PromoxFirewall: Difference between revisions

From Info-Theke

Current version as of 16 May 2017, 20:47

shorewall as firewall

Original article: http://myatus.com/p/guide-firewall-and-router-with-proxmox/

Installation

apt-get install shorewall6

Configuration

  • /etc/network/interfaces:
auto eth0
iface eth0 inet static
        address 192.168.2.64
        netmask 255.255.255.0
        gateway 192.168.2.3
        post-up echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp

auto vmbr0
iface vmbr0 inet static
        address 10.10.10.1
        netmask 255.255.255.0
        bridge_ports none
        bridge_stp off
        bridge_fd 0

  • /etc/shorewall/shorewall.conf:

DISABLE_IPV6=No

  • New: /etc/shorewall/zones
#ZONE   TYPE            OPTIONS         IN                      OUT
#                                       OPTIONS                 OPTIONS
fw      firewall
net     ipv4
dmz     ipv4
  • New: /etc/shorewall/interfaces
#ZONE   INTERFACE       BROADCAST       OPTIONS
net     eth0            detect          blacklist,nosmurfs
dmz     venet0          detect          routeback
dmz     vmbr0           detect          routeback,bridge
  • /etc/shorewall/policy
#SOURCE DEST    POLICY          LOG     LIMIT:          CONNLIMIT:
#                               LEVEL   BURST           MASK

# From Firewall Policy
fw      fw      ACCEPT
fw      net     ACCEPT
fw      dmz     ACCEPT

# From DMZ Policy

dmz     dmz     ACCEPT
dmz     net     ACCEPT
dmz     fw      DROP            info

# From Net Policy
net     fw      DROP            info
net     dmz     DROP            info 

# THE FOLLOWING POLICY MUST BE LAST
#
all     all     REJECT          info
  • New: /etc/shorewall/rules
#ACTION          SOURCE     DEST       PROTO   DEST        SOURCE     ORIGINAL    RATE

# Permit access to SSH
SSH/ACCEPT       net        fw         -       -            -          -          6/min:5

# Permit access to Proxmox Manager and Console
ACCEPT           net        fw         tcp     80,443,5900:5999

# PING Rules
Ping/ACCEPT      all        all

# LAST LINE -- DO NOT REMOVE
  • New: /etc/shorewall/masq
#INTERFACE      SOURCE          ADDRESS         PROTO   PORT(S) IPSEC   MARK
eth0            10.0.0.0/8

# LAST LINE -- DO NOT REMOVE

Test

shorewall try /etc/shorewall 60
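As an added example (not from this wiki page or the linked original article), the following POSIX shell lint checks the policy and rules files described above before they are loaded with shorewall try: the policy file must end in the catch-all all/all REJECT (or DROP) entry the page marks as "MUST BE LAST" and must not ACCEPT net to fw by policy, and every rule that admits traffic from net to the firewall itself is listed so the exposed ports can be reviewed. The function names policy_lint and net_fw_exposure are my own; the sample files it writes to a temporary directory are constructed copies of the page's configuration plus one deliberately broken policy.

```shell
#!/bin/sh
# Added example, not from the wiki page or the original article: a lint for
# the Shorewall policy and rules files shown above. Function names
# (policy_lint, net_fw_exposure) and the sample files are my own.

# last_effective_line FILE: the last line that is neither blank nor a comment.
last_effective_line() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' | tail -n 1
}

# policy_lint FILE: succeed only if the policy file ends with the catch-all
# "all all REJECT" (or DROP) entry and grants no ACCEPT from net to fw by
# policy; ports for the net zone belong in the rules file instead.
policy_lint() {
    file=$1
    last=$(last_effective_line "$file")
    set -- $last    # split the last entry into SOURCE DEST POLICY ...
    if [ "$1" != "all" ] || [ "$2" != "all" ] || { [ "$3" != "REJECT" ] && [ "$3" != "DROP" ]; }; then
        echo "policy: last entry must be 'all all REJECT|DROP', got: $last" >&2
        return 1
    fi
    if awk '!/^[[:space:]]*#/ && $1 == "net" && $2 == "fw" && $3 == "ACCEPT" { found = 1 }
            END { exit !found }' "$file"; then
        echo "policy: net -> fw is ACCEPT by policy; use DROP/REJECT and open ports in rules" >&2
        return 1
    fi
    return 0
}

# net_fw_exposure FILE: print each rule that admits traffic from the net zone
# to the firewall itself (action, protocol, ports, rate limit) so the exposed
# surface can be reviewed before the configuration is loaded.
net_fw_exposure() {
    awk '!/^[[:space:]]*#/ && NF >= 3 && $1 ~ /ACCEPT$/ && $2 == "net" && $3 == "fw" {
        proto = (NF >= 4) ? $4 : "-"
        ports = (NF >= 5) ? $5 : "-"
        rate  = (NF >= 8) ? $8 : "-"
        printf "%s proto=%s ports=%s rate=%s\n", $1, proto, ports, rate
    }' "$1"
}

# Constructed sample files (copies of the page's configuration, plus one
# deliberately broken policy), written to a temporary directory.
SAMPLE_DIR=$(mktemp -d)

cat > "$SAMPLE_DIR/policy.good" <<'EOF'
#SOURCE DEST    POLICY          LOG
fw      all     ACCEPT
dmz     net     ACCEPT
dmz     fw      DROP            info
net     fw      DROP            info
net     dmz     DROP            info
# THE FOLLOWING POLICY MUST BE LAST
all     all     REJECT          info
EOF

cat > "$SAMPLE_DIR/policy.bad" <<'EOF'
#SOURCE DEST    POLICY
net     fw      ACCEPT
fw      all     ACCEPT
EOF

cat > "$SAMPLE_DIR/rules" <<'EOF'
#ACTION          SOURCE     DEST       PROTO   DEST        SOURCE     ORIGINAL    RATE
SSH/ACCEPT       net        fw         -       -            -          -          6/min:5
ACCEPT           net        fw         tcp     80,443,5900:5999
Ping/ACCEPT      all        all
# LAST LINE -- DO NOT REMOVE
EOF

# Stand-alone demo: lint both samples and list the net -> fw exposure.
policy_lint "$SAMPLE_DIR/policy.good" && echo "policy.good: OK"
policy_lint "$SAMPLE_DIR/policy.bad" || echo "policy.bad: rejected as expected"
net_fw_exposure "$SAMPLE_DIR/rules"
```

Against the live configuration, run policy_lint /etc/shorewall/policy && net_fw_exposure /etc/shorewall/rules before shorewall try /etc/shorewall 60; the timeout argument makes Shorewall restore the standard configuration after that many seconds, which limits the damage if a rule would otherwise lock you out of SSH. For the page's rules file the exposure listing shows exactly two entries: the rate-limited SSH macro and TCP 80, 443 and 5900 to 5999 for the Proxmox manager and console.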