
shorewall again



Well, I've carried on with my beginner's journey .... and I modified the
attached config files, which gave this:


shorewall restart 
Processing /etc/shorewall/shorewall.conf ... 
Processing /etc/shorewall/params ... 
Restarting Shorewall... 
Loading Modules... 
Initializing... 
Determining Zones... 
   Zones: net loc dmz 
Validating interfaces file... 
Validating hosts file... 
Determining Hosts in Zones... 
   Net Zone: ppp0:0.0.0.0/0 
   Local Zone: ppp0:0.0.0.0/0 
   DMZ Zone: ppp0:0.0.0.0/0 
Deleting user chains... 
Configuring Proxy ARP and NAT 
Adding Common Rules 
IP Forwarding Enabled 
Processing /etc/shorewall/tunnels... 
Processing /etc/shorewall/rules... 
   Rule "ACCEPT loc fw tcp ssh" added. 
   Rule "ACCEPT net fw tcp ssh,auth" added. 
   Rule "ACCEPT fw net udp ntp" added. 
Adding rules for DHCP 
Setting up ICMP Echo handling... 
Processing /etc/shorewall/policy... 
   Policy REJECT for fw to net. 
   Policy ACCEPT for net to fw. 
   Policy REJECT for loc to fw. 
   Policy ACCEPT for loc to net. 
   Policy REJECT for dmz to fw. 
Masqueraded Subnets and Hosts: 
Processing /etc/shorewall/tos... 
   Rule "all all tcp - ssh 16" added. 
   Rule "all all tcp ssh - 16" added. 
   Rule "all all tcp - ftp 16" added. 
   Rule "all all tcp ftp - 16" added. 
   Rule "all all tcp ftp-data - 8" added. 
   Rule "all all tcp - ftp-data 8" added. 
Activating Rules... 
Shorewall Restarted 
touch: creating `/var/lock/subsys/shorewall': No such file or directory 

What does this touch mean???


I can connect; I went and did a quick test on www.pcflank.com,
no problem with trojans, but it tells me that port 135 is
open, which is not good, so how do I close the ports effectively??
And also a browser privacy problem ...
I suppose the config still leaves something to be desired; I'm attaching my
current config files. Thanks for your advice.


                          Thanks


#
# Shorewall 1.2 -- Interfaces File
#
# /etc/shorewall/interfaces
#
#	You must add an entry in this file for each network interface on your
#	firewall system.
#
# Columns are:
#
#	ZONE		Zone for this interface. Must match the short name
#			of a zone defined in /etc/shorewall/zones.
#
#			If the interface serves multiple zones that will be
#			defined in the /etc/shorewall/hosts file, you may
#			place "-" in this column.
#	
#	INTERFACE	Name of interface
#
#	BROADCAST	The broadcast address for the subnetwork to which the
#			interface belongs. For P-T-P interfaces, this
#			column is left blank.
#					    
#			If you use the special value "detect", the firewall
#			will detect the broadcast address for you. If you
#			select this option, the interface must be up before
#			the firewall is started and you must have iproute
#			installed.
#			
#			If you don't want to give a value for this column but
#			you want to enter a value in the OPTIONS column, enter
#			"-" in this column.
#
#	OPTIONS		A comma-separated list of options including the
#			following:
#
#			dhcp	     - interface is managed by DHCP or used by
#                                      a DHCP server running on the firewall.
#			noping	     - icmp echo-request (ping) packets should
#				       be ignored on this interface
#			routestopped - When the firewall is stopped, allow
#				       and route traffic to and from this
#				       interface.
#			norfc1918    - This interface should not receive
#				       any packets whose source is in one
#				       of the ranges reserved by RFC 1918
#				       (i.e., private or "non-routable"
#				       addresses. If packet mangling is
#				       enabled in shorewall.conf, packets
#				       whose destination addresses are
#				       reserved by RFC 1918 are also rejected.
#			multi	     - This interface has multiple IP
#				       addresses and you want to be able to
#				       route between them.
#			routefilter  - turn on kernel route filtering for this
#				       interface.
#			dropunclean  - Logs and drops mangled/invalid packets
#
#			logunclean   - Logs mangled/invalid packets but does
#				       not drop them.
#			blacklist    - Check packets arriving on this interface
#				       against the /etc/shorewall/blacklist
#				       file.
#
#	Example 1:	Suppose you have eth0 connected to a DSL modem and
#			eth1 connected to your local network and that your
#			local subnet is 192.168.1.0/24. The interface gets
#			its IP address via DHCP from subnet
#			206.191.149.192/27 and you want pings from the internet
#			to be ignored. You interface a DMZ with subnet
#			192.168.2.0/24 using eth2. You want to be able to
#			access the firewall from the local network when the
#			firewall is stopped.
#
#			Your entries for this setup would look like:
#
#			net	eth0	206.191.149.223	noping,dhcp
#			local	eth1	192.168.1.255	routestopped
#			dmz	eth2	192.168.2.255
#
#	Example 2:	The same configuration without specifying broadcast
#			addresses is:
#
#			net	eth0	detect		noping,dhcp
#			loc	eth1	detect		routestopped
#			dmz	eth2	detect
#
#	Example 3:	You have a simple dial-in system with no ethernet
#			connections and you want to ignore ping requests.
#
#			net	ppp0	-		noping
##############################################################################
#ZONE	 INTERFACE	BROADCAST	OPTIONS
net      ppp0            "-"            noping
loc      ppp0            "-"            noping
dmz      ppp0            "-"            noping
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
#
# Shorewall 1.2 -- Policy File
#
# /etc/shorewall/policy
#
#	This file determines what to do with a new connection request if we
#	don't get a match from the /etc/shorewall/rules file or from the
#	/etc/shorewall/common[.def] file. For each client/server pair, the
#	file is processed in order until a match is found ("all" will match
#	any client or server).
#
# Columns are:
#
#	CLIENT		Location of client. Must be the name of a zone defined
#			in /etc/shorewall/zones, $FW or "all".
#
#	SERVER		Location of server. Must be the name of a zone defined
#			in /etc/shorewall/zones, $FW or "all"
#
#	POLICY		Policy if no match from the rules file is found. Must
#			be "ACCEPT", "DENY", "REJECT" or "CONTINUE"
#
#	LOG LEVEL	If supplied, each connection handled under the default
#			POLICY is logged at that level. If not supplied, no
#			log message is generated. See syslog.conf(5) for a
#			description of log levels.
#
#			If you don't want to log but need to specify the
#			following column, place "_" here.
#
#	As shipped, the default policies are:
#
#	a) All connections from the local network to the internet are allowed
#	b) All connections from the network are ignored but logged at syslog
#	   level KERNEL.INFO.
#	d) All other connection requests are rejected and logged at level
#	   KERNEL.INFO.
###############################################################################
#CLIENT		SERVER		POLICY		LOG LEVEL
loc		net		ACCEPT
net		all		DROP		info
all		all		ACCEPT		info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
#
# Shorewall version 1.2 - Rules File
#
# /etc/shorewall/rules 
#
#	Rules in this file govern connection establishment. Requests and
#	responses are automatically allowed using connection tracking.
#
#	In most places where an IP address or subnet is allowed, you
#	can precede the address/subnet with "!" (e.g., !192.168.1.0/24) to
#	indicate that the rule matches all addresses except the address/subnet
#	given. Notice that no white space is permitted between "!" and the
#	address/subnet.
#
#	If any of the following columns contain the word "none" then the rule
#	is ignored:
#
#		PORT(S), CLIENT PORT(S), CLIENT(S) and SERVER.
#
# Columns are:
#
#
#	RESULT		ACCEPT, DROP or REJECT
#
#				ACCEPT -- allow the connection request
#				DROP   -- ignore the request
#				REJECT -- disallow the request and return an
#					  icmp-unreachable packet.
#
#			May optionally be followed by ":" and a syslog log
#			level (e.g, REJECT:info). This causes the packet to be
#			logged at the specified level.
#
#	CLIENT(S)	Hosts permitted to be clients. May be a zone defined
#			in /etc/shorewall/zones or $FW to indicate the
#			firewall itself.
#
#			Clients may be further restricted to a list of subnets
#			and/or hosts by appending ":" and a comma-separated
#			list of subnets and/or hosts. Hosts may be specified 
#			by IP or MAC address; mac addresses must begin with
#			"~" and must use "-" as a separator.
#
#			dmz:192.168.2.2		Host 192.168.2.2 in the DMZ
#
#			net:155.186.235.0/24	Subnet 155.186.235.0/24 on the
#						Internet
#
#			loc:192.168.1.1,192.168.1.2
#						Hosts 192.168.1.1 and
#						192.168.1.2 in the local zone.
#			loc:~00-A0-C9-15-39-78  Host in the local zone with 
#                                               MAC address 00:A0:C9:15:39:78.
#
#			Alternatively, clients may be specified by interface
#			by appending ":" followed by the interface name. For
#			example, loc:eth1 specifies a client that
#			communicates with the firewall system through eth1.
#
#	SERVER		Location of Server. May be a zone defined in
#			/etc/shorewall/zones or $FW to indicate the firewall
#			itself.
#
#			The server may be further restricted to a particular
#			subnet, host or interface by appending ":" and the
#			subnet, host or interface. See above.
#
#			The port that the server is listening on may be
#			included and separated from the server's IP address by
#			":". If omitted, the firewall will not modify the
#			destination port.
#
#			Example: loc:192.168.1.3:8080 specifies a local
#			server at IP address 192.168.1.3 and listening on port
#			8080. The port number MUST be specified as an integer
#			and not as a name from /etc/services.
#
#	PROTO		Protocol - Must be "tcp", "udp", "icmp", a number,
#			"all" or "related". If "related", the remainder of the
#			entry must be omitted and connection requests that are
#			related to existing requests will be accepted.
#
#	PORT(S)		Destination Ports. A comma-separated list of Port
#			names (from /etc/services), port numbers or port
#			ranges; if the protocol is "icmp", this column is
#			interpreted as the destination icmp-type(s).
#
#			This column is ignored if PROTOCOL = all but must be
#			entered if any of the following fields are supplied.
#			In that case, it is suggested that this field contain
#			 "-"
#
#	CLIENT PORT(S)	(Optional) Port(s) used by the client. If omitted,
#			any source port is acceptable. Specified as a comma-
#			separated list of port names, port numbers or port
#			ranges.
#
#			If you don't want to restrict client ports but need to
#			specify an ADDRESS in the next column, then place "-"
#			in this column.
#
#	ADDRESS		(Optional) If included and different from the IP
#			address given in the SERVER column, this is an address
#			on some interface on the firewall and connections to
#			that address will be forwarded to the IP and port
#			specified in the SERVER column.
#
#			If the special value "all" is used, then requests from
#			the client zone given in the CLIENT(s) column with the
#			destination port given in PORT(s) will be forwarded to
#			the IP address given in SERVER. The value "all" is
#			intended to be used when your internet IP address is
#			dynamic and you want to do port forwarding or you want
#			to do proxy redirection. IT SHOULD NOT BE USED IN ANY
#			OTHER SITUATION.
#
#			The address (or "all") may optionally be followed by
#			a colon (":") and an IP address. This causes Shorewall
#			to use the specified IP address as the source address
#			in forwarded packets. See the Shorewall documentation
#			for restrictions concerning this feature. If no source
#			IP address is given, the original source address is not
#			altered.
#
#	Example: Forward all ssh and http connection requests from the internet
#		 to local system 192.168.1.3
#
#	#RESULT CLIENTS	SERVER(S)	  PROTO	PORT(S)	 CLIENT PORT(S) ADDRESS
#	ACCEPT	net	loc:192.168.1.3 tcp	ssh,http -	        all
#
#	Example: Redirect all locally-originating www connection requests to
#		 port 8080 on the firewall (Squid running on the firewall
#		 system) except when the destination address is 192.168.2.2
#
#	#RESULT CLIENTS	SERVER(S) PROTO	PORTS(S) CLIENT PORT(S)	ADDRESS
#	ACCEPT	loc	$FW::8080  tcp	www	 -		!192.168.2.2
##############################################################################
#RESULT		CLIENT(S) SERVER(S)	PROTO	PORT(S)	CLIENT PORT(S) ADDRESS
#
# Allow SSH from the local network
#
ACCEPT		loc	  $FW		tcp	ssh
#
# Allow SSH and Auth from the internet
#
ACCEPT		net	  $FW		tcp	ssh,auth
#
# Run an NTP daemon on the firewall that is synced with outside sources
#
ACCEPT		$FW	  net		udp	ntp
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
#
# Shorewall 1.2 /etc/shorewall/zones
#
# This file determines your network zones. Columns are:
#
#	ZONE		Short name of the zone
#	DISPLAY		Display name of the zone
#	COMMENTS	Comments about the zone
#
#ZONE	DISPLAY		COMMENTS
net	Net		Internet 
loc     Loc.             Local Networks
dmz	DMZ		Demilitarized zone
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
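An added example, not part of the original post or of Shorewall itself: a small first-match evaluator that applies the rules-then-policy semantics described in the posted policy file comments to the rules and policy entries quoted above. The zone names come from the post; the `/etc/services` subset and the sample connections are constructed for the example.

```python
# Rules as posted in /etc/shorewall/rules: (RESULT, CLIENT, SERVER, PROTO, PORTS)
RULES = [
    ("ACCEPT", "loc", "fw", "tcp", "ssh"),
    ("ACCEPT", "net", "fw", "tcp", "ssh,auth"),
    ("ACCEPT", "fw", "net", "udp", "ntp"),
]
# Policy as posted in /etc/shorewall/policy: (CLIENT, SERVER, POLICY, LOG LEVEL)
POLICY = [
    ("loc", "net", "ACCEPT", None),
    ("net", "all", "DROP", "info"),
    ("all", "all", "ACCEPT", "info"),
]
# Constructed subset of /etc/services for the port names used in the rules.
SERVICES = {"ssh": 22, "auth": 113, "ntp": 123}


def _port_match(spec, port):
    """PORT(S) column: comma-separated names, numbers or lo:hi ranges."""
    for item in spec.split(","):
        if ":" in item:
            lo, hi = (int(x) for x in item.split(":"))
            if lo <= port <= hi:
                return True
        else:
            num = int(item) if item.isdigit() else SERVICES.get(item)
            if num == port:
                return True
    return False


def decide(client, server, proto, port):
    """Return (verdict, source) for a new connection request.

    The rules file is checked first; if nothing matches, the policy file is
    processed in order until a match is found, "all" matching any zone.
    Returns (None, "no match") if no policy entry applies (assumption: a
    real Shorewall would refuse such a policy file)."""
    for result, c, s, p, ports in RULES:
        if c == client and s == server and p == proto and _port_match(ports, port):
            return result, "rules"
    for c, s, pol, level in POLICY:
        if c in (client, "all") and s in (server, "all"):
            return pol, "policy" + (f" (logged: {level})" if level else "")
    return None, "no match"


if __name__ == "__main__":
    for conn in [("net", "fw", "tcp", 135), ("dmz", "fw", "tcp", 135)]:
        print(conn, "->", decide(*conn))
```

With the posted files, a request to tcp/135 from the net zone falls through the rules and hits `net all DROP`, while the catch-all `all all ACCEPT` lets any loc or dmz host reach the firewall on any port.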
