mirror of
https://gitlab.com/shorewall/code.git
synced 2025-01-05 13:08:50 +01:00
Update Shared Config Doc
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
parent
2bf9048057
commit
fd1d4a3f35
@ -2,7 +2,7 @@
|
|||||||
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
|
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
|
||||||
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
|
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
|
||||||
<article>
|
<article>
|
||||||
<!--mangle$Id$-->
|
<!--$Id$-->
|
||||||
|
|
||||||
<articleinfo>
|
<articleinfo>
|
||||||
<title>Shared Shorewall and Shorewall6 Configuration</title>
|
<title>Shared Shorewall and Shorewall6 Configuration</title>
|
||||||
@ -20,6 +20,8 @@
|
|||||||
<copyright>
|
<copyright>
|
||||||
<year>2017</year>
|
<year>2017</year>
|
||||||
|
|
||||||
|
<year>2020</year>
|
||||||
|
|
||||||
<holder>Thomas M. Eastep</holder>
|
<holder>Thomas M. Eastep</holder>
|
||||||
</copyright>
|
</copyright>
|
||||||
|
|
||||||
@ -37,7 +39,7 @@
|
|||||||
<section>
|
<section>
|
||||||
<title>Introduction</title>
|
<title>Introduction</title>
|
||||||
|
|
||||||
<para>Netfilter separates management of IPv4 and IPv6 configurations. Each
|
<para>Iptables separates management of IPv4 and IPv6 configurations. Each
|
||||||
address family has its own utility (iptables and ip6tables), and changes
|
address family has its own utility (iptables and ip6tables), and changes
|
||||||
made to the configuration of one address family do not affect the other.
|
made to the configuration of one address family do not affect the other.
|
||||||
While Shorewall also separates the address families in this way, it is
|
While Shorewall also separates the address families in this way, it is
|
||||||
@ -68,7 +70,7 @@
|
|||||||
|
|
||||||
<para>Here is a diagram of this installation:</para>
|
<para>Here is a diagram of this installation:</para>
|
||||||
|
|
||||||
<graphic fileref="images/Network2017.png"/>
|
<graphic fileref="images/Network2020.png"/>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section>
|
<section>
|
||||||
@ -76,36 +78,40 @@
|
|||||||
|
|
||||||
<para>Here are the contents of /etc/shorewall/ and /etc/shorewal6/:</para>
|
<para>Here are the contents of /etc/shorewall/ and /etc/shorewal6/:</para>
|
||||||
|
|
||||||
<programlisting>root@gateway:~# ls -l /etc/shorewall/
|
<programlisting>root@gateway:~# ls -l /etc/shorewall
|
||||||
total 92
|
total 120
|
||||||
-rw-r--r-- 1 root root 201 Mar 19 2017 action.Mirrors
|
-rw-r--r-- 1 root root 201 Mar 19 2017 action.Mirrors
|
||||||
-rw-r--r-- 1 root root 109 Oct 20 09:18 actions
|
-rw-r--r-- 1 root root 109 Oct 20 2017 actions
|
||||||
-rw-r--r-- 1 root root 654 Oct 13 13:46 conntrack
|
-rw-r--r-- 1 root root 82 Oct 5 2018 arprules
|
||||||
-rw-r--r-- 1 root root 104 Oct 13 13:21 hosts
|
-rw-r--r-- 1 root root 528 Oct 7 2019 blrules
|
||||||
-rw-r--r-- 1 root root 867 Jul 1 10:50 interfaces
|
-rw-r--r-- 1 root root 1797 Sep 16 2019 capabilities
|
||||||
-rw-r--r-- 1 root root 107 Jun 29 15:14 isusable
|
-rw-r--r-- 1 root root 656 Jun 10 2018 conntrack
|
||||||
-rw-r--r-- 1 root root 240 Oct 13 13:34 macro.FTP
|
-rw-r--r-- 1 root root 104 Oct 13 2017 hosts
|
||||||
-rw-r--r-- 1 root root 559 Oct 19 12:56 mangle
|
-rw-r--r-- 1 root root 867 Jun 10 2018 interfaces
|
||||||
-rw-r--r-- 1 root root 1290 Jun 29 15:16 mirrors
|
-rw-r--r-- 1 root root 107 Jun 29 2017 isusable
|
||||||
-rw-r--r-- 1 root root 2687 Oct 15 14:20 params
|
-rw-r--r-- 1 root root 240 Oct 13 2017 macro.FTP
|
||||||
-rw-r--r-- 1 root root 738 Oct 15 12:16 policy
|
-rw-r--r-- 1 root root 705 Oct 22 2019 mangle
|
||||||
-rw-r--r-- 1 root root 1838 Oct 11 08:29 providers
|
-rw-r--r-- 1 root root 1308 Apr 2 2018 mirrors
|
||||||
|
-rw-r--r-- 1 root root 2889 Apr 23 17:13 params
|
||||||
|
-rw-r--r-- 1 root root 1096 Oct 14 2019 policy
|
||||||
|
-rw-r--r-- 1 root root 2098 Apr 23 17:19 providers
|
||||||
-rw-r--r-- 1 root root 398 Mar 18 2017 proxyarp
|
-rw-r--r-- 1 root root 398 Mar 18 2017 proxyarp
|
||||||
-rw-r--r-- 1 root root 738 Nov 8 09:34 routes
|
-rw-r--r-- 1 root root 726 Oct 24 2018 routes
|
||||||
-rw-r--r-- 1 root root 729 Nov 7 12:52 rtrules
|
-rw-r--r-- 1 root root 729 Mar 1 11:08 rtrules
|
||||||
-rw-r--r-- 1 root root 6367 Oct 13 13:21 rules
|
-rw-r--r-- 1 root root 8593 Feb 25 08:49 rules
|
||||||
-rw-r--r-- 1 root root 5520 Oct 19 10:01 shorewall.conf
|
-rw-r--r-- 1 root root 5490 Mar 1 18:34 shorewall.conf
|
||||||
-rw-r--r-- 1 root root 1090 Oct 25 15:17 snat
|
-rw-r--r-- 1 root root 1090 Sep 16 2019 snat
|
||||||
-rw-r--r-- 1 root root 181 Jun 29 15:12 started
|
-rw-r--r-- 1 root root 180 Jan 30 2018 started
|
||||||
-rw-r--r-- 1 root root 435 Oct 13 13:21 tunnels
|
-rw-r--r-- 1 root root 539 Feb 6 14:33 stoppedrules
|
||||||
-rw-r--r-- 1 root root 941 Oct 15 11:27 zones
|
-rw-r--r-- 1 root root 435 Oct 13 2017 tunnels
|
||||||
root@gateway:~# ls -l /etc/shorewall6/
|
-rw-r--r-- 1 root root 941 Oct 15 2017 zones
|
||||||
total 8
|
root@gateway:~# ls -l /etc/shorewall6
|
||||||
lrwxrwxrwx 1 root root 20 Jul 6 16:35 mirrors -> ../shorewall/mirrors
|
total 12
|
||||||
lrwxrwxrwx 1 root root 19 Jul 6 12:48 params -> ../shorewall/params
