Rock64-wall image

[stuartiannaylor]

https://sourceforge.net/projects/rock64-...g/download

https://sourceforge.net/projects/rock64-wall/

Will be knocking up a simple firewall router image based on Ayufans xenial image.

Currently just a simple base with webmin / dnsmasq with iptables completely open with routing enable

Base uploaded next will be openvpn, snort

Finish off with dansuardian / squid.

May include samba4 and use kerberos will see how things go

[Luke]

https://sourceforge.net/projects/rock64-...g/download

https://sourceforge.net/projects/rock64-wall/

Will be knocking up a simple firewall router image based on Ayufans xenial image.

Currently just a simple base with webmin / dnsmasq with iptables completely open with routing enable

Base uploaded next will be openvpn, snort

Finish off with dansuardian / squid.

May include samba4 and use kerberos will see how things go

This is really good. May I suggest that perhaps you put together a script instead of a dedicated image and push that to ayufan ? Kind of like how ayufan added the OMV script to his minimal.

[stuartiannaylor]

https://sourceforge.net/projects/rock64-...g/download

https://sourceforge.net/projects/rock64-wall/

Will be knocking up a simple firewall router image based on Ayufans xenial image.

Currently just a simple base with webmin / dnsmasq with iptables completely open with routing enable

Base uploaded next will be openvpn, snort

Finish off with dansuardian / squid.

May include samba4 and use kerberos will see how things go

This is really good. May I suggest that perhaps you put together a script instead of a dedicated image and push that to ayufan ? Kind of like how ayufan added the OMV script to his minimal.

Prob not a script as I fail totally with regexs, but yeah loaded up the image for those who just want to grab at various stages without having to bother.
With each image just going to document the cli commands used and a little bit of rationale & reason why.

Image first then go back to scratch and do it again a just document cli, which prob this aft will do.

I may use the full isc dhcp & bind9 but to be honest I have used them before and always been a little bemused as yeah I know what they can do above dnsmasq but frankly never have.
dnsmasq is just a great lightweight dns/dhcp that if someone can post good reasons I might also go down that route.

Will see what you guys say.

So far it been extremely simple, so not much to script, but thought maybe my fudges and poor attempts may be a gauntlet thrown to someone else


## CLI Commands from start

Starting with xenial-minimal-rock64-0.5.10-118-arm64 https://github.com/ayufan-rock64/linux-b...m64.img.xz

```
sudo -i
systemctl -l
```

Looking through the list of services we have 2 failures ureadahead & zram-config.
Also noticed network-manager in that list! Bye to him as well.

```
apt-get remove ureadahead
apt-get remove zram-config
apt-get remove network-manager
apt-get remove dnsmasq-base
```

Really not more than a little bit of housekeeping but yeah get rid of network manager for a server base.
So now to turn on IP4 forwarding and because I have over 1gb ram I am actually going to tell Ubuntu to prefer it a bit more.

```
nano /etc/sysctl.conf
```

change #net.ipv4.ip_forward=1 to net.ipv4.ip_forward=1 to enable
At the end tack on
# Improve cache management
vm.vfs_cache_pressure=50

I have also banged my 32Gb eMMC opened up gparted and created a 4Gb swap.
If you do add this line as it will prefer memory and is a good level with more fickle media such a SSD & flash.

vm.swappiness=10

So its up to you and either just delete the hash to enable net.ipv4.ip_forward=1 and ignore the rest if you so wish.

```
ip addr show
```

If you have plugged in a USB ethernet adapter you will see that it is down and highly likely to have an ethernet name from hell like mine which is enx00e04c534458!

So we are going to create a udev persistant rule to give us a much nicer name.
```
nano /etc/udev/rules.d/70-persistent-net.rules
```
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:e0:4c:53:44:58", KERNEL=="eth*", NAME="eth1"

From the ip addr show I returned

3: enx00e04c534458: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fas t state DOWN group default qlen 1000
link/ether 00:e0:4c:53:44:58 brd ff:ff:ff:ff:ff:ff

You can see where I copied and pasted the mac notation into the persistant rule and on next boot I will have eth1.
Same with multiple Nics if you are going to go crazy and maybe have a DMZ or even port trunking just increment NAME="ethx".
Again not essential but for me are much more logical when adminstering the system.

