[Firehol-support] Quick review of conf

Frederik Dannemare frederik at dannemare.net
Fri Nov 5 14:13:12 GMT 2004


Hi everybody,

I have recently started using firehol, and I'm certainly pleased with 
it. However, just to make sure I'm not doing anything utterly wrong 
security-wise, I'd like some veteran firehol eyes to glance over 
my configuration below.

Does it look somewhat sane, or am I missing something important?
Thanks in advance.



# Interfaces and address ranges used throughout this configuration.
# PUBLIC_IP is a fixed address (last octet masked for the list); the snat
# rules further down rewrite all outbound traffic to it.
PUBLIC_IFACE="eth1"
PUBLIC_IP="83.88.170.xxx"
WLAN_IFACE="wlan0"
LAN_IFACE="eth0"
# The two internal segments (RFC 1918 ranges); both are NATed out eth1.
WLAN_NETWORK="192.168.11.0/24"
LAN_NETWORK="192.168.1.0/24"




# Custom FireHOL service definitions (server_<name>_ports / client_<name>_ports).
# The names "gnutella" and "torrent" are referenced by the route rules below.
server_gnutella_ports="tcp/6346 udp/6346"
client_gnutella_ports="default"

# BitTorrent listening range; must stay in sync with the dnat rules below.
server_torrent_ports="tcp/6881:6889"
client_torrent_ports="default"




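# Make gateway act as a source NAT (SNAT) router for the WLAN/LAN.
#
# Each snat rule must be ONE line.  As pasted, the 'dst not ...' part had
# wrapped onto a line of its own; bash would then run it as a separate
# (non-existent) command and the exclusion would silently not apply.
# 'dst not UNROUTABLE_IPS' leaves traffic to private/reserved ranges
# un-NATed (UNROUTABLE_IPS is not defined in this file; it is FireHOL's
# predefined list of such ranges).  The two rules could also be merged by
# giving src both networks, but they are kept separate for readability.
snat to "${PUBLIC_IP}" outface "${PUBLIC_IFACE}" src "${WLAN_NETWORK}" dst not "${UNROUTABLE_IPS}"
snat to "${PUBLIC_IP}" outface "${PUBLIC_IFACE}" src "${LAN_NETWORK}" dst not "${UNROUTABLE_IPS}"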




# Forward gnutella and bittorrent traffic to internal machine.
#
# 192.168.11.4 lives on the WLAN segment.  These rules only rewrite the
# destination address; the matching forwarding permission is the
# internet2wlan router below.  Be aware that this host is reachable from
# the whole Internet on these ports and, through the wlan2lan router,
# has unrestricted access to the wired LAN if it is ever compromised.
dnat to 192.168.11.4 inface "${PUBLIC_IFACE}" proto tcp dport 6346
dnat to 192.168.11.4 inface "${PUBLIC_IFACE}" proto udp dport 6346
dnat to 192.168.11.4 inface "${PUBLIC_IFACE}" proto tcp dport 6881:6889




# WLAN/LAN is trusted and therefore all connections from
# the WLAN/LAN to the gateway (and vice versa) are accepted.
#
# NOTE(review): 'policy accept' means anyone who can associate with the
# wireless network gets unrestricted access to every service on the
# gateway (and, via the routers below, to the wired LAN).  That is only
# as safe as the WLAN's own access control; if it is not well secured,
# consider giving wlan0 explicit server/client rules like the Internet
# interface instead of a blanket accept.
interface "${WLAN_IFACE}" wlan
 policy accept

interface "${LAN_IFACE}" lan
 policy accept




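# Only incoming http and ssh requests to the gateway are allowed.
#
# The interface line must be ONE line (the 'dst' part had wrapped in the
# paste).  Restricting it to src not UNROUTABLE_IPS / dst PUBLIC_IP means
# packets from spoofed private sources, or addressed to anything but our
# own address, never match these rules and fall through to FireHOL's
# default drop for unmatched traffic.
interface "${PUBLIC_IFACE}" internet src not "${UNROUTABLE_IPS}" dst "${PUBLIC_IP}"
 # 'strong' turns on FireHOL's built-in packet-sanity and flood checks.
 protection  strong
 # Drop Windows file-sharing noise silently rather than logging it.
 server  netbios_ns    drop
 server  netbios_ssn   drop
 server  netbios_dgm   drop
 server  microsoft_ds  drop
 # Reset ident so remote mail/IRC servers do not wait for a timeout.
 server  ident         reject with tcp-reset
 server  http  accept
 # ssh is open to the whole Internet.  If the admin addresses are known,
 # add e.g. 'src "a.b.c.d"' to this rule to cut brute-force exposure.
 server  ssh   accept
 client  dns   accept
 # NOTE(review): PUBLIC_IP is fixed above, so a dhcp client looks
 # unnecessary.  If the address really is DHCP-assigned, the src/dst
 # restriction on this interface will not match the broadcast DHCP
 # exchange -- confirm against the FireHOL docs before relying on it.
 client  dhcp  accept
 # FireHOL service names are lowercase; "ICMP" changed to "icmp" (the
 # lowercase form is valid regardless of whether FireHOL folds case).
 client  icmp  accept
 client  smtp  accept
 client  ssh   accept
 # Outbound http from the gateway itself only to these two hosts.
 client  http  accept dst "130.230.54.99 194.109.137.218"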




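# Allow WLAN/LAN clients to route requests through the gateway
# to any service on the Internet they may wish to access. And
# allow WLAN and LAN to communicate with each other in any way.
#
# The snat rules above exclude UNROUTABLE_IPS.  Without the matching
# 'dst not' here, an internal client's packet to a private/reserved
# address would still be forwarded out the public interface with its
# private source address intact.  Excluding those destinations keeps
# forwarding and NAT consistent.
router wlan2internet inface "${WLAN_IFACE}" outface "${PUBLIC_IFACE}" dst not "${UNROUTABLE_IPS}"
 route  all  accept

router lan2internet inface "${LAN_IFACE}" outface "${PUBLIC_IFACE}" dst not "${UNROUTABLE_IPS}"
 route  all  accept

# NOTE(review): full bidirectional trust between the two segments means a
# compromised WLAN host (e.g. the P2P box exposed by the dnat rules) can
# reach everything on the wired LAN.
router wlan2lan inface "${WLAN_IFACE}" outface "${LAN_IFACE}"
 route  all  accept

router lan2wlan inface "${LAN_IFACE}" outface "${WLAN_IFACE}"
 route  all  accept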




# Allow gnutella and bittorrent requests from the Internet to be routed
# through the gateway to the WLAN.
#
# Forwarding-side counterpart of the dnat rules above.  By the time these
# rules are evaluated DNAT has already rewritten the destination, so adding
# 'dst 192.168.11.4' to each route would tie the permission to the one
# forwarded host instead of any address on the WLAN.
router internet2wlan inface "${PUBLIC_IFACE}" outface "${WLAN_IFACE}"
 route  gnutella  accept
 route  torrent   accept





-- 
Frederik Dannemare | mailto:frederik at dannemare.net
http://qa.debian.org/developer.php?login=Frederik+Dannemare
http://frederik.dannemare.net | http://www.linuxworlddomination.dk



