vuurmuur: Define a sane ruleset.

diff --git a/etc/vuurmuur/interfaces/inet-nic.conf b/etc/vuurmuur/interfaces/inet-nic.conf
new file mode 100644 (file)
index 0000000..5dcc007
--- /dev/null
+++ b/etc/vuurmuur/interfaces/inet-nic.conf
@@ -0,0 +1,11 @@
+ACTIVE="Yes"
+IPADDRESS="94.142.244.14"
+INTERFACE=""
+VIRTUAL="No"
+RULE="protect against source-routed-packets"
+RULE="protect against icmp-redirect"
+RULE="protect against send-redirect"
+RULE="protect against rp-filter"
+RULE="protect against log-martians"
+COMMENT="                                                                                                                                                                                                                                                "
+DEVICE="eth0"

diff --git a/etc/vuurmuur/interfaces/loopback-nic.conf b/etc/vuurmuur/interfaces/loopback-nic.conf
new file mode 100644 (file)
index 0000000..190a1f1
--- /dev/null
+++ b/etc/vuurmuur/interfaces/loopback-nic.conf
@@ -0,0 +1,11 @@
+ACTIVE="Yes"
+IPADDRESS="127.0.0.1"
+INTERFACE=""
+VIRTUAL="No"
+RULE="protect against source-routed-packets"
+RULE="protect against icmp-redirect"
+RULE="protect against send-redirect"
+RULE="protect against rp-filter"
+RULE="protect against log-martians"
+COMMENT=""
+DEVICE="lo"

diff --git a/etc/vuurmuur/interfaces/vservers-nic.conf b/etc/vuurmuur/interfaces/vservers-nic.conf
new file mode 100644 (file)
index 0000000..78390b9
--- /dev/null
+++ b/etc/vuurmuur/interfaces/vservers-nic.conf
@@ -0,0 +1,11 @@
+ACTIVE="Yes"
+IPADDRESS="10.42.0.1"
+INTERFACE=""
+VIRTUAL="No"
+RULE="protect against source-routed-packets"
+RULE="protect against icmp-redirect"
+RULE="protect against send-redirect"
+RULE="protect against rp-filter"
+RULE="protect against log-martians"
+COMMENT="Virtual interface for the vservers                                                                                                                                                                                                              "
+DEVICE="dummy0"

diff --git a/etc/vuurmuur/interfaces/zeratul-nic.conf b/etc/vuurmuur/interfaces/zeratul-nic.conf
new file mode 100644 (file)
index 0000000..6d788f7
--- /dev/null
+++ b/etc/vuurmuur/interfaces/zeratul-nic.conf
@@ -0,0 +1,11 @@
+ACTIVE="Yes"
+IPADDRESS="172.31.1.2"
+INTERFACE=""
+VIRTUAL="No"
+RULE="protect against source-routed-packets"
+RULE="protect against icmp-redirect"
+RULE="protect against send-redirect"
+RULE="protect against rp-filter"
+RULE="protect against log-martians"
+COMMENT="Direct link to Zeratul                                                                                                                                                                                                                          "
+DEVICE="eth1"

diff --git a/etc/vuurmuur/rules/blocklist.conf b/etc/vuurmuur/rules/blocklist.conf
new file mode 100644 (file)
index 0000000..d70674f
--- /dev/null
+++ b/etc/vuurmuur/rules/blocklist.conf
@@ -0,0 +1 @@
+RULE=""

diff --git a/etc/vuurmuur/rules/rules.conf b/etc/vuurmuur/rules/rules.conf
new file mode 100644 (file)
index 0000000..1e49c3c
--- /dev/null
+++ b/etc/vuurmuur/rules/rules.conf
@@ -0,0 +1,11 @@
+RULE="Accept service any from firewall to world.inet options comment=\"Outgoing host traffic\""
+RULE="Accept service any from vservers.internal to world.inet options comment=\"Outgoing vserver traffic\""
+RULE="Snat service any from vservers.internal to world.inet options comment=\"snat for vservers\""
+RULE="Accept service any from zeratul.direct to firewall options comment=\"direct traffic from zeratul\""
+RULE="Accept service any from firewall to zeratul.direct options comment=\"direct traffice to zeratul\""
+RULE="Accept service ssh-host from any to firewall(any) options comment=\"ssh access to the host\""
+RULE="Portfw service http from world.inet to www.vservers.internal options comment=\"http to www\""
+RULE="Portfw service smtp from world.inet to mail.vservers.internal options comment=\"smtp to mail\""
+RULE="Portfw service dns from world.inet to dns.vservers.internal options comment=\"dns to dns\""
+RULE="Portfw service imaps from world.inet to mail.vservers.internal options comment=\"imaps to mail\""
+RULE="Portfw service ssh from world.inet to login.vservers.internal options comment=\"ssh to login\""