|
-rw-r--r-- 1 root root 1786 Sep 16 2019 capabilities
|
||||||
-rw-r--r-- 1 root root 5332 Oct 14 11:53 shorewall6.conf
|
lrwxrwxrwx 1 root root 20 Jul 6 2017 mirrors -> ../shorewall/mirrors
|
||||||
root@gateway:~#
|
lrwxrwxrwx 1 root root 19 Jul 6 2017 params -> ../shorewall/params
|
||||||
</programlisting>
|
-rw-r--r-- 1 root root 5324 Oct 18 2019 shorewall6.conf
|
||||||
|
root@gateway:~#</programlisting>
|
||||||
|
|
||||||
<para>The various configuration files are described in the sections that
|
<para>The various configuration files are described in the sections that
|
||||||
follow. Note that in all cases, these files use the <ulink
|
follow. Note that in all cases, these files use the <ulink
|
||||||
@ -171,7 +177,7 @@ DEFAULT_PAGER=/usr/bin/less
|
|||||||
#
|
#
|
||||||
# For information about the settings in this file, type "man shorewall.conf"
|
# For information about the settings in this file, type "man shorewall.conf"
|
||||||
#
|
#
|
||||||
# Manpage also online at https://shorewall.org/manpages/shorewall.conf.html
|
# Manpage also online at http://www.shorewall.net/manpages/shorewall.conf.html
|
||||||
###############################################################################
|
###############################################################################
|
||||||
# S T A R T U P E N A B L E D
|
# S T A R T U P E N A B L E D
|
||||||
###############################################################################
|
###############################################################################
|
||||||
@ -197,9 +203,10 @@ INVALID_LOG_LEVEL=
|
|||||||
LOG_BACKEND=netlink
|
LOG_BACKEND=netlink
|
||||||
LOG_MARTIANS=Yes
|
LOG_MARTIANS=Yes
|
||||||
LOG_VERBOSITY=1
|
LOG_VERBOSITY=1
|
||||||
|
LOG_ZONE=Src
|
||||||
LOGALLNEW=
|
LOGALLNEW=
|
||||||
LOGFILE=/var/log/ulogd/ulogd.syslogemu.log
|
LOGFILE=/var/log/ulogd/ulogd.syslogemu.log
|
||||||
LOGFORMAT=": %s %s"
|
LOGFORMAT="%s %s"
|
||||||
LOGTAGONLY=Yes
|
LOGTAGONLY=Yes
|
||||||
LOGLIMIT="s:5/min"
|
LOGLIMIT="s:5/min"
|
||||||
MACLIST_LOG_LEVEL="$LOG_LEVEL"
|
MACLIST_LOG_LEVEL="$LOG_LEVEL"
|
||||||
@ -246,7 +253,7 @@ RSH_COMMAND='ssh ${root}@${system} ${command}'
|
|||||||
# F I R E W A L L O P T I O N S
|
# F I R E W A L L O P T I O N S
|
||||||
###############################################################################
|
###############################################################################
|
||||||
ACCOUNTING=Yes
|
ACCOUNTING=Yes
|
||||||
ACCOUNTING_TABLE=mangle
|
ACCOUNTING_TABLE=filter
|
||||||
ADD_IP_ALIASES=No
|
ADD_IP_ALIASES=No
|
||||||
ADD_SNAT_ALIASES=No
|
ADD_SNAT_ALIASES=No
|
||||||
ADMINISABSENTMINDED=Yes
|
ADMINISABSENTMINDED=Yes
|
||||||
@ -256,7 +263,7 @@ AUTOMAKE=Yes
|
|||||||
BALANCE_PROVIDERS=No
|
BALANCE_PROVIDERS=No
|
||||||
BASIC_FILTERS=No
|
BASIC_FILTERS=No
|
||||||
BLACKLIST="NEW,INVALID,UNTRACKED"
|
BLACKLIST="NEW,INVALID,UNTRACKED"
|
||||||
CLAMPMSS=Yes
|
CLAMPMSS=No
|
||||||
CLEAR_TC=Yes
|
CLEAR_TC=Yes
|
||||||
COMPLETE=No
|
COMPLETE=No
|
||||||
DEFER_DNS_RESOLUTION=No
|
DEFER_DNS_RESOLUTION=No
|
||||||
@ -266,22 +273,19 @@ DISABLE_IPV6=No
|
|||||||
DOCKER=No
|
DOCKER=No
|
||||||
DONT_LOAD="nf_nat_sip,nf_conntrack_sip,nf_conntrack_h323,nf_nat_h323"
|
DONT_LOAD="nf_nat_sip,nf_conntrack_sip,nf_conntrack_h323,nf_nat_h323"
|
||||||
DYNAMIC_BLACKLIST="ipset-only,disconnect,timeout=7200"
|
DYNAMIC_BLACKLIST="ipset-only,disconnect,timeout=7200"
|
||||||
EXPAND_POLICIES=Yes
|
EXPAND_POLICIES=No
|
||||||
EXPORTMODULES=Yes
|
EXPORTMODULES=Yes
|
||||||
FASTACCEPT=Yes
|
FASTACCEPT=Yes
|
||||||
FORWARD_CLEAR_MARK=No
|
FORWARD_CLEAR_MARK=No
|
||||||
HELPERS="ftp,irc"
|
HELPERS="ftp,irc"
|
||||||
IGNOREUNKNOWNVARIABLES=No
|
IGNOREUNKNOWNVARIABLES=No
|
||||||
IMPLICIT_CONTINUE=No
|
IMPLICIT_CONTINUE=No
|
||||||
INLINE_MATCHES=Yes
|
|
||||||
IPSET_WARNINGS=Yes
|
IPSET_WARNINGS=Yes
|
||||||
IP_FORWARDING=Yes
|
IP_FORWARDING=Yes
|
||||||
KEEP_RT_TABLES=Yes
|
KEEP_RT_TABLES=Yes
|
||||||
LOAD_HELPERS_ONLY=Yes
|
|
||||||
MACLIST_TABLE=filter
|
MACLIST_TABLE=filter
|
||||||
MACLIST_TTL=60
|
MACLIST_TTL=60
|
||||||
MANGLE_ENABLED=Yes
|
MANGLE_ENABLED=Yes
|
||||||
MAPOLDACTIONS=No
|
|
||||||
MARK_IN_FORWARD_CHAIN=No
|
MARK_IN_FORWARD_CHAIN=No
|
||||||
MINIUPNPD=No
|
MINIUPNPD=No
|
||||||
MULTICAST=No
|
MULTICAST=No
|
||||||
@ -291,6 +295,7 @@ OPTIMIZE=All
|
|||||||
OPTIMIZE_ACCOUNTING=No
|
OPTIMIZE_ACCOUNTING=No
|
||||||
PERL_HASH_SEED=12345
|
PERL_HASH_SEED=12345
|
||||||
REJECT_ACTION=
|
REJECT_ACTION=
|
||||||
|
RENAME_COMBINED=No
|
||||||
REQUIRE_INTERFACE=No
|
REQUIRE_INTERFACE=No
|
||||||
RESTART=restart
|
RESTART=restart
|
||||||
RESTORE_DEFAULT_ROUTE=No
|
RESTORE_DEFAULT_ROUTE=No
|
||||||
@ -332,8 +337,7 @@ TC_BITS=8
|
|||||||
PROVIDER_BITS=2
|
PROVIDER_BITS=2
|
||||||
PROVIDER_OFFSET=16
|
PROVIDER_OFFSET=16
|
||||||
MASK_BITS=8
|
MASK_BITS=8
|
||||||
ZONE_BITS=0
|
ZONE_BITS=0</programlisting>
|
||||||
</programlisting>
|
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section>
|
<section>
|
||||||
@ -348,7 +352,7 @@ ZONE_BITS=0
|
|||||||
# For information about the settings in this file, type "man shorewall6.conf"
|
# For information about the settings in this file, type "man shorewall6.conf"
|
||||||
