-rw-r--r-- INSTALL.md 35
1 files changed, 35 insertions, 0 deletions
diff --git a/INSTALL.md b/INSTALL.md
index 95b0320..3d3830a 100644
--- a/INSTALL.md
+++ b/INSTALL.md
@@ -38,4 +38,39 @@ locate this (likely almost last) line:
add builtin network interface like this:
INTERFACESv4="eth0"
+## Install and setup firewall service
+
+Install package firewalld:
+
+ apt install firewalld
+
+Adapt firewalld to match our network topology
+(press the actual [TAB] key where mentioned, to autocomplete):
+
+ firewall-cmd --set-default-zone=external
+ firewall-cmd --add-interface=en[TAB]
+ firewall-cmd --add-service=dhcpv6-client
+ firewall-cmd --add-service=mosh
+ firewall-cmd --zone=internal --remove-service=samba-client
+ firewall-cmd --zone=internal --remove-service=dhcpv6-client
+ firewall-cmd --zone=internal --add-interface=eth0
+ firewall-cmd --zone=internal --add-service=dhcp
+ firewall-cmd --zone=internal --add-service=dhcpv6
+ firewall-cmd --zone=internal --add-service=dns
+ firewall-cmd --add-forward-port=proto=tcp:toaddr=192.168.222.250:port=80
+ firewall-cmd --add-forward-port=proto=tcp:toaddr=192.168.222.250:port=443
+ firewall-cmd --runtime-to-permanent
+
+Edit file /etc/firewalld/firewalld.conf;
+locate this (likely almost last) line:
+ FirewallBackend=iptables
+changing the line to use backend "nftables", like this:
+ FirewallBackend=nftables
+
+Edit file /etc/systemd/network/10-eth0.network;
+locate in section [Network] these options
+ IPMasquerade=yes
+ IPForward=yes
+Remove both options if they exist (handled by firewalld now).
+
reboot the system.
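Review bot: the two `--add-forward-port` lines hard-code `toaddr=192.168.222.250` without saying which internal host that is, while the rest of the section uses placeholders (`en[TAB]`); either document the host or mark the address as a value the reader must substitute. Because `--set-default-zone=external` runs first and these commands carry no `--zone`, the rules land in the `external` zone, so TCP 80 and 443 arriving on the outward-facing interface are forwarded to that host; one sentence stating that this publishes the internal web server would spare readers a surprise. Minor: the `FirewallBackend=iptables` step assumes the installed default; saying "check the current value of `FirewallBackend` and set it to `nftables`" avoids a fruitless search when the line already reads `nftables`.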