[Firehol-support] First install of Firehol

seekuel sandeil_tenebro at yahoo.com
Tue Aug 8 14:09:09 BST 2006


Greetings!

Yes, Server A is directly connected to a hub which is then connected to the internet. I intend to use firehol as the firewall for Server A, which only has 1 LAN card and will serve as the mail server.

Yes, netcraft/dnsstuff.com can ping to the server.

A public proxy is a proxy server used to hide your IP while surfing the net and make use of the public server as your front to the internet, like in a LAN which uses a proxy server to make access to the internet. My purpose in using this service is for testing. I cannot explain more :D but this is the website for available public proxies http://www.publicproxyservers.com/page1.html

I'll check again... 

Thanks 

---
sandeil

"Daniel L. Miller" <dmiller at amfes.com> wrote:
Happy to help.  Try to keep your replies on-list so everyone can share.

I'm still trying to understand your setup.  Based on your diagram, it 
seems Server A is connected directly to the Internet (via a hub) - there 
is no firewall, gateway, or router.  Server B appears to be a gateway.  
If that is the case, then the script I provided would actually be more 
appropriate for Server B.  However - you said the problem is with Server A.

If there is no firewall of any kind running on Server A - does it work 
correctly?  My current understanding is you have an Internet connection 
shared between two machines via a hub.  One machine, without a firewall, 
is currently reachable via the Internet (Server B).  The other machine 
is not - you need to confirm if Server A works properly without a firewall.

You say you used netcraft/dnsstuff.com - does that mean they can ping 
Server A currently?

What do you mean by "public proxy"?

I think you need to explain a bit further exactly what you are trying to 
accomplish.

--
Daniel


seekuel wrote:
> Hello Sir Daniel,
>
> To further illustrate:
> Server A with only 1 Ethernet card is connected to a HUB which is then 
> directly connected to the Internet with a public IP. No router.
>
> Server B's function as of now is for mail server. Yes, the server can 
> be tested with the firewall test. But when using a public proxy the 
> server cannot be accessed. Furthermore, at home I'm behind an ADSL 
> Internet connection. Still I cannot connect to the server.
>
> I tried to check things from netcraft.net and dnsstuff.com then find 
> that the server is up.
>
>                            |----------|
>                            | Internet |
>                            |----------|
>                                 |
>                                 |
> |----------| eth0          |-----|  eth0 |----------| eth1   |-----|
> | Server A |---------------| HUB |-------| Server B |--------| LAN |
> |----------|               |-----|       |----------|        |-----|
>
> I'll try the script sir and I'll come back to update the result. Once 
> again thank you.
>
> ----
> Sandeil
>
> "Daniel L. Miller" wrote:
>
>     seekuel wrote:
>     > Greetings!
>     >
>     > This is my first time to use firehol. The chosen OS is CentOS.
>     >
>     > To make things clearer:
>     > Server A (firehol is used and is the mail server)
>     > Server B (firehol is not used and is the DNS server)
>     >
>     > Server A can send and receive mail. But the outside world cannot
>     > access the server even if I use a public proxy.
>     >
>     > Servers A and B are connected to the same hub; server B can
>     > access/browse server A. Server B can be publicly accessed/browsed.
>     >
>     > I already checked the DNS entry and I see nothing wrong.
>     >
>     > Attached is the firehol.conf I used. This was generated using
>     > /etc/init.d/firehol helpme > /tmp/firehol.conf, then I added and
>     > removed some services.
>     >
>     I'm not sure what you're asking. Are you saying your Server A cannot be
>     seen from the internet? So from a remote site, or using a firewall test
>     site, you cannot ping Server A?
>
>     You have no router statements. Is Server A supposed to be an internet
>     gateway for Server B?
>
>     Your configuration shows the same IP (202.163.195.157) and connection
>     (eth0) for both your internal and external interfaces. That's not gonna
>     work. Do you have two NIC's? Is there an actual LAN in place?
>
>     I'm going to give you a sample that you can customize further, but you
>     may find this more maintainable. Using variables at the top of the
>     config lets you assign descriptive names to these numbers, and makes
>     changes easier, and helps with typing errors. I'm assuming you do have
>     two NIC's, otherwise we'll need to change the interface names. Give
>     this a try:
>
>     firehol.conf
>     ---
>     version 5
>     LAN_IF="eth0"
>     LAN_NET="192.168.0.1/24"
>     LAN_IP="192.168.0.1"
>
>     LAN_DNS_IP="192.168.0.10"   # Server B's address
>
>     EXT_IF="eth1"
>     EXT_NET="202.163.195.152/29"
>     EXT_IP="202.163.195.157"
>
>     # Provide routing services to internal network for Internet access.
>     # Router statements required below.
>     snat to "${EXT_IP}" outface "${EXT_IF}" src "${LAN_NET}"
>
>     # Allow access to DNS server from Internet. Router statements required below.
>     dnat to "${LAN_DNS_IP}" inface "${EXT_IF}" dst "${EXT_IP}" proto tcp dport "53"
>     dnat to "${LAN_DNS_IP}" inface "${EXT_IF}" dst "${EXT_IP}" proto udp dport "53"
>
>     # Allow the internal network complete access to this computer.
>     # Allow this computer complete access to the internal network.
>     interface "${LAN_IF}" lan src "${LAN_NET}"
>     policy accept
>
>     # Allow limited access from the Internet to this computer.
>     # Allow this computer complete access to the Internet.
>     interface "${EXT_IF}" internet src not "${UNROUTABLE_IPS} ${LAN_NET}" dst "${EXT_IP}"
>     protection strong 100/sec 50
>     server ident reject with tcp-reset
>     server "ICMP imap imaps mysql pop3 pop3s smtp webmin" accept
>     client all accept
>
>     # Allow the internal network complete access to the Internet through this computer.
>     router lan2ext inface "${LAN_IF}" outface "${EXT_IF}" src "${LAN_NET}" dst not "${UNROUTABLE_IPS}"
>     route all accept
>
>     # Allow limited access to the internal network from the Internet through this computer.
>     router ext2lan inface "${EXT_IF}" outface "${LAN_IF}"
>     protection strong 100/sec 50
>     route ident reject with tcp-reset
>     route "dns" accept
>     client all accept
>
>     --
>     Daniel
>
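Server A, as seekuel describes it at the top of this message, has a single NIC carrying the public address directly, so the two-NIC gateway sample above does not fit it: there is no internal network to snat/dnat/route for, and both "interface" blocks would end up on eth0 with the same IP, which is exactly what Daniel flagged. The firehol.conf below is an added example for that single-NIC mail server, written for this thread rather than taken from Daniel's reply or the FireHOL project; it assumes the card is eth0 and reuses the public IP and /29 from the thread, and the ssh service and the "admin from the /29 only" restriction are assumptions, not something the thread states.

```firehol
version 5

# Single NIC: the public address sits directly on eth0, so there is no
# LAN interface and no snat/dnat/router section at all.
EXT_IF="eth0"
EXT_NET="202.163.195.152/29"   # the hub's /29, as given in the thread
EXT_IP="202.163.195.157"       # Server A's public IP, as given in the thread

# Everything arriving on eth0 is Internet traffic. UNROUTABLE_IPS is
# FireHOL's built-in list of private/reserved ranges; a packet from one
# of those claiming to come from the Internet is spoofed and is dropped.
interface "${EXT_IF}" internet src not "${UNROUTABLE_IPS}" dst "${EXT_IP}"
    # Anything not explicitly allowed below is dropped silently.
    policy drop
    # Same flood/scan protection as in the two-NIC sample.
    protection strong 100/sec 50

    # The mail services this host actually offers to the outside world.
    server "smtp pop3 pop3s imap imaps" accept
    # Answer ping so remote checks (netcraft, dnsstuff) can reach the host.
    server ICMP accept
    # Reject ident immediately rather than letting peer MTAs time out on it.
    server ident reject with tcp-reset

    # Admin services (assumption): only from neighbours on the same /29,
    # e.g. Server B, never from the whole Internet.
    server "ssh webmin" accept src "${EXT_NET}"

    # Outbound: DNS lookups against Server B, SMTP to other MTAs, updates.
    client all accept
```

With only one interface block there is nothing to reconcile between "internal" and "external" addresses, which is the mismatch Daniel spotted in the attached config.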

_______________________________________________
Firehol-support mailing list
Firehol-support at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/firehol-support