#
|
#
|
||||||
# Manpage also online at
|
# Manpage also online at
|
||||||
# https://shorewall.org/manpages/shorewall.conf.html
|
# http://www.shorewall.net/manpages6/shorewall6.conf.html
|
||||||
###############################################################################
|
###############################################################################
|
||||||
# S T A R T U P E N A B L E D
|
# S T A R T U P E N A B L E D
|
||||||
###############################################################################
|
###############################################################################
|
||||||
@ -373,9 +377,10 @@ BLACKLIST_LOG_LEVEL="none"
|
|||||||
INVALID_LOG_LEVEL=
|
INVALID_LOG_LEVEL=
|
||||||
LOG_BACKEND=netlink
|
LOG_BACKEND=netlink
|
||||||
LOG_VERBOSITY=2
|
LOG_VERBOSITY=2
|
||||||
|
LOG_ZONE=Src
|
||||||
LOGALLNEW=
|
LOGALLNEW=
|
||||||
LOGFILE=/var/log/ulogd/ulogd.syslogemu.log
|
LOGFILE=/var/log/ulogd/ulogd.syslogemu.log
|
||||||
LOGFORMAT="%s %s "
|
LOGFORMAT="%s %s"
|
||||||
LOGLIMIT="s:5/min"
|
LOGLIMIT="s:5/min"
|
||||||
LOGTAGONLY=Yes
|
LOGTAGONLY=Yes
|
||||||
MACLIST_LOG_LEVEL="$LOG_LEVEL"
|
MACLIST_LOG_LEVEL="$LOG_LEVEL"
|
||||||
@ -443,11 +448,9 @@ FORWARD_CLEAR_MARK=No
|
|||||||
HELPERS=ftp
|
HELPERS=ftp
|
||||||
IGNOREUNKNOWNVARIABLES=No
|
IGNOREUNKNOWNVARIABLES=No
|
||||||
IMPLICIT_CONTINUE=No
|
IMPLICIT_CONTINUE=No
|
||||||
INLINE_MATCHES=No
|
|
||||||
IPSET_WARNINGS=Yes
|
IPSET_WARNINGS=Yes
|
||||||
IP_FORWARDING=Keep
|
IP_FORWARDING=Keep
|
||||||
KEEP_RT_TABLES=Yes
|
KEEP_RT_TABLES=Yes
|
||||||
LOAD_HELPERS_ONLY=Yes
|
|
||||||
MACLIST_TABLE=filter
|
MACLIST_TABLE=filter
|
||||||
MACLIST_TTL=
|
MACLIST_TTL=
|
||||||
MANGLE_ENABLED=Yes
|
MANGLE_ENABLED=Yes
|
||||||
@ -458,6 +461,7 @@ OPTIMIZE=All
|
|||||||
OPTIMIZE_ACCOUNTING=No
|
OPTIMIZE_ACCOUNTING=No
|
||||||
PERL_HASH_SEED=0
|
PERL_HASH_SEED=0
|
||||||
REJECT_ACTION=
|
REJECT_ACTION=
|
||||||
|
RENAME_COMBINED=No
|
||||||
REQUIRE_INTERFACE=No
|
REQUIRE_INTERFACE=No
|
||||||
RESTART=restart
|
RESTART=restart
|
||||||
RESTORE_DEFAULT_ROUTE=No
|
RESTORE_DEFAULT_ROUTE=No
|
||||||
@ -470,7 +474,7 @@ TRACK_PROVIDERS=Yes
|
|||||||
TRACK_RULES=No
|
TRACK_RULES=No
|
||||||
USE_DEFAULT_RT=Yes
|
USE_DEFAULT_RT=Yes
|
||||||
USE_NFLOG_SIZE=Yes
|
USE_NFLOG_SIZE=Yes
|
||||||
USE_PHYSICAL_NAMES=No
|
USE_PHYSICAL_NAMES=Yes
|
||||||
USE_RT_NAMES=No
|
USE_RT_NAMES=No
|
||||||
VERBOSE_MESSAGES=No
|
VERBOSE_MESSAGES=No
|
||||||
WARNOLDCAPVERSION=Yes
|
WARNOLDCAPVERSION=Yes
|
||||||
@ -497,6 +501,7 @@ PROVIDER_BITS=2
|
|||||||
PROVIDER_OFFSET=8
|
PROVIDER_OFFSET=8
|
||||||
MASK_BITS=8
|
MASK_BITS=8
|
||||||
ZONE_BITS=0
|
ZONE_BITS=0
|
||||||
|
#LAST LINE -- DO NOT REMOVE
|
||||||
</programlisting>
|
</programlisting>
|
||||||
</section>
|
</section>
|
||||||
</section>
|
</section>
|
||||||
@ -526,11 +531,13 @@ if [ $g_family = 4 ]; then
|
|||||||
#
|
#
|
||||||
FALLBACK=Yes # Make FAST_IF the primary and PROD_IF the fallback interface
|
FALLBACK=Yes # Make FAST_IF the primary and PROD_IF the fallback interface
|
||||||
# See /etc/shorewall/providers
|
# See /etc/shorewall/providers
|
||||||
STATISTICAL=No # Don't use statistical load balancing
|
STATISTICAL= # Use statistical load balancing
|
||||||
LISTS=70.90.191.124 # IP address of lists.shorewall.net (MX)
|
LISTS=70.90.191.124 # IP address of lists.shorewall.net (MX)
|
||||||
MAIL=70.90.191.122 # IP address of mail.shorewall.net (IMAPS)
|
MAIL=70.90.191.122 # IP address of mail.shorewall.net (IMAPS)
|
||||||
SERVER=70.90.191.125 # IP address of shorewall.org
|
SERVER=70.90.191.125 # IP address of www.shorewall.org
|
||||||
PROXY= # Use TPROXY for local web access
|
IRSSIEXT=10.2.10.2 # External address of irssi.shorewall.net
|
||||||
|
IRSSIINT=172.20.2.44 # Internal IP address of irssi.shorewall.net
|
||||||
|
PROXY=Yes # Use TPROXY for local web access
|
||||||
ALL=0.0.0.0/0 # Entire address space
|
ALL=0.0.0.0/0 # Entire address space
|
||||||
LOC_ADDR=172.20.1.253 # IP address of the local LAN interface
|
LOC_ADDR=172.20.1.253 # IP address of the local LAN interface
|
||||||
FAST_GATEWAY=10.2.10.1 # Default gateway through the IF_FAST interface
|
FAST_GATEWAY=10.2.10.1 # Default gateway through the IF_FAST interface
|
||||||
@ -540,9 +547,9 @@ if [ $g_family = 4 ]; then
|
|||||||
# Interface Options
|
# Interface Options
|
||||||
#
|
#
|
||||||
LOC_OPTIONS=dhcp,ignore=1,wait=5,routefilter,routeback,tcpflags=0,nodbl,physical=eth2
|
LOC_OPTIONS=dhcp,ignore=1,wait=5,routefilter,routeback,tcpflags=0,nodbl,physical=eth2
|
||||||
FAST_OPTIONS=optional,dhcp,tcpflags,logmartians,nosmurfs,sourceroute=0,arp_ignore=1,proxyarp=0,upnp,nosmurfs,physical=eth0
|
FAST_OPTIONS=optional,dhcp,tcpflags,nosmurfs,sourceroute=0,arp_ignore=1,proxyarp=0,nosmurfs,rpfilter,physical=eth0
|
||||||
PROD_OPTIONS=optional,dhcp,tcpflags,logmartians,nosmurfs,sourceroute=0,arp_ignore=1,proxyarp=0,upnp,nosmurfs,physical=eth1
|
PROD_OPTIONS=optional,dhcp,tcpflags,nosmurfs,sourceroute=0,arp_ignore=1,proxyarp=0,nosmurfs,rpfilter,physical=eth1
|
||||||
DMZ_OPTIONS=routeback,proxyarp=1,required,wait=30,nets=70.90.191.120/29,dhcp,nodbl,physical=br0
|
DMZ_OPTIONS=routeback,proxyarp=1,required,wait=30,nets=70.90.191.120/29,nodbl,physical=br0
