[Firehol-support] Aliased external interface

Costa Tsaousis costa at tsaousis.gr
Sun Jul 4 13:48:56 BST 2004


Daniel,

I also suggest to add to the variables template:

NAME_BCAST="the broadcast IP of a LAN"

this will be used below.

You should use src/dst to tighten the security of your systems. The rules
for using src/dst are simple:

- Interfaces connected to the public internet should have:

src not "${UNROUTABLE_IPS}"
this will guarantee that you will not serve requests and not attempt to
send replies to fake IP addresses.

dst "Your internet IPs"
this will ensure that packets entering this interface target the IPs you
consider public.


- Interfaces connected to private (or well known) LANs should have:

src "The LAN subnet"
dst "The linux LAN IP and LAN Broadcast IP"
This will ensure that packets served by this interface come from the right
LAN and target your valid IPs. Note that linux has the notion of "me" or
"self". So, for example, if a packet from the LAN A (eth0) targets the
linux IP on the LAN B (eth1), without this src/dst matching, linux will
serve it, matching the interface rules from interface A (not B) and
without a router definition, which of course may result in security
problems if the application running on the different interfaces is
different too.


- Routers where one of their ends is the Internet
The src or dst that is connected to the LAN, should have the LAN definition.
The other should be matching 'not "${UNROUTABLE_IPS} or other non-fake LAN
definitions served by other interfaces"'.

Example: eth0 is the internet, eth1 is the LAN
router lan2net inface eth1 outface eth0 src "${lan_LAN}" dst not "${UNROUTABLE_IPS}"

and if I also had eth2 that served the non fake IP address space
x.x.x.x/24, I should define:
router lan2net inface eth1 outface eth0 src "${lan_LAN}" dst not "${UNROUTABLE_IPS} x.x.x.x/24"


- Routers where both their ends are private (or well known) LANs
src/dst should have the subnet definitions of the LANS.


Hope these help
Costa
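The following is an added illustration, not part of Costa's message or of FireHOL's own code. It models, in Python, how FireHOL-style src/dst matching decides which definition handles a packet, and it plays through the "me"/"self" case described above: a LAN A host sending to the firewall's LAN B address through eth0. The topology (eth0 = LAN A, eth1 = LAN B, eth2 = internet), the addresses, and the shortened UNROUTABLE_IPS list are all constructed for the example; the matching semantics are a simplification of FireHOL's (a leading "not" negates the whole space-separated list, and a packet with no outgoing device is one addressed to the host itself).

```python
"""Simplified model of FireHOL interface/router src/dst matching (added example)."""
import ipaddress

# Constructed subset of FireHOL's UNROUTABLE_IPS: private and reserved ranges
# (assumption; the real variable contains more ranges).
UNROUTABLE_IPS = "10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8 169.254.0.0/16"


def _parse(spec):
    """Parse a FireHOL-style value: space-separated networks, optional leading 'not'."""
    tokens = spec.split()
    negate = tokens[0] == "not"
    if negate:
        tokens = tokens[1:]
    return negate, [ipaddress.ip_network(t, strict=False) for t in tokens]


def ip_matches(spec, ip):
    """True when ip satisfies spec; an absent spec (None) matches any address."""
    if spec is None:
        return True
    negate, nets = _parse(spec)
    inside = any(ipaddress.ip_address(ip) in n for n in nets)
    return inside != negate


class Interface:
    """An 'interface' definition: traffic between the firewall host and one device."""
    def __init__(self, name, dev, src=None, dst=None):
        self.name, self.dev, self.src, self.dst = name, dev, src, dst

    def accepts(self, pkt):
        # Packets with no outgoing device are addressed to the host itself.
        return (pkt.get("outdev") is None and pkt["dev"] == self.dev
                and ip_matches(self.src, pkt["src"])
                and ip_matches(self.dst, pkt["dst"]))


class Router:
    """A 'router' definition: traffic forwarded from inface to outface."""
    def __init__(self, name, inface, outface, src=None, dst=None):
        self.name, self.inface, self.outface = name, inface, outface
        self.src, self.dst = src, dst

    def accepts(self, pkt):
        return (pkt["dev"] == self.inface and pkt.get("outdev") == self.outface
                and ip_matches(self.src, pkt["src"])
                and ip_matches(self.dst, pkt["dst"]))


def classify(definitions, pkt):
    """Name of the first definition whose device and src/dst match, else None.
    None means no definition handles the packet, so the default policy (drop) applies."""
    for d in definitions:
        if d.accepts(pkt):
            return d.name
    return None


# Constructed topology (assumptions): eth0 = LAN A, eth1 = LAN B, eth2 = internet.
LAN_A, LAN_A_IP, LAN_A_BCAST = "192.168.1.0/24", "192.168.1.1", "192.168.1.255"
LAN_B, LAN_B_IP, LAN_B_BCAST = "192.168.2.0/24", "192.168.2.1", "192.168.2.255"
PUBLIC_IP = "203.0.113.10"

# Definitions keyed on the device only, with no src/dst restrictions.
LOOSE = [
    Interface("lan_a", "eth0"),
    Interface("lan_b", "eth1"),
    Interface("internet", "eth2"),
    Router("lan2net", "eth0", "eth2"),
]

# The same definitions tightened with src/dst as the post recommends.
TIGHT = [
    Interface("lan_a", "eth0", src=LAN_A, dst=f"{LAN_A_IP} {LAN_A_BCAST}"),
    Interface("lan_b", "eth1", src=LAN_B, dst=f"{LAN_B_IP} {LAN_B_BCAST}"),
    Interface("internet", "eth2", src=f"not {UNROUTABLE_IPS}", dst=PUBLIC_IP),
    Router("lan2net", "eth0", "eth2", src=LAN_A, dst=f"not {UNROUTABLE_IPS}"),
]

# Constructed packets (dev = arriving device, outdev = forwarding device if any).
CROSS_LAN = {"dev": "eth0", "src": "192.168.1.50", "dst": LAN_B_IP}       # the 'self' case
SPOOFED = {"dev": "eth2", "src": "10.1.2.3", "dst": PUBLIC_IP}            # private src from internet
LOCAL = {"dev": "eth0", "src": "192.168.1.50", "dst": LAN_A_IP}           # legitimate LAN A -> host
FORWARD_OK = {"dev": "eth0", "outdev": "eth2", "src": "192.168.1.50", "dst": "198.51.100.7"}
FORWARD_PRIVATE = {"dev": "eth0", "outdev": "eth2", "src": "192.168.1.50", "dst": "172.16.5.5"}

if __name__ == "__main__":
    cases = [("cross-LAN", CROSS_LAN), ("spoofed", SPOOFED), ("local", LOCAL),
             ("forward ok", FORWARD_OK), ("forward private", FORWARD_PRIVATE)]
    for label, pkt in cases:
        print(f"{label:16} loose={classify(LOOSE, pkt)!s:9} tight={classify(TIGHT, pkt)}")
```

With the loose definitions the cross-LAN packet is handled by the eth0 interface rules even though it targets the LAN B address, which is exactly the mismatch the post warns about; with the tightened definitions neither interface claims it, so it falls through to the default policy. The spoofed and private-destination forwarding cases fall through in the same way.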