Shorewall6: Unterschied zwischen den Versionen

 
(Eine dazwischenliegende Version desselben Benutzers wird nicht angezeigt)
Zeile 5: Zeile 5:
= Beschreibung =
= Beschreibung =
shorewall6 ist eine Firewall-Software.
shorewall6 ist eine Firewall-Software.
= Installation =
<pre>apt install shorewall6
cd /etc/shorewall
DEVNET=eno1
DEVLOC=virbr1
cat <<EOS >interfaces
#ZONE INTERFACE BROADCAST OPTIONS
net  $DEVNET  detect    nosmurfs
loc  $DEVLOC  detect    routeback,bridge
EOS
cat <<EOS >zones
#ZONE  TYPE        OPTIONS IN_OPTIONS OUT_OPTIONS
fw      firewall
net    ipv4
loc    ipv4
EOS
cat <<EOS >masq
#INTERFACE      SOURCE          ADDRESS        PROTO  PORT(S) IPSEC  MARK
eth0            10.0.0.0/8
EOS
cat <<EOS >policy
#SOURCE DEST    POLICY          LOG    LIMIT:          CONNLIMIT:
# From Firewall Policy
fw      fw      ACCEPT
fw      net    ACCEPT
fw      loc    ACCEPT
# From localnet Policy
loc    loc    ACCEPT
loc    net    ACCEPT
loc    fw      ACCEPT
# From Net Policy
net    fw      DROP            info
net    loc    DROP            info
# THE FOLLOWING POLICY MUST BE LAST
all    all    REJECT          info
EOS
cat <<EOS >rules
#ACTION        SOURCE DEST PROTO  DEST        SOURCE ORIGINAL RATE
SSH/ACCEPT    net    fw  -      -            -    -        12/min:8
ACCEPT        net    fw  tcp    80,81,443,444
Ping/ACCEPT    all    all
#ACTION SOURCE DEST                PROTO DEST  SOURCE ORIGINAL RATE
DNAT    net    loc:10.10.10.100:22 tcp  10100  -
EOS
</pre>


= Konfiguration =
= Konfiguration =
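Review bot: The masq file written in the new Installation block masquerades on `eth0`, while the external interface was set to `DEVNET=eno1` a few lines earlier, so on that host the NAT entry matches nothing and the loc clients never reach the Internet; the line should read `$DEVNET         10.0.0.0/8` (the heredoc is unquoted, so it expands like the interfaces file). `cd /etc/shorewall` is also unchecked, so if the directory does not exist the five heredocs are written into whatever the current directory happens to be; `cd /etc/shorewall || exit 1` stops that. The package installed is shorewall6, but every file goes to /etc/shorewall with `ipv4` zone types, which looks like an IPv4 Shorewall setup; it is probably worth stating in the text which of the two the page describes.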

Aktuelle Version vom 11. Oktober 2019, 15:45 Uhr

Links

Beschreibung

shorewall6 ist eine Firewall-Software.

Installation

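# Install Shorewall and write a minimal two-interface configuration:
# zone "net" is the uplink to the Internet, zone "loc" is the bridge with the VMs.
# NOTE(review): the package is shorewall6, but every file below is written to
# /etc/shorewall with "ipv4" zone types, i.e. an IPv4 ruleset -- confirm whether
# the IPv4 "shorewall" package or the /etc/shorewall6 layout was intended.
apt install shorewall6
# Abort if the config directory is missing; otherwise the heredocs below would
# silently create the files in the current working directory instead.
cd /etc/shorewall || exit 1
DEVNET=eno1    # external interface (zone net)
DEVLOC=virbr1  # internal VM bridge (zone loc)
# The heredocs are deliberately unquoted so that $DEVNET/$DEVLOC expand.
cat <<EOS >interfaces
#ZONE INTERFACE BROADCAST OPTIONS
net   $DEVNET   detect    nosmurfs
loc   $DEVLOC   detect    routeback,bridge
EOS
cat <<EOS >zones
#ZONE   TYPE        OPTIONS IN_OPTIONS OUT_OPTIONS
fw      firewall
net     ipv4
loc     ipv4
EOS
# Masquerade the private range on the external interface. The original entry
# named "eth0", which does not match $DEVNET above, so it would never have
# applied on this host.
cat <<EOS >masq
#INTERFACE      SOURCE          ADDRESS         PROTO   PORT(S) IPSEC   MARK
$DEVNET         10.0.0.0/8
EOS
# Default policies: everything from fw and loc is allowed, traffic from net is
# dropped and logged at "info", and the catch-all REJECT must stay last.
cat <<EOS >policy
#SOURCE DEST    POLICY          LOG     LIMIT:          CONNLIMIT:
# From Firewall Policy
fw      fw      ACCEPT
fw      net     ACCEPT
fw      loc     ACCEPT
# From localnet Policy
loc     loc     ACCEPT
loc     net     ACCEPT
loc     fw      ACCEPT
# From Net Policy
net     fw      DROP            info
net     loc     DROP            info
# THE FOLLOWING POLICY MUST BE LAST
all     all     REJECT          info
EOS
# Exceptions to the policies above: rate-limited SSH (12/min, burst 8) and a few
# TCP ports to the firewall, ping everywhere, and a port forward of external
# TCP 10100 to SSH on the VM 10.10.10.100.
cat <<EOS >rules
#ACTION        SOURCE DEST PROTO   DEST         SOURCE ORIGINAL RATE
SSH/ACCEPT     net    fw   -       -            -     -         12/min:8
ACCEPT         net    fw   tcp    80,81,443,444
Ping/ACCEPT    all    all
#ACTION SOURCE DEST                PROTO DEST   SOURCE ORIGINAL RATE
DNAT    net    loc:10.10.10.100:22 tcp   10100  -
EOS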

Konfiguration

  • Beispiele in /usr/share/doc/shorewall/examples/two-interfaces
  • /etc/shorewall/shorewall.conf
IP_FORWARDING=On
  • komplette /etc/shorewall/policy
    • Ergänzt wurde die Zeile "fw net ACCEPT"
#SOURCE	DEST		POLICY		LOGLEVEL	RATE	CONNLIMIT

loc	net		ACCEPT
net	all		DROP		$LOG_LEVEL
# der VM-Host soll auch ins Internet:
fw	net		ACCEPT
# THE FOLLOWING POLICY MUST BE LAST
all	all		REJECT		$LOG_LEVEL