mirror of
https://gitlab.com/shorewall/code.git
synced 2025-06-01 23:45:53 +02:00
Update three-interface guide for 5.0
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep
parent
749fdfa5af
commit
0a73d365dd
@ -148,8 +148,7 @@
|
|||||||
<title>Conventions</title>
|
<title>Conventions</title>
|
||||||
|
|
||||||
<para>Points at which configuration changes are recommended are flagged
|
<para>Points at which configuration changes are recommended are flagged
|
||||||
with <inlinegraphic fileref="images/BD21298_.gif"
|
with <inlinegraphic fileref="images/BD21298_.gif" format="GIF"/>.</para>
|
||||||
format="GIF" />.</para>
|
|
||||||
|
|
||||||
<para>Configuration notes that are unique to Debian and it's derivatives
|
<para>Configuration notes that are unique to Debian and it's derivatives
|
||||||
are marked with <inlinegraphic fileref="images/openlogo-nd-25.png"
|
are marked with <inlinegraphic fileref="images/openlogo-nd-25.png"
|
||||||
@ -248,8 +247,7 @@
|
|||||||
a set of zones. In the three-interface sample configuration, the following
|
a set of zones. In the three-interface sample configuration, the following
|
||||||
zone names are used:</para>
|
zone names are used:</para>
|
||||||
|
|
||||||
<para><programlisting>#ZONE TYPE OPTIONS IN OUT
|
<para><programlisting>#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
|
||||||
# OPTIONS OPTIONS
|
|
||||||
fw firewall
|
fw firewall
|
||||||
net ipv4
|
net ipv4
|
||||||
loc ipv4
|
loc ipv4
|
||||||
@ -305,7 +303,7 @@ dmz ipv4</programlisting>Zone names are defined in
|
|||||||
<para>The <filename>/etc/shorewall/policy</filename> file included with
|
<para>The <filename>/etc/shorewall/policy</filename> file included with
|
||||||
the three-interface sample has the following policies:</para>
|
the three-interface sample has the following policies:</para>
|
||||||
|
|
||||||
<programlisting>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
|
<programlisting>#SOURCE DEST POLICY LOGLEVEL LIMIT
|
||||||
loc net ACCEPT
|
loc net ACCEPT
|
||||||
net all DROP info
|
net all DROP info
|
||||||
all all REJECT info</programlisting>
|
all all REJECT info</programlisting>
|
||||||
@ -315,7 +313,7 @@ all all REJECT info</programlisting>
|
|||||||
commented out. If you want your firewall system to have full access to
|
commented out. If you want your firewall system to have full access to
|
||||||
servers on the Internet, uncomment that line.</para>
|
servers on the Internet, uncomment that line.</para>
|
||||||
|
|
||||||
<programlisting>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
|
<programlisting>#SOURCE DEST POLICY LOGLEVEL LIMIT
|
||||||
$FW net ACCEPT</programlisting>
|
$FW net ACCEPT</programlisting>
|
||||||
</important>
|
</important>
|
||||||
|
|
||||||
@ -351,7 +349,7 @@ $FW net ACCEPT</programlisting>
|
|||||||
local network from a security perspective. If you want to do this, add
|
local network from a security perspective. If you want to do this, add
|
||||||
these two policies:</para>
|
these two policies:</para>
|
||||||
|
|
||||||
<programlisting>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
|
<programlisting>#SOURCE DEST POLICY LOGLEVEL LIMIT
|
||||||
loc $FW ACCEPT
|
loc $FW ACCEPT
|
||||||
$FW loc ACCEPT</programlisting>
|
$FW loc ACCEPT</programlisting>
|
||||||
|
|
||||||
@ -801,7 +799,7 @@ root@lists:~# </programlisting>
|
|||||||
|
|
||||||
<para>The general form of a simple port forwarding rule in <filename
|
<para>The general form of a simple port forwarding rule in <filename
|
||||||
class="directory">/etc/shorewall/</filename><filename>rules</filename> is:
|
class="directory">/etc/shorewall/</filename><filename>rules</filename> is:
|
||||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||||
DNAT net dmz:<emphasis><server local IP address></emphasis>[:<emphasis><server port></emphasis>] <emphasis><protocol></emphasis> <emphasis><port></emphasis></programlisting>
|
DNAT net dmz:<emphasis><server local IP address></emphasis>[:<emphasis><server port></emphasis>] <emphasis><protocol></emphasis> <emphasis><port></emphasis></programlisting>
|
||||||
