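#!/bin/sh
#------------------------------------------------------------------------------
# /etc/rc.d/rc370.dmz - configure dmz
#
# Builds the firewall rules for the dmz ("orange") network:
#   - green networks may reach orange, source-NATed to the orange address
#   - orange may reach the configured ports on red and on the router
#   - optionally everything from orange is NATed towards red
#   - finally both dmz chains (dmz-fwd, dmz-inp) are closed with REJECT, so
#     anything not explicitly allowed above is refused (fail-closed)
#
# Reads (router configuration / environment):
#   OPT_DMZ, DMZ_DO_DEBUG, DMZ_RED_DEV, DMZ_NAT, DMZ_LOG,
#   IP_NET_N, IP_NET_<n>, IP_NET_<n>_TYPE,
#   DMZ_ORANGE_RED_N, DMZ_ORANGE_RED_<n>,
#   DMZ_ORANGE_ROUTER_N, DMZ_ORANGE_ROUTER_<n>
# Writes:
#   /var/run/ip_net.conf (appends dmz_orange=IP_NET_<n>)
#   firewall rules via add_rule/ins_rule from /etc/rc.d/fwrules-helper
#
# Creation: jw5
# Last Update: $Id$
#------------------------------------------------------------------------------

case $OPT_DMZ in
yes)
    begin_script DMZ "setting up dmz ..."

    # $I is presumably set when the caller has already loaded the helper
    # functions (add_rule, ins_rule, ...) - confirm; otherwise load them here
    if [ -z "$I" ]; then
        . /etc/rc.d/fwrules-helper
    fi

    case "$DMZ_DO_DEBUG" in
    yes) FWRULES_DO_DEBUG=yes ;;
    esac

    # green      - internal networks (space separated list of IP_NET_<n> names)
    # dmz_orange - dmz network (one IP_NET_<n> name)
    # red        - inet interface
    red_dev=$DMZ_RED_DEV
    green=
    dmz_orange=

    # classify the configured networks by their _TYPE; the count is guarded
    # the same way as the DMZ_ORANGE_* loops below, so an unset IP_NET_N
    # does not hand an empty argument to seq
    if [ 0"$IP_NET_N" -gt 0 ]; then
        for i in $(seq 1 "$IP_NET_N"); do
            net=IP_NET_$i
            # indirect lookup; $i is numeric (from seq), so eval is safe here
            eval type=\$${net}_TYPE
            case $type in
            green)
                green="$green $net"
                ;;
            orange)
                # NOTE(review): with more than one orange network only the
                # last one is used for the rules below, although every one is
                # recorded in ip_net.conf - confirm the config check limits
                # the setup to a single orange network
                dmz_orange=$net
                echo "dmz_orange=$net" >> /var/run/ip_net.conf
                ;;
            esac
        done
    fi

    if [ -z "$dmz_orange" ]; then
        # no orange network: skip the rules that need one instead of handing
        # malformed rule specs (empty network field) to add_rule; the dmz
        # chains are still closed with REJECT below
        echo "dmz: no network of type 'orange' configured, dmz rules skipped" >&2
    else
        # allow access from green to orange and snat connections
        # (an empty $green list simply runs zero iterations)
        # shellcheck disable=SC2086 - $green is a space separated list
        for i in $green; do
            add_rule filter dmz-fwd "$i $dmz_orange ACCEPT"
            ins_rule nat POSTROUTING "$i $dmz_orange SNAT:${dmz_orange}_IPADDR"
        done

        # allow orange to access selected ports on red
        if [ 0"$DMZ_ORANGE_RED_N" -gt 0 ]; then
            for i in $(seq 1 "$DMZ_ORANGE_RED_N"); do
                eval rule=\$DMZ_ORANGE_RED_$i
                add_rule filter dmz-fwd "if:any:$red_dev $rule"
            done
        fi

        if [ "$DMZ_NAT" = yes ]; then
            # masquerade by default; when red is one of the configured
            # IP_NET_<n> devices with an address, snat to that fixed address
            target=MASQUERADE
            case $red_dev in
            IP_NET_*_DEV)
                # strip the _DEV suffix to get the IP_NET_<n> variable name
                ip_net=${red_dev%_DEV}
                eval net=\$$ip_net
                if [ "$net" ]; then
                    target="SNAT:${ip_net}_IPADDR"
                fi
                ;;
            esac
            add_rule nat POSTROUTING "if:any:$red_dev $dmz_orange any $target"
        fi

        # allow orange to access selected ports on the router
        if [ 0"$DMZ_ORANGE_ROUTER_N" -gt 0 ]; then
            for i in $(seq 1 "$DMZ_ORANGE_ROUTER_N"); do
                eval rule=\$DMZ_ORANGE_ROUTER_$i
                add_rule filter dmz-inp "$rule"
            done
        fi

        # optionally log what is about to be rejected
        case "$DMZ_LOG" in
        yes)
            add_rule filter dmz-fwd "if:${dmz_orange}_DEV:any LOG:dmz-fwd-out"
            add_rule filter dmz-fwd "if:any:${dmz_orange}_DEV LOG:dmz-fwd-in"
            add_rule filter dmz-inp " LOG:dmz-input"
            ;;
        esac
    fi

    # close dmz-chains and reject everything not explicitly allowed above;
    # done unconditionally so the chains never end open
    add_rule filter dmz-fwd "REJECT NOLOG"
    add_rule filter dmz-inp "REJECT NOLOG"

    end_script
    ;;
esac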