[Firehol-support] Understanding firehole.conf

Richard Wallace rwallace at a--i--m.com
Thu Aug 21 21:12:47 BST 2003


First I just want to say good work on a really cool tool that simplifies
creating iptables rules.  That being said, I do have a few questions.

First is on the example (I'll include it just to be complete):

	version 5

	interface eth0 home
		server dns	accept
		server ftp	accept
		server samba	accept
		server squid	accept
		server dhcp	accept
		server http	accept
		server ssh	accept
		server icmp	accept

		client samba	accept
		client icmp	accept

	interface ppp+ internet
		server smtp	accept
		server http	accept
		server ftp	accept

		client all	accept

	router home2internet inface eth0 outface ppp+
		route all accept

	router internet2home inface ppp+ outface eth0

If I understand things correctly the rules for eth0 basically say that any
connections coming from interface eth0 (the internal network) for dns,
ftp, samba, squid, dhcp http, ssh, or icmp will be accepted.  So a machine
on the internal network can use the machine acting as a firewall as a dns
server.  It also says that the machine the firewall is run on can be a
client to machines on the internal (home) network.  So it can ping and
browse other machines samba shares.

For ppp+, machines on the internet can connect to smtp, http, and ftp
services running on the firewall machine.  The firewall machine can be a
client for any type of service.

The router configuration for home2internet is pretty clear, I think.  It
basically allows machines on the home network to connect to any service on
any machine on the internet.  This pretty much sets up NAT, right?  I
don't understand the last line, the router internet2home line.  Is this
necessary for clients to get responses to their requests?  The tutorial
says "it matches all requests from the internet to the home LAN."  I'm not
sure what that really means, unless it's a case where the machines on the
home LAN have routable IP addresses.  Is that it?

On a separate note, I was wondering if anyone has done a translation of
the rules specified in the IP tables tutorial for DMZs
(http://www.faqs.org/docs/iptables/rcdmzfirewalltxt.html)?  I saw a
server-dmz.conf in the examples, but the setup doesn't seem to be the same
as most DMZs (it only has 2 interfaces instead of the traditional 3).

Thanks for a great tool,

More information about the Firehol-support mailing list