[Firehol-support] Re: Understanding firehole.conf

Daniel Pittman daniel at rimspace.net
Mon Aug 25 02:55:10 BST 2003


On Fri, 22 Aug 2003, Costa Tsaousis wrote:

[...]

>>> On a separate note, I was wondering if anyone has done a translation
>>> of the rules specified in the IP tables tutorial for DMZs
>>> (http://www.faqs.org/docs/iptables/rcdmzfirewalltxt.html)? I saw a
>>> server-dmz.conf in the examples, but the setup doesn't seem to be
>>> the same as most DMZs (it only has 2 interfaces instead of the
>>> traditional 3).
>>
>> I'm using FireHOL this way, but haven't seen that tutorial. Maybe I
>> should clean up my own config and make a tutorial out of that..
> 
> In general (as I understand it - and correct me if I am wrong) DMZ is
> the procedure of placing some servers behind an unroutable network and
> having a box doing NAT to forward the traffic to them. 

Nope. The term DMZ refers to a branch of the network where your
servers live that has a firewall between it and the Internet, and a
firewall between it and the "client" or "inside" machines.

NAT, etc., is not actually needed for it, and usually the DMZ machines
are on routable Internet addresses, while the client machines are not.

[...]

> Last, I strongly suggest using the 'helpme' feature (of the latest
> CVS version - http://firehol.sf.net/firehol.tar.gz) as a guide for the
> configuration, as this will automatically produce all the combinations
> for routed traffic for YOUR setup and will correctly detect reuse of
> the same interface for more than 1 LAN (only the dnat/snat rules will
> be missing - the rest would be a multiple choice ;-).

Hrm. It would be really good to have that mentioned somewhere a lot more
prominent in the documentation. I will have to check my hand-written
script against the output of that for my firewall at home.

       Daniel

-- 
Youth is happy because it has the capacity to see beauty. Anyone who keeps the
ability to see beauty never grows old.
        -- Franz Kafka
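A three-interface DMZ layout of the kind Daniel describes (Internet, DMZ on routable addresses, private inside LAN behind NAT), written as a FireHOL configuration. This is an added example, not a config from this thread, from the FireHOL examples directory, or from 'helpme' output; the interface names, address ranges and the set of published services are assumptions.

```firehol
version 5

# Assumed layout: eth0 = Internet, eth1 = DMZ, eth2 = inside LAN.
# Both ranges are constructed for the example; the DMZ block stands in
# for whatever routable addresses the servers actually hold.
dmz_net="192.0.2.0/24"
lan_net="192.168.1.0/24"

# Traffic to and from the firewall box itself, one block per interface.
interface eth0 internet
    protection strong
    server ssh accept
    client all accept

interface eth1 dmz src "${dmz_net}"
    server ssh accept
    client all accept

interface eth2 lan src "${lan_net}"
    server all accept
    client all accept

# Internet -> DMZ: only the published services are reachable from outside;
# DMZ hosts may still open their own connections towards the Internet.
router inet2dmz inface eth0 outface eth1 dst "${dmz_net}"
    server "http https smtp dns" accept
    client all accept

# Inside -> DMZ: administration plus the same services. There is
# deliberately no "client" line, so nothing initiated from the DMZ can
# reach the inside network; a compromised DMZ host stays in the DMZ.
router lan2dmz inface eth2 outface eth1 src "${lan_net}" dst "${dmz_net}"
    server "ssh http https smtp dns" accept

# Inside -> Internet: the private LAN is masqueraded on the way out and
# nothing from the Internet may initiate connections towards it.
router lan2inet inface eth2 outface eth0 src "${lan_net}"
    masquerade
    server all accept
```

The second firewall Daniel mentions (between the DMZ and the inside machines) is the lan2dmz router: it permits only inside-originated requests, which is the property to check when comparing a hand-written script against the 'helpme' output.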
