[Firehol-support] Isolating HOST communications
Costa Tsaousis
costa at tsaousis.gr
Sat Oct 15 10:41:16 BST 2005
Peter,
I am very sorry, but I got really confused. Could you please ask more
precise questions?
Keep in mind that FireHOL is just a packet filtering firewall, with a
few helpers for NAT, etc. FireHOL does not change your routing (it
doesn't even know it), does not set or get default gateways and does not
care about routable or unroutable networks. If your network topology is
right, FireHOL will just allow you to enforce a policy about the
communication that is allowed, or, by utilizing NAT, allow you to have
networks talk to each other that otherwise (by the topology design)
cannot.
Costa
Peter Farrell wrote:
>*Sorry - perhaps I didn't format it properly for the list previously?
>
>
>Hello:
>We are in the process of implementing FireHOL across our network.
>We have a tiered network / firewall structure.
>DMZ [hosts] Zone1 [hosts] Zone2 [hosts] Zone3 [hosts] Intranet
>Each host has interfaces that face opposite zones.
>eg. eth0:DMZ and eth1:ZONE1
>eg. eth0:ZONE1 and eth1:ZONE2
>etc.
>
>We're attempting to get Zone3 sorted out currently.
>We have nothing but a mysql master and several slaves in that zone.
>We want the master to be able to communicate to anywhere in Zone2 and
>anywhere in Zone3.
>We want the slaves to be a bit more locked down, and only accept mysql
>communications from the master, nagios communications from the nagios
>server in Zone2, ntpd sync info from a time server in Zone2, etc.
>Additionally, after this is sorted, to only accept incoming SSH
>connections from a valid 'jump-host' somewhere on the network as yet
>undetermined.
>
>*Final question:
>What is the line:
>interface eth1 interface2 src not "${UNROUTABLE_IPS} 192.168.3.0/24"
>dst 192.168.3.5/32
>Used for? Are you meant to put in double entries for all interfaces
>that act as the default gateway for each machine? If I leave the line
>out, is the net effect saying "allow traffic to this interface
>regardless if it is routable or not"?
>
>I think we're close in regards to the config, but could someone just
>have a look and chip in their advice as well?
>When we run the config w/ the commented out bits 'un-commented' the
>firewall fails to start.
>*Perhaps when I define 'mysql' as 'acceptable traffic' early on, it
>needs to be a different variable name, as there is already a client
>and server of that same name?
>The config file is from a SLAVE mysql server in Zone3
>
>Thanks in advance for your time.
>-Peter Farrell
>RedHat SysAdmin
>Scarce Skills Ltd.
>Newport, S. Wales - UK
>
>-------------------------------------------------------------------------------------------------------------------------
>#
>#!/etc/init.d/firehol
>#
>version 5
>#
>
># Network definitions
>zone2_ips="192.168.2.0/24"
>zone3_ips="192.168.3.0/24"
>
># Acceptable HOST traffic addresses
>#apcupsd="192.168.2.1 192.168.1.3"
>#nagios="192.168.2.3 192.168.1.5"
>#mysql="192.168.3.4"
>#ssh="192.168.2.0/32 192.168.3.0/32"
>#
># These aren't working at all.
># We want to specify the hosts that can communicate w/ this machine.
># i.e. ONLY send/receive mysql from the mysql master, nagios info
># from the nagios host, etc.
>#
># Custom service definitions
>server_nrpe_ports="tcp/5666"
>client_nrpe_ports="default"
>
># Local services this server should allow.
>local_services="apcupsdnis ICMP nrpe ntp mysqld ssh"
>
># At what frequency to accept local requests?
>local_requests="50/sec"
>
># Interface No 1.
>interface eth0 zone2 src "${zone2_ips}" #dst 192.168.2.2/32
>
> # The default policy is DROP. You can be more polite with REJECT.
> policy reject
>
> # Here are the services listening on eth0.
> server apcupsdnis accept # src "${apcupsd}"
> server ICMP accept
> server mysql accept # src "${mysql}"
> server nrpe accept # src "${nagios}"
> server ntp accept
> server ssh accept # src "${ssh}"
>
> client apcupsdnis accept
> client nrpe accept
> client mysql accept
> client ssh accept
>
># Interface No 2.
>interface eth1 zone3 src "${zone3_ips}" #dst 192.168.3.0/32
>
> # The default policy is DROP. You can be more polite with REJECT.
> policy reject
>
> # Here are the services listening on eth1.
> server apcupsdnis accept # src "${apcupsd}"
> server ICMP accept
> server mysql accept # src "${mysql}"
> server nrpe accept # src "${nagios}"
> server ntp accept
> server ssh accept # src "${ssh}"
>
> client apcupsdnis accept
> client nrpe accept
> client mysql accept
> client ssh accept
>--------------------------------------------------------------------------------------------------------------------
>
>
>--
>To contact me, please follow this link:
>http://public.xdi.org/=Peter.D.Farrell
>
>Thank you.
>Peter Farrell
>
>
>_______________________________________________
>Firehol-support mailing list
>Firehol-support at lists.sourceforge.net
>https://lists.sourceforge.net/lists/listinfo/firehol-support
>
>
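A version of the slave's configuration that expresses the restrictions Peter describes, added here as an example (it is not from the thread or from the FireHOL project): each `server` or `client` rule carries its own `src` or `dst`, so a service is open only to the named peer, and the interface `dst` limits matching to packets addressed to this host. Variable names are chosen not to collide with FireHOL service names; the addresses of the slave itself, the Zone2 time server and the jump host are assumed placeholders, the other addresses come from Peter's config.

```firehol
version 5

# Networks from the thread
zone2_ips="192.168.2.0/24"
zone3_ips="192.168.3.0/24"

# Peers allowed to talk to this slave. Names deliberately differ from the
# FireHOL service names (mysql, ssh, ntp, nrpe) they restrict.
this_host="192.168.3.5"          # assumed: this slave's own address
mysql_master="192.168.3.4"       # from Peter's config
nagios_host="192.168.2.3"        # from Peter's config
ntp_server="192.168.2.250"       # assumed: the time server in Zone2
jump_host="192.168.2.251"        # assumed: the yet-undetermined SSH jump host

# Custom service, as in Peter's config
server_nrpe_ports="tcp/5666"
client_nrpe_ports="default"

# Zone3-facing interface: only traffic from Zone3 addresses to this host is
# considered here; anything else falls through to the drop policy.
interface eth1 zone3 src "${zone3_ips}" dst "${this_host}"
    policy drop
    protection strong
    server ICMP  accept
    server mysql accept src "${mysql_master}"   # MySQL in only from the master
    client mysql accept dst "${mysql_master}"   # replication: slave connects out to master

# Zone2-facing interface: monitoring, time and admin access from named hosts only
interface eth0 zone2 src "${zone2_ips}" dst "${this_host}"
    policy drop
    protection strong
    server ICMP  accept
    server nrpe  accept src "${nagios_host}"    # NRPE checks only from the Nagios server
    server ssh   accept src "${jump_host}"      # SSH only via the jump host
    client ntp   accept dst "${ntp_server}"     # time sync only with the Zone2 time server
```

Because every allowed peer is stated on the rule itself, a connection attempt from any other Zone2 or Zone3 address never matches a `server` rule and is handled by the interface's `policy drop`, which is the locked-down behaviour the slaves were meant to have.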