<html>

<head>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=windows-1250">


<meta name=Generator content="Microsoft Word 10 (filtered)">

<style>
<!--
 /* Style Definitions */
 p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0cm;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:Arial;}
a:link, span.MsoHyperlink
        {color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {color:purple;
        text-decoration:underline;}
span.EmailStyle17
        {font-family:Arial;
        color:windowtext;}
@page Section1
        {size:595.3pt 841.9pt;
        margin:72.0pt 90.0pt 72.0pt 90.0pt;}
div.Section1
        {page:Section1;}
-->
</style>

</head>

<body lang=EN-US link=blue vlink=purple>

<div class=Section1>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'>Hi</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'> </span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'>I’ve been running with an unchanged Firehol config for a couple
of years but have suddenly come across a problem trying to send email to one particular
server.  To try to identify the cause of the problem I’ve run telnet
to that server on port 25.  this is what I get in the log: (I’ve
overwritten my IP addresses to protect the innocent)</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'> </span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'>Nov 29 </span></font><font size=2><span lang=EN-GB style='font-size:
 10.0pt'>10:08:25</span></font><font size=2><span lang=EN-GB style='font-size:
10.0pt'> mail kernel: OUT-unknown:IN= OUT=eth1 SRC=public_ip DST=77.75.72.32
LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=39033 DF PROTO=TCP SPT=54822 DPT=25
WINDOW=5840 RES=0x00 SYN URGP=0 </span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'>Nov 29 </span></font><font size=2><span lang=EN-GB style='font-size:
 10.0pt'>10:08:28</span></font><font size=2><span lang=EN-GB style='font-size:
10.0pt'> mail kernel: OUT-unknown:IN= OUT=eth1 SRC=public_ip DST=77.75.72.32
LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=39034 DF PROTO=TCP SPT=54822 DPT=25
WINDOW=5840 RES=0x00 SYN URGP=0</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'> </span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'>This doesn’t happen when I telnet to other SMTP servers and I can
connect perfectly OK when Firehol is switched off.</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'> </span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'>Any ideas on what might be wrong here?</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'> </span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'>The complete config is :</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'> </span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'>#</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'>FIREHOL_LOG_LEVEL=error</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'># $Id: lan-gateway.conf,v 1.1 2003/10/12 </span></font><font size=2><span lang=EN-GB style='font-size:10.0pt'>13:43:42</span></font><font size=2><span
lang=EN-GB style='font-size:10.0pt'> ktsaou Exp $</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'>#</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'># Configuration file for a LAN router with one ethernet interface
(eth0)</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'># for the LAN and a PPP interface for connecting to the Internet.</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'>#</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'># The LAN works with private IP addresses.</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'>#</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'># This script will also setup a transparent cache for all the PCs on
the</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'># local LAN.</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'> </span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'>#
----------------------------------------------------------------------------</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'># CUSTOM SERVICES</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'># ----------------------------------------------------------------------------</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'># See the section "Adding Services" in the documentation</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'> </span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'># Example service x, listening on port TCP/z</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'># > server_x_ports="tcp/z"</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'># > client_x_ports="default"</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'>#</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'># ----------------------------------------------------------------------------</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'># STOP UDP 2222 MESSAGES FLOODING SYSLOG</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'>#
----------------------------------------------------------------------------</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'>server_office_ports="udp/2222"</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'>client_office_ports="any"</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'> </span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'># ----------------------------------------------------------------------------</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'># NETWORK DEFINITIONS - Normally, only these are to be touched by you.</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'>#
----------------------------------------------------------------------------</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'># You can define anything you like, assuming you are using it later.</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'> </span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'># --- HOME ---</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'> </span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'># The definition of our HOME LAN.</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'>HOME_MYIP="home_ip"                        #
The IP on our HOME LAN</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'>HOME_MYIF="eth0"                  #
The HOME LAN interface</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'>HOME_BCAST="home_ip"         #
The HOME LAN broadcast</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'>HOME_LAN="home_ip/24"                     #
The HOME LAN</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'>HOME_SERVICES="all"</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'> </span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'># Do we run a DHCP server on the HOME LAN?</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'>HOME_DHCP=1                                    #
Set to 0 to disable</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'> </span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'> </span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'># --- PUBLIC ---</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'> </span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'># The definition of our PUBLIC interface.</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'>PUBLIC_MYIP="public_ip"                                  #
Leave empty for dynamic IP</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'>PUBLIC_MYIF="eth1"                #
The public interface</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'>PUBLIC_SERVICES="smtp ftp imap pptp"</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'> </span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'># Is the PPP interface a DIAL-ON-DEMAND?</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'>DIAL_ON_DEMAND=0               #
Set to 0 to disable</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'> </span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'> </span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'># --- TRUSTED ---</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'> </span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'># Hosts in the internet I trust for accessing private services</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'># Empty these to disable.</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'>TRUSTED_IPS=""</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'>TRUSTED_SERVICES=""</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'> </span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'> </span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'># --- TRANSPARENT CACHE ---</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'> </span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'># Run a transparent cache?</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'>SQUID_PORT=""                       #
Leave empty to disable SQUID</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'>SQUID_USERS=""                     #
Users to be excluded from the cache</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'>SQUID_EXCLUDE=""                 #
Web Server IPs to be excluded from the cache</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'> </span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'> </span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'># --- BLACKLIST ---</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'> </span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'># A space-separated list of IPs to be blocked.</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'>blacklist=""</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'> </span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'> </span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'>#
----------------------------------------------------------------------------</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'># HELPERS</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'>#
----------------------------------------------------------------------------</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'> </span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'># Block all traffic from/to certain IPs</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'>if [ ! -z "${blacklist}" ]</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'>then</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'>            blacklist
