Contenu | Rechercher | Menus

Annonce

Ubuntu-fr vend de superbes t-shirts et de belles clés USB 32Go
Rendez-vous sur la boutique En Vente Libre

Si vous avez des soucis pour rester connecté, déconnectez-vous puis reconnectez-vous depuis ce lien en cochant la case
Me connecter automatiquement lors de mes prochaines visites.

À propos de l'équipe du forum.

#1 Le 06/06/2006, à 13:06

Early

Guide d'installation et configuration de Shorewall

Installation et configuration du firewall Shorewall Monoposte ("one-interface") pour une seule carte réseau.

Ce tutorial est fortement inspiré du post de chimel qui décrit l'installation de shorewall "two-interfaces" (deux cartes réseaux).
http://forum.ubuntu-fr.org/viewtopic.php?id=32822

I. Installation de Shorewall ( actuellement la dernière version est la 3.0.4-1 ).

- désinstallez éventuellement firestarter
sudo apt-get remove --purge firestarter (ou via Synaptic)

- puis
sudo apt-get install shorewall shorewall-doc (égalemment disponible dans Synaptic)


II. Configuration du parefeu.

1_ Création du fichier de configuration interfaces de shorewall :
sudo gedit /etc/shorewall/interfaces
(copiez le contenu suivant et enregistrez)



#
# Shorewall version 3.0 - Sample Interfaces File for one-interface configuration.
#
# /etc/shorewall/interfaces
#
#	You must add an entry in this file for each network interface on your
#	firewall system.
#
# Columns are:
#
#	ZONE		Zone for this interface. Must match the name of a
#			zone defined in /etc/shorewall/zones. You may not
#			list the firewall zone in this column.
#
#			If the interface serves multiple zones that will be
#			defined in the /etc/shorewall/hosts file, you should
#			place "-" in this column.
#
#			If there are multiple interfaces to the same zone,
#			you must list them in separate entries:
#
#			Example:
#
#				loc	eth1	-	
#				loc	eth2	-
#
#	INTERFACE	Name of interface. Each interface may be listed only
#			once in this file. You may NOT specify the name of
#			an alias (e.g., eth0:0) here; see
#			http://www.shorewall.net/FAQ.htm#faq18
#
#			You may specify wildcards here. For example, if you
#			want to make an entry that applies to all PPP
#			interfaces, use 'ppp+'.
#
#			There is no need to define the loopback	interface (lo)
#			in this file.
#
#	BROADCAST	The broadcast address for the subnetwork to which the
#			interface belongs. For P-T-P interfaces, this
#			column is left blank.If the interface has multiple
#			addresses on multiple subnets then list the broadcast
#			addresses as a comma-separated list.
#
#			If you use the special value "detect", the firewall
#			will detect the broadcast address for you. If you
#			select this option, the interface must be up before
#			the firewall is started, you must have iproute
#			installed.
#
#			If you don't want to give a value for this column but
#			you want to enter a value in the OPTIONS column, enter
#			"-" in this column.
#
#	OPTIONS		A comma-separated list of options including the
#			following:
#
#			dhcp	     - Specify this option when any of
#				       the following are true:
#				       1. the interface gets its IP address
#					  via DHCP
#				       2. the interface is used by
#					  a DHCP server running on the firewall
#				       3. you have a static IP but are on a LAN
#					  segment with lots of Laptop DHCP
#					  clients.
#				       4. the interface is a bridge with
#					  a DHCP server on one port and DHCP
#					  clients on another port.
#
#			norfc1918    - This interface should not receive
#				       any packets whose source is in one
#				       of the ranges reserved by RFC 1918
#				       (i.e., private or "non-routable"
#				       addresses. If packet mangling or
#				       connection-tracking match is enabled in
#				       your kernel, packets whose destination
#				       addresses are reserved by RFC 1918 are
#				       also rejected.
#
#			routefilter  - turn on kernel route filtering for this
#				       interface (anti-spoofing measure). This
#				       option can also be enabled globally in
#				       the /etc/shorewall/shorewall.conf file.
#
#			logmartians  - turn on kernel martian logging (logging
#				       of packets with impossible source
#				       addresses. It is suggested that if you
#				       set routefilter on an interface that
#				       you also set logmartians. This option
#				       may also be enabled globally in the
#				       /etc/shorewall/shorewall.conf file.
#
#			blacklist    - Check packets arriving on this interface
#				       against the /etc/shorewall/blacklist
#				       file.
#
#			maclist	     - Connection requests from this interface
#				       are compared against the contents of
#				       /etc/shorewall/maclist. If this option
#				       is specified, the interface must be
#				       an ethernet NIC and must be up before
#				       Shorewall is started.
#
#			tcpflags     - Packets arriving on this interface are
#				       checked for certain illegal combinations
#				       of TCP flags. Packets found to have
#				       such a combination of flags are handled
#				       according to the setting of
#				       TCP_FLAGS_DISPOSITION after having been
#				       logged according to the setting of
#				       TCP_FLAGS_LOG_LEVEL.
#
#			proxyarp     -
#				Sets
#				/proc/sys/net/ipv4/conf/<interface>/proxy_arp.
#				Do NOT use this option if you are
#				employing Proxy ARP through entries in
#				/etc/shorewall/proxyarp. This option is
#				intended soley for use with Proxy ARP
#				sub-networking as described at:
#				http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet
#
#			routeback    - If specified, indicates that Shorewall
#				       should include rules that allow
#				       filtering traffic arriving on this
#				       interface back out that same interface.
#
#			arp_filter   - If specified, this interface will only
#				       respond to ARP who-has requests for IP
#				       addresses configured on the interface.
#				       If not specified, the interface can
#				       respond to ARP who-has requests for
#				       IP addresses on any of the firewall's
#				       interface. The interface must be up
#				       when Shorewall is started.
#
#			arp_ignore[=<number>]
#				     - If specified, this interface will
#				       respond to arp requests based on the
#				       value of <number>.
#
#				       1 - reply only if the target IP address
#				       is local address configured on the
#				       incoming interface
#
#				       2 - reply only if the target IP address
#				       is local address configured on the
#				       incoming interface and both with the
#				       sender's IP address are part from same
#				       subnet on this interface
#
#				       3 - do not reply for local addresses
#				       configured with scope host, only
#				       resolutions for global and link
#				       addresses are replied
#
#				       4-7 - reserved
#
#				       8 - do not reply for all local
#				       addresses
#
#				       If no <number> is given then the value
#				       1 is assumed
#
#				       WARNING -- DO NOT SPECIFY arp_ignore
#				       FOR ANY INTERFACE INVOLVED IN PROXY ARP.
#
#			nosmurfs     - Filter packets for smurfs
#				       (packets with a broadcast
#				       address as the source).
#
#				       Smurfs will be optionally logged based
#				       on the setting of SMURF_LOG_LEVEL in
#				       shorewall.conf. After logging, the
#				       packets are dropped.
#
#			detectnets   - Automatically taylors the zone named
#				       in the ZONE column to include only those
#				       hosts routed through the interface.
#
#			upnp	     - Incoming requests from this interface
#				       may be remapped via UPNP (upnpd).
#
#			WARNING: DO NOT SET THE detectnets OPTION ON YOUR
#				 INTERNET INTERFACE.
#
#			The order in which you list the options is not
#			significant but the list should have no embedded white
#			space.
#
#	Example 1:	Suppose you have eth0 connected to a DSL modem and
#			eth1 connected to your local network and that your
#			local subnet is 192.168.1.0/24. The interface gets
#			it's IP address via DHCP from subnet
#			206.191.149.192/27. You have a DMZ with subnet
#			192.168.2.0/24 using eth2.
#
#			Your entries for this setup would look like:
#
#			net	eth0	206.191.149.223	dhcp
#			local	eth1	192.168.1.255
#			dmz	eth2	192.168.2.255
#
#	Example 2:	The same configuration without specifying broadcast
#			addresses is:
#
#			net	eth0	detect		dhcp
#			loc	eth1	detect
#			dmz	eth2	detect
#
#	Example 3:	You have a simple dial-in system with no ethernet
#			connections.
#
#			net	ppp0	-
#
# For additional information, see
# http://shorewall.net/Documentation.htm#Interfaces
#
###############################################################################
#ZONE	INTERFACE	BROADCAST	OPTIONS
net     eth0            detect          norfc1918,routefilter,dhcp,tcpflags,logmartians,nosmurfs
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

(IMPORTANT : si votre réseau -ou votre ordinateur- possède une adresse IP statique, supprimez l'option "norfc1918".)