|
||||||
IRC_OPTIONS=routeback,proxyarp=1,required,wait=30,nets=172.20.2.0/24,dhcp,nodbl,physical=br1
|
IRC_OPTIONS=routeback,proxyarp=1,required,wait=30,nets=172.20.2.0/24,dhcp,nodbl,physical=br1
|
||||||
else
|
else
|
||||||
#
|
#
|
||||||
@ -553,18 +560,19 @@ else
|
|||||||
STATISTICAL=No # Don't use statistical load balancing
|
STATISTICAL=No # Don't use statistical load balancing
|
||||||
LISTS=[2001:470:b:227::42] # IP address of lists.shorewall.net (MX and HTTPS)
|
LISTS=[2001:470:b:227::42] # IP address of lists.shorewall.net (MX and HTTPS)
|
||||||
MAIL=[2001:470:b:227::45] # IP address of mail.shorewall.net (IMAPS and HTTPS)
|
MAIL=[2001:470:b:227::45] # IP address of mail.shorewall.net (IMAPS and HTTPS)
|
||||||
SERVER=[2001:470:b:227::43] # IP address of shorewall.org (HTTP, FTP and RSYNC)
|
SERVER=[2001:470:b:227::43] # IP address of www.shorewall.org (HTTP, FTP and RSYNC)
|
||||||
PROXY=3 # Use TPROXY for local web access
|
IRSSI=[2601:601:a000:16f1::]/64 # IP address of asus.shorewall.org (Bit Torrent)
|
||||||
|
PROXY=Yes # Use TPROXY for local web access
|
||||||
ALL=[::]/0 # Entire address space
|
ALL=[::]/0 # Entire address space
|
||||||
LOC_ADDR=[2601:601:a000:16f0::1] # IP address of the local LAN interface
|
LOC_ADDR=[2601:601:a000:16f0::1] # IP address of the local LAN interface
|
||||||
FAST_GATEWAY=fe80::22e5:2aff:feb7:f2cf # Default gateway through the IF_FAST interface
|
FAST_GATEWAY=2601:601:a000:1600:22e5:2aff:feb7:f2cf
|
||||||
FAST_MARK=0x100 # Multi-ISP mark setting for IF_FAST
|
FAST_MARK=0x100 # Multi-ISP mark setting for IF_FAST
|
||||||
IPSECMSS=1440
|
IPSECMSS=1440
|
||||||
#
|
#
|
||||||
# Interface Options
|
# Interface Options
|
||||||
#
|
#
|
||||||
PROD_OPTIONS=forward=1,optional,physical=sit1
|
PROD_OPTIONS=forward=1,optional,rpfilter,routeback,physical=sit1
|
||||||
FAST_OPTIONS=forward=1,optional,dhcp,upnp,physical=eth0
|
FAST_OPTIONS=forward=1,optional,dhcp,rpfilter,physical=eth0
|
||||||
LOC_OPTIONS=forward=1,nodbl,routeback,physical=eth2
|
LOC_OPTIONS=forward=1,nodbl,routeback,physical=eth2
|
||||||
DMZ_OPTIONS=routeback,forward=1,required,wait=30,nodbl,physical=br0
|
DMZ_OPTIONS=routeback,forward=1,required,wait=30,nodbl,physical=br0
|
||||||
IRC_OPTIONS=routeback,forward=1,required,wait=30,nodbl,physical=br1
|
IRC_OPTIONS=routeback,forward=1,required,wait=30,nodbl,physical=br1
|
||||||
@ -579,11 +587,9 @@ fi</programlisting>
|
|||||||
<programlisting>###############################################################################
|
<programlisting>###############################################################################
|
||||||
#ZONE TYPE OPTIONS IN OUT
|
#ZONE TYPE OPTIONS IN OUT
|
||||||
# OPTIONS OPTIONS
|
# OPTIONS OPTIONS
|
||||||
|
|
||||||
#
|
#
|
||||||
# By using the 'ip' type, both Shorewall and Shorewall6 can share this file
|
# By using the 'ip' type, both Shorewall and Shorewall6 can share this file
|
||||||
#
|
#
|
||||||
|
|
||||||
fw { TYPE=firewall }
|
fw { TYPE=firewall }
|
||||||
net { TYPE=ip }
|
net { TYPE=ip }
|
||||||
loc { TYPE=ip }
|
loc { TYPE=ip }
|
||||||
@ -599,7 +605,11 @@ vpn { TYPE=ipsec, OPTIONS=mode=tunnel,proto=esp,mss=$IPSECMSS }
|
|||||||
<para>/etc/shorewall/interfaces makes heavy use of variables set in
|
<para>/etc/shorewall/interfaces makes heavy use of variables set in
|
||||||
/etc/shorewall/params:</para>
|
/etc/shorewall/params:</para>
|
||||||
|
|
||||||
<programlisting>#
|
<programlisting>?FORMAT 2
|
||||||
|
###############################################################################
|
||||||
|
#ZONE INTERFACE OPTIONS
|
||||||
|
|
||||||
|
#
|
||||||
# The two address families use different production interfaces and different
|
# The two address families use different production interfaces and different
|
||||||
#
|
#
|
||||||
# LOC_IF is the local LAN for both families
|
# LOC_IF is the local LAN for both families
|
||||||
@ -614,8 +624,7 @@ loc { INTERFACE=LOC_IF, OPTIONS=$LOC_OPTIONS }
|
|||||||
net { INTERFACE=FAST_IF, OPTIONS=$FAST_OPTIONS }
|
net { INTERFACE=FAST_IF, OPTIONS=$FAST_OPTIONS }
|
||||||
net { INTERFACE=PROD_IF, OPTIONS=$PROD_OPTIONS }
|
net { INTERFACE=PROD_IF, OPTIONS=$PROD_OPTIONS }
|
||||||
dmz { INTERFACE=DMZ_IF, OPTIONS=$DMZ_OPTIONS }
|
dmz { INTERFACE=DMZ_IF, OPTIONS=$DMZ_OPTIONS }
|
||||||
apps { INTERFACE=IRC_IF, OPTIONS=$IRC_OPTIONS }
|
apps { INTERFACE=IRC_IF, OPTIONS=$IRC_OPTIONS }</programlisting>
|
||||||
</programlisting>
|
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section>
|
<section>
|
||||||
@ -623,11 +632,10 @@ apps { INTERFACE=IRC_IF, OPTIONS=$IRC_OPTIONS }
|
|||||||
|
|
||||||
<para>/etc/shorewall/hosts is used to define the vpn zone:</para>
|
<para>/etc/shorewall/hosts is used to define the vpn zone:</para>
|
||||||
|
|
||||||
<programlisting>#ZONE HOSTS OPTIONS
|
<programlisting>##ZONE HOSTS OPTIONS
|
||||||
vpn { HOSTS=PROD_IF:$ALL }
|
vpn { HOSTS=PROD_IF:$ALL }
|
||||||
vpn { HOSTS=FAST_IF:$ALL }
|
vpn { HOSTS=FAST_IF:$ALL }
|
||||||
vpn { HOSTS=LOC_IF:$ALL }
|
vpn { HOSTS=LOC_IF:$ALL }</programlisting>
|
||||||
</programlisting>
|
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section>
|
<section>
|
||||||
@ -638,20 +646,29 @@ vpn { HOSTS=LOC_IF:$ALL }
