[Firehol-support] Aliased external interface

Costa Tsaousis costa at tsaousis.gr
Mon Jun 28 21:26:07 BST 2004


look in your mail for comments.

> I'm trying to add a second external interface for a new domain.
> Utilizing ifconfig eth1:1 (the primary is of course just eth1) with its
> own ip address - which does exist and is assigned to me.  The first
> thing I need to allow in is DNS traffic since I'm hosting my own site
> (or trying to).

What do you mean "allow in is DNS". Requests or replies?

>  Then I'll need to segregate incoming http requests
> based on the target IP address.

To do this, just add 'dst "IP"' to your nat to-destination statements and
of course add statements for both your IPs.

> version 5
> intnet="amfeslan.local"
> intnet_ip=""
> WWWIP=""
> AMFESUS_IP="#.#.#.125/27"
> AMFESLAN_IP="#.#.#.126/27"

> interface eth0 lan src "${intnet_ip}"
>         policy accept
>         server squid accept

The squid statement is not needed. The policy is "accept".
Add 'dst "IP"' to tighten security.

> interface eth1 dmz src not "${intnet_ip}" dst "$AMFESLAN_IP"
>         protection strong 100/sec 50
>         client all accept
>         server dcc accept log "accepting dcc server"
>         client dcc accept log "accepting dcc client"
>         server smtp accept log "accepting smtp server"
>         client smtp accept log "accepting smtp client"
>         server ssh accept log "accepting ssh server"

Since you have the 'client all accept' first in this list, all the client
statements bellow it, will match nothing.
Also, for correct accounting (if you need it), place the client statements
bellow the server ones and the 'client all accept' last.

> interface eth1 amfes.us src not "${intnet_ip}" dst "$AMFESUS_IP"
>         protection strong 100/sec 50
>         server dns accept log "dns serv - amfes.us"
>         client dns accept log "dns client - amfes.us"
> #       server all accept log "globals let it in"
> #       client all accept log "globalc let it in"

This interface will never be matched since AMFESUS_IP is included in
AMFESLAN_IP (both have a /27 mask and therefore both are matching from
x.x.x.96 to x.x.x.127, and since your dmz interface is first and it does
not have a 'policy RETURN', all the traffic that enters it but is not
matched by any server/client, is dropped). To specify a single IP you
should either ommit /27 or make it /32.

> router lan2dmz inface eth0 outface eth1
>         masquerade
>         route all accept

don't use masquerade for static IPs. It is by far more complicated and
slow than SNAT. Use SNAT.
Specify src/dst to tighten security.

> router dmz2lan inface eth1 outface eth0
>         protection strong 100/sec 50
>         server http accept
>         server webmin accept
>         server imaps accept

Specify src/dst to tighten security.

If you like variables, I suggest to use this as a template:

NAME_IF="physical interface"
NAME_LAN="IP address space of the LAN behind an interface"
NAME_IP="the IP of this host on this LAN"

then use it like this:

interface NAME "${NAME_IF}" src "${NAME_LAN}" dst "${NAME_IP}"


router NAME-to-NAME2 inface "${NAME_IF}" outface "${NAME2_IF}" src
"${NAME_LAN}" dst "${NAME2_LAN}"

This way you always know that _IF is the interface, _LAN is the IP subnet
behind the interface, _IP is the IP of this host on the interface. Only
NAME varies from interface to interface.

Hope these help.


More information about the Firehol-support mailing list