2_ Création du fichier de configuration policy de shorewall :
sudo gedit /etc/shorewall/policy
(copiez le contenu suivant et enregistrez)


#
# Shorewall version 3.0 - Sample Policy File for one-interface configuration.
#
# /etc/shorewall/policy
#
#		     THE ORDER OF ENTRIES IN THIS FILE IS IMPORTANT
#
#	This file determines what to do with a new connection request if we
#	don't get a match from the /etc/shorewall/rules file . For each
#	source/destination pair, the file is processed in order until a
#	match is found ("all" will match any client or server).
#
#	                INTRA-ZONE POLICIES ARE PRE-DEFINED
#
#	For $FW and for all of the zoned defined in /etc/shorewall/zones,
#	the POLICY for connections from the zone to itself is ACCEPT (with no
#	logging or TCP connection rate limiting but may be overridden by an
#	entry in this file. The overriding entry must be explicit (cannot use
#	"all" in the SOURCE or DEST).
#
# Columns are:
#
#	SOURCE		Source zone. Must be the name of a zone defined
#			in /etc/shorewall/zones, $FW or "all".
#
#	DEST		Destination zone. Must be the name of a zone defined
#			in /etc/shorewall/zones, $FW or "all"
#
#	POLICY		Policy if no match from the rules file is found. Must
#			be "ACCEPT", "DROP", "REJECT", "CONTINUE" or "NONE".
#
#			ACCEPT		- Accept the connection
#			DROP		- Ignore the connection request
#			REJECT		- For TCP, send RST. For all other,
#					  send "port unreachable" ICMP.
#			QUEUE		- Send the request to a user-space
#					  application using the QUEUE target.
#			CONTINUE	- Pass the connection request past
#					  any other rules that it might also
#					  match (where the source or
#					  destination zone in those rules is
#					  a superset of the SOURCE or DEST
#					  in this policy).
#			NONE		- Assume that there will never be any
#					  packets from this SOURCE
#					  to this DEST. Shorewall will not set
#					  up any infrastructure to handle such
#					  packets and you may not have any
#					  rules with this SOURCE and DEST in
#					  the /etc/shorewall/rules file. If
#					  such a packet _is_ received, the
#					  result is undefined. NONE may not be
#					  used if the SOURCE or DEST columns
#					  contain the firewall zone ($FW) or
#					  "all".
#
#			If this column contains ACCEPT, DROP or REJECT and a
#			corresponding common action is defined in
#			/etc/shorewall/actions (or
#			/usr/share/shorewall/actions.std) then that action
#			will be invoked before the policy named in this column
#			is enforced.
#
#	LOG LEVEL	If supplied, each connection handled under the default
#			POLICY is logged at that level. If not supplied, no
#			log message is generated. See syslog.conf(5) for a
#			description of log levels.
#
#			Beginning with Shorewall version 1.3.12, you may
#			also specify ULOG (must be in upper case). This will
#			log to the ULOG target and sent to a separate log
#			through use of ulogd
#			(http://www.gnumonks.org/projects/ulogd).
#
#			If you don't want to log but need to specify the
#			following column, place "-" here.
#
#	LIMIT:BURST	If passed, specifies the maximum TCP connection rate
#			and the size of an acceptable burst. If not specified,
#			TCP connections are not limited.
#
# See http://shorewall.net/Documentation.htm#Policy for additional information.
#
###############################################################################
#SOURCE		DEST		POLICY		LOG LEVEL	LIMIT:BURST
$FW		net		ACCEPT
net		all		DROP		info
# The FOLLOWING POLICY MUST BE LAST
all		all		REJECT		info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

3_ Création du fichier de configuration zones de shorewall :
sudo gedit /etc/shorewall/zones
(copiez le contenu suivant et enregistrez)


#
# Shorewall version 3.0 - Sample Zones File for one-interface configuration.
#
# /etc/shorewall/zones
#
#	This file determines your network zones.
#
# Columns are:
#
#	ZONE	Short name of the zone (5 Characters or less in length).
#		The names "all" and "none" are reserved and may not be
#		used as zone names.
#
#		Where a zone is nested in one or more other zones,
#		you may follow the (sub)zone name by ":" and a
#		comma-separated list of the parent zones. The parent
#		zones must have been defined in earlier records in this
#		file.
#
#		Example:
#
#			#ZONE     TYPE     OPTIONS
#			a	  ipv4
#			b	  ipv4
#			c:a,b     ipv4
#
#		Currently, Shorewall uses this information only to reorder the
#		zone list so that parent zones appear after their subzones in
#		the list. In the future, Shorewall may make more extensive use
#		of that information.
#
#	TYPE	ipv4 -	This is the standard Shorewall zone type and is the
#			default if you leave this column empty or if you enter
#			"-" in the column. Communication with some zone hosts
#			may be encrypted. Encrypted hosts are designated using
#			the 'ipsec'option in /etc/shorewall/hosts.
#		ipsec -	Communication with all zone hosts is encrypted
#			Your kernel and iptables must include policy
#			match support.
#		firewall
#		      - Designates the firewall itself. You must have
#			exactly one 'firewall' zone. No options are
#			permitted with a 'firewall' zone. The name that you
#			enter in the ZONE column will be stored in the shell
#			variable $FW which you may use in other configuration
#			files to designate the firewall zone.
#
#	OPTIONS,	A comma-separated list of options as follows:
#	IN OPTIONS,
#	OUT OPTIONS	reqid=<number> where <number> is specified
#			using setkey(8) using the 'unique:<number>
#			option for the SPD level.
#
#			spi=<number> where <number> is the SPI of
#			the SA used to encrypt/decrypt packets.
#
#			proto=ah|esp|ipcomp
#
#			mss=<number> (sets the MSS field in TCP packets)
#
#			mode=transport|tunnel
#
#			tunnel-src=<address>[/<mask>] (only
#			available with mode=tunnel)
#
#			tunnel-dst=<address>[/<mask>] (only
#			available with mode=tunnel)
#
#			strict	Means that packets must match all rules.
#
#			next	Separates rules; can only be used with
#				strict..
#
#		Example:
#			mode=transport,reqid=44
#
#	The options in the OPTIONS column are applied to both incoming
#	and outgoing traffic. The IN OPTIONS are applied to incoming
#	traffic (in addition to OPTIONS) and the OUT OPTIONS are
#	applied to outgoing traffic.
#
#	If you wish to leave a column empty but need to make an entry
#	in a following column, use "-".
#
# THE ORDER OF THE ENTRIES IN THIS FILE IS IMPORTANT IF YOU HAVE NESTED OR
# OVERLAPPING ZONES DEFINED THROUGH /etc/shorewall/hosts.
#
# See http://www.shorewall.net/Documentation.htm#Nested
###############################################################################
#ZONE	TYPE	OPTIONS			IN			OUT
#					OPTIONS			OPTIONS
fw	firewall
net	ipv4
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

