mirror of
https://gitlab.com/shorewall/code.git
synced 2025-06-23 11:11:32 +02:00
Update the Bridge document for 5.0
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep
parent
a47cfb4f63
commit
9e6109bc36
@ -134,7 +134,7 @@
|
|||||||
the bridge would work exactly the same if public IP addresses were used
|
the bridge would work exactly the same if public IP addresses were used
|
||||||
(remember that the bridge doesn't deal with IP addresses).</para>
|
(remember that the bridge doesn't deal with IP addresses).</para>
|
||||||
|
|
||||||
<graphic fileref="images/bridge.png" />
|
<graphic fileref="images/bridge.png"/>
|
||||||
|
|
||||||
<para>There are a several key differences in this setup and a normal
|
<para>There are a several key differences in this setup and a normal
|
||||||
Shorewall configuration:</para>
|
Shorewall configuration:</para>
|
||||||
@ -180,7 +180,7 @@
|
|||||||
systems connected to that switch. All of the systems on the local side of
|
systems connected to that switch. All of the systems on the local side of
|
||||||
the <emphasis role="bold">router</emphasis> would still be configured with
|
the <emphasis role="bold">router</emphasis> would still be configured with
|
||||||
IP addresses in 192.168.1.0/24 as shown below.<graphic
|
IP addresses in 192.168.1.0/24 as shown below.<graphic
|
||||||
fileref="images/bridge3.png" /></para>
|
fileref="images/bridge3.png"/></para>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section id="Bridge">
|
<section id="Bridge">
|
||||||
@ -596,8 +596,8 @@ all all REJECT info
|
|||||||
is connected to <filename class="devicefile">eth0</filename> and the
|
is connected to <filename class="devicefile">eth0</filename> and the
|
||||||
switch to <filename class="devicefile">eth1</filename>:</para>
|
switch to <filename class="devicefile">eth1</filename>:</para>
|
||||||
|
|
||||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
<programlisting>#ZONE INTERFACE OPTIONS
|
||||||
world br0 detect bridge
|
world br0 bridge
|
||||||
net br0:eth0
|
net br0:eth0
|
||||||
loc br0:eth1
|
loc br0:eth1
|
||||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
||||||
@ -645,9 +645,9 @@ br0 192.168.1.0/24 routeback
|
|||||||
|
|
||||||
<para><filename>/etc/shorewall/interfaces</filename>:</para>
|
<para><filename>/etc/shorewall/interfaces</filename>:</para>
|
||||||
|
|
||||||
<programlisting> #ZONE INTERFACE BROADCAST OPTIONS
|
<programlisting> #ZONE INTERFACE OPTIONS
|
||||||
world br0 - bridge
|
world br0 bridge
|
||||||
world br1 - bridge
|
world br1 bridge
|
||||||
z1 br0:p+
|
z1 br0:p+
|
||||||
z2 br1:p+</programlisting>
|
z2 br1:p+</programlisting>
|
||||||
|
|
||||||
@ -657,11 +657,11 @@ br0 192.168.1.0/24 routeback
|
|||||||
configuration may be defined using the following in
|
configuration may be defined using the following in
|
||||||
<filename>/etc/shorewall/interfaces</filename>:</para>
|
<filename>/etc/shorewall/interfaces</filename>:</para>
|
||||||
|
|
||||||
<programlisting> #ZONE INTERFACE BROADCAST OPTIONS
|
<programlisting> #ZONE INTERFACE OPTIONS
|
||||||
world br0 - bridge
|
world br0 bridge
|
||||||
world br1 - bridge
|
world br1 bridge
|
||||||
z1 br0:x+ - physical=p+
|
z1 br0:x+ physical=p+
|
||||||
z2 br1:y+ - physical=p+</programlisting>
|
z2 br1:y+ physical=p+</programlisting>
|
||||||
|
|
||||||
<para>In this configuration, 'x+' is the logical name for ports p+ on
|
<para>In this configuration, 'x+' is the logical name for ports p+ on
|
||||||
bridge br0 while 'y+' is the logical name for ports p+ on bridge
|
bridge br0 while 'y+' is the logical name for ports p+ on bridge
|
||||||
@ -673,8 +673,7 @@ br0 192.168.1.0/24 routeback
|
|||||||
|
|
||||||
<para>Example from /etc/shorewall/rules:</para>
|
<para>Example from /etc/shorewall/rules:</para>
|
||||||
|
|
||||||
<programlisting> #ACTION SOURCE DEST PROTO DEST
|
<programlisting> #ACTION SOURCE DEST PROTO DPORT
|
||||||
# PORT(S)
|
|
||||||
REJECT z1:x1023 z1:x1024 tcp 1234</programlisting>
|
REJECT z1:x1023 z1:x1024 tcp 1234</programlisting>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
@ -683,7 +682,7 @@ br0 192.168.1.0/24 routeback
|
|||||||
|
|
||||||
<para>A system running Shorewall doesn't have to be exclusively a bridge
|
<para>A system running Shorewall doesn't have to be exclusively a bridge
|
||||||
or a router -- it can act as both, which is also know as a brouter. Here's
|
or a router -- it can act as both, which is also know as a brouter. Here's
|
||||||
an example:<graphic fileref="images/bridge2.png" /></para>
|
an example:<graphic fileref="images/bridge2.png"/></para>
|
||||||
|
|
||||||
<para>This is basically the same setup as shown in the <ulink
|
<para>This is basically the same setup as shown in the <ulink
|
||||||
url="shorewall_setup_guide.htm">Shorewall Setup Guide</ulink> with the
|
url="shorewall_setup_guide.htm">Shorewall Setup Guide</ulink> with the
|
||||||
@ -710,11 +709,11 @@ loc ipv4</programlisting>
|
|||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>The <filename>/etc/shorewall/interfaces</filename> file is as
|
<para>The <filename>/etc/shorewall/interfaces</filename> file is as
|
||||||
follows:<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
follows:<programlisting>#ZONE INTERFACE OPTIONS
|
||||||
pub br0 detect routefilter,bridge
|
pub br0 routefilter,bridge
|
||||||
net br0:eth0
|
net br0:eth0
|
||||||
dmz br0:eth2
|
dmz br0:eth2
|
||||||
loc eth1 detect</programlisting></para>
|
loc eth1</programlisting></para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
@ -761,9 +760,7 @@ all all REJECT info</programlisting>
|
|||||||
|
|
||||||
<para><filename>/etc/shorewall/rules</filename>:</para>
|
<para><filename>/etc/shorewall/rules</filename>:</para>
|
||||||
|
|
||||||
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE
|
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT
|
||||||
#
|
|
||||||
PORT(S) PORT(S)
|
|
||||||
ACCEPT all all icmp 8
|
ACCEPT all all icmp 8
|
||||||
ACCEPT loc $DMZ tcp 25,53,80,443,...