|
|||||||
<programlisting>#SOURCE DEST POLICY LOGLEVEL RATE
|
<programlisting>#SOURCE DEST POLICY LOGLEVEL RATE
|
||||||
|
|
||||||
$FW { DEST=dmz,net, POLICY=REJECT, LOGLEVEL=$LOG_LEVEL }
|
$FW { DEST=dmz,net, POLICY=REJECT, LOGLEVEL=$LOG_LEVEL }
|
||||||
$FW { DEST=all, POLICY=ACCEPT }
|
|
||||||
|
|
||||||
loc { DEST=net, POLICY=ACCEPT }
|
?if __IPV4
|
||||||
|
$FW { DEST=all, POLICY=ACCEPT:Broadcast(ACCEPT),Multicast(ACCEPT), LOGLEVEL=$LOG_LEVEL }
|
||||||
|
?else
|
||||||
|
$FW { DEST=all, POLICY=ACCEPT:AllowICMPs,Broadcast(ACCEPT),Multicast(ACCEPT) LOGLEVEL=$LOG_LEVEL }
|
||||||
|
?endif
|
||||||
|
|
||||||
|
loc,apps { DEST=net, POLICY=ACCEPT }
|
||||||
loc,vpn,apps { DEST=loc,vpn,apps POLICY=ACCEPT }
|
loc,vpn,apps { DEST=loc,vpn,apps POLICY=ACCEPT }
|
||||||
loc { DEST=fw, POLICY=REJECT, LOGLEVEL=$LOG_LEVEL }
|
loc { DEST=fw, POLICY=REJECT, LOGLEVEL=$LOG_LEVEL }
|
||||||
|
|
||||||
|
?if __IPV4
|
||||||
net { DEST=net, POLICY=NONE }
|
net { DEST=net, POLICY=NONE }
|
||||||
|
?else
|
||||||
|
net { DEST=net, POLICY=REJECT, LOGLEVEL=$LOG_LEVEL }
|
||||||
|
?endif
|
||||||
net { DEST=fw, POLICY=BLACKLIST:+Broadcast(DROP),Multicast(DROP),DropDNSrep:$LOG_LEVEL, LOGLEVEL=$LOG_LEVEL, RATE=8/sec:30 }
|
net { DEST=fw, POLICY=BLACKLIST:+Broadcast(DROP),Multicast(DROP),DropDNSrep:$LOG_LEVEL, LOGLEVEL=$LOG_LEVEL, RATE=8/sec:30 }
|
||||||
net { DEST=all, POLICY=BLACKLIST:+DropDNSrep:$LOG_LEVEL, LOGLEVEL=$LOG_LEVEL, RATE=8/sec:30 }
|
net { DEST=all, POLICY=BLACKLIST:+DropDNSrep:$LOG_LEVEL, LOGLEVEL=$LOG_LEVEL, RATE=8/sec:30 }
|
||||||
|
|
||||||
dmz { DEST=fw, POLICY=REJECT, LOGLEVEL=$LOG_LEVEL }
|
dmz { DEST=fw POLICY=REJECT, LOGLEVEL=$LOG_LEVEL }
|
||||||
|
dmz { DEST=dmz POLICY=REJECT, LOGLEVEL=$LOG_LEVEL }
|
||||||
|
|
||||||
all { DEST=all, POLICY=REJECT, LOGLEVEL=$LOG_LEVEL }
|
all { DEST=all, POLICY=REJECT, LOGLEVEL=$LOG_LEVEL }</programlisting>
|
||||||
</programlisting>
|
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section>
|
<section>
|
||||||
@ -676,7 +693,9 @@ all { DEST=all, POLICY=REJECT, LOGLEVEL=$LOG_LEVEL }
|
|||||||
</listitem>
|
</listitem>
|
||||||
</orderedlist>
|
</orderedlist>
|
||||||
|
|
||||||
<programlisting>#
|
<programlisting>#NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY
|
||||||
|
|
||||||
|
#
|
||||||
# This could be cleaned up a bit, but I'm leaving it as is for now
|
# This could be cleaned up a bit, but I'm leaving it as is for now
|
||||||
#
|
#
|
||||||
# - The two address families use different fw mark geometry
|
# - The two address families use different fw mark geometry
|
||||||
@ -687,7 +706,9 @@ all { DEST=all, POLICY=REJECT, LOGLEVEL=$LOG_LEVEL }
|
|||||||
?if $FALLBACK
|
?if $FALLBACK
|
||||||
# FAST_IF is primary, PROD_IF is fallback
|
# FAST_IF is primary, PROD_IF is fallback
|
||||||
#
|
#
|
||||||
|
?if $VERBOSITY > 0
|
||||||
?info Compiling with FALLBACK
|
?info Compiling with FALLBACK
|
||||||
|
?endif
|
||||||
IPv6Beta { NUMBER=1, MARK=$FAST_MARK, INTERFACE=FAST_IF, GATEWAY=$FAST_GATEWAY, OPTIONS=loose,primary,persistent,noautosrc }
|
IPv6Beta { NUMBER=1, MARK=$FAST_MARK, INTERFACE=FAST_IF, GATEWAY=$FAST_GATEWAY, OPTIONS=loose,primary,persistent,noautosrc }
|
||||||
?if __IPV4
|
?if __IPV4
|
||||||
ComcastB { NUMBER=4, MARK=0x10000, INTERFACE=PROD_IF, GATEWAY=10.1.10.1, OPTIONS=loose,fallback,persistent }
|
ComcastB { NUMBER=4, MARK=0x10000, INTERFACE=PROD_IF, GATEWAY=10.1.10.1, OPTIONS=loose,fallback,persistent }
|
||||||
@ -696,25 +717,29 @@ all { DEST=all, POLICY=REJECT, LOGLEVEL=$LOG_LEVEL }
|
|||||||
?endif
|
?endif
|
||||||
?elsif $STATISTICAL
|
?elsif $STATISTICAL
|
||||||
# Statistically balance traffic between FAST_IF and PROD_IF
|
# Statistically balance traffic between FAST_IF and PROD_IF
|
||||||
|
?if $VERBOSITY > 0
|
||||||
?info Compiling with STATISTICAL
|
?info Compiling with STATISTICAL
|
||||||
|
?endif
|
||||||
?if __IPV4
|
?if __IPV4
|
||||||
IPv6Beta { NUMBER=1, MARK=0x20000, INTERFACE=FAST_IF, GATEWAY=$FAST_GATEWAY, OPTIONS=loose,load=0.66666667,primary }
|
IPv6Beta { NUMBER=1, MARK=0x20000, INTERFACE=FAST_IF, GATEWAY=$FAST_GATEWAY, OPTIONS=loose,load=0.66666667,primary,persistent }
|
||||||
|
ComcastB { NUMBER=4, MARK=0x10000, INTERFACE=PROD_IF, GATEWAY=10.1.10.1, OPTIONS=loose,load=0.33333333,fallback,persistent }
|
||||||
?else
|
?else
|
||||||
HE { NUMBER=2, MARK=0x200, INTERFACE=PROD_IF, OPTIONS=track,load=0.33333333,persistent }
|
HE { NUMBER=2, MARK=0x200, INTERFACE=PROD_IF, OPTIONS=track,load=0.33333333,persistent }
|
||||||
?endif
|
?endif
|
||||||
?else
|
?else
|
||||||
?INFO Compiling with BALANCE
|
?if $VERBOSITY > 0
|
||||||
IPv6Beta { NUMBER=1, MARK=0x100, INTERFACE=eth0, GATEWAY=$FAST_GATEWAY, OPTIONS=track,balance=2,loose,persistent }
|
?info Compiling with BALANCE
|
||||||
|
?endif
|
||||||
|
IPv6Beta { NUMBER=1, MARK=$FAST_MARK, INTERFACE=FAST_IF, GATEWAY=$FAST_GATEWAY, OPTIONS=track,balance=2,loose,persistent }
|
||||||
?if __IPV4
|
?if __IPV4
|
||||||
ComcastB { NUMBER=4, MARK=0x10000, INTERFACE=IPV4_IF, GATEWAY=10.1.10.1, OPTIONS=nohostroute,loose,balance,persistent }
|
ComcastB { NUMBER=4, MARK=0x10000, INTERFACE=PROD_IF, GATEWAY=10.1.10.1, OPTIONS=nohostroute,loose,balance,persistent }
