[Firehol-support] Firehol Status?

firehol firehol firehol at gmail.com
Mon Dec 11 15:05:38 CET 2006


Hello, Everyone:

I've been looking at firehol to configure the firewalls on my machines.

Is firehol still under active support and bugfixes?

I ask because I'm not sure firehol's configurations works correctly for DNS
and email servers.

When I use a config file like shown below, I found that packets returning
from DNS requests were sometimes being blocked, and incoming connections to
port 25 were also sometimes blocked. (Even when all rules had 'client all
accept' and 'server all accept'.)

Do people use this firewall on real, working mail and DNS servers?  Am I
making some sort of mistake in my configs? I would love to get firehol
working for my purposes.

I look forward to hearing back.
 -- jrobinson (configuration file follows)

-------------------------
Below is the config file I was using (with IPs changed):
--------------------

#!/etc/rc.d/init.d/firehol
#
# THREE RULESETS: dst-publicip, dst-privateip, dst-world
#

FIREHOL_LOG_MODE="ULOG"
#FIREHOL_LOG_OPTIONS=" --log-tcp-options --log-ip-options"
#FIREHOL_ULOG_OPTIONS=" --log-tcp-options --log-ip-options  --ulog-cprange 0"
#FIREHOL_LOG_OPTIONS="--log-level info --log-tcp-options --log-ip-options -ll"
FIREHOL_LOG_OPTIONS="--ulog-cprange 0"


interface eth0 dst-publicip dst 205.22.12.74/32

    # The default policy is DROP. You can be more polite with REJECT.
    # Prefer to be polite on your own clients to prevent timeouts.
    policy drop

    # If you don't trust the clients
    # add something like this.
    # protection strong

    # Here are the services listening on eth0.
    server smtp accept
    server ICMP accept
    #server mysql accept
    server ntp accept
    server webmin accept
    server http accept
    server dns accept
    server ssh accept
    server pop3 accept
    server imaps accept
    server https accept
    server all accept

    client smtp accept
    client dns accept
    client ICMP accept
    client ssh accept
    client pop3 accept
    client http accept
    client imaps accept
    client https accept
    client ntp accept

    client all accept

interface eth1 dst-privateip dst 192.168.1.3/32

    # The default policy is DROP. You can be more polite with REJECT.
    # Prefer to be polite on your own clients to prevent timeouts.
    #policy drop
    policy reject

    # If you don't trust the clients behind eth1 (net "192.168.1.0/24"),
    # add something like this.
    # > protection strong

    # Here are the services listening on eth1.
    # TODO: Normally, you will have to remove those not needed.
    server ICMP accept
    #server mysql accept
    server ntp accept
    server smtp accept
    server webmin accept
    server http accept
    server dns accept
    server ssh accept
    server https accept
    server all accept

    client dns accept
    client ICMP accept
    client smtp accept
    client ssh accept
    client https accept

    client all accept


interface eth0 dst-outside dst not "192.168.1.3 205.22.12.74"

    # The default policy is DROP. You can be more polite with REJECT.
    # Prefer to be polite on your own clients to prevent timeouts.
    policy drop
    #policy reject

    # If you don't trust the clients behind eth1 (net "192.168.1.0/24"),
    # add something like this.
    # > protection strong

    # Here are the services listening on eth1.
    # TODO: Normally, you will have to remove those not needed.
    server ICMP accept
    #server mysql accept
    server ntp accept
    server smtp accept
    server webmin accept
    server http accept
    server dns accept
    server ssh accept
    server https accept
    server imaps accept
    server all accept

    client ICMP accept
    client dns accept
    client smtp accept
    client ssh accept
    client https accept
    client http accept
    client imaps accept

    client all accept
    # for now, we let all traffic out
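One way to check the symptom described in the post (dropped DNS replies and inbound SMTP) is to count what the firewall actually logs as dropped, per interface. This is an added example, not code from the post or from FireHOL: the log records are constructed, in the KEY=VALUE layout of the netfilter LOG target (assumed to match what the ULOG sink emits here).

```python
import re
from collections import Counter

# Constructed sample records (not from the original post) in the key=value layout
# written by the netfilter LOG target; ulogd's emulation output uses the same fields.
SAMPLE_LOG = """\
Dec 11 14:58:01 mx kernel: IN=eth0 OUT= SRC=198.51.100.53 DST=205.22.12.74 LEN=120 PROTO=UDP SPT=53 DPT=32771
Dec 11 14:58:02 mx kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=205.22.12.74 LEN=60 PROTO=TCP SPT=41122 DPT=25 SYN
Dec 11 14:58:03 mx kernel: IN=eth1 OUT= SRC=192.168.1.20 DST=192.168.1.3 LEN=60 PROTO=TCP SPT=51000 DPT=80 SYN
Dec 11 14:58:04 mx kernel: IN=eth0 OUT= SRC=198.51.100.53 DST=205.22.12.74 LEN=120 PROTO=UDP SPT=53 DPT=32772
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")

def parse_log_line(line):
    """Return the KEY=VALUE fields of one drop record, or None if it is not one."""
    fields = dict(FIELD_RE.findall(line))
    if "IN" not in fields or "PROTO" not in fields:
        return None
    return fields

def classify(fields):
    """Label a dropped packet; UDP from source port 53 is a reply to the host's
    own query, which 'client dns accept' only lets in via its conntrack entry."""
    proto = fields.get("PROTO")
    sport = fields.get("SPT")
    dport = fields.get("DPT")
    if proto == "UDP" and sport == "53":
        return "dns-reply"
    if proto == "UDP" and dport == "53":
        return "dns-query-inbound"
    if proto == "TCP" and dport == "25":
        return "smtp-inbound"
    return "other"

def summarize_drops(log_text):
    """Count dropped packets per (input interface, label)."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = parse_log_line(line)
        if fields is None:
            continue
        counts[(fields["IN"], classify(fields))] += 1
    return counts

if __name__ == "__main__":
    for (iface, label), n in sorted(summarize_drops(SAMPLE_LOG).items()):
        print(f"{iface:5} {label:18} {n}")
```

A non-zero "dns-reply" count on an interface whose ruleset has `client dns accept` means the reply did not match the state of the outgoing query, which is the first thing to verify before touching the server/client lines.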