[Firehol-support] Isolating HOST communications
Peter Farrell
peter.d.farrell at gmail.com
Fri Oct 14 10:32:23 BST 2005
Hello:
We are in the process of implementing FireHOL across our network.
We have a tiered network / firewall structure.
DMZ [hosts] Zone1 [hosts] Zone2 [hosts] Zone3 [hosts] Intranet
Each host has interfaces that face opposite zones.
e.g. eth0:DMZ and eth1:ZONE1
e.g. eth0:ZONE1 and eth1:ZONE2
etc.
We're attempting to get Zone3 sorted out currently.
We have nothing but a mysql master and several slaves in that zone.
We want the master to be able to communicate to anywhere in Zone2 and
anywhere in Zone3.
We want the slaves to be a bit more locked down, and only accept mysql
communications from the master, nagios communications from the nagios
server in Zone2, ntpd sync info from a time server in Zone2, etc.
Additionally, after this is sorted, we want them to only accept incoming
SSH connections from a valid 'jump-host' somewhere on the network, as yet
undetermined.
I think we're close with regard to the config, but could someone just
have a look and chip in their advice as well?
When we run the config with the commented-out bits un-commented, the
firewall fails to start.
The config file is from a SLAVE mysql server in Zone3.
Thanks in advance for your time.
-Peter Farrell
RedHat SysAdmin
Scarce Skills Ltd.
Newport, S. Wales - UK
-------------------------------------------------------------------------------------------------------------------------
#
#!/etc/init.d/firehol
#
version 5
#
# Network definitions
zone2_ips="192.168.2.0/24"
zone3_ips="192.168.3.0/24"
# Acceptable HOST traffic addresses.
# Each is a space-separated list of addresses or networks, intended to be
# passed as the "src" rule parameter of the matching server line below.
#apcupsd="192.168.2.1 192.168.1.3"
#nagios="192.168.2.3 192.168.1.5"
#mysql="192.168.3.4"
# A /32 prefix denotes a single host: the original value
# "192.168.2.0/32 192.168.3.0/32" would have matched only the addresses
# 192.168.2.0 and 192.168.3.0, not the zones. /24 covers each zone.
#ssh="192.168.2.0/24 192.168.3.0/24"
#
# These aren't working at all.
# We want to specify the hosts that can communicate w/ this machine.
# i.e. ONLY send/receive mysql from the mysql master, nagios info
# from the nagios host, etc.
#
# Custom service definitions
# nrpe (the Nagios NRPE agent) is defined as a simple service: the server
# side listens on tcp/5666, the client side may use any source port.
server_nrpe_ports="tcp/5666"
client_nrpe_ports="default"
# Local services this server should allow.
# NOTE: local_services and local_requests are not FireHOL directives; they
# are plain shell variables that nothing below reads, so they document
# intent only. The FireHOL service name is "mysql", not "mysqld".
local_services="apcupsdnis ICMP nrpe ntp mysql ssh"
# At what frequency to accept local requests?
local_requests="50/sec"
# Interface No 1: eth0 faces Zone2. Only packets with a Zone2 source
# address are handled by this interface's rules. The optional "dst" would
# further restrict them to this host's own eth0 address.
interface eth0 zone2 src "${zone2_ips}" #dst 192.168.2.2/32
# The default policy is DROP. You can be more polite with REJECT.
policy reject
# Here are the services listening on eth0.
# To restrict a service to particular peers, append the "src" rule
# parameter, e.g.:  server mysql accept src "${mysql}"
server apcupsdnis accept # src "${apcupsd}"
server ICMP accept
server mysql accept # src "${mysql}"
server nrpe accept # src "${nagios}"
server ntp accept
server ssh accept # src "${ssh}"
# Outbound connections this host may initiate on eth0.
client apcupsdnis accept
client nrpe accept
client mysql accept
client ssh accept
# ntpd polls the Zone2 time server, i.e. this host is the NTP client;
# without this line the outbound poll is rejected by the policy above.
client ntp accept
# Interface No 2: eth1 faces Zone3 (where the mysql master lives).
# NOTE: 192.168.3.0 is the network address of Zone3, not a host; a "dst"
# here should name this host's own eth1 address.
interface eth1 zone3 src "${zone3_ips}" #dst 192.168.3.0/32
# The default policy is DROP. You can be more polite with REJECT.
policy reject
# Here are the services listening on eth1.
server apcupsdnis accept # src "${apcupsd}"
server ICMP accept
server mysql accept # src "${mysql}"
server nrpe accept # src "${nagios}"
server ntp accept
server ssh accept # src "${ssh}"
# Outbound connections this host may initiate on eth1. Replication is
# initiated by the slave, so "client mysql" is what lets the slave reach
# the master.
client apcupsdnis accept
client nrpe accept
client mysql accept
client ssh accept
--------------------------------------------------------------------------------------------------------------------
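The configuration below is an added example, written by the editor for the same FireHOL 1.x `version 5` syntax; it is not the original poster's file and not FireHOL's own documentation. It shows the per-peer lockdown the post asks for on a Zone3 slave: every inbound service is pinned with the "src" rule parameter to the one host that should use it, and every outbound connection is pinned with "dst". The mysql master (192.168.3.4), nagios server (192.168.2.3) and apcupsd host (192.168.2.1) are the addresses given in the post; the time server (192.168.2.4) and jump host (192.168.2.10) are assumed placeholders, since the post leaves the jump host undetermined.

```firehol
# FireHOL config for a MySQL SLAVE in Zone3 (added example, not the
# poster's config). Addresses marked "assumed" are placeholders.
version 5

# Zones, as in the post.
zone2_ips="192.168.2.0/24"
zone3_ips="192.168.3.0/24"

# The only peers this slave is allowed to talk to. Descriptive variable
# names keep them visibly distinct from the FireHOL service names.
mysql_master="192.168.3.4"      # from the post
nagios_server="192.168.2.3"     # from the post
apcupsd_master="192.168.2.1"    # from the post
ntp_server="192.168.2.4"        # assumed: Zone2 time server
jump_host="192.168.2.10"        # assumed: the post says this is undetermined

# nrpe is not a built-in service in this FireHOL release, so define it.
server_nrpe_ports="tcp/5666"
client_nrpe_ports="default"

# ---- eth0: faces Zone2 ------------------------------------------------
interface eth0 zone2 src "${zone2_ips}"
    policy drop
    protection strong
    # Inbound: each service accepted only from the host that needs it.
    server ICMP accept src "${nagios_server}"
    server nrpe accept src "${nagios_server}"
    server ssh  accept src "${jump_host}"
    # Outbound: this host is only an NTP and apcupsd NIS client here.
    client ntp        accept dst "${ntp_server}"
    client apcupsdnis accept dst "${apcupsd_master}"

# ---- eth1: faces Zone3 ------------------------------------------------
interface eth1 zone3 src "${zone3_ips}"
    policy drop
    protection strong
    # Replication is initiated by the slave, so the slave is the CLIENT.
    # The server rule is only needed if something on the master connects
    # back to this slave's mysql port; both are pinned to the master.
    client mysql accept dst "${mysql_master}"
    server mysql accept src "${mysql_master}"
    # Everything else from Zone3, including other slaves, hits the policy.
```

Load it with `firehol try`, which activates the rules and rolls them back automatically unless you confirm within the timeout, so a mistake cannot lock you out of the box; `firehol debug` prints the generated iptables commands without applying them, which is the quickest way to see exactly which source addresses each ACCEPT rule carries. Note that "src"/"dst" are taken from the point of view of the request, so on a `client` line "dst" is the remote server; FireHOL generates the reverse-direction rules for the replies itself.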