[Firehol-support] Basic lan gateway

Marcus Williams marcus at quintic.co.uk
Thu Jun 23 11:34:54 BST 2005

Hi -

I set up a new machine last week with firehol as a basic lan gateway. 
The config I used was (standard tutorial tweaked for certain services 
and from ppp to eth1 for internet):

	version 5
	# The network of our eth0 LAN.
	interface eth0 home src "${home_ips}"
		policy reject
		server "dns ssh icmp"	accept
		client "icmp"	accept
	interface eth1 internet src not "${home_ips} ${UNROUTABLE_IPS}"
		protection strong 10/sec 10		
		server ident reject with tcp-reset		
		client all		accept
	router internet2home inface eth1 outface eth0
		masquerade reverse
		client all	accept
		server ident	reject with tcp-reset

eth1 gets a private IP of via dhcp from the adsl router. DNS 
is running on this box serving as a dns cache for external dns, and as 
standard dns for internal dns requests if you see what I mean. You can 
do both internal and external DNS requests from this box with no 
problems and internet access works fine.

This was working all week until the machine got rebooted this morning 
and the routing of external dns queries has just stopped. LAN machines 
can query internal machine hostnames  from this box, but external 
queries just break very quickly with cannot connect to server errors. 
You can ping an external IP so the masq seems to be working. DNS appears 
to be knackered though from the internal LAN.

If I watch the traffic on eth1 with tcpdump dns queries are occuring but 
they've already timed out on the querying machine (it comes back with 
the error pretty fast). I'm wondering if I'm missing something in the 
config? Perhaps the protection limits are breaking things?

Any ideas?



Marcus Williams -- http://www.cad-schroer.co.uk
CAD Schroer UK, 39 Newnham Road, Cambridge, UK

More information about the Firehol-support mailing list