[Firehol-support] Open VPN and Ethernet Bridge

Joel Macklow joelm at webservices.net.nz
Thu Jul 22 06:33:48 BST 2004


Hello all

Have a rather complex setup here that I have been trying to get to work 
for 3 days now.  Am now starting to smack my head against the wall.  
Have taken the liberty of attaching a PDF to illustrate it a bit 
better.  Maybe I am doing this all wrong.  If so please tell me.

With the firehol service off, I can create a VPN connection and ping, so 
I know it works.  When I enable the firehol, the connection stays alive, 
because it uses UDP I'm guessing.  However, I can no longer ping 
anything past the firewall.

Any and all help appreciated very much.  Special thanks to Costa for all 
your hard work.  Sorry for all the verbose diagnostic to follow, but I 
really would like to nail this one.  I'll keep trying anyways.

GOAL: Internet gateway machine. 
eth0 = Internet, address 192.168.0.2 GW 192.168.0.1.
eth1 = Internal network, 192.168.2.2, provides DHCP/gateway for client 
PC's. 
eth2 = br0 (OpenVPN bridge to Internal Network). 

Machine runs dnsmasq to supply DHCP addresses for machines using eth1.  
VPN clients connect through tap0-4 devices and have static IP numbers in 
the eth1 range.

According to the OpenVPN tutorials this is all I need:

# Allow incoming OpenVPN packets
iptables -A INPUT -p udp --dport 5000 -j ACCEPT

# Allow packets from TUN/TAP devices.
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A INPUT -i tap+ -j ACCEPT
iptables -A FORWARD -i tap+ -j ACCEPT


# Allow packets from private subnets
iptables -A INPUT -i br0 -j ACCEPT
iptables -A FORWARD -i br0 -j ACCEPT

See http://openvpn.sourceforge.net/bridge.html for more detail.

The reason for using a separate NIC for the br0 interface is because it 
appears that once a NIC becomes a bridge, I can no longer use it as a 
gateway.  I want to serve  port 80 from eth1 to clients coming in from 
eth0 you see, while having clients connecting through eth0 using 
openvpn, being terminated into tap devices, with the openvpn connections 
being bridged so that openvpn clients end up being in the same ip range.

Outputs Below:

ip route show
192.168.2.0/24 dev eth1  proto kernel  scope link  src 192.168.2.2
192.168.2.0/24 dev br0  proto kernel  scope link  src 192.168.2.200
192.168.0.0/24 dev eth0  proto kernel  scope link  src 192.168.0.3
default via 192.168.0.1 dev eth0

ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
5: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:30:1b:b3:d4:c0 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.3/24 brd 192.168.0.255 scope global eth0
    inet6 fe80::230:1bff:feb3:d4c0/64 scope link
       valid_lft forever preferred_lft forever
6: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:30:1b:b3:cc:5f brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.2/24 brd 192.168.2.255 scope global eth1
    inet6 fe80::230:1bff:feb3:cc5f/64 scope link
       valid_lft forever preferred_lft forever
7: eth2: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast qlen 
1000
    link/ether 00:05:1c:13:83:06 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::205:1cff:fe13:8306/64 scope link
       valid_lft forever preferred_lft forever
8: tap0: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast qlen 
1000
    link/ether 00:ff:15:f7:eb:23 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::2ff:15ff:fef7:eb23/64 scope link
       valid_lft forever preferred_lft forever
9: tap1: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast qlen 
1000
    link/ether 00:ff:0b:c6:ea:5c brd ff:ff:ff:ff:ff:ff
    inet6 fe80::2ff:bff:fec6:ea5c/64 scope link
       valid_lft forever preferred_lft forever
10: tap2: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast 
qlen 1000
    link/ether 00:ff:94:96:92:d0 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::2ff:94ff:fe96:92d0/64 scope link
       valid_lft forever preferred_lft forever
11: tap3: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast 
qlen 1000
    link/ether 00:ff:ce:5c:a4:4a brd ff:ff:ff:ff:ff:ff
    inet6 fe80::2ff:ceff:fe5c:a44a/64 scope link
       valid_lft forever preferred_lft forever
12: tap4: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast 
qlen 1000
    link/ether 00:ff:99:36:f5:f8 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::2ff:99ff:fe36:f5f8/64 scope link
       valid_lft forever preferred_lft forever
13: br0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue
    link/ether 00:05:1c:13:83:06 brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.200/24 brd 192.168.2.255 scope global br0
    inet6 fe80::205:1cff:fe13:8306/64 scope link
       valid_lft forever preferred_lft forever
14: sit0: <NOARP> mtu 1480 qdisc noop
    link/sit 0.0.0.0 brd 0.0.0.0