diff --git a/etc/vuurmuur/services/ssh-host b/etc/vuurmuur/services/ssh-host
new file mode 100644 (file)
index 0000000..5fdcddf
--- /dev/null
+++ b/etc/vuurmuur/services/ssh-host
@@ -0,0 +1,11 @@
+ACTIVE="Yes"
+TCP="22*1024:65535"
+UDP=""
+ICMP=""
+GRE=""
+AH=""
+ESP=""
+PROTO_41=""
+BROADCAST="No"
+HELPER=""
+COMMENT="The ssh daemon on the host, which runs on an    alternative port.                                                                                                                                                                               "

diff --git a/etc/vuurmuur/vuurmuur_conf.conf b/etc/vuurmuur/vuurmuur_conf.conf
index efc136db6b2a9c5826cc0a79c60ed79f834a9bd1..5a7459b97f3e8f20c819d1da862a373c2e07a8c8 100644 (file)
--- a/etc/vuurmuur/vuurmuur_conf.conf
+++ b/etc/vuurmuur/vuurmuur_conf.conf
@@ -9,7 +9,7 @@ ADVANCED_MODE="No"
 MAINMENU_STATUS="Yes"
 
 # NEWRULE_LOG enables logging for new rules.
-NEWRULE_LOG="Yes"
+NEWRULE_LOG="No"
 
 # NEWRULE_LOGLIMIT sets the maximum number of logs per second for new rules.
 NEWRULE_LOGLIMIT="20"

diff --git a/etc/vuurmuur/zones/direct/networks/zeratul/hosts/zeratul.host b/etc/vuurmuur/zones/direct/networks/zeratul/hosts/zeratul.host
new file mode 100644 (file)
index 0000000..0b204f9
--- /dev/null
+++ b/etc/vuurmuur/zones/direct/networks/zeratul/hosts/zeratul.host
@@ -0,0 +1,4 @@
+ACTIVE="No"
+IPADDRESS=""
+MAC=""
+COMMENT=""

diff --git a/etc/vuurmuur/zones/direct/networks/zeratul/network.config b/etc/vuurmuur/zones/direct/networks/zeratul/network.config
new file mode 100644 (file)
index 0000000..85aa30d
--- /dev/null
+++ b/etc/vuurmuur/zones/direct/networks/zeratul/network.config
@@ -0,0 +1,6 @@
+ACTIVE="Yes"
+NETWORK="172.31.1.0"
+NETMASK="255.255.255.0"
+INTERFACE="zeratul-nic"
+RULE=""
+COMMENT=""

diff --git a/etc/vuurmuur/zones/direct/zone.config b/etc/vuurmuur/zones/direct/zone.config
new file mode 100644 (file)
index 0000000..c25223c
--- /dev/null
+++ b/etc/vuurmuur/zones/direct/zone.config
@@ -0,0 +1,2 @@
+ACTIVE="Yes"
+COMMENT="The direct link to Zeratul                                                                                                                                                                                                                      "

diff --git a/etc/vuurmuur/zones/inet/networks/world/network.config b/etc/vuurmuur/zones/inet/networks/world/network.config
new file mode 100644 (file)
index 0000000..b38e3bf
--- /dev/null
+++ b/etc/vuurmuur/zones/inet/networks/world/network.config
@@ -0,0 +1,6 @@
+ACTIVE="Yes"
+NETWORK="0.0.0.0"
+NETMASK="0.0.0.0"
+INTERFACE="inet-nic"
+RULE=""
+COMMENT=""

diff --git a/etc/vuurmuur/zones/inet/zone.config b/etc/vuurmuur/zones/inet/zone.config
new file mode 100644 (file)
index 0000000..39ff50a
--- /dev/null
+++ b/etc/vuurmuur/zones/inet/zone.config
@@ -0,0 +1,2 @@
+ACTIVE="Yes"
+COMMENT="The world wide internet                                                                                                                                                                                                                         "