|
||||||
?else
|
?else
|
||||||
?warning No BALANCE IPv6 configuration
|
?warning No BALANCE IPv6 configuration
|
||||||
HE { NUMBER=2, MARK=0x200, INTERFACE=PROD_IF, OPTIONS=fallback,persistent }
|
HE { NUMBER=2, MARK=0x200, INTERFACE=PROD_IF, OPTIONS=fallback,persistent }
|
||||||
?endif
|
?endif
|
||||||
?endif
|
?endif
|
||||||
|
|
||||||
Tproxy { NUMBER=3, INTERFACE=lo, OPTIONS=tproxy }
|
Tproxy { NUMBER=3, INTERFACE=lo, OPTIONS=tproxy }</programlisting>
|
||||||
</programlisting>
|
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section>
|
<section>
|
||||||
@ -754,7 +779,7 @@ Tproxy { NUMBER=3, INTERFACE=lo, OPTIONS=tproxy }
|
|||||||
# not effective in routing the 'ping' request packets out of FAST_IF.
|
# not effective in routing the 'ping' request packets out of FAST_IF.
|
||||||
# The following route solves that problem.
|
# The following route solves that problem.
|
||||||
#
|
#
|
||||||
{ PROVIDER=main, DEST=2001:558:4082:d3::1/128, GATEWAY=fe80::22e5:2aff:feb7:f2cf, DEVICE=FAST_IF, OPTIONS=persistent }
|
{ PROVIDER=main, DEST=2001:558:4082:d3::1/128, GATEWAY=$FAST_GATEWAY, DEVICE=FAST_IF, OPTIONS=persistent }
|
||||||
?endif</programlisting>
|
?endif</programlisting>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
@ -822,12 +847,13 @@ CT:helper:ftp:O { PROTO=tcp, DPORT=21 }
|
|||||||
<para>/etc/shorewall/rules has only a couple of rules that are
|
<para>/etc/shorewall/rules has only a couple of rules that are
|
||||||
conditional based on address family:</para>
|
conditional based on address family:</para>
|
||||||
|
|
||||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER MARK CONNLIMIT TIME HEADERS SWITCH HELPER
|
<programlisting>##############################################################################################################################################################
|
||||||
|
#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER MARK CONNLIMIT TIME HEADERS SWITCH HELPER
|
||||||
|
|
||||||
?SECTION ALL
|
?SECTION ALL
|
||||||
|
|
||||||
Ping(ACCEPT) { SOURCE=net, DEST=all, RATE=d:ping:2/sec:10 }
|
Ping(ACCEPT) { SOURCE=net, DEST=all, RATE=d:ping(1024,65536):2/sec:10 }
|
||||||
Trcrt(ACCEPT) { SOURCE=net, DEST=all, RATE=d:ping:2/sec:10 }
|
Trcrt(ACCEPT) { SOURCE=net, DEST=all, RATE=d:ping(1024,65536):2/sec:10 }
|
||||||
|
|
||||||
?SECTION ESTABLISHED
|
?SECTION ESTABLISHED
|
||||||
|
|
||||||
@ -845,8 +871,8 @@ ACCEPT { SOURCE=dmz, DEST=dmz }
|
|||||||
?SECTION INVALID
|
?SECTION INVALID
|
||||||
|
|
||||||
RST(ACCEPT) { SOURCE=all, DEST=all }
|
RST(ACCEPT) { SOURCE=all, DEST=all }
|
||||||
|
FIN(ACCEPT) { SOURCE=all, DEST=all }
|
||||||
DROP { SOURCE=net, DEST=all }
|
DROP { SOURCE=net, DEST=all }
|
||||||
FIN { SOURCE=all, DEST=all }
|
|
||||||
|
|
||||||
?SECTION UNTRACKED
|
?SECTION UNTRACKED
|
||||||
|
|
||||||
@ -863,17 +889,26 @@ CONTINUE { SOURCE=$FW, DEST=all }
|
|||||||
# Stop certain outgoing traffic to the net
|
# Stop certain outgoing traffic to the net
|
||||||
#
|
#
|
||||||
REJECT:$LOG_LEVEL { SOURCE=loc,vpn,apps DEST=net, PROTO=tcp, DPORT=25 } #Stop direct loc->net SMTP (Comcast uses submission).
|
REJECT:$LOG_LEVEL { SOURCE=loc,vpn,apps DEST=net, PROTO=tcp, DPORT=25 } #Stop direct loc->net SMTP (Comcast uses submission).
|
||||||
REJECT:$LOG_LEVEL { SOURCE=loc,vpn,apps DEST=net, PROTO=udp, DPORT=1025:1031 } #MS Messaging
|
#REJECT:$LOG_LEVEL { SOURCE=loc,vpn,apps DEST=net, PROTO=udp, DPORT=1025:1031 } #MS Messaging
|
||||||
|
|
||||||
REJECT { SOURCE=all, DEST=net, PROTO=tcp, DPORT=137,445, comment="Stop NETBIOS Crap" }
|
REJECT { SOURCE=all!dmz,apps, DEST=net, PROTO=tcp, DPORT=137,445, comment="Stop NETBIOS Crap" }
|
||||||
REJECT { SOURCE=all, DEST=net, PROTO=udp, DPORT=137:139, comment="Stop NETBIOS Crap" }
|
REJECT { SOURCE=all!dmz,apps, DEST=net, PROTO=udp, DPORT=137:139, comment="Stop NETBIOS Crap" }
|
||||||
|
|
||||||
REJECT { SOURCE=all, DEST=net, PROTO=tcp, DPORT=3333, comment="Disallow port 3333" }
|
REJECT { SOURCE=all, DEST=net, PROTO=tcp, DPORT=3333, comment="Disallow port 3333" }
|
||||||
|
|
||||||
REJECT { SOURCE=all, DEST=net, PROTO=udp, DPORT=3544, comment="Stop Teredo" }
|
REJECT { SOURCE=all, DEST=net, PROTO=udp, DPORT=3544, comment="Stop Teredo" }
|
||||||
|
|
||||||
|
?if __IPV6
|
||||||
|
DROP { SOURCE=net:PROD_IF, DEST=net:PROD_IF }
|
||||||
|
?endif
|
||||||
|
|
||||||
?COMMENT
|
?COMMENT
|
||||||
|
|
||||||
|
######################################################################################################
|
||||||
|
# SACK
|
||||||
|
#
|
||||||
|
DROP:$LOG_LEVEL { SOURCE=net, DEST=all } ;;+ -p tcp -m tcpmss --mss 1:535
|
||||||
|
|
||||||
######################################################################################################
|
######################################################################################################
|
||||||
# 6in4
|
# 6in4
|
||||||
#
|
#
|
||||||
@ -884,7 +919,8 @@ REJECT { SOURCE=all, DEST=net, PROTO=udp, DPORT=3544, comment="Stop Teredo" }
|
|||||||
######################################################################################################
|
######################################################################################################
|
||||||
# Ping
|
# Ping
|
||||||
#
|
#
|
||||||
Ping(ACCEPT) { SOURCE=$FW,loc,dmz,vpn, DEST=$FW,loc,dmz,vpn }
|
Ping(ACCEPT) { SOURCE=$FW,loc,dmz,vpn,apps, DEST=$FW,loc,dmz,vpn,apps }
|
||||||
|
Ping(ACCEPT) { SOURCE=dmz, DEST=dmz }
|
||||||
Ping(ACCEPT) { SOURCE=all, DEST=net }
|
Ping(ACCEPT) { SOURCE=all, DEST=net }
|
||||||
######################################################################################################
|
######################################################################################################
|
||||||
# SSH
|
# SSH
|
||||||
@ -900,6 +936,11 @@ SSH(DNAT-) { SOURCE=net, DEST=172.20.2.44, PROTO=tcp, DPORT=ssh,
