[Firehol-support] need help
Tamer Higazi
th982a at googlemail.com
Fri Apr 2 20:42:35 BST 2010
Hi people!
I have FireHOL and 2 NICs and I really need help, because I can't get the
other CPU in my LAN handled, and I am not really a firewall expert. Could
any of you help me? How do I have to configure FireHOL and the client
behind it so that the client easily gets through to the internet via
IP masquerading?!
For any advice I would kindly thank you.
eth0: 192.168.1.2 Bcast:192.168.1.255 Maske:255.255.255.0
eth3: inet Adresse:192.168.2.1 Bcast:192.168.2.255 Maske:255.255.255.0
ppp0: inet Adresse:85.xxx.xxx.x P-z-P:213.191.64.102 Maske:255.255.255.255
and my firewall configuration:
#!/etc/init.d/firehol
# : firehol.sh,v 1.273 2008/07/31 00:46:41 ktsaou Exp $
#
# This config will have the same effect as NO PROTECTION!
# Everything that was found to be running is allowed.
# YOU SHOULD NEVER USE THIS CONFIG AS-IS.
#
# Date: Sun 28 Mar 16:38:57 CEST 2010 on host tux
#
# IMPORTANT:
# The TODOs below are *YOUR* to-dos!
#
# INFO: Processing interface 'eth0'
# INFO: Processing IP 192.168.1.2 of interface 'eth0'
# INFO: Is 192.168.1.2 part of network 192.168.1.0/24? yes
# Interface No 1.
# The purpose of this interface is to control the traffic
# on the eth0 interface with IP 192.168.1.2 (net: "192.168.1.0/24").
# TODO: Change "interface1" to something with meaning to you.
# TODO: Check the optional rule parameters (src/dst).
# TODO: Remove 'dst 192.168.1.2' if this is dynamically assigned.
interface eth0 interface1 src "192.168.1.0/24" dst 192.168.1.2
# The default policy is DROP. You can be more polite with REJECT.
# Prefer to be polite on your own clients to prevent timeouts.
policy accept
# If you don't trust the clients behind eth0 (net "192.168.1.0/24"),
# add something like this.
# > protection strong
# Here are the services listening on eth0.
# TODO: Normally, you will have to remove those not needed.
server all accept
client all accept
# INFO: Processing interface 'eth3'
# INFO: Processing IP 192.168.2.1 of interface 'eth3'
# INFO: Is 192.168.2.1 part of network 192.168.2.0/24? yes
# Interface No 2.
# The purpose of this interface is to control the traffic
# on the eth3 interface with IP 192.168.2.1 (net: "192.168.2.0/24").
# TODO: Change "interface2" to something with meaning to you.
# TODO: Check the optional rule parameters (src/dst).
# TODO: Remove 'dst 192.168.2.1' if this is dynamically assigned.
interface eth3 interface2 src "192.168.2.0/24" dst 192.168.2.1
# The default policy is DROP. You can be more polite with REJECT.
# Prefer to be polite on your own clients to prevent timeouts.
policy accept
# If you don't trust the clients behind eth3 (net "192.168.2.0/24"),
# add something like this.
# > protection strong
# Here are the services listening on eth3.
# TODO: Normally, you will have to remove those not needed.
server all accept
client all accept
# INFO: Processing interface 'ppp0'
# INFO: Processing IP 85.xxx.xxx.x of interface 'ppp0'
# INFO: Is 85.xxx.xxx.x part of network 213.191.64.102? no
# INFO: Is 213.191.64.102 part of network 213.191.64.102? yes
# INFO: Skipping ppp0 peer 213.191.64.102 only interface (default gateway).
# INFO: Is 213.191.64.102 part of network 213.191.64.102? yes
# INFO: Default gateway 213.191.64.102 is part of network 213.191.64.102
# Interface No 3.
# The purpose of this interface is to control the traffic
# from/to unknown networks behind the default gateway 213.191.64.102 .
# TODO: Change "interface3" to something with meaning to you.
# TODO: Check the optional rule parameters (src/dst).
# TODO: Remove 'dst 85.xxx.xxx.x' if this is dynamically assigned.
interface ppp0 interface3 src not "${UNROUTABLE_IPS} " dst 85.xxx.xxx.x
# The default policy is DROP. You can be more polite with REJECT.
# Prefer to be polite on your own clients to prevent timeouts.
policy drop
# If you don't trust the clients behind ppp0 (net not "${UNROUTABLE_IPS} "),
# add something like this.
protection strong
# Here are the services listening on ppp0.
# TODO: Normally, you will have to remove those not needed.
client all accept
