[Firehol-support] dns?

Rick Marshall rjm at zenucom.com
Wed May 4 08:32:24 BST 2005


Goetz Bock wrote:

>On Wed, May 04 '05 at 12:29, Rick Marshall wrote:
>  
>
>>interface eth1 inet src "${access_ip}"
>>       protection strong 100/sec 200
>>       policy reject
>>       server "${services}" accept
>>       client all accept
>>
>>    
>>
>
>try this:
>
>interface eth1 inet
>       protection strong 100/sec 200
>       policy reject
>       server "${services}" accept src "${access_ip}"
>       client all accept
>  
>
<snip />

Thanks for that - I don't quite understand why it works better, but it does.

I've changed policy to drop - basically I don't want all those Chinese 
hackers logged, don't want to tell them we're there, just want to ignore 
them. Their problem if they have long timeouts ;)

Behind the firewall is a small office network (192.168.5.0/24). It seems 
to work ok, but I'm still getting this in the logs:

May  4 15:25:31 china kernel: PASS-unknown:IN=eth0 OUT=eth1 
SRC=192.168.5.247 DST=65.54.194.118 LEN=40 TOS=0x00 PREC=0x00 TTL=127 
ID=53511 DF PROTO=TCP SPT=2854 DPT=80 WINDOW=16688 RES=0x00 ACK FIN URGP=0

which looks like someone trying to get a web page, but I checked with 
them and they can browse the internet ok.

I have:

router office2inet inface eth0 outface eth1
        route all accept

which I thought would pass all traffic?

rick
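Added example, not from the thread or from the FireHOL project: a small Python parser for the kernel netfilter log line quoted in the message above. It separates the syslog prefix, the log label that precedes the first colon (the FireHOL chain name `PASS-unknown` here), the `KEY=VALUE` fields, and the bare TCP and IP flag words, so that a logged packet can be read for what it is. Both sample lines are constructed (the second is a plain SYN added for contrast), and the class and function names are my own.

```python
import re
from dataclasses import dataclass


# Constructed sample input: the line quoted in the message above, syslog prefix included.
SAMPLE_LOG = (
    "May  4 15:25:31 china kernel: PASS-unknown:IN=eth0 OUT=eth1 "
    "SRC=192.168.5.247 DST=65.54.194.118 LEN=40 TOS=0x00 PREC=0x00 TTL=127 "
    "ID=53511 DF PROTO=TCP SPT=2854 DPT=80 WINDOW=16688 RES=0x00 ACK FIN URGP=0"
)

# Constructed sample input: a plain SYN (a connection attempt) for contrast.
SAMPLE_SYN = (
    "May  4 15:26:02 china kernel: PASS-unknown:IN=eth0 OUT=eth1 "
    "SRC=192.168.5.247 DST=65.54.194.118 LEN=48 TOS=0x00 PREC=0x00 TTL=127 "
    "ID=53600 DF PROTO=TCP SPT=2860 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0"
)

# netfilter writes TCP and IP flags as bare words with no '=' sign.
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
IP_FLAGS = {"DF", "MF", "CE"}

# syslog timestamp, host, "kernel:", then the log prefix up to the first colon.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"(?P<prefix>[^:]*):(?P<rest>.*)$"
)


@dataclass
class NetfilterLogEntry:
    timestamp: str
    host: str
    prefix: str          # log prefix, e.g. the FireHOL chain label "PASS-unknown"
    fields: dict         # KEY=VALUE pairs: IN, OUT, SRC, DST, PROTO, SPT, DPT, ...
    tcp_flags: frozenset
    ip_flags: frozenset

    @property
    def opens_connection(self) -> bool:
        # A bare SYN (no ACK) is the first segment of a new TCP connection.
        return "SYN" in self.tcp_flags and "ACK" not in self.tcp_flags

    @property
    def closes_connection(self) -> bool:
        # FIN or RST only appear at the end of a connection's life.
        return bool(self.tcp_flags & {"FIN", "RST"})


def parse_netfilter_line(line: str):
    """Parse one kernel netfilter log line; return None if the line is not one."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    fields, tcp_flags, ip_flags = {}, set(), set()
    for tok in m.group("rest").split():
        if "=" in tok:
            key, value = tok.split("=", 1)   # "OUT=" yields an empty value
            fields[key] = value
        elif tok in TCP_FLAGS:
            tcp_flags.add(tok)
        elif tok in IP_FLAGS:
            ip_flags.add(tok)
    return NetfilterLogEntry(
        timestamp=m.group("ts"),
        host=m.group("host"),
        prefix=m.group("prefix"),
        fields=fields,
        tcp_flags=frozenset(tcp_flags),
        ip_flags=frozenset(ip_flags),
    )


def summarize(entry: NetfilterLogEntry) -> str:
    """One-line summary: chain label, interfaces, addresses and ports, TCP flags."""
    f = entry.fields
    flags = ",".join(sorted(entry.tcp_flags)) or "-"
    return (
        f"{entry.prefix}: {f.get('IN', '?')}->{f.get('OUT', '?') or '-'} "
        f"{f.get('SRC')}:{f.get('SPT', '-')} -> {f.get('DST')}:{f.get('DPT', '-')} "
        f"{f.get('PROTO')} flags={flags}"
    )


if __name__ == "__main__":
    for raw in (SAMPLE_LOG, SAMPLE_SYN):
        e = parse_netfilter_line(raw)
        print(summarize(e), "| opens:", e.opens_connection, "closes:", e.closes_connection)
```

Run on the quoted line, the parser reports flags `ACK,FIN` and no `SYN`: the segment is the tail end of a TCP session to port 80, not an attempt to open one, so this log line on its own is consistent with the users being able to browse. Sorting the chain label and flag set out of each line is the first step in deciding which `PASS-unknown` entries are worth chasing.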
