shorewall again and again (Shame on me ...)
Well, I did as advised: installed shorewall, downloaded,
extracted and copied the files from the "one-interface sample", as indicated.
The only file I modified is the interfaces file; I added
the line recommended in the doc, and this is what I get:
shorewall restart
Processing /etc/shorewall/shorewall.conf ...
Processing /etc/shorewall/params ...
Shorewall Not Currently Running
Starting Shorewall...
Loading Modules...
Initializing...
Determining Zones...
Zones: net
Validating interfaces file...
Validating hosts file...
Determining Hosts in Zones...
Net Zone: ppp0:0.0.0.0/0
Deleting user chains...
Configuring Proxy ARP and NAT
Adding Common Rules
IP Forwarding Disabled! OK, IS THERE A PROBLEM ...??
Processing /etc/shorewall/tunnels...
Processing /etc/shorewall/rules...
Error: Undefined Client Zone in rule "ACCEPT loc fw tcp ssh"
Done
I went and looked at the "rules" file, which I modified several times
without success; there is something I'm missing. If you can
enlighten me....
Thanks
Claude
#
# Shorewall 1.3 -- Interfaces File
#
# /etc/shorewall/interfaces
#
# You must add an entry in this file for each network interface on your
# firewall system.
#
# Columns are:
#
# ZONE Zone for this interface. Must match the short name
# of a zone defined in /etc/shorewall/zones.
#
# If the interface serves multiple zones that will be
# defined in the /etc/shorewall/hosts file, you should
# place "-" in this column.
#
# INTERFACE Name of interface. Each interface may be listed only
# once in this file. You may NOT specify the name of
# an alias (e.g., eth0:0) here; see
# http://www.shorewall.net/FAQ.htm#faq18
#
# DO NOT DEFINE THE LOOPBACK INTERFACE (lo) IN THIS FILE.
#
# BROADCAST The broadcast address for the subnetwork to which the
# interface belongs. For P-T-P interfaces, this
# column is left blank. If the interface has multiple
# addresses on multiple subnets then list the broadcast
# addresses as a comma-separated list.
#
# If you use the special value "detect", the firewall
# will detect the broadcast address for you. If you
# select this option, the interface must be up before
# the firewall is started, you must have iproute
# installed and the interface must only be associated
# with a single subnet.
#
# If you don't want to give a value for this column but
# you want to enter a value in the OPTIONS column, enter
# "-" in this column.
#
# OPTIONS A comma-separated list of options including the
# following:
#
# dhcp - interface is managed by DHCP or used by
# a DHCP server running on the firewall or
# you have a static IP but are on a LAN
# segment with lots of Laptop DHCP clients.
# noping - icmp echo-request (ping) packets
# addressed to the firewall should
# be ignored on this interface
# filterping - icmp echo-request (ping) packets
# addressed to the firewall should
# be controlled by the rules file and
# applicable policy. If neither 'noping'
# nor 'filterping' are specified then
# the firewall will respond to 'ping'
# requests. 'filterping' takes
# precedence over 'noping' if both are
# given.
# routestopped - (Deprecated -- use
# /etc/shorewall/routestopped)
# When the firewall is stopped, allow
# and route traffic to and from this
# interface.
# norfc1918 - This interface should not receive
# any packets whose source is in one
# of the ranges reserved by RFC 1918
# (i.e., private or "non-routable"
# addresses. If packet mangling is
# enabled in shorewall.conf, packets
# whose destination addresses are
# reserved by RFC 1918 are also rejected.
# multi - This interface has multiple IP
# addresses and you want to be able to
# route between them.
# routefilter - turn on kernel route filtering for this
# interface (anti-spoofing measure). This
# option can also be enabled globally in
# the /etc/shorewall/shorewall.conf file.
# dropunclean - Logs and drops mangled/invalid packets
#
# logunclean - Logs mangled/invalid packets but does
# not drop them.
# blacklist - Check packets arriving on this interface
# against the /etc/shorewall/blacklist
# file.
# maclist - Connection requests from this interface
# are compared against the contents of
# /etc/shorewall/maclist. If this option
# is specified, the interface must be
# an ethernet NIC and must be up before
# Shorewall is started.
# tcpflags - Packets arriving on this interface are
# checked for certain illegal combinations
# of TCP flags. Packets found to have
# such a combination of flags are handled
# according to the setting of
# TCP_FLAGS_DISPOSITION after having been
# logged according to the setting of
# TCP_FLAGS_LOG_LEVEL.
# proxyarp -
# Sets
# /proc/sys/net/ipv4/conf/<interface>/proxy_arp.
# Do NOT use this option if you are
# employing Proxy ARP through entries in
# /etc/shorewall/proxyarp. This option is
# intended solely for use with Proxy ARP
# sub-networking as described at:
# http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet
#
# The order in which you list the options is not
# significant but the list should have no embedded white
# space.
#
# Example 1: Suppose you have eth0 connected to a DSL modem and
# eth1 connected to your local network and that your
# local subnet is 192.168.1.0/24. The interface gets
# its IP address via DHCP from subnet
# 206.191.149.192/27 and you want pings from the internet
# to be ignored. You interface a DMZ with subnet
# 192.168.2.0/24 using eth2. You want to be able to
# access the firewall from the local network when the
# firewall is stopped.
#
# Your entries for this setup would look like:
#
# net eth0 206.191.149.223 noping,dhcp
# local eth1 192.168.1.255 routestopped
# dmz eth2 192.168.2.255
#
# Example 2: The same configuration without specifying broadcast
# addresses is:
#
# net eth0 detect noping,dhcp
# loc eth1 detect routestopped
# dmz eth2 detect
#
# Example 3: You have a simple dial-in system with no ethernet
# connections and you want to ignore ping requests.
#
# net ppp0 - noping
##############################################################################
#ZONE INTERFACE BROADCAST OPTIONS
net ppp0 - noping
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
#
# Shorewall 1.3 -- Policy File
#
# /etc/shorewall/policy
#
# This file determines what to do with a new connection request if we
# don't get a match from the /etc/shorewall/rules file or from the
# /etc/shorewall/common[.def] file. For each source/destination pair, the
# file is processed in order until a match is found ("all" will match
# any client or server).
#
# Columns are:
#
# SOURCE Source zone. Must be the name of a zone defined
# in /etc/shorewall/zones, $FW or "all".
#
# DEST Destination zone. Must be the name of a zone defined
# in /etc/shorewall/zones, $FW or "all"
#
# WARNING: Firewall->Firewall policies are not allowed; if
# you have a policy where both SOURCE and DEST are $FW,
# Shorewall will not start!
#
# POLICY Policy if no match from the rules file is found. Must
# be "ACCEPT", "DROP", "REJECT" or "CONTINUE"
#
# LOG LEVEL If supplied, each connection handled under the default
# POLICY is logged at that level. If not supplied, no
# log message is generated. See syslog.conf(5) for a
# description of log levels.
#
# Beginning with Shorewall version 1.3.12, you may
# also specify ULOG (must be in upper case). This will
# log to the ULOG target and send to a separate log
# through use of ulogd
# (http://www.gnumonks.org/projects/ulogd).
#
# If you don't want to log but need to specify the
# following column, place "-" here.
#
# LIMIT:BURST If passed, specifies the maximum TCP connection rate
# and the size of an acceptable burst. If not specified,
# TCP connections are not limited.
#
# As shipped, the default policies are:
#
# a) All connections from the local network to the internet are allowed
# b) All connections from the internet are ignored but logged at syslog
# level KERNEL.INFO.
# c) All other connection requests are rejected and logged at level
# KERNEL.INFO.
###############################################################################
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
fw net ACCEPT
net all DROP info
all all REJECT info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
#
# Shorewall version 1.2 - Rules File
#
# /etc/shorewall/rules
#
# Rules in this file govern connection establishment. Requests and
# responses are automatically allowed using connection tracking.
#
# In most places where an IP address or subnet is allowed, you
# can precede the address/subnet with "!" (e.g., !192.168.1.0/24) to
# indicate that the rule matches all addresses except the address/subnet
# given. Notice that no white space is permitted between "!" and the
# address/subnet.
#
# If any of the following columns contain the word "none" then the rule
# is ignored:
#
# PORT(S), CLIENT PORT(S), CLIENT(S) and SERVER.
#
# Columns are:
#
#
# RESULT ACCEPT, DROP or REJECT
#
# ACCEPT -- allow the connection request
# DROP -- ignore the request
# REJECT -- disallow the request and return an
# icmp-unreachable packet.
#
# May optionally be followed by ":" and a syslog log
# level (e.g, REJECT:info). This causes the packet to be
# logged at the specified level.
#
# CLIENT(S) Hosts permitted to be clients. May be a zone defined
# in /etc/shorewall/zones or $FW to indicate the
# firewall itself.
#
# Clients may be further restricted to a list of subnets
# and/or hosts by appending ":" and a comma-separated
# list of subnets and/or hosts. Hosts may be specified
# by IP or MAC address; mac addresses must begin with
# "~" and must use "-" as a separator.
#
# dmz:192.168.2.2 Host 192.168.2.2 in the DMZ
#
# net:155.186.235.0/24 Subnet 155.186.235.0/24 on the
# Internet
#
# loc:192.168.1.1,192.168.1.2
# Hosts 192.168.1.1 and
# 192.168.1.2 in the local zone.
# loc:~00-A0-C9-15-39-78 Host in the local zone with
# MAC address 00:A0:C9:15:39:78.
#
# Alternatively, clients may be specified by interface
# by appending ":" followed by the interface name. For
# example, loc:eth1 specifies a client that
# communicates with the firewall system through eth1.
#
# SERVER Location of Server. May be a zone defined in
# /etc/shorewall/zones or $FW to indicate the firewall
# itself.
#
# The server may be further restricted to a particular
# subnet, host or interface by appending ":" and the
# subnet, host or interface. See above.
#
# The port that the server is listening on may be
# included and separated from the server's IP address by
# ":". If omitted, the firewall will not modify the
# destination port.
#
# Example: loc:192.168.1.3:8080 specifies a local
# server at IP address 192.168.1.3 and listening on port
# 8080. The port number MUST be specified as an integer
# and not as a name from /etc/services.
#
# PROTO Protocol - Must be "tcp", "udp", "icmp", a number,
# "all" or "related". If "related", the remainder of the
# entry must be omitted and connection requests that are
# related to existing requests will be accepted.
#
# PORT(S) Destination Ports. A comma-separated list of Port
# names (from /etc/services), port numbers or port
# ranges; if the protocol is "icmp", this column is
# interpreted as the destination icmp-type(s).
#
# This column is ignored if PROTOCOL = all but must be
# entered if any of the following fields are supplied.
# In that case, it is suggested that this field contain
# "-"
#
# CLIENT PORT(S) (Optional) Port(s) used by the client. If omitted,
# any source port is acceptable. Specified as a comma-
# separated list of port names, port numbers or port
# ranges.
#
# If you don't want to restrict client ports but need to
# specify an ADDRESS in the next column, then place "-"
# in this column.
#
# ADDRESS (Optional) If included and different from the IP
# address given in the SERVER column, this is an address
# on some interface on the firewall and connections to
# that address will be forwarded to the IP and port
# specified in the SERVER column.
#
# If the special value "all" is used, then requests from
# the client zone given in the CLIENT(s) column with the
# destination port given in PORT(s) will be forwarded to
# the IP address given in SERVER. The value "all" is
# intended to be used when your internet IP address is
# dynamic and you want to do port forwarding or you want
# to do proxy redirection. IT SHOULD NOT BE USED IN ANY
# OTHER SITUATION.
#
# The address (or "all") may optionally be followed by
# a colon (":") and an IP address. This causes Shorewall
# to use the specified IP address as the source address
# in forwarded packets. See the Shorewall documentation
# for restrictions concerning this feature. If no source
# IP address is given, the original source address is not
# altered.
#
# Example: Forward all ssh and http connection requests from the internet
# to local system 192.168.1.3
#
# #RESULT CLIENTS SERVER(S) PROTO PORT(S) CLIENT PORT(S) ADDRESS
# ACCEPT net loc:192.168.1.3 tcp ssh,http - all
#
# Example: Redirect all locally-originating www connection requests to
# port 8080 on the firewall (Squid running on the firewall
# system) except when the destination address is 192.168.2.2
#
# #RESULT CLIENTS SERVER(S) PROTO PORT(S) CLIENT PORT(S) ADDRESS
# ACCEPT loc $FW::8080 tcp www - !192.168.2.2
##############################################################################
#RESULT CLIENT(S) SERVER(S) PROTO PORT(S) CLIENT PORT(S) ADDRESS
#
# Allow SSH from the local network
#
ACCEPT loc $FW tcp ssh
#
# Allow SSH and Auth from the internet
#
ACCEPT net $FW tcp ssh,auth
#
# Run an NTP daemon on the firewall that is synced with outside sources
#
ACCEPT $FW net udp ntp
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
#
# Shorewall 1.3 /etc/shorewall/zones
#
# This file determines your network zones. Columns are:
#
# ZONE Short name of the zone
# DISPLAY Display name of the zone
# COMMENTS Comments about the zone
#
#ZONE DISPLAY COMMENTS
net Net Internet
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
#
# Shorewall 1.2 - /etc/shorewall/hosts
#
# WARNING: 90% of Shorewall users don't need to add entries to this
# file and 80% of those who try to add such entries get it
# wrong. Unless you are ABSOLUTELY SURE that you need entries
# in this file, don't touch it!
#
# This file is used to define zones in terms of subnets and/or
# individual IP addresses. Most simple setups don't need to
# (should not) place anything in this file.
#
# ZONE - The name of a zone defined in /etc/shorewall/zones
#
# HOST(S) - The name of an interface followed by a colon (":") and
# either:
#
# a) The IP address of a host
# b) A subnetwork in the form
# <subnet-address>/<mask width>
#
# Examples:
#
# eth1:192.168.1.3
# eth2:192.168.2.0/24
#
# OPTIONS - A comma-separated list of options. Currently-defined
# options are:
#
# routestopped - route messages to and from this
# member when the firewall is in the
# stopped state
#
#
#ZONE HOST(S) OPTIONS
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE
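The error that stops the start above ("Undefined Client Zone in rule ACCEPT loc fw tcp ssh") comes from the rules file naming a zone, loc, that the zones file never defines (it only defines net). The following added example, which is not part of the original post or of Shorewall itself, is a small offline checker written for this thread: it parses the whitespace-separated zones, policy and rules files exactly as quoted above (embedded here as constructed sample strings), expands $FW to its default zone name fw (an assumption: FW is not overridden in shorewall.conf), reports every reference to an undefined zone, and resolves the first-matching policy for a source/destination pair the way the policy file comments describe.

```python
"""Offline consistency check for Shorewall 1.3-style zones/policy/rules files.

Added example for this thread, not Shorewall's own code. The three file
contents below are constructed from the configuration quoted in the post.
"""

# Shorewall 1.3 default for $FW; assumption: FW is not changed in shorewall.conf.
FW_ZONE = "fw"

# Constructed sample: the zones file from the post (only the net zone exists).
ZONES = """\
#ZONE DISPLAY COMMENTS
net Net Internet
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
"""

# Constructed sample: the policy file from the post.
POLICY = """\
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
fw net ACCEPT
net all DROP info
all all REJECT info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
"""

# Constructed sample: the rules file from the post, including the loc rule.
RULES = """\
#RESULT CLIENT(S) SERVER(S) PROTO PORT(S) CLIENT PORT(S) ADDRESS
ACCEPT loc $FW tcp ssh
ACCEPT net $FW tcp ssh,auth
ACCEPT $FW net udp ntp
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
"""


def entries(text):
    """Yield the whitespace-separated columns of each non-comment, non-blank line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if line:
            yield line.split()


def zone_of(column):
    """Strip a ':host,subnet,interface' qualifier and expand $FW to its zone name."""
    name = column.split(":", 1)[0]
    return FW_ZONE if name == "$FW" else name


def defined_zones(zones_text):
    """Short zone names from the ZONE column of the zones file."""
    return {cols[0] for cols in entries(zones_text)}


def undefined_zone_refs(zones_text, policy_text, rules_text):
    """Return (file, entry as written, bad zone) for every reference to an unknown zone.

    Policy SOURCE/DEST may be a zone, $FW or "all"; rules CLIENT(S)/SERVER(S)
    may be a zone or $FW, as the file comments in the post state.
    """
    zones = defined_zones(zones_text) | {FW_ZONE}
    problems = []
    for cols in entries(policy_text):
        for column in cols[:2]:  # SOURCE, DEST
            zone = zone_of(column)
            if zone != "all" and zone not in zones:
                problems.append(("policy", " ".join(cols), zone))
    for cols in entries(rules_text):
        for column in cols[1:3]:  # CLIENT(S), SERVER(S)
            zone = zone_of(column)
            if zone not in zones:
                problems.append(("rules", " ".join(cols), zone))
    return problems


def policy_for(policy_text, source, dest):
    """First matching policy for a source->dest pair; "all" matches any zone.

    Returns (POLICY, LOG LEVEL or None), or None if nothing matches.
    """
    for cols in entries(policy_text):
        src, dst, action = cols[0], cols[1], cols[2]
        level = cols[3] if len(cols) > 3 else None
        if src in ("all", source) and dst in ("all", dest):
            return action, level
    return None


if __name__ == "__main__":
    for where, entry, zone in undefined_zone_refs(ZONES, POLICY, RULES):
        print(f"{where}: zone '{zone}' is not defined in zones: {entry}")
    print("net -> fw falls under policy", policy_for(POLICY, "net", "fw"))
```

Run as-is, the checker flags only the `ACCEPT loc $FW tcp ssh` line, which is the rule Shorewall rejected; removing that line (there is no local network on a one-interface firewall) or defining a loc zone and interface are the two ways to make the files consistent. The policy lookup shows that, even without that rule, connections from net to the firewall are dropped and logged at info unless a rule accepts them.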