home *** CD-ROM | disk | FTP | other *** search
- #
- # $Id: server-dmz.conf,v 1.2 2003/01/07 02:03:09 ktsaou Exp $
- #
- # CASE:
- # Configuration file for a dual path server.
- #
- # The first network interface is connected to the internet to accept
- # requests for services running on this server.
- #
- # The second network interface is connected to a private LAN, through
- # which a number of similar servers communicate with each other.
- #
- # The server will only be allowed to accept and send specific traffic
- # matching the servers and clients defined.
-
- version 5
-
- # ----------------------------------------------------------------------
-
- # The Ethernet interface this server is connected to the Internet.
- # You can use more than one (space separated) and if your server
- # has many aliases for the same interface, you can use the plus sign
- # to match them all (e.g. eth0+).
- internet_interface="eth0+"
-
- # Enter here all the IPs your server accepts requests from the internet.
- # This variable accepts a space separated list of IPs, hostnames, etc.
- # You can leave this empty if you don't want to restrict the IPs traffic
- # was targeting.
- internet_ips=""
-
- # The servers you wish to run on the internet side of this host.
- internet_servers="http smtp"
-
- # The clients you wish to run on the internet side of this host.
- internet_clients="dns"
-
- # At what frequency to accept requests from the internet?
- internet_requests="100/sec"
-
- # ----------------------------------------------------------------------
-
- # Similar to the internet_interface, but this time for the private one.
- private_interface="eth1+"
-
- # Similar to the internet_ips, but this time for the private.
- private_ips=""
-
- # The address space of all the servers this host might communicate with,
- # in the private LAN.
- # Leaving this empty will not check the IPs of the private LAN.
- private_subnet=""
-
- # The servers you wish to run on the private side of this host.
- private_servers="ssh"
-
- # The clients you wish to run on the private side of this host.
- private_clients="http dns icmp"
-
- # At what frequency to accept requests from the private LAN?
- private_requests="20/sec"
-
-
- # ----------------------------------------------------------------------
- # Normally, you don't have to edit anything bellow.
- # ----------------------------------------------------------------------
-
- # A trick that adds "dst" in front of internet_ips only if it is not
- # empty. Otherwise, this does nothing.
- unset internet_params
- test ! -z "${internet_ips}" && internet_params=(dst "${internet_ips}")
-
- # Internet interface
- interface "${internet_interface}" internet \
- src not "${UNROUTABLE_IPS}" "${internet_params[@]}"
-
- protection strong ${internet_requests}
-
- # The internet servers
- server "${internet_servers}" accept
-
- # The internet clients
- client "${internet_clients}" accept
-
- # Speed up idents by rejecting them
- server ident reject with tcp-reset
-
-
- # ----------------------------------------------------------------------
-
- # Fix also the parameters for the private network.
- unset private_params
- test ! -z "${private_subnet}" && private_params=(src "${private_subnet}")
-
- unset private_params2
- test ! -z "${private_ips}" && private_params2=(dst "${private_ips}")
-
- # Private interface
- interface "${private_interface}" private \
- "${private_params[@]}" "${private_params2[@]}"
-
- protection strong ${private_requests}
-
- # The private servers
- server "${private_servers}" accept
-
- # The private clients
- client "${private_clients}" accept
-
- # Speed up idents by rejecting them
- server ident reject with tcp-reset
-
-
