...
| Code Block |
|---|
root@debian9-base:/etc/shorewall# for i in `ls`; do echo "========= $i ========="; cat $i | grep -v "^#" | grep -v "^$"; echo "========= $i ========="; echo ""; done ========= hosts ========= ========= hosts ========= ========= interfaces ========= net enp0s3 detect tcpflags,dhcp,nosmurfs,routefilter,logmartians wifi enp0s8 detect tcpflags,nosmurfs,routefilter,logmartians ========= interfaces ========= ========= masq ========= enp0s3 192.168.9.0/24 ========= masq ========= ========= policy ========= $FW net REJECT INFO(uid) $FW wifi ACCEPT INFO(uid) wifi all REJECT net all DROP INFO all all REJECT info ========= policy ========= ========= routestopped ========= ========= routestopped ========= ========= rules ========= Invalid(DROP) net all ACCEPT:INFO(uid) net $FW $FW tcp 22 ACCEPT:INFO(uid) net $FW $FW udp 123 ACCEPT:INFO(uid) net $FW icmp ACCEPT:INFO(uid) $FW net tcp 465,587,995,993 ACCEPT:INFO(uid) $FW net udp 53,123 ACCEPT:INFO(uid) $FW net icmp ACCEPT:INFO(uid) $FW net tcp - - - - $FW net tcp root465,587,995,993 ACCEPT:INFO(uid) $FW net udp 53,123 ACCEPT:INFO(uid) net$FW net icmp ACCEPT:INFO(uid) $FW net tcp udp - - - - root ACCEPT:INFO(uid) $FW net udp - net - icmp - - root ACCEPT:INFO(uid) $FW net icmp - - - - root ACCEPT:INFO(uid) $FW - net root ACCEPT:INFO(uid) $FW net tcp - - - - _apt ACCEPT:INFO(uid) $FW net net udp - - - - _apt ACCEPT:INFO(uid) $FW net net icmp - - - - _apt ========= rules ========= ========= shorewall.conf ========= .... STARTUP_ENABLED=Yes .... IP_FORWARDING=On .... ========= shorewall.conf ========= ========= zones ========= fw firewall net ipv4 wifi ipv4 ========= zones ========= |
In /etc/default/shorewall, set
...
| Code Block |
|---|
root@debian9-base:~# cat /etc/rsyslog.d/40-shorewall.conf
:msg, contains, "Shorewall:" /var/log/shorewall
& stop
root@debian9-base:~# cat /etc/logrotate.d/shorewall
/var/log/shorewall-init.log {
weekly
rotate 108
compress
nomissingok
create 0640 root adm
}
/var/log/shorewall
{
rotate 731
daily
nomissingok
notifempty
delaycompress
compress
dateext
postrotate
reload rsyslog >/dev/null 2>&1 || true
endscript
}
root@debian9-base:~# cat /etc/logrotate.d/rsyslog
/var/log/syslog
/var/log/auth.log
{
rotate 731
daily
dateext
nomissingok
notifempty
delaycompress
compress
postrotate
invoke-rc.d rsyslog rotate > /dev/null
endscript
}
/var/log/mail.info
/var/log/mail.warn
/var/log/mail.err
/var/log/mail.log
/var/log/daemon.log
/var/log/kern.log
/var/log/user.log
/var/log/lpr.log
/var/log/cron.log
/var/log/debug
/var/log/messages
{
rotate 4
weekly
missingok
notifempty
compress
delaycompress
sharedscripts
postrotate
invoke-rc.d rsyslog rotate > /dev/null
endscript
}
root@debian9-base:~# cat /etc/logrotate.conf
# see "man logrotate" for details
# rotate log files weekly
weekly
# keep 4 weeks worth of backlogs
rotate 4
# create new (empty) log files after rotating old ones
create
# uncomment this if you want your log files compressed
#compress
# packages drop log rotation information into this directory
include /etc/logrotate.d
# no packages own wtmp, or btmp -- we'll rotate them here
/var/log/wtmp {
nomissingok
monthly
create 0664 root utmp
rotate 24
}
/var/log/btmp {
nomissingok
monthly
create 0660 root utmp
rotate 24
}
# system-specific logs may be configured here
|
...
| Code Block |
|---|
root@debian9-base:~# cat /etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
# The loopback network interface
auto lo
iface lo inet loopback
# The external interface
auto enp0s3
iface enp0s3 inet static
address 192.168.10.52
network 192.168.10.0
netmask 255.255.255.0
broadcast 192.168.10.255
gateway 192.168.10.1
# The wifi interface
auto enp0s8
iface enp0s8 inet static
address 192.168.9.1
netmask 255.255.255.0
broadcast 192.168.9.255
root@debian9-base:~# cat /etc/dhcp/dhcpd.conf | grep -v "^#" | grep -v "^$"
# Some of the following lines are there by default and are probably not required
ddns-update-style none;
option domain-name "example.org";
option domain-name-servers ns1.example.org, ns2.example.org;
default-lease-time 600;
max-lease-time 7200;
log-facility local7;
include "/etc/ltsp/dhcpd.conf";
root@debian9-base:~# cat /etc/ltsp/dhcpd.conf
#
# Default LTSP dhcpd.conf config file.
#
authoritative;
subnet 192.168.9.0 netmask 255.255.255.0 {
range 192.168.9.40 192.168.9.250;
option domain-name "test.av";
option domain-name-servers 192.168.9.1;
option broadcast-address 192.168.9.255;
option routers 192.168.9.1;
option subnet-mask 255.255.255.0;
option root-path "/opt/ltsp/amd64";
if substring( option vendor-class-identifier, 0, 9 ) = "PXEClient" {
filename "/ltsp/amd64/pxelinux.0";
} else {
filename "/ltsp/amd64/nbi.img";
}
} |
| Code Block |
|---|
apt-get install isc-dhcp-server |
...
| Code Block |
|---|
# Just after: wifi all REJECT # Added: wifi1 net ACCEPT INFO wifi1 $FW ACCEPT INFO(uid) $FW wifi1 ACCEPT INFO(uid) # Before: net all DROP INFO |
...