forked from extern/shorewall_code
Modify the Setup Guide for 5.0
Signed-off-by: Tom Eastep <teastep@shorewall.net>
parent
c3d005526c
commit
ccb5f6b052
@ -106,19 +106,13 @@
|
|||||||
<para><emphasis role="bold">Note to Debian Users</emphasis></para>
|
<para><emphasis role="bold">Note to Debian Users</emphasis></para>
|
||||||
|
|
||||||
<para>If you install using the .deb, you will find that your <filename
|
<para>If you install using the .deb, you will find that your <filename
|
||||||
class="directory">/etc/shorewall</filename> directory is empty. This
|
class="directory">/etc/shorewall</filename> directory is almost empty.
|
||||||
is intentional. The released configuration file skeletons may be found
|
This is intentional. The released configuration file skeletons may be
|
||||||
on your system in the directory <filename
|
found on your system in the directory <filename
|
||||||
class="directory">/usr/share/doc/shorewall-common/default-config</filename>.
|
class="directory">/usr/share/doc/shorewall/default-config</filename>.
|
||||||
Simply copy the files you need from that directory to <filename
|
Simply copy the files you need from that directory to <filename
|
||||||
class="directory">/etc/shorewall</filename> and modify the
|
class="directory">/etc/shorewall</filename> and modify the
|
||||||
copies.</para>
|
copies.</para>
|
||||||
|
|
||||||
<para>Note that you must copy <filename
|
|
||||||
class="directory">/usr/share/doc/shorewall-common/default-config/shorewall.conf</filename>
|
|
||||||
and /usr/share/doc/shorewall-common/default-config/modules to
|
|
||||||
<filename class="directory">/etc/shorewall</filename> even if you do
|
|
||||||
not modify those files.</para>
|
|
||||||
</warning></para>
|
</warning></para>
|
||||||
|
|
||||||
<para>As each file is introduced, I suggest that you look through the
|
<para>As each file is introduced, I suggest that you look through the
|
||||||
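Review bot: the Debian note now says /etc/shorewall is "almost empty", but the paragraph being removed (`Note that you must copy ... shorewall.conf ... and .../modules`) was the only text that told readers which files have to be present there, so the revised note should name the files the .deb does install into /etc/shorewall (placeholder: the installed configuration files) and say that only the remaining skeletons need copying from /usr/share/doc/shorewall/default-config. Without that, a reader may overwrite the packaged copies with the skeletons, which is exactly the situation the old paragraph guarded against.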
@ -269,8 +263,7 @@ dmz ipv4</programlisting>
|
|||||||
<filename>/etc/shorewall/policy</filename> file had the following
|
<filename>/etc/shorewall/policy</filename> file had the following
|
||||||
policies:</para>
|
policies:</para>
|
||||||
|
|
||||||
<programlisting>#SOURCE ZONE DESTINATION ZONE POLICY LOG LIMIT:BURST
|
<programlisting>#SOURCE DEST POLICY LOGLEVEL LIMIT
|
||||||
# LEVEL
|
|
||||||
loc net ACCEPT
|
loc net ACCEPT
|
||||||
net all DROP info
|
net all DROP info
|
||||||
all all REJECT info</programlisting>
|
all all REJECT info</programlisting>
|
||||||
@ -416,10 +409,11 @@ all all REJECT info</programlisting>
|
|||||||
url="manpages/shorewall-interfaces.html">/etc/shorewall/interfaces
|
url="manpages/shorewall-interfaces.html">/etc/shorewall/interfaces
|
||||||
</ulink>file, that file would might contain:</para>
|
</ulink>file, that file would might contain:</para>
|
||||||
|
|
||||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
<programlisting>?FORMAT 2
|
||||||
net eth0 detect
|
#ZONE INTERFACE OPTIONS
|
||||||
loc eth1 detect
|
net eth0
|
||||||
dmz eth2 detect</programlisting>
|
loc eth1
|
||||||
|
dmz eth2</programlisting>
|
||||||
|
|
||||||
<para>Note that the <emphasis role="bold">$FW</emphasis> zone has no entry
|
<para>Note that the <emphasis role="bold">$FW</emphasis> zone has no entry
|
||||||
in the /etc/shorewall/interfaces file.</para>
|
in the /etc/shorewall/interfaces file.</para>
|
||||||
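Review bot: the unchanged context line `</ulink>file, that file would might contain:</para>` still has the doubled modal "would might"; since this paragraph and its listing are being reworked for 5.0 anyway, change it to "that file might contain:". The header change to `#ZONE INTERFACE OPTIONS` does match the `?FORMAT 2` rows, which no longer carry the BROADCAST column.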
@ -435,10 +429,11 @@ dmz eth2 detect</programlisting>
|
|||||||
<example id="multi">
|
<example id="multi">
|
||||||
<title>Multiple Interfaces to a Zone</title>
|
<title>Multiple Interfaces to a Zone</title>
|
||||||
|
|
||||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
<programlisting>?FORMAT 2
|
||||||
net eth0 detect
|
#ZONE INTERFACE BROADCAST OPTIONS
|
||||||
loc eth1 detect
|
net eth0
|
||||||
loc eth2 detect</programlisting>
|
loc eth1
|
||||||
|
loc eth2</programlisting>
|
||||||
</example>
|
</example>
|
||||||
|
|
||||||
<para><inlinegraphic fileref="images/BD21298_.gif"/></para>
|
<para><inlinegraphic fileref="images/BD21298_.gif"/></para>
|
||||||
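Review bot: in the Multiple Interfaces example the header line is left as `#ZONE INTERFACE BROADCAST OPTIONS` even though `?FORMAT 2` is added and the BROADCAST column (`detect`) is dropped from every row; change it to `#ZONE INTERFACE OPTIONS` as was done for the interfaces listing in the previous hunk, otherwise the header no longer lines up with the data and misstates the column layout.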
@ -1409,8 +1404,7 @@ eth0 192.168.201.0/29 192.0.2.176</programlisting>
|
|||||||
<filename><ulink
|
<filename><ulink
|
||||||
url="manpages/shorewall-rules.html">/etc/shorewall/rules</ulink></filename>:</para>
|
url="manpages/shorewall-rules.html">/etc/shorewall/rules</ulink></filename>:</para>
|
||||||
|
|
||||||
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
|
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
|
||||||
# PORT(S) PORT(S) DEST
|
|
||||||
DNAT net loc:192.168.201.4 tcp www</programlisting>
|
DNAT net loc:192.168.201.4 tcp www</programlisting>
|
||||||
|
|
||||||
<para>If one of your daughter's friends at address <emphasis
|
<para>If one of your daughter's friends at address <emphasis
|
||||||
@ -1489,7 +1483,7 @@ DNAT net loc:192.168.201.4 tcp www</programlisting>
|
|||||||
url="ProxyARP.htm"><filename>/etc/shorewall/proxyarp</filename></ulink>
|
url="ProxyARP.htm"><filename>/etc/shorewall/proxyarp</filename></ulink>
|
||||||
file.</para>
|
file.</para>
|
||||||
|
|
||||||
<programlisting>#ADDRESS INTERFACE EXTERNAL HAVE ROUTE PERSISTENT
|
<programlisting>#ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT
|
||||||
192.0.2.177 eth2 eth0 No
|
192.0.2.177 eth2 eth0 No
|
||||||
192.0.2.178 eth2 eth0 No</programlisting>
|
192.0.2.178 eth2 eth0 No</programlisting>
|
||||||
|
|
||||||
@ -1608,7 +1602,7 @@ eth0 192.168.201.0/29 192.0.2.176</programlisting>
|
|||||||
You would do that by adding an entry in <filename><ulink
|
You would do that by adding an entry in <filename><ulink
|
||||||
url="NAT.htm">/etc/shorewall/nat</ulink></filename>.</para>
|
url="NAT.htm">/etc/shorewall/nat</ulink></filename>.</para>
|
||||||
|
|
||||||
<programlisting>#EXTERNAL INTERFACE INTERNAL ALL INTERFACES LOCAL
|
<programlisting>#EXTERNAL INTERFACE INTERNAL ALLINTS LOCAL
|
||||||
192.0.2.179 eth0 192.168.201.4 No No</programlisting>
|
192.0.2.179 eth0 192.168.201.4 No No</programlisting>
|
||||||
|
|
||||||
<para>With this entry in place, you daughter has her own IP address
|
<para>With this entry in place, you daughter has her own IP address
|
||||||
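Review bot: the context line `<para>With this entry in place, you daughter has her own IP address` has the typo "you daughter" (should be "your daughter"), and the same slip appears in the next hunk's context (`to use a DNAT rule for you daughter's web server`); both are worth fixing in this pass while the listings beside them are being updated.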
@ -1622,8 +1616,7 @@ eth0 192.168.201.0/29 192.0.2.176</programlisting>
|
|||||||
to use a DNAT rule for you daughter's web server -- you would rather
|
to use a DNAT rule for you daughter's web server -- you would rather
|
||||||
just use an ACCEPT rule:</para>
|
just use an ACCEPT rule:</para>
|
||||||
|
|
||||||
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
|
<programlisting>#ACTION SOURCE DEST PROTO DEST SPORT ORIGDEST
|
||||||
# PORT(S) PORT(S) DEST
|
|
||||||
ACCEPT net loc:192.168.201.4 tcp www</programlisting>
|
ACCEPT net loc:192.168.201.4 tcp www</programlisting>
|
||||||
|
|
||||||
<para>A word of warning is in order here. ISPs typically configure
|
<para>A word of warning is in order here. ISPs typically configure
|
||||||
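Review bot: the new header `#ACTION SOURCE DEST PROTO DEST SPORT ORIGDEST` labels the port column `DEST` while the other rules listings in this commit use `DPORT` (the DNAT listing earlier was changed to `#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST`); with the second header line `# PORT(S)` removed, a bare `DEST` sitting next to the real DEST column is ambiguous. Use `DPORT` here for consistency.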
@ -1725,8 +1718,7 @@ ACCEPT net loc:192.168.201.4 tcp www</programlisting>
|
|||||||
|
|
||||||
<para>You probably want to allow ping between your zones:</para>
|
<para>You probably want to allow ping between your zones:</para>
|
||||||
|
|
||||||
<programlisting>#ACTION SOURCE DEST PROTO DEST
|
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||||
# PORT(S)
|
|
||||||
ACCEPT net dmz icmp echo-request
|
ACCEPT net dmz icmp echo-request
|
||||||
ACCEPT net loc icmp echo-request
|
ACCEPT net loc icmp echo-request
|
||||||
ACCEPT dmz loc icmp echo-request
|
ACCEPT dmz loc icmp echo-request
|
||||||
@ -1735,8 +1727,7 @@ ACCEPT loc dmz icmp echo-request</programlisting>
|
|||||||
<para>Let's suppose that you run mail and pop3 servers on DMZ 2 and a
|
<para>Let's suppose that you run mail and pop3 servers on DMZ 2 and a
|
||||||
Web Server on DMZ 1. The rules that you would need are:</para>
|
Web Server on DMZ 1. The rules that you would need are:</para>
|
||||||
|
|
||||||
<programlisting>#ACTION SOURCE DEST PROTO DEST COMMENTS
|
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||||
# PORT(S)
|
|
||||||
ACCEPT net dmz:192.0.2.178 tcp smtp #Mail from
|
ACCEPT net dmz:192.0.2.178 tcp smtp #Mail from
|
||||||
#Internet
|
#Internet
|
||||||
ACCEPT net dmz:192.0.2.178 tcp pop3 #Pop3 from
|
ACCEPT net dmz:192.0.2.178 tcp pop3 #Pop3 from
|
||||||
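Review bot: the `COMMENTS` heading is dropped from the header while the rows keep trailing comments that wrap onto a separate line (`#Mail from` followed by `#Internet`); syntactically harmless, but with the two-line header gone the continuation `#Internet` now sits under no column and reads as a stray comment. Consider keeping each comment on one line (`#Mail from Internet`) here and in the DNS listing in the next hunk, which has the same `#UDP DNS from` / `#Internet` split.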
@ -1760,8 +1751,7 @@ ACCEPT loc dmz:192.0.2.177 tcp https #Secure WWW
|
|||||||
<para>If you run a public DNS server on 192.0.2.177, you would need to
|
<para>If you run a public DNS server on 192.0.2.177, you would need to
|
||||||
add the following rules:</para>
|
add the following rules:</para>
|
||||||
|
|
||||||
<programlisting>#ACTION SOURCE DEST PROTO DEST COMMENTS
|
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||||
# PORT(S)
|
|
||||||
ACCEPT net dmz:192.0.2.177 udp domain #UDP DNS from
|
ACCEPT net dmz:192.0.2.177 udp domain #UDP DNS from
|
||||||
#Internet
|
#Internet
|
||||||
ACCEPT net dmz:192.0.2.177 tcp domain #TCP DNS from
|
ACCEPT net dmz:192.0.2.177 tcp domain #TCP DNS from
|
||||||
@ -1784,8 +1774,7 @@ ACCEPT dmz:192.0.2.177 net tcp domain #TCPP DNS to
|
|||||||
scp utility can also do publishing and software update
|
scp utility can also do publishing and software update
|
||||||
distribution.</para>
|
distribution.</para>
|
||||||
|
|
||||||
<programlisting>#ACTION SOURCE DEST PROTO DEST COMMENTS
|
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||||
# PORT(S)
|
|
||||||
ACCEPT loc dmz tcp ssh #SSH to the DMZ
|
ACCEPT loc dmz tcp ssh #SSH to the DMZ
|
||||||
ACCEPT net $FW tcp ssh #SSH to the
|
ACCEPT net $FW tcp ssh #SSH to the
|
||||||
#Firewall</programlisting>
|
#Firewall</programlisting>
|
||||||
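Review bot: the hunk header shows that the line immediately above this region still reads `ACCEPT dmz:192.0.2.177 net tcp domain #TCPP DNS to`; the `#TCPP` comment typo should be `#TCP` and can be fixed while these listings are being reworked.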
@ -1816,22 +1805,11 @@ ACCEPT net $FW tcp ssh #SSH to the
|
|||||||
<para><filename>/etc/shorewall/interfaces</filename> (The
|
<para><filename>/etc/shorewall/interfaces</filename> (The
|
||||||
<quote>options</quote> will be very site-specific).</para>
|
<quote>options</quote> will be very site-specific).</para>
|
||||||
|
|
||||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
<programlisting>?FORMAT 2
|
||||||
net eth0 detect routefilter
|
#ZONE INTERFACE OPTIONS
|
||||||
loc eth1 detect
|
net eth0 routefilter
|
||||||
dmz eth2 detect</programlisting>
|
loc eth1
|
||||||
|
dmz eth2</programlisting>
|
||||||
<para>The setup described here requires that your network interfaces be
|
|
||||||
brought up before Shorewall can start. This opens a short window during
|
|
||||||
which you have no firewall protection. If you replace
|
|
||||||
<quote>detect</quote> with the actual broadcast addresses in the entries
|
|
||||||
above, you can bring up Shorewall before you bring up your network
|
|
||||||
interfaces.</para>
|
|
||||||
|
|
||||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
|
||||||
net eth0 192.0.2.255
|
|
||||||
loc eth1 192.168.201.7
|
|
||||||
dmz eth2 192.168.202.7</programlisting>
|
|
||||||
|
|
||||||
<para><filename>/etc/shorewall/masq</filename> - Local Subnet</para>
|
<para><filename>/etc/shorewall/masq</filename> - Local Subnet</para>
|
||||||
|
|
||||||
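Review bot: removing the paragraph beginning `The setup described here requires that your network interfaces be brought up before Shorewall can start` drops more than the obsolete `detect`/broadcast-address workaround: it was also the only statement in this section that starting the firewall after the interfaces leaves a short window with no packet filtering. If that ordering constraint still holds in 5.0, keep a one-sentence version of the warning without the BROADCAST-column workaround (which no longer exists in `?FORMAT 2` listings); if 5.0 removed the constraint, say so explicitly so readers of the older guide know the caveat is gone rather than accidentally omitted.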
@ -1851,8 +1829,7 @@ eth0 192.168.201.0/29 192.0.2.176</programlisting>
|
|||||||
|
|
||||||
<para><filename>/etc/shorewall/rules</filename></para>
|
<para><filename>/etc/shorewall/rules</filename></para>
|
||||||
|
|
||||||
<programlisting>#ACTION SOURCE DEST PROTO DEST COMMENTS
|
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||||
# PORT(S)
|
|
||||||
ACCEPT net dmz icmp echo-request
|
ACCEPT net dmz icmp echo-request
|
||||||
ACCEPT net loc icmp echo-request
|
ACCEPT net loc icmp echo-request
|
||||||
ACCEPT dmz loc icmp echo-request
|
ACCEPT dmz loc icmp echo-request
|
||||||
|