[Firehol-support] server per interface troubles

Costa Tsaousis costa at tsaousis.gr
Tue Dec 11 22:39:15 CET 2007


Sunny Dubey wrote:
> hey guys
>
> I have a server with eth0 and eth1, both have public IPs that fully work on 
> the Internet.  I have configured my webserver to listen only on eth1, and 
> have verified that it fully works.
>
> But the moment I attempt to use the following rules ... I can't reach my web 
> server anymore.  What gives?
>
>
> interface "eth0 eth1" internet
>
>         # We allow some stuff in
>         server ssh accept
>         server smtp accept
>         server http accept inface eth1
>
> Any ideas??
>
> Thanks!!!
>
>   
Sunny,

I guess your default gateway is on eth0.
Here is what is happening:

1. Request comes from eth1.
2. http server prepares a response and sends it.
3. The default gateway is on eth0, so the packet tries to go out on eth0.
4. Firehol blocks that because you only allow http traffic on eth1.

Firehol is stateful in both directions of the traffic, both in and out.

The simple solution is to allow both eth0 and eth1 at the firewall level 
and configure your web server not to listen on eth0.
The right solution should be to read the advanced routing howto and 
configure your routing so that the replies will go back the same way 
they come in, or that http replies will go out from eth1 only.

Costa
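The policy-routing fix Costa points to (replies leave on the interface they arrived on), as an added example that is not part of the original thread: a POSIX sh script that generates the iproute2 commands for source-based routing of eth1's address. The interface name, address, gateway, connected network and routing-table id are constructed placeholders; adjust them to the host.

```shell
#!/bin/sh
# Added example, not from the FireHOL project or the original thread.
# Source-based policy routing: packets sourced from eth1's address consult
# a dedicated table whose default route points at eth1's gateway, so HTTP
# replies no longer leave through the default gateway on eth0 (where the
# firewall has no matching state and drops them).
# All values below are constructed placeholders (TEST-NET-3 addresses).

# Print the iproute2 commands for one interface.
#   $1 = interface, $2 = address/prefix, $3 = gateway,
#   $4 = connected network/prefix, $5 = routing table id
policy_route_cmds() {
    pr_iface=$1; pr_addr=$2; pr_gw=$3; pr_net=$4; pr_table=$5
    pr_ip=${pr_addr%/*}   # strip the prefix length
    # Rule: traffic sourced from this address uses the per-interface table.
    echo "ip rule add from $pr_ip table $pr_table priority 100"
    # That table sends everything else out via this interface's gateway.
    echo "ip route add default via $pr_gw dev $pr_iface table $pr_table"
    # Keep the directly connected network reachable without the gateway.
    echo "ip route add $pr_net dev $pr_iface src $pr_ip table $pr_table"
}

# Run the generated commands; only prints them unless APPLY=1 is set
# (applying needs root and the named interface to exist).
apply_policy_routing() {
    policy_route_cmds "$@" | while IFS= read -r cmd; do
        if [ "${APPLY:-0}" = "1" ]; then
            $cmd          # word-split on purpose: run the command line
        else
            echo "[dry-run] $cmd"
        fi
    done
}

# Constructed usage: eth1 is 203.0.113.10/24 with gateway 203.0.113.1,
# and table 101 is reserved for its replies.
apply_policy_routing eth1 203.0.113.10/24 203.0.113.1 203.0.113.0/24 101
```

After applying, `ip route get <internet-host> from 203.0.113.10` should show the route leaving via eth1; the same query without `from` still shows the eth0 default.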