diff options
| author | Silvio Rhatto <rhatto@riseup.net> | 2017-10-01 17:21:16 -0300 |
|---|---|---|
| committer | Silvio Rhatto <rhatto@riseup.net> | 2017-10-01 17:21:16 -0300 |
| commit | 07d75df75ada34ef4b7de9cb07770b19251520f1 (patch) | |
| tree | a3b814eda00e61afbaf9f778edee4ccaba92741d /firewall.mdwn | |
| parent | ef09f1fdae32c8d46b464bb50a85bb69097c211a (diff) | |
| download | padrao-07d75df75ada34ef4b7de9cb07770b19251520f1.tar.gz padrao-07d75df75ada34ef4b7de9cb07770b19251520f1.tar.bz2 | |
Change markdown extension to .md
Diffstat (limited to 'firewall.mdwn')
| -rw-r--r-- | firewall.mdwn | 78 |
1 files changed, 0 insertions, 78 deletions
diff --git a/firewall.mdwn b/firewall.mdwn deleted file mode 100644 index a76a114..0000000 --- a/firewall.mdwn +++ /dev/null @@ -1,78 +0,0 @@ -[[!toc levels=4]] - -Configuração do shorewall -========================= - -De início, instale o shorewall: - - apt-get install shorewall - -É necessário que o iptables esteja configurado para encaminhar os pacotes de uma porta externa para os vservers. As seguinte diretiva precisa ser alterada na configuração original no arquivo `/etc/shorewall/shorewall.conf`: - - IP_FORWARDING=Yes - -O arquivo `/etc/shorewall/interfaces` deve conter a interface de rede: - - #ZONE INTERFACE BROADCAST OPTIONS - - eth0 detect tcpflags,blacklist,routefilter,nosmurfs,logmartians,norfc1918 - #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE - -O arquivo `/etc/shorewall/zones` deve conter as zonas da rede: - - ############################################################################### - #ZONE TYPE OPTIONS IN OUT - # OPTIONS OPTIONS - fw firewall - vm ipv4 - net ipv4 - #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE - -O arquivo `/etc/shorewall/hosts` associa zonas a subredes: - - #ZONE HOST(S) OPTIONS - vm eth0:192.168.0.0/24 - net eth0:0.0.0.0/0 - #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE - -O arquivo `/etc/shorewall/policy` define as regras para tráfego de pacotes: - - ############################################################################### - #SOURCE DEST POLICY LOG LIMIT:BURST - # LEVEL - vm net ACCEPT - $FW net ACCEPT - $FW vm ACCEPT - net all DROP info - # THE FOLLOWING POLICY MUST BE LAST - all all REJECT info - #LAST LINE -- DO NOT REMOVE - -E o arquivo `/etc/shorewall/rules` define exceções às regras gerais: - - ################################################################ - #ACTION SOURCE DEST PROTO DEST - SSH/ACCEPT net $FW - Ping/ACCEPT net $FW - HTTP/ACCEPT net $FW - HTTPS/ACCEPT net $FW - #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE - -Adicionamos máscaras NAT aos pacotes da rede interna através do `/etc/shorewall/masq`: - - ############################################################################### - #INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC MARK - eth0:!192.168.0.0/24 192.168.0.0/24 - #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE - -Habilite o shorewall mudando o valor de startup de `/etc/default/shorewall` para `1`: - - startup=1 - -Finalmente podemos ligar o shorewall: - - /etc/init.d/shorewall start - -Shorewall e Puppet -================== - -Uma vez que um nodo [puppetmaster](../puppet) estiver rodando, o módulo [puppet-shorewall](http://git.sarava.org/?p=puppet-shorewall.git;a=summary) poderá ser utilizado para gerenciar o firewall. No entanto, se você for substituir o presente procedimento pela sua versão via puppet, certifique-se de apagar os arquivos `/etc/shorewall/{masq,policy,zones,rules,interfaces}`. |