[Firehol-support] Isolating HOST communications

Costa Tsaousis costa at tsaousis.gr
Tue Oct 18 21:02:07 BST 2005

Peter Farrell wrote:

>Question 1:
>Do you simply use 'src' and 'dst' with your 'server' and 'client' to
>specify which hosts are acceptable?
>Can you define a server by its IP address in 'network definitions'
>then reference that with 'src' and 'dst' to control
>traffic to and from it?
Yes. Define whatever you like. FireHOL configuration files are BASH 
scripts. If you don't know BASH scripting the site has a few links to 
documentation for learning BASH scripting.

>Would you set up the server / client in firehol.conf as follows:
># Network definitions
>mysql_data="" 				#IP address of mysql MASTER
># Custom service definitions
># Local services this server should allow.
>local_services="apcupsdnis ICMP nrpe ntp mysqld ssh"
># At what frequency to accept local requests?
># Interface No 1.
>interface eth0 zone2 src "${zone2_ips}" #dst
>        policy  reject
>        server  apcupsdnis    accept
>        server  ICMP            accept
>        server  mysql            accept src "${mysql_data}"
>        server  nrpe              accept
>        server  ntp               accept
>        server  ssh               accept
>        client  apcupsdnis      accept
>        client  nrpe               accept
>        client  mysql             accept dst "${mysql_data}"
>        client  ssh                accept
The above does not seem right.
On the mysql server do:


interface eth0 zone2 src "the.zone2.lan.definition" dst "my.zone2.ip"
    server mysql accept src "${valid_mysql_clients}"

Now, on the mysql clients do:


interface eth0 zone2 src "the.zone2.lan.definition" dst "my.zone2.ip"
    client mysql accept dst "${mysql_server}"

Pay attention to the use of 'src' and 'dst'. They always follow the 
REQUEST and as the documentation says, for FireHOL the server always 
accepts requests and the client always sends requests. The replies are 
handled automatically.

>Question 2:
>On the line for the interface:
>interface eth0 zone2 src "${zone2_ips}" dst
>When you keep the 'dst <address>' on the line, does that mean that any
>traffic bound for an address that isn't in that range gets dropped?
>If you left it open, (i.e. did not include any 'dst' statement) would
>it allow all traffic out, no matter the address?
>If you wanted to allow 'dst' traffic on more than one network, would
>you simply string them together on that line?
>Such as: interface eth0 zone2 src "${zone2_ips}" dst {
>If that is correct, could you just define it earlier in the config and
>reference it like I've done with the 'src = zone2_ips' ?
src matches the "source of requests"
dst matches the "destination of requests"

Let's now see what is happening on interfaces (think of it as a 'server'):

src matches the remote hosts that will send the requests to this interface
dst matches the interface itself, so it is the IPs this interface has

So assuming that I have my eth0 with IP on LAN, then 
my interface is:

interface eth0 myname src dst ""

Note that I have added the broadcast address to the addresses on which this host 
accepts requests.

If now, via the same interface there is another foreign LAN 
that is accessible via some other router, I can have:

interface eth0 myname src "" dst ""
    client and server commands

or, if I want to have separate control on the access rights of the two LANs:

interface eth0 lan1 src "" dst ""
    client and server commands for

interface eth0 lan2 src "" dst ""
    client and server commands for

I hope you got the idea...
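To make the "src/dst follow the REQUEST" rule concrete, here is an added illustration (not FireHOL's own code and not part of the original message) that spells out, in plain POSIX shell, the iptables rules a `server mysql accept src ...` statement and a `client mysql accept dst ...` statement stand for, and checks which new requests each host would accept. All addresses (10.2.0.0/24, the server 10.2.0.10, the clients 10.2.0.20/21) and the port 3306 are constructed for the example.

```shell
#!/bin/sh
# Constructed illustration of FireHOL src/dst semantics (not FireHOL code).
# Addresses below are made up for the example.
MYSQL_SERVER="10.2.0.10"                   # stands in for ${mysql_server}
VALID_MYSQL_CLIENTS="10.2.0.20 10.2.0.21"  # stands in for ${valid_mysql_clients}
MYSQL_PORT=3306

in_list() {  # in_list VALUE "A B C" -> 0 if VALUE is one of the words
    for w in $2; do [ "$1" = "$w" ] && return 0; done
    return 1
}

# Rule a 'server' statement stands for: the request ARRIVES on the interface,
# so -s is the remote requester (src) and -d is this host's own address (dst).
server_rule() {  # server_rule IFACE PORT REQ_SRC REQ_DST
    printf 'iptables -A INPUT -i %s -p tcp --dport %s -s %s -d %s -m conntrack --ctstate NEW -j ACCEPT\n' "$1" "$2" "$3" "$4"
}

# Rule a 'client' statement stands for: the request LEAVES the interface, so
# -s is this host (src) and -d is the remote server (dst). Replies need no
# rule of their own: one ESTABLISHED rule covers them in both directions.
client_rule() {  # client_rule IFACE PORT REQ_SRC REQ_DST
    printf 'iptables -A OUTPUT -o %s -p tcp --dport %s -s %s -d %s -m conntrack --ctstate NEW -j ACCEPT\n' "$1" "$2" "$3" "$4"
}

# Does the mysql SERVER host accept a new request from REQ_SRC to REQ_DST:PORT
# under 'server mysql accept src "${valid_mysql_clients}"'?
server_accepts() {  # server_accepts REQ_SRC REQ_DST PORT -> prints ACCEPT/REJECT
    if [ "$3" = "$MYSQL_PORT" ] && [ "$2" = "$MYSQL_SERVER" ] \
       && in_list "$1" "$VALID_MYSQL_CLIENTS"; then
        echo ACCEPT
    else
        echo REJECT
    fi
}

# May a mysql CLIENT host open a new request to REQ_DST:PORT under
# 'client mysql accept dst "${mysql_server}"'?
client_accepts() {  # client_accepts REQ_DST PORT -> prints ACCEPT/REJECT
    if [ "$2" = "$MYSQL_PORT" ] && [ "$1" = "$MYSQL_SERVER" ]; then
        echo ACCEPT
    else
        echo REJECT
    fi
}

# Show what the two statements expand to: one INPUT rule per allowed client
# on the server, one OUTPUT rule on each client.
for c in $VALID_MYSQL_CLIENTS; do server_rule eth0 "$MYSQL_PORT" "$c" "$MYSQL_SERVER"; done
client_rule eth0 "$MYSQL_PORT" 10.2.0.20 "$MYSQL_SERVER"
```

A request from a host that is not in the client list (for example 10.2.0.99) is rejected on the server even though it is on the same LAN, which is exactly the isolation the src argument buys you.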
