sad/firehol
1
0
Fork 0
mirror of https://github.com/firehol/firehol.git synced 2024-06-29 18:32:16 +00:00
Code Issues Packages Projects Releases Wiki Activity
52549e02d7
firehol/examples/server-dmz.conf
ktsaou 4c0c1ff168 *** empty log message ***
2003-01-07 02:03:09 +00:00

113 lines
3.4 KiB
Plaintext
Raw Blame History

#
# $Id: server-dmz.conf,v 1.2 2003/01/07 02:03:09 ktsaou Exp $
#
# CASE:
# Configuration file for a dual path server.
#
# The first network interface is connected to the internet to accept
# requests for services running on this server.
#
# The second network interface is connected to a private LAN, through
# which a number of similar servers communicate with each other.
#
# The server will only be allowed to accept and send specific traffic
# matching the servers and clients defined.
version 5
# ----------------------------------------------------------------------
# The Ethernet interface this server is connected to the Internet.
# You can use more than one (space separated) and if your server
# has many aliases for the same interface, you can use the plus sign
# to match them all (e.g. eth0+).
internet_interface="eth0+"
# Enter here all the IPs your server accepts requests from the internet.
# This variable accepts a space separated list of IPs, hostnames, etc.
# You can leave this empty if you don't want to restrict the IPs traffic
# was targeting.
internet_ips=""
# The servers you wish to run on the internet side of this host.
internet_servers="http smtp"
# The clients you wish to run on the internet side of this host.
internet_clients="dns"
# At what frequency to accept requests from the internet?
internet_requests="100/sec"
# ----------------------------------------------------------------------
# Similar to the internet_interface, but this time for the private one.
private_interface="eth1+"
# Similar to the internet_ips, but this time for the private.
private_ips=""
# The address space of all the servers this host might communicate with,
# in the private LAN.
# Leaving this empty will not check the IPs of the private LAN.
private_subnet=""
# The servers you wish to run on the private side of this host.
private_servers="ssh"
# The clients you wish to run on the private side of this host.
private_clients="http dns icmp"
# At what frequency to accept requests from the private LAN?
private_requests="20/sec"
# ----------------------------------------------------------------------
# Normally, you don't have to edit anything bellow.
# ----------------------------------------------------------------------
# A trick that adds "dst" in front of internet_ips only if it is not
# empty. Otherwise, this does nothing.
unset internet_params
test ! -z "${internet_ips}" && internet_params=(dst "${internet_ips}")
# Internet interface
interface "${internet_interface}" internet \
src not "${UNROUTABLE_IPS}" "${internet_params[@]}"
protection strong ${internet_requests}
# The internet servers
server "${internet_servers}" accept
# The internet clients
client "${internet_clients}" accept
# Speed up idents by rejecting them
server ident reject with tcp-reset
# ----------------------------------------------------------------------
# Fix also the parameters for the private network.
unset private_params
test ! -z "${private_subnet}" && private_params=(src "${private_subnet}")
unset private_params2
test ! -z "${private_ips}" && private_params2=(dst "${private_ips}")
# Private interface
interface "${private_interface}" private \
"${private_params[@]}" "${private_params2[@]}"
protection strong ${private_requests}
# The private servers
server "${private_servers}" accept
# The private clients
client "${private_clients}" accept
# Speed up idents by rejecting them
server ident reject with tcp-reset
Reference in New Issue View Git Blame Copy Permalink