If you don't specify the <emphasis><varname><server
|
If you don't specify the <emphasis><varname><server
|
||||||
port></varname></emphasis>, it is assumed to be the same as
|
port></varname></emphasis>, it is assumed to be the same as
|
||||||
@ -816,7 +814,7 @@ DNAT net dmz:<emphasis><server local IP address></emphasis>[:<e
|
|||||||
<title>You run a Web Server on DMZ Computer 2 and you want to forward
|
<title>You run a Web Server on DMZ Computer 2 and you want to forward
|
||||||
incoming TCP port 80 to that system</title>
|
incoming TCP port 80 to that system</title>
|
||||||
|
|
||||||
<para><programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
<para><programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||||
Web(DNAT) net dmz:10.10.11.2
|
Web(DNAT) net dmz:10.10.11.2
|
||||||
Web(ACCEPT) loc dmz:10.10.11.2</programlisting><itemizedlist>
|
Web(ACCEPT) loc dmz:10.10.11.2</programlisting><itemizedlist>
|
||||||
<listitem>
|
<listitem>
|
||||||
@ -833,8 +831,7 @@ Web(ACCEPT) loc dmz:10.10.11.2</programlisting><itemizedlist>
|
|||||||
(<systemitem class="ipaddress">10.10.11.2</systemitem>) or you
|
(<systemitem class="ipaddress">10.10.11.2</systemitem>) or you
|
||||||
must use DNAT from the loc zone as well (see below).</para>
|
must use DNAT from the loc zone as well (see below).</para>
|
||||||
|
|
||||||
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
|
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
|
||||||
# PORT(S) PORT(S) DEST
|
|
||||||
Web(DNAT) loc dmz:10.10.11.2 - - - <replaceable>external-ip-address</replaceable></programlisting>
|
Web(DNAT) loc dmz:10.10.11.2 - - - <replaceable>external-ip-address</replaceable></programlisting>
|
||||||
|
|
||||||
<para>where <replaceable>external-ip-address</replaceable> is the
|
<para>where <replaceable>external-ip-address</replaceable> is the
|
||||||
@ -846,8 +843,7 @@ Web(DNAT) loc dmz:10.10.11.2 - - -
|
|||||||
you have problems connecting to your web server, try the following
|
you have problems connecting to your web server, try the following
|
||||||
rule and try connecting to port 5000 (e.g., connect to
|
rule and try connecting to port 5000 (e.g., connect to
|
||||||
<literal>http://w.x.y.z:5000 where w.x.y.z</literal> is your
|
<literal>http://w.x.y.z:5000 where w.x.y.z</literal> is your
|
||||||
external IP).<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE
|
external IP).<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
|
||||||
# PORT(S)
|
|
||||||
DNAT net dmz:10.10.11.2:80 tcp 5000</programlisting></para>
|
DNAT net dmz:10.10.11.2:80 tcp 5000</programlisting></para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
@ -855,8 +851,7 @@ DNAT net dmz:10.10.11.2:80 tcp 5000</programlisting></para>
|
|||||||
<para>If you want to be able to access your server from the local
|
<para>If you want to be able to access your server from the local
|
||||||
network using your external address, then if you have a static
|
network using your external address, then if you have a static
|
||||||
external IP you can replace the loc->dmz rule above
|
external IP you can replace the loc->dmz rule above
|
||||||
with:<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
|
with:<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
|
||||||
# PORT(S) DEST
|
|
||||||
DNAT loc dmz:10.10.11.2 tcp 80 - <emphasis><external IP></emphasis></programlisting>If
|
DNAT loc dmz:10.10.11.2 tcp 80 - <emphasis><external IP></emphasis></programlisting>If
|
||||||
you have a dynamic IP then you must ensure that your external
|
you have a dynamic IP then you must ensure that your external
|
||||||
interface is up before starting Shorewall and you must take steps
|
interface is up before starting Shorewall and you must take steps
|
||||||
@ -871,8 +866,7 @@ DNAT loc dmz:10.10.11.2 tcp 80 - <emphasis><
|
|||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Make your <literal>loc->dmz</literal> rule:
|
<para>Make your <literal>loc->dmz</literal> rule:
|
||||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
|
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
|
||||||
# PORT(S) DEST
|