So before we install webmin a bit more housekeeping.
```
apt-get update
apt-get upgrade
apt autoremove
```
So webmin needs.
```
apt-get install perl libnet-ssleay-perl openssl libauthen-pam-perl libpam-runtime libio-pty-perl apt-show-versions python

wget http://prdownloads.sourceforge.net/webad...50_all.deb

dpkg --install webmin_1.850_all.deb

rm webmin_1.850_all.deb
```
At this stage you could fire up webmin on the eth0 IP and configure from there but prefer cli to start with also dnsmasq module for webmin needs to be downloaded and installed and doesn't at all like remarks in the config file.

My router creates a private lan on 192.168.1.0 which will be the WAN subnet.
I have chosen 192.168.0.0 for my LAN subnet but...
"The private address segments (10.0.0.0 - 10.255.255.255, 172.16.0.0 - 172.31.255.255, 192.168.0.0 - 192.168.255.255) are commonly referred to as "non-routable" addresses."

Any of those 10.0.0.0 is common but plenty to choose from, but it is important its a "non-routable" addresses." scope.
```
nano /etc/network/interfaces.d/eth1
```
Copy & paste or chose your own based on

auto eth1
iface eth1 inet static
address 192.168.0.1
network 192.168.0.0
netmask 255.255.255.0
broadcast 192.168.0.255
post-up iptables-restore < /etc/iptables.up.rules

Now dnsmasq
```
apt-get install dnsmasq

cp /etc/dnsmasq.conf /etc/dnsmasq.old
```
As we edit dnsmasq.conf delete all the remarks and we have a backup copy in dnsmasq.old for reference as the webmin module just doesn't like them.
```
nano /etc/dnsmasq.conf
```
Delete all the guff and start with something simple you can always refer back to dnsmasq.old for more complex setups.

domain-needed
bogus-priv
no-resolv
no-poll
server=192.168.1.1
server=8.8.8.8
interface=eth1
domain=rock.lan
dhcp-range=192.168.0.24,192.168.0.254,12h

Then we will set up a FQDN in /etc/hosts & /etc/hostname
```
nano /etc/hosts
```
so its looks something like

127.0.0.1 localhost
127.0.1.1 rock64.rock.lan rock64
192.168.0.1 rock64.rock.lan rock64


# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
```
nano /etc/hostname
```
rock64.rock.lan

Obviously change to whatever registered or non registered domain name that fits your organisation.

Then set the iptables and NAT masquerade up the easy way.
```
apt-get install iptables
```
In a browser type in https://wan-assigned-router-addr:10000
Mine is https://192.168.1.20:10000 and log into webmin with the sudo user rock64

In networking -> linux firewall
Select Do network address translation on external interface in my case set to eth0
Enable firewall at boot and click setup firewall.

Now to get the dnsmasq module that is a bit old & creaky but after getting rid of all the remarks in dnsmasq.conf seems to work quite well and is good for refernce at least.

So google search for webmin dnsmasq
I downloaded from http://nixbit.com/software/dnsmasq-webmi...le-review/

Webmin -> Webmin Configuration -> Webmin modules.
Select From uploaded files and browse to the .wbm download
Click install module

System -> Bootup & Shutdown scroll down to the bottom and click Shutdown system & confirm click shutdown system

Swap your ethernet cables around so router is on eth0 (wan) and you switch/hub is on eth1 (lan)

Press the power on button on the rock64.

What you might have to do is force dhcp to get the new ip address (windows way).
```
ipconfig /release
ipconfig /renew

ipconfig /all
```
Should see us rocking on the rock.lan

[stuartiannaylor]

Add shorewall

apt-get install shorewall

nano -w /etc/default/shorewall

Change

startup = 0 to startup = 1

Copy the example rules from 

/usr/share/doc/shorewall/examples/two-interfaces/

cp /usr/share/doc/shorewall/examples/two-interfaces/interfaces /etc/shorewall/interfaces
cp /usr/share/doc/shorewall/examples/two-interfaces/masq /etc/shorewall/masq
cp /usr/share/doc/shorewall/examples/two-interfaces/policy /etc/shorewall/policy
cp /usr/share/doc/shorewall/examples/two-interfaces/rules /etc/shorewall/rules
cp /usr/share/doc/shorewall/examples/two-interfaces/zones /etc/shorewall/zones

Here are the contents of mine and apart from rules with an additional DNS rule of loc to fw & webmin, ntp all are verbatum.

