[Firehol-support] Aliased external interface
Daniel Miller
dmiller at amfes.com
Mon Jun 28 05:13:50 BST 2004
Hi!
I'm a newbie to firehol, and to Linux in general. However, I'm quite
impressed with the ease with which I got a basic firewall set up utilizing
firehol. Thanks for the great work!
I would appreciate some help with tweaking my configuration - I'm not
getting quite what I want. First, what I have working:
1. Everything outbound from my network works fine.
2. Inbound connections from the internet on the AMFESLAN_IP interface
to my network for http, smtp, imap, webmin, and ssh work just fine.
I currently have a forwarding dns server running on this firewall
machine - works just great. Also Squid for proxying outbound http -
also fine. Now the trouble.
I'm trying to add a second external interface for a new domain,
utilizing ifconfig eth1:1 (the primary is, of course, just eth1) with its
own IP address, which does exist and is assigned to me. The first
thing I need to allow in is DNS traffic, since I'm hosting my own site
(or trying to). Then I'll need to segregate incoming HTTP requests
based on the target IP address. I THOUGHT I set it up right; obviously
I haven't. Can some kind soul please clue me in where I goofed?
P.S. Any general suggestions would also be appreciated. If there's
anything I should do to tighten security, please let me know. Thanks.
The text of my config below:
version 5
FIREHOL_LOG_MODE="ULOG"
intnet="amfeslan.local"
intnet_ip="192.168.0.0/24"
WWWIP="192.168.0.2"
AMFESUS_IP="#.#.#.125/27"
AMFESLAN_IP="#.#.#.126/27"
server_dcc_ports="tcp/6277"
client_dcc_ports="6277"
# port-forward selected services arriving on eth1 to the internal web host
nat to-destination $WWWIP inface eth1 proto tcp dport 80 log "forwarding http"
nat to-destination $WWWIP inface eth1 proto tcp dport 10000 log "forwarding webmin"
nat to-destination $WWWIP inface eth1 proto tcp dport 993 log "forwarding imaps"
interface eth0 lan src "${intnet_ip}"
policy accept
server squid accept
interface eth1 dmz src not "${intnet_ip}" dst "$AMFESLAN_IP"
protection strong 100/sec 50
client all accept
server dcc accept log "accepting dcc server"
client dcc accept log "accepting dcc client"
server smtp accept log "accepting smtp server"
client smtp accept log "accepting smtp client"
server ssh accept log "accepting ssh server"
interface eth1 amfes.us src not "${intnet_ip}" dst "$AMFESUS_IP"
protection strong 100/sec 50
server dns accept log "dns serv - amfes.us"
client dns accept log "dns client - amfes.us"
# server all accept log "globals let it in"
# client all accept log "globalc let it in"
router lan2dmz inface eth0 outface eth1
masquerade
route all accept
router dmz2lan inface eth1 outface eth0
protection strong 100/sec 50
server http accept
server webmin accept
server imaps accept
--
Daniel
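Added example, not part of the original post and not the poster's config: a trimmed firehol.conf showing how the two public addresses on eth1 and eth1:1 can be told apart. The point it illustrates is the mask on the address variables. FireHOL hands the interface's dst match to iptables as -d a.b.c.126/27, and iptables normalizes that to the network address (a.b.c.96/27), so the first interface definition matches packets for .125 as well; they never reach the second definition and its dns server rule. Giving each public address a /32 keeps the two interface definitions disjoint, and putting dst on the nat rules lets each public address forward to a different internal host. Assumptions (none of them on the page): the redacted public addresses are written as the documentation addresses 203.0.113.125 and 203.0.113.126, the amfes.us site lives on a second internal host 192.168.0.3, webmin is reachable only from an admin network 198.51.100.0/24, and the interface is named amfesus.

```firehol
version 5

FIREHOL_LOG_MODE="ULOG"

intnet_ip="192.168.0.0/24"

# Internal hosts that receive forwarded traffic.
WWWIP="192.168.0.2"       # serves the original domain
WWWIP_US="192.168.0.3"    # serves amfes.us (assumed; not in the original post)

# One public address per (virtual) interface. A /27 here would make
# iptables match the whole 203.0.113.96/27 subnet, so the first
# "interface ... dst" line would also swallow packets for .125.
# 203.0.113.x are placeholders for the redacted addresses.
AMFESUS_IP="203.0.113.125/32"
AMFESLAN_IP="203.0.113.126/32"

# Source allowed to reach webmin (assumed; replace with your admin network).
admin_net="198.51.100.0/24"

# Port forwards keyed on the destination address, so each public IP
# can be routed to a different internal host.
nat to-destination $WWWIP    inface eth1 dst $AMFESLAN_IP proto tcp dport 80  log "fwd http lan"
nat to-destination $WWWIP    inface eth1 dst $AMFESLAN_IP proto tcp dport 993 log "fwd imaps lan"
nat to-destination $WWWIP    inface eth1 dst $AMFESLAN_IP src $admin_net proto tcp dport 10000 log "fwd webmin"
nat to-destination $WWWIP_US inface eth1 dst $AMFESUS_IP  proto tcp dport 80  log "fwd http us"

interface eth0 lan src "${intnet_ip}"
    policy accept
    server squid accept

# Traffic to and from the primary public address (eth1).
interface eth1 dmz src not "${intnet_ip}" dst "$AMFESLAN_IP"
    protection strong 100/sec 50
    client all accept
    server smtp accept log "accepting smtp server"
    server ssh accept log "accepting ssh server"

# Traffic to and from the aliased address (eth1:1). FireHOL's dns
# service covers both udp/53 and tcp/53.
interface eth1 amfesus src not "${intnet_ip}" dst "$AMFESUS_IP"
    protection strong 100/sec 50
    server dns accept log "dns server amfes.us"
    client dns accept log "dns client amfes.us"

router lan2dmz inface eth0 outface eth1
    masquerade
    route all accept

# Only the forwarded services may cross from the internet into the LAN.
router dmz2lan inface eth1 outface eth0
    protection strong 100/sec 50
    server http accept
    server webmin accept
    server imaps accept
```

The file is read by bash, so shell quoting rules apply to the variables. Load it with `firehol try` first: it activates the new rules and reverts to the previous firewall unless you type commit within the timeout, which matters when the box is administered over one of the interfaces being reconfigured. `firehol debug` prints the generated iptables commands without applying them, which is the quickest way to see the -d mask that each interface definition actually produces.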