[Firehol-support] Firehol and bridge

Aleksey Serba aleksey at caj.spb.ru
Fri Jul 30 11:31:13 BST 2004


    Hello!

    I have some troubles with setting up a firewall for a somewhat complex network.
    Any help will be greatly appreciated.
    
    The topology of my network:
                                        Internet
                                           |
                                           |
                                    ---------------
                                   |               |
                                   |   ISP Server  |
                                   |               |
                                    ---------------
                                           | X.X.X.1
                                           |
                                           |
                                           |
                                           | eth1 ( X.X.X.2 )
                                           |
                                    ---------------
                                   |               |
                                   |    server     |
                                   |               |
                                    ---------------
                                           |
                                           | eth0 ( X.X.X.2 + 192.168.0.1 )
                                           |
                                          LAN
                                           |
                  ---------------------------------------------------------
                  |                 |                       |             |
                  |                 |                       |             |
             192.168.0.2       192.168.0.3   ...         X.X.X.3       X.X.X.4

    1. I have several routable and several NAT-ed computers in the network.
    2. I need a bridge for routable PCs ( X.X.X. ) to firewall network traffic.
    3. I need NAT/Masquerade for unroutable PCs ( 192.168.0. ).

    Server - Debian GNU/Linux 2.6.7-1-k7
    Interfaces - br0 ( eth0, eth1 ) with routable X.X.X.2 IP.

    The questions:
    1. How to set up unroutable IP 192.168.0.1 on eth0?
       Or maybe I need one more ethernet card ( eth2 )?
    2. How to manage bridged traffic to routable IPs?
       Should I use the "router" construction in the firehol configuration?

    The possible firehol configuration ( without NAT-ing ):
-------------------------------------------------------
PUBLIC_MYIP="X.X.X.2"
PUBLIC_SERVICES="ssh ICMP http ftp https webcache dns"
PUBLIC_LAN="X.X.X.0/24"
# Note: INTERNAL_SERVICES is referenced below but is not defined in this
# snippet; UNROUTABLE_IPS is FireHOL's built-in list of private/reserved ranges.

# Accept all services to server from lan network
# (frames that entered the bridge through the eth0 port)
interface br0 lan physin eth0
    policy reject
    server "${INTERNAL_SERVICES}" accept
    client all accept

# Accept public services to server from internet
# (frames that entered the bridge through the eth1 port, spoofed private sources dropped)
interface br0 inet physin eth1 src not "${UNROUTABLE_IPS}"
    policy reject
    server "${PUBLIC_SERVICES}" accept
    client all accept

# Accept all services from lan to internet
# (bridged traffic: both in and out port are matched with physin/physout)
router lan2inet inface br0 physin eth0 outface br0 physout eth1 src "${PUBLIC_LAN}" dst not "${UNROUTABLE_IPS}"
    route all accept

# Accept public services to lan from internet
router inet2lan inface br0 physin eth1 outface br0 physout eth0 src not "${UNROUTABLE_IPS}" dst "${PUBLIC_LAN}"
    route "${PUBLIC_SERVICES}" accept
-------------------------------------------------------
       
    How to add settings for NAT-ing unroutable PCs?

    Thanks in advance.


    Regards,
            Aleksey
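As an added illustration, not part of Aleksey's post and not the FireHOL project's own documentation, the fragment below shows one way the missing NAT part could be expressed in FireHOL 1.x syntax alongside the bridge setup above. It assumes that 192.168.0.1 is configured as a second address on br0 rather than on eth0 (a bridge port itself normally carries no IP address), that the private hosts use 192.168.0.1 as their default gateway, that FireHOL's top-level masquerade helper accepts the src/dst rule parameters shown, and that the kernel passes bridged frames to iptables (bridge-nf) so physin matches work. The names PRIVATE_LAN, priv and priv2inet are made up for the example.

```firehol
# Added example (not from the original post). Assumes 192.168.0.1 lives on br0.
PUBLIC_MYIP="X.X.X.2"
PUBLIC_LAN="X.X.X.0/24"
PRIVATE_LAN="192.168.0.0/24"            # assumed private range behind the server
PUBLIC_SERVICES="ssh icmp http https dns"

# Masquerade only what really needs it: routed packets from the private range
# leaving through br0 toward anything outside that range. Bridged X.X.X.* frames
# keep their own source addresses because the src match excludes them.
masquerade br0 src "${PRIVATE_LAN}" dst not "${PRIVATE_LAN}"

# Private hosts talking to the server itself, arriving through the eth0 port.
interface br0 priv physin eth0 src "${PRIVATE_LAN}"
    policy reject
    server "${PUBLIC_SERVICES}" accept
    client all accept

# Private hosts -> Internet. These packets are routed (their gateway is the
# server), not bridged, so no physout is given: for routed packets the
# outgoing bridge port is not known in FORWARD and matching on it would
# silently drop the traffic (assumption about physdev-out semantics).
# "server" instead of "route": requests may only originate on the private
# side; replies are matched by connection tracking.
router priv2inet inface br0 physin eth0 outface br0 src "${PRIVATE_LAN}" dst not "${PRIVATE_LAN}"
    server all accept
```

The src/dst restriction on the masquerade line is the part worth keeping even if the rest is adapted: an unrestricted MASQUERADE on br0 would also rewrite the source of bridged packets from the routable X.X.X.* hosts, which breaks their connectivity and hides which machine a connection came from.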