Changes between Version 4 and Version 5 of Configuration


Timestamp:
09/19/07 13:27:07
Author:
Victor Julien
Comment:
--

    v4 v5  
    33
    44After you have successfully finished your Installation you might want to start configuring your firewall.
    5 
    6   If you installed Vuurmuur from remote (eg via ssh) do not log out or you will be locked out: Vuurmuur by default allows related and established connections (which your ssh session is, of course) but no new connections.
    75
    86There are some simple steps you have to go through:
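Review bot: the removal of v4 lines 5-6 drops the only warning that a remote install over ssh can lock the administrator out, and nothing in v5 replaces it. That sentence is also the only place the page states the default policy (related and established connections allowed, new connections not), which a reader needs before touching the rules. Keep the warning here, or move it next to the "apply the changes" note at the end of the page.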
     
    1816== Interfaces ==
    1917
    20 Interfaces in Vuurmuur correspond to real interfaces in your firewall machine. Those interfaces consist of a name, an ip address and the real interface name.
    21 You may use dynamic interfaces (address is provided by a DHCP server) as well; Vuurmuur then tries to read it from the system.
    22 For more advanced networks you might specify virtual interfaces as well (eg eth0:0, eth0:1).
     18Interfaces in Vuurmuur correspond to real network devices in your firewall machine. Those interfaces consist of a name, an ip address and the real interface name. You may use dynamic interfaces (address is provided by a DHCP server) as well; Vuurmuur then will read it from the system. For more advanced networks you might specify [wiki:VirtualInterfaces virtual interfaces] as well (eg eth0:0, eth0:1).
    2319
    24   but watch out: ":" is not allowed to be used in interface names. You might want to rename the interface to something like eth0-0, eth0-1 or even name them after their ip (this is for advanced configuration only!)
     20  Note ":" is not allowed to be used in interface names.
    2521
    26 The name you specify for an interface is up to you. It should help you to see things more clearly and to avoid confusion. You might, of course, use real interface names like eth0 and eth1 if you are used to that, you might name them after the NICs chipset (rtl, 3c90x, ...), name them 'ext' and 'int' (be careful not to confuse zones and interfaces later!) or however you like.
     22The name you specify for an interface is up to you. It should help you to see things more clearly and to avoid confusion. You might, of course, use real interface names like eth0 and eth1 if you are used to that, you might name them after the NICs chipset (rtl, 3c90x, ...), name them 'ext' and 'int' (be careful not to confuse zones and interfaces later!) or however you like. On this site we use the name 'inet-nic' for the internet facing interface, and 'lan-nic' for the lan interface.
    2723
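Review bot: line 18 changes "Vuurmuur then tries to read it from the system" (v4 line 21) to "Vuurmuur then will read it", which removes the hedge for DHCP-assigned addresses without saying what happens when no address is available at the time the rules are generated; either keep "tries to" or document that case. The shortened note on line 20 also loses the practical advice from v4 line 24 (rename eth0:0 to eth0-0, eth0-1 or after its ip), which is exactly what a reader needs once told that ":" is not allowed; consider keeping that suggestion beside the [wiki:VirtualInterfaces] link.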
    2824== Zones, Networks, Hosts and Groups ==
    2925
    30 A zone is a container for networks and a network is a container for hosts. With groups you may group hosts together (within one network). And a host is a single machine one network.
    31 Choosing names for zones, networks and hosts is a quite difficult job because you will be confronted with your choices everywhere in Vuurmuur: every host is displayed as: hostname.networkname.zonename. Knowing this makes life alot easier: You can define zones like 'int', 'ext' and probably 'dmz' and add apropriate network names or choose your naming or use 'lan', 'world' and 'inet'. The choice is entirely up to you. For a more detailed explanation, see Concepts introduced by Vuurmuur.
     26A zone is a container for networks and a network is a container for hosts. With groups you may group hosts together (within one network). And a host is a single machine one network. Choosing names for zones, networks and hosts is a quite difficult job because you will be confronted with your choices everywhere in Vuurmuur: every host is displayed as: hostname.networkname.zonename. Knowing this makes life a lot easier: You can define zones like 'int', 'ext' and probably 'dmz' and add appropriate network names or choose your naming or use 'lan', 'world' and 'inet'. The choice is entirely up to you. For a more detailed explanation, see [wiki:Concepts Concepts introduced by Vuurmuur].
    3227
    33 You need to attach at least one interface to every network. By attaching an interface to a network, you tell Vuurmuur which interface belongs to a network. Normally every network will have one interface, but more are possible as well, for example when you have more than one connection to the internet. In the most simple case this could be eth0 for 'world.inet' and eth1 for 'local.lan'.
     28You need to attach at least one interface to every network. By attaching an interface to a network, you tell Vuurmuur which interface belongs to a network. Normally every network will have one interface, but more are possible as well, for example when you have more than one connection to the internet. In the most simple case this could be 'inet-nic' for 'world.inet' and 'lan-nic' for 'local.lan'.
    3429
    3530== Rules ==
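Review bot: line 26 still carries the v4 grammar slip "a host is a single machine one network" (missing "in"); since the line was already rewritten to fix "alot" and "apropriate", fix it here as "a single machine in one network". Also, line 26 offers "'lan', 'world' and 'inet'" as example zone names, while line 28 uses 'world.inet' and 'local.lan' in the networkname.zonename form defined on the same line, so it is unclear which of 'world' and 'inet' is the zone; one clause saying e.g. "network 'world' in zone 'inet'" would remove the ambiguity.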
     
    6055accept service ssh from local.lan to firewall options log,logprefix="incoming ssh"
    6156}}}
    62 For more informantion on creating rules see Rule Basics and NAT rules.
     57For more informantion on creating rules see [wiki:Rules Rule Basics] and [wiki:RulesNAT NAT rules].
    6358
    64 The logviewer and the connection viewer can be used to see what rules you need. In the logviewer you can see that the logprefix that is set in the rules will make it clear which rule causes which logline.
     59The logviewer and the connection viewer can be used to see what rules you need. In the logviewer you can see that the logprefix that is set in the rules will make it clear which rule causes which log line.
    6560
    66   After you are done configuring your rules, be sure to apply the changes to the system, so the new rules will get into effect!
     61  After you are done configuring your rules, be sure to [wiki:ApplyChanges apply the changes] to the system, so the new rules will get into effect!
    6762
    6863----
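Review bot: "informantion" on line 57 is a typo carried over unchanged from v4 line 62; since the sentence was rewritten to add the [wiki:Rules] and [wiki:RulesNAT] links, correct it here to "information". The rest of the hunk (log line spelling on line 59, the [wiki:ApplyChanges] link on line 61) looks good.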