author    Silvio Rhatto <rhatto@riseup.net>  2010-02-02 21:49:43 -0200
committer Silvio Rhatto <rhatto@riseup.net>  2010-02-02 21:49:43 -0200
commit    8c22ff697fc5df6e9646f6834d9b3750dd863f59 (patch)
tree      8cd2308017892b3f6dbd39988708a96bb97cf89e
parent    52de4478f790aeccee5ba6c4164a3486bd779756 (diff)
download  padrao-8c22ff697fc5df6e9646f6834d9b3750dd863f59.tar.gz
          padrao-8c22ff697fc5df6e9646f6834d9b3750dd863f59.tar.bz2
Adding firewall procedure
-rw-r--r--  firewall.mdwn  76
1 files changed, 76 insertions, 0 deletions
diff --git a/firewall.mdwn b/firewall.mdwn
index e69de29..bb3687a 100644
--- a/firewall.mdwn
+++ b/firewall.mdwn
@@ -0,0 +1,76 @@
+Configuração do shorewall
+=========================
+
+De início, instale o shorewall:
+
+ apt-get install shorewall
+
+É necessário que o iptables esteja configurado para encaminhar os pacotes de uma porta externa para os vservers. As seguinte diretiva precisa ser alterada na configuração original no arquivo `/etc/shorewall/shorewall.conf`:
+
+ IP_FORWARDING=Yes
+
+O arquivo `/etc/shorewall/interfaces` deve conter a interface de rede:
+
+ #ZONE INTERFACE BROADCAST OPTIONS
+ - eth0 detect tcpflags,blacklist,routefilter,nosmurfs,logmartians,norfc1918
+ #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
+
+O arquivo `/etc/shorewall/zones` deve conter as zonas da rede:
+
+ ###############################################################################
+ #ZONE TYPE OPTIONS IN OUT
+ # OPTIONS OPTIONS
+ fw firewall
+ vm ipv4
+ net ipv4
+ #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
+
+O arquivo `/etc/shorewall/hosts` associa zonas a subredes:
+
+ #ZONE HOST(S) OPTIONS
+ vm eth0:192.168.0.0/24
+ net eth0:0.0.0.0/0
+ #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE
+
+O arquivo `/etc/shorewall/policy` define as regras para tráfego de pacotes:
+
+ ###############################################################################
+ #SOURCE DEST POLICY LOG LIMIT:BURST
+ # LEVEL
+ vm net ACCEPT
+ $FW net ACCEPT
+ $FW vm ACCEPT
+ net all DROP info
+ # THE FOLLOWING POLICY MUST BE LAST
+ all all REJECT info
+ #LAST LINE -- DO NOT REMOVE
+
+E o arquivo `/etc/shorewall/rules` define exceções às regras gerais:
+
+ ################################################################
+ #ACTION SOURCE DEST PROTO DEST
+ SSH/ACCEPT net $FW
+ Ping/ACCEPT net $FW
+ HTTP/ACCEPT net $FW
+ HTTPS/ACCEPT net $FW
+ #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
+
+Adicionamos máscaras NAT aos pacotes da rede interna através do `/etc/shorewall/masq`:
+
+ ###############################################################################
+ #INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC MARK
+ eth0:!192.168.0.0/24 192.168.0.0/24
+ #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
+
+Habilite o shorewall mudando o valor de startup de `/etc/default/shorewall` para `1`:
+
+ startup=1
+
+Finalmente podemos ligar o shorewall:
+
+ /etc/init.d/shorewall start
+
+Shorewall e Puppet
+==================
+
+Uma vez que um nodo puppetmaster estiver rodando, o módulo [puppet-shorewall](http://git.sarava.org/?p=puppet-shorewall.git;a=summary) poderá ser utilizado para gerenciar o firewall. No entanto, se você for substituir o presente procedimento pela sua versão via puppet, certifique-se de apagar os arquivos `/etc/shorewall/{masq,policy,zones,rules,interfaces}`.
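Review bot: the `norfc1918` option on the `eth0` line of `/etc/shorewall/interfaces` conflicts with the `hosts` entry `vm eth0:192.168.0.0/24` further down in this hunk: `norfc1918` drops packets arriving on that interface with an RFC 1918 source address, and 192.168.0.0/24 is such a range, so traffic from the `vm` zone would be discarded before the `vm net ACCEPT` policy ever applies. Either remove `norfc1918` from the interface options or document the exemption you intend. Second, the prose at the top of the file says the goal is to forward packets from an external port to the vservers, but `/etc/shorewall/rules` only contains `SSH/ACCEPT`, `Ping/ACCEPT`, `HTTP/ACCEPT` and `HTTPS/ACCEPT` from `net` to `$FW`; no `DNAT` rule towards a 192.168.0.0/24 address is present, so the stated port forwarding is not implemented and `IP_FORWARDING=Yes` on its own does not achieve it. Either add the `DNAT` rules this procedure is meant to describe or reword the introduction. Finally, the last step runs `/etc/init.d/shorewall start` directly; since this is applied on a remote host, it would be safer to have the reader run `shorewall check` first so that a configuration error is caught before the existing ruleset is replaced. A minor style point: the column header `#ACTION SOURCE DEST PROTO DEST` in the `rules` block is truncated compared with the other files' headers.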