vuurmuur: Make portforward rules work.
authorroot <root@drsnuggles.stderr.nl>
Thu, 16 Apr 2009 14:49:22 +0000 (16:49 +0200)
committerroot <root@drsnuggles.stderr.nl>
Thu, 16 Apr 2009 14:49:22 +0000 (16:49 +0200)
The Portfw rules did not work, since vuurmuur does not know the concept
of local networks and produced FORWARD rules in place of INPUT rules. We
emulate this behaviour by giving the firewall a virtual interface for
each vserver on the world.inet network. This requires splitting each Portfw
rule into a normal Dnat rule plus a hacky Accept rule that has in_int
set.

etc/vuurmuur/interfaces/vserver-dns-nic.conf [new file with mode: 0644]
etc/vuurmuur/interfaces/vserver-login-nic.conf [new file with mode: 0644]
etc/vuurmuur/interfaces/vserver-mail-nic.conf [new file with mode: 0644]
etc/vuurmuur/interfaces/vserver-www-nic.conf [new file with mode: 0644]
etc/vuurmuur/rules/rules.conf
etc/vuurmuur/zones/inet/networks/world/network.config

diff --git a/etc/vuurmuur/interfaces/vserver-dns-nic.conf b/etc/vuurmuur/interfaces/vserver-dns-nic.conf
new file mode 100644 (file)
index 0000000..d9f2b89
--- /dev/null
@@ -0,0 +1,11 @@
+ACTIVE="Yes"
+IPADDRESS="10.42.0.5"
+INTERFACE=""
+VIRTUAL="Yes"
+RULE="protect against source-routed-packets"
+RULE="protect against icmp-redirect"
+RULE="protect against send-redirect"
+RULE="protect against rp-filter"
+RULE="protect against log-martians"
+COMMENT=""
+DEVICE="eth0"
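Review bot: Each of the four new interface files leaves `COMMENT=""` empty, so nothing in the configuration records that these interfaces exist only to make DNATed vserver traffic count as firewall-local; the same applies to vserver-login-nic.conf, vserver-mail-nic.conf and vserver-www-nic.conf below. Someone auditing the ruleset later sees `VIRTUAL="Yes"`, `DEVICE="eth0"` and a 10.42.0.x address and has no way to tell this is paired with the Dnat/Accept rules in rules.conf. Suggest `COMMENT="Virtual interface holding the dns vserver address so DNATed world.inet traffic is accepted as local; paired with the Dnat/Accept rules in rules.conf"`, adapted per vserver. The IPADDRESS here presumably duplicates the address assigned to dns.vservers.internal in the zone definition, so a change there must be mirrored here; the comment could note that too.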
diff --git a/etc/vuurmuur/interfaces/vserver-login-nic.conf b/etc/vuurmuur/interfaces/vserver-login-nic.conf
new file mode 100644 (file)
index 0000000..50409f3
--- /dev/null
@@ -0,0 +1,11 @@
+ACTIVE="Yes"
+IPADDRESS="10.42.0.9"
+INTERFACE=""
+VIRTUAL="Yes"
+RULE="protect against source-routed-packets"
+RULE="protect against icmp-redirect"
+RULE="protect against send-redirect"
+RULE="protect against rp-filter"
+RULE="protect against log-martians"
+COMMENT=""
+DEVICE="eth0"
diff --git a/etc/vuurmuur/interfaces/vserver-mail-nic.conf b/etc/vuurmuur/interfaces/vserver-mail-nic.conf
new file mode 100644 (file)
index 0000000..152283c
--- /dev/null
@@ -0,0 +1,11 @@
+ACTIVE="Yes"
+IPADDRESS="10.42.0.10"
+INTERFACE=""
+VIRTUAL="Yes"
+RULE="protect against source-routed-packets"
+RULE="protect against icmp-redirect"
+RULE="protect against send-redirect"
+RULE="protect against rp-filter"
+RULE="protect against log-martians"
+COMMENT=""
+DEVICE="eth0"
diff --git a/etc/vuurmuur/interfaces/vserver-www-nic.conf b/etc/vuurmuur/interfaces/vserver-www-nic.conf
new file mode 100644 (file)
index 0000000..586e667
--- /dev/null
@@ -0,0 +1,11 @@
+ACTIVE="Yes"
+IPADDRESS="10.42.0.7"
+INTERFACE=""
+VIRTUAL="Yes"
+RULE="protect against source-routed-packets"
+RULE="protect against icmp-redirect"
+RULE="protect against send-redirect"
+RULE="protect against rp-filter"
+RULE="protect against log-martians"
+COMMENT=""
+DEVICE="eth0"
index 1532bbe9fd619caa95d73476c7e32d1a8d7e3b14..8fd8344ecc55c2d9d328b2ce42872289ac6411f1 100644 (file)
@@ -7,8 +7,13 @@ RULE="Accept service any from zeratul.direct to firewall options comment=\"direc
 RULE="Accept service any from firewall to zeratul.direct options comment=\"direct traffice to zeratul\""
 RULE="separator"
 RULE="Accept service ssh-host from any to firewall(any) options comment=\"ssh access to the host\""
-RULE="Portfw service http from world.inet to www.vservers.internal options comment=\"http to www\""
-RULE="Portfw service smtp from world.inet to mail.vservers.internal options comment=\"smtp to mail\""
-RULE="Portfw service dns from world.inet to dns.vservers.internal options comment=\"dns to dns\""
-RULE="Portfw service imaps from world.inet to mail.vservers.internal options comment=\"imaps to mail\""
-RULE="Portfw service ssh from world.inet to login.vservers.internal options comment=\"ssh to login\""
+RULE="Dnat service http from world.inet to www.vservers.internal options comment=\"http to www\""
+RULE="Accept service http from world.inet to firewall options in_int=\"vserver-www-nic\""
+RULE="Dnat service smtp from world.inet to mail.vservers.internal options comment=\"smtp to mail\""
+RULE="Accept service smtp from world.inet to firewall options in_int=\"vserver-mail-nic\""
+RULE="Dnat service dns from world.inet to dns.vservers.internal options comment=\"dns to dns\""
+RULE="Accept service dns from world.inet to firewall options in_int=\"vserver-dns-nic\""
+RULE="Dnat service imaps from world.inet to mail.vservers.internal options comment=\"imaps to mail\""
+RULE="Accept service imaps from world.inet to firewall options in_int=\"vserver-mail-nic\""
+RULE="Dnat service ssh from world.inet to login.vservers.internal options comment=\"ssh to login\""
+RULE="Accept service ssh from world.inet to firewall options in_int=\"vserver-login-nic\""
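Review bot: The five new Accept rules (the lines with `in_int=`) are the only rules in this hunk without a `comment=` option, and they are the ones that most need one: each opens the firewall's INPUT path for world.inet traffic on that service and is only meaningful together with the Dnat rule directly above it. Suggest e.g. `RULE="Accept service http from world.inet to firewall options in_int=\"vserver-www-nic\",comment=\"accept DNATed http for www (pairs with Dnat rule above)\""` and likewise for the other four. Because the match is `to firewall` rather than to the vserver host, it is worth confirming that the in_int restriction is what keeps this from also accepting the service on the firewall's own inet address; the commit message calls the rule hacky, but the ruleset itself does not say why.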
index b38e3bfa665affabcd17590ea4c23a5e16492fa1..b4c6b3724e5f9e99ef604f18e7a6a660500e9a10 100644 (file)
@@ -2,5 +2,9 @@ ACTIVE="Yes"
 NETWORK="0.0.0.0"
 NETMASK="0.0.0.0"
 INTERFACE="inet-nic"
+INTERFACE="vserver-www-nic"
+INTERFACE="vserver-mail-nic"
+INTERFACE="vserver-dns-nic"
+INTERFACE="vserver-login-nic"
 RULE=""
 COMMENT=""
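Review bot: Adding the four vserver virtual interfaces to world.inet, a network defined as `0.0.0.0`/`0.0.0.0`, changes what `world.inet` means for every existing rule, not only for the new Dnat/Accept pairs, while the file's `COMMENT=""` stays empty. Any other rule in rules.conf written as `from world.inet` or `to world.inet` will presumably now also match via these interfaces, so the whole ruleset rather than just the hunk above should be checked for that widening. Suggest `COMMENT="Includes the vserver-*-nic virtual interfaces so DNATed traffic to the vservers is handled as world.inet to firewall; see rules.conf"`.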