|
|||||||
#
|
#
|
||||||
DNS(ACCEPT) { SOURCE=loc,dmz,vpn,apps, DEST=$FW }
|
DNS(ACCEPT) { SOURCE=loc,dmz,vpn,apps, DEST=$FW }
|
||||||
DNS(ACCEPT) { SOURCE=$FW, DEST=net }
|
DNS(ACCEPT) { SOURCE=$FW, DEST=net }
|
||||||
|
?if $TEST
|
||||||
|
DNS(REDIRECT) loc 53 - 53 - !&LOC_IF
|
||||||
|
DNS(REDIRECT) fw 53 - 53 - !::1
|
||||||
|
?endif
|
||||||
|
DropDNSrep { SOURCE=net, DEST=all }
|
||||||
######################################################################################################
|
######################################################################################################
|
||||||
# Traceroute
|
# Traceroute
|
||||||
#
|
#
|
||||||
@ -910,6 +951,7 @@ Trcrt(ACCEPT) { SOURCE=net, DEST=$FW,dmz }
|
|||||||
#
|
#
|
||||||
SMTP(ACCEPT) { SOURCE=net,$FW, DEST=dmz:$LISTS }
|
SMTP(ACCEPT) { SOURCE=net,$FW, DEST=dmz:$LISTS }
|
||||||
SMTP(ACCEPT) { SOURCE=dmz:$LISTS, DEST=net:PROD_IF }
|
SMTP(ACCEPT) { SOURCE=dmz:$LISTS, DEST=net:PROD_IF }
|
||||||
|
SMTP(ACCEPT) { SOURCE=dmz, DEST=dmz:$LISTS }
|
||||||
SMTP(REJECT) { SOURCE=dmz:$LISTS, DEST=net }
|
SMTP(REJECT) { SOURCE=dmz:$LISTS, DEST=net }
|
||||||
IMAPS(ACCEPT) { SOURCE=all, DEST=dmz:$MAIL }
|
IMAPS(ACCEPT) { SOURCE=all, DEST=dmz:$MAIL }
|
||||||
Submission(ACCEPT) { SOURCE=all, DEST=dmz:$LISTS }
|
Submission(ACCEPT) { SOURCE=all, DEST=dmz:$LISTS }
|
||||||
@ -919,7 +961,6 @@ IMAP(ACCEPT) { SOURCE=loc,vpn, DEST=net }
|
|||||||
# NTP
|
# NTP
|
||||||
#
|
#
|
||||||
NTP(ACCEPT) { SOURCE=all, DEST=net }
|
NTP(ACCEPT) { SOURCE=all, DEST=net }
|
||||||
NTP(ACCEPT) { SOURCE=loc,vpn,dmz,apps DEST=$FW }
|
|
||||||
######################################################################################################
|
######################################################################################################
|
||||||
# Squid
|
# Squid
|
||||||
ACCEPT { SOURCE=loc,vpn, DEST=$FW, PROTO=tcp, DPORT=3128 }
|
ACCEPT { SOURCE=loc,vpn, DEST=$FW, PROTO=tcp, DPORT=3128 }
|
||||||
@ -929,8 +970,8 @@ ACCEPT { SOURCE=loc,vpn, DEST=$FW, PROTO=tcp, DPORT=3128 }
|
|||||||
Web(ACCEPT) { SOURCE=loc,vpn DEST=$FW }
|
Web(ACCEPT) { SOURCE=loc,vpn DEST=$FW }
|
||||||
Web(ACCEPT) { SOURCE=$FW, DEST=net, USER=proxy }
|
Web(ACCEPT) { SOURCE=$FW, DEST=net, USER=proxy }
|
||||||
Web(DROP) { SOURCE=net, DEST=fw, PROTO=tcp, comment="Do not blacklist web crawlers" }
|
Web(DROP) { SOURCE=net, DEST=fw, PROTO=tcp, comment="Do not blacklist web crawlers" }
|
||||||
HTTP(ACCEPT) { SOURCE=net,loc,vpn,apps,$FW DEST=dmz:$SERVER,$LISTS,$MAIL }
|
HTTP(ACCEPT) { SOURCE=net,loc,vpn,$FW DEST=dmz:$SERVER,$LISTS,$MAIL }
|
||||||
HTTPS(ACCEPT) { SOURCE=net,loc,vpn,apps,$FW DEST=dmz:$LISTS,$MAIL }
|
HTTPS(ACCEPT) { SOURCE=net,loc,vpn,$FW DEST=dmz:$SERVER,$LISTS,$MAIL }
|
||||||
Web(ACCEPT) { SOURCE=dmz,apps DEST=net,$FW }
|
Web(ACCEPT) { SOURCE=dmz,apps DEST=net,$FW }
|
||||||
Web(ACCEPT) { SOURCE=$FW, DEST=net, USER=root }
|
Web(ACCEPT) { SOURCE=$FW, DEST=net, USER=root }
|
||||||
Web(ACCEPT) { SOURCE=$FW, DEST=net, USER=teastep }
|
Web(ACCEPT) { SOURCE=$FW, DEST=net, USER=teastep }
|
||||||
@ -952,6 +993,10 @@ FTP(ACCEPT) { SOURCE=all, DEST=dmz:$SERVER }
|
|||||||
#
|
#
|
||||||
ACCEPT:$LOG_LEVEL { SOURCE=dmz, DEST=net, PROTO=tcp, DPORT=1024:, SPORT=20 }
|
ACCEPT:$LOG_LEVEL { SOURCE=dmz, DEST=net, PROTO=tcp, DPORT=1024:, SPORT=20 }
|
||||||
######################################################################################################
|
######################################################################################################
|
||||||
|
# Git
|
||||||
|
#
|
||||||
|
Git(ACCEPT) { source=all, DEST=dmz:$SERVER }
|
||||||
|
######################################################################################################
|
||||||
# whois
|
# whois
|
||||||
#
|
#
|
||||||
Whois(ACCEPT) { SOURCE=all, DEST=net }
|
Whois(ACCEPT) { SOURCE=all, DEST=net }
|
||||||
@ -963,12 +1008,45 @@ SMBBI(ACCEPT) { SOURCE=vpn, DEST=$FW }
|
|||||||
######################################################################################################
|
######################################################################################################
|
||||||
# IRC
|
# IRC
|
||||||
#
|
#
|
||||||
IRC(ACCEPT) { SOURCE=loc,apps, DEST=net }
|
SetEvent(IRC) { SOURCE=loc,apps, DEST=net, PROTO=tcp, DPORT=6667 }
|
||||||
|
IfEvent(IRC,ACCEPT,10,1,dst,reset) { SOURCE=net, DEST=loc,apps, PROTO=tcp, DPORT=113 }
|
||||||
|
######################################################################################################
|
||||||
|
# AUTH
|
||||||
|
Auth(REJECT) { SOURCE=net, DEST=all }
|
||||||
######################################################################################################
|
######################################################################################################
|
||||||
# Rsync
|
# Rsync
|
||||||
#
|
#
|
||||||
Mirrors(ACCEPT:none) { SOURCE=net, DEST=dmz:$SERVER, PROTO=tcp, DPORT=873 }
|
Mirrors(ACCEPT:none) { SOURCE=net, DEST=dmz:$SERVER, PROTO=tcp, DPORT=873 }
|
||||||
</programlisting>
|
######################################################################################################
|
||||||
|
# IPSEC
|
||||||
|
#
|
||||||
|
?if __IPV4
|
||||||
|
DNAT { SOURCE=loc,net, DEST=apps:172.20.2.44, PROTO=udp, DPORT=500,4500, ORIGDEST=70.90.191.123 }
|
||||||
|
?else
|
||||||
|
ACCEPT { SOURCE=loc,net, DEST=apps, PROTO=udp, DPORT=500,4500 }
|
||||||
|
ACCEPT { SOURCE=loc,net, DEST=apps, PROTO=esp }
|
||||||
|
?endif
|
||||||
|
ACCEPT { SOURCE=$FW, DEST=net, PROTO=udp, SPORT=4500 }
|
||||||
|
######################################################################################################
|
||||||
|
# Bit Torrent
|
||||||
|
?if __IPV4
|
||||||
|
DNAT { SOURCE=net, DEST=apps:$IRSSIINT, PROTO=udp,tcp, DPORT=59410, ORIGDEST=$IRSSIEXT }
