aboutsummaryrefslogtreecommitdiff
path: root/firewall.md
diff options
context:
space:
mode:
Diffstat (limited to 'firewall.md')
-rw-r--r--firewall.md78
1 files changed, 78 insertions, 0 deletions
diff --git a/firewall.md b/firewall.md
new file mode 100644
index 0000000..a76a114
--- /dev/null
+++ b/firewall.md
@@ -0,0 +1,78 @@
+[[!toc levels=4]]
+
+Configuração do shorewall
+=========================
+
+De início, instale o shorewall:
+
+ apt-get install shorewall
+
+É necessário que o iptables esteja configurado para encaminhar os pacotes de uma porta externa para os vservers. As seguinte diretiva precisa ser alterada na configuração original no arquivo `/etc/shorewall/shorewall.conf`:
+
+ IP_FORWARDING=Yes
+
+O arquivo `/etc/shorewall/interfaces` deve conter a interface de rede:
+
+ #ZONE INTERFACE BROADCAST OPTIONS
+ - eth0 detect tcpflags,blacklist,routefilter,nosmurfs,logmartians,norfc1918
+ #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
+
+O arquivo `/etc/shorewall/zones` deve conter as zonas da rede:
+
+ ###############################################################################
+ #ZONE TYPE OPTIONS IN OUT
+ # OPTIONS OPTIONS
+ fw firewall
+ vm ipv4
+ net ipv4
+ #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
+
+O arquivo `/etc/shorewall/hosts` associa zonas a subredes:
+
+ #ZONE HOST(S) OPTIONS
+ vm eth0:192.168.0.0/24
+ net eth0:0.0.0.0/0
+ #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE
+
+O arquivo `/etc/shorewall/policy` define as regras para tráfego de pacotes:
+
+ ###############################################################################
+ #SOURCE DEST POLICY LOG LIMIT:BURST
+ # LEVEL
+ vm net ACCEPT
+ $FW net ACCEPT
+ $FW vm ACCEPT
+ net all DROP info
+ # THE FOLLOWING POLICY MUST BE LAST
+ all all REJECT info
+ #LAST LINE -- DO NOT REMOVE
+
+E o arquivo `/etc/shorewall/rules` define exceções às regras gerais:
+
+ ################################################################
+ #ACTION SOURCE DEST PROTO DEST
+ SSH/ACCEPT net $FW
+ Ping/ACCEPT net $FW
+ HTTP/ACCEPT net $FW
+ HTTPS/ACCEPT net $FW
+ #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
+
+Adicionamos máscaras NAT aos pacotes da rede interna através do `/etc/shorewall/masq`:
+
+ ###############################################################################
+ #INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC MARK
+ eth0:!192.168.0.0/24 192.168.0.0/24
+ #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
+
+Habilite o shorewall mudando o valor de startup de `/etc/default/shorewall` para `1`:
+
+ startup=1
+
+Finalmente podemos ligar o shorewall:
+
+ /etc/init.d/shorewall start
+
+Shorewall e Puppet
+==================
+
+Uma vez que um nodo [puppetmaster](../puppet) estiver rodando, o módulo [puppet-shorewall](http://git.sarava.org/?p=puppet-shorewall.git;a=summary) poderá ser utilizado para gerenciar o firewall. No entanto, se você for substituir o presente procedimento pela sua versão via puppet, certifique-se de apagar os arquivos `/etc/shorewall/{masq,policy,zones,rules,interfaces}`.