Shorewall

/etc/default/shorewall

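# /etc/default/shorewall: let the init script bring the firewall up at boot.
startup=1
# State directory referenced as VARDIR in shorewall.conf. Creating it with its
# final mode in one step avoids the brief window in which a default-umask
# mkdir followed by a separate chmod leaves the directory world-readable.
mkdir -m 0750 /etc/shorewall/vardir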

/etc/shorewall/shorewall.conf

# /etc/shorewall/shorewall.conf is sourced as shell: KEY=VALUE, no spaces around '='.
# Directory for Shorewall's compiled firewall script and saved state. This is a
# non-default location (the stock default is /var/lib/shorewall); it is the
# directory created with mode 0750 above, so only root can read its contents.
VARDIR=/etc/shorewall/vardir

# Throttle the kernel log entries produced by the 'info' policies and rules:
# the first 5 are logged, then at most 10 per minute, so a flood of dropped
# packets cannot fill the log or hide other messages.
LOGRATE=10/minute
LOGBURST=5

# Single-host firewall: never route packets between interfaces.
IP_FORWARDING=Off
# The 'blacklist' interface option requires this file to exist, even when empty.
touch /etc/shorewall/blacklist

/etc/shorewall/interfaces

# /etc/shorewall/interfaces
# Columns: ZONE  INTERFACE  BROADCAST  OPTIONS
# 'detect' lets Shorewall work out the broadcast address itself.
# OPTIONS harden the external interface:
#   norfc1918   - drop packets arriving with RFC 1918 (private) source addresses
#                 (this option was dropped in later Shorewall releases; check your version)
#   routefilter - enable reverse-path filtering on eth0 (anti-spoofing)
#   tcpflags    - drop packets with invalid TCP flag combinations
#   logmartians - log packets with impossible source addresses
#   nosmurfs    - drop packets whose source is a broadcast address
#   blacklist   - check incoming packets against /etc/shorewall/blacklist
net     eth0            detect          norfc1918,routefilter,tcpflags,logmartians,nosmurfs,blacklist

/etc/shorewall/zones

# /etc/shorewall/zones
# Columns: ZONE  TYPE
# 'fw' is the firewall host itself (type firewall) and is written as $FW in
# the policy and rules files; 'net' is everything reached through eth0.
fw      firewall
net     ipv4

/etc/shorewall/policy

# /etc/shorewall/policy
# Columns: SOURCE  DEST  POLICY  LOG LEVEL
# Policies are applied first-match, so the specific pairs come before 'all'.
# Default-deny in both directions: traffic the firewall itself originates is
# dropped unless a rule in /etc/shorewall/rules permits it (egress filtering),
# and every policy hit is logged at 'info' (throttled by LOGRATE/LOGBURST).
$FW             net             DROP            info
net             $FW             DROP            info
net             all             DROP            info
# The FOLLOWING POLICY MUST BE LAST
all             all             REJECT          info

/etc/shorewall/start

# /etc/shorewall/start is an extension script run when the firewall is started.
# Console log level 5: only kernel messages more severe than that (priorities
# 0-4, emerg..warning) are printed on the console, so the priority-6 'info'
# entries from the policies and rules go to syslog without flooding the console.
dmesg -n5

/etc/shorewall/rules

# /etc/shorewall/rules
# Columns: ACTION  SOURCE  DEST  PROTO  DEST PORT(S)  SOURCE PORT(S)  ORIGINAL DEST  RATE LIMIT
# Rules are exceptions to the DROP/REJECT policies: anything not listed here is
# dropped and logged. The SOURCE PORT column (1024:65535) only admits connections
# made from unprivileged client ports; a peer using a privileged source port is
# handled by the policy instead. RATE LIMIT 'n/sec:b' applies to new connections
# (burst b, then n per second); connections over the limit fall through to the policy.
# Permit all ICMP traffic FROM the firewall TO the net zone
ACCEPT          $FW             net                     icmp

# SMTP
ACCEPT          $FW             net                     tcp     25      1024:65535

# WHOIS
ACCEPT          $FW             net                     tcp     43      1024:65535

# DNS
# UDP only: a resolver retries over TCP 53 when a response is truncated, and no
# rule here permits that, so large responses (DNSSEC, big zones) will fail
# unless a matching tcp 53 rule is added.
ACCEPT          $FW             net                     udp     53      1024:65535

# HTTP
# Outbound HTTP is allowed only to the hosts listed by address. That keeps
# egress tight, but mirror addresses change over time and a mirror reached via
# a different address is dropped and logged; re-check these when apt fails.
# Ubuntu
ACCEPT          $FW             net:195.248.90.38       tcp     80      1024:65535
ACCEPT          $FW             net:195.228.252.133     tcp     80      1024:65535
ACCEPT          $FW             net:91.189.90.142       tcp     80      1024:65535
ACCEPT          $FW             net:91.189.89.182       tcp     80      1024:65535
ACCEPT          $FW             net:91.189.89.8         tcp     80      1024:65535
ACCEPT          $FW             net:91.189.89.6         tcp     80      1024:65535
ACCEPT          $FW             net:91.189.88.37        tcp     80      1024:65535
ACCEPT          $FW             net:91.189.88.31        tcp     80      1024:65535
ACCEPT          $FW             net:82.211.81.138       tcp     80      1024:65535
#GeoIP
ACCEPT          $FW             net:67.15.94.80         tcp     80      1024:65535

# NTP
# A single time server by address; if it moves, time sync stops silently
# (the drops show up in the log at 'info').
ACCEPT          $FW             net:193.67.79.202       udp     123     1024:65535

# Reject Ping from the "bad" net zone.. and prevent your log from being flooded..
# Ping is a Shorewall macro. This rule carries no log level and is matched
# before the net->$FW DROP policy, so pings are answered with an ICMP error
# instead of being dropped and logged.
Ping/REJECT     net             $FW

# FTP
# 'your_range' is a placeholder: replace it with the address or CIDR block that
# may log in. FTP sends credentials in cleartext, and its data connections
# typically need the kernel FTP connection-tracking helper loaded; this rule
# alone admits only the control channel on port 21.
ACCEPT          net:your_range  $FW             tcp     21      1024:65535      -       2/sec:3

# SSH
# Same placeholder as above; new connections limited to a burst of 3, then 2/sec.
ACCEPT          net:your_range  $FW             tcp     22      1024:65535      -       2/sec:3

# SMTP
# Open to all, but limited to one new connection per second with no burst.
# A legitimate sender opening several connections at once will have the extra
# ones dropped and logged; raise the limit if mail delivery suffers.
ACCEPT          net             $FW             tcp     25      1024:65535      -       1/sec:1

# HTTP
# '-' leaves ORIGINAL DEST unset so the rate limit lands in the right column.
ACCEPT          net             $FW             tcp     80      1024:65535      -       24/sec:32

# HTTPS
ACCEPT          net             $FW             tcp     443     1024:65535      -       5/sec:10



http://www.shorewall.net/

 