1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
5: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:30:1b:b3:d4:c0 brd ff:ff:ff:ff:ff:ff
6: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:30:1b:b3:cc:5f brd ff:ff:ff:ff:ff:ff
7: eth2: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast qlen 
1000
    link/ether 00:05:1c:13:83:06 brd ff:ff:ff:ff:ff:ff
8: tap0: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast qlen 
1000
    link/ether 00:ff:15:f7:eb:23 brd ff:ff:ff:ff:ff:ff
9: tap1: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast qlen 
1000
    link/ether 00:ff:0b:c6:ea:5c brd ff:ff:ff:ff:ff:ff
10: tap2: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast 
qlen 1000
    link/ether 00:ff:94:96:92:d0 brd ff:ff:ff:ff:ff:ff
11: tap3: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast 
qlen 1000
    link/ether 00:ff:ce:5c:a4:4a brd ff:ff:ff:ff:ff:ff
12: tap4: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast 
qlen 1000
    link/ether 00:ff:99:36:f5:f8 brd ff:ff:ff:ff:ff:ff
13: br0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue
    link/ether 00:05:1c:13:83:06 brd ff:ff:ff:ff:ff:ff
14: sit0: <NOARP> mtu 1480 qdisc noop
    link/sit 0.0.0.0 brd 0.0.0.0

cat /tmp/firehol.conf

#!/etc/init.d/firehol
# 
------------------------------------------------------------------------------
# This feature is under construction -- use it with care.
#             *** NEVER USE THIS CONFIG AS-IS ***
#
# : firehol.sh,v 1.191 2004/04/23 22:15:18 ktsaou Exp $
# (C) Copyright 2003, Costa Tsaousis <costa at tsaousis.gr>
# FireHOL is distributed under GPL.
# Home Page: http://firehol.sourceforge.net
#
# 
------------------------------------------------------------------------------
# FireHOL controls your firewall. You should want to get updates quickly.
# Subscribe (at the home page) to get notified of new releases.
# 
------------------------------------------------------------------------------
#
# This config will have the same effect as NO PROTECTION!
# Everything that found to be running, is allowed.
#
# Date: Fri Jul 23 05:05:09 NZST 2004 on host www
#
# The TODOs bellow, are YOUR to-dos!

### DEBUG: Processing interface 'br0'
### DEBUG: Processing IP 192.168.2.200/32 of interface 'br0'
### DEBUG: Is 192.168.2.200/32 part of network 192.168.2.0/24? yes

# Interface No 1.
# The purpose of this interface is to control the traffic
# on the br0 interface with IP 192.168.2.200/32 (net: "192.168.2.0/24").
# TODO: Change "interface1" to something with meaning to you.
# TODO: Check the optional rule parameters (src/dst).
# TODO: Remove 'dst 192.168.2.200/32' if this is dynamically assigned.
interface br0 interface1 src "192.168.2.0/24" dst 192.168.2.200/32

        # The default policy is DROP. You can be more polite with REJECT.
        # Prefer to be polite on your own clients to prevent timeouts.
        policy drop

        # If you don't trust the clients behind br0 (net "192.168.2.0/24"),
        # add something like this.
        # > protection strong

        # Here are the services listening on br0.
        # TODO: Normally, you will have to remove those not needed.
        server dhcp accept
        server dns accept
        server ICMP accept
        server smtp accept
        server sunrpc accept

        # The following br0 server ports are not known by FireHOL:
        #  udp/32768
        # TODO: If you need any of them, you should define new services.
        #       (see Adding Services at the web site - 
http://firehol.sf.net).

