Shorewall (more properly the Shoreline Firewall) is an open source firewall tool for Linux that builds on the Netfilter (iptables/ipchains) system built into the Linux kernel, making it easier to manage more complex configuration schemes.
Using an analogy understandable to programmers: Shorewall is to iptables what C is to assembly language. It provides a higher level of abstraction for describing rules using text files.
II/INSTALL
1/ Download all Shorewall *.rpm packages (from http://rpm.pbone.net/; if you use Fedora you can use yum instead) and install them with the command rpm -ivh *.rpm
2/ Configure Shorewall
We configure Shorewall with 3 interfaces and 3 zones: net, dmz (DMZ) and loc (Local).
2.1/ In the file /etc/shorewall/zone add all of the following lines
fw firewall
net ipv4
loc ipv4
dmz ipv4
2.2/ In the file /etc/shorewall/interfaces add all of the following lines
net eth1 # interface of zone net
loc eth0 # interface of zone loc
dmz eth2 # interface of zone dmz
2.3/ In the file /etc/shorewall/masq add all of the following lines (this file is used for outbound NAT)
This guide will show you how to integrate Active Directory/LDAP into Postfix and Dovecot. On this page, you will learn how to enable Postfix to look up email addresses in LDAP and how to enable Dovecot to authenticate against an LDAP server.
We will be using the following attributes:
samaccountname or uid – user name for Active Directory or OpenLDAP respectively.
mail – email address. For Active Directory users, you need to fill in the E-mail field of the user.
othermailbox – For Active Directory only. We will use this field to store email aliases. Use ADSI Edit to update this field.
Create the Virtual Mail User Account
Since the Active Directory/OpenLDAP user names are not part of the Linux system, we will have to create a user that will own all the files belonging to the LDAP user names.
1. Create a new user; we will call it vmail. Change the login shell to /sbin/nologin, since this account should never be used for logging in.
2. Take note of the user ID and home directory of vmail (example: 502).
3. Also note down the group ID of vmail. We'll be needing all of them later.
Postfix Active Directory/LDAP Integration
1. Create the file /etc/postfix/ldap-users.cf containing the lines below
server_host = dc.test.vn
search_base = dc=test,dc=vn
version = 3
query_filter = (&(objectclass=person)(mail=%s))
result_attribute = samaccountname # Account from DC
result_format = %s/Maildir/
If you are connecting to an Active Directory server and would like email alias capability, change the query filter to (&(objectclass=person)(|(mail=%s)(othermailbox=%s))) so that the othermailbox field is included in the search.
Change samaccountname to uid if you will be connecting to an OpenLDAP server (see the attribute list above). If your server requires authentication, add the lines below
virtual_mailbox_base, virtual_uid_maps and virtual_gid_maps should contain the home directory, user ID and group ID of vmail respectively.
Make sure $mydomain has been removed from mydestination, otherwise the lookup will not work and you will get a “User unknown in local recipient table” error.
4. Restart Postfix.
5. You should now be able to send email to addresses found in your LDAP server, using LDAP email addresses instead of the system user names.
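To show how query_filter and result_format turn a recipient address into a mailbox path, here is a small Python simulation added to this page (it is not Postfix's code): it parses the ldap-users.cf key = value format, substitutes the address into the alias-capable filter with RFC 4515 escaping, evaluates the filter against a constructed set of directory entries and applies result_format. The entries, addresses and helper names are made up for the example.

```python
import re
# Constructed ldap-users.cf sample (the key = value format from this page, alias-capable filter).
LDAP_USERS_CF = """
server_host = dc.test.vn
query_filter = (&(objectclass=person)(|(mail=%s)(othermailbox=%s)))
result_attribute = samaccountname   # Account from DC
result_format = %s/Maildir/
"""
# Constructed directory entries standing in for what the domain controller would return.
DIRECTORY = [
    {"objectclass": ["person"], "samaccountname": ["alice"], "mail": ["alice@test.vn"],
     "othermailbox": ["sales@test.vn", "info@test.vn"]},
    {"objectclass": ["person"], "samaccountname": ["bob"], "mail": ["bob@test.vn"]},
    {"objectclass": ["group"], "samaccountname": ["staff"], "mail": ["staff@test.vn"]},
]

def parse_cf(text):
    """Parse the Postfix 'key = value' table format ('#' starts a comment)."""
    lines = (l.split("#", 1)[0] for l in text.splitlines())
    return {k.strip(): v.strip() for k, v in (l.split("=", 1) for l in lines if "=" in l)}

def escape_filter_value(value):
    """RFC 4515 escaping of the address substituted for %s (Postfix does this itself)."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def parse_filter(s, pos=0):
    """Minimal parser for (&...), (|...) and (attr=value); returns (tree, position after it)."""
    if s[pos + 1] in "&|":
        op, pos, kids = s[pos + 1], pos + 2, []
        while s[pos] == "(":
            kid, pos = parse_filter(s, pos)
            kids.append(kid)
        return (op, kids, None), pos + 1
    end = s.index(")", pos)     # an escaped ')' arrives as '\29', so a value cannot end the leaf early
    attr, val = s[pos + 1:end].split("=", 1)
    val = re.sub(r"\\([0-9a-f]{2})", lambda m: chr(int(m.group(1), 16)), val.lower())
    return ("=", attr.lower(), val), end + 1

def matches(tree, entry):
    op, a, b = tree
    if op in "&|":
        return (all if op == "&" else any)(matches(k, entry) for k in a)
    return b in [v.lower() for v in entry.get(a, [])]

def lookup(address, cf=LDAP_USERS_CF, directory=DIRECTORY):
    """Mailbox path Postfix would obtain for `address`, or None ('User unknown')."""
    cfg = parse_cf(cf)
    tree, _ = parse_filter(cfg["query_filter"].replace("%s", escape_filter_value(address.lower())))
    for entry in directory:
        if matches(tree, entry):
            return cfg["result_format"].replace("%s", entry[cfg["result_attribute"]][0])
    return None
```

An alias in othermailbox resolves to the owner's Maildir, a non-person entry is rejected by the objectclass clause, and the escaping keeps a crafted address from widening the filter.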
Dovecot Active Directory/LDAP Integration
1. Create the file /etc/dovecot-ldap.conf containing the lines below
pfSense is a FreeBSD-based distribution tailored for use as a firewall and router. The project started in 2004 as a fork of the m0n0wall project, but focused on full PC installations rather than the embedded-hardware focus of m0n0wall.
Common Deployments
Although mainly deployed as a perimeter firewall, pfSense is versatile enough to fill many types of deployments. Here is a short list of common deployments:
Perimeter Firewall - As discussed earlier, this is by far the most common deployment for pfSense.
Router - Thanks to its ability to load-balance connections and provide failover, pfSense is an ideal choice for a DIY router for the SMB market.
Wireless Access Point - With its built-in Captive Portal, pfSense can easily be deployed as a wireless hotspot solution.
Special purpose appliance - Some users have chosen to use pfSense in unique ways to fulfill their specific needs:
VPN Appliance
Sniffer Appliance
Dedicated DHCP server
Dedicated DNS server
Features
pfSense includes almost all the features of expensive commercial firewalls, and more in many cases. Here is a list of features taken from the pfSense Features page.
Firewall
State Table
NAT
Redundancy
CARP - CARP from OpenBSD allows for hardware failover. Two or more firewalls can be configured as a failover group. If one interface fails on the primary or the primary goes offline entirely, the secondary becomes active. pfSense also includes configuration synchronization, so you make your configuration changes on the primary and they automatically synchronize to the secondary firewall.
pfsync - pfsync ensures that the firewall's state table is replicated to all firewalls configured for failover. This means existing connections are maintained in the case of a failure, which is important to prevent network disruptions.
Outbound and Inbound load balancing
VPN - IPsec, OpenVPN, PPTP
PPPoE Server
RRD Graphs Reporting
Real Time Information - Using AJAX
Dynamic DNS
Captive portal
DHCP Server and Relay
Live CD Version Available
II/INSTALL
Step 1: Install pfSense from CD
Step 2: Enable VLANs or not (I chose "no")
Step 3: Enter the LAN interface name
Step 4: Enter the WAN interface name
Step 5: Press Enter
Step 6: Type "y"
Step 7: Set up the IP addresses as in the diagram
III/LOAD BALANCE WEB
Step 8:Set up Load Balancing Pool
The first thing to do is create a pool (Services > Load Balancer > Add).
Step 9: Set up the virtual server
Add a new Virtual Server (Services > Load Balancer > Virtual Servers > Add)
Step 10: Set up the virtual IP address
Add a new Virtual IP (Firewall > Virtual IPs > Add)
Step 11: Create NAT (Firewall > NAT > Add)
Note: open port 80 from the Internet to 192.168.0.5 and 192.168.0.6
Step 12: Access http://192.168.20.204/ and check the load balancer status
Step 13: Disconnect 192.168.0.5, access http://192.168.20.204/ again and check the load balancer status
IV/CLUSTER FAILOVER
Same as the load balancing setup, but choose Failover.
Besides this, pfSense can build a failover firewall cluster and load-balance outbound traffic.
Pen offers fault tolerance by automatically rerouting traffic away from servers that are offline. But what if the load balancer itself goes down? Using VRRP, it is possible to run two load balancers in an active-passive failover configuration.
To build vrrpd from source:
1. Uncompress the source
2. cd into the directory
3. Type 'make' (install gcc first with "yum -y install gcc*" before typing make)
Then copy the binary into place:
[root@ ~] cp vrrpd /usr/sbin/vrrpd
Install pen and vrrpd on both load balancer hosts. Start pen on both load balancers and check that both work by browsing to http://102.168.0.1/ and http://102.168.0.2/.
Now start vrrpd like this on both load balancers:
[root@ ~] vrrpd -i eth1 -v 1 192.168.0.3
Now try browsing to http://192.168.0.3/. One of the load balancers will be active and respond at that address.
This is pen, a load balancer for "simple" TCP-based protocols such as HTTP or SMTP. It allows several servers to appear as one to the outside, automatically detects servers that are down and distributes clients among the available servers. This gives high availability and scalable performance.
The load balancing algorithm keeps track of clients and will try to send them back to the server they visited the last time. The client table has a number of slots (default 2048, settable through command-line arguments). When the table is full, the least recently used entry is thrown out to make room for the new one.
This is superior to a simple round-robin algorithm, which sends a client that connects repeatedly to different servers. Doing so breaks applications that maintain state between connections in the server, including most modern web applications.
When pen detects that a server is unavailable, it scans for another starting with the server after the most recently used one. That way we get load balancing and "fair" failover for free.
Correctly configured, pen can ensure that a server farm is always available, even when individual servers are brought down for maintenance or reconfiguration. The final single point of failure, pen itself, can be eliminated by running pen on several servers, using VRRP to decide which one is active.
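The sticky-client, LRU-eviction and failover behaviour just described, modelled in Python as an added example (this is not pen's own code): backends are addressed by index in configuration order, and the model assumes that a client not yet in the table is sent to the server after the most recently used one.

```python
from collections import OrderedDict

class PenClientTable:
    """Toy model of pen's sticky client table with LRU eviction and failover."""

    def __init__(self, servers, slots=2048):
        self.servers = list(servers)   # backends in configuration order
        self.slots = slots             # table size; pen's default is 2048
        self.down = set()              # backends currently detected as unavailable
        self.table = OrderedDict()     # client address -> server index, oldest entry first
        self.last_used = -1            # index of the most recently used server

    def mark_down(self, server):
        self.down.add(server)

    def mark_up(self, server):
        self.down.discard(server)

    def _next_available(self, start):
        """Scan for an available server, starting with the one after `start`."""
        n = len(self.servers)
        for step in range(1, n + 1):
            idx = (start + step) % n
            if self.servers[idx] not in self.down:
                return idx
        raise RuntimeError("no backend server available")

    def pick(self, client):
        """Backend for `client`: the one it used last time if still up, otherwise fail over."""
        if client in self.table:
            idx = self.table.pop(client)           # remove so re-insertion marks it most recent
            if self.servers[idx] in self.down:
                idx = self._next_available(self.last_used)
        else:
            if len(self.table) >= self.slots:
                self.table.popitem(last=False)     # table full: throw out the least recently used
            # Model assumption: a new client goes to the server after the most recently used one.
            idx = self._next_available(self.last_used)
        self.table[client] = idx
        self.last_used = idx
        return self.servers[idx]

    def known(self, client):
        """True while `client` still occupies a slot in the table."""
        return client in self.table
```

Because the table is keyed by client address, all clients behind one NAT share a single slot and land on the same backend.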
#!/bin/sh
# penstats: ask pen for its statistics page. The two paths below are assumptions,
# set them to the pid file and web file given to pen with -p and -w.
PIDFILE=/var/run/pen.pid               # assumption: adjust to your pen pid file
WEBFILE=/var/www/html/penstats.html    # assumption: adjust to your pen web file
# This will make pen save its stats
kill -USR1 `cat $PIDFILE`
# We don't know how long it will take; wait a few seconds
sleep 2
# And display the results
echo "Content-type: text/html"
echo
cat $WEBFILE

[root@lan ~]# /etc/rc.d/init.d/pen restart
Stopping pen: [ OK ]
Starting pen: [ OK ]
[root@lan ~]# chmod 755 /usr/local/bin/penstats
[root@lan ~]# /usr/local/bin/penstats   # run it once by hand
[root@lan ~]# crontab -e
*/1 * * * * /usr/local/bin/penstats
3/ Access the Pen server with a web browser. A backend server answers normally, as below.
a/ First request
b/ Second request
4/ Now stop httpd on one server and access the Pen server again. Another backend server answers normally, as below.
a/ Stop httpd on 192.168.20.203
b/ Stop httpd on 192.168.20.83
Note: you need to configure Apache to listen on port 81:
change the listen port from 80 to 81
Besides HTTP, Pen can load-balance other services (FTP, HTTPS, SMTP, POP3, ...).
header_access X-Forwarded-For deny all
header_access Via deny all
header_access Cache-Control deny all
[root@lan ~]# /etc/rc.d/init.d/squid start
init_cache_dir /var/spool/squid...
Starting squid: [ OK ]
[root@lan ~]# chkconfig squid on
II/PROXY WITH ANTI VIRUS
Configure the proxy to scan downloaded files for viruses. Install ClamAV first.
1/ Install clamd
[root@lan ~]# yum -y install clamd (or download it from http://rpm.pbone.net/)
[root@lan ~]# vim /etc/clamd.conf
[root@lan ~]# /etc/rc.d/init.d/squid restart
Stopping squid: .............[ OK ]
Starting squid: .[ OK ]
2/ Try to access Yahoo, which is set as a prohibited domain in . Anyway, this redirect setting is just an example to show the action of squidGuard; please make your own redirect page, because it is meaningless to redirect to Google like this example.
Now we create a dump of the existing database and transfer it to system 2.
mysql -u root -p
USE vmail;
FLUSH TABLES WITH READ LOCK;
SHOW MASTER STATUS;
+------------------+----------+--------------+------------------+
| File             | Position | Binlog_Do_DB | Binlog_Ignore_DB |
+------------------+----------+--------------+------------------+
| mysql-bin.000007 |    30330 | vmail,vmail  |                  |
+------------------+----------+--------------+------------------+
1 row in set (0.00 sec)
Open a second terminal for system 1, create the dump and transfer it to system 2. Don't leave the MySQL shell at this point, otherwise you'll lose the read lock.
Afterwards, close the second terminal and switch back to the first. Remove the read lock and leave the MySQL shell.
UNLOCK TABLES;
quit;
Step 6: Import MySQL Dump On System 2
Time to import the database dump on system 2.
mysqladmin --user=root --password=123 stop-slave
cd /tmp/
mysql -u root -p123 vmail <>
Step 7: System 2 As Master
Now we need information about the master status on system 2.
mysql -u root -p
USE vmail;
FLUSH TABLES WITH READ LOCK;
SHOW MASTER STATUS;
The output should look like this. Note down the file and the position; you'll need both later.
+------------------+----------+--------------+------------------+
| File             | Position | Binlog_Do_DB | Binlog_Ignore_DB |
+------------------+----------+--------------+------------------+
| mysql-bin.000009 |    28816 | vmail,vmail  |                  |
+------------------+----------+--------------+------------------+
1 row in set (0.00 sec)
Afterwards, remove the read lock.
UNLOCK TABLES;
At this point we're ready to become the master for system 1. Replace %mysql_slaveuser_password% with the password you chose, and be sure to replace the values of MASTER_LOG_FILE and MASTER_LOG_POS with the values you noted down at step 5!
CHANGE MASTER TO MASTER_HOST='192.168.20.203', MASTER_USER='system', MASTER_PASSWORD='123', MASTER_LOG_FILE='mysql-bin.000007', MASTER_LOG_POS=30330;
Now start the slave ...
START SLAVE;
quit;
Step 8: System 1 As Master
Open a MySQL shell on system 1 ...
mysql -u root -p
... and stop the slave.
STOP SLAVE;
At this point we're ready to become the master for system 2. Replace %mysql_slaveuser_password% with the password you chose, and be sure to replace the values of MASTER_LOG_FILE and MASTER_LOG_POS with the values you noted down at step 7!
CHANGE MASTER TO MASTER_HOST='192.168.20.83', MASTER_USER='system', MASTER_PASSWORD='123', MASTER_LOG_FILE='mysql-bin.000009', MASTER_LOG_POS=28816;
Now start the slave ...
START SLAVE;
quit;
Step 10: Test
Create the mailbox Test1@test.vn and add it to the mailing list ug@test.vn on system 1 (192.168.20.203).
Check on system 2 (192.168.20.83).
Create the mailbox Test2@test.vn and add it to the mailing list ug@test.vn on system 2 (192.168.20.83).
Check on system 1 (192.168.20.203).
Now I can log in to both accounts on system 1 and system 2.
Besides vmail, you need to replicate the other databases: mysql, policyd, roundcubemail.