[Firehol-support] firehol and snat

Costa Tsaousis costa at tsaousis.gr
Fri Oct 5 17:29:55 BST 2007


rich at thevillas.eclipse.co.uk wrote:
>
> On Thu Oct 4 0:02, Costa Tsaousis sent:
>
>     rich at thevillas.eclipse.co.uk wrote:
>     >
>     > Interestingly, I can't seem to ssh to the external address of the
>     > firewall from the LAN either. I'm wondering whether there is a rule
>     > that is dropping all traffic hitting the PUBLIC_MYIP if it originates
>     > from the LAN?
>     >
>     If firehol is dropping traffic there should be some logs about it.
>     Check it.
>
>     You could also append
>
>     ... log "text to be logged"
>
>     to the dnat and snat rules (or any other). This will make the rule log
>     the "text to be logged" when a packet matches it.
>
>     Thanks. So, I've taken a reverse approach with looking at the logs.
>
>     I have a snat rule:
>
>
>         snat to "${HOME_MYIP}" \
>             outface "${HOME_MYIF}" \
>             src "${HOME_LAN}" dst "${WEBSERVER}" log "websnatted" level 7
>
>     Nothing gets logged. The other snat rule for all general traffic
>     going out logs fine:
>
>         snat to "${PUBLIC_MYIP}"                 \
>             outface "${PUBLIC_MYIF}"             \
>             src "${HOME_LAN}" dst not "${UNROUTABLE_IPS}" log "snatted" level 7
>
>     So, moving on to dnat:
>
>      dnat to ${WEBSERVER}:80                        \
>         inface "${PUBLIC_MYIF}"                    \
>         src not "${UNROUTABLE_IPS}"            \
>         proto tcp dport 80 log "webdnatted" level 7
>
>     This doesn't log if the traffic is coming from the LAN.
>
>     I thought the next section could be causing the problem:
>
>     # Protect us from the HOME LAN
>     interface "${HOME_MYIF}" home src "${HOME_LAN}" \
>         dst "${HOME_MYIP} ${HOME_BCAST}" log "lanprotect" level 7
>         policy reject
>
>         server "${HOME_SERVICES}" accept
>
>         client all accept
>
>
>     This logs when I try to connect to the firewall external
>     ${PUBLIC_MYIP} with ssh but not http.
>
>     The only other section I think could be causing the problem is
>     below, but nothing gets logged for these rules for traffic from the LAN.
>
>     # Protect us from the PUBLIC
>     interface "${PUBLIC_MYIF}" internet                \
>         src not "${UNROUTABLE_IPS}"                \
>         `test ! -z "${PUBLIC_MYIP}" && echo "dst '${PUBLIC_MYIP}'"` \
>         log "publicprotect" level 7
>
>         protection strong
>         policy drop
>
>         # Are there any trusted PCs/services?
>         if [ ! -z "${TRUSTED_PCS}" -a ! -z "${TRUSTED_SERVICES}" ]
>         then
>             server "${TRUSTED_SERVICES}" accept src "${TRUSTED_PCS}"
>         fi
>
>         server "${PUBLIC_SERVICES}" accept
>
>         client all accept
>
>     Thanks again,
>
>     Rich
>
You need both nats:

dnat to ${WEBSERVER}:80       \
    inface "${HOME_MYIF}"       \
    src "${HOME_LAN}"             \
    dst "${PUBLIC_MYIP}" proto tcp dport 80


snat to "${HOME_MYIP}"    \
    outface "${HOME_MYIF}" \
    src "${HOME_LAN}" dst "${WEBSERVER}"

and a router:

router lan2lan inface "${HOME_MYIF}" outface "${HOME_MYIF}" \
    src "${HOME_LAN}" dst "${HOME_LAN}"
    server http accept


Costa
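The three pieces from the reply above assembled into one hairpin-NAT configuration, as an added example and not the thread's own config; the interface names, addresses, the ssh service and the second router are assumptions, and the comments spell out why each part is needed:

```firehol
# Added example: hairpin NAT for a LAN-side web server, assembled from the
# three pieces in the reply above. Interface names and addresses are
# constructed placeholders (RFC 5737 / RFC 1918), not the poster's values.
PUBLIC_MYIF="eth0"
PUBLIC_MYIP="192.0.2.10"
HOME_MYIF="eth1"
HOME_MYIP="192.168.1.1"
HOME_LAN="192.168.1.0/24"
WEBSERVER="192.168.1.50"

# 1. Internet clients: rewrite the public address to the web server.
dnat to "${WEBSERVER}:80" inface "${PUBLIC_MYIF}" proto tcp dport 80

# 2. LAN clients hitting the public address. Their packets arrive on
#    HOME_MYIF, so a dnat keyed on inface PUBLIC_MYIF never matches them.
dnat to "${WEBSERVER}:80" inface "${HOME_MYIF}" \
    src "${HOME_LAN}" dst "${PUBLIC_MYIP}" proto tcp dport 80

# 3. Without this the web server answers the LAN client directly; the
#    client expected a reply from PUBLIC_MYIP and resets the connection.
#    Rewriting the source forces the reply back through the firewall.
snat to "${HOME_MYIP}" outface "${HOME_MYIF}" \
    src "${HOME_LAN}" dst "${WEBSERVER}" log "websnatted" level 7

# Connections to the firewall itself, from the LAN and from the internet.
interface "${HOME_MYIF}" home src "${HOME_LAN}"
    policy reject
    server ssh accept
    client all accept

interface "${PUBLIC_MYIF}" internet
    protection strong
    policy drop
    client all accept

# The hairpinned connection enters and leaves on HOME_MYIF: it is
# forwarded, not delivered locally, so no interface block ever sees it.
router lan2lan inface "${HOME_MYIF}" outface "${HOME_MYIF}" \
    src "${HOME_LAN}" dst "${HOME_LAN}"
    server http accept

# Forwarding for internet clients reaching the web server via dnat 1.
router internet2web inface "${PUBLIC_MYIF}" outface "${HOME_MYIF}" \
    dst "${WEBSERVER}"
    server http accept
```

With `log "websnatted"` kept on the snat, a LAN browser hitting the public address should now produce a log line, which is the quickest check that the hairpin path is being taken.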