This shows you the differences between two versions of the page.
Previous revision: build:firewall [2007/05/30 20:47] 71.10.176.218 Updated per installation of Debian 4.0 on Bud. (CMB)
Current revision: build:firewall [2009/08/03 16:18] (current) 167.206.189.6
| Line 2: | Line 2: | ||
| We originally went with [[http://pcxfirewall.sourceforge.net/|PCX Firewall]] on our test/development server, as James Pattie was most familiar with it. When we built the production servers, we decided to go with something more standard, so that others would be able to work with it later, if James isn't around. (And he wasn't around when we built the production servers.) So we decided to go with [[http://www.shorewall.net/|Shorewall]]. Shorewall also has the advantage that we don't need to provide the IP addresses of the system -- it determines them dynamically. So when we change IP addresses, we don't have to re-configure the firewall. | We originally went with [[http://pcxfirewall.sourceforge.net/|PCX Firewall]] on our test/development server, as James Pattie was most familiar with it. When we built the production servers, we decided to go with something more standard, so that others would be able to work with it later, if James isn't around. (And he wasn't around when we built the production servers.) So we decided to go with [[http://www.shorewall.net/|Shorewall]]. Shorewall also has the advantage that we don't need to provide the IP addresses of the system -- it determines them dynamically. So when we change IP addresses, we don't have to re-configure the firewall. | ||
| + | |||
| + | We currently aren't running a firewall on bock. Solaris 10 ships with IPF, but it has suffered from throughput problems, so we're leaving it off. | ||
| ===== Requirements ===== | ===== Requirements ===== | ||
| - | Shorewall doesn't seem to have any requirements, except ''iptables'' and ''iproute''. | + | Shorewall doesn't seem to have any requirements, except ''iptables'', ''iproute'', and ''libatm1''. |
| <code rootshell> | <code rootshell> | ||
| - | apt-get install iproute iproute-doc | + | apt-get install iproute iproute-doc libatm1 |
| </code> | </code> | ||
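Review bot: the added sentence that bock runs no firewall because Solaris 10's IPF has throughput problems leaves that host's exposure undocumented; state what compensating control covers bock (an upstream filter, or a note that only the listed ports have listeners) and who is tracking the IPF problem, so the exception is revisited rather than forgotten. The libatm1 addition to the requirements sentence and to the apt-get line is consistent; a short note on why Shorewall needs it would help the next maintainer, since the name does not make that obvious.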
| Line 13: | Line 15: | ||
| * 22 -- SSH | * 22 -- SSH | ||
| - | * 25 -- SMTP | + | * 25 -- SMTP (Bud only) |
| - | * 53 -- DNS | + | * 53 -- DNS (Bud only) |
| * 80 -- HTTP | * 80 -- HTTP | ||
| - | * 110 -- POP | + | * 110 -- POP (Bud only) |
| * 123 -- NTP (UDP) | * 123 -- NTP (UDP) | ||
| - | * 143 -- IMAP | + | * 143 -- IMAP (Bud only) |
| * 443 -- HTTPS | * 443 -- HTTPS | ||
| - | * 993 -- IMAPS | + | * 993 -- IMAPS (Bud only) |
| - | * 995 -- POPS | + | * 995 -- POPS (Bud only) |
| - | * 10000 -- Webmin (HTTPS) | + | |
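Review bot: the "(Bud only)" annotations on 25, 53, 110, 143, 993 and 995 are not reflected anywhere else in this diff; the rules fragment under Line 67 still accepts 993 and 995 unconditionally, so say which host that rules file belongs to, or split this list into a per-host table so each host's rules file can be checked against it. Removing 10000 (Webmin) from the list matches the rule removal below.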
| ===== Installation ===== | ===== Installation ===== | ||
| Line 28: | Line 29: | ||
| Install shorewall (and its documentation): | Install shorewall (and its documentation): | ||
| <code rootshell> | <code rootshell> | ||
| - | apt-get install -y shorewall shorewall-doc | + | apt-get install shorewall shorewall-doc |
| </code> | </code> | ||
| - | |||
| ===== Configuration ===== | ===== Configuration ===== | ||
| Line 44: | Line 44: | ||
| gunzip *.gz | gunzip *.gz | ||
| </code> | </code> | ||
| + | |||
| + | If the system has more than one interface, see the other directories of examples. | ||
| In ''/etc/shorewall/shorewall.conf'', set some configuration options. Change the following lines: | In ''/etc/shorewall/shorewall.conf'', set some configuration options. Change the following lines: | ||
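Review bot: "see the other directories of examples" does not tell the reader which directory to copy; name the sample set that matches the interface count (Shorewall's sample configurations are organised as one-interface, two-interfaces and three-interfaces) and its path, as the earlier step does for the single-interface case, so the gunzip step above can be repeated exactly.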
| Line 65: | Line 67: | ||
| ACCEPT net $FW tcp 993 | ACCEPT net $FW tcp 993 | ||
| ACCEPT net $FW tcp 995 | ACCEPT net $FW tcp 995 | ||
| - | ACCEPT net $FW tcp 10000 | ||
| </file> | </file> | ||
| + | |||
| + | If the system has more than one interface, duplicate the same rules for each interface unless there is a reason to not do that. In that case, document the purpose and restrictions for each interface, and why the rules are different. | ||
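Review bot: the new guidance to duplicate the same rules on every interface inverts the safe default; Shorewall rules are written per zone (the SOURCE and DEST columns in the fragment above name zones such as net and $FW), so a second interface should get its own zone with only the rules that interface actually needs, and the documentation requirement ("document the purpose and restrictions for each interface") should apply to every interface, not only to the exceptions. Dropping "ACCEPT net $FW tcp 10000" is consistent with removing Webmin from the port list.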
| ===== Startup ===== | ===== Startup ===== | ||
| Line 87: | Line 90: | ||
| ===== TODO ===== | ===== TODO ===== | ||
| + | |||
| + | Can we restrict some ports to the local subnet? | ||
| Determine if our port list is correct for what we need open. We might want to open up additional ports for LMTP, SMTP w/ SSL, and SMTP w/ forced STARTTLS. Perhaps Squid caching and Rsync as well. We might want to remove Webmin and some of the other ports. | Determine if our port list is correct for what we need open. We might want to open up additional ports for LMTP, SMTP w/ SSL, and SMTP w/ forced STARTTLS. Perhaps Squid caching and Rsync as well. We might want to remove Webmin and some of the other ports. | ||
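Review bot: the new TODO "Can we restrict some ports to the local subnet?" can be answered on this page rather than left open: the SOURCE column of a Shorewall rule accepts a zone qualified by an address or network (for example net:192.168.1.0/24, a placeholder subnet here), so mail or administrative ports can be limited to known sources. The unchanged TODO sentence "We might want to remove Webmin and some of the other ports" is now stale, since this revision removes port 10000 from both the list and the rules; update or delete it in the same change.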
| Line 103: | Line 108: | ||
| ===== Comments ===== | ===== Comments ===== | ||
| - | |||