[Firehol-support] Aliased external interface

Daniel Miller dmiller at amfes.com
Mon Jun 28 05:13:50 BST 2004


Hi!

I'm a newbie to firehol - and linux in general.  However, I'm quite 
impressed with the ease with which I got a basic firewall setup utilizing 
firehol.  Thanks for the great work!

I would appreciate some help with tweaking my configuration - I'm not 
getting quite what I want.  First, what I have working:
1.  Everything outbound from my network works fine.
2.  Inbound connections from the internet on the AMFESLAN_IP interface
    to my network for http, smtp, imap, webmin, and ssh work just fine.

I currently have a forwarding dns server running on this firewall 
machine - works just great.  Also Squid for proxying outbound http - 
also fine.  Now the trouble.

I'm trying to add a second external interface for a new domain.  
I'm using ifconfig eth1:1 (the primary is of course just eth1) with its 
own IP address, which does exist and is assigned to me.  The first 
thing I need to allow in is DNS traffic since I'm hosting my own site 
(or trying to).  Then I'll need to segregate incoming http requests 
based on the target IP address.  I THOUGHT I set it up right - obviously 
I haven't.  Can some kind soul please clue me in where I goofed?

P.S.  Any general suggestions would also be appreciated - if there's 
anything I should do to tighten security, please let me know.  Thanks.


The text of my config below:

version 5
FIREHOL_LOG_MODE="ULOG"
intnet="amfeslan.local"
intnet_ip="192.168.0.0/24"
WWWIP="192.168.0.2"
AMFESUS_IP="#.#.#.125/27"
AMFESLAN_IP="#.#.#.126/27"

server_dcc_ports="tcp/6277"
client_dcc_ports="6277"

nat to-destination $WWWIP inface eth1 proto tcp dport 80 log "forwarding http"
nat to-destination $WWWIP inface eth1 proto tcp dport 10000 log "forwarding webmin"
nat to-destination $WWWIP inface eth1 proto tcp dport 993 log "forwarding imaps"

interface eth0 lan src "${intnet_ip}"
        policy accept
        server squid accept

interface eth1 dmz src not "${intnet_ip}" dst "$AMFESLAN_IP"
        protection strong 100/sec 50
        client all accept
        server dcc accept log "accepting dcc server"
        client dcc accept log "accepting dcc client"
        server smtp accept log "accepting smtp server"
        client smtp accept log "accepting smtp client"
        server ssh accept log "accepting ssh server"

interface eth1 amfes.us src not "${intnet_ip}" dst "$AMFESUS_IP"
        protection strong 100/sec 50
        server dns accept log "dns serv - amfes.us"
        client dns accept log "dns client - amfes.us"
#       server all accept log "globals let it in"
#       client all accept log "globalc let it in"

router lan2dmz inface eth0 outface eth1
        masquerade
        route all accept

router dmz2lan inface eth1 outface eth0
        protection strong 100/sec 50
        server http accept
        server webmin accept
        server imaps accept


--

Daniel
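Editor's note: the following is an added example, not part of Daniel's post or the FireHOL project's own documentation. It shows one way to express "two public addresses on one physical NIC, each with its own services and its own DNAT target" in the FireHOL 1.x config dialect used above. Two points a practitioner should keep in mind when building this: netfilter has no interface called eth1:1, so every packet for the alias still arrives on eth1 and the two addresses can only be told apart by destination address; and `dst` with a netmask (`dst "a.b.c.125/27"`) matches the whole /27, so two interface definitions written that way overlap instead of selecting one address each. The addresses (TEST-NET placeholders), the second internal web host `WWW2IP`, and the interface name `amfesus` are assumptions made for the example.

```firehol
version 5
FIREHOL_LOG_MODE="ULOG"

# Assumed addresses: TEST-NET placeholders, not the poster's real ones.
intnet_ip="192.168.0.0/24"
WWWIP="192.168.0.2"            # internal web host for the first domain
WWW2IP="192.168.0.3"           # assumed internal web host for the new domain
AMFESLAN_IP="203.0.113.126"    # primary address on eth1 (bare host address, no /27)
AMFESUS_IP="203.0.113.125"     # alias address on eth1:1 (netfilter still sees eth1)

# DNAT keyed on the public destination address, so each address maps to its own host.
nat to-destination $WWWIP  inface eth1 dst "$AMFESLAN_IP" proto tcp dport 80 log "forwarding http (primary)"
nat to-destination $WWW2IP inface eth1 dst "$AMFESUS_IP"  proto tcp dport 80 log "forwarding http (alias)"
nat to-destination $WWWIP  inface eth1 dst "$AMFESLAN_IP" proto tcp dport 10000 log "forwarding webmin"
nat to-destination $WWWIP  inface eth1 dst "$AMFESLAN_IP" proto tcp dport 993 log "forwarding imaps"

interface eth0 lan src "${intnet_ip}"
        policy accept
        server squid accept

# Packets for the primary address only (host address, so no overlap with the alias).
interface eth1 dmz src not "${intnet_ip}" dst "$AMFESLAN_IP"
        protection strong 100/sec 50
        client all accept
        server smtp accept log "accepting smtp server"
        server ssh accept log "accepting ssh server"

# Packets for the alias address only: the box answers DNS here, nothing else.
interface eth1 amfesus src not "${intnet_ip}" dst "$AMFESUS_IP"
        protection strong 100/sec 50
        server dns accept log "dns server - new domain"
        client dns accept log "dns client - new domain"

router lan2dmz inface eth0 outface eth1
        masquerade
        route all accept

# Only the DNATed services may cross from the internet to the LAN hosts,
# and each one only to the host its DNAT rule points at.
router dmz2lan inface eth1 outface eth0
        protection strong 100/sec 50
        server http accept dst "$WWWIP"
        server http accept dst "$WWW2IP"
        server webmin accept dst "$WWWIP"
        server imaps accept dst "$WWWIP"
```

The host-only `dst` values are what make the two `interface eth1` definitions disjoint; the `dst` on the `nat` lines is what keeps port 80 for the alias from being sent to the first domain's web host. Anything not listed under an interface or router falls through to FireHOL's default drop, so the alias address exposes only DNS and the one forwarded HTTP port.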
