path: root/all_tests.py
blob: 33b16f7f22235b01b82df44056058167cdbdaa49 (plain) (tree)
#!/usr/bin/python
"""Run all the tests inside the test/ directory as a test suite."""
if __name__ == '__main__':
    import unittest
    # Pull every public name out of the test package; the test modules are
    # expected to be exported from test/__init__.py under tc_* names.
    from test import *

    tests = []
    for key, val in vars().copy().items():
        if key.startswith('tc_'):
            # Collect only TestCase subclasses defined or imported in the
            # module; a bare `type(v) == type` check would also pick up
            # helper classes that unittest cannot load.
            tests.extend(v for k, v in vars(val).items()
                         if isinstance(v, type)
                         and issubclass(v, unittest.TestCase)
                         and v is not unittest.TestCase)

    # unittest.makeSuite is deprecated (removed in Python 3.13); use the loader.
    loader = unittest.TestLoader()
    suite = unittest.TestSuite(loader.loadTestsFromTestCase(t) for t in tests)
    unittest.TextTestRunner(verbosity=2).run(suite)
<p><a href="http://shorewall.net">Shorewall</a> is a gateway/firewall configuration tool. "You describe your firewall/gateway requirements using entries in a set of configuration files. Shorewall reads those configuration files and with the help of the iptables, iptables-restore, ip and tc utilities, Shorewall configures Netfilter and the Linux networking subsystem to match your requirements."</p>
<p>This is a summary of <a href="http://shorewall.net/two-interface.htm">Basic Two-Interface Firewall</a>.</p>
<h3 id="shorewall-install">2.3.1. Install Shorewall</h3>
<p>The Shorewall port is part of the <a href="https://crux.nu/portdb/index.php?a=repo&amp;q=kris">Kris Collection</a> and the <a href="../install/ports.html#sysdoccollection">sysdoc collection</a>.</p>
<pre>
$ prt-get depinst shorewall
</pre>
<p>Get the sample configuration from the distribution file:</p>
<pre>
$ mkdir sample && cd sample
$ tar xf ../shorewall-5.0.8.2.tar.bz2
$ cd /srv/ports/work/shorewall-5.0.8.2
$ ls
README.txt            policy                  shorewall.conf.annotated
interfaces            policy.annotated        stoppedrules
interfaces.annotated  rules                   stoppedrules.annotated
masq                  rules.annotated         zones
masq.annotated        shorewall.conf          zones.annotated
</pre>
<p>Copy the files to /etc/shorewall:</p>
<pre>
$ sudo cp Samples/two-interfaces/* /etc/shorewall/
</pre>
<p>The extracted distribution files are not needed anymore:</p>
<pre>
$ cd ../../ && rm -fR sample
</pre>
<h3 id="shorewall-configure">2.3.2. Configure Shorewall</h3>
<p>Tip: each file in /etc/shorewall has its own manual page; for example, to get help about the zones file, call man shorewall-zones. Some files have names ending in '.annotated'; you may prefer to look at those instead.</p>
<p>Rules about which traffic to allow and which traffic to deny are expressed in terms of zones:</p>
<ul>
<li>Define the default policy for connections from one zone to another zone in /etc/shorewall/policy.</li>
<li>Define exceptions to those default policies in /etc/shorewall/rules.</li>
</ul>
<p>Edit <a href="../conf/etc/shorewall/shorewall.conf">/etc/shorewall/shorewall.conf</a></p>
<pre>
###############################################################################
#               S T A R T U P   E N A B L E D
###############################################################################
STARTUP_ENABLED=Yes
</pre>
<h4 id="shorewall-interfaces">2.3.5. Configure Interfaces</h4>
<p>Show the default route; the last entry should be your external interface:</p>
<pre>
# ip route ls
</pre>
<p>This example assumes enp8s0 is connected to the router and wlp7s0 is the wireless access point.</p>
<p>Edit <a href="../conf/etc/shorewall/interfaces">/etc/shorewall/interfaces</a></p>
<pre>
###############################################################################
#ZONE   INTERFACE   OPTIONS
net     enp8s0      dhcp,tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0
loc     wlp7s0      tcpflags,nosmurfs,routefilter,logmartians
</pre>
<p>Edit <a href="../conf/etc/shorewall/stoppedrules">/etc/shorewall/stoppedrules</a></p>
<pre>
###############################################################################
#ACTION   SOURCE   DEST     PROTO   DEST      SOURCE
#                                   PORT(S)   PORT(S)
ACCEPT    enp3s0   -
ACCEPT    -        enp3s0
</pre>
<h4 id="shorewall-zones">2.3.3. Configure Zones</h4>
<p>Shorewall treats the firewall system itself as a zone, as can be seen in the zones defined by the two-interfaces example.</p>
<p>Edit <a href="../conf/etc/shorewall/zones">/etc/shorewall/zones</a></p>
<pre>
###############################################################################
#ZONE   TYPE       OPTIONS   IN        OUT
#                            OPTIONS   OPTIONS
fw      firewall
net     ipv4
loc     ipv4
</pre>
<h4 id="shorewall-policy">2.3.4. Configure Policy</h4>
<p>Change the default /etc/shorewall/policy. This example limits which connections are allowed to and from the firewall; the default policy is DROP.</p>
<p>Edit <a href="../conf/etc/shorewall/policy">/etc/shorewall/policy</a></p>
<pre>
##############################################################################
#SOURCE   DEST   POLICY   LOG LEVEL   LIMIT:BURST
loc       net    ACCEPT   info
net       all    DROP     warning
$FW       net    DROP     warning
loc       $FW    DROP     warning
$FW       loc    DROP     warning
# THE FOLLOWING POLICY MUST BE LAST
all       all    REJECT   warning
</pre>
<h4 id="shorewall-snat">2.3.6. SNAT/Masquerading</h4>
<p>In Shorewall, both Masquerading and SNAT are configured with entries in the /etc/shorewall/masq file. You will normally use Masquerading if your external IP is dynamic and SNAT if the IP is static.</p>
<p>Since <a href="../conf/etc/rc.d/net">/etc/rc.d/net</a> configures enp8s0 with a static address, change /etc/shorewall/masq so that it uses SNAT.</p>
<p>Edit <a href="../conf/etc/shorewall/masq">/etc/shorewall/masq</a></p>
<pre>
#######################################################################################
#INTERFACE:DEST   SOURCE        ADDRESS         PROTO   PORT(S)   IPSEC   MARK
#
wlp7s0            10.0.0.0/24   192.168.1.254
</pre>
<h4 id="shorewall-dnat">2.3.7. DNAT</h4>
<p>Destination Network Address Translation (DNAT) entries are defined in /etc/shorewall/rules.</p>
<h4 id="shorewall-rules">2.3.8. Rules</h4>
<p>Example <a href="../conf/etc/shorewall/rules">/etc/shorewall/rules</a> file.</p>
<h4 id="shorewall-log">2.3.9. Logging</h4>
<pre>
$ sudo mkdir /var/log/shorewall
</pre>
<p>Example syslog-ng configuration for Shorewall:</p>
<pre>
destination d_shorewall_warn { file("/var/log/shorewall/warn.log"); };
destination d_shorewall_info { file("/var/log/shorewall/info.log"); };
filter f_shorewall_warn { level(warn) and match("Shorewall" value("MESSAGE")); };
filter f_shorewall_info { level(info) and match("Shorewall" value("MESSAGE")); };
log { source(s_kernel); filter(f_shorewall_warn); destination(d_shorewall_warn); flags(final); };
log { source(s_kernel); filter(f_shorewall_info); destination(d_shorewall_info); flags(final); };
</pre>
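<p>The zone-to-zone policy lookup described in 2.3.4, as an added example that is not part of this page or of Shorewall itself: it parses the policy table shown above (embedded here as a constructed string) and resolves the effective policy for each zone pair the way Shorewall does, first matching entry in file order wins, "all" matches any zone, and $FW stands for the firewall zone "fw" from the zones file. Comma-separated zone lists and "all+" are not handled; this is a simplification for illustration.</p>

```python
# Added example: resolve effective Shorewall zone policies from a policy table.
# The table below is the one from section 2.3.4, embedded as a constructed string.
POLICY_FILE = """\
#SOURCE   DEST   POLICY   LOG LEVEL   LIMIT:BURST
loc       net    ACCEPT   info
net       all    DROP     warning
$FW       net    DROP     warning
loc       $FW    DROP     warning
$FW       loc    DROP     warning
# THE FOLLOWING POLICY MUST BE LAST
all       all    REJECT   warning
"""


def parse_policy(text, fw_zone="fw"):
    """Return [(source, dest, POLICY, log_level)], $FW replaced by the fw zone name."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"malformed policy line: {raw!r}")
        src, dst, action = fields[:3]
        level = fields[3] if len(fields) > 3 else None
        entries.append((src.replace("$FW", fw_zone),
                        dst.replace("$FW", fw_zone), action.upper(), level))
    return entries


def _zone_matches(pattern, zone):
    return pattern == "all" or pattern == zone


def resolve(entries, src, dst):
    """First matching entry in file order decides, exactly as Shorewall applies it."""
    for p_src, p_dst, action, level in entries:
        if _zone_matches(p_src, src) and _zone_matches(p_dst, dst):
            return action, level
    return None  # no catch-all: Shorewall would refuse such a policy file


def has_catch_all_last(entries):
    """The page's comment requires the all -> all entry to be the last one."""
    return bool(entries) and entries[-1][0] == "all" and entries[-1][1] == "all"


def policy_matrix(entries, zones):
    """Effective policy for every ordered zone pair, e.g. to audit what loc may reach."""
    return {(s, d): (resolve(entries, s, d) or (None, None))[0]
            for s in zones for d in zones if s != d}
```

With the page's table, only loc to net is ACCEPT; every other pair among fw, net and loc resolves to DROP, so the firewall host itself is unreachable from the LAN unless /etc/shorewall/rules adds exceptions.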