[Firehol-support] Syntax for many Interfaces

Costa Tsaousis costa at tsaousis.gr
Sat May 31 20:11:54 BST 2008


Sim wrote:
> Hi Costa, hi to all!
> I have a Linux box with many many many VLANs (interfaces)
>
> Can I reduce the syntax, as in this simple example?
>
> ############################
>
>  ETH0 192.168.0.1 /24
>  ETH1 172.16.10.1 /24
>  ETH2 172.16.11.1 /24
>
> ############################
>
> interface eth0 all2fw
>
> 	policy drop
> 	protection strong
>
> 	server ICMP accept
> 	server "ssh" accept
>
> 	client all accept
>
> interface eth1 in2fw
>
> 	policy drop
> 	protection strong
>
> 	server ICMP accept
>
> 	client all accept
>
> interface eth2 other2fw
>
> 	policy drop
> 	protection strong
>
> 	server ICMP accept
>
> 	client all accept
>
>
> ############################
>
> router all2one outface eth1 dst "172.16.10.1/24"
> 	route "smtp pop3" accept
>
> router all2two outface eth2 dst "172.16.11.1/24"
> 	route "http" accept
>
> ############################
>
> router in2test outface eth0 dst "10.0.0.0/24"
> 	route "telnet" accept
>
> router in2out outface eth0 dst "192.168.0.0/24"
> 	route ICMP accept
>
> router in2all outface eth0 dst "${UNROUTABLE_IPS} 192.168.0.0/24"
> 	route "all" accept
>
>
> Another question is:
>
> - Can I create a special (router in2test outface eth0 dst
> "10.0.0.0/24") router for a network not in my class?
>  Is it essential to define it before (router in2all outface eth0 dst
> "${UNROUTABLE_IPS} 192.168.0.0/24") ?
>
> Many thanks!
>   

Sim,

Example:

Customer A has if0, if1, if2 with subnets 10.0.1.0/24, 10.0.2.0/24 and 
10.0.3.0/24
Customer B has if3, if4, if5 with subnets 10.0.4.0/24, 10.0.5.0/24 and 
10.0.6.0/24

This means you can define firehol as follows:

INTERNET_IF="eth0"

CUSTOMER_A_IFS="if0 if1 if2"
CUSTOMER_A_IPS="10.0.1.0/24 10.0.2.0/24 10.0.3.0/24"

CUSTOMER_B_IFS="if3 if4 if5"
CUSTOMER_B_IPS="10.0.4.0/24 10.0.5.0/24 10.0.6.0/24"

interface "${INTERNET_IF}" internet
	# <rules for controlling internet access to this host>

interface "${CUSTOMER_A_IFS} ${CUSTOMER_B_IFS}" customers \
		src "${CUSTOMER_A_IPS} ${CUSTOMER_B_IPS}"
	# <rules for customers access to this host>

# allow traffic to flow between all customer A networks
router A2A inface "${CUSTOMER_A_IFS}" outface "${CUSTOMER_A_IFS}" \
		src "${CUSTOMER_A_IPS}" dst "${CUSTOMER_A_IPS}"
	policy accept

# internet access for customer A
router inet2custA inface "${INTERNET_IF}" outface "${CUSTOMER_A_IFS}" \
		src not "${UNROUTABLE_IPS}" dst "${CUSTOMER_A_IPS}"
	client all accept
	# put server statements to allow incoming requests for customer A

# allow traffic to flow between all customer B networks
router B2B inface "${CUSTOMER_B_IFS}" outface "${CUSTOMER_B_IFS}" \
		src "${CUSTOMER_B_IPS}" dst "${CUSTOMER_B_IPS}"
	policy accept

# internet access for customer B
router inet2custB inface "${INTERNET_IF}" outface "${CUSTOMER_B_IFS}" \
		src not "${UNROUTABLE_IPS}" dst "${CUSTOMER_B_IPS}"
	client all accept
	# put server statements to allow incoming requests for customer B

You can use a tool named "flim" to shorten the list of IPs for each 
customer. This tool will produce "strange" subnet masks (e.g. 
10.0.0.0/23) in order to have the minimum firehol rules.
If you know some BASH scripting you can easily do this:

1. create a directory /etc/firehol/customers/
2. Put there a file for each customer containing something like:

if0 10.0.1.0/24
if1 10.0.2.0/24
if2 10.0.3.0/24

3. read all these files using BASH scripting in firehol.conf
4. call interface and router statements within a loop, to create all the 
interfaces and routers for all customers.

This way, you can just edit/create/delete files in 
/etc/firehol/customers and by just starting firehol you will have your 
firewall activated.

About the spoofing: If you use firehol the way I have it above, you (and 
your customers) are not vulnerable to spoofing.

About the test route: yes you can create whatever you can imagine at the 
firewall level. There is no need to have the interface attached or the 
routing table in place. But keep in mind that firehol does NOT control 
your routing table. You should also have your routes set up properly.

About the priority of definitions: you can mix interfaces and routers in 
firehol in any order you like - the interfaces are isolated from routers 
in iptables, so that an interface never interferes with a router and 
vice versa (think of it as two completely separate traffic flows). Keep 
in mind however that all the interfaces have the default policy "DROP", 
which means that if some traffic is matched by an interface and is not 
explicitly allowed or dropped by the rules within the interface, it will 
be dropped at the end of this interface (so priority does matter between 
interfaces), while routers have the default policy "RETURN" which means 
that if some traffic is matched by a router, if that traffic is not 
matched by the rules within that router, it will continue to the next 
router until the end of all routers.
Of course, by changing the policy of interfaces and routers you can 
control how they operate.


I hope that helps...

Costa
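
Added example (not part of Costa's message and not FireHOL's own code): steps 1 to 4 as a shell loop that validates every line of the per-customer files before it reaches a router statement, since firehol.conf is executed as shell. The function names read_customer and customer_rules, the echo stand-ins for FireHOL's helpers and the UNROUTABLE_IPS placeholder are assumptions made so the loop can be dry-run outside FireHOL; the combined "customers" interface statement from the message is left out.

```shell
#!/bin/sh
# Dry-run stand-ins for FireHOL's helpers (assumption, for testing outside
# FireHOL). Remove these four lines when pasting the functions into firehol.conf.
router() { echo "router $*"; }
policy() { echo "  policy $*"; }
client() { echo "  client $*"; }
UNROUTABLE_IPS=${UNROUTABLE_IPS:-UNROUTABLE_IPS_PLACEHOLDER}

# Parse one customer file ("<interface> <subnet>" per line) into CUST_IFS and
# CUST_IPS. Returns 1 on a malformed line, so a typo never reaches a rule.
read_customer() {
    CUST_IFS="" CUST_IPS=""
    while read -r ifname subnet extra || [ -n "$ifname" ]; do
        case "$ifname" in ''|'#'*) continue ;; esac       # blank line or comment
        [ -z "$extra" ] || return 1                       # exactly two fields
        case "$ifname" in *[!A-Za-z0-9._-]*) return 1 ;; esac
        case "$subnet" in *[!0-9./]*) return 1 ;; *.*.*.*/[0-9]*) ;; *) return 1 ;; esac
        CUST_IFS="${CUST_IFS:+$CUST_IFS }$ifname"
        CUST_IPS="${CUST_IPS:+$CUST_IPS }$subnet"
    done < "$1"
}

# Steps 3 and 4: one pair of routers per file in directory $1; $2 is the
# internet-facing interface. Bad files are skipped and make the function return 1.
customer_rules() {
    cust_rc=0
    for cust_f in "$1"/*; do
        [ -f "$cust_f" ] || continue
        cust_name=${cust_f##*/}
        case "$cust_name" in *[!A-Za-z0-9_]*) cust_rc=1; continue ;; esac
        read_customer "$cust_f" && [ -n "$CUST_IFS" ] ||
            { echo "skipping $cust_f" >&2; cust_rc=1; continue; }
        router "${cust_name}2${cust_name}" inface "$CUST_IFS" outface "$CUST_IFS" \
            src "$CUST_IPS" dst "$CUST_IPS"
        policy accept
        router "inet2${cust_name}" inface "$2" outface "$CUST_IFS" \
            src not "$UNROUTABLE_IPS" dst "$CUST_IPS"
        client all accept
    done
    return "$cust_rc"
}

# Constructed sample: customer A's file from the message, in a temp directory.
demo() {
    d=$(mktemp -d) || return 1
    printf 'if0 10.0.1.0/24\nif1 10.0.2.0/24\nif2 10.0.3.0/24\n' > "$d/A"
    customer_rules "$d" eth0; s=$?; rm -rf "$d"; return "$s"
}
demo
```

In firehol.conf the call would be customer_rules /etc/firehol/customers "${INTERNET_IF}", with its exit status checked so a rejected file is noticed.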