|
||||||
|
?else
|
||||||
|
ACCEPT { SOURCE=net, DEST=apps:$IRSSI, PROTO=udp,tcp, DPORT=59410 }
|
||||||
|
?endif
|
||||||
|
REJECT { SOURCE=net, DEST=all, PROTO=udp,tcp, DPORT=51413,59410 }
|
||||||
|
######################################################################################################
|
||||||
|
# VNC
|
||||||
|
ACCEPT { SOURCE=loc, DEST=$FW, PROTO=tcp, DPORT=5900 }
|
||||||
|
######################################################################################################
|
||||||
|
# FIN & RST
|
||||||
|
RST(ACCEPT) { SOURCE=all, DEST=all }
|
||||||
|
FIN(ACCEPT) { SOURCE=all, DEST=all }
|
||||||
|
######################################################################################################
|
||||||
|
# Multicast
|
||||||
|
?if __IPV4
|
||||||
|
Multicast(ACCEPT) { SOURCE=all, DEST=$FW }
|
||||||
|
?endif</programlisting>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section>
|
<section>
|
||||||
@ -979,6 +1057,10 @@ Mirrors(ACCEPT:none) { SOURCE=net, DEST=dmz:$SERVER, PROTO=tcp, DPORT=873 }
|
|||||||
|
|
||||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST LENGTH TOS CONNBYTES HELPER PROBABILITY DSCP
|
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST LENGTH TOS CONNBYTES HELPER PROBABILITY DSCP
|
||||||
|
|
||||||
|
?if $VERSION >= 50109
|
||||||
|
TCPMSS(pmtu,none) { PROTO=tcp }
|
||||||
|
?endif
|
||||||
|
|
||||||
?if __IPV4
|
?if __IPV4
|
||||||
#
|
#
|
||||||
# I've had a checksum issue with certain IPv4 UDP packets
|
# I've had a checksum issue with certain IPv4 UDP packets
|
||||||
@ -989,13 +1071,12 @@ Mirrors(ACCEPT:none) { SOURCE=net, DEST=dmz:$SERVER, PROTO=tcp, DPORT=873 }
|
|||||||
|
|
||||||
?if $PROXY
|
?if $PROXY
|
||||||
#
|
#
|
||||||
# Use TPROXY for web access from the local LAN
|
# Use TPROXY for IPv4 web access from the local LAN
|
||||||
#
|
#
|
||||||
DIVERT:R { PROTO=tcp, SPORT=80 }
|
DIVERT:R { PROTO=tcp, SPORT=80 }
|
||||||
DIVERT:R { PROTO=tcp, DPORT=80 }
|
DIVERT:R { PROTO=tcp, DPORT=80 }
|
||||||
TPROXY(3129,$LOC_ADDR) { SOURCE=LOC_IF, PROTO=tcp, DPORT=80 }
|
TPROXY(3129,$LOC_ADDR) { SOURCE=LOC_IF, PROTO=tcp, DPORT=80 }
|
||||||
?endif
|
?endif</programlisting>
|
||||||
</programlisting>
|
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section>
|
<section>
|
||||||
@ -1003,19 +1084,19 @@ Mirrors(ACCEPT:none) { SOURCE=net, DEST=dmz:$SERVER, PROTO=tcp, DPORT=873 }
|
|||||||
|
|
||||||
<para>NAT entries are quite dependent on the address family:</para>
|
<para>NAT entries are quite dependent on the address family:</para>
|
||||||
|
|
||||||
<programlisting>#ACTION SOURCE DEST PROTO PORT IPSEC MARK USER SWITCH ORIGDEST PROBABILITY
|
<programlisting>###################################################################################################################
|
||||||
|
#ACTION SOURCE DEST PROTO PORT IPSEC MARK USER SWITCH ORIGDEST PROBABILITY
|
||||||
|
|
||||||
?if __IPV4
|
?if __IPV4
|
||||||
MASQUERADE { SOURCE=172.20.1.0/24,172.20.2.0/23, DEST=FAST_IF }
|
MASQUERADE { SOURCE=172.20.1.0/24,172.20.2.0/23, DEST=FAST_IF }
|
||||||
MASQUERADE { SOURCE=70.90.191.120/29, DEST=FAST_IF }
|
MASQUERADE { SOURCE=70.90.191.120/29, DEST=FAST_IF }
|
||||||
SNAT(70.90.191.121) { SOURCE=!70.90.191.120/29, DEST=PROD_IF, PROBABILITY=0.50, COMMENT="Masquerade Local Network" }
|
SNAT(70.90.191.121) { SOURCE=!70.90.191.120/29, DEST=PROD_IF, PROBABILITY=0.50, COMMENT="Masquerade Local Network" }
|
||||||
SNAT(70.90.191.123) { SOURCE=!70.90.191.120/29, DEST=PROD_IF, COMMENT="Masquerade Local Network" }
|
SNAT(70.90.191.123) { SOURCE=!70.90.191.120/29, DEST=PROD_IF, COMMENT="Masquerade Local Network" }
|
||||||
SNAT(172.20.1.253) { SOURCE=172.20.3.0/24, DEST=LOC_IF:172.20.1.100 }
|
SNAT(172.20.1.253) { SOURCE=!172.20.1.0/24, DEST=LOC_IF:172.20.1.100 }
|
||||||
?else
|
?else
|
||||||
SNAT(&PROD_IF) { SOURCE=2601:601:8b00:bf0::/60, DEST=PROD_IF }
|
SNAT(&PROD_IF) { SOURCE=2601:601:a000:16f0::/60, DEST=PROD_IF }
|
||||||
SNAT(&FAST_IF) { SOURCE=2001:470:b:227::/64,2001:470:a:227::2, DEST=FAST_IF }
|
SNAT(&FAST_IF) { SOURCE=2001:470:b:227::/64,2001:470:a:227::2, DEST=FAST_IF }
|
||||||
?endif
|
?endif</programlisting>
|
||||||
</programlisting>
|
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section>
|
<section>
|
||||||
@ -1032,8 +1113,6 @@ ipsecnat {ZONE=loc, GATEWAY=$ALL, GATEWAY_ZONE=vpn }
|
|||||||
<section>
|
<section>
|
||||||
<title>proxyarp</title>
|
<title>proxyarp</title>
|
||||||
|
|
||||||
<para>This file is only used in the IPv4 configuration:</para>
|
|
||||||
|
|
||||||
<programlisting>#ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT
|
<programlisting>#ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT
|
||||||
|
|
||||||
70.90.191.122 { INTERFACE=br0, EXTERNAL=eth1, HAVEROUTE=yes, PERSISTENT=no }
|
70.90.191.122 { INTERFACE=br0, EXTERNAL=eth1, HAVEROUTE=yes, PERSISTENT=no }
|
||||||
@ -1068,5 +1147,14 @@ return $status
|
|||||||
fi
|
fi
|
||||||
</programlisting>
|
</programlisting>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
|
<section>
|
||||||
|
<title>stoppedrules</title>
|
||||||
|
|
||||||
|
<para>/etc/shorewall/stoppedrules allow SSH connections into the
|
||||||
|
firewall system when Shorewall[6] is in the stopped state.</para>
|
||||||
|
|
||||||
|
<programlisting/>
|
||||||
|
</section>
|
||||||
</section>
|
</section>
|
||||||
</article>
|
</article>
|
||||||
|
Binary file not shown.
Binary file not shown.
Before Width: | Height: | Size: 61 KiB |
BIN
docs/images/Network2020.dia
Normal file
BIN
docs/images/Network2020.dia
Normal file
Binary file not shown.
BIN
docs/images/Network2020.png
Normal file
BIN
docs/images/Network2020.png
Normal file
Binary file not shown.
After Width: | Height: | Size: 73 KiB |
Loading…
Reference in New Issue
Block a user