diff --git a/etc/vuurmuur/zones/internal/networks/vservers/hosts/build.host b/etc/vuurmuur/zones/internal/networks/vservers/hosts/build.host
new file mode 100644 (file)
index 0000000..4d3ac45
--- /dev/null
+++ b/etc/vuurmuur/zones/internal/networks/vservers/hosts/build.host
@@ -0,0 +1,4 @@
+ACTIVE="Yes"
+IPADDRESS="10.42.0.3"
+MAC=""
+COMMENT=""

diff --git a/etc/vuurmuur/zones/internal/networks/vservers/hosts/dns.host b/etc/vuurmuur/zones/internal/networks/vservers/hosts/dns.host
new file mode 100644 (file)
index 0000000..b829bff
--- /dev/null
+++ b/etc/vuurmuur/zones/internal/networks/vservers/hosts/dns.host
@@ -0,0 +1,4 @@
+ACTIVE="Yes"
+IPADDRESS="10.42.0.5"
+MAC=""
+COMMENT=""

diff --git a/etc/vuurmuur/zones/internal/networks/vservers/hosts/ldap.host b/etc/vuurmuur/zones/internal/networks/vservers/hosts/ldap.host
new file mode 100644 (file)
index 0000000..5335d95
--- /dev/null
+++ b/etc/vuurmuur/zones/internal/networks/vservers/hosts/ldap.host
@@ -0,0 +1,4 @@
+ACTIVE="Yes"
+IPADDRESS="10.42.0.4"
+MAC=""
+COMMENT=""

diff --git a/etc/vuurmuur/zones/internal/networks/vservers/hosts/login.host b/etc/vuurmuur/zones/internal/networks/vservers/hosts/login.host
new file mode 100644 (file)
index 0000000..979ca6b
--- /dev/null
+++ b/etc/vuurmuur/zones/internal/networks/vservers/hosts/login.host
@@ -0,0 +1,4 @@
+ACTIVE="Yes"
+IPADDRESS="10.42.0.9"
+MAC=""
+COMMENT=""

diff --git a/etc/vuurmuur/zones/internal/networks/vservers/hosts/mail.host b/etc/vuurmuur/zones/internal/networks/vservers/hosts/mail.host
new file mode 100644 (file)
index 0000000..7b2783a
--- /dev/null
+++ b/etc/vuurmuur/zones/internal/networks/vservers/hosts/mail.host
@@ -0,0 +1,4 @@
+ACTIVE="Yes"
+IPADDRESS="10.42.0.10"
+MAC=""
+COMMENT=""

diff --git a/etc/vuurmuur/zones/internal/networks/vservers/hosts/mysql.host b/etc/vuurmuur/zones/internal/networks/vservers/hosts/mysql.host
new file mode 100644 (file)
index 0000000..24db540
--- /dev/null
+++ b/etc/vuurmuur/zones/internal/networks/vservers/hosts/mysql.host
@@ -0,0 +1,4 @@
+ACTIVE="Yes"
+IPADDRESS="10.42.0.6"
+MAC=""
+COMMENT=""

diff --git a/etc/vuurmuur/zones/internal/networks/vservers/hosts/www.host b/etc/vuurmuur/zones/internal/networks/vservers/hosts/www.host
new file mode 100644 (file)
index 0000000..819c3a8
--- /dev/null
+++ b/etc/vuurmuur/zones/internal/networks/vservers/hosts/www.host
@@ -0,0 +1,4 @@
+ACTIVE="Yes"
+IPADDRESS="10.42.0.7"
+MAC=""
+COMMENT=""

diff --git a/etc/vuurmuur/zones/internal/networks/vservers/network.config b/etc/vuurmuur/zones/internal/networks/vservers/network.config
new file mode 100644 (file)
index 0000000..8f948b0
--- /dev/null
+++ b/etc/vuurmuur/zones/internal/networks/vservers/network.config
@@ -0,0 +1,6 @@
+ACTIVE="Yes"
+NETWORK="10.42.0.0"
+NETMASK="255.255.255.0"
+INTERFACE="vservers-nic"
+RULE=""
+COMMENT=""

diff --git a/etc/vuurmuur/zones/internal/zone.config b/etc/vuurmuur/zones/internal/zone.config
new file mode 100644 (file)
index 0000000..b22a609
--- /dev/null
+++ b/etc/vuurmuur/zones/internal/zone.config
@@ -0,0 +1,2 @@
+ACTIVE="Yes"
+COMMENT="Internal networks                                                                                                                                                                                                                               "