updates for shorewall configs

Signed-off-by: Jessica Frazelle <acidburn@docker.com>
Jessica Frazelle 2015-07-28 04:13:26 -07:00
parent 38c04d1758
commit ae2529386d
4 changed files with 12 additions and 10 deletions


@ -11,5 +11,5 @@
############################################################################### ###############################################################################
#ZONE INTERFACE OPTIONS #ZONE INTERFACE OPTIONS
- lo ignore - lo ignore
dock docker0 dock docker0 bridge
net all dhcp,physical=+,routeback net all dhcp,physical=+
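Review bot: The `net all dhcp,physical=+` row is a catch-all that the file does not explain: it appears to place every interface other than `docker0` (and the ignored `lo`) in the untrusted `net` zone, and to apply the `dhcp` option to each of them. The rendering has lost the +/- markers, so this reading takes the right-hand column as the new side. A comment above the row would make that intent explicit, for example `# net is a catch-all: any interface not listed above is treated as untrusted`. It is also worth noting next to `dock docker0 bridge` that only this one bridge is in the `dock` zone, so any additional container bridge would be handled as `net`.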


@ -9,5 +9,4 @@
################################################################################################################ ################################################################################################################
#INTERFACE:DEST SOURCE ADDRESS PROTO PORT(S) IPSEC MARK USER/ SWITCH ORIGINAL #INTERFACE:DEST SOURCE ADDRESS PROTO PORT(S) IPSEC MARK USER/ SWITCH ORIGINAL
# GROUP DEST # GROUP DEST
#eth0 172.17.0.0/16 #net 172.17.0.0/16
#wlan0 172.17.42.1/24
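Review bot: The remaining commented example `#net 172.17.0.0/16` puts what looks like the zone name `net` in the `INTERFACE:DEST` column, which takes an interface name rather than a zone. The line is inert while commented, but anyone who uncomments it as written would probably get an error or no masquerading, depending on how the name resolves. Consider keeping a real interface name in the example, or adding a comment such as `# masquerading for 172.17.0.0/16 is left to Docker's own NAT rules` if that is the intent. No active masq entry is visible in this hunk.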


@ -7,11 +7,13 @@
# http://www.shorewall.net/manpages/shorewall-policy.html # http://www.shorewall.net/manpages/shorewall-policy.html
# #
############################################################################### ###############################################################################
#SOURCE DEST POLICY LOG LIMIT: CONNLIMIT: #SOURCE DEST POLICY LOG LIMIT: CONNLIMIT:
# LEVEL BURST MASK # LEVEL BURST MASK
dock all ACCEPT dock net ACCEPT
# on a server you would obviously want to accept dock fw ACCEPT
net dock DROP net dock DROP
net all DROP net all DROP
fw net ACCEPT fw net ACCEPT
fw dock ACCEPT fw dock ACCEPT
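Review bot: `dock fw ACCEPT` in the policy table gives every container unrestricted access to all services listening on the host, so a compromised container is not contained at the firewall. The side of each row is inferred from the column order, because the rendering lost the +/- markers. A tighter default would be `dock fw REJECT info`, with explicit entries in the rules file for the few host services containers actually need. The two `DROP` policies also have no log level, so dropped traffic from `net` is not recorded; `net all DROP info` would make it visible. The hunk header reports 13 new lines but only 11 rows are shown, so a final catch-all policy may exist outside this view.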


@ -16,7 +16,8 @@
?SECTION UNTRACKED ?SECTION UNTRACKED
?SECTION NEW ?SECTION NEW
Invalid(DROP) net $FW tcp Invalid(DROP) net $FW tcp
# on a server you would obiously want to accept here Invalid(DROP) net dock tcp
SSH(DROP) net $FW Invalid(DROP) net dock udp
#SSH(ACCEPT) net $FW
# on a server you would obviously want to accept here # on a server you would obviously want to accept here
Ping(DROP) net $FW #Ping(ACCEPT) net $FW
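Review bot: The commented `#SSH(ACCEPT) net $FW` template, if uncommented as written, would open SSH to the whole `net` zone, which in this configuration seems to cover every interface except `docker0`. Reading the right-hand column as the new side, a safer template restricts the source, for example `#SSH(ACCEPT) net:<ADMIN_CIDR> $FW`, where `<ADMIN_CIDR>` is a placeholder. The "on a server you would obviously want to accept here" comment now sits between the SSH and Ping lines, so it reads as applying to Ping only; moving it above both would keep the intent clear. With the explicit `SSH(DROP)` and `Ping(DROP)` rules gone, those packets presumably fall through to the `net` DROP policy, which a short comment could state.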