V. Config files
21. Configuration Files
a. kickstart fw-01: fw-01.cfg
# Kickstart for fw-01
# LFA 13 Feb 2010
#
# Unattended text-mode install of firewall node fw-01 (heartbeat/conntrackd
# peer of fw-02).  Addressing matches /etc/hosts; fw-02 uses the same file
# with .12 addresses.
#
install
text
lang en_US.iso88591
#keyboard la-latin1
#keyboard us
#keyboard us-acentos
# Root password hash kept commented out, so the installer should ask for the
# password interactively (confirm on this anaconda version).  The hash on the
# next line is published with this document and must not be re-enabled as-is.
#rootpw --iscrypted $1$WsA6OJke$53tSRFT.Ml7J/DwkWGt.P0
# NOTE(review): neither the installer's lokkit rules nor SELinux protect this
# host; the packet filter presumably comes from the cluster's own iptables
# policy (see firewall_down.sh / firewall_ls.sh), which has to be loaded
# before eth1 faces the outside.
firewall --disabled
# Shadow passwords with MD5 hashes; --passalgo=sha512 is preferable where the
# installer supports it.
authconfig --enableshadow --enablemd5
selinux --disabled
#timezone America/Santiago
#
# Interfaces (names for these addresses are in /etc/hosts):
#   eth0  192.168.100.0/24  management LAN, resolver is dns-01 (.31)
#   eth1  200.201.202.0/28  outside, default gateway gw-01 (.1)
#   eth2  192.168.150.0/24  DMZ (mail-01, web-01)
#   eth3  192.168.255.0/24  dedicated sync link (heartbeat ucast, conntrackd multicast)
network --device eth0 --bootproto static --ip 192.168.100.11 --netmask 255.255.255.0 --nameserver 192.168.100.31 --hostname fw-01
network --device eth1 --bootproto static --ip 200.201.202.11 --netmask 255.255.255.240 --gateway 200.201.202.1
network --device eth2 --bootproto static --ip 192.168.150.11 --netmask 255.255.255.0
network --device eth3 --bootproto static --ip 192.168.255.11 --netmask 255.255.255.0
#
# Whole-disk layout: swap plus one ext3 root that grows to fill sda.
# NOTE(review): no "bootloader --password", so anyone at the console can edit
# the kernel command line; worth setting on a firewall.
clearpart --all
bootloader --location=mbr --driveorder=sda
# 1 GB swap
part swap --size=1000 --asprimary
part / --fstype ext3 --size=10 --asprimary --grow
#
reboot
#
%packages
@base
@core
@editors
@mail-server
@text-internet
# Extras: traffic monitor, SNMP client utilities, ntp, sysstat, and xauth
# for the X11 forwarding that sshd_config enables.
iptraf
ftp
hwbrowser
net-snmp-utils
ntp
sysstat
system-config-date
system-config-language
system-config-lvm
vim-common
vim-enhanced
vim-minimal
wget
x86info
xorg-x11-xauth
# Removed from the groups above: recon/capture tools (nmap, tcpdump), remote
# desktop and file-sharing clients (vnc, samba-client) and services this node
# must not run (squid, mysql, dovecot, nfs-utils, ypbind, yum-updatesd).
-amtu
-autofs
-bluez-gnome
-bluez-hcidump
-bluez-libs
-bluez-utils
-conman
-coolkey
-cpuspeed
-crash
-Deployment_Guide-en-US
-dhcpv6-client
-dosfstools
-dovecot
-fetchmail
-finger
-firstboot
-firstboot-tui
-httpd-manual
-irda-utils
-jwhois
-mcelog
-mkbootdisk
-mysql
-nfs-utils
-nmap
-pcmciautils
-rp-pppoe
-samba-client
-spamassassin
-squid
-sysreport
-system-config-keyboard
-system-config-network
-system-config-network-tui
-talk
-tcpdump
-tux
-vnc
-webalizer
-words
-ypbind
-yp-tools
-yum-updatesd
#
b. kickstart fw-02: fw-02.cfg
# Kickstart for fw-02
# LFA 13 Feb 2010
#
# Unattended text-mode install of firewall node fw-02 (heartbeat/conntrackd
# peer of fw-01).  Identical to fw-01.cfg except for the .12 addresses and
# the hostname; keep the two files in step.
#
install
text
lang en_US.iso88591
#keyboard la-latin1
#keyboard us
#keyboard us-acentos
# Root password hash kept commented out, so the installer should ask for the
# password interactively (confirm on this anaconda version).  The hash on the
# next line is published with this document and must not be re-enabled as-is.
#rootpw --iscrypted $1$WsA6OJke$53tSRFT.Ml7J/DwkWGt.P0
# NOTE(review): neither the installer's lokkit rules nor SELinux protect this
# host; the packet filter presumably comes from the cluster's own iptables
# policy (see firewall_down.sh / firewall_ls.sh), which has to be loaded
# before eth1 faces the outside.
firewall --disabled
# Shadow passwords with MD5 hashes; --passalgo=sha512 is preferable where the
# installer supports it.
authconfig --enableshadow --enablemd5
selinux --disabled
#timezone America/Santiago
#
# Interfaces (names for these addresses are in /etc/hosts):
#   eth0  192.168.100.0/24  management LAN, resolver is dns-01 (.31)
#   eth1  200.201.202.0/28  outside, default gateway gw-01 (.1)
#   eth2  192.168.150.0/24  DMZ (mail-01, web-01)
#   eth3  192.168.255.0/24  dedicated sync link (heartbeat ucast, conntrackd multicast)
network --device eth0 --bootproto static --ip 192.168.100.12 --netmask 255.255.255.0 --nameserver 192.168.100.31 --hostname fw-02
network --device eth1 --bootproto static --ip 200.201.202.12 --netmask 255.255.255.240 --gateway 200.201.202.1
network --device eth2 --bootproto static --ip 192.168.150.12 --netmask 255.255.255.0
network --device eth3 --bootproto static --ip 192.168.255.12 --netmask 255.255.255.0
#
# Whole-disk layout: swap plus one ext3 root that grows to fill sda.
# NOTE(review): no "bootloader --password", so anyone at the console can edit
# the kernel command line; worth setting on a firewall.
clearpart --all
bootloader --location=mbr --driveorder=sda
# 1 GB swap
part swap --size=1000 --asprimary
part / --fstype ext3 --size=10 --asprimary --grow
#
reboot
#
%packages
@base
@core
@editors
@mail-server
@text-internet
# Extras: traffic monitor, SNMP client utilities, ntp, sysstat, and xauth
# for the X11 forwarding that sshd_config enables.
iptraf
ftp
hwbrowser
net-snmp-utils
ntp
sysstat
system-config-date
system-config-language
system-config-lvm
vim-common
vim-enhanced
vim-minimal
wget
x86info
xorg-x11-xauth
# Removed from the groups above: recon/capture tools (nmap, tcpdump), remote
# desktop and file-sharing clients (vnc, samba-client) and services this node
# must not run (squid, mysql, dovecot, nfs-utils, ypbind, yum-updatesd).
-amtu
-autofs
-bluez-gnome
-bluez-hcidump
-bluez-libs
-bluez-utils
-conman
-coolkey
-cpuspeed
-crash
-Deployment_Guide-en-US
-dhcpv6-client
-dosfstools
-dovecot
-fetchmail
-finger
-firstboot
-firstboot-tui
-httpd-manual
-irda-utils
-jwhois
-mcelog
-mkbootdisk
-mysql
-nfs-utils
-nmap
-pcmciautils
-rp-pppoe
-samba-client
-spamassassin
-squid
-sysreport
-system-config-keyboard
-system-config-network
-system-config-network-tui
-talk
-tcpdump
-tux
-vnc
-webalizer
-words
-ypbind
-yp-tools
-yum-updatesd
#
c. kickstart fw-console: fw-console.cfg
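# Kickstart for fw-console
# LFA 13 Feb 2010
#
# Unattended text-mode install of fw-console, the management host of the
# cluster: the firewall nodes forward syslog to it, take time from it, and
# admit SSH/SNMP from it (see their hosts.allow, syslog.conf and ntp.conf).
# Single interface on the management LAN.
#
install
text
lang en_US.iso88591
#keyboard la-latin1
# Root password hash kept commented out, so the installer should ask for the
# password interactively (confirm on this anaconda version).  The hash on the
# next line is published with this document and must not be re-enabled as-is.
#rootpw --iscrypted $1$WsA6OJke$53tSRFT.Ml7J/DwkWGt.P0
# NOTE(review): neither the installer's lokkit rules nor SELinux protect this
# host, and it receives syslog on UDP 514 from the nodes (see
# /etc/sysconfig/syslog); a local packet filter limiting that to fw-01/fw-02
# is advisable.
firewall --disabled
# Shadow passwords with MD5 hashes; --passalgo=sha512 is preferable where the
# installer supports it.
authconfig --enableshadow --enablemd5
selinux --disabled
#timezone America/Santiago
#
# Fixed: the address was 192.168.100.11, which is fw-01's (it would have
# clashed with it); /etc/hosts, the nodes' hosts.allow, snmpd.conf and
# ntp.conf all place fw-console at .13.  Default gateway is the cluster VIP
# fw-cluster (.10), resolver dns-01 (.31).
network --device eth0 --bootproto static --ip 192.168.100.13 --netmask 255.255.255.0 --gateway 192.168.100.10 --nameserver 192.168.100.31 --hostname fw-console
#
# Whole-disk layout: swap plus one ext3 root that grows to fill sda.
# NOTE(review): no "bootloader --password", so anyone at the console can edit
# the kernel command line.
clearpart --all
bootloader --location=mbr --driveorder=sda
# 1 GB swap
part swap --size=1000 --asprimary
part / --fstype ext3 --size=10 --asprimary --grow
#
reboot
#
%packages
@base
@core
@editors
@mail-server
@text-internet
# Extras: traffic monitor, SNMP client utilities (this host polls the nodes),
# ntp, sysstat, and xauth for the X11 forwarding that sshd_config enables.
iptraf
ftp
hwbrowser
net-snmp-utils
ntp
sysstat
system-config-date
system-config-language
system-config-lvm
vim-common
vim-enhanced
vim-minimal
wget
x86info
xorg-x11-xauth
# Removed from the groups above: recon/capture tools (nmap, tcpdump), remote
# desktop and file-sharing clients (vnc, samba-client) and services this host
# must not run (squid, mysql, dovecot, nfs-utils, ypbind, yum-updatesd).
-amtu
-autofs
-bluez-gnome
-bluez-hcidump
-bluez-libs
-bluez-utils
-conman
-coolkey
-cpuspeed
-crash
-Deployment_Guide-en-US
-dhcpv6-client
-dosfstools
-dovecot
-fetchmail
-finger
-firstboot
-firstboot-tui
-httpd-manual
-irda-utils
-jwhois
-mcelog
-mkbootdisk
-mysql
-nfs-utils
-nmap
-pcmciautils
-rp-pppoe
-samba-client
-spamassassin
-squid
-sysreport
-system-config-keyboard
-system-config-network
-system-config-network-tui
-talk
-tcpdump
-tux
-vnc
-webalizer
-words
-ypbind
-yp-tools
-yum-updatesd
#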
d. /etc/hosts
#
# Static name resolution shared by all cluster members.  The first two
# entries are the stock loopback lines.
::1 localhost6.localdomain6 localhost6
#
127.0.0.1 localhost.localdomain localhost
#
# 192.168.100.0/24 - management LAN (eth0 on the nodes).  .10 is the
# heartbeat-managed VIP from haresources, .11/.12 the node addresses, .13 the
# console, .120 the admin workstation, .31/.32 the DNS and database servers.
192.168.100.10 fw-cluster
192.168.100.11 fw-01
192.168.100.12 fw-02
192.168.100.13 fw-console
192.168.100.120 pc-01
192.168.100.31 dns-01
192.168.100.32 db-01
#
# 192.168.150.0/24 - DMZ (eth2); .10 is the DMZ-side VIP.
192.168.150.10 fw-cluster-dmz
192.168.150.11 fw-01-dmz
192.168.150.12 fw-02-dmz
192.168.150.21 mail-01
192.168.150.22 web-01
#
# 192.168.255.0/24 - dedicated sync link (eth3) for heartbeat and conntrackd.
192.168.255.11 fw-01-sync
192.168.255.12 fw-02-sync
#
# 200.201.202.0/28 - outside (eth1); .1 is the upstream router used as
# default gateway, .10 the outside VIP.
200.201.202.1 gw-01
200.201.202.10 fw-cluster-out
200.201.202.11 fw-01-out
200.201.202.12 fw-02-out
#
e. /etc/hosts.allow (fw-console)
#
# TCP-wrappers allow list for fw-console.
# NOTE(review): hosts.allow only covers wrapped services and only becomes a
# restriction when /etc/hosts.deny (not shown here) ends with "ALL: ALL";
# without that deny rule these lines limit nothing.
ALL: localhost
#
# Interactive SSH only from the admin workstation pc-01.
sshd: 192.168.100.120
#
# Mail relay from the two firewall nodes (fw-01, fw-02).
sendmail: 192.168.100.11
sendmail: 192.168.100.12
#
f. /etc/hosts.allow (fw-01, fw-02)
#
# TCP-wrappers allow list for the firewall nodes fw-01 and fw-02.
# NOTE(review): hosts.allow only covers wrapped services and only becomes a
# restriction when /etc/hosts.deny (not shown here) ends with "ALL: ALL";
# without that deny rule these lines limit nothing.
ALL: localhost
#
# SSH from fw-console (.100.13), the admin workstation pc-01 (.100.120) and
# the peer node over the sync link (.255.11 / .255.12).
sshd: 192.168.100.13
sshd: 192.168.100.120
sshd: 192.168.255.11
sshd: 192.168.255.12
#
# SNMP polling only from fw-console.  snmpd.conf also maps pc-01 (.120) to
# the read-only community, which this list does not admit; whether snmpd
# honours hosts.allow at all depends on it being built with tcp-wrappers
# support - confirm.
snmpd: 192.168.100.13
#
g. /etc/snmp/snmpd.conf
# net-snmp agent configuration for the firewall nodes.
#
# NOTE(review): v1/v2c communities travel in clear text, the same community
# string is reused for the read-write (local) and read-only (cacti) mappings,
# and it is published with this document - treat it as compromised: use
# distinct strings per group, or SNMPv3 (usm) with authentication.
#
# Requests from the loopback map to the read-write group.
com2sec local localhost Ro987dfG
com2sec local 127.0.0.1 Ro987dfG
group MyRWGroup v1 local
group MyRWGroup v2c local
group MyRWGroup usm local
# Pollers fw-console (.13) and pc-01 (.120) map to the read-only group.
com2sec cacti 192.168.100.13 Ro987dfG
com2sec cacti 192.168.100.120 Ro987dfG
group MyROGroup v1 cacti
group MyROGroup v2c cacti
group MyROGroup usm cacti
# "all" is the whole tree; the trailing 80 is the subtree mask field.
view all included .1 80
# Read-only group: read the whole tree, no write, no notify.
access MyROGroup "" any noauth exact all none none
# Read-write group (loopback only): read and write the whole tree.
access MyRWGroup "" any noauth exact all all none
# roview/rwview below are referenced only by notConfigGroup, which is not
# defined anywhere in this file - presumably left over from the stock
# configuration and currently inert.
view roview included .1
view rwview included system.sysContact
view rwview included system.sysName
view rwview included system.sysLocation
view rwview included interfaces.ifTable.ifEntry.ifAdminStatus
view rwview included at.atTable.atEntry.atPhysAddress
view rwview included at.atTable.atEntry.atNetAddress
view rwview included ip.ipForwarding
view rwview included ip.ipDefaultTTL
view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteDest
view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteIfIndex
view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteMetric1
view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteMetric2
view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteMetric3
view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteMetric4
view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteType
view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteAge
view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteMask
view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteMetric5
view rwview included ip.ipNetToMediaTable.ipNetToMediaEntry.ipNetToMediaIfIndex
view rwview included ip.ipNetToMediaTable.ipNetToMediaEntry.ipNetToMediaPhysAddress
view rwview included ip.ipNetToMediaTable.ipNetToMediaEntry.ipNetToMediaNetAddress
view rwview included ip.ipNetToMediaTable.ipNetToMediaEntry.ipNetToMediaType
view rwview included tcp.tcpConnTable.tcpConnEntry.tcpConnState
view rwview included egp.egpNeighTable.egpNeighEntry.egpNeighEventTrigger
view rwview included snmp.snmpEnableAuthenTraps
access notConfigGroup "" any noauth exact roview rwview none
# The .4413.4.1 subtree is served by an external script (pass-through).
pass .1.3.6.1.4.1.4413.4.1 /usr/bin/ucd5820stat
# SMUX sub-agent registration for the .674.10892.1 subtree.
smuxpeer .1.3.6.1.4.1.674.10892.1
h. /etc/ssh/sshd_config
# OpenSSH daemon settings (stock RHEL-style file with a few changes).
Protocol 2
SyslogFacility AUTHPRIV
# Root cannot log in directly; admins come in as fwadmin and escalate.
PermitRootLogin no
# NOTE(review): password logins remain enabled; hosts.allow narrows the
# sources, but key-only authentication would be the safer default on a
# firewall node.
PasswordAuthentication yes
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UsePAM yes
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL
# X11 forwarding is on; the kickstart keeps xorg-x11-xauth for this.
X11Forwarding yes
Banner /etc/issue.net
Subsystem sftp /usr/libexec/openssh/sftp-server
# Only these accounts may authenticate.  "root" here is contradicted by
# PermitRootLogin no above (harmless, but one of the two should go).
AllowUsers root fwadmin
#
i. /etc/ssh/ssh_config
# OpenSSH client defaults for every destination.
Host *
Protocol 2
GSSAPIAuthentication yes
# NOTE(review): trusted X11 forwarding to every host lets a remote X client
# act with full rights on the local display (ssh_config(5)); prefer
# "ForwardX11Trusted no" globally and enable it per Host where needed.
ForwardX11Trusted yes
SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
SendEnv LC_IDENTIFICATION LC_ALL
j. /etc/ha.d/ha.cf (fw-01)
# Heartbeat configuration for fw-01 (peer: fw-02).
# Timers in seconds: heartbeat every 2, peer declared dead after 20, warn at
# 15, and a longer grace period (120) for the first start after boot.
keepalive 2
deadtime 20
warntime 15
initdead 120
# Heartbeats on UDP 694, unicast to the peer over all three shared links;
# presumably so that a single failed link does not look like a dead peer.
udpport 694
ucast eth0 192.168.100.12
ucast eth2 192.168.150.12
ucast eth3 192.168.255.12
# Resources return to their preferred node once it is back.
auto_failback on
node fw-01
node fw-02
use_logd yes
# NOTE(review): a bare "crm" directive.  If this turns CRM mode on, heartbeat
# ignores /etc/ha.d/haresources (where the VIPs and primary-backup.sh are
# declared); confirm the intended mode and spell it out (crm on / crm off).
crm
k. /etc/ha.d/ha.cf (fw-02)
# Heartbeat configuration for fw-02 (peer: fw-01).  Same as fw-01's file
# except for the peer addresses and a slightly longer initdead (135).
keepalive 2
deadtime 20
warntime 15
initdead 135
# Heartbeats on UDP 694, unicast to the peer over all three shared links;
# presumably so that a single failed link does not look like a dead peer.
udpport 694
ucast eth0 192.168.100.11
ucast eth2 192.168.150.11
ucast eth3 192.168.255.11
# Resources return to their preferred node once it is back.
auto_failback on
node fw-01
node fw-02
use_logd yes
# NOTE(review): a bare "crm" directive.  If this turns CRM mode on, heartbeat
# ignores /etc/ha.d/haresources (where the VIPs and primary-backup.sh are
# declared); confirm the intended mode and spell it out (crm on / crm off).
crm
l. /etc/ha.d/haresources
# Heartbeat resource group with fw-01 as preferred owner.  The three VIPs
# (management, outside, DMZ) move together, and primary-backup.sh is
# started/stopped with them so conntrackd commits or re-arms its caches on
# the same transition (the script accepts start/stop as aliases of
# primary/backup).
# NOTE(review): the backslash-continued lines form one logical line - do not
# put comments between them.  If ha.cf runs in CRM mode this file is ignored
# altogether; confirm.
fw-01 \
IPaddr::192.168.100.10/24/eth0 \
IPaddr::200.201.202.10/28/eth1 \
IPaddr::192.168.150.10/24/eth2 \
primary-backup.sh
m. /etc/ha.d/authkeys
# Heartbeat message authentication: method 3 below is md5 with the shared
# key that follows; both nodes carry the same file.  Heartbeat expects this
# file to be root-owned and mode 0600.
# NOTE(review): the key is published with this document - generate a fresh
# one before reuse, and prefer the sha1 method over md5.
auth 3
3 md5 0980ADFooqw888
n. /etc/logd.cf
# Heartbeat logging daemon (use_logd yes in ha.cf): everything goes to
# /var/log/ha-log; the debug file and the syslog facility are left disabled.
# Note that ha-log is not in the logrotate list for syslog shown elsewhere
# in this document - presumably rotated separately, confirm.
#debugfile /var/log/ha-debug
logfile /var/log/ha-log
#logfacility daemon
#entity logd
#useapphbd no
#sendqlen 256
#recvqlen 256
o. /etc/conntrackd/conntrackd.conf (fw-01)
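# conntrackd configuration for fw-01: replicate connection-tracking state to
# fw-02 over the dedicated eth3 sync link.
Sync {
# ALARM mode: the internal cache is periodically resent (RefreshTime) and
# stale remote entries expire after CacheTimeout; there is no explicit
# resync on failover, which is why primary-backup.sh notes that "-n" does
# nothing in this mode.
Mode ALARM {
RefreshTime 15
CacheTimeout 180
}
# NOTE(review): multicast replication is neither authenticated nor
# encrypted; "Checksum on" only catches corruption.  Safety rests on eth3
# being a physically isolated point-to-point link between the two nodes.
Multicast { # local dedicated IP on sync network
IPv4_address 225.0.0.50
Group 3780
IPv4_interface 192.168.255.11
Interface eth3
McastSndSocketBuffer 1249280
McastRcvSocketBuffer 1249280
Checksum on
}
}
General {
Nice -20
HashSize 32768
HashLimit 131072
LogFile on
LockFile /var/lock/conntrack.lock
# Control socket used by conntrackd.init and primary-backup.sh (-s, -k, -t, ...).
UNIX {
Path /var/run/conntrackd.ctl
Backlog 20
}
NetlinkBufferSize 2097152
NetlinkBufferSizeMaxGrowth 8388608
Filter From Userspace {
Protocol Accept {
TCP
SCTP
DCCP
}
# Flows terminating on this node's own addresses or on the cluster VIPs are
# not replicated (they are meaningless on the peer).
Address Ignore { # all local IP and vIP
IPv4_address 127.0.0.1
IPv4_address 192.168.100.11
IPv4_address 192.168.150.11
# Fixed: the outside address is 200.201.202.11 (eth1 in fw-01.cfg,
# fw-01-out in /etc/hosts) and the outside VIP 200.201.202.10 (haresources);
# the previous 200.201.201.x entries matched nothing local, so flows to the
# outside address and VIP were being replicated.
IPv4_address 200.201.202.11
IPv4_address 192.168.255.11
IPv4_address 192.168.100.10
IPv4_address 192.168.150.10
IPv4_address 200.201.202.10
}
}
}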
p. /etc/conntrackd/conntrackd.conf (fw-02)
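# conntrackd configuration for fw-02: replicate connection-tracking state to
# fw-01 over the dedicated eth3 sync link.  Mirror of fw-01's file with the
# .12 node addresses.
Sync {
# ALARM mode: the internal cache is periodically resent (RefreshTime) and
# stale remote entries expire after CacheTimeout; there is no explicit
# resync on failover, which is why primary-backup.sh notes that "-n" does
# nothing in this mode.
Mode ALARM {
RefreshTime 15
CacheTimeout 180
}
# NOTE(review): multicast replication is neither authenticated nor
# encrypted; "Checksum on" only catches corruption.  Safety rests on eth3
# being a physically isolated point-to-point link between the two nodes.
Multicast { # local dedicated IP on sync network
IPv4_address 225.0.0.50
Group 3780
IPv4_interface 192.168.255.12
Interface eth3
McastSndSocketBuffer 1249280
McastRcvSocketBuffer 1249280
Checksum on
}
}
General {
Nice -20
HashSize 32768
HashLimit 131072
LogFile on
LockFile /var/lock/conntrack.lock
# Control socket used by conntrackd.init and primary-backup.sh (-s, -k, -t, ...).
UNIX {
Path /var/run/conntrackd.ctl
Backlog 20
}
NetlinkBufferSize 2097152
NetlinkBufferSizeMaxGrowth 8388608
Filter From Userspace {
Protocol Accept {
TCP
SCTP
DCCP
}
# Flows terminating on this node's own addresses or on the cluster VIPs are
# not replicated (they are meaningless on the peer).
Address Ignore { # all local IP and vIP
IPv4_address 127.0.0.1
IPv4_address 192.168.100.12
IPv4_address 192.168.150.12
# Fixed: the outside address is 200.201.202.12 (eth1 in fw-02.cfg,
# fw-02-out in /etc/hosts) and the outside VIP 200.201.202.10 (haresources);
# the previous 200.201.201.x entries matched nothing local, so flows to the
# outside address and VIP were being replicated.
IPv4_address 200.201.202.12
IPv4_address 192.168.255.12
IPv4_address 192.168.100.10
IPv4_address 192.168.150.10
IPv4_address 200.201.202.10
}
}
}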
q. /etc/conntrackd/conntrackd.init
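#!/bin/sh
#
# conntrack Start conntrack sync services
#
# License: GNU General Public License (GPL)
#
# chkconfig: 35 75 04
# description: Startup script conntrack sync services.
# processname: conntrackd
# lock: /var/lock/conntrack.lock
# config: /etc/conntrackd/conntrackd.conf
#
# SysV control script for the conntrackd state-replication daemon.
#   start  - refuse to double-start, clear a stale lock, launch with -d, then
#            issue -t (shorten kernel timers) and -n (resync request, a no-op
#            in the ALARM mode configured in conntrackd.conf).
#   stop   - ask the daemon to exit (-k).
#   status - process listing plus the multicast statistics (-s multicast).
# Every daemon interaction goes through conntrackd's UNIX control socket.
# Exit status: 1 on an unreadable config, a running daemon at start, a failed
# launch, or a bad verb; 0 otherwise (failed -t/-n/-k requests are only logged).
#
# Fixed: exit statuses were compared with "-eq 1", so any other failure
# (e.g. 127 for a missing binary) was treated as success - "not running"
# then looked like "already running".  Any non-zero status is now a failure,
# and all variables are quoted.
#
CONNTRACKD_BIN=/usr/sbin/conntrackd
CONNTRACKD_LOCK=/var/lock/conntrack.lock
CONNTRACKD_CONFIG=/etc/conntrackd/conntrackd.conf

# say MSG - write MSG both to syslog and to the caller's terminal.
say() {
    logger "$1"
    echo "$1"
}

# show_procs VERB - list conntrackd processes, hiding the grep itself and
# this script's own "conntrackd.init VERB" invocation.
show_procs() {
    echo "==="; ps -ef | grep conntrackd | grep -v "grep" | grep -v "$1"
}

# ctd OPTIONS... - run conntrackd against the configured file.
ctd() {
    "$CONNTRACKD_BIN" -C "$CONNTRACKD_CONFIG" "$@"
}

case "$1" in
start)
    if [ ! -r "$CONNTRACKD_CONFIG" ]
    then
        say "ERROR: cant read $CONNTRACKD_CONFIG ."
        exit 1
    fi
    #
    # is conntrackd running? request some statistics to check it
    #
    if ! ctd -s >/dev/null
    then
        #
        # something's wrong, do we have a lock file?
        #
        if [ -f "$CONNTRACKD_LOCK" ]
        then
            logger "WARNING: conntrackd was not cleanly stopped."
            logger "If you suspect that it has crashed:"
            logger "1) Enable coredumps"
            logger "2) Try to reproduce the problem"
            logger "3) Post the coredump to netfilter-devel@vger.kernel.org"
            rm -f "$CONNTRACKD_LOCK"
        fi
        say "Starting conntrackd ..."
        if ! ctd -d
        then
            say "ERROR: cannot launch conntrackd"
            exit 1
        else
            say "OK"
        fi
        show_procs start
    else
        show_procs start
        say "ERROR: conntrackd already running ."
        exit 1
    fi
    #
    # shorten kernel conntrack timers to remove the zombie entries.
    #
    if ! ctd -t
    then
        say "ERROR: failed to invoke conntrackd -t"
    fi
    #
    # request resynchronization with master firewall replica (if any)
    # Note: this does nothing in the alarm approach.
    #
    if ! ctd -n
    then
        say "ERROR: failed to invoke conntrackd -n"
    fi
    ;;
stop)
    #
    # stop conntrackd.
    #
    if ! ctd -k
    then
        say "ERROR: failed to invoke conntrackd -k. not running"
    fi
    show_procs stop
    ;;
status)
    show_procs status
    if ! ctd -s multicast
    then
        say "ERROR: failed to invoke conntrackd -s multicast. not running"
    fi
    ;;
*)
    logger "ERROR: conntrackd.init {start|stop|status}"
    echo "Usage: conntrackd.init {start|stop|status}"
    exit 1
    ;;
esac
exit 0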
#
r. /etc/conntrackd/primary-backup.sh
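#!/bin/sh
#
# (C) 2008 by Pablo Neira Ayuso
#
# This software may be used and distributed according to the terms
# of the GNU General Public License, incorporated herein by reference.
#
# Description:
#
# This is the script for primary-backup setups for keepalived
# (http://www.keepalived.org). You may adapt it to make it work with other
# high-availability managers.
#
# Do not forget to include the required modifications to your keepalived.conf
# file to invoke this script during keepalived's state transitions.
#
# Contributions to improve this script are welcome :).
#
# Local adaptation: this script is listed as a resource in
# /etc/ha.d/haresources, so heartbeat drives it with "start"/"stop"; those
# are accepted below as aliases of keepalived's "primary"/"backup".
#   primary - commit the replicated cache into the kernel, flush both caches,
#             resync from the kernel and push a bulk update to the backup.
#   backup  - make sure the daemon runs (relaunching it if needed), shorten
#             the kernel timers and ask the primary for a resync.
#   fault   - only shorten the kernel timers.
# Failed requests are logged, never fatal; exit 1 only for an unknown verb.
#
# Fixed: exit statuses were compared with "-eq 1", so any other failure
# (e.g. 127 for a missing binary) went unnoticed; any non-zero status is now
# reported, and all variables are quoted.
#
CONNTRACKD_BIN=/usr/sbin/conntrackd
CONNTRACKD_LOCK=/var/lock/conntrack.lock
CONNTRACKD_CONFIG=/etc/conntrackd/conntrackd.conf

# ctd OPTIONS... - run conntrackd against the configured file.
ctd() {
    "$CONNTRACKD_BIN" -C "$CONNTRACKD_CONFIG" "$@"
}

# request LETTER - issue one control request (conntrackd -LETTER) and log,
# but do not abort on, failure.
request() {
    if ! ctd "-$1"
    then
        logger "ERROR: failed to invoke conntrackd -$1"
    fi
}

case "$1" in
start|primary)
    #
    # commit the external cache into the kernel table
    #
    request c
    #
    # flush the internal and the external caches
    #
    request f
    #
    # resynchronize my internal cache to the kernel table
    #
    request R
    #
    # send a bulk update to backups
    #
    request B
    ;;
stop|backup)
    #
    # is conntrackd running? request some statistics to check it
    #
    if ! ctd -s
    then
        #
        # something's wrong, do we have a lock file?
        #
        if [ -f "$CONNTRACKD_LOCK" ]
        then
            logger "WARNING: conntrackd was not cleanly stopped."
            logger "If you suspect that it has crashed:"
            logger "1) Enable coredumps"
            logger "2) Try to reproduce the problem"
            logger "3) Post the coredump to netfilter-devel@vger.kernel.org"
            rm -f "$CONNTRACKD_LOCK"
        fi
        if ! ctd -d
        then
            logger "ERROR: cannot launch conntrackd"
            # upstream exits 1 here; kept non-fatal in this deployment,
            # presumably so that heartbeat's "stop" of the resource never fails
            #exit 1
        fi
    fi
    #
    # shorten kernel conntrack timers to remove the zombie entries.
    #
    request t
    #
    # request resynchronization with master firewall replica (if any)
    # Note: this does nothing in the alarm approach.
    #
    request n
    ;;
fault)
    #
    # shorten kernel conntrack timers to remove the zombie entries.
    #
    request t
    ;;
*)
    logger "ERROR: unknown state transition"
    echo "Usage: primary-backup.sh {primary|backup|fault}"
    exit 1
    ;;
esac
exit 0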
#
s. /usr/local/bin/firewall_down.sh
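#!/bin/bash
# /usr/local/bin/firewall_down.sh
#
# (C) 2002 by Luiz Fernando de Andrade
#
# This software may be used and distributed according to the terms
# of the GNU General Public License, incorporated herein by reference
#
# 25 Jan 2002
# 2 Fev 2002 # takes the WAN interface down and stops routing
# unloads every filtering policy (iptables)
# and lists the final result
#
# Teardown script: disables IP forwarding, takes the outside interface down,
# flushes and deletes every chain in the filter/nat/mangle tables, sets the
# remaining built-in chains to ACCEPT and finally unloads the netfilter
# kernel modules.  Runs as root; output is informational only.
#
# NOTE(review): after this runs the host is fail-open - every chain accepts
# and connection tracking is gone.  Forwarding is off and the WAN interface
# is down, but eth0/eth2 stay up unfiltered.  Maintenance tool only; not
# something heartbeat should ever invoke on a node still holding the VIPs.
#
# Fixed: when no "wan2lan" rule was present WAN_INT was empty and
# "/sbin/ifdown" was called with no argument; that case is now skipped.
# Variables are quoted throughout.
#
echo -e "\n================= desativando roteamento ==============\n"
echo 0 > /proc/sys/net/ipv4/ip_forward
# The outside interface name is taken from the FORWARD rule tagged "wan2lan";
# column 6 of the verbose listing is the rule's input interface.
WAN_INT=`/sbin/iptables -t filter -n -L FORWARD -v|grep "wan2lan"|awk '{print $6}'`
echo -e "\n================= desativando Wan Int ($WAN_INT) ==============\n"
# Never take a PPP link down from here, and do nothing if no rule matched.
if [ -n "$WAN_INT" ] && [ "$WAN_INT" != "ppp0" ]
then
    /sbin/ifdown "$WAN_INT"
fi
echo -e "\n=========== Limpando regras (iptables) ===========\n"
for table in filter nat mangle # `cat /proc/net/ip_tables_name`
do
    echo -e "\t-- $table --"
    /sbin/iptables -t "$table" -F # flush the built-in chains
    /sbin/iptables -t "$table" -X # delete the user-defined chains
    # only built-in chains remain after -X; each gets policy ACCEPT
    for chain in `/sbin/iptables -n -L -t "$table"|grep "Chain "|cut -d' ' -f 2`
    do
        echo -e "\t\t-- $chain --"
        /sbin/iptables -t "$table" -P "$chain" ACCEPT
    done
done
# Unload the netfilter modules.  The original order is kept: ebtables, then
# the NAT and conntrack helpers, the table modules, the xtables matches and
# last the core modules (ip_nat, ip_conntrack, nfnetlink) the others use.
# rmmod reports modules that are not loaded; that is harmless.
for mod in \
    ebtable_nat ebt_dnat ebt_snat ebtables \
    ip_nat_amanda ip_nat_ftp ip_nat_h323 ip_nat_irc ip_nat_pptp ip_nat_sip ip_nat_snmp_basic ip_nat_tftp \
    ip_conntrack_amanda ip_conntrack_ftp ip_conntrack_h323 ip_conntrack_irc ip_conntrack_netbios_ns ip_conntrack_netlink ip_conntrack_pptp ip_conntrack_proto_sctp ip_conntrack_sip ip_conntrack_tftp \
    iptable_mangle iptable_filter iptable_nat ipt_LOG ip_tables \
    ts_kmp xt_conntrack xt_limit xt_multiport xt_state xt_tcpudp x_tables \
    ip_nat ip_conntrack nfnetlink
do
    /sbin/rmmod "$mod"
done
echo -e "\n=========== Limpo ! ==========\n"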
#
t. /usr/local/bin/checa_conntrack.sh
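#!/bin/bash
# /opt/nagios/lib/checa_conntrack.sh
#
# (C) 2010 by Luiz Fernando de Andrade
#
# This software may be used and distributed according to the terms
# of the GNU General Public License, incorporated herein by reference
#
# 29 Enero 2010
#
# Nagios plugin: occupancy of the kernel connection-tracking table.
#
#   current / max (hash buckets) = % occupied
#
# Output: "<STATE> - <count> / <max> (<buckets>) = <pct> %".
# Exit status (Nagios convention): 0 OK (<= 80 %), 1 WARNING (> 80 %),
# 2 CRITICAL (> 90 %), 3 UNKNOWN when the counters cannot be read.
#
# Fixed: the CRITICAL label was misspelled ("CRITCAL"); an unreadable or
# zero ip_conntrack_max now yields UNKNOWN instead of a division error.
# Newer kernels expose the same counters under /proc/sys/net/netfilter/
# with the nf_conntrack_ prefix, so both locations are tried.
#
if [ -r /proc/sys/net/ipv4/netfilter/ip_conntrack_max ]
then
    CT=/proc/sys/net/ipv4/netfilter/ip_conntrack
elif [ -r /proc/sys/net/netfilter/nf_conntrack_max ]
then
    CT=/proc/sys/net/netfilter/nf_conntrack
else
    echo "UNKNOWN - conntrack counters not found under /proc/sys/net"
    exit 3
fi
max=`cat "${CT}_max"`
buc=`cat "${CT}_buckets"`
cont=`cat "${CT}_count"`
# max must be a positive integer or the percentage below is meaningless
if [ -z "$max" ] || [ "$max" -le 0 ] 2>/dev/null
then
    echo "UNKNOWN - invalid conntrack max value '$max'"
    exit 3
fi
ocupado=`expr "$cont" \* 100 / "$max"`
if [ "$ocupado" -gt 90 ]
then
    MSG="CRITICAL"
    ST=2
elif [ "$ocupado" -gt 80 ]
then
    MSG="WARNING"
    ST=1
else
    MSG="OK"
    ST=0
fi
echo -e "$MSG - $cont / $max ($buc) = $ocupado %"
exit $ST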
#
u. /usr/local/bin/firewall_ls.sh
# /usr/local/bin/firewall_ls.sh
#
# (C) 2002 by Luiz Fernando de Andrade
#
# This software may be used and distributed according to the terms
# of the GNU General Public License, incorporated herein by reference
#
# 25 de Janeiro 2002
# lista as politicas atuais
#
echo -e "\nZerar contadores ? (N/s) \c"
read zero
if [ "$zero" = "S" -o "$zero" = "s" ]
then
zero="-Z"
else
zero=""
fi
echo -e "\n=========== Listando regras (iptables) ==========="
for table in filter nat mangle # `cat /proc/net/ip_tables_name`
do
echo -e "\n\t=== $table ===\n"
/sbin/iptables -n -L $zero -t $table -v --line-numbers
done
echo -e "\n=========== Listando modulos Kernel =========\n"
lsmod | grep "ip"
echo -e "\n=========== FIM =========\n"
v. /etc/sysconfig/syslog (fw-console)
# sysklogd options on fw-console: -r accepts remote messages on UDP 514
# (fw-01/fw-02 forward here), -x skips DNS lookups of senders, -m 0 turns
# the periodic MARK lines off.
# NOTE(review): syslogd does not filter who may send to port 514; the host
# relies on its packet filter (not shown here) to admit only the two nodes.
SYSLOGD_OPTIONS="-m 0 -r -x "
# klogd -x: do not translate kernel oops addresses to symbols.
KLOGD_OPTIONS="-x"
# New log files are created 0600 (root only).
SYSLOG_UMASK=077
w. /etc/logrotate.d/syslog (fw-01, fw-02, fw-console)
# Daily rotation, 30 compressed generations, for the stock syslog files plus
# the local0-local6 files that fw-console's syslog.conf writes (the same file
# is used on fw-01/fw-02, where those extra files simply do not exist).
/var/log/messages /var/log/secure /var/log/maillog /var/log/spooler /var/log/boot.log /var/log/cron /var/log/local6.log /var/log/local5.log /var/log/local4.log /var/log/local3.log /var/log/local2.log /var/log/local1.log /var/log/local0.log {
sharedscripts
compress
daily
rotate 30
# One HUP per run (sharedscripts), for whichever syslog daemon is installed.
postrotate
/bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
/bin/kill -HUP `cat /var/run/rsyslogd.pid 2> /dev/null` 2> /dev/null || true
endscript
}
x. /etc/syslogd.conf (fw-console)
# syslog.conf on fw-console (also the collector for fw-01/fw-02).
# local0-local6 each get their own file and are kept out of /var/log/messages
# below; what emits on those facilities is not shown in this document.
# Messages forwarded by the nodes keep their original facility, so they land
# in the matching file here (mostly /var/log/messages).
local0.* /var/log/local0.log
local1.* /var/log/local1.log
local2.* /var/log/local2.log
local3.* /var/log/local3.log
local4.* /var/log/local4.log
local5.* /var/log/local5.log
local6.* /var/log/local6.log
*.info;mail.none;authpriv.none;cron.none;local0.none;local1.none;local2.none;local3.none;local4.none;local5.none;local6.none /var/log/messages
# Authentication messages are kept apart; the "-" on maillog disables the
# fsync after every write.
authpriv.* /var/log/secure
mail.* -/var/log/maillog
cron.* /var/log/cron
# Emergencies go to every logged-in terminal.
*.emerg *
uucp,news.crit /var/log/spooler
local7.* /var/log/boot.log
y. /etc/syslogd.conf (fw-01, fw-02)
# syslog.conf on the firewall nodes: info and above, minus mail/authpriv/
# cron, is shipped to fw-console (plain UDP syslog, unencrypted).
# NOTE(review): authpriv - sshd logins, sudo - is excluded from the forward
# and exists only in the local /var/log/secure, which a compromised node
# could alter.  Forward it too, e.g. `authpriv.* @fw-console`.
*.info;mail.none;authpriv.none;cron.none @fw-console
authpriv.* /var/log/secure
# The "-" on maillog disables the fsync after every write.
mail.* -/var/log/maillog
cron.* /var/log/cron
# Emergencies go to every logged-in terminal.
*.emerg *
uucp,news.crit /var/log/spooler
local7.* /var/log/boot.log
z. /etc/ntp.conf (fw-01, fw-02)
# ntpd on the firewall nodes: answer nobody by default, take time only from
# fw-console.
restrict default ignore
restrict 127.0.0.1
# The time source (.13, fw-console) may exchange time with us but may not
# query or modify the daemon.
restrict 192.168.100.13 mask 255.255.255.255 nomodify notrap noquery
server fw-console
# NOTE(review): there is no matching "server 127.127.1.0" line in this file,
# so this fudge has nothing to apply to and the local clock is not a
# fallback here (compare fw-console's ntp.conf).  Confirm whether a local
# clock fallback was intended.
fudge 127.127.1.0 stratum 10
#driftfile /var/lib/ntp/drift
aa. /etc/ntp.conf (fw-console)
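# ntpd on fw-console: syncs from the public pool and serves the internal
# networks (fw-01/fw-02 point at this host).
# "notrust" in the default restriction: on ntpd 4.2 and later this rejects
# unauthenticated packets unless a more specific restrict line without it
# applies (the lines below), on older releases it only marks peers
# untrusted - confirm which ntpd version is installed.
restrict default notrust nomodify notrap noquery
restrict 127.0.0.1
# Fixed: was 192.158.100.13 (typo, matched nothing); this host is
# 192.168.100.13 per /etc/hosts.  Unrestricted, like the loopback.
restrict 192.168.100.13
# Internal networks may sync but may not query or modify the daemon.
# NOTE(review): "mask 255.255.0.0" widens each of these /24s to a /16
# (192.168.0.0/16, three times over); 255.255.255.0 would match the
# networks as deployed.  192.168.200.0 appears nowhere else in this
# document - confirm it exists.
restrict 192.168.100.0 mask 255.255.0.0 nomodify notrap noquery
restrict 192.168.150.0 mask 255.255.0.0 nomodify notrap noquery
restrict 192.168.200.0 mask 255.255.0.0 nomodify notrap noquery
# Upstream servers.  NOTE(review): each "restrict pool.ntp.org" resolves the
# name once at startup, so the four lines may well cover the same address
# while the four "server" lines pick different pool members - confirm that
# replies from all four servers get past the notrust default.
restrict pool.ntp.org mask 255.255.255.255 nomodify notrap noquery
restrict pool.ntp.org mask 255.255.255.255 nomodify notrap noquery
restrict pool.ntp.org mask 255.255.255.255 nomodify notrap noquery
restrict pool.ntp.org mask 255.255.255.255 nomodify notrap noquery
server pool.ntp.org
server pool.ntp.org
server pool.ntp.org
server pool.ntp.org
#
# Local clock as a stratum-10 fallback when the pool is unreachable.
server 127.127.1.0 # local clock
fudge 127.127.1.0 stratum 10
#
driftfile /var/lib/ntp/drift
broadcastdelay 0.008
#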
bb. /etc/ntp/ntpservers (fw-console)
pool.ntp.org
pool.ntp.org
pool.ntp.org
pool.ntp.org
cc. /etc/ntp/ntpservers (fw-01, fw-02)