4_ Création du fichier de configuration rules de shorewall :
sudo gedit /etc/shorewall/rules
(copiez le contenu suivant et enregistrez)


#
# Shorewall version 3.0 - Sample Rules File for one-interface configuration.
#
# /etc/shorewall/rules
#
#	Rules in this file govern connection establishment. Requests and
#	responses are automatically allowed using connection tracking. For any
#	particular (source,dest) pair of zones, the rules are evaluated in the
#	order in which they appear in this file and the first match is the one
#	that determines the disposition of the request.
#
#	In most places where an IP address or subnet is allowed, you
#	can preceed the address/subnet with "!" (e.g., !192.168.1.0/24) to
#	indicate that the rule matches all addresses except the address/subnet
#	given. Notice that no white space is permitted between "!" and the
#	address/subnet.
#------------------------------------------------------------------------------
# WARNING: If you masquerade or use SNAT from a local system to the internet,
#	   you cannot use an ACCEPT rule to allow traffic from the internet to
#	   that system. You *must* use a DNAT rule instead.
#------------------------------------------------------------------------------
#
# The rules file is divided into sections. Each section is introduced by
# a "Section Header" which is a line beginning with SECTION followed by the
# section name.
#
# Sections are as follows and must appear in the order listed:
#
#	ESTABLISHED		Packets in the ESTABLISHED state are processed
#				by rules in this section.
#
#				The only ACTIONs allowed in this section are
#				ACCEPT, DROP, REJECT, LOG and QUEUE
#
#				There is an implicit ACCEPT rule inserted
#				at the end of this section.
#
#	RELATED			Packets in the RELATED state are processed by
#				rules in this section.
#
#				The only ACTIONs allowed in this section are
#				ACCEPT, DROP, REJECT, LOG and QUEUE
#
#				There is an implicit ACCEPT rule inserted
#				at the end of this section.
#
#	NEW			Packets in the NEW and INVALID states are
#				processed by rules in this section.
#
# WARNING: If you specify FASTACCEPT=Yes in shorewall.conf then the
#	   ESTABLISHED and RELATED sections must be empty.
#
# Note: If you are not familiar with Netfilter to the point where you are
#	comfortable with the differences between the various connection
#	tracking states, then I suggest that you omit the ESTABLISHED and
#	RELATED sections and place all of your rules in the NEW section.
#
# You may omit any section that you don't need. If no Section Headers appear
# in the file then all rules are assumed to be in the NEW section.
#
# Columns are:
#
#	ACTION		ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT, CONTINUE,
#			LOG, QUEUE or an <action>.
#
#				ACCEPT	 -- allow the connection request
#				ACCEPT+	 -- like ACCEPT but also excludes the
#					    connection from any subsequent
#					    DNAT[-] or REDIRECT[-] rules
#				NONAT	 -- Excludes the connection from any
#					    subsequent DNAT[-] or REDIRECT[-]
#					    rules but doesn't generate a rule
#					    to accept the traffic.
#				DROP	 -- ignore the request
#				REJECT	 -- disallow the request and return an
#					    icmp-unreachable or an RST packet.
#				DNAT	 -- Forward the request to another
#					    system (and optionally another
#					    port).
#				DNAT-	 -- Advanced users only.
#					    Like DNAT but only generates the
#					    DNAT iptables rule and not
#					    the companion ACCEPT rule.
#				SAME	 -- Similar to DNAT except that the
#					    port may not be remapped and when
#					    multiple server addresses are
#					    listed, all requests from a given
#					    remote system go to the same
#					    server.
#				SAME-	 -- Advanced users only.
#					    Like SAME but only generates the
#					    NAT iptables rule and not
#					    the companion ACCEPT rule.
#				REDIRECT -- Redirect the request to a local
#					    port on the firewall.
#				REDIRECT-
#					 -- Advanced users only.
#					    Like REDIRET but only generates the
#					    REDIRECT iptables rule and not
#					    the companion ACCEPT rule.
#
#				CONTINUE -- (For experts only). Do not process
#					    any of the following rules for this
#					    (source zone,destination zone). If
#					    The source and/or destination IP
#					    address falls into a zone defined
#					    later in /etc/shorewall/zones, this
#					    connection request will be passed
#					    to the rules defined for that
#					    (those) zone(s).
#				LOG	 -- Simply log the packet and continue.
#				QUEUE	 -- Queue the packet to a user-space
#					    application such as ftwall
#					    (http://p2pwall.sf.net).
#				<action> -- The name of an action defined in
#					    /etc/shorewall/actions or in
#					    /usr/share/shorewall/actions.std.
#				<macro>	 -- The name of a macro defined in a
#					    file named macro.<macro-name>. If
#					    the macro accepts an action
#					    parameter (Look at the macro
#					    source to see if it has PARAM in
#					    the TARGET column) then the macro
#					    name is followed by "/" and the
#					    action (ACCEPT, DROP, REJECT, ...)
#					    to be substituted for the
#					    parameter. Example: FTP/ACCEPT.
#
#			The ACTION may optionally be followed
#			by ":" and a syslog log level (e.g, REJECT:info or
#			DNAT:debug). This causes the packet to be
#			logged at the specified level.
#
#			If the ACTION names an action defined in
#			/etc/shorewall/actions or in
#			/usr/share/shorewall/actions.std then:
#
#			- If the log level is followed by "!' then all rules
#			  in the action are logged at the log level.
#
#			- If the log level is not followed by "!" then only
#			  those rules in the action that do not specify
#			  logging are logged at the specified level.
#
#			- The special log level 'none!' suppresses logging
#			  by the action.
#
#			You may also specify ULOG (must be in upper case) as a
#			log level.This will log to the ULOG target for routing
#			to a separate log through use of ulogd
#			(http://www.gnumonks.org/projects/ulogd).
#
#			Actions specifying logging may be followed by a
#			log tag (a string of alphanumeric characters)
#			are appended to the string generated by the
#			LOGPREFIX (in /etc/shorewall/shorewall.conf).
#
#			Example: ACCEPT:info:ftp would include 'ftp '
#			at the end of the log prefix generated by the
#			LOGPREFIX setting.
#
#	SOURCE		Source hosts to which the rule applies. May be a zone
#			defined in /etc/shorewall/zones, $FW to indicate the
#			firewall itself, "all", "all+" or "none" If the ACTION
#			is DNAT	or REDIRECT, sub-zones of the specified zone
#			may be excluded from the rule by following the zone
#			name with "!' and a comma-separated list of sub-zone
#			names.
#
#			When "none" is used either in the SOURCE or DEST
#			column, the rule is ignored.
#
#			When "all" is used either in the SOURCE or DEST column
#			intra-zone traffic is not affected. When "all+" is
#			used, intra-zone traffic is affected.
#
#			Except when "all[+]" is specified, clients may be
#			further restricted to a list of subnets and/or hosts by
#			appending ":" and a comma-separated list of subnets
#			and/or hosts. Hosts may be specified by IP or MAC
#			address; mac addresses must begin with "~" and must use
#			"-" as a separator.
#
#			Hosts may be specified as an IP address range using the
#			syntax <low address>-<high address>. This requires that
#			your kernel and iptables contain iprange match support.
#			If you kernel and iptables have ipset match support
#			then you may give the name of an ipset prefaced by "+".
#			The ipset name may be optionally followed by a number
#			from 1 to 6 enclosed in square brackets ([]) to
#			indicate the number of levels of source bindings to be
#			matched.
#
#			dmz:192.168.2.2		Host 192.168.2.2 in the DMZ
#
#			net:155.186.235.0/24	Subnet 155.186.235.0/24 on the
#						Internet
#
#			loc:192.168.1.1,192.168.1.2
#						Hosts 192.168.1.1 and
#						192.168.1.2 in the local zone.
#			loc:~00-A0-C9-15-39-78	Host in the local zone with
#						MAC address 00:A0:C9:15:39:78.
#
#			net:192.0.2.11-192.0.2.17
#						Hosts 192.0.2.11-192.0.2.17 in
#						the net zone.