        # The following means that this machine can REQUEST anything via 
br0.
        # TODO: On production servers, avoid this and allow only the
        #       client services you really need.
        client all accept

### DEBUG: Processing interface 'eth0'
### DEBUG: Processing IP 192.168.0.3/32 of interface 'eth0'
### DEBUG: Is 192.168.0.3/32 part of network 192.168.0.0/24? yes

# Interface No 2.
# The purpose of this interface is to control the traffic
# on the eth0 interface with IP 192.168.0.3/32 (net: "192.168.0.0/24").
# TODO: Change "interface2" to something with meaning to you.
# TODO: Check the optional rule parameters (src/dst).
# TODO: Remove 'dst 192.168.0.3/32' if this is dynamically assigned.
interface eth0 interface2 src "192.168.0.0/24" dst 192.168.0.3/32

        # The default policy is DROP. You can be more polite with REJECT.
        # Prefer to be polite on your own clients to prevent timeouts.
        policy drop

        # If you don't trust the clients behind eth0 (net "192.168.0.0/24"),
        # add something like this.
        # > protection strong

        # Here are the services listening on eth0.
        # TODO: Normally, you will have to remove those not needed.
        server dhcp accept
        server dns accept
        server ICMP accept
        server smtp accept
        server sunrpc accept

        # The following eth0 server ports are not known by FireHOL:
        #  udp/32768
        # TODO: If you need any of them, you should define new services.
        #       (see Adding Services at the web site - 
http://firehol.sf.net).

        # The following means that this machine can REQUEST anything via 
eth0.
        # TODO: On production servers, avoid this and allow only the
        #       client services you really need.
        client all accept

### DEBUG: Is 192.168.0.1/32  part of network 192.168.0.0/24? yes
### DEBUG: Default gateway 192.168.0.1/32  is part of network 192.168.0.0/24

# Interface No 3.
# The purpose of this interface is to control the traffic
# from/to unknown networks behind the default gateway 192.168.0.1/32 .
# TODO: Change "interface3" to something with meaning to you.
# TODO: Check the optional rule parameters (src/dst).
# TODO: Remove 'dst 192.168.0.3/32' if this is dynamically assigned.
interface eth0 interface3 src not "${UNROUTABLE_IPS} 192.168.0.0/24" dst 
192.168.0.3/32

        # The default policy is DROP. You can be more polite with REJECT.
        # Prefer to be polite on your own clients to prevent timeouts.
        policy drop

        # If you don't trust the clients behind eth0 (net not 
"${UNROUTABLE_IPS} 192.168.0.0/24"),
        # add something like this.
        # > protection strong

        # Here are the services listening on eth0.
        # TODO: Normally, you will have to remove those not needed.
        server dhcp accept
        server dns accept
        server ICMP accept
        server smtp accept
        server sunrpc accept

        # The following eth0 server ports are not known by FireHOL:
        #  udp/32768
        # TODO: If you need any of them, you should define new services.
        #       (see Adding Services at the web site - 
http://firehol.sf.net).

        # The following means that this machine can REQUEST anything via 
eth0.
        # TODO: On production servers, avoid this and allow only the
        #       client services you really need.
        client all accept

### DEBUG: Processing interface 'eth1'
### DEBUG: Processing IP 192.168.2.2/32 of interface 'eth1'
### DEBUG: Is 192.168.2.2/32 part of network 192.168.2.0/24? yes

# Interface No 4.
# The purpose of this interface is to control the traffic
# on the eth1 interface with IP 192.168.2.2/32 (net: "192.168.2.0/24").
# TODO: Change "interface4" to something with meaning to you.
# TODO: Check the optional rule parameters (src/dst).
# TODO: Remove 'dst 192.168.2.2/32' if this is dynamically assigned.
interface eth1 interface4 src "192.168.2.0/24" dst 192.168.2.2/32

        # The default policy is DROP. You can be more polite with REJECT.
        # Prefer to be polite on your own clients to prevent timeouts.
        policy drop

        # If you don't trust the clients behind eth1 (net "192.168.2.0/24"),
        # add something like this.
        # > protection strong

        # Here are the services listening on eth1.
        # TODO: Normally, you will have to remove those not needed.
        server dhcp accept
        server dns accept
        server ICMP accept
        server smtp accept
        server sunrpc accept

        # The following eth1 server ports are not known by FireHOL:
        #  udp/32768
        # TODO: If you need any of them, you should define new services.
        #       (see Adding Services at the web site - 
http://firehol.sf.net).

