[Firehol-support] Firehol Status?
firehol firehol
firehol at gmail.com
Mon Dec 11 14:05:38 GMT 2006
Hello, Everyone:
I've been looking at firehol to configure the firewalls on my machines.
Is firehol still under active support and bugfixes?
I ask because I'm not sure firehol's configuration works correctly for DNS
and email servers.
When I use a config file like shown below, I found that packets returning
from DNS requests were sometimes being blocked, and incoming connections to
port 25 were also sometimes blocked. (Even when all rules had 'client all
accept' and 'server all accept'.)
Do people use this firewall on real, working mail and DNS servers? Am I
making some sort of mistake in my configs? I would love to get firehol
working for my purposes.
I look forward to hearing back.
-- jrobinson (configuration file follows)
-------------------------
Below is the config file I was using (with IPs changed):
--------------------
#!/etc/rc.d/init.d/firehol
#
# THREE RULESETS: dst-publicip, dst-privateip, dst-world
#
FIREHOL_LOG_MODE="ULOG"
#FIREHOL_LOG_OPTIONS=" --log-tcp-options --log-ip-options"
#FIREHOL_ULOG_OPTIONS=" --log-tcp-options --log-ip-options --ulog-cprange 0"
#FIREHOL_LOG_OPTIONS="--log-level info --log-tcp-options --log-ip-options -ll"
FIREHOL_LOG_OPTIONS="--ulog-cprange 0"
interface eth0 dst-publicip dst 205.22.12.74/32
# The default policy is DROP. You can be more polite with REJECT.
# Prefer to be polite on your own clients to prevent timeouts.
policy drop
# If you don't trust the clients
# add something like this.
# protection strong
# Here are the services listening on eth0.
server smtp accept
server ICMP accept
#server mysql accept
server ntp accept
server webmin accept
server http accept
server dns accept
server ssh accept
server pop3 accept
server imaps accept
server https accept
server all accept
client smtp accept
client dns accept
client ICMP accept
client ssh accept
client pop3 accept
client http accept
client imaps accept
client https accept
client ntp accept
client all accept
interface eth1 dst-privateip dst 192.168.1.3/32
# The default policy is DROP. You can be more polite with REJECT.
# Prefer to be polite on your own clients to prevent timeouts.
#policy drop
policy reject
# If you don't trust the clients behind eth1 (net "192.168.1.0/24"),
# add something like this.
# > protection strong
# Here are the services listening on eth1.
# TODO: Normally, you will have to remove those not needed.
server ICMP accept
#server mysql accept
server ntp accept
server smtp accept
server webmin accept
server http accept
server dns accept
server ssh accept
server https accept
server all accept
client dns accept
client ICMP accept
client smtp accept
client ssh accept
client https accept
client all accept
interface eth0 dst-outside dst not "192.168.1.3 205.22.12.74"
# The default policy is DROP. You can be more polite with REJECT.
# Prefer to be polite on your own clients to prevent timeouts.
policy drop
#policy reject
# If you don't trust the clients behind eth1 (net "192.168.1.0/24"),
# add something like this.
# > protection strong
# Here are the services listening on eth1.
# TODO: Normally, you will have to remove those not needed.
server ICMP accept
#server mysql accept
server ntp accept
server smtp accept
server webmin accept
server http accept
server dns accept
server ssh accept
server https accept
server imaps accept
server all accept
client ICMP accept
client dns accept
client smtp accept
client ssh accept
client https accept
client http accept
client imaps accept
client all accept
# for now, we let all traffic out
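When traffic is dropped unexpectedly with a config like the one above, the first thing to establish is which interface block FireHOL assigns a packet to, since the posted file defines two blocks on eth0 that are separated only by their dst / dst not qualifiers. The script below is an added example (not code from this post or from the FireHOL project): it parses the interface, policy, server and client statements from a constructed excerpt of the posted config and reports every block that claims a given (device, destination IP) pair. The IP 198.51.100.7 is an assumed documentation address.

```python
import ipaddress

# Constructed excerpt modelled on the posted config (IPs as in the post).
SAMPLE_CONF = """
interface eth0 dst-publicip dst 205.22.12.74/32
    policy drop
    server dns accept
    client dns accept
interface eth1 dst-privateip dst 192.168.1.3/32
    policy reject
    server all accept
interface eth0 dst-outside dst not "192.168.1.3 205.22.12.74"
    policy drop
    server smtp accept
    client all accept
"""

def parse_firehol(text):
    """Parse interface/policy/server/client statements into block dicts."""
    blocks = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()          # drop comments, tokenize
        if not parts:
            continue
        if parts[0] == "interface":
            dev, name, rest = parts[1], parts[2], parts[3:]
            dst = None
            if rest and rest[0] == "dst":             # optional dst [not] "<ips>"
                negate = len(rest) > 1 and rest[1] == "not"
                ips = " ".join(rest[2 if negate else 1:]).strip('"').split()
                dst = (negate, [ipaddress.ip_network(ip, strict=False) for ip in ips])
            blocks.append({"dev": dev, "name": name, "dst": dst,
                           "policy": None, "server": [], "client": []})
        elif blocks and parts[0] == "policy":
            blocks[-1]["policy"] = parts[1]
        elif blocks and parts[0] in ("server", "client"):
            blocks[-1][parts[0]].append((parts[1], parts[2]))  # (service, action)
    return blocks

def block_matches(block, dev, dst_ip):
    """Does this interface block claim a packet arriving on dev for dst_ip?"""
    if block["dev"] != dev:
        return False
    if block["dst"] is None:
        return True
    negate, nets = block["dst"]
    ip = ipaddress.ip_address(dst_ip)
    return any(ip in n for n in nets) != negate

def owners(blocks, dev, dst_ip):
    """Names of all matching blocks; more than one means overlapping definitions."""
    return [b["name"] for b in blocks if block_matches(b, dev, dst_ip)]

if __name__ == "__main__":
    blocks = parse_firehol(SAMPLE_CONF)
    for dev, ip in [("eth0", "205.22.12.74"), ("eth0", "198.51.100.7"), ("eth1", "192.168.1.3")]:
        print(dev, ip, "->", owners(blocks, dev, ip))
```

Run it against the full config to confirm that each address the host answers on lands in exactly one block and that the block's policy and service lines are the ones you expect for that traffic.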