#
#			Alternatively, clients may be specified by interface
#			by appending ":" to the zone name followed by the
#			interface name. For example, loc:eth1 specifies a
#			client that communicates with the firewall system
#			through eth1. This may be optionally followed by
#			another colon (":") and an IP/MAC/subnet address
#			as described above (e.g., loc:eth1:192.168.1.5).
#
#	DEST		Location of Server. May be a zone defined in
#			/etc/shorewall/zones, $FW to indicate the firewall
#			itself, "all". "all+" or "none".
#
#			When "none" is used either in the SOURCE or DEST
#			column, the rule is ignored.
#
#			When "all" is used either in the SOURCE or DEST column
#			intra-zone traffic is not affected. When "all+" is
#			used, intra-zone traffic is affected.
#
#			Except when "all[+]" is specified, the server may be
#			further restricted to a particular subnet, host or
#			interface by appending ":" and the subnet, host or
#			interface. See above.
#
#				Restrictions:
#
#				1. MAC addresses are not allowed.
#				2. In DNAT rules, only IP addresses are
#				   allowed; no FQDNs or subnet addresses
#				   are permitted.
#				3. You may not specify both an interface and
#				   an address.
#
#			Like in the SOURCE column, you may specify a range of
#			up to 256 IP addresses using the syntax
#			<first ip>-<last ip>. When the ACTION is DNAT or DNAT-,
#			the connections will be assigned to addresses in the
#			range in a round-robin fashion.
#
#			If you kernel and iptables have ipset match support
#			then you may give the name of an ipset prefaced by "+".
#			The ipset name may be optionally followed by a number
#			from 1 to 6 enclosed in square brackets ([]) to
#			indicate the number of levels of destination bindings
#			to be matched. Only one of the SOURCE and DEST columns
#			may specify an ipset name.
#
#			The port that the server is listening on may be
#			included and separated from the server's IP address by
#			":". If omitted, the firewall will not modifiy the
#			destination port. A destination port may only be
#			included if the ACTION is DNAT or REDIRECT.
#
#			Example: loc:192.168.1.3:3128 specifies a local
#			server at IP address 192.168.1.3 and listening on port
#			3128. The port number MUST be specified as an integer
#			and not as a name from /etc/services.
#
#			if the ACTION is REDIRECT, this column needs only to
#			contain the port number on the firewall that the
#			request should be redirected to.
#
#	PROTO		Protocol - Must be "tcp", "udp", "icmp", "ipp2p",
#                       "ipp2p:udp", "ipp2p:all" a number, or "all".
#                       "ipp2p*" requires ipp2p match support in your kernel
#                       and iptables.
#
#	DEST PORT(S)	Destination Ports. A comma-separated list of Port
#			names (from /etc/services), port numbers or port
#			ranges; if the protocol is "icmp", this column is
#			interpreted as the destination icmp-type(s).
#
#			If the protocol is ipp2p, this column is interpreted
#			as an ipp2p option without the leading "--" (example
#			"bit" for bit-torrent). If no port is given, "ipp2p" is
#			assumed.
#
#			A port range is expressed as <low port>:<high port>.
#
#			This column is ignored if PROTOCOL = all but must be
#			entered if any of the following ields are supplied.
#			In that case, it is suggested that this field contain
#			 "-"
#
#			If your kernel contains multi-port match support, then
#			only a single Netfilter rule will be generated if in
#			this list and the CLIENT PORT(S) list below:
#			1. There are 15 or less ports listed.
#			2. No port ranges are included.
#			Otherwise, a separate rule will be generated for each
#			port.
#
#	CLIENT PORT(S)	(Optional) Port(s) used by the client. If omitted,
#			any source port is acceptable. Specified as a comma-
#			separated list of port names, port numbers or port
#			ranges.
#
#			If you don't want to restrict client ports but need to
#			specify an ORIGINAL DEST in the next column, then
#			place "-" in this column.
#
#			If your kernel contains multi-port match support, then
#			only a single Netfilter rule will be generated if in
#			this list and the DEST PORT(S) list above:
#			1. There are 15 or less ports listed.
#			2. No port ranges are included.
#			Otherwise, a separate rule will be generated for each
#			port.
#
#	ORIGINAL DEST	(0ptional) -- If ACTION is DNAT[-] or REDIRECT[-]
#			then if included and different from the IP
#			address given in the SERVER column, this is an address
#			on some interface on the firewall and connections to
#			that address will be forwarded to the IP and port
#			specified in the DEST column.
#
#			A comma-separated list of addresses may also be used.
#			This is usually most useful with the REDIRECT target
#			where you want to redirect traffic destined for
#			particular set of hosts.
#
#			Finally, if the list of addresses begins with "!" then
#			the rule will be followed only if the original
#			destination address in the connection request does not
#			match any of the addresses listed.
#
#			For other actions, this column may be included and may
#			contain one or more addresses (host or network)
#			separated by commas. Address ranges are not allowed.
#			When this column is supplied, rules are generated
#			that require that the original destination address
#			matches one of the listed addresses. This feature is
#			most useful when you want to generate a filter rule
#			that corresponds to a DNAT- or REDIRECT- rule. In this
#			usage, the list of addresses should not begin with "!".
#
#			See http://shorewall.net/PortKnocking.html for an
#			example of using an entry in this column with a
#			user-defined action rule.
#
#	RATE LIMIT	You may rate-limit the rule by placing a value in
#			this colume:
#
#				<rate>/<interval>[:<burst>]
#
#			where <rate> is the number of connections per
#			<interval> ("sec" or "min") and <burst> is the
#			largest burst permitted. If no <burst> is given,
#			a value of 5 is assumed. There may be no
#			no whitespace embedded in the specification.
#
#				Example: 10/sec:20
#
#	USER/GROUP	This column may only be non-empty if the SOURCE is
#			the firewall itself.
#
#			The column may contain:
#
#	[!][<user name or number>][:<group name or number>][+<program name>]
#
#			When this column is non-empty, the rule applies only
#			if the program generating the output is running under
#			the effective <user> and/or <group> specified (or is
#			NOT running under that id if "!" is given).
#
#			Examples:
#
#				joe	#program must be run by joe
#				:kids	#program must be run by a member of
#					#the 'kids' group
#				!:kids	#program must not be run by a member
#					#of the 'kids' group
#				+upnpd	#program named upnpd (This feature was
#					#removed from Netfilter in kernel
#					#version 2.6.14).
#
#	Example: Accept SMTP requests from the DMZ to the internet
#
#	#ACTION SOURCE	DEST PROTO	DEST	SOURCE	ORIGINAL
#	#				PORT	PORT(S) DEST
#	ACCEPT	dmz	net	  tcp	smtp
#
#	Example: Forward all ssh and http connection requests from the
#		 internet to local system 192.168.1.3
#
#	#ACTION SOURCE	DEST		PROTO	DEST	SOURCE	ORIGINAL
#	#					PORT	PORT(S) DEST
#	DNAT	net	loc:192.168.1.3 tcp	ssh,http
#
#	Example: Forward all http connection requests from the internet
#		 to local system 192.168.1.3 with a limit of 3 per second and
#		 a maximum burst of 10
#
#	#ACTION SOURCE DEST	       PROTO  DEST  SOURCE  ORIGINAL RATE
#	#				      PORT  PORT(S) DEST     LIMIT
#	DNAT	net    loc:192.168.1.3 tcp    http  -	    -	     3/sec:10
#
#	Example: Redirect all locally-originating www connection requests to
#		 port 3128 on the firewall (Squid running on the firewall
#		 system) except when the destination address is 192.168.2.2
#
#	#ACTION	 SOURCE	DEST	  PROTO	DEST	SOURCE	ORIGINAL
#	#				PORT	PORT(S) DEST
#	REDIRECT loc	3128	  tcp	www	 -	!192.168.2.2
#
#	Example: All http requests from the internet to address
#		 130.252.100.69 are to be forwarded to 192.168.1.3
#
#	#ACTION	 SOURCE	DEST		PROTO	DEST	SOURCE	ORIGINAL
#	#					PORT	PORT(S) DEST
#	DNAT	  net	loc:192.168.1.3 tcp	80	-	130.252.100.69
#
#	Example: You want to accept SSH connections to your firewall only
#		 from internet IP addresses 130.252.100.69 and 130.252.100.70
#
#	#ACTION	 SOURCE	DEST		PROTO	DEST	SOURCE	ORIGINAL
#	#					PORT	PORT(S) DEST
#	ACCEPT	 net:130.252.100.69,130.252.100.70 $FW \
#					tcp	22
#############################################################################################################
#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/
#							PORT	PORT(S)		DEST		LIMIT		GROUP

