[Firehol-support] Isolating HOST communications

Costa Tsaousis costa at tsaousis.gr
Sat Oct 15 10:41:16 BST 2005


Peter,

I am very sorry, but I got really confused. Could you please ask more 
precise questions?

Keep in mind that FireHOL is just a packet filtering firewall, with a 
few helpers for NAT, etc. FireHOL does not change your routing (it 
doesn't even know it), does not set or get default gateways and does not 
care about routable or unroutable networks. If your network topology is 
right, FireHOL will just allow you to enforce a policy about the 
communication that is allowed, or, by utilizing NAT, allow you to have 
networks talk to each other that otherwise (by the topology design) 
could not.

Costa

Peter Farrell wrote:

>*Sorry - perhaps I didn't format it properly for the list previously?
>
>
>Hello:
>We are in the process of implementing FireHOL across our network.
>We have a tiered network / firewall structure.
>DMZ [hosts] Zone1 [hosts] Zone2 [hosts] Zone3 [hosts] Intranet
>Each host has interfaces that face opposite zones.
>e.g. eth0:DMZ and eth1:ZONE1
>e.g. eth0:ZONE1 and eth1:ZONE2
>etc.
>
>We're attempting to get Zone3 sorted out currently.
>We have nothing but a mysql master and several slaves in that zone.
>We want the master to be able to communicate to anywhere in Zone2 and
>anywhere in Zone3.
>We want the slaves to be a bit more locked down, and only accept mysql
>communications from the master, nagios communications from the nagios
>server in Zone2, ntpd sync info from a time server in Zone2, etc.
>Additionally, after this is sorted, to only accept incoming SSH
>connections from a valid 'jump-host' somewhere on the network as yet
>undetermined.
>
>*Final question:
>What is the line:
>interface eth1 interface2 src not "${UNROUTABLE_IPS} 192.168.3.0/24"
>dst 192.168.3.5/32
>Used for? Are you meant to put in double entries for all interfaces
>that act as the default gateway for each machine? If I leave the line
>out, is the net effect saying "allow traffic to this interface
>regardless if it is routable or not"?
>
>I think we're close in regards to the config, but could someone just
>have a look and chip in their advice as well?
>When we run the config w/ the commented out bits 'un-commented' the
>firewall fails to start.
>*Perhaps when I define 'mysql' as 'acceptable traffic' early on, it
>needs to be a different variable name, as there is already a client
>and server of that same name?
>The config file is from a SLAVE mysql server in Zone3
>
>Thanks in advance for your time.
>-Peter Farrell
>RedHat SysAdmin
>Scarce Skills Ltd.
>Newport, S. Wales - UK
>
>-------------------------------------------------------------------------------------------------------------------------
>#
>#!/etc/init.d/firehol
>#
>version 5
>#
>
># Network definitions
>zone2_ips="192.168.2.0/24"
>zone3_ips="192.168.3.0/24"
>
># Acceptable HOST traffic addresses
>#apcupsd="192.168.2.1 192.168.1.3"
>#nagios="192.168.2.3 192.168.1.5"
>#mysql="192.168.3.4"
>#ssh="192.168.2.0/32 192.168.3.0/32"
>#
># These aren't working at all.
># We want to specify the hosts that can communicate w/ this machine.
># i.e. ONLY send/receive mysql from the mysql master, nagios info
># from the nagios host, etc.
>#
># Custom service definitions
>server_nrpe_ports="tcp/5666"
>client_nrpe_ports="default"
>
># Local services this server should allow.
>local_services="apcupsdnis ICMP nrpe ntp mysqld ssh"
>
># At what frequency to accept local requests?
>local_requests="50/sec"
>
># Interface No 1.
>interface eth0 zone2 src "${zone2_ips}" #dst 192.168.2.2/32
>
>        # The default policy is DROP. You can be more polite with REJECT.
>        policy  reject
>
>        # Here are the services listening on eth0.
>        server  apcupsdnis  accept # src "${apcupsd}"
>        server  ICMP        accept
>        server  mysql       accept # src "${mysql}"
>        server  nrpe        accept # src "${nagios}"
>        server  ntp         accept
>        server  ssh         accept # src "${ssh}"
>
>        client  apcupsdnis  accept
>        client  nrpe        accept
>        client  mysql       accept
>        client  ssh         accept
>
># Interface No 2.
>interface eth1 zone3 src "${zone3_ips}" #dst 192.168.3.0/32
>
>        # The default policy is DROP. You can be more polite with REJECT.
>        policy  reject
>
>        # Here are the services listening on eth1.
>        server  apcupsdnis  accept # src "${apcupsd}"
>        server  ICMP        accept
>        server  mysql       accept # src "${mysql}"
>        server  nrpe        accept # src "${nagios}"
>        server  ntp         accept
>        server  ssh         accept # src "${ssh}"
>
>        client  apcupsdnis  accept
>        client  nrpe        accept
>        client  mysql       accept
>        client  ssh         accept
>--------------------------------------------------------------------------------------------------------------------
>
>
>--
>To contact me, please follow this link:
>http://public.xdi.org/=Peter.D.Farrell
>
>Thank you.
>Peter Farrell
>
>
>_______________________________________________
>Firehol-support mailing list
>Firehol-support at lists.sourceforge.net
>https://lists.sourceforge.net/lists/listinfo/firehol-support
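An added configuration example (not taken from this thread or from the FireHOL project) of the per-service source restriction Peter describes for a Zone3 MySQL slave: each server rule carries its own `src`, so the slave answers MySQL only to the master, NRPE only to the Nagios host and SSH only to the jump host. The master and Nagios addresses are the ones in Peter's config; the NTP server and jump host addresses are assumed.

```firehol
version 5

# Addresses: master and nagios as in Peter's config, the rest assumed.
zone2_ips="192.168.2.0/24"
zone3_ips="192.168.3.0/24"
mysql_master="192.168.3.4"     # only host allowed to talk MySQL to this slave
nagios_host="192.168.2.3"      # runs NRPE checks against this slave
ntp_server="192.168.2.10"      # assumed address of the Zone2 time server
jump_host="192.168.2.20"       # assumed address of the SSH jump host

# NRPE is defined here as a custom service, as in Peter's config.
server_nrpe_ports="tcp/5666"
client_nrpe_ports="default"

# eth0 faces Zone2. 'src' on the interface line restricts the whole block to
# packets carrying a Zone2 source address, so a packet arriving on eth0 with a
# Zone3 or foreign source never matches any accept below (anti-spoofing for
# this link). On an internet-facing interface the same job is done with
# 'src not "${UNROUTABLE_IPS}"', since there the legitimate sources are
# "everything except the unroutable ranges"; UNROUTABLE_IPS is set by FireHOL.
interface eth0 zone2 src "${zone2_ips}"
        policy reject
        protection strong

        # Each server rule accepts requests only from the host that should
        # be sending them; anything else falls through to the reject policy.
        server icmp  accept
        server nrpe  accept src "${nagios_host}"
        server ssh   accept src "${jump_host}"

        # Outbound: the slave only needs time sync, and only from one server.
        client ntp   accept dst "${ntp_server}"

# eth1 faces Zone3, where the MySQL master lives.
interface eth1 zone3 src "${zone3_ips}"
        policy reject
        protection strong

        server icmp  accept
        # Replication: only the master may open MySQL connections to the slave.
        server mysql accept src "${mysql_master}"
        # The slave's replication I/O thread connects back to the master.
        client mysql accept dst "${mysql_master}"
```

Because every rule names a distinct variable (mysql_master rather than mysql), the variable names cannot be confused with FireHOL's built-in service names when reading the config, and a wrong address shows up as a single rejected flow in the log rather than as a silent over-permissive rule.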