[Firehol-support] Understanding firehole.conf

Costa Tsaousis costa at tsaousis.gr
Fri Aug 22 02:37:11 BST 2003

Hi all,

> Unfortunately that bit is after the line saying "This is it. We are done!"
> in the tutorial. ;)

Thanks for pointing it out. Fixed it in CVS.

>> On a separate note, I was wondering if anyone has done a translation of
>> the rules specified in the IP tables tutorial for DMZs
>> (http://www.faqs.org/docs/iptables/rcdmzfirewalltxt.html)?  I saw a
>> server-dmz.conf in the examples, but the setup doesn't seem to be the
>> same as most DMZs (it only has 2 interfaces instead of the traditional 3).
> I'm using FireHOL this way, but haven't seen that tutorial.  Maybe I
> should clean up my own config and make a tutorial out of that..

In general (as I understand it - and correct me if I am wrong) a DMZ is the
procedure of placing some servers behind an unroutable network and having
a box doing NAT to forward the traffic to them. Having said that, to
design an N-interface DMZ firewall, you just have to focus on and understand
the 'dnat', 'snat' and 'router' statements of FireHOL.

Currently I run a few 2-interface DMZ systems and just one with 4. No 3
at all... ;-) So, John, if you want to contribute one with 3 interfaces
I'll gladly include it in the examples directory.

Last, I strongly suggest using the 'helpme' feature (of the latest CVS
version - http://firehol.sf.net/firehol.tar.gz) as a guide for the
configuration, as this will automatically produce all the combinations for
routed traffic for YOUR setup and will correctly detect reuse of the same
interface for more than one LAN (only the dnat/snat rules will be missing -
the rest would be a multiple choice ;-).
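The three-interface layout the thread asks for, written out as an added example in FireHOL configuration syntax. It is not part of the original message and not a file from the FireHOL examples directory. The interface names (eth0/eth1/eth2), the public address 203.0.113.10 (RFC 5737 documentation range), the LAN and DMZ subnets and the two DMZ server addresses are all assumed for the illustration. It shows the 'dnat', 'snat' and 'router' statements the message points to, and uses 'server'/'client' inside each router so that the direction in which a connection may be opened is explicit: the internet reaches only the published DMZ services, the DMZ can never open a connection into the LAN, and the LAN is not reachable from outside at all.

```firehol
# Added example: three-interface DMZ firewall in FireHOL (1.x config syntax).
# Assumed layout (constructed for this example, not from the post):
#   eth0 = internet uplink, public address 203.0.113.10
#   eth1 = internal LAN, 192.168.1.0/24
#   eth2 = DMZ, 10.0.2.0/24 (private, not routable from the internet)
#   10.0.2.10 = web server in the DMZ, 10.0.2.20 = mail server in the DMZ

version 5

# NAT first: these act in the nat table before the filter rules below see
# the packet, so routers match the post-DNAT destination (10.0.2.x).
# Publish the DMZ web and mail servers on the firewall's public address.
dnat to 10.0.2.10 inface eth0 proto tcp dport "80 443"
dnat to 10.0.2.20 inface eth0 proto tcp dport 25

# Hide LAN and DMZ source addresses behind the public address on the way out.
snat to 203.0.113.10 outface eth0 src "192.168.1.0/24 10.0.2.0/24"

# Traffic to and from the firewall box itself, one block per interface.
interface eth0 internet
    policy drop
    protection strong
    client all accept            # the box may talk out; nothing is served to the internet

interface eth1 lan
    policy reject
    server "ssh dns" accept      # admins manage the box from the LAN only
    client all accept

interface eth2 dmz
    policy reject
    server ssh accept
    client all accept

# Routed traffic. Inside a router, 'server' matches requests travelling
# inface -> outface, 'client' matches requests travelling outface -> inface,
# and 'route' would match both. Reply packets of an accepted connection are
# matched by state, so only the side that opens the connection needs a rule.

# internet <-> DMZ
router internet2dmz inface eth0 outface eth2
    server "http https" accept dst 10.0.2.10   # published web service only
    server smtp accept dst 10.0.2.20            # published mail service only
    client "dns http https smtp" accept         # DMZ hosts may fetch updates / deliver mail

# LAN -> internet (no 'client' rules: the internet cannot open into the LAN)
router lan2internet inface eth1 outface eth0
    server all accept

# LAN -> DMZ (no 'client' rules: a compromised DMZ host cannot open into the LAN)
router lan2dmz inface eth1 outface eth2
    server "ssh http https smtp" accept
```

Adding a fourth interface means one more 'interface' block plus one 'router' per interface pair it must exchange traffic with; this is exactly the enumeration the 'helpme' feature produces for a given set of interfaces, leaving only the 'dnat'/'snat' lines to fill in.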


