author Silvio Rhatto <rhatto@riseup.net> 2024-02-24 15:03:05 -0300
committer Silvio Rhatto <rhatto@riseup.net> 2024-02-24 15:03:05 -0300
commit c1b973a39a5be58eb4465603b971235ed7fedd4d (patch)
tree 4cd1890930fa3ee59e244a9d963592a7b51979d4 /firewall.md
parent 3541adeafcdb79efdedc1f9d29a3bca15571c611 (diff)
Feat: migrate docs from Ikiwiki to MkDocs
Diffstat (limited to 'firewall.md')
-rw-r--r-- firewall.md 78
1 files changed, 0 insertions, 78 deletions
diff --git a/firewall.md b/firewall.md
deleted file mode 100644
index a76a114..0000000
--- a/firewall.md
+++ /dev/null
@@ -1,78 +0,0 @@
-[[!toc levels=4]]
-
-Configuração do shorewall
-=========================
-
-De início, instale o shorewall:
-
- apt-get install shorewall
-
-É necessário que o iptables esteja configurado para encaminhar os pacotes de uma porta externa para os vservers. As seguinte diretiva precisa ser alterada na configuração original no arquivo `/etc/shorewall/shorewall.conf`:
-
- IP_FORWARDING=Yes
-
-O arquivo `/etc/shorewall/interfaces` deve conter a interface de rede:
-
- #ZONE INTERFACE BROADCAST OPTIONS
- - eth0 detect tcpflags,blacklist,routefilter,nosmurfs,logmartians,norfc1918
- #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
-
-O arquivo `/etc/shorewall/zones` deve conter as zonas da rede:
-
- ###############################################################################
- #ZONE TYPE OPTIONS IN OUT
- # OPTIONS OPTIONS
- fw firewall
- vm ipv4
- net ipv4
- #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
-
-O arquivo `/etc/shorewall/hosts` associa zonas a subredes:
-
- #ZONE HOST(S) OPTIONS
- vm eth0:192.168.0.0/24
- net eth0:0.0.0.0/0
- #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE
-
-O arquivo `/etc/shorewall/policy` define as regras para tráfego de pacotes:
-
- ###############################################################################
- #SOURCE DEST POLICY LOG LIMIT:BURST
- # LEVEL
- vm net ACCEPT
- $FW net ACCEPT
- $FW vm ACCEPT
- net all DROP info
- # THE FOLLOWING POLICY MUST BE LAST
- all all REJECT info
- #LAST LINE -- DO NOT REMOVE
-
-E o arquivo `/etc/shorewall/rules` define exceções às regras gerais:
-
- ################################################################
- #ACTION SOURCE DEST PROTO DEST
- SSH/ACCEPT net $FW
- Ping/ACCEPT net $FW
- HTTP/ACCEPT net $FW
- HTTPS/ACCEPT net $FW
- #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
-
-Adicionamos máscaras NAT aos pacotes da rede interna através do `/etc/shorewall/masq`:
-
- ###############################################################################
- #INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC MARK
- eth0:!192.168.0.0/24 192.168.0.0/24
- #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
-
-Habilite o shorewall mudando o valor de startup de `/etc/default/shorewall` para `1`:
-
- startup=1
-
-Finalmente podemos ligar o shorewall:
-
- /etc/init.d/shorewall start
-
-Shorewall e Puppet
-==================
-
-Uma vez que um nodo [puppetmaster](../puppet) estiver rodando, o módulo [puppet-shorewall](http://git.sarava.org/?p=puppet-shorewall.git;a=summary) poderá ser utilizado para gerenciar o firewall. No entanto, se você for substituir o presente procedimento pela sua versão via puppet, certifique-se de apagar os arquivos `/etc/shorewall/{masq,policy,zones,rules,interfaces}`.