# written only the two *.d.coyote.com.au lines below are in effect)

smtp_enforce_tls_recipients = underhill.d.coyote.com.au
smtp_enforce_tls_sites = underhill.d.coyote.com.au
smtp_enforce_tls_recipients = undone.d.coyote.com.au
smtp_enforce_tls_sites = undone.d.coyote.com.au
smtp_enforce_tls_recipients = *.d.coyote.com.au
smtp_enforce_tls_sites = *.d.coyote.com.au

# keep mail a long time, since it may be a while between logins when they
# go off somewhere.  Also poll reasonably frequently in case the ETRN gets
# lost
maximal_queue_lifetime = 60
maximal_backoff_time = 1800


postfix main.cf on client machine
---------------------------------
# no domain listed, so it works on multiple dialups whose smtp server
# just happen to all be smtp.domain.
relayhost = smtp

smtp_tls_CAfile = /etc/postfix/CAcert.pem
smtp_tls_cert_file = /etc/postfix/cert.pem
smtp_tls_key_file = /etc/postfix/key.pem
smtp_tls_CApath = /etc/postfix/certs
smtpd_tls_CAfile = /etc/postfix/CAcert.pem
smtpd_tls_cert_file = /etc/postfix/cert.pem
smtpd_tls_key_file = /etc/postfix/key.pem
smtpd_tls_CApath = /etc/postfix/certs
smtp_use_tls = yes
smtpd_use_tls = yes
smtp_tls_loglevel = 2
smtpd_tls_loglevel = 2
smtpd_tls_ask_ccert = yes
maximal_queue_lifetime = 60
maximal_backoff_time = 900 



   You also need to create all the SSL certs, and either put the self-signed 
certs on the server and client, or sign them with a common CA and
put the CA cert on all machines.  Stuff like:

openssl req -new -days 1826 -text -out server.csr
openssl rsa -in privkey.pem -out server.key
openssl req -x509 -days 1826 -in server.csr -text -key server.key -out server.crt

   CAs require even more flags and files - I use a kit: the easy-rsa one
from OpenVPN.


Some other commands in my notes that may come in handy:
c_rehash /etc/postfix/certs   # c_rehash is its own script, not an openssl subcommand
# openssl req -new -key duhKey.pem -out duh.csr
# openssl ca -days 3650 -out duh.crt -in duh.csr -CA ca.key
. vars
./build-key duh
./build-ca
./sign-req duh
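The openssl and easy-rsa commands above are the author's notes. The script below is an added example, not from the post and not from easy-rsa, that does the "sign them with a common CA" variant with plain openssl: one private CA, a server and a client certificate signed by it, the hashed CApath directory that c_rehash would build, and a verification step. The directory layout, the subject names and the use of -nodes (unencrypted keys, because Postfix has to load them unattended at startup) are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): a private CA plus one server and
# one client certificate for the Postfix TLS setup above, using the plain
# openssl command line instead of the easy-rsa kit.  Paths and subject names
# are assumptions; keys are written without a passphrase (-nodes).
set -e

# Create ca.key/ca.crt in $1 (the directory is created if needed).
make_ca() {
    dir=$1
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1826 \
        -subj "/CN=example-mail-ca" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
}

# Issue $2.key / $2.crt for the host name $2, signed by the CA in $1.
# The CN is the host name, which is what a TLS peer-name check compares against.
issue_cert() {
    dir=$1
    name=$2
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=$name" \
        -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
    openssl x509 -req -days 1826 -in "$dir/$name.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/$name.crt" 2>/dev/null
}

# Populate a CApath-style directory ($2) with a hash-named copy of the CA
# certificate $1; this is the layout c_rehash produces and the one
# smtpd_tls_CApath / smtp_tls_CApath in the main.cf above read.
make_capath() {
    cafile=$1
    capath=$2
    mkdir -p "$capath"
    hash=$(openssl x509 -noout -hash -in "$cafile")
    cp "$cafile" "$capath/$hash.0"
}

# Print "OK" if certificate $2 chains to the CA certificate $1, "FAIL" otherwise.
verify_cert() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

# Print the subject CN of a certificate (works with old and new openssl output).
cert_cn() {
    openssl x509 -noout -subject -in "$1" | sed -e 's/.*CN *= *//'
}

# Usage: sh make-certs.sh /etc/postfix/pki  (no argument: only define functions)
if [ -n "${1:-}" ]; then
    make_ca "$1"
    issue_cert "$1" smtp.coyote.com.au
    issue_cert "$1" underhill.d.coyote.com.au
    make_capath "$1/ca.crt" "$1/certs"
    verify_cert "$1/ca.crt" "$1/underhill.d.coyote.com.au.crt"
fi
```

The server gets ca.crt as CAfile, its own cert/key pair as smtpd_tls_cert_file/smtpd_tls_key_file, and the client the same with its pair; a client certificate from any other CA then fails the verify step, which is the property permit_tls_all_clientcerts relies on.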


   The following are run in the hooks that run after the connection comes up,
and sometimes before the connection goes down.  169.254.0.0 is supposed
to be another unroutable number, DHCP-no-host-address-available or something.
127.0.0.2 or something like that would probably also work.

nsupdate-up
-----------
#!/bin/sh -x

set -e

INTERFACE=$1

# first IPv4 address on the interface; match "inet " so the inet6 line is skipped
NETWORK=`ip addr show ${INTERFACE} | awk '/inet / { print $2; exit }'`
ADDR=`echo ${NETWORK} | sed -e 's/\/.*//'`
# short host name, the same form nsupdate-down uses, so both scripts touch the same record
HOSTNAME=`hostname -s`
nsupdate <<EOF
server ddns.coyote.com.au
update delete $HOSTNAME.d.coyote.com.au A
update add $HOSTNAME.d.coyote.com.au 3600 A $ADDR
send
EOF

# ask the smtp server to deliver this host's queued mail now instead of waiting for the next retry
telnet smtp.coyote.com.au smtp <<EOF
ETRN $HOSTNAME.d.coyote.com.au
QUIT
EOF


nsupdate-down
-------------
#!/bin/sh

set -e

INTERFACE=$1

# computed for symmetry with nsupdate-up; not used below, the record is parked on 169.254.0.0
NETWORK=`ip addr show ${INTERFACE} | awk '/inet / { print $2; exit }'`
ADDR=`echo ${NETWORK} | sed -e 's/\/.*//'`
HOSTNAME=`hostname -s`
nsupdate <<EOF
server ddns.coyote.com.au
update delete $HOSTNAME.d.coyote.com.au A
update add $HOSTNAME.d.coyote.com.au 3600 A 169.254.0.0
send
EOF
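The registration described at the top of the mail and implemented by nsupdate-up / nsupdate-down accepts updates from anywhere (allow-update { 0.0.0.0/0; }), which the author notes leaves the zone open to a DoS. As an added example, not part of the post or its scripts, here is the same up/down hook folded into one script whose updates are signed with a TSIG key, together with the named.conf fragment that limits that key to the host's own record. The key name, the key file path /etc/ddns/ddns-key.conf and the named.conf fragment are assumptions; the server, zone, TTL and 169.254.0.0 parking address are the ones used above.

```shell
#!/bin/sh
# Added example, not from the original post: nsupdate-up/nsupdate-down folded
# into one hook script whose updates are signed with a TSIG key.  On the
# server, the zone then needs (assumed named.conf fragment) instead of
# "allow-update { 0.0.0.0/0; };":
#
#   key "ddns-two" { algorithm hmac-sha256; secret "<base64 from tsig-keygen>"; };
#   zone "d.coyote.com.au" {
#       type master;
#       file "/var/named/d.coyote.com.au";
#       update-policy { grant ddns-two name two.d.coyote.com.au A; };
#   };
#
# so the key issued to host "two" can only touch two.d.coyote.com.au, and a
# stolen key (or anyone on the internet) cannot rewrite the other records.
set -e

DDNS_SERVER=ddns.coyote.com.au    # from the post
DDNS_ZONE=d.coyote.com.au         # from the post
TTL=3600                          # from the post
PARKED=169.254.0.0                # the post's "host is offline" address
KEYFILE=/etc/ddns/ddns-key.conf   # assumption: key statement written by tsig-keygen

# Print the first IPv4 address from the text of `ip addr show IFACE`, without
# the /prefix.  Matching "inet " (with the trailing space) skips inet6 lines,
# which the original awk pattern /inet/ also matched.
pick_ipv4() {
    printf '%s\n' "$1" | awk '/^ *inet / { sub(/\/.*/, "", $2); print $2; exit }'
}

# Print the nsupdate batch for host $1 in state $2 (up|down) with address $3.
# "down" parks the record on $PARKED rather than deleting it, as the post does.
update_batch() {
    host=$1; state=$2; addr=$3
    if [ "$state" != up ]; then
        addr=$PARKED
    fi
    printf 'server %s\n' "$DDNS_SERVER"
    printf 'zone %s\n' "$DDNS_ZONE"
    printf 'update delete %s.%s A\n' "$host" "$DDNS_ZONE"
    printf 'update add %s.%s %s A %s\n' "$host" "$DDNS_ZONE" "$TTL" "$addr"
    printf 'send\n'
}

# Build the batch for this host and send it signed with the TSIG key.
# Exits non-zero, and leaves DNS alone, if the interface has no IPv4 address.
register() {
    state=$1; iface=$2
    host=$(hostname -s)
    addr=$(pick_ipv4 "$(ip addr show "$iface")")
    if [ "$state" = up ] && [ -z "$addr" ]; then
        echo "no IPv4 address on $iface" >&2
        return 1
    fi
    update_batch "$host" "$state" "$addr" | nsupdate -k "$KEYFILE"
}

# Hook entry point: "ddns-hook up ppp0" after connect, "ddns-hook down ppp0"
# before disconnect.  With no arguments only the functions are defined.
case "${1:-}" in
    up|down) register "$1" "$2" ;;
esac
```

One key per client host, each granted only its own name, keeps the blast radius of a lost laptop to that laptop's record; the ETRN step from nsupdate-up is unchanged and would follow the register call in the up case.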



   Configuring an IMAP/POP server and webcache and virus/spam filters and a
local BIND and DHCP and masquerading and the Windows machine to use these is
less interesting but all useful (so I can plug in my laptop and not need to
configure anything when I visit).  The above all works out of the box on
Debian 3.0.  I had to hand compile both bind9 and postfix-tls on the Redhat
box, but it may have been available, I just didn't know where.

-Drake


