[Firehol-support] Isolating HOST communications

Peter Farrell peter.d.farrell at gmail.com
Fri Oct 14 13:55:58 BST 2005


*Sorry - perhaps I didn't format it properly for the list previously?


Hello:
We are in the process of implementing FireHOL across our network.
We have a tiered network / firewall structure.
DMZ [hosts] Zone1 [hosts] Zone2 [hosts] Zone3 [hosts] Intranet
Each host has interfaces that face opposite zones.
eg. eth0:DMZ and eth1:ZONE1
eg. eth0:ZONE1 and eth1:ZONE2
etc.

We're attempting to get Zone3 sorted out currently.
We have nothing but a mysql master and several slaves in that zone.
We want the master to be able to communicate to anywhere in Zone2 and
anywhere in Zone3.
We want the slaves to be a bit more locked down, and only accept mysql
communications from the master, nagios communications from the nagios
server in Zone2, ntpd sync info from a time server in Zone2, etc.
Additionally, after this is sorted, to only accept incoming SSH
connections from a valid 'jump-host' somewhere on the network as yet
undetermined.

*Final question:
What is the line:
interface eth1 interface2 src not "${UNROUTABLE_IPS} 192.168.3.0/24"
dst 192.168.3.5/32
Used for? Are you meant to put in double entries for all interfaces
that act as the default gateway for each machine? If I leave the line
out, is the net effect saying "allow traffic to this interface
regardless if it is routable or not"?

I think we're close in regards to the config, but could someone just
have a look and chip in their advice as well?
When we run the config w/ the commented out bits 'un-commented' the
firewall fails to start.
*Perhaps when I define 'mysql' as 'acceptable traffic' early on, it
needs to be a different variable name, as there is already a client
and server of that same name?
The config file is from a SLAVE mysql server in Zone3

Thanks in advance for your time.
-Peter Farrell
RedHat SysAdmin
Scarce Skills Ltd.
Newport, S. Wales - UK

-------------------------------------------------------------------------------------------------------------------------
#
#!/etc/init.d/firehol
#
version 5
#

# Network definitions
zone2_ips="192.168.2.0/24"
zone3_ips="192.168.3.0/24"

# Acceptable  HOST traffic addresses
#apcupsd="192.168.2.1 192.168.1.3"
#nagios="192.168.2.3 192.168.1.5"
#mysql="192.168.3.4"
#ssh="192.168.2.0/32 192.168.3.0/32"
#
# These aren't working at all.
# We want to specify the hosts that can communicate w/ this machine.
# i.e. ONLY send/receive mysql from the mysql master, nagios info
# from the nagios host, etc.
#
# Custom service definitions
server_nrpe_ports="tcp/5666"
client_nrpe_ports="default"

# Local services this server should allow.
local_services="apcupsdnis ICMP nrpe ntp mysqld ssh"

# At what frequency to accept local requests?
local_requests="50/sec"

# Interface No 1.
interface eth0 zone2 src "${zone2_ips}" #dst 192.168.2.2/32

        # The default policy is DROP. You can be more polite with REJECT.
        policy  reject

        # Here are the services listening on eth0.
        server  apcupsdnis     accept # src "${apcupsd}"
        server  ICMP            accept
        server  mysql            accept # src "${mysql}"
        server  nrpe              accept # src "${nagios}"
        server  ntp                accept
        server  ssh                accept # src "${ssh}"

        client  apcupsdnis      accept
        client  nrpe                accept
        client  mysql             accept
        client  ssh                 accept

# Interface No 2.
interface eth1 zone3 src "${zone3_ips}" #dst 192.168.3.0/32

        # The default policy is DROP. You can be more polite with REJECT.
        policy  reject

        # Here are the services listening on eth1.
        server  apcupsdnis      accept # src "${apcupsd}"
        server  ICMP             accept
        server  mysql             accept # src "${mysql}"
        server  nrpe               accept # src "${nagios}"
        server  ntp                 accept
        server  ssh                 accept # src "${ssh}"

        client  apcupsdnis       accept
        client  nrpe                accept
        client  mysql              accept
        client  ssh                  accept
--------------------------------------------------------------------------------------------------------------------


--
To contact me, please follow this link:
http://public.xdi.org/=Peter.D.Farrell

Thank you.
Peter Farrell




More information about the Firehol-support mailing list