full "${blacklist}"</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'>fi</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'> </span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'># Setup a transparent squid, only if SQUID_PORT is set.</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'>if [ ! -z "${SQUID_PORT}" ]</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'>then</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'>            transparent_squid
"${SQUID_PORT}" "${SQUID_USERS}"            \</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'>             
inface "${HOME_MYIF}" src "${HOME_LAN}"                 \</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'>             
`test ! -z "${SQUID_EXCLUDE}" && echo "dst not
'${SQUID_EXCLUDE}'"`</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'>fi</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'> </span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'> </span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'>#
----------------------------------------------------------------------------</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'># NETWORK ADDRESS TRANSLATION</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'># ----------------------------------------------------------------------------</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'># Change the source/destination of packets...</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'> </span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'># Should we do SNAT or MASQUERADE?</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'># If there is a PUBLIC_MYIP defined, we should do SNAT, otherwise MASQ.</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'>#</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'>if [ ! -z "${PUBLIC_MYIP}" ]</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'>then</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'>            snat
to "${PUBLIC_MYIP}"                                              \</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'>                        outface
"${PUBLIC_MYIF}"                                 \</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'>                        src
"${HOME_LAN}" dst not "${UNROUTABLE_IPS}"</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'>else</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'>            masquerade
"${PUBLIC_MYIF}"</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'>fi</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'> </span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'> </span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'># To have some public service hit an internal machine, do this:</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'># (the example redirects external port TCP/26 to internal IP 10.0.0.2
port 25)</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'>#</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'># > dnat to 10.0.0.2:25                                                               \</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'># >       inface
"${PUBLIC_MYIF}"                                                           \</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'># >       src not "${HOME_LAN}
${UNROUTABLE_IPS}"                            \</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'># >       proto tcp dport 26</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'>#</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'># For each such statement, the router at the end has to support it.</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'> </span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'>#
----------------------------------------------------------------------------</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'># PROTECT SELF</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'>#
----------------------------------------------------------------------------</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'># Protect the firewall host...</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'> </span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'># --- HOME ---</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'> </span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'># Protect us from the HOME LAN</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'>interface "${HOME_MYIF}" home src "${HOME_LAN}" dst
"${HOME_MYIP} ${HOME_BCAST}"</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'>            policy
reject</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'>            </span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'>            server
"${HOME_SERVICES}" accept</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'>            </span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'>            client
all accept</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'> </span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'>            </span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'># DHCP needs 0.0.0.0/255.255.255.255 access.</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'>if [ ${HOME_DHCP} -eq 1 ]</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'>then</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'>            interface
"${HOME_MYIF}" dhcp</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'>                        server
dhcp accept</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'>               
server office drop</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'>fi</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'> </span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'> </span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'># --- PUBLIC ---</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'> </span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'># Protect us from the PUBLIC</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'>interface "${PUBLIC_MYIF}" internet                                            \</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'>            src
not "${UNROUTABLE_IPS}"                                      \</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'>            `test
! -z "${PUBLIC_MYIP}" && echo "dst
'${PUBLIC_MYIP}'"`</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'>            </span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'>            protection
strong</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'>            policy
drop</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'>            </span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'>            #
Are there any trusted PCs/services?</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'>            if [
! -z "${TRUSTED_PCS}" -a ! -z "${TRUSTED_SERVICES}" ]</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'>            then</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'>                        server
"${TRUSTED_SERVICES}" accept src "${TRUSTED_PCS}"</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'>            fi</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'>            </span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'>            server
"${PUBLIC_SERVICES}" accept</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'> </span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'>            server
custom rvw tcp/some_port default accept</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'>        </span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'>            client
all accept</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'> </span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'># DIAL-ON-DEMAND needs this in case there is a PUBLIC_MYIP defined.</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'>if [ ${DIAL_ON_DEMAND} -eq 1 ]</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'>then</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'>            interface
"${PUBLIC_MYIF}" dialup</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'>                        client
all accept</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'>fi</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'> </span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'> </span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'>#
----------------------------------------------------------------------------</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'># PROTECT ROUTING</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'>#
----------------------------------------------------------------------------</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'># Protect the LAN...</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'> </span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'># Route traffic for the clients on the LAN</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'>router internet2lan inface "${PUBLIC_MYIF}" outface
"${HOME_MYIF}"      \</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'>            src
not "${UNROUTABLE_IPS}" dst "${HOME_LAN}"</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'>            </span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'>            #
route all client traffic</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'>            client
all accept</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'>            </span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'>            # For
the dnat example above, this is needed:</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'>            #
> server smtp accept dst 10.0.0.2</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'>            </span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'>#----------------------------------------------------------------------------</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'># SET LOG OPTIONS</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'>#
---------------------------------------------------------------------------</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'>#FIREHOL_LOG_LEVEL="error"</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'>FIREHOL_LOG_FREQUENCY="1/minute"</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'>FIREHOL_LOG_BURST="5"</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt'> </span></font></p>