# Reject Ping from the "bad" net zone.. and prevent your log from being flooded..

Ping/REJECT	net		$FW

# Permit all ICMP traffic FROM the firewall TO the net zone

ACCEPT		$FW		net		icmp		

#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

5_ Adaptez le fichier rules à vos besoins :
Le fonctionnement de shorewall est assez simple, dans un premier temps il rejette tout ce qui vient d'internet, puis on ajoute des exceptions dans le fichier rules pour ouvrir des ports par exemple.

- Tout d'abord, dans cette configuration, le port 113 (concerne l'identité) n'est pas masqué, pour y remedier:
sudo gedit /etc/shorewall/rules et insérez dans le fichier ce qui suit
(avant la ligne "#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE" tongue)

# Masquer identité
DROP		net		$FW		tcp		113

explication : on va ignorer (DROP) les paquets provenant du "net" à destination du firewall ($FW) utilisant le protocole tcp sur le port 113.

Modifications supplémentaires (facultatives) :

- Ouvrir les ports pour aMule ( il s'agit des ports par default souvent bridés! )

# aMule
ACCEPT		net		$FW		tcp		4662
ACCEPT		$FW		net		tcp		4662
ACCEPT		net		$FW		udp		4672
ACCEPT		$FW		net		udp		4672
ACCEPT		net		$FW		udp		4665
ACCEPT		$FW		net		udp		4665

- Ouvrir les ports pour un ftp en mode passif

# Ftp en mode passif
ACCEPT          net             $FW             tcp             21
ACCEPT          $FW             net             tcp             21
ACCEPT          net             $FW             tcp             50000:50100
ACCEPT          $FW             net             tcp             50000:50100

explication : pour ouvrir un plage de ports utilisez le symbole ":", ici la plage de ports 50000 à 50100 est ouverte.


6_ Activer shorewall au démarrage du système :
sudo gedit /etc/default/shorewall et remplacez "startup=0" par "startup=1"


7_ Lancer shorewall :
sudo shorewall start

(Important : verifiez que le log de démarrage n'affiche pas d'erreur(s) lors de l'activation des règles.)


8_ Relancer shorewall après une modification :
sudo shorewall restart


## Tester son firewall :
https://www.grc.com/x/ne.dll?bh0bkyd2
http://probe.hackerwatch.org/probe/probe.asp


## Plus d'infos sur shorewall :
http://www.shorewall.net/standalone_fr.html

##################################################################

Bonjour à tous, je souhaite réaliser un mini tutorial concernant l'installation et la configuration de Shorewall, voici un premier éssai.
J'attends vos remarques, corréctions afin d'améliorer ce document
Merci d'avance

Edit : amélioration mise en page, changement balises quote -> code, corréction fautes.

Dernière modification par Early (Le 10/06/2006, à 18:19)

Hors ligne

#2 Le 06/06/2006, à 14:08

Link31

Re : Guide d'installation et configuration de Shorewall

Qu'est-ce que ce post fait dans l'éphémère ? Si tu remplaçais tes quotes par des balises code ça serait parfait pour la rubrique Trucs et astuces !

edit : ah, il est mieux ici smile

Dernière modification par Link31 (Le 06/06/2006, à 16:05)

Hors ligne

#3 Le 06/06/2006, à 15:40

kidlimonade

Re : Guide d'installation et configuration de Shorewall

un  post comme on les aime merci


asus zenbook ux31a

Hors ligne

#4 Le 07/06/2006, à 09:31

Haddock

Re : Guide d'installation et configuration de Shorewall

smile
pareil que le monsieur plus haut
merci beaucoup


Toutes voiles dehors pour le Libre, mille sabords !

Hors ligne

#5 Le 07/06/2006, à 14:01

Early

Re : Guide d'installation et configuration de Shorewall

smilebig_smile

Hors ligne

#6 Le 10/06/2006, à 10:46

patgrysli

Re : Guide d'installation et configuration de Shorewall

Salut,
J'avais déja tenté d'y comprendre quelques choses,mais sans succès,en suivant ton tuto a la lettre,shorewall fonctionne plutot bien,j'ai cependant un port litigeux
(voir snapshoot) c'est le port ftp que tu conseil de modifier .
Qu'en dites vous?
http://img90.imageshack.us/my.php?image=capture4ja.png
@+

Hors ligne

#7 Le 10/06/2006, à 13:08

Early

Re : Guide d'installation et configuration de Shorewall

Salut patgrysli

En regardant ton screenshot, le résultat par rapport à ton port 21 signifie que ton port est ouvert mais qu'aucun programme (ftp) n'accèpte de connection sur ce port.

Si j'ai bien compris, tu ne souhaites pas installer de serveur ftp :

A ce moment la tu n'a pas besoin de rajouter le paragraphe concernant le ftp dans mon tuto.
Ou bien tu commentes ces lignes pour qu'elles ne soit pas prises en compte, ou tu les supprimes.

Pour cela sudo gedit /etc/shorewall/rules puis commenter (ou supprimer) les lignes suivantes :

# Ftp en mode passif
# ACCEPT          net             $FW             tcp             21
# ACCEPT          $FW             net             tcp             21
# ACCEPT          net             $FW             tcp             50000:50100
# ACCEPT          $FW             net             tcp             50000:50100

Redémarrer ensuite Shorewall : sudo shorewall restart
Faire un nouveau test et constater que le port 21 est à présent masqué!