        # The following means that this machine can REQUEST anything via 
eth1.
        # TODO: On production servers, avoid this and allow only the
        #       client services you really need.
        client all accept

### DEBUG: Processing interface 'eth2'

# Ignoring interface 'eth2' because does not have an IP or route.

### DEBUG: Processing interface 'sit0'

# Ignoring interface 'sit0' because does not have an IP or route.

### DEBUG: Processing interface 'tap0'

# Ignoring interface 'tap0' because does not have an IP or route.

### DEBUG: Processing interface 'tap1'

# Ignoring interface 'tap1' because does not have an IP or route.

### DEBUG: Processing interface 'tap2'

# Ignoring interface 'tap2' because does not have an IP or route.

### DEBUG: Processing interface 'tap3'

# Ignoring interface 'tap3' because does not have an IP or route.

### DEBUG: Processing interface 'tap4'

# Ignoring interface 'tap4' because does not have an IP or route.


# The above 4 interfaces were found active at this moment.
# Add more interfaces that can potentially be activated in the future.
# FireHOL will not complain if you setup a firewall on an interface that is
# not active when you activate the firewall.
# If you don't setup an interface, FireHOL will drop all traffic from or to
# this interface, if and when it becomes available.
# Also, if an interface name dynamically changes (i.e. ppp0 may become ppp1)
# you can use the plus (+) character to match all of them (i.e. ppp+).


# Router No 1.
# Clients on br0 (from "192.168.2.0/24") accessing servers on eth0 (to 
"192.168.0.0/24").
# TODO: Change "router1" to something with meaning to you.
# TODO: Check the optional rule parameters (src/dst).
router router1 inface br0 outface eth0 src "192.168.2.0/24" dst 
"192.168.0.0/24"

        # If you don't trust the clients on br0 (from "192.168.2.0/24"), or
        # if you want to protect the servers on eth0 (to "192.168.0.0/24"),
        # uncomment the following line.
        # > protection strong

        # To NAT client requests on the output of eth0, add this.
        # > masquerade
        # Alternatively, you can SNAT them by placing this at the top of 
this config:
        # > snat to 192.168.0.3/32 outface eth0 src "192.168.2.0/24" dst 
"192.168.0.0/24"
        # SNAT commands can be enhanced using 'proto', 'sport', 'dport', 
etc in order to
        # NAT only some specific traffic.

        # TODO: This will allow all traffic to pass.
        # If you remove it, no REQUEST will pass matching this traffic.
        route all accept


# Router No 2.
# Clients on br0 (from "192.168.2.0/24") accessing servers on eth0 (to 
not "${UNROUTABLE_IPS} 192.168.0.0/24").
# TODO: Change "router2" to something with meaning to you.
# TODO: Check the optional rule parameters (src/dst).
router router2 inface br0 outface eth0 src "192.168.2.0/24" dst not 
"${UNROUTABLE_IPS} 192.168.0.0/24"

        # If you don't trust the clients on br0 (from "192.168.2.0/24"), or
        # if you want to protect the servers on eth0 (to not 
"${UNROUTABLE_IPS} 192.168.0.0/24"),
        # uncomment the following line.
        # > protection strong

        # To NAT client requests on the output of eth0, add this.
        # > masquerade
        # Alternatively, you can SNAT them by placing this at the top of 
this config:
        # > snat to 192.168.0.3/32 outface eth0 src "192.168.2.0/24" dst 
not "${UNROUTABLE_IPS} 192.168.0.0/24"
        # SNAT commands can be enhanced using 'proto', 'sport', 'dport', 
etc in order to
        # NAT only some specific traffic.

