Adicionando procedimento de firewall

diff --git a/firewall.mdwn b/firewall.mdwn
index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..bb3687a9a9c8a09f360c6f1003e9cdae109b7efd 100644 (file)
--- a/firewall.mdwn
+++ b/firewall.mdwn
@@ -0,0 +1,76 @@
+Configuração do shorewall 
+=========================
+
+De início, instale o shorewall:
+
+    apt-get install shorewall
+
+É necessário que o iptables esteja configurado para encaminhar os pacotes de uma porta externa para os vservers. As seguinte diretiva precisa ser alterada na configuração original no arquivo `/etc/shorewall/shorewall.conf`:
+
+    IP_FORWARDING=Yes
+
+O arquivo `/etc/shorewall/interfaces` deve conter a interface de rede:
+
+    #ZONE   INTERFACE       BROADCAST       OPTIONS
+    - eth0 detect tcpflags,blacklist,routefilter,nosmurfs,logmartians,norfc1918
+    #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
+
+O arquivo `/etc/shorewall/zones` deve conter as zonas da rede:
+
+    ###############################################################################
+    #ZONE   TYPE            OPTIONS         IN                      OUT
+    #                                       OPTIONS                 OPTIONS
+    fw      firewall
+    vm      ipv4
+    net     ipv4
+    #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
+
+O arquivo `/etc/shorewall/hosts` associa zonas a subredes:
+
+    #ZONE   HOST(S)                                 OPTIONS
+    vm      eth0:192.168.0.0/24
+    net     eth0:0.0.0.0/0
+    #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE
+
+O arquivo `/etc/shorewall/policy` define as regras para tráfego de pacotes:
+
+    ###############################################################################
+    #SOURCE         DEST            POLICY          LOG             LIMIT:BURST
+    #                                               LEVEL
+    vm              net             ACCEPT
+    $FW             net             ACCEPT
+    $FW             vm              ACCEPT
+    net             all             DROP            info
+    # THE FOLLOWING POLICY MUST BE LAST
+    all             all             REJECT          info
+    #LAST LINE -- DO NOT REMOVE
+
+E o arquivo `/etc/shorewall/rules` define exceções às regras gerais:
+
+    ################################################################
+    #ACTION         SOURCE          DEST            PROTO   DEST
+    SSH/ACCEPT      net             $FW
+    Ping/ACCEPT     net             $FW
+    HTTP/ACCEPT     net             $FW
+    HTTPS/ACCEPT    net             $FW
+    #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
+
+Adicionamos máscaras NAT aos pacotes da rede interna através do `/etc/shorewall/masq`:
+
+    ###############################################################################
+    #INTERFACE              SOURCE          ADDRESS         PROTO   PORT(S) IPSEC   MARK
+    eth0:!192.168.0.0/24    192.168.0.0/24
+    #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
+
+Habilite o shorewall mudando o valor de startup de `/etc/default/shorewall` para `1`:
+
+    startup=1
+
+Finalmente podemos ligar o shorewall:
+
+    /etc/init.d/shorewall start
+
+Shorewall e Puppet 
+==================
+
+Uma vez que um nodo puppetmaster estiver rodando, o módulo [puppet-shorewall](http://git.sarava.org/?p=puppet-shorewall.git;a=summary) poderá ser utilizado para gerenciar o firewall. No entanto, se você for substituir o presente procedimento pela sua versão via puppet, certifique-se de apagar os arquivos `/etc/shorewall/{masq,policy,zones,rules,interfaces}`.