/etc/shorewall/interfaces


#

# Shorewall - Sample Interfaces File for two-interface configuration.

# Copyright © 2006-2015 by the Shorewall Team

#

# This library is free software; you can redistribute it and/or

# modify it under the terms of the GNU Lesser General Public

# License as published by the Free Software Foundation; either

# version 2.1 of the License, or (at your option) any later version.

#

# See the file README.txt for further details.

#------------------------------------------------------------------------------

# For information about entries in this file, type "man shorewall-interfaces"

###############################################################################

?FORMAT 2

###############################################################################

#ZONE INTERFACE OPTIONS

net     eth0            dhcp,tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0
loc     eth1            tcpflags,nosmurfs,routefilter,logmartians


/etc/shorewall/masq

#

# Shorewall - Sample Masq file for two-interface configuration.

# Copyright © 2006-2015 by the Shorewall Team

#

# This library is free software; you can redistribute it and/or

# modify it under the terms of the GNU Lesser General Public

# License as published by the Free Software Foundation; either

# version 2.1 of the License, or (at your option) any later version.

#

# See the file README.txt for further details.

#------------------------------------------------------------------------------

# For information about entries in this file, type "man shorewall-masq"

################################################################################################################

#INTERFACEEST SOURCE ADDRESS PROTO PORT(S) IPSEC MARK USER/ SWITCH ORIGINAL

# GROUP DEST
eth0 192.168.0.0/16

/etc/shorewall/policy

#

# Shorewall - Sample Policy File for two-interface configuration.

# Copyright © 2006-2015 by the Shorewall Team

#

# This library is free software; you can redistribute it and/or

# modify it under the terms of the GNU Lesser General Public

# License as published by the Free Software Foundation; either

# version 2.1 of the License, or (at your option) any later version.

#

# See the file README.txt for further details.

#------------------------------------------------------------------------------

# For information about entries in this file, type "man shorewall-policy"

###############################################################################

#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST



loc net ACCEPT

net all DROP info

# THE FOLLOWING POLICY MUST BE LAST
all all REJECT info

/etc/shorewall/rules


#
# Shorewall - Sample Rules File for two-interface configuration.
# Copyright © 2006-2015 by the Shorewall Team
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# See the file README.txt for further details.
#------------------------------------------------------------------------------
# For information about entries in this file, type "man shorewall-rules"
######################################################################################################################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH HELPER
# PORT PORT(S) DEST LIMIT GROUP
?SECTION ALL
?SECTION ESTABLISHED
?SECTION RELATED
?SECTION INVALID
?SECTION UNTRACKED
?SECTION NEW
Invalid(DROP) net all tcp

#       Don't allow connection pickup from the net
#
# Accept NTP connections from the firewall to the network
ACCEPT $FW net udp 123
#
# Accept DNS connections from the firewall to the network
#
DNS(ACCEPT) $FW net
#
# Accept DNS connections from the local network to the network
DNS(ACCEPT) loc $FW
#
# Accept SSH connections from the local network for administration
#
SSH(ACCEPT) loc $FW
#
# Allow Ping from the local network
#
Ping(ACCEPT) loc $FW

#
# Drop Ping from the "bad" net zone.. and prevent your log from being flooded..
#

Ping(DROP) net $FW

ACCEPT $FW loc icmp
ACCEPT $FW net icmp
#
#Webmin
ACCEPT loc $FW tcp 10000



/etc/shorewall/zones

#

# Shorewall - Sample Zones File for two-interface configuration.

# Copyright © 2006-2014 by the Shorewall Team

#

# This library is free software; you can redistribute it and/or

# modify it under the terms of the GNU Lesser General Public

# License as published by the Free Software Foundation; either

# version 2.1 of the License, or (at your option) any later version.

#

# See the file README.txt for further details.

#------------------------------------------------------------------------------

# For information about entries in this file, type "man shorewall-zones"

###############################################################################

#ZONE TYPE OPTIONS IN OUT

# OPTIONS OPTIONS

fw firewall

net ipv4
loc ipv4

So you can now refresh your webmin page and you should automatically get a shorewall admin section.
IP6 is done by shorewall6 and its a duplicate just with IP addresses that twist my melon.
So before anyone says its just an apt-get install shorewall6 if you wish.

Currently we still have the iptables we originally setup but when you do start shorewall it will overwrite those rules with the shorewall setup.
When you stop shorewall it will revert back to a working but open router setup.
So its up to you but to run with shorewall only then firstly

systemctl enable shorewall

As to be honest I think its needed even if the docs I read never mentioned it.