Dernière modification par Early (Le 10/06/2006, à 13:09)

Hors ligne

#8 Le 10/06/2006, à 15:19

patgrysli

Re : Guide d'installation et configuration de Shorewall

Salut,
Je les avais enlevés,puis remis,je les réenleves smile
Hormis(ftp )t'as vu?complètement invisible!
J'aurais du faire le test sans shorewall,juste pour me faire une idée.
tuto incontournable,qui me permet de  toucher du bout de mes gros doigts
au réglages les plus intimes d'ubuntu.
[edit]
J'imagine que comme pour amule ,bittorent a besoin de ports ouverts ,
je suis passé par google http://www.teknophobe.com/aide/10_bitto … 15_fr.html
c'est un peu confus pour moi,on parle d'un puis de plusieurs port a ouvrir selon l'ancienneté de l'apli,
un conseil?
@+

Dernière modification par patgrysli (Le 10/06/2006, à 16:02)

Hors ligne

#9 Le 10/06/2006, à 18:09

Early

Re : Guide d'installation et configuration de Shorewall

re patgrysli,

En effet en suivant cette config, ton pc est completement masqué, il ne reponds pas non plus aux requetes de ping, il offre donc un bon niveau de protéction.

De plus il est facile d'ouvrir ou de refermer des ports, voire des plages de ports, grâce au fichier /etc/shorewall/rules.

Pour tester ta protection sans le parefeu :

sudo shorewall stop

puis

sudo shorewall start

En ce qui concerne bittorent, ben.. j'y connais rien!! Mais, comme tu le dis, la démarche reste la même que mon exemple pour amule, reste à trouver les bons ports utilisés par ce client tongue

Hors ligne

#10 Le 11/06/2006, à 09:23

patgrysli

Re : Guide d'installation et configuration de Shorewall

salut,
J'ai refais les 2 tests après avoir arrêté shorewall comme décrit ci-dessus
et ils sont ok ,vert de chez vert ???
J'ai également lu,qu'après une install de shorewall,il y avait des problèmes avec freebox et que le fait d'arrêter le daemon ne les résolvais pas,continuerais t'il a tourner en tache de fond?
sinon pour bittorent j'ai rajouté ceci aux règles

#bittorent

ACCEPT        net        $FW        tcp        6881 - 6889
ACCEPT        $FW        net         tcp       6881 - 6889

sans résultats. hmm

[edit] rectification bittorent fonctionne ainsi  smile

amicalement patte

Dernière modification par patgrysli (Le 12/06/2006, à 08:17)

Hors ligne

#11 Le 12/06/2006, à 11:16

patgrysli

Re : Guide d'installation et configuration de Shorewall

Salut,
J'ai préféré refaire un post plutôt que d'éditer le précédant.
J'ai refais un test après avoir désinstallé shorewall et le résultat est plus que surprenant(pour moi smile )je vous met une copie du résultat sans le pare-feu http://img121.imageshack.us/my.php?image=capture6hk.png.
En revoici une,shorewall lancé et bien configuré http://img77.imageshack.us/my.php?image … re15ur.png
Mes connaissances ne me permette pas de savoir si le fait que les ports soient juste fermés ou alors comme dans mon cas invisibles (merci a early et aux autres )porte vraiment a conséquence,ayant entendu,plus que souvent,que sous linux il ne devrait pas y avoir de soucis sans pare-feu.

Hors ligne

#12 Le 15/06/2006, à 10:52

Haddock

Re : Guide d'installation et configuration de Shorewall

Early je tenais encore à te remercier : ton tuto est vraiment formidable !
J'ai tout compris et réussi du premier coup.
Du coup, tu as droit à une reconnaissance éternelle. wink

EDIT : euh... peut être mon enthousiastomètre s'est emballé trop vite smile
je ne peux plus me connecter aux machines W$ sur le Lan via parcourir le réseau/réseau W$
Serait-ce lui qui bloque ?

Dernière modification par Haddock (Le 15/06/2006, à 12:42)


Toutes voiles dehors pour le Libre, mille sabords !

Hors ligne

#13 Le 15/06/2006, à 11:31

bruno

Re : Guide d'installation et configuration de Shorewall

Shorewall est excellent et tout est très bien documenté avec les traductions en français et les fichiers de config à télécharger sur le site officiel

En particulier le tuto pour une machine a une seule interface (standalone)

ou pour une machine à deux interfaces(routeur/parefeu)

Hors ligne

#14 Le 18/06/2006, à 12:41

patgrisly

Re : Guide d'installation et configuration de Shorewall

Salut,
Une petite correction a propos de bittorrent.
Suite a une réinstallation complète d'ubuntu et de shorewall,
je n'ai pas dut écrire de règles pour bittorrent pour ça fonctionne!
je suis en train de récupérer le dvd knopix a 1050 kb/s.

Hors ligne

#15 Le 23/06/2006, à 00:37

Vinvin2021

Re : Guide d'installation et configuration de Shorewall

Merci Early pour ton tutorial !
Depuis le temps que je souhaitais améliorer la sécurité de ma bécane sans devoir apprendre les règles de iptable ! smile

Le comportement de shorewall est étrange chez moi : lorsqu'il est lancé (sudo shorewall start), ma connexion internet semble coupée : plus rien ne marche, même pas le ping de google.fr
Je stoppe alors shorewall (sudo shorewall stop) : la connexion à internet revient.

De plus, après avoir éteint shorewall, les « règles » semblent avoir été mémorisées, car je passe les tests :
https://www.grc.com/x/ne.dll?bh0bkyd2
http://probe.hackerwatch.org/probe/probe.asp
avec succès, alors que j'échouais systématiquement quand shorewall n'était pas installé.

Observez-vous le même genre de comportement chez vous ?
Votre connexion à internet fonctionne-t-elle après un « sudo shorewall start » ?
Les règles par défaut sont-elles trop restrictives ?

Vinvin

Hors ligne

#16 Le 23/06/2006, à 08:10

patgrisly

Re : Guide d'installation et configuration de Shorewall

Salut,
Ca ne vas pas t'aider beaucoup
mais en dhcp,je n'ai eu aucun soucis de connection .
Pas de soucis ,non plus pour "sudo shorewall start"

Hors ligne

#17 Le 23/06/2006, à 17:14

Vinvin2021

Re : Guide d'installation et configuration de Shorewall

Mince ! Je patauge toujours ... neutral
Pour info, pourriez-vous poster les logs de démarrage qui s'affichent quand vous tapez « sudo shorewall start » ?
Merci d'avance !

