Shorewall: Difference between revisions
Line 40: | Line 40: | ||
= To get NFS working = | = To get NFS working = | ||
On | On nfs-kernel-server machine: | ||
Edit your /etc/shorewall/rules file like this: | Edit your /etc/shorewall/rules file like this: | ||
<pre> | |||
# Permit NFS | # Permit NFS | ||
ACCEPT net $FW tcp 111 | ACCEPT net $FW tcp 111 | ||
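Review bot: the rule `ACCEPT net $FW tcp 111` (and the matching NFS rules that follow it) opens the portmapper and NFS service to the entire `net` zone, so the server accepts mounts and RPC queries from anywhere on the Internet rather than from known clients only; if the clients are a fixed set, it is worth stating that the SOURCE column should be narrowed to their addresses (Shorewall accepts a `net:address` qualifier there) and keeping the wide-open form for the lab case only.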
Line 50: | Line 50: | ||
ACCEPT net $FW tcp 32765:32767 | ACCEPT net $FW tcp 32765:32767 | ||
ACCEPT net $FW udp 32765:32767 | ACCEPT net $FW udp 32765:32767 | ||
</pre> | |||
On nfs-common machine: | |||
<pre> | |||
# Permit NFS | |||
ACCEPT $FW loc tcp 111 | |||
ACCEPT $FW loc udp 111 | |||
ACCEPT $FW loc udp 2049 | |||
ACCEPT $FW loc tcp 2049 | |||
ACCEPT $FW loc tcp 32765:32767 | |||
ACCEPT $FW loc udp 32765:32767 | |||
</pre> | |||
/etc/default/nfs-common: | /etc/default/nfs-common: | ||
<pre> | |||
STATDOPTS="-p 32765 -o 32766" | STATDOPTS="-p 32765 -o 32766" | ||
</pre> | |||
/etc/default/nfs-kernel-server: | |||
<pre> | |||
RPCMOUNTDOPTS="-p 32767" | |||
</pre> | |||
/etc/ | Make sure in your /etc/services you have the following | ||
<pre> | |||
nfs 2049/tcp # Network File System nfs 2049/udp # Network File System | |||
</pre> | |||
== old system == | |||
The change to /etc/services isn't necessary at all. It just helps produces a nice (sensible) output from netstat -tl on the NFS server. | The change to /etc/services isn't necessary at all. It just helps produces a nice (sensible) output from netstat -tl on the NFS server. | ||
<pre> | |||
# /etc/services | # /etc/services | ||
# NFS ports as per the NFS-HOWTO | # NFS ports as per the NFS-HOWTO | ||
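Review bot: the new text "Make sure in your /etc/services you have the following" presents the `/etc/services` entries as a requirement, while the sentence right under the added "old system" heading says the change "isn't necessary at all" and only tidies `netstat -tl` output; the two statements should agree (for instance "optionally add the following to /etc/services so netstat shows service names"), and the heading should say which system or version "old system" refers to, since as written it has no referent.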
Line 77: | Line 96: | ||
rpc.quotad 32769/tcp # RPC quotad | rpc.quotad 32769/tcp # RPC quotad | ||
rpc.quotad 32769/udp # RPC quotad | rpc.quotad 32769/udp # RPC quotad | ||
</pre> | |||
/etc/default/quota | /etc/default/quota | ||
<pre> | |||
RPCRQUOTADOPTS="-p 32769" | RPCRQUOTADOPTS="-p 32769" | ||
</pre> | |||
You can check which ports are being used with | You can check which ports are being used with | ||
<pre> | |||
rpcinfo -p | rpcinfo -p | ||
</pre> | |||
= Single NIC Machine = | = Single NIC Machine = |
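Review bot: `RPCRQUOTADOPTS="-p 32769"` pins rquotad to 32769, but the rules in the Line 50 hunk accept only `32765:32767`, so quota queries over NFS would be blocked by the firewall even though the daemon is deliberately placed on a fixed port; either extend the accepted range to cover 32769 or state that the quota entry is informational and the daemon is not expected to be reachable.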
Revision as of 10:35, 13 May 2013
2 NIC machine
In /usr/share/doc/shorewall/examples/two-interfaces, make the following edits to the files listed below, then copy them to /etc/shorewall.
rules
<pre>
SNMP(ACCEPT) loc $FW
# Public services
ACCEPT net fw tcp smtp
ACCEPT net fw tcp pop3
# 143 is for IMAP
ACCEPT net fw tcp 143
ACCEPT net fw tcp ssh
FTP/ACCEPT net fw
ACCEPT net fw tcp domain
ACCEPT net fw udp domain
ACCEPT net fw tcp http
ACCEPT net fw tcp https
ACCEPT net fw tcp snmp
ACCEPT net fw udp snmp
# X11 forwarding
ACCEPT fw loc tcp x11
ACCEPT fw loc udp x11
</pre>
Just copy the following files to /etc/shorewall/:
<pre>
interfaces
masq
policy
routestopped
zones
</pre>
/etc/default/shorewall:
<pre>
startup=1
</pre>
To get NFS working
On the nfs-kernel-server machine, edit your /etc/shorewall/rules file like this:
<pre>
# Permit NFS
ACCEPT net $FW tcp 111
ACCEPT net $FW udp 111
ACCEPT net $FW udp 2049
ACCEPT net $FW tcp 2049
ACCEPT net $FW tcp 32765:32767
ACCEPT net $FW udp 32765:32767
</pre>
On the nfs-common machine:
<pre>
# Permit NFS
ACCEPT $FW loc tcp 111
ACCEPT $FW loc udp 111
ACCEPT $FW loc udp 2049
ACCEPT $FW loc tcp 2049
ACCEPT $FW loc tcp 32765:32767
ACCEPT $FW loc udp 32765:32767
</pre>
/etc/default/nfs-common:
<pre>
STATDOPTS="-p 32765 -o 32766"
</pre>
/etc/default/nfs-kernel-server:
<pre>
RPCMOUNTDOPTS="-p 32767"
</pre>
Make sure your /etc/services contains the following:
<pre>
nfs 2049/tcp # Network File System
nfs 2049/udp # Network File System
</pre>
old system
The change to /etc/services isn't necessary at all. It just helps produce nice (sensible) output from netstat -tl on the NFS server.
<pre>
# /etc/services
# NFS ports as per the NFS-HOWTO
# http://www.tldp.org/HOWTO/NFS-HOWTO/security.html#FIREWALLS
# Listing here does not mean they will bind to these ports.
rpc.nfsd 2049/tcp # RPC nfsd
rpc.nfsd 2049/udp # RPC nfsd
rpc.statd-bc 32765/tcp # RPC statd broadcast
rpc.statd-bc 32765/udp # RPC statd broadcast
rpc.statd 32766/tcp # RPC statd listen
rpc.statd 32766/udp # RPC statd listen
rpc.mountd 32767/tcp # RPC mountd
rpc.mountd 32767/udp # RPC mountd
rpc.lockd 32768/tcp # RPC lockd/nlockmgr
rpc.lockd 32768/udp # RPC lockd/nlockmgr
rpc.quotad 32769/tcp # RPC quotad
rpc.quotad 32769/udp # RPC quotad
</pre>
/etc/default/quota:
<pre>
RPCRQUOTADOPTS="-p 32769"
</pre>
You can check which ports are actually in use with:
<pre>
rpcinfo -p
</pre>
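Pinning the daemons to fixed ports only helps if the firewall range really covers every port they end up on, and rpcinfo -p is the place to confirm that. The script below is an added example, not part of the wiki page or of Shorewall itself: it reads a Shorewall rules fragment and rpcinfo -p output and prints every RPC service that is listening on a protocol/port no ACCEPT rule permits. The rpcinfo sample is constructed (it is not captured from a real host) and deliberately has lockd on 32768, just outside the page's 32765:32767 range, so the mismatch shows up; the function name unpermitted_rpc_ports is this example's own.

```shell
#!/bin/sh
# Added example, not from the wiki page: cross-check the ports that
# `rpcinfo -p` reports against the ACCEPT entries of a Shorewall rules file
# and list every RPC service bound to a protocol/port the rules do not permit.

# Constructed sample in the layout `rpcinfo -p` prints (not captured from a
# real host): statd and mountd sit on the pinned ports from the page, while
# lockd (nlockmgr) has landed on 32768, outside the page's 32765:32767 range.
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100003    3   tcp   2049  nfs
    100003    3   udp   2049  nfs
    100005    3   tcp  32767  mountd
    100005    3   udp  32767  mountd
    100024    1   tcp  32766  status
    100024    1   udp  32766  status
    100021    4   tcp  32768  nlockmgr
    100021    4   udp  32768  nlockmgr'

# The nfs-kernel-server rules from the page, used as the rules input.
SAMPLE_RULES='# Permit NFS
ACCEPT net $FW tcp 111
ACCEPT net $FW udp 111
ACCEPT net $FW udp 2049
ACCEPT net $FW tcp 2049
ACCEPT net $FW tcp 32765:32767
ACCEPT net $FW udp 32765:32767'

# unpermitted_rpc_ports RULES_TEXT RPCINFO_TEXT
# Prints "proto port service" for each rpcinfo entry whose protocol/port is
# not covered by an ACCEPT rule (single port or low:high range) in RULES_TEXT.
# Prints nothing when every listening RPC port is permitted.
unpermitted_rpc_ports() {
    printf '%s\n' "$1" '---RPCINFO---' "$2" | awk '
        BEGIN { section = 0; rules_n = 0 }
        /^---RPCINFO---$/ { section = 1; next }
        # Rules part: remember protocol and port range of each ACCEPT line
        # (columns: ACTION SOURCE DEST PROTO DPORT).
        section == 0 && $1 == "ACCEPT" && NF >= 5 {
            n = split($5, r, ":")
            rules_n++
            rproto[rules_n] = $4
            rlo[rules_n] = r[1] + 0
            rhi[rules_n] = (n == 2 ? r[2] : r[1]) + 0
            next
        }
        # rpcinfo part: skip the header row, test each numbered program line
        # (columns: program vers proto port service).
        section == 1 && $1 ~ /^[0-9]+$/ {
            port = $4 + 0
            ok = 0
            for (i = 1; i <= rules_n; i++)
                if (rproto[i] == $3 && port >= rlo[i] && port <= rhi[i]) ok = 1
            if (!ok) print $3, port, $5
        }'
}

# Runs against the constructed sample; on a real NFS server the same check is
#   unpermitted_rpc_ports "$(cat /etc/shorewall/rules)" "$(rpcinfo -p)"
unpermitted_rpc_ports "$SAMPLE_RULES" "$SAMPLE_RPCINFO"
```

With the sample input the function reports `tcp 32768 nlockmgr` and `udp 32768 nlockmgr`; once the lockd port is either moved into the 32765:32767 range or added to the rules, the report is empty. Run it after every change to the pinned ports or to the rules file, because a daemon that silently picks a different port at the next reboot is exactly the failure this guards against.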
Single NIC Machine
/etc/default/shorewall:
<pre>
startup=1
</pre>
In /usr/share/doc/shorewall-common/default-config, make the following edits to the files listed below, then copy them to /etc/shorewall.
interfaces
<pre>
net eth1 82.94.91.79
</pre>
modules
(no edits)
policy
<pre>
fw net ACCEPT
net all DROP info
all all REJECT info
</pre>
NB: to reduce logging, replace 'info' with 'crit' or 'err', or remove it entirely.
rules (under SECTION NEW)
<pre>
ACCEPT net fw tcp smtp
ACCEPT net fw tcp pop3
ACCEPT net fw tcp ssh
FTP/ACCEPT net fw
ACCEPT net fw tcp domain
ACCEPT net fw udp domain
ACCEPT fw net udp domain
ACCEPT net fw tcp http
ACCEPT fw net tcp http
ACCEPT net fw tcp https
ACCEPT net fw tcp snmp
ACCEPT fw net tcp snmp
ACCEPT net fw udp snmp
ACCEPT fw net udp snmp
ACCEPT net fw tcp 143
ACCEPT net fw udp 143
</pre>
start
<pre>
dmesg -n5
</pre>
zones (add the net line above the existing "fw firewall" line)
<pre>
net ipv4
</pre>