PromoxFirewall
Zur Navigation springen
Zur Suche springen
shorewall als Firewall[Bearbeiten]
Installation[Bearbeiten]
apt-get install shorewall6
Konfiguration[Bearbeiten]
- /etc/network/interfaces:
auto eth0
iface eth0 inet static
address 192.168.2.64
netmask 255.255.255.0
gateway 192.168.2.3
post-up echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp
auto vmbr0
iface vmbr0 inet static
address 10.10.10.1
netmask 255.255.255.0
bridge_ports none
bridge_stp off
bridge_fd 0
- /etc/shorewall/shorewall.conf:
DISABLE_IPV6=No
- Neu: /etc/shorewall/shorewall.conf
#ZONE TYPE OPTIONS IN OUT # OPTIONS OPTIONS fw firewall net ipv4 dmz ipv4
- Neu: /etc/shorewall/interfaces
#ZONE INTERFACE BROADCAST OPTIONS net eth0 detect blacklist,nosmurfs dmz venet0 detect routeback dmz vmbr0 detect routeback,bridge
- /etc/shorewall/policy
#SOURCE DEST POLICY LOG LIMIT: CONNLIMIT: # LEVEL BURST MASK # From Firewall Policy fw fw ACCEPT fw net ACCEPT fw dmz ACCEPT # From DMZ Policy dmz dmz ACCEPT dmz net ACCEPT dmz fw DROP info # From Net Policy net fw DROP info net dmz DROP info # THE FOLLOWING POLICY MUST BE LAST # all all REJECT info
- Neu: /etc/shorewall/rules
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE # Permit access to SSH SSH/ACCEPT net fw - - - - 6/min:5 # Permit access to Proxmox Manager and Console ACCEPT net fw tcp 80,443,5900:5999 # PING Rules Ping/ACCEPT all all # LAST LINE -- DO NOT REMOVE
- Neu: /etc/shorewall/maskq
#INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC MARK eth0 10.0.0.0/8 # LAST LINE -- DO NOT REMOVE
Test[Bearbeiten]
shorewall try /etc/shorewall 60