|
||||||
DNAT loc dmz:10.10.11.2 tcp 80 - $ETH0_IP</programlisting></para>
|
DNAT loc dmz:10.10.11.2 tcp 80 - $ETH0_IP</programlisting></para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</orderedlist></para>
|
</orderedlist></para>
|
||||||
@ -942,10 +936,10 @@ DNAT loc dmz:10.10.11.2 tcp 80 - $ETH0_IP</pr
|
|||||||
<filename>/etc/shorewall/rules</filename>.</para>
|
<filename>/etc/shorewall/rules</filename>.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</itemizedlist> If you run the name server on the firewall:
|
</itemizedlist> If you run the name server on the firewall:
|
||||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||||
DNS(ACCEPT) loc $FW
|
DNS(ACCEPT) loc $FW
|
||||||
DNS(ACCEPT) dmz $FW </programlisting> Run name server on DMZ
|
DNS(ACCEPT) dmz $FW </programlisting> Run name server on DMZ
|
||||||
computer 1: <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
computer 1: <programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||||
DNS(ACCEPT) loc dmz:10.10.11.1
|
DNS(ACCEPT) loc dmz:10.10.11.1
|
||||||
DNS(ACCEPT) $FW dmz:10.10.11.1 </programlisting></para>
|
DNS(ACCEPT) $FW dmz:10.10.11.1 </programlisting></para>
|
||||||
|
|
||||||
@ -960,7 +954,7 @@ DNS(ACCEPT) $FW dmz:10.10.11.1 </programlisting></para>
|
|||||||
<filename>/etc/shorewall/rules</filename>. The first example above (name
|
<filename>/etc/shorewall/rules</filename>. The first example above (name
|
||||||
server on the firewall) could also have been coded as follows:</para>
|
server on the firewall) could also have been coded as follows:</para>
|
||||||
|
|
||||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||||
ACCEPT loc $FW tcp 53
|
ACCEPT loc $FW tcp 53
|
||||||
ACCEPT loc $FW udp 53
|
ACCEPT loc $FW udp 53
|
||||||
ACCEPT dmz $FW tcp 53
|
ACCEPT dmz $FW tcp 53
|
||||||
@ -983,24 +977,24 @@ ACCEPT dmz $FW udp 53 </programlist
|
|||||||
<title>Other Connections</title>
|
<title>Other Connections</title>
|
||||||
|
|
||||||
<para>The three-interface sample includes the following rule:
|
<para>The three-interface sample includes the following rule:
|
||||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||||
DNS(ACCEPT) $FW net </programlisting>That rule allow DNS access
|
DNS(ACCEPT) $FW net </programlisting>That rule allow DNS access
|
||||||
from your firewall and may be removed if you commented out the line in
|
from your firewall and may be removed if you commented out the line in
|
||||||
<filename>/etc/shorewall/policy</filename> allowing all connections from
|
<filename>/etc/shorewall/policy</filename> allowing all connections from
|
||||||
the firewall to the Internet.</para>
|
the firewall to the Internet.</para>
|
||||||
|
|
||||||
<para>The sample also includes: <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
<para>The sample also includes: <programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||||
SSH(ACCEPT) loc $FW
|
SSH(ACCEPT) loc $FW
|
||||||
SSH(ACCEPT) loc dmz </programlisting>Those rules allow you to run
|
SSH(ACCEPT) loc dmz </programlisting>Those rules allow you to run
|
||||||
an SSH server on your firewall and in each of your DMZ systems and to
|
an SSH server on your firewall and in each of your DMZ systems and to
|
||||||
connect to those servers from your local systems.</para>
|
connect to those servers from your local systems.</para>
|
||||||
|
|
||||||
<para>If you wish to enable other connections between your systems, the
|
<para>If you wish to enable other connections between your systems, the
|
||||||
general format for using a defined macro is: <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
general format for using a defined macro is: <programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||||
<<emphasis>macro</emphasis>>(ACCEPT) <emphasis><source zone> <destination zone></emphasis></programlisting></para>
|
<<emphasis>macro</emphasis>>(ACCEPT) <emphasis><source zone> <destination zone></emphasis></programlisting></para>
|
||||||
|
|
||||||
<para>The general format when not using a defined macro
|
<para>The general format when not using a defined macro
|
||||||
