ProxmoxFirewall

From Info-Theke

shorewall as firewall

Original article

Installation

apt-get install shorewall6

Note that the files configured below live under /etc/shorewall and declare ipv4 zones; on Debian those belong to the shorewall package, while shorewall6 provides the IPv6 compiler and /etc/shorewall6. Check which package is actually installed before editing the files.

Configuration

  • /etc/network/interfaces:
auto eth0
iface eth0 inet static
        address 192.168.2.64
        netmask 255.255.255.0
        gateway 192.168.2.3
        # answer ARP requests on eth0 for addresses this host routes (e.g. routed guests)
        post-up echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp

auto vmbr0
iface vmbr0 inet static
        address 10.10.10.1
        netmask 255.255.255.0
        # bridge without a physical port: guests attach here and leave via eth0 (masqueraded below)
        bridge_ports none
        bridge_stp off
        bridge_fd 0

  • /etc/shorewall/shorewall.conf:

DISABLE_IPV6=No

  • New: /etc/shorewall/zones
#ZONE   TYPE            OPTIONS         IN                      OUT
#                                       OPTIONS                 OPTIONS
fw      firewall
net     ipv4
dmz     ipv4
  • New: /etc/shorewall/interfaces
#ZONE   INTERFACE       BROADCAST       OPTIONS
net     eth0            detect          blacklist,nosmurfs
dmz     venet0          detect          routeback
dmz     vmbr0           detect          routeback,bridge
  • /etc/shorewall/policy
#SOURCE DEST    POLICY          LOG     LIMIT:          CONNLIMIT:
#                               LEVEL   BURST           MASK

# From Firewall Policy
fw      fw      ACCEPT
fw      net     ACCEPT
fw      dmz     ACCEPT

# From DMZ Policy

dmz     dmz     ACCEPT
dmz     net     ACCEPT
dmz     fw      DROP            info

# From Net Policy
net     fw      DROP            info
net     dmz     DROP            info 

# THE FOLLOWING POLICY MUST BE LAST
#
all     all     REJECT          info
  • New: /etc/shorewall/rules
#ACTION          SOURCE     DEST       PROTO   DEST        SOURCE     ORIGINAL    RATE
#                                              PORT        PORT       DEST        LIMIT

# Permit access to SSH (SSH macro); new connections from net are rate-limited
# to 6 per minute with a burst of 5
SSH/ACCEPT       net        fw         -       -            -          -          6/min:5

# Permit access to Proxmox Manager and Console (HTTP, HTTPS and the VNC console ports)
ACCEPT           net        fw         tcp     80,443,5900:5999

# PING Rules (Ping macro, between all zones)
Ping/ACCEPT      all        all

# LAST LINE -- DO NOT REMOVE
  • New: /etc/shorewall/masq
#INTERFACE      SOURCE          ADDRESS         PROTO   PORT(S) IPSEC   MARK
# masquerade the private guest range (10.10.10.0/24 behind vmbr0 lies inside 10.0.0.0/8) when it leaves via eth0
eth0            10.0.0.0/8

# LAST LINE -- DO NOT REMOVE
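As an added example that is not part of the original page or of Shorewall itself, the following POSIX shell script lints the four Shorewall tables above before they are tried on the host. It writes a constructed copy of the page's zones, interfaces, policy and masq files plus the vmbr0 stanza of /etc/network/interfaces into a temporary directory (the file name network-interfaces and all function names are this example's own) and checks that every zone used is declared, that the catch-all all/all REJECT policy is last, that no policy ACCEPTs traffic from net by default, and that the masq SOURCE on eth0 covers the bridge address.

```shell
#!/bin/sh
# Added example, not from the original page: a small lint for the Shorewall
# files shown above, run against a constructed copy of them.

# Print a Shorewall table file with comments and blank lines removed.
sw_rows() {
    sed -e 's/#.*$//' -e '/^[[:space:]]*$/d' "$1"
}

# Write the sample configuration (constructed from the page) and print its path.
make_sample_config() {
    dir=$(mktemp -d)
    printf 'fw firewall\nnet ipv4\ndmz ipv4\n' > "$dir/zones"
    printf 'net eth0 detect blacklist,nosmurfs\ndmz venet0 detect routeback\ndmz vmbr0 detect routeback,bridge\n' > "$dir/interfaces"
    cat > "$dir/policy" <<'EOF'
# From Firewall Policy
fw      fw      ACCEPT
fw      net     ACCEPT
fw      dmz     ACCEPT
# From DMZ Policy
dmz     dmz     ACCEPT
dmz     net     ACCEPT
dmz     fw      DROP            info
# From Net Policy
net     fw      DROP            info
net     dmz     DROP            info
# THE FOLLOWING POLICY MUST BE LAST
all     all     REJECT          info
EOF
    printf 'eth0 10.0.0.0/8\n' > "$dir/masq"
    # stand-in for /etc/network/interfaces on the real host (name is this example's own)
    cat > "$dir/network-interfaces" <<'EOF'
auto vmbr0
iface vmbr0 inet static
        address 10.10.10.1
        netmask 255.255.255.0
        bridge_ports none
EOF
    echo "$dir"
}

# Check 1: every zone used in interfaces or policy is declared in zones.
check_zones_declared() {
    declared=$(sw_rows "$1/zones" | awk '{print $1}')
    used=$( { sw_rows "$1/interfaces" | awk '{print $1}'; sw_rows "$1/policy" | awk '{print $1; print $2}'; } | sort -u)
    for z in $used; do
        if [ "$z" = all ]; then continue; fi
        echo "$declared" | grep -qx "$z" || { echo "undeclared zone: $z" >&2; return 1; }
    done
}

# Check 2: the catch-all "all all REJECT" (or DROP) policy is the last row.
check_catchall_last() {
    sw_rows "$1/policy" | awk '{ s=$1; d=$2; p=$3 }
        END { exit !(s=="all" && d=="all" && (p=="REJECT" || p=="DROP")) }'
}

# Check 3: no policy lets the untrusted net zone in by default; exceptions belong in rules.
check_net_not_accepted() {
    sw_rows "$1/policy" | awk '$1=="net" && $3=="ACCEPT" { bad=1 } END { exit bad+0 }'
}

# Dotted quad to integer, and CIDR containment, for the masq check.
ip2int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}
cidr_contains() {   # cidr_contains 10.0.0.0/8 10.10.10.1 -> true if the address is inside
    net=${1%/*}; bits=${1#*/}
    mask=$(( bits == 0 ? 0 : (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( $(ip2int "$net") & mask )) -eq $(( $(ip2int "$2") & mask )) ]
}

# Check 4: the masq SOURCE on eth0 covers the bridge address, otherwise guests
# behind vmbr0 leave the host with unroutable private source addresses.
check_masq_covers_bridge() {
    src=$(sw_rows "$1/masq" | awk '$1=="eth0" { print $2; exit }')
    bridge=$(awk '/^iface vmbr0 /{f=1; next} /^iface /{f=0} f && $1=="address"{print $2}' "$1/network-interfaces")
    [ -n "$src" ] && [ -n "$bridge" ] && cidr_contains "$src" "$bridge"
}

# Run all checks on a directory; return the number of failed checks.
lint_shorewall_dir() {
    fails=0
    for c in check_zones_declared check_catchall_last check_net_not_accepted check_masq_covers_bridge; do
        if "$c" "$1"; then echo "ok   $c"; else echo "FAIL $c"; fails=$((fails + 1)); fi
    done
    return $fails
}

lint_shorewall_dir "$(make_sample_config)"
```

Point lint_shorewall_dir at a real configuration directory (with a copy of /etc/network/interfaces saved beside it as network-interfaces) before running shorewall try. The lint deliberately does not flag the ACCEPT rules for net in the rules file: that is where individual exceptions belong, whereas an ACCEPT policy for net would silently open everything the rules do not mention.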

Test

shorewall try /etc/shorewall 60

shorewall try starts the firewall from the given directory and reverts to the previous ruleset if the start fails or once the 60 second timeout expires. That is the safety net against locking yourself out over SSH while testing a new policy: confirm that you can still log in, then make the change permanent with shorewall restart. Whether the revert restores the saved ruleset or re-reads the standard configuration depends on the Shorewall version, so staging the changed files in a separate directory and passing that directory to try is the safer workflow.