In Part 1, we installed the excellent Monowall and completed basic configuration. In part 2, we use it to create a firewall and set up secure remote access over the Internet.
How to Set Up an Internet Firewall with Monowall

Ideally you have an Internet connection that you can connect only to your little two-computer test lab (see Part 1) until you are comfortable with Monowall.
The Internet is a big bad scary place full of malware, and also full of much automated spew that we don't need pouring into our own private networks. The simplest firewall blocks all incoming traffic, allowing in only responses to traffic that originated inside your LAN, such as email and Web surfing. If you are not running any Internet-facing services then this is the firewall for you. The number one rule of firewalls is "Deny all, allow only as needed."
You will need the configuration settings for your account from your Internet service provider. If you have your own static IP address then most likely it's your IP address, gateway, and the addresses of your ISP's nameservers. If it's a dynamic account then you'll need just the nameserver addresses.
Enter Monowall's webGUI and set up your WAN interface. Do this on the Interfaces > WAN screen. Start at the very top with the Type dropdown menu. Select Static or DHCP, whichever is appropriate for your Internet account. Skip MAC address. If you have a static address, then enter it and your gateway address in Static IP configuration. Skip everything else until you get to the bottom, where there is a checkbox for Block private networks. Make sure this is checked, and then click Save.
Now go to the System > General Setup tab and enter your ISP's DNS servers in the DNS Servers section. Do this even if you have a DHCP account, and leave the Allow DNS server list to be overridden by DHCP/PPP box checked.
Do one more bit of housekeeping while you're here -- at the bottom, change the NTP time server to pool.ntp.org. This is always the best default since it links to the global NTP server pool. When you configure which NTP server your LAN clients should use, point them to your Monowall server.
That's it. Plug Monowall into your Internet interface and you should be able to Web surf from your test LAN PC. You can run a quick test of your firewall from GRC ShieldsUP!. Note how it detects and reports your public IP address. Then click the Proceed button to go to the next page. In the ShieldsUP! Services box click the All service ports button. A progress graph appears as each port is tested. You should not see any red.
When it's finished, it will mark the test as a failure because of the Ping Reply test. Do not disable ping, or more precisely ICMP echo. Some admins mistakenly believe that blocking pings is good security. It isn't, and ICMP is an essential network function, so ignore this "failure."
Secure IPsec VPN

A VPN (virtual private network) is a secure tunnel over untrusted networks, so you can safely log into your work network from home, or connect branch offices. If you've been doing any Windows networking, you're probably familiar with PPTP (Point-to-point protocol). It is popular because it is easy to set up. However, it is not very secure, so it is better to invest a little time learning how to run a more secure VPN. Monowall supports IPsec (Internet protocol security), which provides good strong security.
If you're going to enable remote access to your network, you really need an Internet account with a static IP address. It is possible, but painful, to use a low-budget dynamic Internet account. It's not worth the hassle -- spend the few more bucks to get a static address.
VPN Between Two Networks

Before you set this up there are some prerequisites. First, you cannot connect overlapping subnets. If your LAN is in the 192.168.1.0/24 range, then you cannot set up a VPN tunnel with another 192.168.1.0/24 network, because the two subnets must be unique. Second, there must be a VPN server on the other end of the connection. This can be another Monowall box or some other IPsec server.
In the Monowall webGUI, go to the VPN > IPsec > Tunnels tab. Check Enable IPsec. Then click on the little plus button to add a VPN connection, which opens a screen like Figure 1.

Figure 1: Creating a new site-to-site VPN tunnel.

The Mode is Tunnel, which we can't change. The Disable option is nice, an easy way to turn the tunnel off for troubleshooting. Obviously do not disable it now! Interface is WAN. Check Enable NAT Traversal. The Dead Peer Detection option automatically closes the tunnel when it is not being used; 60 seconds is a reasonable value. (The IPsec protocol passes "I am here" messages even when there is no user activity.) The Local Subnet defines how much of your LAN you want to be remotely accessible; the LAN subnet is your whole LAN, and you don't have to type in the address. Remote Subnet, which is the network on the other end of the connection, must be exactly the same as the Local Subnet setting on the other end of the connection. The Description field is anything you want, like a nickname for this connection, or notes on its purpose.
Now move on to the Phase 1 proposal section (see Figure 2).

Figure 2: Security settings for your new VPN tunnel.

Set Negotiation Mode to Aggressive. My Identifier can be a number of things; the easiest is your WAN IP address. The Encryption Algorithm must match what the other endpoint uses, and 3DES is pretty much universal. The Hash algorithm should be SHA1 because it is stronger than MD5, though again this needs to agree with the other endpoint. Same for DH key group; 1024 bits (group 2) is a good balance between speed and security.
The Lifetime field controls (in seconds) how long your side of the tunnel will wait for Phase 1 to be completed. The Monowall manual recommends 28800.
The Pre-Shared key must be exactly the same on both sides of the connection. Make this strong: more than 10 characters, with mixed case, numbers, and punctuation.
Now move on to the "Phase 2 proposal" section (Figure 3).

Figure 3: Configuring the VPN tunnel protocol and encryption types.

For Protocol select ESP. In the Encryption Algorithms section it is safe to select everything, though it is better to select only what you're going to use. Use SHA1 in the Hash Algorithms section if possible, because it is stronger than MD5. Set PFS Key Group to group 2 (1024 bits).
The Lifetime value, in seconds, controls the lifetime of your negotiated keys. 28800 is eight hours, which should get you through a workday. Don't go over 86400, which is 24 hours.
Click Save and Apply Changes, and your IPsec server is ready to connect to your other endpoint. How the connection is initiated depends on the IPsec server used on the other end; if it's another Monowall server then it will connect when you click Apply Changes, and you should be able to ping back and forth. The most important thing to remember is that all those settings need to be the same on both ends.
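Because a site-to-site tunnel only comes up when both ends mirror each other, it helps to check the two configurations side by side before clicking Apply Changes. The following is an added example, not part of the original article or of Monowall: it encodes the rules above (non-overlapping subnets, each Remote Subnet equal to the far end's Local Subnet, identical Phase 1/Phase 2 proposals and pre-shared key, a strong key, and a key lifetime no greater than 86400 seconds) as a small checker. The SITE_A and SITE_B dictionaries are constructed sample settings.

```python
import ipaddress

# Constructed settings for two Monowall endpoints (site A and site B); the
# values are illustrative, not taken from any real deployment.
SITE_A = {
    "local_subnet": "192.168.1.0/24", "remote_subnet": "192.168.2.0/24",
    "p1_encryption": "3DES", "p1_hash": "SHA1", "p1_dh_group": 2,
    "p2_protocol": "ESP", "p2_hash": "SHA1", "p2_pfs_group": 2,
    "p2_lifetime": 28800, "psk": "Br4nch-0ffice!Tunnel",
}
# Site B mirrors site A: its Local Subnet is A's Remote Subnet and vice versa.
SITE_B = dict(SITE_A, local_subnet="192.168.2.0/24", remote_subnet="192.168.1.0/24")

# Settings the article says must be identical on both ends of the tunnel.
MUST_MATCH = ("p1_encryption", "p1_hash", "p1_dh_group",
              "p2_protocol", "p2_hash", "p2_pfs_group", "psk")


def psk_is_strong(psk):
    """Article's rule: more than 10 chars with mixed case, digits and punctuation."""
    return (len(psk) > 10
            and any(c.islower() for c in psk) and any(c.isupper() for c in psk)
            and any(c.isdigit() for c in psk) and any(not c.isalnum() for c in psk))


def check_tunnel(a, b):
    """Return a list of problems; an empty list means the two ends agree."""
    problems = []
    la, ra = ipaddress.ip_network(a["local_subnet"]), ipaddress.ip_network(a["remote_subnet"])
    lb, rb = ipaddress.ip_network(b["local_subnet"]), ipaddress.ip_network(b["remote_subnet"])
    if la.overlaps(lb):                      # overlapping subnets cannot be tunnelled
        problems.append(f"overlapping subnets: {la} and {lb}")
    if la != rb or lb != ra:                 # Remote Subnet must equal the far Local Subnet
        problems.append("Remote Subnet on each side must equal the other side's Local Subnet")
    for key in MUST_MATCH:                   # proposals and PSK must be identical
        if a[key] != b[key]:
            problems.append(f"{key} differs: {a[key]!r} vs {b[key]!r}")
    if not psk_is_strong(a["psk"]):
        problems.append("pre-shared key is too weak")
    for side, cfg in (("A", a), ("B", b)):   # key lifetime should not exceed 24 hours
        if cfg["p2_lifetime"] > 86400:
            problems.append(f"site {side}: Phase 2 lifetime exceeds 86400 seconds")
    return problems


if __name__ == "__main__":
    print(check_tunnel(SITE_A, SITE_B) or "tunnel settings agree")
```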
Mobile VPN User

First go to the VPN > IPsec > Pre-Shared Keys tab and create a key for your user. Use their email address as the identifier, and create a long key (at least ten characters) using mixed-case, punctuation marks and numbers. Then go to the Mobile clients tab and set it up just like creating a site-to-site tunnel, using the identifier and pre-shared key you created.
The client setup depends on the software on the client machine; again remember to make everything the same where it needs to be. The Monowall handbook has a detailed example using the SafeNet SoftRemoteLT client software.
Source: smallbusinesscomputing