        # TODO: This will allow all traffic to pass.
        # If you remove it, no REQUEST will pass matching this traffic.
        route all accept


# Router No 3.
# Clients on br0 (from "192.168.2.0/24") accessing servers on eth1 (to 
"192.168.2.0/24").
# TODO: Change "router3" to something with meaning to you.
# TODO: Check the optional rule parameters (src/dst).
router router3 inface br0 outface eth1 src "192.168.2.0/24" dst 
"192.168.2.0/24"

        # If you don't trust the clients on br0 (from "192.168.2.0/24"), or
        # if you want to protect the servers on eth1 (to "192.168.2.0/24"),
        # uncomment the following line.
        # > protection strong

        # To NAT client requests on the output of eth1, add this.
        # > masquerade
        # Alternatively, you can SNAT them by placing this at the top of 
this config:
        # > snat to 192.168.2.2/32 outface eth1 src "192.168.2.0/24" dst 
"192.168.2.0/24"
        # SNAT commands can be enhanced using 'proto', 'sport', 'dport', 
etc in order to
        # NAT only some specific traffic.

        # TODO: This will allow all traffic to pass.
        # If you remove it, no REQUEST will pass matching this traffic.
        route all accept


# Router No 4.
# Clients on eth0 (from "192.168.0.0/24") accessing servers on br0 (to 
"192.168.2.0/24").
# TODO: Change "router4" to something with meaning to you.
# TODO: Check the optional rule parameters (src/dst).
router router4 inface eth0 outface br0 src "192.168.0.0/24" dst 
"192.168.2.0/24"

        # If you don't trust the clients on eth0 (from "192.168.0.0/24"), or
        # if you want to protect the servers on br0 (to "192.168.2.0/24"),
        # uncomment the following line.
        # > protection strong

        # To NAT client requests on the output of br0, add this.
        # > masquerade
        # Alternatively, you can SNAT them by placing this at the top of 
this config:
        # > snat to 192.168.2.200/32 outface br0 src "192.168.0.0/24" 
dst "192.168.2.0/24"
        # SNAT commands can be enhanced using 'proto', 'sport', 'dport', 
etc in order to
        # NAT only some specific traffic.

        # TODO: This will allow all traffic to pass.
        # If you remove it, no REQUEST will pass matching this traffic.
        route all accept


# Router No 5.
# Clients on eth0 (from "192.168.0.0/24") accessing servers on eth0 (to 
not "${UNROUTABLE_IPS} 192.168.0.0/24").
# TODO: Change "router5" to something with meaning to you.
# TODO: Check the optional rule parameters (src/dst).
router router5 inface eth0 outface eth0 src "192.168.0.0/24" dst not 
"${UNROUTABLE_IPS} 192.168.0.0/24"

        # If you don't trust the clients on eth0 (from "192.168.0.0/24"), or
        # if you want to protect the servers on eth0 (to not 
"${UNROUTABLE_IPS} 192.168.0.0/24"),
        # uncomment the following line.
        # > protection strong

        # To NAT client requests on the output of eth0, add this.
        # > masquerade
        # Alternatively, you can SNAT them by placing this at the top of 
this config:
        # > snat to 192.168.0.3/32 outface eth0 src "192.168.0.0/24" dst 
not "${UNROUTABLE_IPS} 192.168.0.0/24"
        # SNAT commands can be enhanced using 'proto', 'sport', 'dport', 
etc in order to
        # NAT only some specific traffic.

        # TODO: This will allow all traffic to pass.
        # If you remove it, no REQUEST will pass matching this traffic.
        route all accept


# Router No 6.
# Clients on eth0 (from "192.168.0.0/24") accessing servers on eth1 (to 
"192.168.2.0/24").
# TODO: Change "router6" to something with meaning to you.
# TODO: Check the optional rule parameters (src/dst).
router router6 inface eth0 outface eth1 src "192.168.0.0/24" dst 
"192.168.2.0/24"

        # If you don't trust the clients on eth0 (from "192.168.0.0/24"), or
        # if you want to protect the servers on eth1 (to "192.168.2.0/24"),
        # uncomment the following line.
        # > protection strong

        # To NAT client requests on the output of eth1, add this.
        # > masquerade
        # Alternatively, you can SNAT them by placing this at the top of 
this config:
        # > snat to 192.168.2.2/32 outface eth1 src "192.168.0.0/24" dst 
"192.168.2.0/24"
        # SNAT commands can be enhanced using 'proto', 'sport', 'dport', 
etc in order to
        # NAT only some specific traffic.

