extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2024-11-22 07:33:43 +01:00
Code Issues Packages Projects Releases Wiki Activity

More updates to MyNetwork

Browse Source
This commit is contained in:
Tom Eastep 2009-08-01 07:56:31 -07:00
parent 70dfdb517e
commit 4cd41a81f7
1 changed files with 39 additions and 23 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

62
docs/MyNetwork.xml
View File

@ -165,7 +165,7 @@
show correct usage, they don't necessarily provide any useful benefit. I show correct usage, they don't necessarily provide any useful benefit. I
have tried to point those out in the sub-sections that follow.</para> have tried to point those out in the sub-sections that follow.</para>
<section> <section id="params">
<title>/etc/shorewall/params</title> <title>/etc/shorewall/params</title>
<para><programlisting>MIRRORS=62.216.169.37,\ <para><programlisting>MIRRORS=62.216.169.37,\
@ -186,7 +186,7 @@ VPS_IF=venet0</programlisting>As shown, this file defines variables to hold
and the network interfaces.</para> and the network interfaces.</para>
</section> </section>
<section> <section id="conf">
<title>/etc/shorewall/shorewall.conf</title> <title>/etc/shorewall/shorewall.conf</title>
<para><programlisting>############################################################################### <para><programlisting>###############################################################################
@ -300,7 +300,7 @@ TCP_FLAGS_DISPOSITION=DROP
there</para> there</para>
</section> </section>
<section> <section id="zones">
<title>/etc/shorewall/zones</title> <title>/etc/shorewall/zones</title>
<para><programlisting>fw firewall <para><programlisting>fw firewall
@ -318,7 +318,7 @@ drct:loc ipv4 #Direct internet access</programlisting>The
registration) don't work through the proxy.</para> registration) don't work through the proxy.</para>
</section> </section>
<section> <section id="interfaces">
<title>/etc/shorewall/interfaces</title> <title>/etc/shorewall/interfaces</title>
<para><programlisting>#ZONE INTERFACE BROADCAST OPTIONS <para><programlisting>#ZONE INTERFACE BROADCAST OPTIONS
@ -328,9 +328,24 @@ net $EXT_IF detect dhcp,blacklist,tcpflags,optional,routefilter=0,nosmu
net $COM_IF detect dhcp,blacklist,tcpflags,optional,upnp,routefilter=0,nosmurfs,logmartians=0 net $COM_IF detect dhcp,blacklist,tcpflags,optional,upnp,routefilter=0,nosmurfs,logmartians=0
loc tun+ detect</programlisting>Notice that VPN clients are treated loc tun+ detect</programlisting>Notice that VPN clients are treated
the same as local hosts.</para> the same as local hosts.</para>
<para>I set the <emphasis role="bold">proxyarp</emphasis> option on
$EXT_IF so that </para>
<orderedlist numeration="loweralpha">
<listitem>
<para>The firewall will respond to ARP who-has requests for the
servers in the DMZ.</para>
</listitem>
<listitem>
<para>To keep OpenVZ happy (it issues dire warnings if the option is
not set on the associated external interface).</para>
</listitem>
</orderedlist>
</section> </section>
<section> <section id="hosts">
<title>/etc/shorewall/hosts</title> <title>/etc/shorewall/hosts</title>
<para><programlisting>#ZONE HOST(S) OPTIONS <para><programlisting>#ZONE HOST(S) OPTIONS
@ -345,7 +360,7 @@ drct $INT_IF:dynamic</programlisting>The <emphasis
role="bold">loc</emphasis>).</para> role="bold">loc</emphasis>).</para>
</section> </section>
<section> <section id="policy">
<title>/etc/shorewall/policy</title> <title>/etc/shorewall/policy</title>
<para><programlisting>#SOURCE DEST POLICY LOG LIMIT:BURST <para><programlisting>#SOURCE DEST POLICY LOG LIMIT:BURST
@ -366,7 +381,7 @@ all all REJECT $LOG</programlisting>I'm a bit
someday...</para> someday...</para>
</section> </section>
<section> <section id="accounting">
<title>/etc/shorewall/accounting</title> <title>/etc/shorewall/accounting</title>
<para><programlisting>#ACTION CHAIN SOURCE DESTINATION PROTO DEST SOURCE USER/ <para><programlisting>#ACTION CHAIN SOURCE DESTINATION PROTO DEST SOURCE USER/
@ -411,7 +426,7 @@ COUNT web $VPS_IF:206.124.146.0/24 $EXT_IF
</orderedlist> </orderedlist>
</section> </section>
<section> <section id="blacklist">
<title>/etc/shorewall/blacklist</title> <title>/etc/shorewall/blacklist</title>
<para><programlisting>#ADDRESS/SUBNET PROTOCOL PORT <para><programlisting>#ADDRESS/SUBNET PROTOCOL PORT
@ -421,7 +436,7 @@ COUNT web $VPS_IF:206.124.146.0/24 $EXT_IF
traffic.</para> traffic.</para>
</section> </section>
<section> <section id="compile">
<title>/etc/shorewall/compile</title> <title>/etc/shorewall/compile</title>
<para><programlisting>use strict; <para><programlisting>use strict;
@ -438,7 +453,7 @@ add_rule $chainref, q(-j ACCEPT);
created.</para> created.</para>
</section> </section>
<section> <section id="findgw">
<title>/etc/shorewall/findgw</title> <title>/etc/shorewall/findgw</title>
