From 929e6bc363c53c2daf683608c663678a9dc4a911 Mon Sep 17 00:00:00 2001
From: root
Date: Thu, 16 Apr 2009 16:49:22 +0200
Subject: [PATCH] vuurmuur: Make portforward rules work.

The Portfw rules did not work, since vuurmuur does not know the concept of local networks and produced FORWARD rules in place of INPUT rules. We emulate this behaviour by giving the firewall a virtual interface for each vserver on the world.inet network. This needs splitting the Portfw rules into a normal Dnat rule and a hacky Accept rule, which gets in_int set.
---
 etc/vuurmuur/interfaces/vserver-dns-nic.conf | 11 +++++++++++
 etc/vuurmuur/interfaces/vserver-login-nic.conf | 11 +++++++++++
 etc/vuurmuur/interfaces/vserver-mail-nic.conf | 11 +++++++++++
 etc/vuurmuur/interfaces/vserver-www-nic.conf | 11 +++++++++++
 etc/vuurmuur/rules/rules.conf | 15 ++++++++++-----
 .../zones/inet/networks/world/network.config | 4 ++++
 6 files changed, 58 insertions(+), 5 deletions(-)
 create mode 100644 etc/vuurmuur/interfaces/vserver-dns-nic.conf
 create mode 100644 etc/vuurmuur/interfaces/vserver-login-nic.conf
 create mode 100644 etc/vuurmuur/interfaces/vserver-mail-nic.conf
 create mode 100644 etc/vuurmuur/interfaces/vserver-www-nic.conf

diff --git a/etc/vuurmuur/interfaces/vserver-dns-nic.conf b/etc/vuurmuur/interfaces/vserver-dns-nic.conf
new file mode 100644
index 0000000..d9f2b89
--- /dev/null
+++ b/etc/vuurmuur/interfaces/vserver-dns-nic.conf
@@ -0,0 +1,11 @@
+ACTIVE="Yes"
+IPADDRESS="10.42.0.5"
+INTERFACE=""
+VIRTUAL="Yes"
+RULE="protect against source-routed-packets"
+RULE="protect against icmp-redirect"
+RULE="protect against send-redirect"
+RULE="protect against rp-filter"
+RULE="protect against log-martians"
+COMMENT=""
+DEVICE="eth0"
diff --git a/etc/vuurmuur/interfaces/vserver-login-nic.conf b/etc/vuurmuur/interfaces/vserver-login-nic.conf
new file mode 100644
index 0000000..50409f3
--- /dev/null
+++ b/etc/vuurmuur/interfaces/vserver-login-nic.conf
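Review bot: The new vserver-dns-nic.conf leaves `COMMENT=""`, so nothing in the file records that this interface is not a real NIC but a stand-in for a vserver whose IPADDRESS has to stay in step with the host it fronts; the same applies to vserver-login-nic.conf, vserver-mail-nic.conf and vserver-www-nic.conf in the next three hunks, and the rationale currently lives only in the commit message. Suggest `COMMENT="virtual NIC standing in for the dns vserver; IPADDRESS must match dns.vservers.internal (see the Accept/in_int rules in rules.conf)"`, with the matching text in the other three files. Presumably the `*.vservers.internal` host definitions carry these same 10.42.0.x addresses, but they are not part of this patch, so that cannot be confirmed here; if the two drift apart the Accept leg of the port-forward would presumably stop matching the DNAT'd traffic without any error. All four files also bind `DEVICE="eth0"`; whether that is the device on which locally delivered traffic for 10.42.0.x actually arrives is not visible in the diff and is worth confirming against the generated INPUT rules.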
@@ -0,0 +1,11 @@
+ACTIVE="Yes"
+IPADDRESS="10.42.0.9"
+INTERFACE=""
+VIRTUAL="Yes"
+RULE="protect against source-routed-packets"
+RULE="protect against icmp-redirect"
+RULE="protect against send-redirect"
+RULE="protect against rp-filter"
+RULE="protect against log-martians"
+COMMENT=""
+DEVICE="eth0"
diff --git a/etc/vuurmuur/interfaces/vserver-mail-nic.conf b/etc/vuurmuur/interfaces/vserver-mail-nic.conf
new file mode 100644
index 0000000..152283c
--- /dev/null
+++ b/etc/vuurmuur/interfaces/vserver-mail-nic.conf
@@ -0,0 +1,11 @@
+ACTIVE="Yes"
+IPADDRESS="10.42.0.10"
+INTERFACE=""
+VIRTUAL="Yes"
+RULE="protect against source-routed-packets"
+RULE="protect against icmp-redirect"
+RULE="protect against send-redirect"
+RULE="protect against rp-filter"
+RULE="protect against log-martians"
+COMMENT=""
+DEVICE="eth0"
diff --git a/etc/vuurmuur/interfaces/vserver-www-nic.conf b/etc/vuurmuur/interfaces/vserver-www-nic.conf
new file mode 100644
index 0000000..586e667
--- /dev/null
+++ b/etc/vuurmuur/interfaces/vserver-www-nic.conf
@@ -0,0 +1,11 @@
+ACTIVE="Yes"
+IPADDRESS="10.42.0.7"
+INTERFACE=""
+VIRTUAL="Yes"
+RULE="protect against source-routed-packets"
+RULE="protect against icmp-redirect"
+RULE="protect against send-redirect"
+RULE="protect against rp-filter"
+RULE="protect against log-martians"
+COMMENT=""
+DEVICE="eth0"
diff --git a/etc/vuurmuur/rules/rules.conf b/etc/vuurmuur/rules/rules.conf
index 1532bbe..8fd8344 100644
--- a/etc/vuurmuur/rules/rules.conf
+++ b/etc/vuurmuur/rules/rules.conf
@@ -7,8 +7,13 @@ RULE="Accept service any from zeratul.direct to firewall options comment=\"direc
 RULE="Accept service any from firewall to zeratul.direct options comment=\"direct traffice to zeratul\""
 RULE="separator"
 RULE="Accept service ssh-host from any to firewall(any) options comment=\"ssh access to the host\""
-RULE="Portfw service http from world.inet to www.vservers.internal options comment=\"http to www\""
-RULE="Portfw service smtp from world.inet to mail.vservers.internal options comment=\"smtp to mail\""
-RULE="Portfw service dns from world.inet to dns.vservers.internal options comment=\"dns to dns\""
-RULE="Portfw service imaps from world.inet to mail.vservers.internal options comment=\"imaps to mail\""
-RULE="Portfw service ssh from world.inet to login.vservers.internal options comment=\"ssh to login\""
+RULE="Dnat service http from world.inet to www.vservers.internal options comment=\"http to www\""
+RULE="Accept service http from world.inet to firewall options in_int=\"vserver-www-nic\""
+RULE="Dnat service smtp from world.inet to mail.vservers.internal options comment=\"smtp to mail\""
+RULE="Accept service smtp from world.inet to firewall options in_int=\"vserver-mail-nic\""
+RULE="Dnat service dns from world.inet to dns.vservers.internal options comment=\"dns to dns\""
+RULE="Accept service dns from world.inet to firewall options in_int=\"vserver-dns-nic\""
+RULE="Dnat service imaps from world.inet to mail.vservers.internal options comment=\"imaps to mail\""
+RULE="Accept service imaps from world.inet to firewall options in_int=\"vserver-mail-nic\""
+RULE="Dnat service ssh from world.inet to login.vservers.internal options comment=\"ssh to login\""
+RULE="Accept service ssh from world.inet to firewall options in_int=\"vserver-login-nic\""
diff --git a/etc/vuurmuur/zones/inet/networks/world/network.config b/etc/vuurmuur/zones/inet/networks/world/network.config
index b38e3bf..b4c6b37 100644
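Review bot: The five added `Accept service ... from world.inet to firewall options in_int=...` lines open http, smtp, dns, imaps and ssh in the host's INPUT path for a source of world.inet, i.e. 0.0.0.0/0 per network.config; whether they stay confined to the vserver address depends on the generated rule matching the virtual interface's IPADDRESS as destination, which this hunk cannot show. Before this goes live, read the produced iptables INPUT rules and confirm each one carries `-d <vserver IP>` next to `-i eth0`; if vuurmuur only emits the device match, these ports are also reachable on the firewall's own eth0 addresses, which is wider than the Portfw rules they replace. The Accept lines also drop the `comment=` that their Dnat partners keep, so the generated rules lose their label in the ruleset and logs; e.g. `RULE="Accept service http from world.inet to firewall options in_int=\"vserver-www-nic\",comment=\"http to www (INPUT leg of portfw)\""`, and likewise for the other four. I am reading the option separator as a comma from vuurmuur's usual `options a,b=...` syntax; check it against an existing multi-option rule before applying.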
--- a/etc/vuurmuur/zones/inet/networks/world/network.config
+++ b/etc/vuurmuur/zones/inet/networks/world/network.config
@@ -2,5 +2,9 @@ ACTIVE="Yes"
 NETWORK="0.0.0.0"
 NETMASK="0.0.0.0"
 INTERFACE="inet-nic"
+INTERFACE="vserver-www-nic"
+INTERFACE="vserver-mail-nic"
+INTERFACE="vserver-dns-nic"
+INTERFACE="vserver-login-nic"
 RULE=""
 COMMENT=""
-- 
2.30.2
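Review bot: The four added INTERFACE lines make the vserver virtual NICs members of world.inet, a network the context lines define as `NETWORK="0.0.0.0"`/`NETMASK="0.0.0.0"`; from here on every rule elsewhere that names world.inet as source or destination, not only the new Accept/in_int rules in rules.conf, is presumably generated for these interfaces as well. That is the intended hack, but nothing in this file says so, and the existing `COMMENT=""` is the natural place: e.g. `COMMENT="vserver-*-nic are virtual NICs that let Portfw to the vservers be expressed as INPUT rules; see rules.conf"`. It is also worth diffing the generated ruleset before and after this change to confirm that no other world.inet rule widened as a side effect.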