If you want to take out the rules that we originally created and test shorewall only.

nano /etc/network/interfaces.d/eth1

auto eth1

iface eth1 inet static

address 192.168.0.1

network 192.168.0.0

netmask 255.255.255.0

broadcast 192.168.0.255
#post-up iptables-restore < /etc/iptables.up.rules

Comment out the post-up condition with a hash as above.

nano /etc/sysctl.conf
#net.ipv4.ip_forward=1

Again comment out ip_forward.

Click check firewall and if all is ok click apply configuration in webmin.

Then that is the next part done and we are a little more safe with ssh & webmin only available from the local network.

Nextstep is to install openvpn and only allow ssh & webmin on localhost and the only way you can connect is via a vpn.

Which is really how ssh & webmin should be run on any server in my books.

There is a lot of internet chatter about webmin being unsafe which seems to suggest running an admin console public means the software is unsafe.
It so paradoxical that we shall not go there and after the next step once we add the vpn subnet as the only access point to the settings of webmin and ssh dunno just don't get the arguments.
Who would run an web based admin console public??!

So all is good so far with the rockwall next step openvpn.

PS haven't got the functionality to put my rock public and port scan external but the above should find it locked from external access.
Anyone want to check please do.

[Luke]

Maybe pastebin would be better

[stuartiannaylor]

Maybe pastebin would be better

Maybe I will just supply the finished image?

[Luke]

Maybe pastebin would be better

Maybe I will just supply the finished image?

As you prefer

[stuartiannaylor]

Wish my memory was better but scrapped the idea of squid / dansguardian as been round this one before squid / dansguardian is completely useless unless you use MITM ssl filetering.
My vague memory sparked a community centre I once had squid / dansguardian and the realization that kids no what https is and also anonymous proxies, the URL filter was always playing catch up and got ditched because of needed admin time (blacklist / whitelist requests) all the time.

Also because we where public and had open sessions there was such a huge grey area in privacy that even if technically feasible, legally ssl filtering definitely is not depending on environment if there is no user signature.

I have a MS type illness that plays havoc with my memory and others and it took a while to remember why I abandoned this and had an opinion http / url filtering is pretty damn pointless server wise.
The kids that frequented the center knew the anonymous proxies and the dans/squid just seemed to encourage a few to show how clever they where.
Twas a complete failure.

If you are going to do MITM then boy do you need something with some meat to be encrypting / decrypting & filtering volume user ssl and started seeing many implementations as pure snake oil of no worth.

Best way to do it would have internal nat with a dedicated mitm proxy & filter but the whole self issuing certificate distribution is a complete pia and thinking scrap that idea.

Anyone with more recent or contary experience as its almost 5 years ago I had a Zentyal server being a relative failure for filtering.

[stuartiannaylor]

Rock64-wall-snort

Rock64 Base + Snort + Barnyard2 + Pulledpork + Basic Analysis and Security Engine (BASE) + Apache + Webmin

https://sourceforge.net/projects/rock64-...118/snort/

rock64-wall-snort.img.zip https://sourceforge.net/projects/rock64-...p/download

Rock64 1gb = Etho0 DHCP WAN

Need to edit udev persistence rule mentioned in base https://sourceforge.net/projects/rock64-.../118/Base/ 

Webmin https://rock64.rock.lan:10000/?dashboard

BASE http://rock64.rock.lan:10001/base_main.php

[stuartiannaylor]

Rock64-wall-snort-shorewall

Rock64 Base + Snort + Barnyard2 + Pulledpork + Basic Analysis and Security Engine (BASE) + Apache + Webmin + Shorewall

https://sourceforge.net/projects/rock64-...shorewall/

rock64-wall-snort-shorewall.img.zip https://sourceforge.net/projects/rock64-...p/download

Webmin https://rock64.rock.lan:10000/?dashboard

BASE http://rock64.rock.lan:10001/base_main.php

Just wasted loads of time trying to fix a barnyard2 problem. For some reason it takes 10 - 20 minutes to get going and then it catches up to current.
I haven't a clue and thought it was broke, so many hours wasted on that one.

If you are giving it a try post results and also the chipset of your USB ethernet adapter I have one that can only manage 5mbs!
I should have delivery of a Plugable USB 3.0 Gig ethernet with the AX88179 chipset that will at least do 600mbs!

Haven't been able to really stress test things and may have to scrap Snort for Suricata as Snort runs in a single thread whilst Suricata is multithreading.

The barnyard delay have just played havoc I will get round to installing openvpn but going to examine suricata and see how that stacks up once that Plugable adapter shows up.