[Modularit-users] Translation for firewall guide

Ben Jarenicz bjarenicz at me.com
Thu Feb 12 12:00:09 WET 2009


Richard,

There is a lot in here I do not understand. Please can you help me translate the remaining lines of Spanish?

Thank you.



h1. Firewall deployment guide

This document is under development. If you have any trouble, please get in contact with the ModularIT team through the mailing list.


h2. Preparation

* Prior to commencing, read the [[ModularITXen0DeploymentGuideEn|Dom0 deployment]] guide, since firewalls are always deployed on bare metal.
* Install the Firewall services

<pre>
  yum install dhcp squid bind ntp perl-Config-Simple libmcrypt screen vim-enhanced nmap  wireshark  vixie-cron at crontabs usbutils lshw iptraf telnet
</pre>

* Install the Shorewall from the ctktools repository

<pre>
  yum install --enablerepo=ctktools shorewall
</pre>

h2. Preparation and configuration of PICA for Shorewall, dhcpd and the name servers

* Since these three services are interrelated, we treat them together in this section.
* The following convention is recommended. It is important to have a criterion, even an arbitrary one, and ours is:

<pre>
  eth0 is connected to the internet or, in its absence, the closest alternative
  eth1 to the intranet
  eth2 to the DMZ
</pre>

* In the PICA file, or in the hosts section if the installation has multiple sites and one firewall per site, we define the variables described below.

h3. Network

* Ensure that the file _/etc/sysctl.conf_ has packet forwarding between interfaces enabled:

<pre>
  # Controls IP packet forwarding 
  net.ipv4.ip_forward = 1
</pre>

h3. Shorewall

* Add the machine to the _shorewall_ group
* In the machine definition in PICA, add:

<pre>
  inet_iface = 'eth0';
  loc_iface = 'eth1';
</pre>
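The _inet_iface_/_loc_iface_ mapping above only pays off if the Shorewall policy table keeps the three zones apart. The following is an added example, not code from the ModularIT guide or from PICA: it parses a constructed _/etc/shorewall/policy_ table with the classic SOURCE/DEST/POLICY columns and the usual zone names (net, loc, dmz, $FW, all), and checks the properties a firewall on this layout should have (net cannot reach loc or the firewall, dmz cannot reach loc, and a closing all/all catch-all exists). The sample table and the zone names are assumptions, not output of the guide's tooling.

```python
"""Audit a Shorewall policy table for the three-zone layout described above.

Added example, not part of the ModularIT guide or of PICA. Assumes the usual
Shorewall zone names (net, loc, dmz, $FW) and the classic /etc/shorewall/policy
column layout: SOURCE DEST POLICY [LOG LEVEL].
"""

# Constructed sample of an /etc/shorewall/policy file (not generated by PICA).
SAMPLE_POLICY = """\
#SOURCE  DEST   POLICY  LOG LEVEL
loc      net    ACCEPT
loc      dmz    ACCEPT
dmz      net    ACCEPT
net      all    DROP    info
$FW      all    ACCEPT
all      all    REJECT  info
"""


def parse_policy(text):
    """Return a list of (source, dest, policy) tuples, skipping comments and blank lines."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError("malformed policy line: %r" % line)
        rules.append((fields[0], fields[1], fields[2].upper()))
    return rules


def effective_policy(rules, src, dst):
    """Shorewall applies the first matching row; 'all' matches any zone."""
    for s, d, pol in rules:
        if s in (src, "all") and d in (dst, "all"):
            return pol
    return None  # no row matched: Shorewall would refuse to start


def audit(rules):
    """Return a list of findings; an empty list means the table passes."""
    findings = []
    # The untrusted zone must not reach the intranet or the firewall itself.
    for dst in ("loc", "$FW"):
        pol = effective_policy(rules, "net", dst)
        if pol not in ("DROP", "REJECT"):
            findings.append("net -> %s is %s, expected DROP or REJECT" % (dst, pol))
    # A compromised DMZ host must not be able to pivot into the intranet.
    if effective_policy(rules, "dmz", "loc") == "ACCEPT":
        findings.append("dmz -> loc is ACCEPT; DMZ hosts can reach the intranet")
    # The table must end with a catch-all so unlisted zone pairs stay closed.
    if not rules or rules[-1][:2] != ("all", "all") or rules[-1][2] not in ("DROP", "REJECT"):
        findings.append("missing trailing 'all all DROP|REJECT' catch-all row")
    return findings


if __name__ == "__main__":
    for line in audit(parse_policy(SAMPLE_POLICY)) or ["policy table passes all checks"]:
        print(line)
```

Run it against the real table with `parse_policy(open("/etc/shorewall/policy").read())`; the checks are deliberately conservative, so a finding is a prompt to look at the row, not proof of a hole.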

h3. Primary Nameserver and dhcp server

* Add the machine to the _dnsdhcp_ group when it is both the primary name server and the dhcp server (groups _dnsservers_, _dnsslaves_, _dhcpservers_).
* The variables we set within the machine definition are:
* The subnet, default gateway, name server and WINS/NetBIOS name server that the dhcp server hands out

<pre>
  netprefix = '192.168.100';
  router = '192.168.100.1';
  dnsservers = '192.168.100.1';
  nbservers = '192.168.100.1';
</pre>

* If you wish to update the DNS dynamically when the dhcp server assigns an IP, you will need to generate a password; to do this, connect to the name server and execute _dns-keygen_:

<pre>
  ddns = 1;
  dhcpkey = 'XXXXXXXXXXXXXXXXXXXXXXXX';
  rndckey = 'XXXXXXXXXXXXXXXXXXXXXXXX';
</pre>
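The secret generated by _dns-keygen_ ends up in two places: dhcpd presents it when it sends a dynamic update, and named checks it before accepting the update. The following is an added example, not code from the ModularIT guide, PICA or _dns-keygen_ (whose exact output format the guide does not show): it generates a random base64 secret and renders the standard ISC _dhcpd.conf_ and _named.conf_ key statements for it, plus zone clauses that restrict _allow-update_ to that one key. The hmac-sha256 algorithm and the key names DHCP_UPDATER and rndc-key are assumptions; the guide's separate _dhcpkey_ and _rndckey_ variables are reflected by generating two independent secrets.

```python
"""Generate a TSIG secret and the matching key statements for dhcpd and named.

Added example, not the ModularIT guide's or PICA's own code. Assumes an
hmac-sha256 TSIG key and the standard ISC dhcpd/named configuration syntax;
key names (DHCP_UPDATER, rndc-key) are assumptions.
"""
import base64
import secrets


def generate_tsig_secret(nbytes=32):
    """Return a random secret, base64-encoded as both daemons expect (32 bytes -> 44 chars)."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")


def dhcpd_key_clause(name, secret, algorithm="hmac-sha256"):
    """dhcpd.conf fragment: dhcpd signs its DNS updates with this key."""
    return (
        "key %s {\n"
        "  algorithm %s;\n"
        "  secret \"%s\";\n"
        "}\n" % (name, algorithm, secret)
    )


def named_key_clause(name, secret, algorithm="hmac-sha256"):
    """named.conf fragment for the same key; secret must match dhcpd's byte for byte."""
    return (
        "key \"%s\" {\n"
        "  algorithm %s;\n"
        "  secret \"%s\";\n"
        "};\n" % (name, algorithm, secret)
    )


def named_zone_clause(domainname, netprefix, keyname):
    """Zone clauses for ${domainname}.db and the ${netprefix}.db reverse zone,
    accepting dynamic updates only when signed with keyname."""
    reverse = ".".join(reversed(netprefix.split("."))) + ".in-addr.arpa"
    out = ""
    for zone, db in ((domainname, domainname + ".db"), (reverse, netprefix + ".db")):
        out += (
            "zone \"%s\" {\n"
            "  type master;\n"
            "  file \"%s\";\n"
            "  allow-update { key %s; };\n"
            "};\n" % (zone, db, keyname)
        )
    return out


def keys_match(dhcpd_fragment, named_fragment):
    """True if both fragments carry the same algorithm and secret."""
    def pick(fragment, field):
        for line in fragment.splitlines():
            line = line.strip()
            if line.startswith(field):
                return line[len(field):].strip().rstrip(";").strip('"')
        return None
    return all(pick(dhcpd_fragment, f) == pick(named_fragment, f)
               for f in ("algorithm", "secret"))


if __name__ == "__main__":
    dhcp_secret = generate_tsig_secret()
    rndc_secret = generate_tsig_secret()  # separate key: rndc control is not zone updates
    print(dhcpd_key_clause("DHCP_UPDATER", dhcp_secret))
    print(named_key_clause("DHCP_UPDATER", dhcp_secret))
    print(named_key_clause("rndc-key", rndc_secret))
    print(named_zone_clause("example.com", "192.168.100", "DHCP_UPDATER"))
```

Keeping the rndc key distinct from the DHCP update key means a host that obtains the dhcpd configuration can at most add or change records in the two zones, not control the name server.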

* In the common-variables area for this group, define the domain name:

<pre>
  domainname = 'example.com';
</pre>

* List the _forwarders_ if we want changes to be propagated to other secondary servers.

<pre>
  forwarders = '1.1.1.1 ; 2.2.2.2; ';
</pre>

* _distzonefiles_: set this variable if you want to distribute the zone files using PICA. If you do, you must create the zone files with the appropriate names (see below) on the PICA server. If you don't use this feature, you have to create those files on the DNS server.

<pre>
  distzonefiles = 1;
</pre>

* Additional variables for splitdns:

<pre>
  #splitdns : Set this variable if you want to generate a splitdns configuration
  splitdns = 0;
  #dnsextmasters : list of master servers for the external zone
  #dnsextmasters = '217.126.206.5 ; ';
  # Set this if you want to distribute the zone files using pica
  #distzonefiles = 1;
</pre>

* Zone files. This module assumes the zone files are named:
** ${domainname}.db : for the zone
** ${domainname}-ext.db : for the EXTERNAL zone
** ${netprefix}.db : for the reverse zone
** You can use example.com.db and 192.168.1.db as a model to create your zone files

* Launch the pica 

<pre>
  pica -iv +F ntp dhcp dnsserver shorewall +H ejemplo.fw
</pre>

h3. Configuration of the Nameserver in slave mode

* Once there is a primary DNS in a network, we may want to install a secondary DNS. Add the host to the groups _dnsservers_, _dnsslaves_ and _dhcpservers_.
* All parts of the _dhcp_ configuration are identical to the previous example.
* Set the _dnsmasters_ variable in the common area:

<pre>
  dnsmasters = '192.168.1.1 ; ';
</pre>

* Launch the pica 

<pre>
  pica -iv +F ntp dhcp dnsserver shorewall +H ejemplo.fw
</pre>

h3. Preparation and configuration of PICA for squid

* Create the machine in PICA
* Define the following variables in the _admingroup_:
** The _admindomain_ must have the same name as the pica group.
** Set _squid_visible_hostname_, the name the machine announces when clients connect and the one users see when a browsing error occurs.
* Install the firewall objects

<pre>
  pica -iv +F squid +H ejemplo.fw
</pre>


h2. Preparation of the Squid service

* Edit the file _/etc/squid/squid.conf_ and review the networks that are allowed to use squid by default:

<pre>
  acl our_networks src 192.168.130.0/24
  http_access allow our_networks
</pre>
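Note that the default ACL covers 192.168.130.0/24, while the dhcp example earlier in this guide hands out addresses from 192.168.100.0/24, so a client on that subnet gets no access until the _acl_ line is revised. The following is an added example, not code from the ModularIT guide or from squid: it models only the `acl NAME src CIDR` and `http_access allow|deny NAME` lines of a constructed squid.conf excerpt and reproduces the two squid rules that bite most often, namely that the first matching _http_access_ line wins and that a request matching no line gets the opposite of the last line's action. The sample excerpt and the _dmz_ ACL in it are assumptions.

```python
"""Evaluate squid http_access rules for a client address.

Added example, not part of the ModularIT guide or of squid. Handles only
`acl NAME src CIDR...` and `http_access allow|deny NAME` lines.
"""
import ipaddress

# Constructed squid.conf excerpt: the guide's default ACL plus an assumed DMZ deny rule.
SAMPLE_CONF = """\
acl our_networks src 192.168.130.0/24
acl dmz src 192.168.200.0/24
http_access deny dmz
http_access allow our_networks
http_access deny all
"""


def parse_squid(text):
    """Return ({acl_name: [networks]}, [(action, acl_name)]) from the excerpt."""
    acls = {"all": [ipaddress.ip_network("0.0.0.0/0")]}  # squid's built-in 'all'
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split()
        if not line:
            continue
        if line[0] == "acl" and len(line) >= 4 and line[2] == "src":
            acls.setdefault(line[1], []).extend(
                ipaddress.ip_network(n, strict=False) for n in line[3:])
        elif line[0] == "http_access" and len(line) == 3 and line[1] in ("allow", "deny"):
            rules.append((line[1], line[2]))
        else:
            raise ValueError("unsupported line in this toy parser: %r" % raw)
    return acls, rules


def http_access(acls, rules, client):
    """Return 'allow' or 'deny' for client, following squid's matching rules."""
    addr = ipaddress.ip_address(client)
    for action, name in rules:
        if name not in acls:
            raise ValueError("http_access references undefined acl %r" % name)
        if any(addr in net for net in acls[name]):
            return action  # first matching line decides
    # No line matched: squid applies the opposite of the last line's action,
    # which is why a config ending in a deny rule silently allows everyone else.
    last = rules[-1][0] if rules else "deny"
    return "deny" if last == "allow" else "allow"


if __name__ == "__main__":
    acls, rules = parse_squid(SAMPLE_CONF)
    for client in ("192.168.130.25", "192.168.100.25", "192.168.200.25"):
        print(client, http_access(acls, rules, client))
```

The explicit `http_access deny all` at the end is what makes the result predictable; without it, the implicit default flips depending on whether the last listed line was an allow or a deny.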

