[Firehol-support] First install of Firehol

Daniel L. Miller dmiller at amfes.com
Mon Aug 7 18:21:06 BST 2006

seekuel wrote:
> Greetings!
> This is my first time using FireHOL. The chosen OS is CentOS.
> To make things clearer:
> Server A (FireHOL is used and is the mail server)
> Server B (FireHOL is not used and is the DNS server)
> Server A can send and receive mail. But the outside world cannot
> access the server even if I use a public proxy.
> Servers A and B are connected to the same hub; server B can
> access/browse server A. Server B can be publicly accessed/browsed.
> I already checked the DNS entry and I see nothing wrong.
> Attached is the firehol.conf I used. This was generated using
> /etc/init.d/firehol helpme > /tmp/firehol.conf; I added and removed some
> services.
I'm not sure what you're asking.  Are you saying your Server A cannot be 
seen from the internet?  So from a remote site, or using a firewall test 
site, you cannot ping Server A?

You have no router statements.  Is Server A supposed to be an internet 
gateway for Server B?

Your configuration shows the same IP ( and connection 
(eth0) for both your internal and external interfaces.  That's not gonna 
work.  Do you have two NICs?  Is there an actual LAN in place?

I'm going to give you a sample that you can customize further, but you 
may find this more maintainable.  Using variables at the top of the 
config lets you assign descriptive names to these numbers, and makes 
changes easier, and helps with typing errors.  I'm assuming you do have 
two NICs, otherwise we'll need to change the interface names.  Give 
this a try:

version 5

# Fill in these values for your network; every name is used further down.
EXT_IF=""             # external (Internet-facing) NIC
EXT_IP=""             # Server A's public address on that NIC
LAN_IF=""             # internal NIC
LAN_NET=""            # internal network (address/mask)
LAN_DNS_IP=""         # Server B's address

# Provide routing services to internal network for Internet access.
# Router statements required below.
snat to "${EXT_IP}" outface "${EXT_IF}" src "${LAN_NET}"

# Allow access to DNS server from Internet.  Router statements required
dnat to "${LAN_DNS_IP}" inface "${EXT_IF}" dst "${EXT_IP}" proto tcp dport "53"
dnat to "${LAN_DNS_IP}" inface "${EXT_IF}" dst "${EXT_IP}" proto udp dport "53"

# Allow the internal network complete access to this computer.
# Allow this computer complete access to the internal network.
interface "${LAN_IF}" lan src "${LAN_NET}"
    policy accept

# Allow limited access from the Internet to this computer.
# Allow this computer complete access to the Internet.
interface "${EXT_IF}" internet src not "${UNROUTABLE_IPS} ${LAN_NET}" dst "${EXT_IP}"
    protection strong 100/sec 50
    server ident reject with tcp-reset
    server "ICMP imap imaps mysql pop3 pop3s smtp webmin" accept
    client all accept

# Allow the internal network complete access to the Internet through this computer.
router lan2ext inface "${LAN_IF}" outface "${EXT_IF}" src "${LAN_NET}" dst not "${UNROUTABLE_IPS}"
    route all accept

# Allow limited access to the internal network from the Internet through this computer.
router ext2lan inface "${EXT_IF}" outface "${LAN_IF}"
    protection strong 100/sec 50
    route ident reject with tcp-reset
    route "dns" accept
    client all accept
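As an added illustration (not code from this thread or from FireHOL itself), a small POSIX sh/awk lint that catches the mistakes discussed above in a FireHOL 1.x config: the {$VAR} typo, one NIC named for both interface roles, a variable referenced but never assigned, and snat/dnat without any router statement. The sample config it checks is constructed for this example; UNROUTABLE_IPS is treated as FireHOL's built-in.

```shell
#!/bin/sh
# lint_firehol_conf FILE: findings go to stderr, the count to stdout (exit 0).
lint_firehol_conf() {
    awk '
    function flag(msg) { print "firehol-lint: " msg > "/dev/stderr"; findings++ }
    function resolve(tok,   v) {               # "${VAR}" -> assigned value, quotes dropped
        gsub(/"/, "", tok)
        while (match(tok, /[$][{][A-Za-z_][A-Za-z0-9_]*[}]/)) {
            v = substr(tok, RSTART + 2, RLENGTH - 3)
            tok = substr(tok, 1, RSTART - 1) val[v] substr(tok, RSTART + RLENGTH)
        }
        return tok
    }
    { sub(/#.*/, "") }                         # drop comments before inspecting
    /[{][$][A-Za-z_][A-Za-z0-9_]*[}]/ { flag("line " NR ": {$VAR} should be ${VAR}") }
    /^[ \t]*[A-Za-z_][A-Za-z0-9_]*=/ {         # VAR="value" assignment
        eq = index($0, "="); name = substr($0, 1, eq - 1); gsub(/[ \t]/, "", name)
        v = substr($0, eq + 1); sub(/[ \t]+$/, "", v); gsub(/"/, "", v)
        val[name] = v; def[name] = 1
    }
    { s = $0                                   # every ${VAR} reference, with its line
      while (match(s, /[$][{][A-Za-z_][A-Za-z0-9_]*[}]/)) {
          ref[substr(s, RSTART + 2, RLENGTH - 3)] = NR; s = substr(s, RSTART + RLENGTH) } }
    $1 == "interface" { d = resolve($2)        # same NIC for two interface roles
        if (d != "" && (d in seen)) flag("device " d " used by both " seen[d] " and " $3)
        seen[d] = $3 }
    $1 == "router" { routers++ }
    $1 == "snat" || $1 == "dnat" { nat++ }
    END {
        for (v in ref) if (!(v in def) && v != "UNROUTABLE_IPS")   # FireHOL built-in
            flag("${" v "} used on line " ref[v] " but never assigned")
        if (nat && !routers) flag("snat/dnat present but no router statement")
        print findings + 0                     # stdout: number of findings
    }' "$1"
}

# Constructed sample reproducing the mistakes from the thread (not a real config).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
version 5
LAN_IF="eth0"
EXT_IF="eth0"          # same NIC for both roles, as in the original post
EXT_IP="192.0.2.10"
LAN_NET="192.168.1.0/24"
dnat to "${LAN_DNS_IP}" inface "${EXT_IF}" dst "${EXT_IP}" proto udp dport "53"
interface "${LAN_IF}" lan src "{$LAN_NET}"
interface "${EXT_IF}" internet src not "${UNROUTABLE_IPS} ${LAN_NET}" dst "${EXT_IP}"
EOF
lint_firehol_conf "$SAMPLE"     # prints 4
```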

