[Firehol-support] First install of Firehol

Daniel L. Miller dmiller at amfes.com
Tue Aug 8 04:56:47 BST 2006


Happy to help.  Try to keep your replies on-list so everyone can share.

I'm still trying to understand your setup.  Based on your diagram, it 
seems Server A is connected directly to the Internet (via a hub) - there 
is no firewall, gateway, or router.  Server B appears to be a gateway.  
If that is the case, then the script I provided would actually be more 
appropriate for Server B.  However - you said the problem is with Server A.

If there is no firewall of any kind running on Server A - does it work 
correctly?  My current understanding is you have an Internet connection 
shared between two machines via a hub.  One machine, without a firewall, 
is currently reachable via the Internet (Server B).  The other machine 
is not - you need to confirm if Server A works properly without a firewall.

You say you used netcraft/dnsstuff.com - does that mean they can ping 
Server A currently?

What do you mean by "public proxy"?

I think you need to explain a bit further exactly what you are trying to 
accomplish.

--
Daniel


seekuel wrote:
> Hello Sir Daniel,
>
> To further illustrate:
> Server A with only 1 Ethernet card is connected to a HUB which is the 
> directly connected to the Internet with a public IP. No router.
>
> Server B's function as of now is for mail server. Yes the server can 
> be tested with the firewall test. But when using a public proxy the 
> server cannot be accessed further more at home I'm behind ADSL 
> Internet connection. Still I cannot connect to the server.
>
> I tried to check things from netcraft.net and dnsstuff.com then find 
> that the server is up.
>
>                                           |-------------|
>                                           | Internet |
>                                           |-------------|
>                                                  |
>                                                  |
>                                                  |
> |--------------| eth0                      |---------|               
> eth0|--------------| eth1     |--------|
> | Server A | ----------------------------| HUB |---------------------| 
> Server B |------------| LAN |
> |--------------|                             
> |---------|                     |--------------|            |--------|
>
> I'll try the script sir and I'll come back to update the result. Once 
> again thank you.
>
> ----
> Sandeil
>
> */"Daniel L. Miller" <dmiller at amfes.com>/* wrote:
>
>     seekuel wrote:
>     > Greetings!
>     >
>     > This is my first time to use firehole. The cohsen OS is CentOS.
>     >
>     > To make things clearer:
>     > Server A (firehole is used and is the mail server)
>     > Server B (firehole is not used and is the DNS server)
>     >
>     > The server A can send and receive mail. But the outside wold cannot
>     > access the server even if I use a public proxy.
>     >
>     > The servers A and B are connected to same hub, server B can
>     > access/browse the server A. Server B can be publicly access/browes.
>     >
>     > I already checked the DNS entry and I see nothing wrong.
>     >
>     > Attached is the firehol.conf I used. This was generated using
>     > /etc/init.d/firehol helpme > /tmp/firehol.conf added and removed
>     some
>     > services.
>     >
>     I'm not sure what you're asking. Are you saying your Server A
>     cannot be
>     seen from the internet? So from a remote site, or using a firewall
>     test
>     site, you cannot ping Server A?
>
>     You have no router statements. Is Server A supposed to be an internet
>     gateway for Server B?
>
>     Your configuration shows the same IP (202.163.195.157) and connection
>     (eth0) for both your internal and external interfaces. That's not
>     gonna
>     work. Do you have two NIC's? Is there an actual LAN in place?
>
>     I'm going to give you a sample that you can customize further, but
>     you
>     may find this more maintainable. Using variables at the top of the
>     config lets you assign descriptive names to these numbers, and makes
>     changes easier, and helps with typing errors. I'm assuming you do
>     have
>     two NIC's, otherwise we'll need to change the interface names. Give
>     this a try:
>
>     firehol.conf
>     ---
>     version 5
>     LAN_IF="eth0"
>     LAN_NET="192.168.0.1/24"
>     LAN_IP="192.168.0.1"
>
>     LAN_DNS_IP="192.168.0.10" (Server B's Address)
>
>     EXT_IF="eth1"
>     EXT_NET="202.163.195.152/29"
>     EXT_IP="202.163.195.157"
>
>     # Provide routing services to internal network for Internet access.
>     Router statements required below.
>     snat to "${EXT_IP}" outface "${EXT_IF}" src "${LAN_NET}"
>
>     # Allow access to DNS server from Internet. Router statements
>     required
>     below.
>     dnat to "${LAN_DNS_IP}" inface "${EXT_IF}" dst "${EXT_IP}" proto tcp
>     dport "53"
>     dnat to "${LAN_DNS_IP}" inface "${EXT_IF}" dst "${EXT_IP}" proto udp
>     dport "53"
>
>     # Allow the internal network complete access to this computer.
>     # Allow this computer complete access to the internal network.
>     interface "${LAN_IF}" lan src "{$LAN_NET}"
>     policy accept
>
>     # Allow limited access from the Internet to this computer.
>     # Allow this computer complete access to the Internet.
>     interface "${EXT_IF}" internet src not "${UNROUTABLE_IPS} ${LAN_NET}"
>     dst "${EXT_IP}"
>     protection strong 100/sec 50
>     server ident reject with tcp-reset
>     server "ICMP imap imaps mysql pop3 pop3s smtp webmin" accept
>     client all accept
>
>     # Allow the internal network complete access to the Internet through
>     this computer.
>     router lan2ext inface "${LAN_IF}" outface "${EXT_IF}" src
>     "${LAN_NET}"
>     dst not "${UNROUTABLE_IPS}"
>     route all accept
>
>     # Allow limited access to the internal network from the Internet
>     through
>     this computer.
>     router ext2lan inface "${EXT_IF}" outface "${LAN_IF}"
>     protection strong 100/sec 50
>     route ident reject with tcp-reset
>     route "dns" accept
>     client all accept
>
>     --
>     Daniel
>




More information about the Firehol-support mailing list