<p class=MsoNormal><font size=3 color=navy face=Arial><span lang=EN-GB
style='font-size:12.0pt;color:navy'>****************************************************<br>
</span></font><font color=navy><span lang=EN-GB style='color:navy'>Richard
 Williams</span></font><font color=navy><span lang=EN-GB style='color:navy'><br>
email:</span><span lang=EN-GB> <a href="mailto:richard@everything4it.co.uk">richard@everything4it.co.uk</a></span></font><font
color=navy><span lang=EN-GB style='color:navy'> </span><span lang=EN-GB><br>
</span></font><font color=navy><span lang=EN-GB style='color:navy'>mobile:
07981 734697</span></font></p>

<p class=MsoNormal><font size=3 color=navy face=Arial><span lang=EN-GB
style='font-size:12.0pt;color:navy'>web: <a
href="http://www.everything4it.co.uk">http://www.everything4it.co.uk</a> <br>
**************************************************** </span><span lang=EN-GB><br>
</span></font><font size=2 color=black><span lang=EN-GB style='font-size:10.0pt;
color:black'>The contents of this email message and any attachments are
confidential and are intended solely for addressee. The </span></font><font
 size=2 color=black><span lang=EN-GB style='font-size:10.0pt;color:black'>info</span></font><font
size=2 color=black><span lang=EN-GB style='font-size:10.0pt;color:black'>rmation
may also be legally privileged. This transmission is sent in trust, for the
sole purpose of delivery to the intended recipient. If you have received this
transmission in error, any use, reproduction or dissemination of this
transmission is strictly prohibited. If you are not the intended recipient,
please immediately notify the sender by reply email or at +44(0)7981 734697 and
delete this message and its attachments, if any</span></font><font size=2
color=black><span lang=EN-GB style='font-size:10.0pt;color:black'>.</span></font></p>

<p class=MsoNormal><font size=3 face=Arial><span lang=EN-GB style='font-size:
12.0pt'> </span></font></p>

</div>

</body>

</html>
<BR>

<P><FONT SIZE=2>No virus found in this outgoing message.<BR>
Checked by AVG Free Edition.<BR>
Version: 7.5.503 / Virus Database: 269.16.9/1158 - Release Date: 28/11/2007 21:11<BR>
</FONT> </P>