[Firehol-support] Aliased external interface

Daniel Miller dmiller at amfes.com
Wed Jun 30 08:54:06 BST 2004


Thank you very much for your reply.  This cleared up MOST of my 
confusion - though I still have a few questions.  My modified config is 
attached.

For DNS, I want to allow the necessary traffic to allow internet clients 
to reach my internal DNS server - I don't know if that translates to 
requests, replies, or both.  What I have now seems to be working fine - 
but maybe there are some further adjustments I should make?

I THINK I'm on the right track with my IP addresses - please tell me if 
they make sense.

The reason I used masquerade instead of SNAT was I couldn't get SNAT to 
work!  Masquerade was easy.  I've added a manual nat line to the top of 
the script - I still can't get the SNAT command to work for me - I've 
left my line commented in the router section (where it seems to me it 
should go, though error messages inform me otherwise).

Your variable template makes sense - I've tried to implement it 
accordingly.  Since it's working - I assume I got the IP addresses and 
subnets right.


version 5

FIREHOL_LOG_MODE="ULOG"

AMFESLAN_IF="eth0"
AMFESLAN_LAN="x.x.x.0/24"
AMFESLAN_IP="x.x.x.1"

AMFESEXT_IF="eth1"
AMFESEXT_LAN="y.y.y.y/27"
AMFESEXT_IP="y.y.y.y"

AMFESUS_IF="eth1"
AMFESUS_LAN="z.z.z.z/27"
AMFESUS_IP="z.z.z.z"

BASTION_IP="x.x.x.2"

nat to-destination $BASTION_IP inface "${AMFESEXT_IF}" dst "${AMFESEXT_IP}" proto tcp dport 80 log "forwarding http"
nat to-destination $BASTION_IP inface "${AMFESEXT_IF}" dst "${AMFESEXT_IP}" proto tcp dport 10000 log "forwarding webmin"
nat to-destination $BASTION_IP inface "${AMFESEXT_IF}" dst "${AMFESEXT_IP}" proto tcp dport 993 log "forwarding imaps"

# This SNAT line works - but I'd prefer to use firehol syntax.
nat to-source $AMFESEXT_IP outface "${AMFESEXT_IF}" src "${AMFESLAN_LAN}"

# I don't know what to set dst to for increased security here.  Just
# <not "${AMFESLAN_LAN}">?
interface "${AMFESLAN_IF}" lan src "${AMFESLAN_LAN}"
        policy accept

interface "${AMFESEXT_IF}" internet src not "${AMFESLAN_LAN}" dst "${AMFESEXT_IP}"
        protection strong 100/sec 50
        server dcc accept log "DCC server"
        server smtp accept log "SMTP server"
        server ssh accept log "SSH inbound"
        server custom s_ipnat udp/4500 any accept log "IPSEC_NAT inbound"
        server isakmp accept log "ISAKMP inbound"
        server ESP accept log "ESP inbound"
        server AH accept log "AH inbound"
        client all accept

interface "${AMFESUS_IF}" amfes-us src not "${AMFESLAN_LAN}" dst "${AMFESUS_IP}"
        protection strong 100/sec 50
        server dns accept log "dns serv - amfes.us"
        client dns accept log "dns client - amfes.us"

# Here, what should I set src/dst to?  <${AMFESLAN_LAN}> and
# <not ${AMFESLAN_LAN}>?
router lan2internet inface "${AMFESLAN_IF}" outface "${AMFESEXT_IF}"
#       masquerade
#       snat to "${AMFESEXT_IP}" outface "${AMFESEXT_IF}"
        route all accept

# Here, what should I set src/dst to?  <not ${AMFESLAN_LAN}> and
# <${AMFESLAN_LAN}>?
router internet2lan inface "${AMFESEXT_IF}" outface "${AMFESLAN_IF}"
        protection strong 100/sec 50
        server http accept
        server webmin accept
        server imaps accept