[Firehol-support] First install of Firehol
Daniel L. Miller
dmiller at amfes.com
Tue Aug 8 04:56:47 BST 2006
Happy to help. Try to keep your replies on-list so everyone can share.
I'm still trying to understand your setup. Based on your diagram, it
seems Server A is connected directly to the Internet (via a hub) - there
is no firewall, gateway, or router. Server B appears to be a gateway.
If that is the case, then the script I provided would actually be more
appropriate for Server B. However - you said the problem is with Server A.
If there is no firewall of any kind running on Server A - does it work
correctly? My current understanding is you have an Internet connection
shared between two machines via a hub. One machine, without a firewall,
is currently reachable via the Internet (Server B). The other machine
is not - you need to confirm if Server A works properly without a firewall.
You say you used netcraft/dnsstuff.com - does that mean they can ping
Server A currently?
What do you mean by "public proxy"?
I think you need to explain a bit further exactly what you are trying to
accomplish.
--
Daniel
seekuel wrote:
> Hello Sir Daniel,
>
> To further illustrate:
> Server A with only 1 Ethernet card is connected to a HUB which is then
> directly connected to the Internet with a public IP. No router.
>
> Server B's function as of now is as a mail server. Yes, the server can
> be tested with the firewall test. But when using a public proxy the
> server cannot be accessed; furthermore, at home I'm behind an ADSL
> Internet connection. Still I cannot connect to the server.
>
> I tried to check things from netcraft.net and dnsstuff.com then find
> that the server is up.
>
> |-------------|
> |  Internet   |
> |-------------|
>        |
>        |
> |--------------|  eth0    |---------|  eth0   |--------------|  eth1   |--------|
> |   Server A   |----------|   HUB   |---------|   Server B   |---------|  LAN   |
> |--------------|          |---------|         |--------------|         |--------|
>
> I'll try the script sir and I'll come back to update the result. Once
> again thank you.
>
> ----
> Sandeil
>
> "Daniel L. Miller" <dmiller at amfes.com> wrote:
>
> seekuel wrote:
> > Greetings!
> >
> > This is my first time to use firehol. The chosen OS is CentOS.
> >
> > To make things clearer:
> > Server A (firehol is used and is the mail server)
> > Server B (firehol is not used and is the DNS server)
> >
> > Server A can send and receive mail. But the outside world cannot
> > access the server even if I use a public proxy.
> >
> > Servers A and B are connected to the same hub; server B can
> > access/browse server A. Server B can be publicly accessed/browsed.
> >
> > I already checked the DNS entry and I see nothing wrong.
> >
> > Attached is the firehol.conf I used. This was generated using
> > /etc/init.d/firehol helpme > /tmp/firehol.conf, then I added and
> > removed some services.
> >
> I'm not sure what you're asking. Are you saying your Server A cannot be
> seen from the internet? So from a remote site, or using a firewall test
> site, you cannot ping Server A?
>
> You have no router statements. Is Server A supposed to be an internet
> gateway for Server B?
>
> Your configuration shows the same IP (202.163.195.157) and connection
> (eth0) for both your internal and external interfaces. That's not gonna
> work. Do you have two NICs? Is there an actual LAN in place?
>
> I'm going to give you a sample that you can customize further, but you
> may find this more maintainable. Using variables at the top of the
> config lets you assign descriptive names to these numbers, makes
> changes easier, and helps with typing errors. I'm assuming you do have
> two NICs, otherwise we'll need to change the interface names. Give
> this a try:
>
> firehol.conf
> ---
> version 5
> LAN_IF="eth0"
> LAN_NET="192.168.0.1/24"
> LAN_IP="192.168.0.1"
>
> LAN_DNS_IP="192.168.0.10"   # Server B's address
>
> EXT_IF="eth1"
> EXT_NET="202.163.195.152/29"
> EXT_IP="202.163.195.157"
>
> # Provide routing services to internal network for Internet access.
> # Router statements required below.
> snat to "${EXT_IP}" outface "${EXT_IF}" src "${LAN_NET}"
>
> # Allow access to DNS server from Internet. Router statements required below.
> dnat to "${LAN_DNS_IP}" inface "${EXT_IF}" dst "${EXT_IP}" proto tcp dport "53"
> dnat to "${LAN_DNS_IP}" inface "${EXT_IF}" dst "${EXT_IP}" proto udp dport "53"
>
> # Allow the internal network complete access to this computer.
> # Allow this computer complete access to the internal network.
> interface "${LAN_IF}" lan src "${LAN_NET}"
>     policy accept
>
> # Allow limited access from the Internet to this computer.
> # Allow this computer complete access to the Internet.
> interface "${EXT_IF}" internet src not "${UNROUTABLE_IPS} ${LAN_NET}" dst "${EXT_IP}"
>     protection strong 100/sec 50
>     server ident reject with tcp-reset
>     server "ICMP imap imaps mysql pop3 pop3s smtp webmin" accept
>     client all accept
>
> # Allow the internal network complete access to the Internet through this computer.
> router lan2ext inface "${LAN_IF}" outface "${EXT_IF}" src "${LAN_NET}" dst not "${UNROUTABLE_IPS}"
>     route all accept
>
> # Allow limited access to the internal network from the Internet through this computer.
> router ext2lan inface "${EXT_IF}" outface "${LAN_IF}"
>     protection strong 100/sec 50
>     route ident reject with tcp-reset
>     route "dns" accept
>     client all accept
>
> --
> Daniel
>
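As an added example (not code from this thread and not part of FireHOL), here is a small POSIX sh lint for the three mistakes Daniel points at: the same device named in both `interface` statements, a `{$NAME}` brace slip where `${NAME}` was meant (bash keeps the braces, so iptables is handed a value like `{192.168.0.1/24}` and rejects the rule), and `snat`/`dnat` lines with no `router` statement to carry the forwarded traffic. The two sample configs, the 203.0.113.0/24 address and every function name are constructed for this example.

```shell
#!/bin/sh
# Lint a FireHOL config for the problems discussed in the thread.
# Added example; constructed sample configs, not the poster's real file.

# Print CONF with every "${NAME}" replaced by the value from a top-level
# NAME="value" assignment, so checks see the real device names.
firehol_expand() {
    awk '
        /^[A-Za-z_][A-Za-z0-9_]*="[^"]*"[[:space:]]*$/ {
            eq = index($0, "="); name = substr($0, 1, eq - 1)
            val = substr($0, eq + 1); gsub(/"/, "", val)
            sub(/[[:space:]]+$/, "", val); vars[name] = val
        }
        {
            line = $0
            for (n in vars) {
                tok = "${" n "}"
                while ((i = index(line, tok)) > 0)
                    line = substr(line, 1, i - 1) vars[n] substr(line, i + length(tok))
            }
            print line
        }
    ' "$1"
}

# Devices that appear in more than one "interface" statement (the
# same-NIC-for-LAN-and-Internet mistake).
firehol_dup_interfaces() {
    firehol_expand "$1" | awk '$1 == "interface" { print $2 }' \
        | tr -d '"' | sort | uniq -d
}

# Lines containing "{$": almost always "${NAME}" mistyped as "{$NAME}".
firehol_brace_slips() {
    grep -n '{\$' "$1" || true
}

# snat/dnat only rewrite addresses; without a router statement nothing
# is permitted to be forwarded, so the translated traffic is dropped.
firehol_nat_without_router() {
    if grep -qE '^[[:space:]]*[sd]nat[[:space:]]' "$1" \
       && ! grep -qE '^[[:space:]]*router[[:space:]]' "$1"; then
        echo "nat-without-router"
    fi
}

# Run every check, print findings, return 1 if anything was found.
firehol_lint() {
    conf=$1; rc=0
    for dev in $(firehol_dup_interfaces "$conf"); do
        echo "$conf: device $dev used in more than one interface statement"; rc=1
    done
    slips=$(firehol_brace_slips "$conf")
    if [ -n "$slips" ]; then
        echo "$conf: '{\$NAME}' written where '\${NAME}' was meant:"; echo "$slips"; rc=1
    fi
    if [ -n "$(firehol_nat_without_router "$conf")" ]; then
        echo "$conf: snat/dnat present but no router statement"; rc=1
    fi
    return $rc
}

# Constructed sample with all three problems (eth0 used twice, a brace
# slip, dnat without router); RFC 5737 address stands in for a real one.
BAD_CONF=$(mktemp)
cat > "$BAD_CONF" <<'EOF'
version 5
LAN_IF="eth0"
LAN_NET="192.168.0.0/24"
EXT_IF="eth0"
EXT_IP="203.0.113.10"
dnat to "192.168.0.10" inface "${EXT_IF}" dst "${EXT_IP}" proto udp dport "53"
interface "${LAN_IF}" lan src "{$LAN_NET}"
    policy accept
interface "${EXT_IF}" internet dst "${EXT_IP}"
    server "smtp pop3 imap" accept
    client all accept
EOF

# Constructed sample with the problems corrected: two NICs, ${LAN_NET},
# and a router statement carrying the dnat'd DNS traffic.
GOOD_CONF=$(mktemp)
cat > "$GOOD_CONF" <<'EOF'
version 5
LAN_IF="eth0"
LAN_NET="192.168.0.0/24"
EXT_IF="eth1"
EXT_IP="203.0.113.10"
dnat to "192.168.0.10" inface "${EXT_IF}" dst "${EXT_IP}" proto udp dport "53"
interface "${LAN_IF}" lan src "${LAN_NET}"
    policy accept
interface "${EXT_IF}" internet dst "${EXT_IP}"
    server "smtp pop3 imap" accept
    client all accept
router ext2lan inface "${EXT_IF}" outface "${LAN_IF}"
    route "dns" accept
EOF

for f in "$BAD_CONF" "$GOOD_CONF"; do
    if firehol_lint "$f"; then echo "$f: no findings"; fi
done
```

The expansion step matters: with variables at the top of the file, as in Daniel's sample, the two `interface` lines both read `"${...}"` and only collide once the names are resolved, which is exactly the condition the lint is meant to catch. Run it with `sh firehol-lint.sh` (any file name works) before `firehol try`, or point `firehol_lint` at `/etc/firehol/firehol.conf`.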