is:<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
is:<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||||
ACCEPT <emphasis><source zone> <destination zone> <protocol> <port> </emphasis></programlisting></para>
|
ACCEPT <emphasis><source zone> <destination zone> <protocol> <port> </emphasis></programlisting></para>
|
||||||
|
|
||||||
<example id="Example2">
|
<example id="Example2">
|
||||||
@ -1009,12 +1003,12 @@ ACCEPT <emphasis><source zone> <destination zone> <protocol&g
|
|||||||
|
|
||||||
<para>Using defined macros:</para>
|
<para>Using defined macros:</para>
|
||||||
|
|
||||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||||
DNS(ACCEPT) net $FW</programlisting>
|
DNS(ACCEPT) net $FW</programlisting>
|
||||||
|
|
||||||
<para>Not using defined macros:</para>
|
<para>Not using defined macros:</para>
|
||||||
|
|
||||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||||
ACCEPT net $FW tcp 53
|
ACCEPT net $FW tcp 53
|
||||||
ACCEPT net $FW udp 53 </programlisting>
|
ACCEPT net $FW udp 53 </programlisting>
|
||||||
|
|
||||||
@ -1028,13 +1022,13 @@ ACCEPT net $FW udp 53 </programlisting>
|
|||||||
<important>
|
<important>
|
||||||
<para>I don't recommend enabling telnet to/from the Internet because it
|
<para>I don't recommend enabling telnet to/from the Internet because it
|
||||||
uses clear text (even for login!). If you want shell access to your
|
uses clear text (even for login!). If you want shell access to your
|
||||||
firewall from the Internet, use SSH: <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
firewall from the Internet, use SSH: <programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||||
SSH(ACCEPT) net $FW</programlisting></para>
|
SSH(ACCEPT) net $FW</programlisting></para>
|
||||||
</important>
|
</important>
|
||||||
|
|
||||||
<para><inlinegraphic fileref="images/leaflogo.gif" format="GIF"/> Bering
|
<para><inlinegraphic fileref="images/leaflogo.gif" format="GIF"/> Bering
|
||||||
users will want to add the following two rules to be compatible with
|
users will want to add the following two rules to be compatible with
|
||||||
Jacques's Shorewall configuration: <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
Jacques's Shorewall configuration: <programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||||
ACCEPT loc $FW udp 53
|
ACCEPT loc $FW udp 53
|
||||||
ACCEPT net $FW tcp 80 </programlisting><itemizedlist>
|
ACCEPT net $FW tcp 80 </programlisting><itemizedlist>
|
||||||
<listitem>
|
<listitem>
|
||||||
@ -1138,7 +1132,7 @@ ACCEPT net $FW tcp 80 </programlisting><it
|
|||||||
(<ulink
|
(<ulink
|
||||||
url="manpages/shorewall-routestopped.html"><filename>/etc/shorewall/routestopped</filename></ulink>
|
url="manpages/shorewall-routestopped.html"><filename>/etc/shorewall/routestopped</filename></ulink>
|
||||||
on Shorewall 4.5.7 and earlier). A running firewall may be restarted using
|
on Shorewall 4.5.7 and earlier). A running firewall may be restarted using
|
||||||
the <command>shorewall restart</command> command. If you want to totally
|
the <command>shorewall reload</command> command. If you want to totally
|
||||||
remove any trace of Shorewall from your Netfilter configuration, use
|
remove any trace of Shorewall from your Netfilter configuration, use
|
||||||
<command>shorewall clear</command>.</para>
|
<command>shorewall clear</command>.</para>
|
||||||
|
|
||||||
@ -1168,7 +1162,7 @@ ACCEPT net $FW tcp 80 </programlisting><it
|
|||||||
</orderedlist>
|
</orderedlist>
|
||||||
|
|
||||||
<para>Also, I don't recommend using <quote><command>shorewall
|
<para>Also, I don't recommend using <quote><command>shorewall
|
||||||
restart</command></quote>; it is better to create an alternate
|
reload</command></quote>; it is better to create an alternate
|
||||||
configuration and test it using the <quote><command>shorewall
|
configuration and test it using the <quote><command>shorewall
|
||||||
try</command></quote> command.</para>
|
try</command></quote> command.</para>
|
||||||
</warning></para>
|
</warning></para>
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user