#26 On 28/06/2006 at 10:45
- Vinvin2021
Re: Shorewall installation and configuration guide
Hmm... I don't know...
Try adding this rule as well:
DROP net $FW icmp 808
#27 On 28/06/2006 at 12:29
- Vinvin2021
Re: Shorewall installation and configuration guide
To test your firewall online, there is also this site http://www.pcflank.com/ ("Test Your System" on the left). And here is an introduction to computer networks and security: http://olivieraj.free.fr/fr/linux/information/firewall/
#28 On 29/06/2006 at 09:46
- Ivan le pas terrible
Re: Shorewall installation and configuration guide
OK vinvin, I'll do that...
I should also point out that the rules block access to the LAN:
before, when I asked for network servers I had the Microsoft group visible with all the shared volumes,
and now nothing.
The worst part is that stopping shorewall doesn't bring the network back...
I just checked by installing another machine with Ubuntu: without shorewall you can access the LAN; on the other machine, even with shorewall stopped, you can't access it anymore.
(sorry for the missing accents: this morning I can't get the right keyboard back)
#29 On 29/06/2006 at 09:53
- Ivan le pas terrible
Re: Shorewall installation and configuration guide
Ah, it doesn't work vinvin:
iptables v1.3.3: Invalid ICMP type `808'
#30 On 29/06/2006 at 10:47
- Vinvin2021
Re: Shorewall installation and configuration guide
Oh no... I don't know how to help you.
The worst part is that stopping shorewall doesn't bring the network back...
I just checked by installing another machine with Ubuntu: without shorewall you can access the LAN; on the other machine, even with shorewall stopped, you can't access it anymore.
You could try this:
sudo shorewall clear
According to the manual, this will "Remove all rules and chains installed by the firewall"
#31 On 14/07/2006 at 03:31
- tekalo
Re: Shorewall installation and configuration guide
Hi,
I configured shorewall as was very well explained earlier, and the firewall passed the various tests... so a priori no problem at that level.
However, I have a small issue with the automatic startup of shorewall... after setting startup=1 in /etc/default/shorewall, I no longer have internet access!!!!!!
So I set startup back to 0 and I have to launch shorewall manually
Would anyone have a solution please
#32 On 06/09/2006 at 18:31
- beben
Re: Shorewall installation and configuration guide
Thanks everyone, I was starting to really struggle.
Very good post, there are very useful links too.
Intelligence is the most evenly distributed thing among human beings: whether or not one is endowed with it, one always feels one has enough, since that is what one judges with.
Descartes or Coluche, as you prefer
#33 On 28/10/2006 at 16:48
- patgrisly
Re: Shorewall installation and configuration guide
I've just reinstalled and it's good to find a page like this one again,
one (friendly) caveat all the same about the
sudo gedit
#34 On 04/11/2006 at 18:10
- tekalo
Re: Shorewall installation and configuration guide
Hi,
I'm digging this topic up again because I still haven't solved my problem... (see my previous message)
If some kind soul could help me
#35 On 03/04/2007 at 14:01
- thaypan
Re: Shorewall installation and configuration guide
How do you configure an IP filter with Shorewall using the blacklists from Bluetrack.co.uk?
#36 On 02/07/2007 at 13:25
- ccousin
Re: Shorewall installation and configuration guide
Hello everyone,
I'm using Shorewall v2.2.3 on Debian.
I'm trying to get access to the web gateway by declaring in the "rules" an authorization for a MAC ADDRESS coming from the net.
Is that possible? What syntax should be used?
Let me explain:
the remote client has a dynamic ISP IP! So I can't authorize it!!
but its MAC ADDRESS should do the trick to let it access my network!
Thanks in advance
Tof
#37 On 13/07/2007 at 23:22
- chaoswizard
Re: Shorewall installation and configuration guide
Thanks a lot, it works great!!!
Ubuntu ==> Debian ==> Archlinux
#38 On 27/09/2007 at 08:16
- kmchen
Re: Shorewall installation and configuration guide
ccousin: I have the beginning of an answer to your question:
you add the maclist option to a declaration in your hosts or interfaces file
then you add your correspondent's MAC address to a maclist file:
/etc/shorewall$ cat hosts
loc eth0:192.168.0.0/24 maclist
/etc/shorewall$ cat maclist
eth0 xx.xx.xx.xx.xx.xx
/etc/shorewall$ cat interfaces
- eth0 detect routefilter,dhcp,tcpflags,logmartians,nosmurfs,maclist
But problem (for me): no more web access
Last edited by kmchen (27/09/2007 at 08:50)
Website creation
http://www.webologix.com
#39 On 17/05/2008 at 22:29
- mafia
Re: Shorewall installation and configuration guide
hello
as soon as I enable the firewall I no longer have internet
debian:~# shorewall start
Compiling...
Initializing...
Determining Zones...
IPv4 Zones: net
Firewall Zone: fw
Validating interfaces file...
Validating hosts file...
Validating Policy file...
Determining Hosts in Zones...
net Zone: eth0:0.0.0.0/0
Pre-processing Actions...
Pre-processing /usr/share/shorewall/action.Drop...
Pre-processing /usr/share/shorewall/action.Reject...
Pre-processing /usr/share/shorewall/action.Limit...
Deleting user chains...
Compiling /etc/shorewall/routestopped ...
Creating Interface Chains...
Compiling Proxy ARP
Compiling NAT...
Compiling NETMAP...
Compiling Common Rules
Adding Anti-smurf Rules
Adding rules for DHCP
Enabling RFC1918 Filtering
Compiling TCP Flags checking...
Compiling Kernel Route Filtering...
Compiling Martian Logging...
Compiling IP Forwarding...
Compiling /etc/shorewall/rules...
Compiling Actions...
Compiling /usr/share/shorewall/action.Drop for Chain Drop...
Compiling /usr/share/shorewall/action.Reject for Chain Reject...
Compiling /etc/shorewall/policy...
Compiling Traffic Control Rules...
Validating /etc/shorewall/tcdevices...
Validating /etc/shorewall/tcclasses...
Compiling Rule Activation...
Compiling Refresh of Black List...
Validating /etc/shorewall/tcdevices...
Validating /etc/shorewall/tcclasses...
Shorewall configuration compiled to /var/lib/shorewall/.start
Starting Shorewall....
Initializing...
Clearing Traffic Control/QOS
Deleting user chains...
Enabling Loopback and DNS Lookups
Creating Interface Chains...
Setting up Proxy ARP...
Setting up one-to-one NAT...
Setting up SMURF control...
Setting up Black List...
Adding Anti-smurf Jumps...
Setting up rules for DHCP...
Setting up RFC1918 Filtering...
Setting up TCP Flags checking...
Setting up ARP filtering...
Setting up Route Filtering...
WARNING: Cannot set route filtering on eth0
Setting up Martian Logging...
WARNING: Cannot set Martian logging on eth0
Setting up Accept Source Routing...
Setting up SYN Flood Protection...
Setting up IPSEC management...
Setting up Rules...
Setting up Actions...
Creating action chain Drop
Creating action chain Reject
Creating action chain dropBcast
Creating action chain dropInvalid
Creating action chain dropNotSyn
Applying Policies...
Setting up TC Rules...
Activating Rules...
nano /etc/shorewall/interfaces
###############################################################################
#ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect norfc1918,routefilter,dhcp,tcpflags,log$
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
100 Mbit internet connection plus a router
thanks
Last edited by mafia (17/05/2008 at 22:32)
#40 On 17/05/2008 at 23:15
- chaoswizard
Re: Shorewall installation and configuration guide
I'll quickly post my files in case they help:
interfaces:
#ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect routefilter,dhcp,tcpflags,logmartians,nosmurfs
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
policy:
SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
$FW net ACCEPT
net all DROP info
# The FOLLOWING POLICY MUST BE LAST
all all REJECT info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
zones:
#ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS
fw firewall
net ipv4
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
Ubuntu ==> Debian ==> Archlinux
#41 On 18/05/2008 at 09:27
- mafia
Re: Shorewall installation and configuration guide
debian:/home/mafia# shorewall restart
Compiling...
Initializing...
Determining Zones...
IPv4 Zones: net
Firewall Zone: fw
Validating interfaces file...
Validating hosts file...
Validating Policy file...
Determining Hosts in Zones...
net Zone: eth0:0.0.0.0/0
Pre-processing Actions...
Pre-processing /usr/share/shorewall/action.Drop...
Pre-processing /usr/share/shorewall/action.Reject...
Pre-processing /usr/share/shorewall/action.Limit...
Deleting user chains...
Compiling /etc/shorewall/routestopped ...
Creating Interface Chains...
Compiling Proxy ARP
Compiling NAT...
Compiling NETMAP...
Compiling Common Rules
Adding Anti-smurf Rules
Adding rules for DHCP
Compiling TCP Flags checking...
Compiling Kernel Route Filtering...
Compiling Martian Logging...
Compiling IP Forwarding...
Compiling /etc/shorewall/rules...
Compiling Actions...
Compiling /usr/share/shorewall/action.Drop for Chain Drop...
Compiling /usr/share/shorewall/action.Reject for Chain Reject...
Compiling /etc/shorewall/policy...
Compiling Traffic Control Rules...
Validating /etc/shorewall/tcdevices...
Validating /etc/shorewall/tcclasses...
Compiling Rule Activation...
Compiling Refresh of Black List...
Validating /etc/shorewall/tcdevices...
Validating /etc/shorewall/tcclasses...
Shorewall configuration compiled to /var/lib/shorewall/.restart
Shorewall is not running
Starting Shorewall....
Initializing...
Clearing Traffic Control/QOS
Deleting user chains...
Enabling Loopback and DNS Lookups
Creating Interface Chains...
Setting up Proxy ARP...
Setting up one-to-one NAT...
Setting up SMURF control...
Setting up Black List...
Adding Anti-smurf Jumps...
Setting up rules for DHCP...
Setting up TCP Flags checking...
Setting up ARP filtering...
Setting up Route Filtering...
WARNING: Cannot set route filtering on eth0
Setting up Martian Logging...
WARNING: Cannot set Martian logging on eth0
Setting up Accept Source Routing...
Setting up SYN Flood Protection...
Setting up IPSEC management...
Setting up Rules...
Setting up Actions...
Creating action chain Drop
Creating action chain Reject
Creating action chain dropBcast
Creating action chain dropInvalid
Creating action chain dropNotSyn
Applying Policies...
Setting up TC Rules...
Activating Rules...
done.
again, it still doesn't work
#42 On 18/05/2008 at 11:26
- chaoswizard
Re: Shorewall installation and configuration guide
Er, can you post your rules file (you never know).
Are you indeed using an ethernet card (eth0)?
Ubuntu ==> Debian ==> Archlinux
#43 On 18/05/2008 at 12:07
- mafia
Re: Shorewall installation and configuration guide
yes
#
# Shorewall version 3.0 - Sample Rules File for one-interface configuration.
#
# /etc/shorewall/rules
#
# Rules in this file govern connection establishment. Requests and
# responses are automatically allowed using connection tracking. For any
# particular (source,dest) pair of zones, the rules are evaluated in the
# order in which they appear in this file and the first match is the one
# that determines the disposition of the request.
#
# In most places where an IP address or subnet is allowed, you
# can precede the address/subnet with "!" (e.g., !192.168.1.0/24) to
# indicate that the rule matches all addresses except the address/subnet
# given. Notice that no white space is permitted between "!" and the
# address/subnet.
#------------------------------------------------------------------------------
# WARNING: If you masquerade or use SNAT from a local system to the internet,
# you cannot use an ACCEPT rule to allow traffic from the internet to
# that system. You *must* use a DNAT rule instead.
#------------------------------------------------------------------------------
#
# The rules file is divided into sections. Each section is introduced by
# a "Section Header" which is a line beginning with SECTION followed by the
# section name.
#
# Sections are as follows and must appear in the order listed:
#
# ESTABLISHED Packets in the ESTABLISHED state are processed
# by rules in this section.
#
# The only ACTIONs allowed in this section are
# ACCEPT, DROP, REJECT, LOG and QUEUE
#
# There is an implicit ACCEPT rule inserted
# at the end of this section.
#
# RELATED Packets in the RELATED state are processed by
# rules in this section.
#
# The only ACTIONs allowed in this section are
# ACCEPT, DROP, REJECT, LOG and QUEUE
#
# There is an implicit ACCEPT rule inserted
# at the end of this section.
#
# NEW Packets in the NEW and INVALID states are
# processed by rules in this section.
#
# WARNING: If you specify FASTACCEPT=Yes in shorewall.conf then the
# ESTABLISHED and RELATED sections must be empty.
#
# Note: If you are not familiar with Netfilter to the point where you are
# comfortable with the differences between the various connection
# tracking states, then I suggest that you omit the ESTABLISHED and
# RELATED sections and place all of your rules in the NEW section.
#
# You may omit any section that you don't need. If no Section Headers appear
# in the file then all rules are assumed to be in the NEW section.
#
# Columns are:
#
# ACTION ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT, CONTINUE,
# LOG, QUEUE or an <action>.
#
# ACCEPT -- allow the connection request
# ACCEPT+ -- like ACCEPT but also excludes the
# connection from any subsequent
# DNAT[-] or REDIRECT[-] rules
# NONAT -- Excludes the connection from any
# subsequent DNAT[-] or REDIRECT[-]
# rules but doesn't generate a rule
# to accept the traffic.
# DROP -- ignore the request
# REJECT -- disallow the request and return an
# icmp-unreachable or an RST packet.
# DNAT -- Forward the request to another
# system (and optionally another
# port).
# DNAT- -- Advanced users only.
# Like DNAT but only generates the
# DNAT iptables rule and not
# the companion ACCEPT rule.
# SAME -- Similar to DNAT except that the
# port may not be remapped and when
# multiple server addresses are
# listed, all requests from a given
# remote system go to the same
# server.
# SAME- -- Advanced users only.
# Like SAME but only generates the
# NAT iptables rule and not
# the companion ACCEPT rule.
# REDIRECT -- Redirect the request to a local
# port on the firewall.
# REDIRECT-
# -- Advanced users only.
# Like REDIRECT but only generates the
# REDIRECT iptables rule and not
# the companion ACCEPT rule.
#
# CONTINUE -- (For experts only). Do not process
# any of the following rules for this
# (source zone,destination zone). If
# The source and/or destination IP
# address falls into a zone defined
# later in /etc/shorewall/zones, this
# connection request will be passed
# to the rules defined for that
# (those) zone(s).
# LOG -- Simply log the packet and continue.
# QUEUE -- Queue the packet to a user-space
# application such as ftwall
# (http://p2pwall.sf.net).
# <action> -- The name of an action defined in
# /etc/shorewall/actions or in
# /usr/share/shorewall/actions.std.
# <macro> -- The name of a macro defined in a
# file named macro.<macro-name>. If
# the macro accepts an action
# parameter (Look at the macro
# source to see if it has PARAM in
# the TARGET column) then the macro
# name is followed by "/" and the
# action (ACCEPT, DROP, REJECT, ...)
# to be substituted for the
# parameter. Example: FTP/ACCEPT.
#
# The ACTION may optionally be followed
# by ":" and a syslog log level (e.g, REJECT:info or
# DNAT:debug). This causes the packet to be
# logged at the specified level.
#
# If the ACTION names an action defined in
# /etc/shorewall/actions or in
# /usr/share/shorewall/actions.std then:
#
# - If the log level is followed by "!" then all rules
# in the action are logged at the log level.
#
# - If the log level is not followed by "!" then only
# those rules in the action that do not specify
# logging are logged at the specified level.
#
# - The special log level 'none!' suppresses logging
# by the action.
#
# You may also specify ULOG (must be in upper case) as a
# log level. This will log to the ULOG target for routing
# to a separate log through use of ulogd
# (http://www.gnumonks.org/projects/ulogd).
#
# Actions specifying logging may be followed by a
# log tag (a string of alphanumeric characters)
# are appended to the string generated by the
# LOGPREFIX (in /etc/shorewall/shorewall.conf).
#
# Example: ACCEPT:info:ftp would include 'ftp '
# at the end of the log prefix generated by the
# LOGPREFIX setting.
#
# SOURCE Source hosts to which the rule applies. May be a zone
# defined in /etc/shorewall/zones, $FW to indicate the
# firewall itself, "all", "all+" or "none". If the ACTION
# is DNAT or REDIRECT, sub-zones of the specified zone
# may be excluded from the rule by following the zone
# name with "!" and a comma-separated list of sub-zone
# names.
#
# When "none" is used either in the SOURCE or DEST
# column, the rule is ignored.
#
# When "all" is used either in the SOURCE or DEST column
# intra-zone traffic is not affected. When "all+" is
# used, intra-zone traffic is affected.
#
# Except when "all[+]" is specified, clients may be
# further restricted to a list of subnets and/or hosts by
# appending ":" and a comma-separated list of subnets
# and/or hosts. Hosts may be specified by IP or MAC
# address; mac addresses must begin with "~" and must use
# "-" as a separator.
#
# Hosts may be specified as an IP address range using the
# syntax <low address>-<high address>. This requires that
# your kernel and iptables contain iprange match support.
# If your kernel and iptables have ipset match support
# then you may give the name of an ipset prefaced by "+".
# The ipset name may be optionally followed by a number
# from 1 to 6 enclosed in square brackets ([]) to
# indicate the number of levels of source bindings to be
# matched.
#
# dmz:192.168.2.2 Host 192.168.2.2 in the DMZ
#
# net:155.186.235.0/24 Subnet 155.186.235.0/24 on the
# Internet
#
# loc:192.168.1.1,192.168.1.2
# Hosts 192.168.1.1 and
# 192.168.1.2 in the local zone.
# loc:~00-A0-C9-15-39-78 Host in the local zone with
# MAC address 00:A0:C9:15:39:78.
#
# net:192.0.2.11-192.0.2.17
# Hosts 192.0.2.11-192.0.2.17 in
# the net zone.
#
# Alternatively, clients may be specified by interface
# by appending ":" to the zone name followed by the
# interface name. For example, loc:eth1 specifies a
# client that communicates with the firewall system
# through eth1. This may be optionally followed by
# another colon (":") and an IP/MAC/subnet address
# as described above (e.g., loc:eth1:192.168.1.5).
#
# DEST Location of Server. May be a zone defined in
# /etc/shorewall/zones, $FW to indicate the firewall
# itself, "all", "all+" or "none".
#
# When "none" is used either in the SOURCE or DEST
# column, the rule is ignored.
#
# When "all" is used either in the SOURCE or DEST column
# intra-zone traffic is not affected. When "all+" is
# used, intra-zone traffic is affected.
#
# Except when "all[+]" is specified, the server may be
# further restricted to a particular subnet, host or
# interface by appending ":" and the subnet, host or
# interface. See above.
#
# Restrictions:
#
# 1. MAC addresses are not allowed.
# 2. In DNAT rules, only IP addresses are
# allowed; no FQDNs or subnet addresses
# are permitted.
# 3. You may not specify both an interface and
# an address.
#
# Like in the SOURCE column, you may specify a range of
# up to 256 IP addresses using the syntax
# <first ip>-<last ip>. When the ACTION is DNAT or DNAT-,
# the connections will be assigned to addresses in the
# range in a round-robin fashion.
#
# If your kernel and iptables have ipset match support
# then you may give the name of an ipset prefaced by "+".
# The ipset name may be optionally followed by a number
# from 1 to 6 enclosed in square brackets ([]) to
# indicate the number of levels of destination bindings
# to be matched. Only one of the SOURCE and DEST columns
# may specify an ipset name.
#
# The port that the server is listening on may be
# included and separated from the server's IP address by
# ":". If omitted, the firewall will not modify the
# destination port. A destination port may only be
# included if the ACTION is DNAT or REDIRECT.
#
# Example: loc:192.168.1.3:3128 specifies a local
# server at IP address 192.168.1.3 and listening on port
# 3128. The port number MUST be specified as an integer
# and not as a name from /etc/services.
#
# if the ACTION is REDIRECT, this column needs only to
# contain the port number on the firewall that the
# request should be redirected to.
#
# PROTO Protocol - Must be "tcp", "udp", "icmp", "ipp2p",
# "ipp2p:udp", "ipp2p:all" a number, or "all".
# "ipp2p*" requires ipp2p match support in your kernel
# and iptables.
#
# DEST PORT(S) Destination Ports. A comma-separated list of Port
# names (from /etc/services), port numbers or port
# ranges; if the protocol is "icmp", this column is
# interpreted as the destination icmp-type(s).
#
# If the protocol is ipp2p, this column is interpreted
# as an ipp2p option without the leading "--" (example
# "bit" for bit-torrent). If no port is given, "ipp2p" is
# assumed.
#
# A port range is expressed as <low port>:<high port>.
#
# This column is ignored if PROTOCOL = all but must be
# entered if any of the following fields are supplied.
# In that case, it is suggested that this field contain
# "-"
#
# If your kernel contains multi-port match support, then
# only a single Netfilter rule will be generated if in
# this list and the CLIENT PORT(S) list below:
# 1. There are 15 or less ports listed.
# 2. No port ranges are included.
# Otherwise, a separate rule will be generated for each
# port.
#
# CLIENT PORT(S) (Optional) Port(s) used by the client. If omitted,
# any source port is acceptable. Specified as a comma-
# separated list of port names, port numbers or port
# ranges.
#
# If you don't want to restrict client ports but need to
# specify an ORIGINAL DEST in the next column, then
# place "-" in this column.
#
# If your kernel contains multi-port match support, then
# only a single Netfilter rule will be generated if in
# this list and the DEST PORT(S) list above:
# 1. There are 15 or less ports listed.
# 2. No port ranges are included.
# Otherwise, a separate rule will be generated for each
# port.
#
# ORIGINAL DEST (Optional) -- If ACTION is DNAT[-] or REDIRECT[-]
# then if included and different from the IP
# address given in the SERVER column, this is an address
# on some interface on the firewall and connections to
# that address will be forwarded to the IP and port
# specified in the DEST column.
#
# A comma-separated list of addresses may also be used.
# This is usually most useful with the REDIRECT target
# where you want to redirect traffic destined for
# particular set of hosts.
#
# Finally, if the list of addresses begins with "!" then
# the rule will be followed only if the original
# destination address in the connection request does not
# match any of the addresses listed.
#
# For other actions, this column may be included and may
# contain one or more addresses (host or network)
# separated by commas. Address ranges are not allowed.
# When this column is supplied, rules are generated
# that require that the original destination address
# matches one of the listed addresses. This feature is
# most useful when you want to generate a filter rule
# that corresponds to a DNAT- or REDIRECT- rule. In this
# usage, the list of addresses should not begin with "!".
#
# See http://shorewall.net/PortKnocking.html for an
# example of using an entry in this column with a
# user-defined action rule.
#
# RATE LIMIT You may rate-limit the rule by placing a value in
# this column:
#
# <rate>/<interval>[:<burst>]
#
# where <rate> is the number of connections per
# <interval> ("sec" or "min") and <burst> is the
# largest burst permitted. If no <burst> is given,
# a value of 5 is assumed. There may be
# no whitespace embedded in the specification.
#
# Example: 10/sec:20
#
# USER/GROUP This column may only be non-empty if the SOURCE is
# the firewall itself.
#
# The column may contain:
#
# [!][<user name or number>][:<group name or number>][+<program name>]
#
# When this column is non-empty, the rule applies only
# if the program generating the output is running under
# the effective <user> and/or <group> specified (or is
# NOT running under that id if "!" is given).
#
# Examples:
#
# joe #program must be run by joe
# :kids #program must be run by a member of
# #the 'kids' group
# !:kids #program must not be run by a member
# #of the 'kids' group
# +upnpd #program named upnpd (This feature was
# #removed from Netfilter in kernel
# #version 2.6.14).
#
# Example: Accept SMTP requests from the DMZ to the internet
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST
# ACCEPT dmz net tcp smtp
#
# Example: Forward all ssh and http connection requests from the
# internet to local system 192.168.1.3
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST
# DNAT net loc:192.168.1.3 tcp ssh,http
#
# Example: Forward all http connection requests from the internet
# to local system 192.168.1.3 with a limit of 3 per second and
# a maximum burst of 10
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
# # PORT PORT(S) DEST LIMIT
# DNAT net loc:192.168.1.3 tcp http - - 3/sec:10
#
# Example: Redirect all locally-originating www connection requests to
# port 3128 on the firewall (Squid running on the firewall
# system) except when the destination address is 192.168.2.2
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST
# REDIRECT loc 3128 tcp www - !192.168.2.2
#
# Example: All http requests from the internet to address
# 130.252.100.69 are to be forwarded to 192.168.1.3
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST
# DNAT net loc:192.168.1.3 tcp 80 - 130.252.100.69
#
# Example: You want to accept SSH connections to your firewall only
# from internet IP addresses 130.252.100.69 and 130.252.100.70
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST
# ACCEPT net:130.252.100.69,130.252.100.70 $FW \
# tcp 22
#############################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
## Ping
DROP net $FW icmp
ACCEPT $FW net icmp
## Hide identity (ident)
DROP net $FW tcp 113
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
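An added example (not code from this thread or from Shorewall itself): a small Python model of the first-match evaluation the rules-file header above describes (rules in file order, then the policy file as fallback), run on the policy posted in #40 and the rules posted in #43, plus the check that trips on the ICMP type from #29. It handles plain zone names only (not the zone:host or zone:interface forms) and is a teaching model, not Shorewall's compiler.

```python
# Added example, not code from the thread or from Shorewall itself: a model of
# the first-match evaluation described in the header of the rules file posted
# above (rules in file order, then the policy file as fallback).  POLICY and
# RULES are constructed from the policy in #40 and the rules in #43.

POLICY = """
#SOURCE  DEST   POLICY   LOG LEVEL
$FW      net    ACCEPT
net      all    DROP     info
all      all    REJECT   info
"""

RULES = """
#ACTION  SOURCE  DEST  PROTO  DEST PORT(S)
## Ping
DROP     net     $FW   icmp
ACCEPT   $FW     net   icmp
## Hide identity (ident)
DROP     net     $FW   tcp    113
"""


def records(text):
    """Columns of every non-blank, non-comment line, in file order."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line.split()


def zone_matches(pattern, zone):
    """'all' in SOURCE or DEST matches any zone; otherwise names must be equal."""
    return pattern == "all" or pattern == zone


def port_matches(spec, port):
    """DEST PORT(S) column: '-' means any port; otherwise a comma-separated list
    of numbers or low:high ranges.  With PROTO icmp the column holds the type."""
    if spec == "-":
        return True
    if port is None:
        return False
    for item in spec.split(","):
        low, _, high = item.partition(":")
        if int(low) <= port <= int(high or low):
            return True
    return False


def lint_rules(text):
    """Report what iptables would refuse at 'shorewall start': here an ICMP
    type outside 0..255, the 'Invalid ICMP type' error seen in #29."""
    errors = []
    for cols in records(text):
        proto = cols[3] if len(cols) > 3 else "all"
        spec = cols[4] if len(cols) > 4 else "-"
        if proto == "icmp" and spec != "-":
            for item in spec.split(","):
                if not item.isdigit() or int(item) > 255:
                    errors.append("Invalid ICMP type `%s'" % item)
    return errors


def disposition(src, dst, proto, port=None, rules=RULES, policy=POLICY):
    """Return (ACTION, 'rules' or 'policy') for a new connection request from
    zone src to zone dst.  The firewall zone is written $FW, as in the files."""
    for cols in records(rules):
        action = cols[0].split(":")[0]          # drop an optional :loglevel
        rproto = cols[3] if len(cols) > 3 else "all"
        spec = cols[4] if len(cols) > 4 else "-"
        if (zone_matches(cols[1], src) and zone_matches(cols[2], dst)
                and rproto in ("all", proto) and port_matches(spec, port)):
            return action, "rules"              # first matching rule wins
    for cols in records(policy):                # no rule matched: policy file
        if zone_matches(cols[0], src) and zone_matches(cols[1], dst):
            return cols[2], "policy"
    raise LookupError("no policy covers %s -> %s" % (src, dst))


if __name__ == "__main__":
    print(lint_rules("DROP net $FW icmp 808"))   # ["Invalid ICMP type `808'"]
    for query in [("net", "$FW", "tcp", 445), ("net", "$FW", "tcp", 113),
                  ("net", "$FW", "icmp", 8), ("$FW", "net", "tcp", 80)]:
        print(query, disposition(*query))
```

With this policy, inbound 135/137-139/445 from net already end in DROP by policy, which is what the queries show.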
#44 On 24/05/2008 at 11:04
- mafia
Re: Shorewall installation and configuration guide
still nobody
#45 On 25/05/2008 at 19:56
- chaoswizard
Re: Shorewall installation and configuration guide
Sorry, I can't see it...
Ubuntu ==> Debian ==> Archlinux
#46 On 01/06/2008 at 16:13
- mafia
Re: Shorewall installation and configuration guide
yes, I am indeed using an ethernet card + a router, how do I do it, thanks a lot
I'd like to block ports 139, 135, 137, 445. all the dangerous ports :)
Last edited by mafia (01/06/2008 at 21:13)
#47 On 06/06/2008 at 20:15
- mafia
Re: Shorewall installation and configuration guide
debian:~# shorewall start
Compiling...
Initializing...
Determining Zones...
IPv4 Zones: net
Firewall Zone: fw
Validating interfaces file...
Validating hosts file...
Validating Policy file...
Determining Hosts in Zones...
net Zone: eth0:0.0.0.0/0
Pre-processing Actions...
Pre-processing /usr/share/shorewall/action.Drop...
Pre-processing /usr/share/shorewall/action.Reject...
Pre-processing /usr/share/shorewall/action.Limit...
Deleting user chains...
Compiling /etc/shorewall/routestopped ...
Creating Interface Chains...
Compiling Proxy ARP
Compiling NAT...
Compiling NETMAP...
Compiling Common Rules
Adding Anti-smurf Rules
Adding rules for DHCP
Enabling RFC1918 Filtering
Compiling TCP Flags checking...
Compiling Kernel Route Filtering...
Compiling Martian Logging...
Compiling IP Forwarding...
Compiling /etc/shorewall/rules...
Compiling Actions...
Compiling /usr/share/shorewall/action.Drop for Chain Drop...
Compiling /usr/share/shorewall/action.Reject for Chain Reject...
Compiling /etc/shorewall/policy...
Compiling Traffic Control Rules...
Validating /etc/shorewall/tcdevices...
Validating /etc/shorewall/tcclasses...
Compiling Rule Activation...
Compiling Refresh of Black List...
Validating /etc/shorewall/tcdevices...
Validating /etc/shorewall/tcclasses...
Shorewall configuration compiled to /var/lib/shorewall/.start
Starting Shorewall....
Initializing...
Clearing Traffic Control/QOS
Deleting user chains...
Enabling Loopback and DNS Lookups
Creating Interface Chains...
Setting up Proxy ARP...
Setting up one-to-one NAT...
Setting up SMURF control...
Setting up Black List...
Adding Anti-smurf Jumps...
Setting up rules for DHCP...
Setting up RFC1918 Filtering...
Setting up TCP Flags checking...
Setting up ARP filtering...
Setting up Route Filtering...
WARNING: Cannot set route filtering on eth0
Setting up Martian Logging...
WARNING: Cannot set Martian logging on eth0
Setting up Accept Source Routing...
Setting up SYN Flood Protection...
Setting up IPSEC management...
Setting up Rules...
Setting up Actions...
Creating action chain Drop
Creating action chain Reject
Creating action chain dropBcast
Creating action chain dropInvalid
Creating action chain dropNotSyn
Applying Policies...
Setting up TC Rules...
Activating Rules...
done.
#48 On 06/06/2008 at 20:29
- mafia
Re: Shorewall installation and configuration guide
it's sorted, thanks anyway
however, I would like the ports 139 135 138 445 etc
Last edited by mafia (06/06/2008 at 20:31)
#49 On 06/06/2008 at 21:03
- mafia
Re: Shorewall installation and configuration guide
here's my port test, how do I secure 80
Secure
21 (FTP)
This port is completely invisible to the outside world.
Secure
23 (Telnet)
This port is completely invisible to the outside world.
Secure
25 (SMTP Mail Server Port)
This port is completely invisible to the outside world.
Secure
79 (Finger)
This port is completely invisible to the outside world.
Open and Unsecure!
80 (HTTP)
If this computer is not supposed to be acting as a web server you should not have this port open.
Secure
110 (POP3 Mail Server Port)
This port is completely invisible to the outside world.
Secure
139 (Net BIOS)
This port is completely invisible to the outside world.
Secure
143 (IMAP)
This port is completely invisible to the outside world.
Secure
443 (HTTPS)
This port is completely invisible to the outside world.
#50 On 29/10/2009 at 14:54
- deepveryinside
Re: Shorewall installation and configuration guide
Hello,
I'm brand new to Ubuntu.
I just followed the instructions in the first post.
I get a small error, and I can't manage to find the solution:
so I restart: sudo shorewall restart
and it shows me:
Compiling...
Initializing...
Determining Zones...
IPv4 Zones: net
Firewall Zone: fw
Validating interfaces file...
ERROR: Invalid zone (Shorewall) in record "Shorewall version 3.0 - Sample Interfaces File for one-interface configuration."
Terminated
does that mean that I actually have a dual interface? which, if I understood correctly, means two network cards.
Sorry to bother you with something that must surely be simple for you.
Thanks in advance, and I assure you that as a noob I read up as much as I can, but still, a little helping hand from time to time really helps ^^
thanks in advance
(by the way, I'm on a dedibox and I access it over ssh with putty)
ps: I read in another tutorial that the basic configs are in the folder
/usr/share/doc/shorewall/default-config, unfortunately it doesn't exist or it's empty )
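An added example (not code from this thread or from Shorewall): a Python check of an interfaces file against the zones file that reproduces the error in #50, whose quoted record is the sample file's first comment line, i.e. that line has lost its leading '#' and is being read as a record with ZONE "Shorewall". The same check flags the cut-off option on the interfaces line pasted in #39; the option set it knows is only the options seen in this thread, an assumption rather than Shorewall's full list.

```python
# Added example, not code from the thread or from Shorewall: a check of an
# interfaces file against the zones file.  It reproduces the error in #50,
# where the sample file's first header line has lost its leading '#' and so
# is read as a record whose ZONE column is the word "Shorewall".
# KNOWN_OPTIONS is only the set of options that appear in this thread (an
# assumption), not Shorewall's full list.

ZONES = """
#ZONE   TYPE
fw      firewall
net     ipv4
"""

# Constructed: the interfaces file as the error message in #50 implies it looked.
BROKEN_INTERFACES = """
Shorewall version 3.0 - Sample Interfaces File for one-interface configuration.
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      routefilter,dhcp,tcpflags,logmartians,nosmurfs
"""

# The same file with the comment marker restored.
GOOD_INTERFACES = BROKEN_INTERFACES.replace("Shorewall version", "# Shorewall version")

KNOWN_OPTIONS = {"norfc1918", "routefilter", "dhcp", "tcpflags",
                 "logmartians", "nosmurfs", "maclist"}


def records(text):
    """Columns of every non-blank, non-comment line, in file order."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line.split()


def zone_types(zones_text):
    """Map zone name -> TYPE column of the zones file."""
    return {cols[0]: cols[1] for cols in records(zones_text)}


def check_interfaces(interfaces_text, zones_text=ZONES):
    """Return the problems found as strings; an empty list means the file passes."""
    zones = zone_types(zones_text)
    errors = []
    for cols in records(interfaces_text):
        record = " ".join(cols)
        zone = cols[0]
        if zone != "-" and zone not in zones:      # '-' means zone given in hosts
            errors.append('Invalid zone (%s) in record "%s"' % (zone, record))
            continue
        if zones.get(zone) == "firewall":          # $FW has no interface entry
            errors.append('Firewall zone used in record "%s"' % record)
            continue
        if len(cols) < 2:
            errors.append('Missing INTERFACE in record "%s"' % record)
            continue
        options = cols[3].split(",") if len(cols) > 3 and cols[3] != "-" else []
        for opt in options:
            if opt not in KNOWN_OPTIONS:           # catches a cut-off "log$"
                errors.append("Unknown option %r on %s" % (opt, cols[1]))
    return errors


if __name__ == "__main__":
    for err in check_interfaces(BROKEN_INTERFACES):
        print("ERROR:", err)
    print("fixed file:", check_interfaces(GOOD_INTERFACES) or "OK")
```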