        # TODO: This will allow all traffic to pass.
        # If you remove it, no REQUEST will pass matching this traffic.
        route all accept


# Router No 7.
# Clients on eth0 (from not "${UNROUTABLE_IPS} 192.168.0.0/24") 
accessing servers on br0 (to "192.168.2.0/24").
# TODO: Change "router7" to something with meaning to you.
# TODO: Check the optional rule parameters (src/dst).
router router7 inface eth0 outface br0 src not "${UNROUTABLE_IPS} 
192.168.0.0/24" dst "192.168.2.0/24"

        # If you don't trust the clients on eth0 (from not 
"${UNROUTABLE_IPS} 192.168.0.0/24"), or
        # if you want to protect the servers on br0 (to "192.168.2.0/24"),
        # uncomment the following line.
        # > protection strong

        # To NAT client requests on the output of br0, add this.
        # > masquerade
        # Alternatively, you can SNAT them by placing this at the top of 
this config:
        # > snat to 192.168.2.200/32 outface br0 src not 
"${UNROUTABLE_IPS} 192.168.0.0/24" dst "192.168.2.0/24"
        # SNAT commands can be enhanced using 'proto', 'sport', 'dport', 
etc in order to
        # NAT only some specific traffic.

        # TODO: This will allow all traffic to pass.
        # If you remove it, no REQUEST will pass matching this traffic.
        route all accept


# Router No 8.
# Clients on eth0 (from not "${UNROUTABLE_IPS} 192.168.0.0/24") 
accessing servers on eth0 (to "192.168.0.0/24").
# TODO: Change "router8" to something with meaning to you.
# TODO: Check the optional rule parameters (src/dst).
router router8 inface eth0 outface eth0 src not "${UNROUTABLE_IPS} 
192.168.0.0/24" dst "192.168.0.0/24"

        # If you don't trust the clients on eth0 (from not 
"${UNROUTABLE_IPS} 192.168.0.0/24"), or
        # if you want to protect the servers on eth0 (to "192.168.0.0/24"),
        # uncomment the following line.
        # > protection strong

        # To NAT client requests on the output of eth0, add this.
        # > masquerade
        # Alternatively, you can SNAT them by placing this at the top of 
this config:
        # > snat to 192.168.0.3/32 outface eth0 src not 
"${UNROUTABLE_IPS} 192.168.0.0/24" dst "192.168.0.0/24"
        # SNAT commands can be enhanced using 'proto', 'sport', 'dport', 
etc in order to
        # NAT only some specific traffic.

        # TODO: This will allow all traffic to pass.
        # If you remove it, no REQUEST will pass matching this traffic.
        route all accept


# Router No 9.
# Clients on eth0 (from not "${UNROUTABLE_IPS} 192.168.0.0/24") 
accessing servers on eth1 (to "192.168.2.0/24").
# TODO: Change "router9" to something with meaning to you.
# TODO: Check the optional rule parameters (src/dst).
router router9 inface eth0 outface eth1 src not "${UNROUTABLE_IPS} 
192.168.0.0/24" dst "192.168.2.0/24"

        # If you don't trust the clients on eth0 (from not 
"${UNROUTABLE_IPS} 192.168.0.0/24"), or
        # if you want to protect the servers on eth1 (to "192.168.2.0/24"),
        # uncomment the following line.
        # > protection strong

        # To NAT client requests on the output of eth1, add this.
        # > masquerade
        # Alternatively, you can SNAT them by placing this at the top of 
this config:
        # > snat to 192.168.2.2/32 outface eth1 src not 
"${UNROUTABLE_IPS} 192.168.0.0/24" dst "192.168.2.0/24"
        # SNAT commands can be enhanced using 'proto', 'sport', 'dport', 
etc in order to
        # NAT only some specific traffic.

