Chip 2007 January, February, March & April

home *** CD-ROM | disk | FTP | other *** search

/ Chip 2007 January, February, March & April / Chip-Cover-CD-2007-02.iso / Pakiet bezpieczenstwa / mini Pentoo LiveCD 2006.1 / mpentoo-2006.1.iso / livecd.squashfs / etc / firehol / examples / server-dmz.conf < prev

Wrap

Text File | 2005-10-18 | 3KB | 113 lines

# # $Id: server-dmz.conf,v 1.2 2003/01/07 02:03:09 ktsaou Exp $ # # CASE: # Configuration file for a dual path server. # # The first network interface is connected to the internet to accept # requests for services running on this server. # # The second network interface is connected to a private LAN, through # which a number of similar servers communicate with each other. # # The server will only be allowed to accept and send specific traffic # matching the servers and clients defined. version 5 # ---------------------------------------------------------------------- # The Ethernet interface this server is connected to the Internet. # You can use more than one (space separated) and if your server # has many aliases for the same interface, you can use the plus sign # to match them all (e.g. eth0+). internet_interface="eth0+" # Enter here all the IPs your server accepts requests from the internet. # This variable accepts a space separated list of IPs, hostnames, etc. # You can leave this empty if you don't want to restrict the IPs traffic # was targeting. internet_ips="" # The servers you wish to run on the internet side of this host. internet_servers="http smtp" # The clients you wish to run on the internet side of this host. internet_clients="dns" # At what frequency to accept requests from the internet? internet_requests="100/sec" # ---------------------------------------------------------------------- # Similar to the internet_interface, but this time for the private one. private_interface="eth1+" # Similar to the internet_ips, but this time for the private. private_ips="" # The address space of all the servers this host might communicate with, # in the private LAN. # Leaving this empty will not check the IPs of the private LAN. private_subnet="" # The servers you wish to run on the private side of this host. private_servers="ssh" # The clients you wish to run on the private side of this host. private_clients="http dns icmp" # At what frequency to accept requests from the private LAN? private_requests="20/sec" # ---------------------------------------------------------------------- # Normally, you don't have to edit anything bellow. # ---------------------------------------------------------------------- # A trick that adds "dst" in front of internet_ips only if it is not # empty. Otherwise, this does nothing. unset internet_params test ! -z "${internet_ips}" && internet_params=(dst "${internet_ips}") # Internet interface interface "${internet_interface}" internet \ src not "${UNROUTABLE_IPS}" "${internet_params[@]}" protection strong ${internet_requests} # The internet servers server "${internet_servers}" accept # The internet clients client "${internet_clients}" accept # Speed up idents by rejecting them server ident reject with tcp-reset # ---------------------------------------------------------------------- # Fix also the parameters for the private network. unset private_params test ! -z "${private_subnet}" && private_params=(src "${private_subnet}") unset private_params2 test ! -z "${private_ips}" && private_params2=(dst "${private_ips}") # Private interface interface "${private_interface}" private \ "${private_params[@]}" "${private_params2[@]}" protection strong ${private_requests} # The private servers server "${private_servers}" accept # The private clients client "${private_clients}" accept # Speed up idents by rejecting them server ident reject with tcp-reset