[Firehol-support] Quick review of conf

Frederik Dannemare frederik at dannemare.net
Fri Nov 5 14:13:12 GMT 2004

Hi everybody,

I have recently started using firehol, and I'm certainly pleased with 
it. However, just to make sure I'm not doing anything utterly wrong 
security-wise, I'd like for firehol veteran eyes to quickly glance over 
my conf below.

Does it look somewhat sane, or am I missing something important?
Thanks in advance.


# Custom service definition: FireHOL needs both the server and the client
# side declared before "gnutella" can be used in server/client/route rules.
server_gnutella_ports="tcp/6346 udp/6346"
client_gnutella_ports="default"


# Make gateway act as a source NAT (SNAT) router for the WLAN/LAN.
snat to "${PUBLIC_IP}" outface "${PUBLIC_IFACE}" src "${WLAN_NETWORK}" dst not "${UNROUTABLE_IPS}"
snat to "${PUBLIC_IP}" outface "${PUBLIC_IFACE}" src "${LAN_NETWORK}" dst not "${UNROUTABLE_IPS}"

# Forward gnutella and bittorrent traffic to internal machine.
dnat to inface "${PUBLIC_IFACE}" proto tcp dport 6346
dnat to inface "${PUBLIC_IFACE}" proto udp dport 6346
dnat to inface "${PUBLIC_IFACE}" proto tcp dport 6881:6889

# WLAN/LAN is trusted and therefore all connections from
# the WLAN/LAN to the gateway (and vice versa) are accepted.
interface "${WLAN_IFACE}" wlan
 policy accept

interface "${LAN_IFACE}" lan
 policy accept

# Only incoming http and ssh requests to the gateway are allowed.
interface "${PUBLIC_IFACE}" internet src not "${UNROUTABLE_IPS}" dst 
 protection  strong
 server  netbios_ns    drop
 server  netbios_ssn   drop
 server  netbios_dgm   drop
 server  microsoft_ds  drop
 server  ident         reject with tcp-reset
 server  http  accept
 server  ssh   accept
 client  dns   accept
 client  dhcp  accept
 client  icmp  accept   # FireHOL service names are lowercase ("ICMP" is not a defined service)
 client  smtp  accept
 client  ssh   accept
 client  http  accept dst ""

# Allow WLAN/LAN clients to route requests through the gateway
# to any service on the Internet they may wish to access. And
# allow WLAN and LAN to communicate with each other in any way.
router wlan2internet inface "${WLAN_IFACE}" outface "${PUBLIC_IFACE}"
 route  all  accept

router lan2internet inface "${LAN_IFACE}" outface "${PUBLIC_IFACE}"
 route  all  accept

router wlan2lan inface "${WLAN_IFACE}" outface "${LAN_IFACE}"
 route  all  accept

router lan2wlan inface "${LAN_IFACE}" outface "${WLAN_IFACE}"
 route  all  accept

# Allow gnutella and bittorrent requests from the Internet to be routed
# through the gateway to the WLAN.
router internet2wlan inface "${PUBLIC_IFACE}" outface "${WLAN_IFACE}"
 route  gnutella  accept
 route  torrent   accept

Frederik Dannemare | mailto:frederik at dannemare.net
http://frederik.dannemare.net | http://www.linuxworlddomination.dk