        # TODO: This will allow all traffic to pass.
        # If you remove it, no REQUEST will pass matching this traffic.
        route all accept


# Router No 10.
# Clients on eth1 (from "192.168.2.0/24") accessing servers on br0 (to 
"192.168.2.0/24").
# TODO: Change "router10" to something with meaning to you.
# TODO: Check the optional rule parameters (src/dst).
router router10 inface eth1 outface br0 src "192.168.2.0/24" dst 
"192.168.2.0/24"

        # If you don't trust the clients on eth1 (from "192.168.2.0/24"), or
        # if you want to protect the servers on br0 (to "192.168.2.0/24"),
        # uncomment the following line.
        # > protection strong

        # To NAT client requests on the output of br0, add this.
        # > masquerade
        # Alternatively, you can SNAT them by placing this at the top of 
this config:
        # > snat to 192.168.2.200/32 outface br0 src "192.168.2.0/24" 
dst "192.168.2.0/24"
        # SNAT commands can be enhanced using 'proto', 'sport', 'dport', 
etc in order to
        # NAT only some specific traffic.

        # TODO: This will allow all traffic to pass.
        # If you remove it, no REQUEST will pass matching this traffic.
        route all accept


# Router No 11.
# Clients on eth1 (from "192.168.2.0/24") accessing servers on eth0 (to 
"192.168.0.0/24").
# TODO: Change "router11" to something with meaning to you.
# TODO: Check the optional rule parameters (src/dst).
router router11 inface eth1 outface eth0 src "192.168.2.0/24" dst 
"192.168.0.0/24"

        # If you don't trust the clients on eth1 (from "192.168.2.0/24"), or
        # if you want to protect the servers on eth0 (to "192.168.0.0/24"),
        # uncomment the following line.
        # > protection strong

        # To NAT client requests on the output of eth0, add this.
        # > masquerade
        # Alternatively, you can SNAT them by placing this at the top of 
this config:
        # > snat to 192.168.0.3/32 outface eth0 src "192.168.2.0/24" dst 
"192.168.0.0/24"
        # SNAT commands can be enhanced using 'proto', 'sport', 'dport', 
etc in order to
        # NAT only some specific traffic.

        # TODO: This will allow all traffic to pass.
        # If you remove it, no REQUEST will pass matching this traffic.
        route all accept


# Router No 12.
# Clients on eth1 (from "192.168.2.0/24") accessing servers on eth0 (to 
not "${UNROUTABLE_IPS} 192.168.0.0/24").
# TODO: Change "router12" to something with meaning to you.
# TODO: Check the optional rule parameters (src/dst).
router router12 inface eth1 outface eth0 src "192.168.2.0/24" dst not 
"${UNROUTABLE_IPS} 192.168.0.0/24"

        # If you don't trust the clients on eth1 (from "192.168.2.0/24"), or
        # if you want to protect the servers on eth0 (to not 
"${UNROUTABLE_IPS} 192.168.0.0/24"),
        # uncomment the following line.
        # > protection strong

        # To NAT client requests on the output of eth0, add this.
        # > masquerade
        # Alternatively, you can SNAT them by placing this at the top of 
this config:
        # > snat to 192.168.0.3/32 outface eth0 src "192.168.2.0/24" dst 
not "${UNROUTABLE_IPS} 192.168.0.0/24"
        # SNAT commands can be enhanced using 'proto', 'sport', 'dport', 
etc in order to
        # NAT only some specific traffic.

        # TODO: This will allow all traffic to pass.
        # If you remove it, no REQUEST will pass matching this traffic.
        route all accept
-------------- next part --------------
A non-text attachment was scrubbed...
Name: firehol and openvpn.pdf
Type: application/pdf
Size: 67964 bytes
Desc: not available
URL: <http://lists.firehol.org/pipermail/firehol-support/attachments/20040722/dea053d1/attachment-0002.pdf>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: joelm.vcf
Type: text/x-vcard
Size: 326 bytes
Desc: not available
URL: <http://lists.firehol.org/pipermail/firehol-support/attachments/20040722/dea053d1/attachment-0002.vcf>


More information about the Firehol-support mailing list