[Firehol-support] Isolating HOST communications
Costa Tsaousis
costa at tsaousis.gr
Tue Oct 18 21:02:07 BST 2005
Peter Farrell wrote:
>Question 1:
>Do you simply use 'src' and 'dst' with your 'server' and 'client' to
>specify which hosts are acceptable?
>Can you define a server by its IP address in 'network definitions'
>then reference that with 'src' and 'dst' to control
>traffic to and from it?
>
>
Yes. Define whatever you like. FireHOL configuration files are BASH
scripts. If you don't know BASH scripting the site has a few links to
documentation for learning BASH scripting.
>Would you set up the server / client in firehol.conf as follows:
>
>==========================================================
># Network definitions
>zone2_ips="192.168.2.2/24"
>
>mysql_data="192.168.3.4" #IP address of mysql MASTER
>
># Custom service definitions
>server_nrpe_ports="tcp/5666"
>client_nrpe_ports="default"
>
># Local services this server should allow.
>local_services="apcupsdnis ICMP nrpe ntp mysqld ssh"
>
># At what frequency to accept local requests?
>local_requests="50/sec"
>
># Interface No 1.
>interface eth0 zone2 src "${zone2_ips}" #dst 192.168.2.0/32
>
> policy reject
>
> server apcupsdnis accept
> server ICMP accept
> server mysql accept src "${mysql_data}"
> server nrpe accept
> server ntp accept
> server ssh accept
>
> client apcupsdnis accept
> client nrpe accept
> client mysql accept dst "${mysql_data}"
> client ssh accept
>
>============================================
>
>
>
The above does not seem right.
On the mysql server do:
valid_mysql_clients="1.1.1.1 1.1.1.2 1.1.1.3"
interface eth0 zone2 src "the.zone2.lan.definition" dst "my.zone2.ip my.broadcast.of.zone2"
...
server mysql accept src "${valid_mysql_clients}"
...
Now, on the mysql clients do:
mysql_server="the.ip.of.the.mysql.server"
interface eth0 zone2 src "the.zone2.lan.definition" dst "my.zone2.ip my.broadcast.of.zone2"
...
client mysql accept dst "${mysql_server}"
...
Pay attention to the use of 'src' and 'dst'. They always follow the
REQUEST and as the documentation says, for FireHOL the server always
accepts requests and the client always sends requests. The replies are
handled automatically.
>Question 2:
>On the line for the interface:
>interface eth0 zone2 src "${zone2_ips}" dst 192.168.2.0/32
>
>When you keep the 'dst <address>' on the line, does that mean that any
>traffic bound for an address that isn't in that range gets dropped?
>If you left it open, (i.e. did not include any 'dst' statement) would
>it allow all traffic out, no matter the address?
>If you wanted to allow 'dst' traffic on more than one network, would
>you simply string them together on that line?
>Such as: interface eth0 zone2 src "${zone2_ips}" dst {192.168.0.0/32
>192.168.1.0/32 192.168.2.0/32 192.168.3.0/32}
>If that is correct, could you just define it earlier in the config and
>reference it like I've done with the 'src = zone2_ips' ?
>
>
src matches the "source of requests"
dst matches the "destination of requests"
Let's now see what is happening on interfaces (think of it as a 'server'):
src matches the remote hosts that will send the requests to this interface
dst matches the interface itself, so it is the IPs this interface has
So assuming that I have my eth0 with IP 1.1.1.1 on LAN 1.1.1.0/24, then
my interface is:
interface eth0 myname src 1.1.1.0/24 dst "1.1.1.1 1.1.1.255"
Note that I have added the broadcast address to the addresses on which this
host accepts requests.
If now, via the same interface, there is another foreign LAN 2.2.2.0/24
that is accessible via some other router, I can have:
interface eth0 myname src "1.1.1.0/24 2.2.2.0/24" dst "1.1.1.1 1.1.1.255"
...
client and server commands
...
or, if I want to have separate control on the access rights of the two LANs:
interface eth0 lan1 src "1.1.1.0/24" dst "1.1.1.1 1.1.1.255"
...
client and server commands for 1.1.1.0/24
...
interface eth0 lan2 src "2.2.2.0/24" dst "1.1.1.1 1.1.1.255"
...
client and server commands for 2.2.2.0/24
...
I hope you got the idea...
Costa
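The two answers above put together as one complete firehol.conf for the MySQL server, added here as an illustration and not part of Costa's reply; every address, the interface names lan1/lan2 and the list of valid MySQL clients are constructed values:

```firehol
# firehol.conf on the MySQL server (FireHOL 1.x syntax; all addresses are constructed examples)
version 5

# Network definitions: my own LAN, my addresses on it, and a second LAN reachable
# through another router on the same interface.
lan1="1.1.1.0/24"
lan2="2.2.2.0/24"
my_ip="1.1.1.1"
my_bcast="1.1.1.255"

# Only these hosts may SEND requests to the mysql service (src = source of requests).
valid_mysql_clients="1.1.1.10 1.1.1.11"

# 'src' is who may send requests through this interface; 'dst' is which of my own
# addresses accept them (the unicast IP plus the LAN broadcast). Requests to any
# other local address do not match this interface at all.
interface eth0 lan1 src "${lan1}" dst "${my_ip} ${my_bcast}"
    policy reject
    protection strong

    # Services this host offers: ssh to the whole LAN, mysql only to the listed clients.
    server ssh accept
    server mysql accept src "${valid_mysql_clients}"

    # Requests this host itself sends out; replies come back automatically.
    client all accept

# The second LAN gets its own stanza so its access rights can differ:
# no mysql at all from 2.2.2.0/24, only ssh.
interface eth0 lan2 src "${lan2}" dst "${my_ip} ${my_bcast}"
    policy reject
    protection strong

    server ssh accept
    client all accept
```

On each MySQL client the same interface line is used, the `server mysql` rule is dropped, and `client mysql accept dst "${mysql_server}"` is added, with `mysql_server` set to 1.1.1.1 in this constructed layout.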