[Firehol-support] need some help setting up firehol.

Costa Tsaousis costa at tsaousis.gr
Wed Sep 21 22:13:10 BST 2005


Redeeman wrote:

>echo "1" > /proc/sys/net/ipv4/ip_forward
>it will forward traffic between interfaces, and then it might work, but as I said, I am not sure. I would like your advice on how to do that; for now, it should just accept all traffic between the two interfaces.
>  
>
Please read the documentation. FireHOL creates firewalls that by default 
do not allow any traffic not specifically allowed. Enabling port 
forwarding will give you nothing. You have to configure FireHOL to allow 
router traffic (actually if you do that, FireHOL will also enable port 
forwarding for you).

>and now for the part I am most unsure about, port forwarding. I need to forward ports from the ppp0 interface (internet) to both my workstation and PCs on the LAN. I would like suggestions from you on how to do this. If there are several ways I would like to see them all.
>
>
>--------------------------------------------------
>this is what I have so far; it's without port forwarding though, and without (unless nothing is needed) traffic between workstation and LAN support:
>
>interface ppp0 internet
>	protection strong
>	server "http https smtp ftp ssh dns" accept
>	client "ftp ssh http https irc" accept
>
>interface eth0 redeeman
>	policy accept
>
>interface eth1 lan
>	protection strong
>	server "http https ssh ftp smtp imaps pop3s samba" accept
>
>router redeeman2internet inface eth0 outface ppp0
>	snat to 80.196.156.209 outface ppp0 src 192.168.0.0/24
>	route all accept
>
>router lan2internet inface eth1 outface ppp0
>	snat to 80.196.156.209 outface ppp0 src 192.168.0.1/24
>	route all accept
>
>  
>
NAT rules are helpers and should be used before any interface or router.
Also, what you need here is DNAT (i.e. change the DESTINATION of 
received packets).
If you want to forward packets to two other PCs in the LAN you also need 
to allocate public ports to them. If you want 2 internal PCs to use the 
same public IP and port, then you need an application (e.g. squid for 
HTTP traffic) to do this for you, since it will not be easy to 
accomplish this with a firewall.

>-------------------------------------------------------
>
>now a note:
>in the routers, in the snat statements, I saw I was supposed to give a dst too, but I don't know what; in my current firewall I do:
>iptables -t nat -A POSTROUTING -s $INT_SUBNET -o $EXT_IFACE -j SNAT --to $EXT_IP
>any help here would be appreciated
>
>  
>
This is about allowing your internal machines to reach the public 
internet. Use masquerade to make your life easy (it is expensive 
compared to snat, but it will not make a difference for most home and office 
setups).

>a few questions:
>in the services, for example pop3, server ports are tcp/110, and client ports are default. Does default in client ports mean the ports in server ports, just for outgoing traffic?
>
>  
>
default = ports 1024 up to 65535, or whatever your kernel is defined to use.

>for services, I see ntp; it listens on the same port number, on udp and tcp, for server ports. On client ports it just allows outgoing traffic on port 123, and default. What does this mean?
>
>if I have a router from LAN to internet, where I route all, will PCs on the LAN be limited by the client statements in my ppp0 (internet) interface?
>  
>
Interface blocks have nothing to do with router traffic.

Please read the documentation...

Costa
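A FireHOL configuration laid out the way this reply describes (NAT helpers before any interface or router, DNAT with a distinct public port per internal host, masquerade instead of snat for outbound LAN traffic, and router blocks rather than interface blocks for the forwarded services). This is an added example, not part of the original thread; the internal addresses 192.168.0.10 and 192.168.0.20 and the public ports 8080 and 2222 are constructed, while the interface names and service lists come from the quoted configuration.

```firehol
version 5

# NAT helpers come first: FireHOL expects them before any interface or router.
# Outbound: masquerade everything leaving ppp0. Unlike snat this needs no
# fixed public address, so a dial-up IP that changes keeps working.
masquerade ppp0

# Inbound port forwarding. Two hosts cannot share one public port, so each
# gets its own. Destination rewriting happens before routing, so the router
# blocks below see the translated (internal) ports.
# Public tcp/80   -> workstation (constructed address 192.168.0.10), port 80
dnat to 192.168.0.10:80 inface ppp0 proto tcp dport 80
# Public tcp/8080 -> LAN web server (constructed address 192.168.0.20), port 80
dnat to 192.168.0.20:80 inface ppp0 proto tcp dport 8080
# Public tcp/2222 -> workstation ssh (constructed port choice), port 22
dnat to 192.168.0.10:22 inface ppp0 proto tcp dport 2222

# Interface blocks only govern traffic to and from the firewall host itself.
# Services that are DNATed elsewhere no longer terminate here, so they are
# not listed on ppp0.
interface ppp0 internet
	protection strong
	server "smtp dns" accept
	client "ftp ssh http https irc" accept

interface eth0 redeeman
	policy accept

interface eth1 lan
	protection strong
	server "http https ssh ftp smtp imaps pop3s samba" accept

# Router blocks govern forwarded traffic. In a router, "server" rules match
# requests entering via inface and leaving via outface; "client" rules match
# the reverse. With ppp0 as inface, "client all" lets the internal hosts
# initiate anything outbound, while "server" admits only the forwarded
# services inbound instead of "route all accept" in both directions.
router internet2redeeman inface ppp0 outface eth0
	client all accept
	server "http ssh" accept

router internet2lan inface ppp0 outface eth1
	client all accept
	server http accept
```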
