build:firewall
Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision | ||
|
build:firewall [2008/04/02 17:28] 151.145.238.91 Add some corrections from 2008-03-02 installation. (CMB) |
build:firewall [2009/08/03 16:18] (current) 167.206.189.6 |
||
|---|---|---|---|
| Line 2: | Line 2: | ||
| We originally went with [[http://pcxfirewall.sourceforge.net/|PCX Firewall]] on our test/development server, as James Pattie was most familiar with it. When we built the production servers, we decided to go with something more standard, so that others would be able to work with it later, if James isn't around. (And he wasn't around when we built the production servers.) So we decided to go with [[http://www.shorewall.net/|Shorewall]]. Shorewall also has the advantage that we don't need to provide the IP addresses of the system -- it determines them dynamically. So when we change IP addresses, we don't have to re-configure the firewall. | We originally went with [[http://pcxfirewall.sourceforge.net/|PCX Firewall]] on our test/development server, as James Pattie was most familiar with it. When we built the production servers, we decided to go with something more standard, so that others would be able to work with it later, if James isn't around. (And he wasn't around when we built the production servers.) So we decided to go with [[http://www.shorewall.net/|Shorewall]]. Shorewall also has the advantage that we don't need to provide the IP addresses of the system -- it determines them dynamically. So when we change IP addresses, we don't have to re-configure the firewall. | ||
| + | |||
| + | We currently aren't running a firewall on bock. Solaris 10 ships with IPF, but it has suffered from throughput problems, so we're leaving it off. | ||
| ===== Requirements ===== | ===== Requirements ===== | ||
| Line 29: | Line 31: | ||
| apt-get install shorewall shorewall-doc | apt-get install shorewall shorewall-doc | ||
| </code> | </code> | ||
| - | |||
| ===== Configuration ===== | ===== Configuration ===== | ||
| Line 43: | Line 44: | ||
| gunzip *.gz | gunzip *.gz | ||
| </code> | </code> | ||
| + | |||
| + | If the system has more than one interface, see the other directories of examples. | ||
| In ''/etc/shorewall/shorewall.conf'', set some configuration options. Change the following lines: | In ''/etc/shorewall/shorewall.conf'', set some configuration options. Change the following lines: | ||
| Line 65: | Line 68: | ||
| ACCEPT net $FW tcp 995 | ACCEPT net $FW tcp 995 | ||
| </file> | </file> | ||
| + | |||
| + | If the system has more than one interface, duplicate the same rules for each interface unless there is a reason to not do that. In that case, document the purpose and restrictions for each interface, and why the rules are different. | ||
| ===== Startup ===== | ===== Startup ===== | ||
| Line 103: | Line 108: | ||
| ===== Comments ===== | ===== Comments ===== | ||
| - | |||
build/firewall.1207175282.txt.gz ยท Last modified: 2008/04/02 17:28 by 151.145.238.91
Page Tools
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