<para><programlisting>if [ -f /var/lib/dhcp3/dhclient.${1}.leases ]; then <para><programlisting>if [ -f /var/lib/dhcp3/dhclient.${1}.leases ]; then
@ -447,7 +462,7 @@ fi</programlisting>The Comcast line has a dynamic IP address assigned with the
help of dhclient.</para> help of dhclient.</para>
</section> </section>
<section> <section id="isusable">
<title>/etc/shorewall/isusable</title> <title>/etc/shorewall/isusable</title>
<para><programlisting>local status <para><programlisting>local status
@ -459,7 +474,7 @@ return $status</programlisting>For use with <ulink
url="MultiISP.html#lsm">lsm</ulink>.</para> url="MultiISP.html#lsm">lsm</ulink>.</para>
</section> </section>
<section> <section id="libprivate">
<title>/etc/shorewall/lib.private</title> <title>/etc/shorewall/lib.private</title>
<para><programlisting>start_lsm() { <para><programlisting>start_lsm() {
@ -486,7 +501,7 @@ EOF
url="MultiISP.html#lsm">lsm</ulink>.</para> url="MultiISP.html#lsm">lsm</ulink>.</para>
</section> </section>
<section> <section id="masq">
<title>/etc/shorewall/masq</title> <title>/etc/shorewall/masq</title>
<para><programlisting>#INTERFACE SOURCE ADDRESS <para><programlisting>#INTERFACE SOURCE ADDRESS
@ -527,14 +542,15 @@ Comcast 2 0x20000 main $COM_IF detect track,balance
the multi-ISP aspects of this configuration.</para> the multi-ISP aspects of this configuration.</para>
</section> </section>
<section> <section id="proxyarp">
<title>/etc/shorewall/proxyarp</title> <title>/etc/shorewall/proxyarp</title>
<para><programlisting>&lt;empty&gt;</programlisting>I let OpenVZ <para><programlisting>&lt;empty&gt;</programlisting>As mentioned <link
configure the Proxy ARP for my servers.</para> linkend="interfaces">above</link>, I set the proxyarp on the associated
external interface instead of defining proxy ARP in this file.</para>
</section> </section>
<section> <section id="restored">
<title>/etc/shorewall/restored</title> <title>/etc/shorewall/restored</title>
<para><programlisting>if [ -z "$(ps ax | grep 'lsm ' | grep -v 'grep ' )" ]; then <para><programlisting>if [ -z "$(ps ax | grep 'lsm ' | grep -v 'grep ' )" ]; then
@ -545,7 +561,7 @@ chmod 744 ${VARDIR}/state</programlisting>If lsm isn't running then start it.
Make the state file world-readable.</para> Make the state file world-readable.</para>
</section> </section>
<section> <section id="route_rules">
<title>/etc/shorewall/route_rules</title> <title>/etc/shorewall/route_rules</title>
<para><programlisting>#SOURCE DEST PROVIDER PRIORITY <para><programlisting>#SOURCE DEST PROVIDER PRIORITY
@ -560,7 +576,7 @@ chmod 744 ${VARDIR}/state</programlisting>If lsm isn't running then start it.
interface.</para> interface.</para>
</section> </section>
<section> <section id="routestopped">
<title>/etc/shorewall/routestopped</title> <title>/etc/shorewall/routestopped</title>
<para><programlisting>#INTERFACE HOST(S) OPTIONS PROTO <para><programlisting>#INTERFACE HOST(S) OPTIONS PROTO
@ -570,7 +586,7 @@ $EXT_IF - notrack 41</programlistin
the lights on while Shorewall is stopped.</para> the lights on while Shorewall is stopped.</para>
</section> </section>
<section> <section id="rules">
<title>/etc/shorewall/rules</title> <title>/etc/shorewall/rules</title>
<para><programlisting>############################################################################################################################################################################### <para><programlisting>###############################################################################################################################################################################
@ -708,7 +724,7 @@ COMMENT
ACCEPT any any icmp 8</programlisting></para> ACCEPT any any icmp 8</programlisting></para>
</section> </section>
<section> <section id="started">
<title>/etc/shorewall/started</title> <title>/etc/shorewall/started</title>
<para><programlisting>if [ -z "$(ps ax | grep 'lsm ' | grep -v 'grep ' )" ]; then <para><programlisting>if [ -z "$(ps ax | grep 'lsm ' | grep -v 'grep ' )" ]; then
@ -719,7 +735,7 @@ chmod 744 ${VARDIR}/state</programlisting>If lsm isn't running then start it.
Make the state file world-readable.</para> Make the state file world-readable.</para>
</section> </section>
<section> <section id="stopped">
<title>/etc/shorewall/stopped</title> <title>/etc/shorewall/stopped</title>
<para><programlisting>if [ "$COMMAND" = stop -o "$COMMAND" = clear ]; then <para><programlisting>if [ "$COMMAND" = stop -o "$COMMAND" = clear ]; then
@ -730,7 +746,7 @@ chmod 744 ${VARDIR}/state</programlisting>Kill lsm if the command is stop or
clear. Make the state file world-readable.</para> clear. Make the state file world-readable.</para>
</section> </section>
<section> <section id="tunnels">
<title>/etc/shorewall/tunnels</title> <title>/etc/shorewall/tunnels</title>
<para><programlisting>#TYPE ZONE GATEWAY GATEWAY <para><programlisting>#TYPE ZONE GATEWAY GATEWAY