[Firehol-support] Understanding firehole.conf

John Dalton John.Dalton at nunatak.com.au
Fri Aug 22 00:23:16 CEST 2003


Hi Richard,

> First I just want to say good work on a really cool tool that simplifies
> creating iptables rules.

I'll second that..

> That being said, I do have a few questions.
>
> First is on the example (I'll include it just to be complete):
[snip]

> router home2internet inface eth0 outface ppp+
> route all accept
>
>
> router internet2home inface ppp+ outface eth0


> The router configuration for home2internet is pretty clear, I think.  It
> basically allows machines on the home network to connect to any service on
> any machine on the internet.  This pretty much sets up NAT, right?

Your explanation of your ruleset is correct except for one thing - the
home2internet router definition does NOT set up NAT unless you tell it to.
Unfortunately that bit is after the line saying "This is it. We are done!"
in the tutorial. ;)

You need to add one extra line to your home2internet config:

router home2internet inface eth0 outface ppp+
  # NAT (source-address rewrite) for connections leaving via ppp+
  masquerade
  route all accept

That should get it working the way you want.

> I don't understand the last line, the router internet2home line.  Is this
> necessary for clients to get responses to their requests?  The tutorial
> says "it matches all requests from the internet to the home LAN."  I'm not
> sure what that really means, unless it's a case where the machines on the
> home LAN have routable IP addresses.  Is that it?

That's right - on a network using private address space, hosts on the
internet won't be able to make incoming connections unless you've set up
port forwarding or similar.

> On a separate note, I was wondering if anyone has done a translation of
> the rules specified in the IP tables tutorial for DMZs
> (http://www.faqs.org/docs/iptables/rcdmzfirewalltxt.html)?  I saw a
> server-dmz.conf in the examples, but the setup doesn't seem to be the same
> as most DMZs (it only has 2 interfaces instead of the traditional 3).

I'm using FireHOL this way, but haven't seen that tutorial.  Maybe I should
clean up my own config and make a tutorial out of that..

Good luck, hopefully this'll help you get everything working the way you
want it.

Yours,

John Dalton

---------------------------------------------------------------------------
  Nunatak Systems                          John Dalton - Systems Engineer
  http://www.nunatak.com.au/                          john at nunatak.com.au
  Phone: +61 3 6226 6247
  Fax:   +61 3 6226 6140
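A fuller version of the home/internet setup discussed in this thread, as an added example that is not part of John's post or of the FireHOL project's own example files. It adds the masquerade line, forwards one inbound service to a LAN host with the dnat helper, and opens the matching path in the internet2home router. The interface names (eth0, ppp+), the 192.168.1.0/24 LAN, the internal web server at 192.168.1.10 and the placement of the dnat line before the interface and router definitions are assumptions; the version number is the one FireHOL 1.x configs carried, so adjust it to what your release expects.

```firehol
# Added example config (not from the original post or the FireHOL project).
# Assumed layout: LAN on eth0 (192.168.1.0/24), dial-up/DSL link on ppp+,
# an internal web server at 192.168.1.10.
version 5

# Inbound port forward: rewrite the destination of HTTP requests arriving on
# ppp+ to the internal server. This is done in the nat table (PREROUTING),
# so by the time the packets reach the internet2home router they are already
# addressed to 192.168.1.10. Assumed: kept before the interface/router blocks.
dnat to 192.168.1.10:80 proto tcp dport 80 inface ppp+

# Traffic to and from the firewall box itself.
interface eth0 home src 192.168.1.0/24
    policy reject
    client all accept
    server ssh accept

interface ppp+ internet
    policy drop
    client all accept

# LAN -> internet: NAT outbound connections so the replies come back to the
# firewall's ppp+ address. Without "masquerade" this router only forwards
# packets, and a LAN host with a private address never sees a reply.
router home2internet inface eth0 outface ppp+
    masquerade
    route all accept

# internet -> LAN: nothing gets in unless it is listed here. After the dnat
# above, inbound HTTP is addressed to 192.168.1.10, so match it on that.
router internet2home inface ppp+ outface eth0
    server http accept dst 192.168.1.10
```

Load it with `firehol try` (it reverts on its own unless you commit) and confirm that both NAT rules were installed: `iptables -t nat -nvL POSTROUTING` should show a MASQUERADE target for traffic leaving ppp+, and `iptables -t nat -nvL PREROUTING` a DNAT target to 192.168.1.10:80. Note that the internet interface has `policy drop` and no `server` lines, so the port forward reaches the internal host only, never the firewall itself; any other inbound service needs its own dnat line plus a matching `server ... accept dst ...` entry in internet2home.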