path: root/docs/firewall.md
blob: 37621eaf0e8a2be95cb65543d7c20e537d63ae84 (plain)
# Shorewall configuration

First, install shorewall:

    apt-get install shorewall

iptables must be configured to forward packets from an external port to the
vservers. The following directive needs to be changed from its original value
in the `/etc/shorewall/shorewall.conf` file:

    IP_FORWARDING=Yes

The `/etc/shorewall/interfaces` file must contain the network interface:

    #ZONE   INTERFACE       BROADCAST       OPTIONS
    - eth0 detect tcpflags,blacklist,routefilter,nosmurfs,logmartians,norfc1918
    #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

The `/etc/shorewall/zones` file must contain the network zones:

    ###############################################################################
    #ZONE   TYPE            OPTIONS         IN                      OUT
    #                                       OPTIONS                 OPTIONS
    fw      firewall
    vm      ipv4
    net     ipv4
    #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

The `/etc/shorewall/hosts` file associates zones with subnets:

    #ZONE   HOST(S)                                 OPTIONS
    vm      eth0:192.168.0.0/24
    net     eth0:0.0.0.0/0
    #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE

The `/etc/shorewall/policy` file defines the default rules for packet traffic between zones:

    ###############################################################################
    #SOURCE         DEST            POLICY          LOG             LIMIT:BURST
    #                                               LEVEL
    vm              net             ACCEPT
    $FW             net             ACCEPT
    $FW             vm              ACCEPT
    net             all             DROP            info
    # THE FOLLOWING POLICY MUST BE LAST
    all             all             REJECT          info
    #LAST LINE -- DO NOT REMOVE
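Shorewall evaluates the policy file top to bottom with first match winning, so the order above matters: traffic from `net` must hit the logged `DROP` before the catch-all `REJECT`, and anything accepted from `net` should be an explicit entry in `rules`, not a policy. The following check is an added example, not part of this document or of Shorewall; it assumes the standard column order SOURCE DEST POLICY [LOG LEVEL] [LIMIT:BURST] and uses the policy file shown above as a constructed sample.

```python
# Added example: sanity-check a /etc/shorewall/policy file against the
# default-deny layout used in this document. Assumes the standard column
# order SOURCE DEST POLICY [LOG-LEVEL] [LIMIT:BURST], '#' comments, and
# Shorewall's first-match evaluation of policies.

# Constructed sample: the policy file shown in this document.
SAMPLE_POLICY = """\
#SOURCE         DEST            POLICY          LOG             LIMIT:BURST
vm              net             ACCEPT
$FW             net             ACCEPT
$FW             vm              ACCEPT
net             all             DROP            info
# THE FOLLOWING POLICY MUST BE LAST
all             all             REJECT          info
#LAST LINE -- DO NOT REMOVE
"""


def parse_policy(text):
    """Return (source, dest, policy, log_level) tuples in file order."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"malformed policy line: {raw!r}")
        level = fields[3] if len(fields) > 3 else None
        entries.append((fields[0], fields[1], fields[2].upper(), level))
    return entries


def policy_findings(text):
    """List deviations from the layout above; an empty list means:
    the catch-all 'all all REJECT' is last, 'net' traffic is dropped (and
    logged) before it, and no policy accepts traffic from 'net' (those
    exceptions belong in /etc/shorewall/rules, per service)."""
    entries = parse_policy(text)
    findings = []
    if not entries or entries[-1][:3] != ("all", "all", "REJECT"):
        findings.append("last policy is not the catch-all 'all all REJECT'")
    for idx, (src, dst, pol, level) in enumerate(entries, start=1):
        if src == "net" and pol == "ACCEPT":
            findings.append(f"policy {idx}: net -> {dst} ACCEPT; use rules instead")
        if src == "net" and pol in ("DROP", "REJECT") and level is None:
            findings.append(f"policy {idx}: net -> {dst} {pol} is not logged")
    # First match wins, so the net drop must precede the catch-all.
    if not any(e[:3] == ("net", "all", "DROP") for e in entries[:-1]):
        findings.append("'net all DROP' must appear before the catch-all")
    return findings
```

Run it against the real file with `policy_findings(open("/etc/shorewall/policy").read())` before `shorewall start`; the check only reads the file and changes nothing.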

And the `/etc/shorewall/rules` file defines exceptions to the general policies:

    ################################################################
    #ACTION         SOURCE          DEST            PROTO   DEST
    SSH/ACCEPT      net             $FW
    Ping/ACCEPT     net             $FW
    HTTP/ACCEPT     net             $FW
    HTTPS/ACCEPT    net             $FW
    #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

We add NAT masquerading for packets from the internal network through `/etc/shorewall/masq`:

    ###############################################################################
    #INTERFACE              SOURCE          ADDRESS         PROTO   PORT(S) IPSEC   MARK
    eth0:!192.168.0.0/24    192.168.0.0/24
    #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

Enable shorewall by changing the startup value in `/etc/default/shorewall` to `1`:

    startup=1

Finally, we can start shorewall:

    /etc/init.d/shorewall start

## Shorewall and Puppet

Once a [puppetmaster](../puppet) node is running, the
[puppet-shorewall](http://git.sarava.org/?p=puppet-shorewall.git;a=summary)
module can be used to manage the firewall. However, if you replace the
procedure above with its puppet version, make sure to delete the files
`/etc/shorewall/{masq,policy,zones,rules,interfaces}`.