mirror of https://github.com/firehol/firehol.git, synced 2024-06-30 19:02:21 +00:00
Initial revision
commit d513cedaf1
examples/home-router.conf (68 added lines, executable file)
@ -0,0 +1,68 @@
version 1

# ----------------------------------------------------------
# Custom Rules

# This is needed because I run a transparent cache.
# The command is not executed right away, it will be processed
# when the firewall will be activated.
# HINT: This is a normal iptables command. Nothing fancy.
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 ! -d 1.1.1.1 -j REDIRECT --to-port 3128


# ----------------------------------------------------------
# Some definitions, you can define whatever you like...
# ----------------------------------------------------------
# The IP address space on our LAN
tsaousis="1.1.1.1/28"

# The tructed IPs from our office
secure="2.2.2.2/32"


# ----------------------------------------------------------
# IMPORTANT NOTE:
# ----------------------------------------------------------
# This script has a very simple rule:
# INPUT or SOURCE (inface, src, etc) always refers to the CLIENT.
# OUTPUT or DESTINATION (outface, dst, etc) always refers to the SERVER.
#
# So, when you say:
# interface ppp0 myname src x.y.z.w/m
# you are matching all CLIENTS comming from ppp0, AND from the x.y.z.w/m network.
#
# Similarly, when you say:
# router myclients inface eth0 outface ppp0
# you are matching all CLIENTS on eth0 trying to use services from ppp0
# while, with:
# router myservers inface ppp0 outface eth0
# you are matching all CLIENTS on ppp0 trying to use services from eth0
# ----------------------------------------------------------

# Give the name "internet" to everything comming from ppp+
# making sure they don't have our LAN IP addresses.
interface ppp+ internet src not "${tsaousis}"
policy drop # This is also the default
protection strong 1/sec 1 # Also, limit incoming reqs to 1/sec

# Public Services
server smtp accept # Yes, we run a mailer
server ident reject # Speed-up idents by rejecting them

# Trusted Services
server ssh accept src "${secure}"

# This is a workstation
client all accept # This machine can ask anything
# For correct accounting, put this last

# Give the name "home" to our local LAN
interface eth0 home
policy accept # Accept everything from/to home


# Give the name "router" to all requests comming from eth0 AND our local IP
# address space, and going out to ppp+
router router inface eth0 outface ppp+ src "${tsaousis}"
policy drop # This is also the default
route all accept # Accept all client from eth0 to ppp+
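Review bot: the comment `# For correct accounting, put this last` is detached from the `client all accept` line it belongs to and sits directly above the `interface eth0 home` block, so it reads as an instruction about that block; make it an inline comment on `client all accept`, as office.conf does. The raw `iptables -t nat -A PREROUTING ... ! -d 1.1.1.1 -j REDIRECT --to-port 3128` rule exempts only the single host 1.1.1.1 from the transparent proxy, while the LAN is declared later as `tsaousis="1.1.1.1/28"`; if LAN-to-LAN web traffic is meant to bypass the cache, define `tsaousis` before the rule and use `! -d ${tsaousis}`. Typos in comments: "tructed" (trusted) and "comming" (coming, three times).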
examples/office.conf (162 added lines, executable file)
@ -0,0 +1,162 @@
# ----------------------------------------------------------
# FireHOL Configuration
#
# Instructions
# ------------
#
# 1. General
# This file is a normal BASH script that gets executed, as any other script.
# You can use all BASH features, including functions, variables, loops, traps,
# etc.
# Please do not use the EXIT trap since the calling script uses it for cleaning
# up temporary files. Also, do not exit from this script using the exit command.
#
#
# 2. Primary Commands
# The following primary commands are supported:
#
# i. interface <real machine interface> <name> [optional rule parameters]
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# The interface command creates an INPUT/OUTPUT firewall on the given interface.
# By default the policy is DROP, so that if no subcommands are given, the
# firewall will just DROP all incoming and outgoing packets using this
# interface.
#
#
# ii. router <name> [optional rule parameters]
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# The router command creates a FORWARD firewall.
#
#
# 3. Sub-Commands
# The following sub-commands can be applied to any primary command.
#
# i. policy <policy name>
# ~~~~~~~~~~~~~~~~~~~~
#
# Policy sets the default policy for the primary command. The default policy is
# DROP. Other policies can include ACCEPT, REJECT, DENY and RETURN.
#
# ii. server <server name> <policy> [optional rule parameters]
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# server is only valid in interfaces, not routers.
#
#
# iii. client <client name> <policy> [optional rule parameters]
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# client is only valid in interfaces, not routers.
#
#
# iv. route <route name> <policy> [optional rule parameters]
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# route is only valid in routers.
#
# 4. Rule parameters
# Most commands and subcommands (where noted) support a set of optional rule
# parameters. The parameters include:
#
# i. src <one or more IPs, subnets, hostnames enclosed in double quotes>
# src defines THE SOURCE OF THE REQUEST. So, for the server subcommand in
# an interface command,src defines the remote clients, while for the
# client subcommmand of the same command, it defines the local system.
# So, SRC matches the hosts that send the requests.
#
# ii. dst <one or more IPs, subnets, hostnames enclosed in double quotes>
# dst matches the hosts that receive the requests and send the replies.
#
# iii. inface <one or more real machines interfaces, in double quotes>
# inface matches the interfaces the requests are received from.
# inface must not be used in interfaces since the program automatically
# generates this.
#
# iv. outface <one or more real machines interfaces, in double quotes>
# outface matches the interfaces the replies are sent to.
# outface must not be used in interfaces since the program automatically
# generate this.
#

version 1

home="1.1.1.1/28"
home_servers="ssh http imap icmp pptp telnet"

intranet="10.0.0.0/16"
itnet="10.0.70.0/24"
personal="10.0.70.33 10.0.70.65 10.0.70.69"

# Define the real eth0 interface.
# Later we will define two logical on the same physical interface.

# Give the name ethernet to eth0
interface eth0 ethernet
policy return # don't drop whatever not matched here, just continue
protection strong

# Public services
server ident reject # prevent timeout on idents
server smtp accept # a mailer
server dhcp accept # a dhcp server


# Give the name intranet to request comming in/replies going out on eth0
# where src/dst (respectivelly) is the intranet LAN.
interface eth0 intranet src "${intranet}"
policy reject # be friendly to the intranet to prevent timeouts

# Allow all ICMP
server icmp accept # the intranet can ping us.

# Intranet Services
server dns accept # the intranet can use our DNS server
server http accept # the web server
server samba accept # the SMB file server

# IT Services, IT is our department
server pop3 accept src "${itnet}"
server imap accept src "${itnet}"
server ssh accept src "${itnet}"
server lpd accept src "${itnet}"
server portmap accept src "${itnet}"
server nfs accept src "${itnet}"

# Personal Services
server mysql accept src "${personal}"

# This is an Intranet workstation
client all accept # To have good accounting, this should be last.


# Give the name internet to all traffic on eth0 not matching the intranet LAN
interface eth0 internet src not "${intranet}"
policy drop # this is also the default

server lpd accept src "3.3.3.3/32" # we print spool for this host

# From my home
for x in ${home_servers}
do
server ${x} accept src "${home}"
done

# This is an Internet workstation too
client all accept # To have good accounting, this should be last.


# Well, I use PPTP to connect to this machine from my home.
# So, I want to use my home services on this interface too.
interface ppp+ home
for x in ${home_servers}
do
server ${x} accept
done

# And when I use PPTP, I want this machine to route me in the intranet
router homerouter inface ppp+ outface eth0
route all accept # route all client requests (and their replies back)


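Review bot: the `interface ppp+ home` block and the `router homerouter inface ppp+ outface eth0` / `route all accept` pair give any ppp+ peer the whole `home_servers` set plus unrestricted forwarding into eth0, whereas the same services on the eth0 `internet` interface are scoped with `src "${home}"`; if the PPTP peer is assigned a known address, add a `src` to both (and a `dst "${intranet}"` on the router) so the tunnel is not a wider door than the public interface. In the header, section 4.iv reads "the program automatically generate this" (generates), 4.i has "subcommmand" (subcommand), and the intranet comment has "comming" and "respectivelly"; section 3 documents `policy`, `server`, `client` and `route` but not `protection`, which the `ethernet` block uses.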
firehol.sh (1801 added lines, executable file)
File diff suppressed because it is too large