From e3fa41233b78a1093d2055681a35e7334324d86b Mon Sep 17 00:00:00 2001 From: judas_iscariote Date: Thu, 8 Sep 2005 02:03:51 +0000 Subject: [PATCH] new zones file format and other stuff.. git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2643 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall-docs2/three-interface.xml | 97 ++++++++++------------------- Shorewall-docs2/two-interface.xml | 7 ++- 2 files changed, 36 insertions(+), 68 deletions(-) diff --git a/Shorewall-docs2/three-interface.xml b/Shorewall-docs2/three-interface.xml index 07031dc2f..71f1ea3e2 100755 --- a/Shorewall-docs2/three-interface.xml +++ b/Shorewall-docs2/three-interface.xml @@ -15,7 +15,7 @@ - 2005-03-31 + 2005-09-07 2002-2005 @@ -202,39 +202,11 @@ a set of zones. In the three-interface sample configuration, the following zone names are used: - - - - - Name - - Description - - - - - - net - - The Internet - - - - loc - - Your Local Network - - - - dmz - - Demilitarized Zone - - - - - - Zone names are defined in + #ZONE IPSEC OPTIONS IN OUT +# ONLY OPTIONS OPTIONS +net +loc +dmzZone names are defined in /etc/shorewall/zones. Shorewall also recognizes the firewall system as its own zone - by @@ -341,11 +313,11 @@ fw net ACCEPT - If your external interface is If your external interface is ppp0 or ippp0 then you will want to set CLAMPMSS=yes in - /etc/shorewall/shorewall.conf. + /etc/shorewall/shorewall.conf. Your Local Interface will be an ethernet adapter (eth0, class="devicefile">ippp0 or if you have a static IP address, you can remove dhcp from the option list. - - - If you specify nobogons for your external - interface, you will want to check the Shorewall - Errata periodically for updates to the - /usr/share/shorewall/bogons file. -
@@ -429,10 +394,11 @@ fw net ACCEPT - Before starting Shorewall, you should look at the IP address of your - external interface and if it is one of the above ranges, you should remove - the norfc1918 option from the external interface's - entry in /etc/shorewall/interfaces. + Before starting Shorewall, you should look at + the IP address of your external interface and if it is one of the above + ranges, you should remove the norfc1918 option from the + external interface's entry in + /etc/shorewall/interfaces. You will want to assign your local addresses from one sub-network or subnet and your DMZ addresses from another subnet. For our purposes, we @@ -606,9 +572,10 @@ fw net ACCEPT - If you are using the Debian package, please check your - shorewall.conf file to ensure that the following is - set correctly; if it is not, change it appropriately: + If you are using the Debian package, please + check your shorewall.conf file to ensure that the + following is set correctly; if it is not, change it appropriately: + IP_FORWARDING=On @@ -645,9 +612,9 @@ DNAT net dmz:<server local IP address>[:You run a Web Server on DMZ Computer 2 and you want to forward incoming TCP port 80 to that system - #ACTION SOURCE DEST PROTO DEST PORT(S) -DNAT net dmz:10.10.11.2 tcp 80 -ACCEPT loc dmz:10.10.11.2 tcp 80 + #ACTION SOURCE DEST PROTO DEST PORT(S) +Web/DNAT net dmz:10.10.11.2 +Web/ACCEPT loc dmz:10.10.11.2 Entry 1 forwards port 80 from the Internet. @@ -755,11 +722,11 @@ DNAT loc dmz:10.10.11.2 tcp 80 - $ETH0_IP If you run the name server on the firewall: #ACTION SOURCE DEST PROTO DEST PORT(S) -AllowDNS loc fw -AllowDNS dmz fw Run name server on DMZ +DNS/ACCEPT loc fw +DNS/ACCEPT dmz fw Run name server on DMZ computer 1: #ACTION SOURCE DEST PROTO DEST PORT(S) -AllowDNS loc dmz:10.10.11.1 -AllowDNS fw dmz:10.10.11.1 +DNS/ACCEPT loc dmz:10.10.11.1 +DNS/ACCEPT fw dmz:10.10.11.1 In the rules shown above, AllowDNS is an example of a defined action. Shorewall includes a number of 
@@ -792,20 +759,20 @@ ACCEPT dmz fw udp 53 The three-interface sample includes the following rule: #ACTION SOURCE DEST PROTO DEST PORT(S) -AllowDNS fw net That rule allow DNS access from - your firewall and may be removed if you commented out the line in +DNS/ACCEPT fw net That rule allow DNS access + from your firewall and may be removed if you commented out the line in /etc/shorewall/policy allowing all connections from the firewall to the Internet. The sample also includes: #ACTION SOURCE DEST PROTO DEST PORT(S) -AllowSSH loc fw -AllowSSH loc dmz Those rules allow you to run +SSH/ACCEPT loc fw +SSH/ACCEPT loc dmz Those rules allow you to run an SSH server on your firewall and in each of your DMZ systems and to connect to those servers from your local systems. If you wish to enable other connections between your systems, the general format for using a defined action is: #ACTION SOURCE DEST PROTO DEST PORT(S) -<action> <source zone> <destination zone> +<macro> <source zone> <destination zone> The general format when not using a defined action is:#ACTION SOURCE DEST PROTO DEST PORT(S) @@ -815,10 +782,10 @@ ACCEPT <source zone> <destination zone> <protocol&g You want to run a publicly-available DNS server on your firewall system - Using defined actions: + Using defined macros: #ACTION SOURCE DEST PROTO DEST PORT(S) -AllowDNS net fw +DNS/ACCEPT net fw Not using defined actions: @@ -837,7 +804,7 @@ ACCEPT net fw udp 53 I don't recommend enabling telnet to/from the Internet because it uses clear text (even for login!). If you want shell access to your firewall from the Internet, use SSH: #ACTION SOURCE DEST PROTO DEST PORT(S) -AllowSSH net fw +SSH/ACCEPT net fw Bering diff --git a/Shorewall-docs2/two-interface.xml b/Shorewall-docs2/two-interface.xml index b16b38ce2..3983ce23f 100644 --- a/Shorewall-docs2/two-interface.xml +++ b/Shorewall-docs2/two-interface.xml 
@@ -213,7 +213,7 @@ Shorewall views the network where it is running as being composed of a set of zones. In the two-interface sample configuration, the following - zone names are used: + zone names are used: #ZONE IPSEC OPTIONS IN OUT # ONLY OPTIONS OPTIONS @@ -363,8 +363,9 @@ fw net ACCEPT The above policy will: from the option list. If your internal interface is a bridge create using the - brctl utility then you must add the - routeback option to the option list. + brctl utility then you must + add the routeback option to the option + list.
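Review bot: the replacement at @@ -202 of three-interface.xml drops the descriptions the old table carried (net = The Internet, loc = Your Local Network, dmz = Demilitarized Zone), so a reader meeting the new zones format for the first time sees only the bare names; keep them either as `#` comment lines in the listing (the header already uses that syntax) or in a sentence right after it. The listing also runs straight into the prose (`dmzZone names are defined in`), which looks like the programlisting is not closed before the paragraph text resumes; please check the rendered output.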
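Review bot: the @@ -341 hunk of three-interface.xml removes the note that anyone specifying nobogons should check the Shorewall Errata for updates to /usr/share/shorewall/bogons, but nothing else in the patch removes or deprecates the nobogons option, and the commit message ("new zones file format and other stuff..") does not say why the caveat goes. If the option is still valid, the reminder that the bogons list goes stale is worth keeping, since a stale list quietly stops blocking what it was meant to block.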
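Review bot: the conversion to the Web macro at @@ -645 of three-interface.xml is incomplete: the third rule of the same example, visible as unchanged context at the head of the next hunk (`DNAT loc dmz:10.10.11.2 tcp 80 - $ETH0_IP`), still spells out `tcp 80`, so the worked example now mixes both forms. Either convert that line to the macro form as well (with `-` placeholders for the columns the macro supplies) or keep the explicit protocol and port on all three rows, and say in one sentence that the macro fills in PROTO and DEST PORT(S), since those columns are now empty under a header that still names them.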
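Review bot: the rules at @@ -755 of three-interface.xml now read `DNS/ACCEPT`, but the unchanged sentence directly after them still says `In the rules shown above, AllowDNS is an example of a defined action`, so the prose refers to a name that no longer appears anywhere in the listing. Update it to name the DNS macro and to say macro rather than action.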
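Review bot: the terminology change at @@ -792 of three-interface.xml is partial: `<action>` becomes `<macro>` in the listing, while the sentences around it still read `the general format for using a defined action is` and `The general format when not using a defined action is`; please align them with the new term. While this hunk is being rewritten, `That rule allow DNS access` should read `allows`.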
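Review bot: at @@ -815 of three-interface.xml `Using defined actions:` becomes `Using defined macros:` but its sibling heading a few lines below, `Not using defined actions:`, is left unchanged, so the two halves of one example now use different words for the same thing; change the second to `Not using defined macros:`.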
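Review bot: the reflow at @@ -363 of two-interface.xml carries over the typo in `a bridge create using the brctl utility`; since these lines are being rewritten anyway, change `create` to `created`.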