Hors ligne

#18 Le 24/06/2006, à 09:14

patgrisly

Re : Guide d'installation et configuration de Shorewall

Salut vinvin,
voila le log demandé,
quelle genre de connection as-tu?

patte@ordinaire:~$ sudo shorewall restart
Loading /usr/share/shorewall/functions...
Processing /etc/shorewall/shorewall.conf...
Loading Modules...
Restarting Shorewall...
Initializing...
Shorewall has detected the following iptables/netfilter capabilities:
   NAT: Available
   Packet Mangling: Available
   Multi-port Match: Available
   Extended Multi-port Match: Available
   Connection Tracking Match: Available
   Packet Type Match: Available
   Policy Match: Not available
   Physdev Match: Available
   IP range Match: Available
   Recent Match: Available
   Owner Match: Available
   Ipset Match: Not available
   CONNMARK Target: Available
   Connmark Match: Available
   Raw Table: Available
   CLASSIFY Target: Available
Determining Zones...
   IPv4 Zones: Code net
   Firewall Zone: fw
Validating interfaces file...
Validating hosts file...
Validating Policy file...
Determining Hosts in Zones...
   WARNING: Zone Code is empty
   net Zone: eth0:0.0.0.0/0
Pre-processing Actions...
   Pre-processing /usr/share/shorewall/action.Drop...
   ..Expanding Macro /usr/share/shorewall/macro.Auth...
   ..End Macro
   ..Expanding Macro /usr/share/shorewall/macro.AllowICMPs...
   ..End Macro
   ..Expanding Macro /usr/share/shorewall/macro.SMB...
   ..End Macro
   ..Expanding Macro /usr/share/shorewall/macro.DropUPnP...
   ..End Macro
   ..Expanding Macro /usr/share/shorewall/macro.DropDNSrep...
   ..End Macro
   Pre-processing /usr/share/shorewall/action.Reject...
   Pre-processing /usr/share/shorewall/action.Limit...
Deleting user chains...
Processing /etc/shorewall/routestopped ...
Creating Interface Chains...
Configuring Proxy ARP
Setting up NAT...
Setting up NETMAP...
Adding Common Rules
Adding Anti-smurf Rules
Adding rules for DHCP
Enabling RFC1918 Filtering
Setting up TCP Flags checking...
Setting up Kernel Route Filtering...
Setting up Martian Logging...
Setting up IPSEC...
Processing /etc/shorewall/rules...
..Expanding Macro /usr/share/shorewall/macro.Ping...
   Rule "REJECT net fw icmp 8 - - - -" added.
..End Macro
   Rule "ACCEPT fw net icmp     " added.
   Rule "DROP net fw tcp 113    " added.
   Rule "ACCEPT net fw tcp 7629    " added.
   Rule "ACCEPT fw net tcp 7629    " added.
   Rule "ACCEPT net fw udp 7639    " added.
   Rule "ACCEPT fw net udp 7639    " added.
   Rule "ACCEPT net fw tcp 7632    " added.
   Rule "ACCEPT fw net tcp 7632    " added.
Processing Actions...
   Generating Transitive Closure of Used-action List...
Processing /usr/share/shorewall/action.Drop for Chain Drop...
..Expanding Macro /usr/share/shorewall/macro.Auth...
   Rule "REJECT - - tcp 113 -  -" added.
..End Macro
   Rule "dropBcast       " added.
..Expanding Macro /usr/share/shorewall/macro.AllowICMPs...
   Rule "ACCEPT - - icmp fragmentation-needed -  -" added.
   Rule "ACCEPT - - icmp time-exceeded -  -" added.
..End Macro
   Rule "dropInvalid       " added.
..Expanding Macro /usr/share/shorewall/macro.SMB...
   Rule "DROP - - udp 135,445 -  -" added.
   Rule "DROP - - udp 137:139 -  -" added.
   Rule "DROP - - udp 1024: 137  -" added.
   Rule "DROP - - tcp 135,139,445 -  -" added.
..End Macro
..Expanding Macro /usr/share/shorewall/macro.DropUPnP...
   Rule "DROP - - udp 1900 -  -" added.
..End Macro
   Rule "dropNotSyn - - tcp    " added.
..Expanding Macro /usr/share/shorewall/macro.DropDNSrep...
   Rule "DROP - - udp - 53  -" added.
..End Macro
Processing /usr/share/shorewall/action.Reject for Chain Reject...
..Expanding Macro /usr/share/shorewall/macro.Auth...
   Rule "REJECT - - tcp 113 -  -" added.
..End Macro
   Rule "dropBcast       " added.
..Expanding Macro /usr/share/shorewall/macro.AllowICMPs...
   Rule "ACCEPT - - icmp fragmentation-needed -  -" added.
   Rule "ACCEPT - - icmp time-exceeded -  -" added.
..End Macro
   Rule "dropInvalid       " added.
..Expanding Macro /usr/share/shorewall/macro.SMB...
   Rule "REJECT - - udp 135,445 -  -" added.
   Rule "REJECT - - udp 137:139 -  -" added.
   Rule "REJECT - - udp 1024: 137  -" added.
   Rule "REJECT - - tcp 135,139,445 -  -" added.
..End Macro
..Expanding Macro /usr/share/shorewall/macro.DropUPnP...
   Rule "DROP - - udp 1900 -  -" added.
..End Macro
   Rule "dropNotSyn - - tcp    " added.
..Expanding Macro /usr/share/shorewall/macro.DropDNSrep...
   Rule "DROP - - udp - 53  -" added.
..End Macro
Processing /etc/shorewall/policy...
   Policy ACCEPT for fw to net using chain fw2net
   Policy DROP for net to fw using chain net2all
Setting up Traffic Control Rules...
Validating /etc/shorewall/tcdevices...
Validating /etc/shorewall/tcclasses...
Activating Rules...
Shorewall Restarted

Dernière modification par patgrisly (Le 24/06/2006, à 09:14)

Hors ligne

#19 Le 24/06/2006, à 09:24

Vinvin2021

Re : Guide d'installation et configuration de Shorewall

Merci de ton aide Patgrisly smile

J'ai une connexion par une carte ethernet reliée à un simple modem (pas un routeur). J'ai configuré ma connexion avec pppoeconf. Il semble que je dois adapter le fichier /etc/shorewall/interfaces comme expliqué ici.
Je poursuis les tests ... tongue

Hors ligne

#20 Le 24/06/2006, à 10:01

patgrisly

Re : Guide d'installation et configuration de Shorewall

De rien smile
C'est un lien que j'avais déjà parcouru,
il faut éditer comme tu le dis /etc/shorewall/interfaces

sudo gedit /etc/shorewall/interfaces

et mettre un tirait a la place de detect.
Dis nous si tu as réussi ,
ça auras le mérite de rendre ce tuto plus complet.
@+[edit]Quand je regarde mon log plus haut ,je vois une erreur

WARNING: Zone Code is empty
   net Zone: eth0:0.0.0.0/0

tout a l'air de fonctionner nickel,mais dans le but d'approfondir,j'aimerais savoir à quoi c'est dut .
re@ +

Dernière modification par patgrisly (Le 24/06/2006, à 10:07)

Hors ligne

#21 Le 24/06/2006, à 21:47

Vinvin2021

Re : Guide d'installation et configuration de Shorewall

Bon, il y a du mieux ! big_smile
Conformément à la documentation, j'ai adapté le fichier /etc/shorewall/interfaces à ma connexion internet (pas de routeur, la carte ethernet est reliée à un simple modem, la connexion est paramétrée avec pppoeconf).

