From 6f9dbdad3a9210a27fddcc58a56590b4087758b1 Mon Sep 17 00:00:00 2001 
From: root
Date: Thu, 16 Apr 2009 12:39:01 +0200
Subject: [PATCH] vuurmuur: Define a sane ruleset.

---
 etc/vuurmuur/interfaces/inet-nic.conf | 11 +++++++++++
 etc/vuurmuur/interfaces/loopback-nic.conf | 11 +++++++++++
 etc/vuurmuur/interfaces/vservers-nic.conf | 11 +++++++++++
 etc/vuurmuur/interfaces/zeratul-nic.conf | 11 +++++++++++
 etc/vuurmuur/rules/blocklist.conf | 1 +
 etc/vuurmuur/rules/rules.conf | 11 +++++++++++
 etc/vuurmuur/services/ssh-host | 11 +++++++++++
 etc/vuurmuur/vuurmuur_conf.conf | 2 +-
 .../zones/direct/networks/zeratul/hosts/zeratul.host | 4 ++++
 .../zones/direct/networks/zeratul/network.config | 6 ++++++
 etc/vuurmuur/zones/direct/zone.config | 2 ++
 etc/vuurmuur/zones/inet/networks/world/network.config | 6 ++++++
 etc/vuurmuur/zones/inet/zone.config | 2 ++
 .../zones/internal/networks/vservers/hosts/build.host | 4 ++++
 .../zones/internal/networks/vservers/hosts/dns.host | 4 ++++
 .../zones/internal/networks/vservers/hosts/ldap.host | 4 ++++
 .../zones/internal/networks/vservers/hosts/login.host | 4 ++++
 .../zones/internal/networks/vservers/hosts/mail.host | 4 ++++
 .../zones/internal/networks/vservers/hosts/mysql.host | 4 ++++
 .../zones/internal/networks/vservers/hosts/www.host | 4 ++++
 .../zones/internal/networks/vservers/network.config | 6 ++++++
 etc/vuurmuur/zones/internal/zone.config | 2 ++
 22 files changed, 124 insertions(+), 1 deletion(-)
 create mode 100644 etc/vuurmuur/interfaces/inet-nic.conf
 create mode 100644 etc/vuurmuur/interfaces/loopback-nic.conf
 create mode 100644 etc/vuurmuur/interfaces/vservers-nic.conf
 create mode 100644 etc/vuurmuur/interfaces/zeratul-nic.conf
 create mode 100644 etc/vuurmuur/rules/blocklist.conf
 create mode 100644 etc/vuurmuur/rules/rules.conf
 create mode 100644 etc/vuurmuur/services/ssh-host
 create mode 100644 etc/vuurmuur/zones/direct/networks/zeratul/hosts/zeratul.host
 create mode 100644 etc/vuurmuur/zones/direct/networks/zeratul/network.config
 create mode 100644 etc/vuurmuur/zones/direct/zone.config
 create mode 100644 etc/vuurmuur/zones/inet/networks/world/network.config
 create mode 100644 etc/vuurmuur/zones/inet/zone.config
 create mode 100644 etc/vuurmuur/zones/internal/networks/vservers/hosts/build.host
 create mode 100644 etc/vuurmuur/zones/internal/networks/vservers/hosts/dns.host
 create mode 100644 etc/vuurmuur/zones/internal/networks/vservers/hosts/ldap.host
 create mode 100644 etc/vuurmuur/zones/internal/networks/vservers/hosts/login.host
 create mode 100644 etc/vuurmuur/zones/internal/networks/vservers/hosts/mail.host
 create mode 100644 etc/vuurmuur/zones/internal/networks/vservers/hosts/mysql.host
 create mode 100644 etc/vuurmuur/zones/internal/networks/vservers/hosts/www.host
 create mode 100644 etc/vuurmuur/zones/internal/networks/vservers/network.config
 create mode 100644 etc/vuurmuur/zones/internal/zone.config

diff --git a/etc/vuurmuur/interfaces/inet-nic.conf b/etc/vuurmuur/interfaces/inet-nic.conf
new file mode 100644
index 0000000..5dcc007
--- /dev/null
+++ b/etc/vuurmuur/interfaces/inet-nic.conf
@@ -0,0 +1,11 @@
+ACTIVE="Yes"
+IPADDRESS="94.142.244.14"
+INTERFACE=""
+VIRTUAL="No"
+RULE="protect against source-routed-packets"
+RULE="protect against icmp-redirect"
+RULE="protect against send-redirect"
+RULE="protect against rp-filter"
+RULE="protect against log-martians"
+COMMENT=" "
+DEVICE="eth0"
diff --git a/etc/vuurmuur/interfaces/loopback-nic.conf b/etc/vuurmuur/interfaces/loopback-nic.conf
new file mode 100644
index 0000000..190a1f1
--- /dev/null
+++ b/etc/vuurmuur/interfaces/loopback-nic.conf
@@ -0,0 +1,11 @@
+ACTIVE="Yes"
+IPADDRESS="127.0.0.1"
+INTERFACE=""
+VIRTUAL="No"
+RULE="protect against source-routed-packets"
+RULE="protect against icmp-redirect"
+RULE="protect against send-redirect"
+RULE="protect against rp-filter"
+RULE="protect against log-martians"
+COMMENT=""
+DEVICE="lo"
diff --git a/etc/vuurmuur/interfaces/vservers-nic.conf b/etc/vuurmuur/interfaces/vservers-nic.conf
new file mode 100644
index 0000000..78390b9
--- /dev/null
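Review bot: `COMMENT=" "` in the inet-nic.conf hunk is a whitespace-only value where loopback-nic.conf in the same commit uses `COMMENT=""`; write it as `COMMENT=""` so the interface files agree. The same trailing-space habit recurs in vservers-nic.conf (`"...vservers "`), zeratul-nic.conf (`"...Zeratul "`), ssh-host (`"...port. "`) and all three zone.config files; how vuurmuur treats trailing whitespace in COMMENT is not shown here, so trimming is the safe choice. The five `protect against` entries are identical on all four interfaces, which reads as intended.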
+++ b/etc/vuurmuur/interfaces/vservers-nic.conf
@@ -0,0 +1,11 @@
+ACTIVE="Yes"
+IPADDRESS="10.42.0.1"
+INTERFACE=""
+VIRTUAL="No"
+RULE="protect against source-routed-packets"
+RULE="protect against icmp-redirect"
+RULE="protect against send-redirect"
+RULE="protect against rp-filter"
+RULE="protect against log-martians"
+COMMENT="Virtual interface for the vservers "
+DEVICE="dummy0"
diff --git a/etc/vuurmuur/interfaces/zeratul-nic.conf b/etc/vuurmuur/interfaces/zeratul-nic.conf
new file mode 100644
index 0000000..6d788f7
--- /dev/null
+++ b/etc/vuurmuur/interfaces/zeratul-nic.conf
@@ -0,0 +1,11 @@
+ACTIVE="Yes"
+IPADDRESS="172.31.1.2"
+INTERFACE=""
+VIRTUAL="No"
+RULE="protect against source-routed-packets"
+RULE="protect against icmp-redirect"
+RULE="protect against send-redirect"
+RULE="protect against rp-filter"
+RULE="protect against log-martians"
+COMMENT="Direct link to Zeratul "
+DEVICE="eth1"
diff --git a/etc/vuurmuur/rules/blocklist.conf b/etc/vuurmuur/rules/blocklist.conf
new file mode 100644
index 0000000..d70674f
--- /dev/null
+++ b/etc/vuurmuur/rules/blocklist.conf
@@ -0,0 +1 @@
+RULE=""
diff --git a/etc/vuurmuur/rules/rules.conf b/etc/vuurmuur/rules/rules.conf
new file mode 100644
index 0000000..1e49c3c
--- /dev/null
+++ b/etc/vuurmuur/rules/rules.conf
@@ -0,0 +1,11 @@
+RULE="Accept service any from firewall to world.inet options comment=\"Outgoing host traffic\""
+RULE="Accept service any from vservers.internal to world.inet options comment=\"Outgoing vserver traffic\""
+RULE="Snat service any from vservers.internal to world.inet options comment=\"snat for vservers\""
+RULE="Accept service any from zeratul.direct to firewall options comment=\"direct traffic from zeratul\""
+RULE="Accept service any from firewall to zeratul.direct options comment=\"direct traffice to zeratul\""
+RULE="Accept service ssh-host from any to firewall(any) options comment=\"ssh access to the host\""
+RULE="Portfw service http from world.inet to www.vservers.internal options comment=\"http to www\""
+RULE="Portfw service smtp from world.inet to mail.vservers.internal options comment=\"smtp to mail\""
+RULE="Portfw service dns from world.inet to dns.vservers.internal options comment=\"dns to dns\""
+RULE="Portfw service imaps from world.inet to mail.vservers.internal options comment=\"imaps to mail\""
+RULE="Portfw service ssh from world.inet to login.vservers.internal options comment=\"ssh to login\""
diff --git a/etc/vuurmuur/services/ssh-host b/etc/vuurmuur/services/ssh-host
new file mode 100644
index 0000000..5fdcddf
--- /dev/null
+++ b/etc/vuurmuur/services/ssh-host
@@ -0,0 +1,11 @@
+ACTIVE="Yes"
+TCP="22*1024:65535"
+UDP=""
+ICMP=""
+GRE=""
+AH=""
+ESP=""
+PROTO_41=""
+BROADCAST="No"
+HELPER=""
+COMMENT="The ssh daemon on the host, which runs on an alternative port. "
diff --git a/etc/vuurmuur/vuurmuur_conf.conf b/etc/vuurmuur/vuurmuur_conf.conf
index efc136d..5a7459b 100644
--- a/etc/vuurmuur/vuurmuur_conf.conf
+++ b/etc/vuurmuur/vuurmuur_conf.conf
@@ -9,7 +9,7 @@ ADVANCED_MODE="No"
 MAINMENU_STATUS="Yes"
 
 # NEWRULE_LOG enables logging for new rules.
-NEWRULE_LOG="Yes"
+NEWRULE_LOG="No"
 
 # NEWRULE_LOGLIMIT sets the maximum number of logs per second for new rules.
 NEWRULE_LOGLIMIT="20"
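Review bot: The `Accept service ssh-host from any to firewall(any)` rule in rules.conf admits SSH to the host from every zone, world.inet included, yet none of the eleven rules carries vuurmuur's `log` option, so accepted logins and the five port-forwards leave no firewall log trail — and this same commit sets `NEWRULE_LOG="No"` in vuurmuur_conf.conf, so rules added later through the UI will presumably default to unlogged as well. At minimum the ssh rule should become `RULE="Accept service ssh-host from any to firewall(any) options log,comment=\"ssh access to the host\""`, and the same is worth doing on the Portfw lines. `Portfw service dns from world.inet to dns.vservers.internal` exposes port 53 to the whole internet, which is fine for an authoritative-only server but makes that vserver an open resolver if it recurses, so confirm recursion is disabled on dns.vservers.internal. Minor: the comment on the fifth rule reads `direct traffice to zeratul`.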
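Review bot: `TCP="22*1024:65535"` in the ssh-host service looks like it has the two sides of the port pair swapped: vuurmuur service files write the field as `source*destination` (the stock definitions use forms like `1024:65535*80`), so as written this service matches connections coming from source port 22 to any port 1024–65535 on the host rather than connections to an SSH daemon, and the COMMENT itself says the daemon runs on an alternative port, which 22 is not. Because rules.conf attaches this service to an `Accept ... from any to firewall(any)` rule, the practical effect is that every unprivileged TCP port on the firewall is reachable from any zone by a peer whose connection originates from port 22. The intended form would be `TCP="1024:65535*<SSH_ALT_PORT>"`, where `<SSH_ALT_PORT>` is a placeholder for the real alternative port, which is not on this page. If the `source*destination` reading does not hold for this vuurmuur version, the COMMENT should at least state which side the 22 is on.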
diff --git a/etc/vuurmuur/zones/direct/networks/zeratul/hosts/zeratul.host b/etc/vuurmuur/zones/direct/networks/zeratul/hosts/zeratul.host
new file mode 100644
index 0000000..0b204f9
--- /dev/null
+++ b/etc/vuurmuur/zones/direct/networks/zeratul/hosts/zeratul.host
@@ -0,0 +1,4 @@
+ACTIVE="No"
+IPADDRESS=""
+MAC=""
+COMMENT=""
diff --git a/etc/vuurmuur/zones/direct/networks/zeratul/network.config b/etc/vuurmuur/zones/direct/networks/zeratul/network.config
new file mode 100644
index 0000000..85aa30d
--- /dev/null
+++ b/etc/vuurmuur/zones/direct/networks/zeratul/network.config
@@ -0,0 +1,6 @@
+ACTIVE="Yes"
+NETWORK="172.31.1.0"
+NETMASK="255.255.255.0"
+INTERFACE="zeratul-nic"
+RULE=""
+COMMENT=""
diff --git a/etc/vuurmuur/zones/direct/zone.config b/etc/vuurmuur/zones/direct/zone.config
new file mode 100644
index 0000000..c25223c
--- /dev/null
+++ b/etc/vuurmuur/zones/direct/zone.config
@@ -0,0 +1,2 @@
+ACTIVE="Yes"
+COMMENT="The direct link to Zeratul "
diff --git a/etc/vuurmuur/zones/inet/networks/world/network.config b/etc/vuurmuur/zones/inet/networks/world/network.config
new file mode 100644
index 0000000..b38e3bf
--- /dev/null
+++ b/etc/vuurmuur/zones/inet/networks/world/network.config
@@ -0,0 +1,6 @@
+ACTIVE="Yes"
+NETWORK="0.0.0.0"
+NETMASK="0.0.0.0"
+INTERFACE="inet-nic"
+RULE=""
+COMMENT=""
diff --git a/etc/vuurmuur/zones/inet/zone.config b/etc/vuurmuur/zones/inet/zone.config
new file mode 100644
index 0000000..39ff50a
--- /dev/null
+++ b/etc/vuurmuur/zones/inet/zone.config
@@ -0,0 +1,2 @@
+ACTIVE="Yes"
+COMMENT="The world wide internet "
diff --git a/etc/vuurmuur/zones/internal/networks/vservers/hosts/build.host b/etc/vuurmuur/zones/internal/networks/vservers/hosts/build.host
new file mode 100644
index 0000000..4d3ac45
--- /dev/null
+++ b/etc/vuurmuur/zones/internal/networks/vservers/hosts/build.host
@@ -0,0 +1,4 @@
+ACTIVE="Yes"
+IPADDRESS="10.42.0.3"
+MAC=""
+COMMENT=""
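Review bot: zeratul.host is committed with `ACTIVE="No"` and `IPADDRESS=""`, while rules.conf opens `service any` in both directions between the whole `zeratul.direct` network (172.31.1.0/24 on eth1) and the firewall. If Zeratul is the single peer on that direct link, filling in its address, setting `ACTIVE="Yes"` and pointing the two `direct traffic` rules at `zeratul.zeratul.direct` instead of the network keeps the any-service exception to one known host. Otherwise a short `COMMENT` saying why the host object is a placeholder would help the next reader.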
diff --git a/etc/vuurmuur/zones/internal/networks/vservers/hosts/dns.host b/etc/vuurmuur/zones/internal/networks/vservers/hosts/dns.host
new file mode 100644
index 0000000..b829bff
--- /dev/null
+++ b/etc/vuurmuur/zones/internal/networks/vservers/hosts/dns.host
@@ -0,0 +1,4 @@
+ACTIVE="Yes"
+IPADDRESS="10.42.0.5"
+MAC=""
+COMMENT=""
diff --git a/etc/vuurmuur/zones/internal/networks/vservers/hosts/ldap.host b/etc/vuurmuur/zones/internal/networks/vservers/hosts/ldap.host
new file mode 100644
index 0000000..5335d95
--- /dev/null
+++ b/etc/vuurmuur/zones/internal/networks/vservers/hosts/ldap.host
@@ -0,0 +1,4 @@
+ACTIVE="Yes"
+IPADDRESS="10.42.0.4"
+MAC=""
+COMMENT=""
diff --git a/etc/vuurmuur/zones/internal/networks/vservers/hosts/login.host b/etc/vuurmuur/zones/internal/networks/vservers/hosts/login.host
new file mode 100644
index 0000000..979ca6b
--- /dev/null
+++ b/etc/vuurmuur/zones/internal/networks/vservers/hosts/login.host
@@ -0,0 +1,4 @@
+ACTIVE="Yes"
+IPADDRESS="10.42.0.9"
+MAC=""
+COMMENT=""
diff --git a/etc/vuurmuur/zones/internal/networks/vservers/hosts/mail.host b/etc/vuurmuur/zones/internal/networks/vservers/hosts/mail.host
new file mode 100644
index 0000000..7b2783a
--- /dev/null
+++ b/etc/vuurmuur/zones/internal/networks/vservers/hosts/mail.host
@@ -0,0 +1,4 @@
+ACTIVE="Yes"
+IPADDRESS="10.42.0.10"
+MAC=""
+COMMENT=""
diff --git a/etc/vuurmuur/zones/internal/networks/vservers/hosts/mysql.host b/etc/vuurmuur/zones/internal/networks/vservers/hosts/mysql.host
new file mode 100644
index 0000000..24db540
--- /dev/null
+++ b/etc/vuurmuur/zones/internal/networks/vservers/hosts/mysql.host
@@ -0,0 +1,4 @@
+ACTIVE="Yes"
+IPADDRESS="10.42.0.6"
+MAC=""
+COMMENT=""
diff --git a/etc/vuurmuur/zones/internal/networks/vservers/hosts/www.host b/etc/vuurmuur/zones/internal/networks/vservers/hosts/www.host
new file mode 100644
index 0000000..819c3a8
--- /dev/null
+++ b/etc/vuurmuur/zones/internal/networks/vservers/hosts/www.host
@@ -0,0 +1,4 @@
+ACTIVE="Yes"
+IPADDRESS="10.42.0.7"
+MAC=""
+COMMENT=""
diff --git a/etc/vuurmuur/zones/internal/networks/vservers/network.config b/etc/vuurmuur/zones/internal/networks/vservers/network.config
new file mode 100644
index 0000000..8f948b0
--- /dev/null
+++ b/etc/vuurmuur/zones/internal/networks/vservers/network.config
@@ -0,0 +1,6 @@
+ACTIVE="Yes"
+NETWORK="10.42.0.0"
+NETMASK="255.255.255.0"
+INTERFACE="vservers-nic"
+RULE=""
+COMMENT=""
diff --git a/etc/vuurmuur/zones/internal/zone.config b/etc/vuurmuur/zones/internal/zone.config
new file mode 100644
index 0000000..b22a609
--- /dev/null
+++ b/etc/vuurmuur/zones/internal/zone.config
@@ -0,0 +1,2 @@
+ACTIVE="Yes"
+COMMENT="Internal networks "
-- 
2.30.2