|
ACCEPT loc $DMZ tcp 25,53,80,443,...
|
||||||
ACCEPT loc $DMZ udp 53
|
ACCEPT loc $DMZ udp 53
|
||||||
@ -784,7 +781,7 @@ ACCEPT $FW $DMZ tcp 53 </
|
|||||||
|
|
||||||
<para>This configuration is shown in the following diagram.</para>
|
<para>This configuration is shown in the following diagram.</para>
|
||||||
|
|
||||||
<graphic align="center" fileref="images/veth1.png" />
|
<graphic align="center" fileref="images/veth1.png"/>
|
||||||
|
|
||||||
<para>In this configuration, veth0 is assigned the internal IP address;
|
<para>In this configuration, veth0 is assigned the internal IP address;
|
||||||
br0 does not have an IP address.</para>
|
br0 does not have an IP address.</para>
|
||||||
@ -872,8 +869,7 @@ iface veth0 inet static
|
|||||||
<para>For this configuration, we need several additional zones as shown
|
<para>For this configuration, we need several additional zones as shown
|
||||||
here:</para>
|
here:</para>
|
||||||
|
|
||||||
<programlisting>#ZONE TYPE OPTIONS IN OUT
|
<programlisting>#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
|
||||||
# OPTIONS OPTIONS
|
|
||||||
fw firewall
|
fw firewall
|
||||||
net ipv4
|
net ipv4
|
||||||
zone1 bport
|
zone1 bport
|
||||||
@ -943,8 +939,7 @@ all all REJECT:info</programlisting>
|
|||||||
|
|
||||||
<para>Rules allowing traffic from the net to zone2 look like this:</para>
|
<para>Rules allowing traffic from the net to zone2 look like this:</para>
|
||||||
|
|
||||||
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK
|
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER MARK
|
||||||
# PORT(S) PORT(S) DEST LIMIT GROUP
|
|
||||||
ACCEPT col zone2 tcp 22 - - - - <emphasis
|
ACCEPT col zone2 tcp 22 - - - - <emphasis
|
||||||
role="bold">net</emphasis></programlisting>
|
role="bold">net</emphasis></programlisting>
|
||||||
|
|
||||||
@ -969,8 +964,7 @@ ACCEPT col <emphasis role="bold">zone3</emphasis> tcp 22
|
|||||||
<para>Suppose that you want to forward tcp port 80 to 192.168.4.45 in
|
<para>Suppose that you want to forward tcp port 80 to 192.168.4.45 in
|
||||||
zone3:</para>
|
zone3:</para>
|
||||||
|
|
||||||
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK
|
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER MARK
|
||||||
# PORT(S) PORT(S) DEST LIMIT GROUP
|
|
||||||
DNAT- net loc:172.168.4.45 tcp 80
|
DNAT- net loc:172.168.4.45 tcp 80
|
||||||
ACCEPT col zone3:172.168.4.45 tcp 80 - - - - <emphasis
|
ACCEPT col zone3:172.168.4.45 tcp 80 - - - - <emphasis
|
||||||
role="bold">net</emphasis></programlisting>
|
role="bold">net</emphasis></programlisting>
|
||||||
@ -979,15 +973,13 @@ ACCEPT col zone3:172.168.4.45 tcp 80 - -
|
|||||||
role="bold">zonei</emphasis> zones to the <emphasis
|
role="bold">zonei</emphasis> zones to the <emphasis
|
||||||
role="bold">net</emphasis> zone look like this:</para>
|
role="bold">net</emphasis> zone look like this:</para>
|
||||||
|
|
||||||
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK
|
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER MARK
|
||||||
# PORT(S) PORT(S) DEST LIMIT GROUP
|
|
||||||
ACCEPT loc net tcp 21 - - - - <emphasis
|
ACCEPT loc net tcp 21 - - - - <emphasis
|
||||||
role="bold">zone1</emphasis></programlisting>
|
role="bold">zone1</emphasis></programlisting>
|
||||||
|
|
||||||
<para>And to the firewall:</para>
|
<para>And to the firewall:</para>
|
||||||
|
|
||||||
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK
|
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER MARK
|
||||||
# PORT(S) PORT(S) DEST LIMIT GROUP
|
|
||||||
ACCEPT zone2 col tcp - - - - <emphasis
|
ACCEPT zone2 col tcp - - - - <emphasis
|
||||||
role="bold">zone2</emphasis></programlisting>
|
role="bold">zone2</emphasis></programlisting>
|
||||||
</section>
|
</section>
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user