mirror of
https://github.com/firehol/firehol.git
synced 2024-06-29 18:32:16 +00:00
113 lines
3.4 KiB
Plaintext
113 lines
3.4 KiB
Plaintext
#
|
|
# $Id: server-dmz.conf,v 1.2 2003/01/07 02:03:09 ktsaou Exp $
|
|
#
|
|
# CASE:
|
|
# Configuration file for a dual path server.
|
|
#
|
|
# The first network interface is connected to the internet to accept
|
|
# requests for services running on this server.
|
|
#
|
|
# The second network interface is connected to a private LAN, through
|
|
# which a number of similar servers communicate with each other.
|
|
#
|
|
# The server will only be allowed to accept and send specific traffic
|
|
# matching the servers and clients defined.
|
|
|
|
version 5
|
|
|
|
# ----------------------------------------------------------------------
|
|
|
|
# The Ethernet interface this server is connected to the Internet.
|
|
# You can use more than one (space separated) and if your server
|
|
# has many aliases for the same interface, you can use the plus sign
|
|
# to match them all (e.g. eth0+).
|
|
internet_interface="eth0+"
|
|
|
|
# Enter here all the IPs your server accepts requests from the internet.
|
|
# This variable accepts a space separated list of IPs, hostnames, etc.
|
|
# You can leave this empty if you don't want to restrict the IPs traffic
|
|
# was targeting.
|
|
internet_ips=""
|
|
|
|
# The servers you wish to run on the internet side of this host.
|
|
internet_servers="http smtp"
|
|
|
|
# The clients you wish to run on the internet side of this host.
|
|
internet_clients="dns"
|
|
|
|
# At what frequency to accept requests from the internet?
|
|
internet_requests="100/sec"
|
|
|
|
# ----------------------------------------------------------------------
|
|
|
|
# Similar to the internet_interface, but this time for the private one.
|
|
private_interface="eth1+"
|
|
|
|
# Similar to the internet_ips, but this time for the private.
|
|
private_ips=""
|
|
|
|
# The address space of all the servers this host might communicate with,
|
|
# in the private LAN.
|
|
# Leaving this empty will not check the IPs of the private LAN.
|
|
private_subnet=""
|
|
|
|
# The servers you wish to run on the private side of this host.
|
|
private_servers="ssh"
|
|
|
|
# The clients you wish to run on the private side of this host.
|
|
private_clients="http dns icmp"
|
|
|
|
# At what frequency to accept requests from the private LAN?
|
|
private_requests="20/sec"
|
|
|
|
|
|
# ----------------------------------------------------------------------
|
|
# Normally, you don't have to edit anything bellow.
|
|
# ----------------------------------------------------------------------
|
|
|
|
# A trick that adds "dst" in front of internet_ips only if it is not
|
|
# empty. Otherwise, this does nothing.
|
|
unset internet_params
|
|
test ! -z "${internet_ips}" && internet_params=(dst "${internet_ips}")
|
|
|
|
# Internet interface
|
|
interface "${internet_interface}" internet \
|
|
src not "${UNROUTABLE_IPS}" "${internet_params[@]}"
|
|
|
|
protection strong ${internet_requests}
|
|
|
|
# The internet servers
|
|
server "${internet_servers}" accept
|
|
|
|
# The internet clients
|
|
client "${internet_clients}" accept
|
|
|
|
# Speed up idents by rejecting them
|
|
server ident reject with tcp-reset
|
|
|
|
|
|
# ----------------------------------------------------------------------
|
|
|
|
# Fix also the parameters for the private network.
|
|
unset private_params
|
|
test ! -z "${private_subnet}" && private_params=(src "${private_subnet}")
|
|
|
|
unset private_params2
|
|
test ! -z "${private_ips}" && private_params2=(dst "${private_ips}")
|
|
|
|
# Private interface
|
|
interface "${private_interface}" private \
|
|
"${private_params[@]}" "${private_params2[@]}"
|
|
|
|
protection strong ${private_requests}
|
|
|
|
# The private servers
|
|
server "${private_servers}" accept
|
|
|
|
# The private clients
|
|
client "${private_clients}" accept
|
|
|
|
# Speed up idents by rejecting them
|
|
server ident reject with tcp-reset
|
|
|