mirror of
https://gitlab.com/shorewall/code.git
synced 2025-02-23 05:01:34 +01:00
Update three-interface guide for 5.0
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
parent
749fdfa5af
commit
0a73d365dd
@ -90,7 +90,7 @@
|
|||||||
|
|
||||||
<mediaobject>
|
<mediaobject>
|
||||||
<imageobject>
|
<imageobject>
|
||||||
<imagedata align="center" fileref="images/dmz1.png" format="PNG" />
|
<imagedata align="center" fileref="images/dmz1.png" format="PNG"/>
|
||||||
</imageobject>
|
</imageobject>
|
||||||
</mediaobject>
|
</mediaobject>
|
||||||
</figure>
|
</figure>
|
||||||
@ -148,19 +148,18 @@
|
|||||||
<title>Conventions</title>
|
<title>Conventions</title>
|
||||||
|
|
||||||
<para>Points at which configuration changes are recommended are flagged
|
<para>Points at which configuration changes are recommended are flagged
|
||||||
with <inlinegraphic fileref="images/BD21298_.gif"
|
with <inlinegraphic fileref="images/BD21298_.gif" format="GIF"/>.</para>
|
||||||
format="GIF" />.</para>
|
|
||||||
|
|
||||||
<para>Configuration notes that are unique to Debian and it's derivatives
|
<para>Configuration notes that are unique to Debian and it's derivatives
|
||||||
are marked with <inlinegraphic fileref="images/openlogo-nd-25.png"
|
are marked with <inlinegraphic fileref="images/openlogo-nd-25.png"
|
||||||
format="GIF" />.</para>
|
format="GIF"/>.</para>
|
||||||
</section>
|
</section>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section id="PPTP">
|
<section id="PPTP">
|
||||||
<title>PPTP/ADSL</title>
|
<title>PPTP/ADSL</title>
|
||||||
|
|
||||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
|
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
|
||||||
|
|
||||||
<para>If you have an ADSL Modem and you use PPTP to communicate with a
|
<para>If you have an ADSL Modem and you use PPTP to communicate with a
|
||||||
server in that modem, you must make the <ulink
|
server in that modem, you must make the <ulink
|
||||||
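Review bot: two pre-existing defects sit in lines this hunk already rewrites, so fix them here rather than in a later pass: "Debian and it's derivatives" should read "its derivatives", and the Debian marker `<inlinegraphic fileref="images/openlogo-nd-25.png" format="GIF"/>` declares `format="GIF"` for a `.png` file, which should be `format="PNG"` (the `BD21298_.gif` marker two lines above is correctly tagged GIF).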
@ -176,7 +175,7 @@
|
|||||||
<filename>/etc/shorewall</filename> -- for simple setups, you will only
|
<filename>/etc/shorewall</filename> -- for simple setups, you will only
|
||||||
need to deal with a few of these as described in this guide.</para>
|
need to deal with a few of these as described in this guide.</para>
|
||||||
|
|
||||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
|
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
|
||||||
|
|
||||||
<para>After you have installed Shorewall, locate the three-interface
|
<para>After you have installed Shorewall, locate the three-interface
|
||||||
Sample configuration:</para>
|
Sample configuration:</para>
|
||||||
@ -210,7 +209,7 @@
|
|||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para><graphic align="left" fileref="images/openlogo-nd-25.png" />If
|
<para><graphic align="left" fileref="images/openlogo-nd-25.png"/>If
|
||||||
you installed using a Shorewall 4.x .deb, the samples are in <emphasis
|
you installed using a Shorewall 4.x .deb, the samples are in <emphasis
|
||||||
role="bold"><filename
|
role="bold"><filename
|
||||||
class="directory">/usr/share/doc/shorewall/examples/three-interfaces</filename></emphasis>.
|
class="directory">/usr/share/doc/shorewall/examples/three-interfaces</filename></emphasis>.
|
||||||
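Review bot: the Debian list item still says "If you installed using a Shorewall 4.x .deb" although the commit message says this is the 5.0 update of the guide; either generalise the wording or change the version, otherwise a 5.0 reader will assume the `/usr/share/doc/shorewall/examples/three-interfaces` path does not apply to their package.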
@ -248,8 +247,7 @@
|
|||||||
a set of zones. In the three-interface sample configuration, the following
|
a set of zones. In the three-interface sample configuration, the following
|
||||||
zone names are used:</para>
|
zone names are used:</para>
|
||||||
|
|
||||||
<para><programlisting>#ZONE TYPE OPTIONS IN OUT
|
<para><programlisting>#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
|
||||||
# OPTIONS OPTIONS
|
|
||||||
fw firewall
|
fw firewall
|
||||||
net ipv4
|
net ipv4
|
||||||
loc ipv4
|
loc ipv4
|
||||||
@ -305,7 +303,7 @@ dmz ipv4</programlisting>Zone names are defined in
|
|||||||
<para>The <filename>/etc/shorewall/policy</filename> file included with
|
<para>The <filename>/etc/shorewall/policy</filename> file included with
|
||||||
the three-interface sample has the following policies:</para>
|
the three-interface sample has the following policies:</para>
|
||||||
|
|
||||||
<programlisting>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
|
<programlisting>#SOURCE DEST POLICY LOGLEVEL LIMIT
|
||||||
loc net ACCEPT
|
loc net ACCEPT
|
||||||
net all DROP info
|
net all DROP info
|
||||||
all all REJECT info</programlisting>
|
all all REJECT info</programlisting>
|
||||||
@ -315,7 +313,7 @@ all all REJECT info</programlisting>
|
|||||||
commented out. If you want your firewall system to have full access to
|
commented out. If you want your firewall system to have full access to
|
||||||
servers on the Internet, uncomment that line.</para>
|
servers on the Internet, uncomment that line.</para>
|
||||||
|
|
||||||
<programlisting>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
|
<programlisting>#SOURCE DEST POLICY LOGLEVEL LIMIT
|
||||||
$FW net ACCEPT</programlisting>
|
$FW net ACCEPT</programlisting>
|
||||||
</important>
|
</important>
|
||||||
|
|
||||||
@ -351,7 +349,7 @@ $FW net ACCEPT</programlisting>
|
|||||||
local network from a security perspective. If you want to do this, add
|
local network from a security perspective. If you want to do this, add
|
||||||
these two policies:</para>
|
these two policies:</para>
|
||||||
|
|
||||||
<programlisting>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
|
<programlisting>#SOURCE DEST POLICY LOGLEVEL LIMIT
|
||||||
loc $FW ACCEPT
|
loc $FW ACCEPT
|
||||||
$FW loc ACCEPT</programlisting>
|
$FW loc ACCEPT</programlisting>
|
||||||
|
|
||||||
@ -363,7 +361,7 @@ $FW loc ACCEPT</programlisting>
|
|||||||
<emphasis>net</emphasis> zone even though connections are not allowed from
|
<emphasis>net</emphasis> zone even though connections are not allowed from
|
||||||
the <emphasis>loc</emphasis> zone to the firewall itself.</para>
|
the <emphasis>loc</emphasis> zone to the firewall itself.</para>
|
||||||
|
|
||||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
|
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
|
||||||
|
|
||||||
<para>At this point, edit your <filename>/etc/shorewall/policy</filename>
|
<para>At this point, edit your <filename>/etc/shorewall/policy</filename>
|
||||||
file and make any changes that you wish.</para>
|
file and make any changes that you wish.</para>
|
||||||
@ -377,7 +375,7 @@ $FW loc ACCEPT</programlisting>
|
|||||||
|
|
||||||
<mediaobject>
|
<mediaobject>
|
||||||
<imageobject>
|
<imageobject>
|
||||||
<imagedata align="center" fileref="images/dmz1.png" format="PNG" />
|
<imagedata align="center" fileref="images/dmz1.png" format="PNG"/>
|
||||||
</imageobject>
|
</imageobject>
|
||||||
</mediaobject>
|
</mediaobject>
|
||||||
</figure>
|
</figure>
|
||||||
@ -421,7 +419,7 @@ root@lists:~# </programlisting>
|
|||||||
the external interface.</para>
|
the external interface.</para>
|
||||||
</caution>
|
</caution>
|
||||||
|
|
||||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
|
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
|
||||||
|
|
||||||
<para>I<emphasis role="bold">f your external interface is <filename
|
<para>I<emphasis role="bold">f your external interface is <filename
|
||||||
class="devicefile">ppp0</filename> or <filename
|
class="devicefile">ppp0</filename> or <filename
|
||||||
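Review bot: the context line `<para>I<emphasis role="bold">f your external interface is <filename` splits the word "If" across the emphasis boundary, so only "f your external interface ..." renders in bold; move the "I" inside the element so it reads `<para><emphasis role="bold">If your external interface is <filename`.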
@ -463,7 +461,7 @@ root@lists:~# </programlisting>
|
|||||||
exactly one default route via your ISP's Router.</para>
|
exactly one default route via your ISP's Router.</para>
|
||||||
</caution>
|
</caution>
|
||||||
|
|
||||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
|
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
|
||||||
|
|
||||||
<para>The Shorewall three-interface sample configuration assumes that the
|
<para>The Shorewall three-interface sample configuration assumes that the
|
||||||
external interface is <filename class="devicefile">eth0</filename>, the
|
external interface is <filename class="devicefile">eth0</filename>, the
|
||||||
@ -528,7 +526,7 @@ root@lists:~# </programlisting>
|
|||||||
<title>Example sub-network</title>
|
<title>Example sub-network</title>
|
||||||
|
|
||||||
<tgroup cols="2">
|
<tgroup cols="2">
|
||||||
<colspec align="left" />
|
<colspec align="left"/>
|
||||||
|
|
||||||
<tbody>
|
<tbody>
|
||||||
<row>
|
<row>
|
||||||
@ -573,7 +571,7 @@ root@lists:~# </programlisting>
|
|||||||
directly. To communicate with systems outside of the subnetwork, systems
|
directly. To communicate with systems outside of the subnetwork, systems
|
||||||
send packets through a gateway (router).</para>
|
send packets through a gateway (router).</para>
|
||||||
|
|
||||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
|
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
|
||||||
|
|
||||||
<para>Your local computers (Local Computers 1 & 2) should be
|
<para>Your local computers (Local Computers 1 & 2) should be
|
||||||
configured with their default gateway set to the IP address of the
|
configured with their default gateway set to the IP address of the
|
||||||
@ -596,7 +594,7 @@ root@lists:~# </programlisting>
|
|||||||
|
|
||||||
<mediaobject>
|
<mediaobject>
|
||||||
<imageobject>
|
<imageobject>
|
||||||
<imagedata fileref="images/dmz2.png" />
|
<imagedata fileref="images/dmz2.png"/>
|
||||||
</imageobject>
|
</imageobject>
|
||||||
|
|
||||||
<caption><para>The default gateway for the DMZ computers would be
|
<caption><para>The default gateway for the DMZ computers would be
|
||||||
@ -652,7 +650,7 @@ root@lists:~# </programlisting>
|
|||||||
class="directory">/etc/shorewall/</filename><filename>masq</filename>
|
class="directory">/etc/shorewall/</filename><filename>masq</filename>
|
||||||
file.</para>
|
file.</para>
|
||||||
|
|
||||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
|
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
|
||||||
|
|
||||||
<para>If your external firewall interface is <filename
|
<para>If your external firewall interface is <filename
|
||||||
class="devicefile">eth0</filename> then you do not need to modify the file
|
class="devicefile">eth0</filename> then you do not need to modify the file
|
||||||
@ -665,7 +663,7 @@ root@lists:~# </programlisting>
|
|||||||
modify the SOURCE column to list just your local interface (10.10.10.0/24
|
modify the SOURCE column to list just your local interface (10.10.10.0/24
|
||||||
in the above example).</para>
|
in the above example).</para>
|
||||||
|
|
||||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
|
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
|
||||||
|
|
||||||
<para>If your external IP is static, you can enter it in the third column
|
<para>If your external IP is static, you can enter it in the third column
|
||||||
in the <filename
|
in the <filename
|
||||||
@ -673,7 +671,7 @@ root@lists:~# </programlisting>
|
|||||||
entry if you like although your firewall will work fine if you leave that
|
entry if you like although your firewall will work fine if you leave that
|
||||||
column empty. Entering your static IP in column 3 makes processing
|
column empty. Entering your static IP in column 3 makes processing
|
||||||
outgoing packets a little more efficient.<graphic align="left"
|
outgoing packets a little more efficient.<graphic align="left"
|
||||||
fileref="images/openlogo-nd-25.png" /></para>
|
fileref="images/openlogo-nd-25.png"/></para>
|
||||||
|
|
||||||
<para><emphasis role="bold">If you are using the Debian package, please
|
<para><emphasis role="bold">If you are using the Debian package, please
|
||||||
check your <filename>shorewall.conf</filename> file to ensure that the
|
check your <filename>shorewall.conf</filename> file to ensure that the
|
||||||
@ -736,7 +734,7 @@ root@lists:~# </programlisting>
|
|||||||
</listitem>
|
</listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
|
|
||||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
|
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
|
||||||
|
|
||||||
<para>If you are running a distribution that logs netfilter messages to a
|
<para>If you are running a distribution that logs netfilter messages to a
|
||||||
log other than <filename>/var/log/messages</filename>, then modify the
|
log other than <filename>/var/log/messages</filename>, then modify the
|
||||||
@ -776,7 +774,7 @@ root@lists:~# </programlisting>
|
|||||||
<filename>/usr/share/shorewall/modules</filename> then copy the file to
|
<filename>/usr/share/shorewall/modules</filename> then copy the file to
|
||||||
<filename>/etc/shorewall</filename> and modify the copy.</para>
|
<filename>/etc/shorewall</filename> and modify the copy.</para>
|
||||||
|
|
||||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
|
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
|
||||||
|
|
||||||
<para>Modify the setting of LOAD_HELPER_ONLY as necessary.</para>
|
<para>Modify the setting of LOAD_HELPER_ONLY as necessary.</para>
|
||||||
</section>
|
</section>
|
||||||
@ -801,7 +799,7 @@ root@lists:~# </programlisting>
|
|||||||
|
|
||||||
<para>The general form of a simple port forwarding rule in <filename
|
<para>The general form of a simple port forwarding rule in <filename
|
||||||
class="directory">/etc/shorewall/</filename><filename>rules</filename> is:
|
class="directory">/etc/shorewall/</filename><filename>rules</filename> is:
|
||||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||||
DNAT net dmz:<emphasis><server local IP address></emphasis>[:<emphasis><server port></emphasis>] <emphasis><protocol></emphasis> <emphasis><port></emphasis></programlisting>
|
DNAT net dmz:<emphasis><server local IP address></emphasis>[:<emphasis><server port></emphasis>] <emphasis><protocol></emphasis> <emphasis><port></emphasis></programlisting>
|
||||||
If you don't specify the <emphasis><varname><server
|
If you don't specify the <emphasis><varname><server
|
||||||
port></varname></emphasis>, it is assumed to be the same as
|
port></varname></emphasis>, it is assumed to be the same as
|
||||||
@ -816,7 +814,7 @@ DNAT net dmz:<emphasis><server local IP address></emphasis>[:<e
|
|||||||
<title>You run a Web Server on DMZ Computer 2 and you want to forward
|
<title>You run a Web Server on DMZ Computer 2 and you want to forward
|
||||||
incoming TCP port 80 to that system</title>
|
incoming TCP port 80 to that system</title>
|
||||||
|
|
||||||
<para><programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
<para><programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||||
Web(DNAT) net dmz:10.10.11.2
|
Web(DNAT) net dmz:10.10.11.2
|
||||||
Web(ACCEPT) loc dmz:10.10.11.2</programlisting><itemizedlist>
|
Web(ACCEPT) loc dmz:10.10.11.2</programlisting><itemizedlist>
|
||||||
<listitem>
|
<listitem>
|
||||||
@ -833,8 +831,7 @@ Web(ACCEPT) loc dmz:10.10.11.2</programlisting><itemizedlist>
|
|||||||
(<systemitem class="ipaddress">10.10.11.2</systemitem>) or you
|
(<systemitem class="ipaddress">10.10.11.2</systemitem>) or you
|
||||||
must use DNAT from the loc zone as well (see below).</para>
|
must use DNAT from the loc zone as well (see below).</para>
|
||||||
|
|
||||||
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
|
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
|
||||||
# PORT(S) PORT(S) DEST
|
|
||||||
Web(DNAT) loc dmz:10.10.11.2 - - - <replaceable>external-ip-address</replaceable></programlisting>
|
Web(DNAT) loc dmz:10.10.11.2 - - - <replaceable>external-ip-address</replaceable></programlisting>
|
||||||
|
|
||||||
<para>where <replaceable>external-ip-address</replaceable> is the
|
<para>where <replaceable>external-ip-address</replaceable> is the
|
||||||
@ -846,8 +843,7 @@ Web(DNAT) loc dmz:10.10.11.2 - - -
|
|||||||
you have problems connecting to your web server, try the following
|
you have problems connecting to your web server, try the following
|
||||||
rule and try connecting to port 5000 (e.g., connect to
|
rule and try connecting to port 5000 (e.g., connect to
|
||||||
<literal>http://w.x.y.z:5000 where w.x.y.z</literal> is your
|
<literal>http://w.x.y.z:5000 where w.x.y.z</literal> is your
|
||||||
external IP).<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE
|
external IP).<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
|
||||||
# PORT(S)
|
|
||||||
DNAT net dmz:10.10.11.2:80 tcp 5000</programlisting></para>
|
DNAT net dmz:10.10.11.2:80 tcp 5000</programlisting></para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
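Review bot: in the touched paragraph, `<literal>http://w.x.y.z:5000 where w.x.y.z</literal>` wraps the prose "where w.x.y.z" inside the literal element; close it after `:5000` and put a separate `<literal>` around just `w.x.y.z`. A minor point on the new header: it names SPORT and ORIGDEST columns that the single `DNAT net dmz:10.10.11.2:80 tcp 5000` rule never fills, so `#ACTION SOURCE DEST PROTO DPORT` would match the listing better, as the other single-rule examples in this commit do.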
@ -855,8 +851,7 @@ DNAT net dmz:10.10.11.2:80 tcp 5000</programlisting></para>
|
|||||||
<para>If you want to be able to access your server from the local
|
<para>If you want to be able to access your server from the local
|
||||||
network using your external address, then if you have a static
|
network using your external address, then if you have a static
|
||||||
external IP you can replace the loc->dmz rule above
|
external IP you can replace the loc->dmz rule above
|
||||||
with:<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
|
with:<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
|
||||||
# PORT(S) DEST
|
|
||||||
DNAT loc dmz:10.10.11.2 tcp 80 - <emphasis><external IP></emphasis></programlisting>If
|
DNAT loc dmz:10.10.11.2 tcp 80 - <emphasis><external IP></emphasis></programlisting>If
|
||||||
you have a dynamic IP then you must ensure that your external
|
you have a dynamic IP then you must ensure that your external
|
||||||
interface is up before starting Shorewall and you must take steps
|
interface is up before starting Shorewall and you must take steps
|
||||||
@ -871,8 +866,7 @@ DNAT loc dmz:10.10.11.2 tcp 80 - <emphasis><
|
|||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Make your <literal>loc->dmz</literal> rule:
|
<para>Make your <literal>loc->dmz</literal> rule:
|
||||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
|
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
|
||||||
# PORT(S) DEST
|
|
||||||
DNAT loc dmz:10.10.11.2 tcp 80 - $ETH0_IP</programlisting></para>
|
DNAT loc dmz:10.10.11.2 tcp 80 - $ETH0_IP</programlisting></para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</orderedlist></para>
|
</orderedlist></para>
|
||||||
@ -886,7 +880,7 @@ DNAT loc dmz:10.10.11.2 tcp 80 - $ETH0_IP</pr
|
|||||||
</itemizedlist></para>
|
</itemizedlist></para>
|
||||||
</example>
|
</example>
|
||||||
|
|
||||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
|
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
|
||||||
|
|
||||||
<para>At this point, add the DNAT and ACCEPT rules for your
|
<para>At this point, add the DNAT and ACCEPT rules for your
|
||||||
servers.</para>
|
servers.</para>
|
||||||
@ -924,7 +918,7 @@ DNAT loc dmz:10.10.11.2 tcp 80 - $ETH0_IP</pr
|
|||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para><inlinegraphic fileref="images/BD21298_.gif"
|
<para><inlinegraphic fileref="images/BD21298_.gif"
|
||||||
format="GIF" /></para>
|
format="GIF"/></para>
|
||||||
|
|
||||||
<para>You can configure a <emphasis>Caching Name Server</emphasis>
|
<para>You can configure a <emphasis>Caching Name Server</emphasis>
|
||||||
on your firewall or in your DMZ. <trademark>Red Hat</trademark> has
|
on your firewall or in your DMZ. <trademark>Red Hat</trademark> has
|
||||||
@ -942,10 +936,10 @@ DNAT loc dmz:10.10.11.2 tcp 80 - $ETH0_IP</pr
|
|||||||
<filename>/etc/shorewall/rules</filename>.</para>
|
<filename>/etc/shorewall/rules</filename>.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</itemizedlist> If you run the name server on the firewall:
|
</itemizedlist> If you run the name server on the firewall:
|
||||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||||
DNS(ACCEPT) loc $FW
|
DNS(ACCEPT) loc $FW
|
||||||
DNS(ACCEPT) dmz $FW </programlisting> Run name server on DMZ
|
DNS(ACCEPT) dmz $FW </programlisting> Run name server on DMZ
|
||||||
computer 1: <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
computer 1: <programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||||
DNS(ACCEPT) loc dmz:10.10.11.1
|
DNS(ACCEPT) loc dmz:10.10.11.1
|
||||||
DNS(ACCEPT) $FW dmz:10.10.11.1 </programlisting></para>
|
DNS(ACCEPT) $FW dmz:10.10.11.1 </programlisting></para>
|
||||||
|
|
||||||
@ -960,7 +954,7 @@ DNS(ACCEPT) $FW dmz:10.10.11.1 </programlisting></para>
|
|||||||
<filename>/etc/shorewall/rules</filename>. The first example above (name
|
<filename>/etc/shorewall/rules</filename>. The first example above (name
|
||||||
server on the firewall) could also have been coded as follows:</para>
|
server on the firewall) could also have been coded as follows:</para>
|
||||||
|
|
||||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||||
ACCEPT loc $FW tcp 53
|
ACCEPT loc $FW tcp 53
|
||||||
ACCEPT loc $FW udp 53
|
ACCEPT loc $FW udp 53
|
||||||
ACCEPT dmz $FW tcp 53
|
ACCEPT dmz $FW tcp 53
|
||||||
@ -983,24 +977,24 @@ ACCEPT dmz $FW udp 53 </programlist
|
|||||||
<title>Other Connections</title>
|
<title>Other Connections</title>
|
||||||
|
|
||||||
<para>The three-interface sample includes the following rule:
|
<para>The three-interface sample includes the following rule:
|
||||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||||
DNS(ACCEPT) $FW net </programlisting>That rule allow DNS access
|
DNS(ACCEPT) $FW net </programlisting>That rule allow DNS access
|
||||||
from your firewall and may be removed if you commented out the line in
|
from your firewall and may be removed if you commented out the line in
|
||||||
<filename>/etc/shorewall/policy</filename> allowing all connections from
|
<filename>/etc/shorewall/policy</filename> allowing all connections from
|
||||||
the firewall to the Internet.</para>
|
the firewall to the Internet.</para>
|
||||||
|
|
||||||
<para>The sample also includes: <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
<para>The sample also includes: <programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||||
SSH(ACCEPT) loc $FW
|
SSH(ACCEPT) loc $FW
|
||||||
SSH(ACCEPT) loc dmz </programlisting>Those rules allow you to run
|
SSH(ACCEPT) loc dmz </programlisting>Those rules allow you to run
|
||||||
an SSH server on your firewall and in each of your DMZ systems and to
|
an SSH server on your firewall and in each of your DMZ systems and to
|
||||||
connect to those servers from your local systems.</para>
|
connect to those servers from your local systems.</para>
|
||||||
|
|
||||||
<para>If you wish to enable other connections between your systems, the
|
<para>If you wish to enable other connections between your systems, the
|
||||||
general format for using a defined macro is: <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
general format for using a defined macro is: <programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||||
<<emphasis>macro</emphasis>>(ACCEPT) <emphasis><source zone> <destination zone></emphasis></programlisting></para>
|
<<emphasis>macro</emphasis>>(ACCEPT) <emphasis><source zone> <destination zone></emphasis></programlisting></para>
|
||||||
|
|
||||||
<para>The general format when not using a defined macro
|
<para>The general format when not using a defined macro
|
||||||
is:<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
is:<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||||
ACCEPT <emphasis><source zone> <destination zone> <protocol> <port> </emphasis></programlisting></para>
|
ACCEPT <emphasis><source zone> <destination zone> <protocol> <port> </emphasis></programlisting></para>
|
||||||
|
|
||||||
<example id="Example2">
|
<example id="Example2">
|
||||||
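Review bot: the context sentence following the first listing reads "That rule allow DNS access from your firewall"; it should be "That rule allows", and since the surrounding lines are already in this hunk the fix belongs here.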
@ -1009,12 +1003,12 @@ ACCEPT <emphasis><source zone> <destination zone> <protocol&g
|
|||||||
|
|
||||||
<para>Using defined macros:</para>
|
<para>Using defined macros:</para>
|
||||||
|
|
||||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||||
DNS(ACCEPT) net $FW</programlisting>
|
DNS(ACCEPT) net $FW</programlisting>
|
||||||
|
|
||||||
<para>Not using defined macros:</para>
|
<para>Not using defined macros:</para>
|
||||||
|
|
||||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||||
ACCEPT net $FW tcp 53
|
ACCEPT net $FW tcp 53
|
||||||
ACCEPT net $FW udp 53 </programlisting>
|
ACCEPT net $FW udp 53 </programlisting>
|
||||||
|
|
||||||
@ -1028,13 +1022,13 @@ ACCEPT net $FW udp 53 </programlisting>
|
|||||||
<important>
|
<important>
|
||||||
<para>I don't recommend enabling telnet to/from the Internet because it
|
<para>I don't recommend enabling telnet to/from the Internet because it
|
||||||
uses clear text (even for login!). If you want shell access to your
|
uses clear text (even for login!). If you want shell access to your
|
||||||
firewall from the Internet, use SSH: <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
firewall from the Internet, use SSH: <programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||||
SSH(ACCEPT) net $FW</programlisting></para>
|
SSH(ACCEPT) net $FW</programlisting></para>
|
||||||
</important>
|
</important>
|
||||||
|
|
||||||
<para><inlinegraphic fileref="images/leaflogo.gif" format="GIF" /> Bering
|
<para><inlinegraphic fileref="images/leaflogo.gif" format="GIF"/> Bering
|
||||||
users will want to add the following two rules to be compatible with
|
users will want to add the following two rules to be compatible with
|
||||||
Jacques's Shorewall configuration: <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
Jacques's Shorewall configuration: <programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||||
ACCEPT loc $FW udp 53
|
ACCEPT loc $FW udp 53
|
||||||
ACCEPT net $FW tcp 80 </programlisting><itemizedlist>
|
ACCEPT net $FW tcp 80 </programlisting><itemizedlist>
|
||||||
<listitem>
|
<listitem>
|
||||||
@ -1045,7 +1039,7 @@ ACCEPT net $FW tcp 80 </programlisting><it
|
|||||||
<para>Entry 2 allows the <quote>weblet</quote> to work.</para>
|
<para>Entry 2 allows the <quote>weblet</quote> to work.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</itemizedlist><inlinegraphic fileref="images/BD21298_.gif"
|
</itemizedlist><inlinegraphic fileref="images/BD21298_.gif"
|
||||||
format="GIF" /></para>
|
format="GIF"/></para>
|
||||||
|
|
||||||
<para>Now modify <filename>/etc/shorewall/rules</filename> to add or
|
<para>Now modify <filename>/etc/shorewall/rules</filename> to add or
|
||||||
remove other connections as required.</para>
|
remove other connections as required.</para>
|
||||||
@ -1110,7 +1104,7 @@ ACCEPT net $FW tcp 80 </programlisting><it
|
|||||||
<section id="Starting">
|
<section id="Starting">
|
||||||
<title>Starting and Stopping Your Firewall</title>
|
<title>Starting and Stopping Your Firewall</title>
|
||||||
|
|
||||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
|
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
|
||||||
|
|
||||||
<para>The <ulink url="Install.htm">installation procedure</ulink>
|
<para>The <ulink url="Install.htm">installation procedure</ulink>
|
||||||
configures your system to start Shorewall at system boot but startup is
|
configures your system to start Shorewall at system boot but startup is
|
||||||
@ -1119,7 +1113,7 @@ ACCEPT net $FW tcp 80 </programlisting><it
|
|||||||
firewall, you can enable Shorewall startup by editing
|
firewall, you can enable Shorewall startup by editing
|
||||||
<filename>/etc/shorewall/shorewall.conf</filename> and setting
|
<filename>/etc/shorewall/shorewall.conf</filename> and setting
|
||||||
STARTUP_ENABLED=Yes.<graphic align="left"
|
STARTUP_ENABLED=Yes.<graphic align="left"
|
||||||
fileref="images/openlogo-nd-25.png" /><important>
|
fileref="images/openlogo-nd-25.png"/><important>
|
||||||
<para>Users of the <filename>.deb</filename> package must edit
|
<para>Users of the <filename>.deb</filename> package must edit
|
||||||
<filename>/etc/default/shorewall</filename> and set
|
<filename>/etc/default/shorewall</filename> and set
|
||||||
<varname>startup=1</varname>.</para>
|
<varname>startup=1</varname>.</para>
|
||||||
@ -1138,11 +1132,11 @@ ACCEPT net $FW tcp 80 </programlisting><it
|
|||||||
(<ulink
|
(<ulink
|
||||||
url="manpages/shorewall-routestopped.html"><filename>/etc/shorewall/routestopped</filename></ulink>
|
url="manpages/shorewall-routestopped.html"><filename>/etc/shorewall/routestopped</filename></ulink>
|
||||||
on Shorewall 4.5.7 and earlier). A running firewall may be restarted using
|
on Shorewall 4.5.7 and earlier). A running firewall may be restarted using
|
||||||
the <command>shorewall restart</command> command. If you want to totally
|
the <command>shorewall reload</command> command. If you want to totally
|
||||||
remove any trace of Shorewall from your Netfilter configuration, use
|
remove any trace of Shorewall from your Netfilter configuration, use
|
||||||
<command>shorewall clear</command>.</para>
|
<command>shorewall clear</command>.</para>
|
||||||
|
|
||||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
|
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
|
||||||
|
|
||||||
<para>The three-interface sample assumes that you want to enable routing
|
<para>The three-interface sample assumes that you want to enable routing
|
||||||
to/from <filename class="devicefile">eth1</filename> (your local network)
|
to/from <filename class="devicefile">eth1</filename> (your local network)
|
||||||
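Review bot: after the s/restart/reload/ change the sentence reads "A running firewall may be restarted using the `shorewall reload` command", which mixes the two verbs and obscures the very distinction the edit is making; say "may be reloaded using the `shorewall reload` command", and, given that the same sentence already keeps a "(... on Shorewall 4.5.7 and earlier)" aside for routestopped, consider a parallel note that the command was `shorewall restart` before 5.0 so readers of older releases are not misled.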
@ -1168,7 +1162,7 @@ ACCEPT net $FW tcp 80 </programlisting><it
|
|||||||
</orderedlist>
|
</orderedlist>
|
||||||
|
|
||||||
<para>Also, I don't recommend using <quote><command>shorewall
|
<para>Also, I don't recommend using <quote><command>shorewall
|
||||||
restart</command></quote>; it is better to create an alternate
|
reload</command></quote>; it is better to create an alternate
|
||||||
configuration and test it using the <quote><command>shorewall
|
configuration and test it using the <quote><command>shorewall
|
||||||
try</command></quote> command.</para>
|
try</command></quote> command.</para>
|
||||||
</warning></para>
|
</warning></para>
|
||||||
@ -1239,7 +1233,7 @@ ACCEPT net $FW tcp 80 </programlisting><it
|
|||||||
|
|
||||||
<programlisting><command>systemctl disable iptables.service</command></programlisting>
|
<programlisting><command>systemctl disable iptables.service</command></programlisting>
|
||||||
|
|
||||||
<para><inlinegraphic fileref="images/BD21298_.gif" /></para>
|
<para><inlinegraphic fileref="images/BD21298_.gif"/></para>
|
||||||
|
|
||||||
<para>At this point, disable your existing firewall service.</para>
|
<para>At this point, disable your existing firewall service.</para>
|
||||||
</section>
|
</section>
|
||||||
|
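Review bot: this `<inlinegraphic fileref="images/BD21298_.gif"/>` is the only marker touched in the commit that carries no `format="GIF"` attribute; add it for consistency with every other `BD21298_.gif` occurrence rewritten above.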