Voici donc la fin du fichier interfaces :

#
###############################################################################
#ZONE    INTERFACE    BROADCAST    OPTIONS
net     ppp0            -          norfc1918,routefilter,tcpflags,logmartians,nosmurfs
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Dans le répertoire /usr/share/shorewall, j'ai supprimé les macros, à l'exception des 6 macros suivantes : macro.AllowICMP macro.Auth macro.DropDNSrep macro.DropUPnP macro.Ping macro.SMB

Et voici le logs de démarrage qui s'affiche quand je tape « sudo shorewall start » :

Loading /usr/share/shorewall/functions...
Processing /etc/shorewall/shorewall.conf...
Loading Modules...
Starting Shorewall...
Initializing...
Shorewall has detected the following iptables/netfilter capabilities:
   NAT: Available
   Packet Mangling: Available
   Multi-port Match: Available
   Extended Multi-port Match: Available
   Connection Tracking Match: Available
   Packet Type Match: Available
   Policy Match: Not available
   Physdev Match: Available
   IP range Match: Available
   Recent Match: Available
   Owner Match: Available
   Ipset Match: Not available
   CONNMARK Target: Available
   Connmark Match: Available
   Raw Table: Available
   CLASSIFY Target: Available
Determining Zones...
   IPv4 Zones: net
   Firewall Zone: fw
Validating interfaces file...
Validating hosts file...
Validating Policy file...
Determining Hosts in Zones...
   net Zone: ppp0:0.0.0.0/0
Pre-processing Actions...
   Pre-processing /usr/share/shorewall/action.Drop...
   ..Expanding Macro /usr/share/shorewall/macro.Auth...
   ..End Macro
   ..Expanding Macro /usr/share/shorewall/macro.AllowICMPs...
   ..End Macro
   ..Expanding Macro /usr/share/shorewall/macro.SMB...
   ..End Macro
   ..Expanding Macro /usr/share/shorewall/macro.DropUPnP...
   ..End Macro
   ..Expanding Macro /usr/share/shorewall/macro.DropDNSrep...
   ..End Macro
   Pre-processing /usr/share/shorewall/action.Reject...
   Pre-processing /usr/share/shorewall/action.Limit...
Deleting user chains...
Processing /etc/shorewall/routestopped ...
Creating Interface Chains...
Configuring Proxy ARP
Setting up NAT...
Setting up NETMAP...
Adding Common Rules
Adding Anti-smurf Rules
Enabling RFC1918 Filtering
Setting up TCP Flags checking...
Setting up Kernel Route Filtering...
Setting up Martian Logging...
Setting up IPSEC...
Processing /etc/shorewall/rules...
..Expanding Macro /usr/share/shorewall/macro.Ping...
   Rule "REJECT net fw icmp 8 - - - -" added.
..End Macro
   Rule "ACCEPT fw net icmp     " added.
   Rule "DROP net fw tcp 113    " added.
Processing Actions...
   Generating Transitive Closure of Used-action List...
Processing /usr/share/shorewall/action.Drop for Chain Drop...
..Expanding Macro /usr/share/shorewall/macro.Auth...
   Rule "REJECT - - tcp 113 -  -" added.
..End Macro
   Rule "dropBcast       " added.
..Expanding Macro /usr/share/shorewall/macro.AllowICMPs...
   Rule "ACCEPT - - icmp fragmentation-needed -  -" added.
   Rule "ACCEPT - - icmp time-exceeded -  -" added.
..End Macro
   Rule "dropInvalid       " added.
..Expanding Macro /usr/share/shorewall/macro.SMB...
   Rule "DROP - - udp 135,445 -  -" added.
   Rule "DROP - - udp 137:139 -  -" added.
   Rule "DROP - - udp 1024: 137  -" added.
   Rule "DROP - - tcp 135,139,445 -  -" added.
..End Macro
..Expanding Macro /usr/share/shorewall/macro.DropUPnP...
   Rule "DROP - - udp 1900 -  -" added.
..End Macro
   Rule "dropNotSyn - - tcp    " added.
..Expanding Macro /usr/share/shorewall/macro.DropDNSrep...
   Rule "DROP - - udp - 53  -" added.
..End Macro
Processing /usr/share/shorewall/action.Reject for Chain Reject...
..Expanding Macro /usr/share/shorewall/macro.Auth...
   Rule "REJECT - - tcp 113 -  -" added.
..End Macro
   Rule "dropBcast       " added.
..Expanding Macro /usr/share/shorewall/macro.AllowICMPs...
   Rule "ACCEPT - - icmp fragmentation-needed -  -" added.
   Rule "ACCEPT - - icmp time-exceeded -  -" added.
..End Macro
   Rule "dropInvalid       " added.
..Expanding Macro /usr/share/shorewall/macro.SMB...
   Rule "REJECT - - udp 135,445 -  -" added.
   Rule "REJECT - - udp 137:139 -  -" added.
   Rule "REJECT - - udp 1024: 137  -" added.
   Rule "REJECT - - tcp 135,139,445 -  -" added.
..End Macro
..Expanding Macro /usr/share/shorewall/macro.DropUPnP...
   Rule "DROP - - udp 1900 -  -" added.
..End Macro
   Rule "dropNotSyn - - tcp    " added.
..Expanding Macro /usr/share/shorewall/macro.DropDNSrep...
   Rule "DROP - - udp - 53  -" added.
..End Macro
Processing /etc/shorewall/policy...
   Policy ACCEPT for fw to net using chain fw2net
   Policy DROP for net to fw using chain net2all
Setting up Traffic Control Rules...
Validating /etc/shorewall/tcdevices...
Validating /etc/shorewall/tcclasses...
Activating Rules...
Shorewall Started

Par rapport à Patgrisly, j'ai :

Determining Zones...
   IPv4 Zones: net
   Firewall Zone: fw

au lieu de :

IPv4 Zones: Code net

Et

Determining Hosts in Zones...
   net Zone: ppp0:0.0.0.0/0

au lieu de

net Zone: eth0:0.0.0.0/0

Pas de warning chez moi.

Les tests de sécurité en ligne sont maintenant passés avec succès ! Chouette ! tongue
Le plus rigolo dans cette histoire, c'est qu'un copain vient de me filer un routeur ADSL. Je devrais donc changer de type de connexion ! big_smile

Hors ligne

#22 Le 24/06/2006, à 22:36

patgrisly

Re : Guide d'installation et configuration de Shorewall

vinvin a écrit :

Le plus rigolo dans cette histoire, c'est qu'un copain vient de me filer un routeur ADSL. Je devrais donc changer de type de connexion ! big_smile

Ca nous auras permis d'avancer sur la question,je vais encore chercher quoi faire avec ces macros.
Amicalement, patte.

Hors ligne

#23 Le 27/06/2006, à 11:33

Ivan le pas terrible

Re : Guide d'installation et configuration de Shorewall

hello...
comment installer un firewall sans se casser la tête
ben, on suivant ce tuto cool
merci beaucoup

sauf que j'ai le port 808 ouvert avec la config de base
il y a une raison particulière à que ce port reste ouvert ?

#24 Le 27/06/2006, à 12:35

Vinvin2021

Re : Guide d'installation et configuration de Shorewall

Ah ?
C'est bizarre, normalement tous les ports sont invisibles avec la configuration par défaut. Tu as peut-être un message d'erreur lorsque tu lances shorewall ?
Ou alors tu peux ajouter manuellement la ligne suivante à la fin du fichier rules :

DROP    net     $FW     tcp     808

Peut-être faut-il également ajouter celle-ci :

DROP    net     $FW     udp     808

Hors ligne

#25 Le 28/06/2006, à 09:00

Ivan le pas terrible

Re : Guide d'installation et configuration de Shorewall

Vinvin2021 a écrit :

Ah ?
C'est bizarre, normalement tous les ports sont invisibles avec la configuration par défaut. Tu as peut-être un message d'erreur lorsque tu lances shorewall ?

hello
non aucun message particulier

Vinvin2021 a écrit :

Ou alors tu peux ajouter manuellement la ligne suivante à la fin du fichier rules :

DROP    net     $FW     tcp     808

Peut-être faut-il également ajouter celle-ci :

DROP    net     $FW     udp     808

oké : je viens de mettre les 2 règles
j'ai relancé shorewall
relancé ensuite le test de grc.com et il me sort encore que le 808 est ouvert