# The above 3 interfaces were found active at this moment.
# Add more interfaces that can potentially be activated in the future.
# FireHOL will not complain if you setup a firewall on an interface that is
# not active when you activate the firewall.
# If you don't setup an interface, FireHOL will drop all traffic from or to
# this interface, if and when it becomes available.
# Also, if an interface name dynamically changes (i.e. ppp0 may become ppp1)
# you can use the plus (+) character to match all of them (i.e. ppp+).
# Router No 1.
# Clients on eth0 (from "192.168.1.0/24") accessing servers on eth3 (to "192.168.2.0/24").
# TODO: Change "router1" to something with meaning to you.
# TODO: Check the optional rule parameters (src/dst).
router router1 inface eth0 outface eth3 src "192.168.1.0/24" dst "192.168.2.0/24"
# If you don't trust the clients on eth0 (from "192.168.1.0/24"), or
# if you want to protect the servers on eth3 (to "192.168.2.0/24"),
# uncomment the following line.
# > protection strong
# To NAT client requests on the output of eth3, add this.
# > masquerade
# Alternatively, you can SNAT them by placing this at the top of this config:
# > snat to 192.168.2.1 outface eth3 src "192.168.1.0/24" dst "192.168.2.0/24"
# SNAT commands can be enhanced using 'proto', 'sport', 'dport', etc in order to
# NAT only some specific traffic.
# TODO: This will allow all traffic to pass.
# If you remove it, no REQUEST will pass matching this traffic.
route all accept
# Router No 2.
# Clients on eth0 (from "192.168.1.0/24") accessing servers on ppp0 (to not "${UNROUTABLE_IPS} ").
# TODO: Change "router2" to something with meaning to you.
# TODO: Check the optional rule parameters (src/dst).
router router2 inface eth0 outface ppp0 src "192.168.1.0/24" dst not "${UNROUTABLE_IPS} "
# If you don't trust the clients on eth0 (from "192.168.1.0/24"), or
# if you want to protect the servers on ppp0 (to not "${UNROUTABLE_IPS} "),
# uncomment the following line.
# > protection strong
# To NAT client requests on the output of ppp0, add this.
# > masquerade
# Alternatively, you can SNAT them by placing this at the top of this config:
# > snat to 85.xxx.xxx.x outface ppp0 src "192.168.1.0/24" dst not "${UNROUTABLE_IPS} "
# SNAT commands can be enhanced using 'proto', 'sport', 'dport', etc in order to
# NAT only some specific traffic.
# TODO: This will allow all traffic to pass.
# If you remove it, no REQUEST will pass matching this traffic.
route all accept
# Router No 3.
# Clients on eth3 (from "192.168.2.0/24") accessing servers on eth0 (to "192.168.1.0/24").
# TODO: Change "router3" to something with meaning to you.
# TODO: Check the optional rule parameters (src/dst).
router router3 inface eth3 outface eth0 src "192.168.2.0/24" dst "192.168.1.0/24"
# If you don't trust the clients on eth3 (from "192.168.2.0/24"), or
# if you want to protect the servers on eth0 (to "192.168.1.0/24"),
# uncomment the following line.
# > protection strong
# To NAT client requests on the output of eth0, add this.
# > masquerade
# Alternatively, you can SNAT them by placing this at the top of this config:
# > snat to 192.168.1.2 outface eth0 src "192.168.2.0/24" dst "192.168.1.0/24"
# SNAT commands can be enhanced using 'proto', 'sport', 'dport', etc in order to
# NAT only some specific traffic.
# TODO: This will allow all traffic to pass.
# If you remove it, no REQUEST will pass matching this traffic.
route all accept
# Router No 4.
# Clients on eth3 (from "192.168.2.0/24") accessing servers on ppp0 (to not "${UNROUTABLE_IPS} ").
# TODO: Change "router4" to something with meaning to you.
# TODO: Check the optional rule parameters (src/dst).
router router4 inface eth3 outface ppp0 src "192.168.2.0/24" dst not "${UNROUTABLE_IPS} "
# If you don't trust the clients on eth3 (from "192.168.2.0/24"), or
# if you want to protect the servers on ppp0 (to not "${UNROUTABLE_IPS} "),
# uncomment the following line.
# > protection strong
# To NAT client requests on the output of ppp0, add this.
# > masquerade
# Alternatively, you can SNAT them by placing this at the top of this config:
# > snat to 85.xxx.xxx.x outface ppp0 src "192.168.2.0/24" dst not "${UNROUTABLE_IPS} "
# SNAT commands can be enhanced using 'proto', 'sport', 'dport', etc in order to
# NAT only some specific traffic.
# TODO: This will allow all traffic to pass.
# If you remove it, no REQUEST will pass matching this traffic.
masquerade
route all accept
# Router No 5.
# Clients on ppp0 (from not "${UNROUTABLE_IPS} ") accessing servers on eth0 (to "192.168.1.0/24").
# TODO: Change "router5" to something with meaning to you.
# TODO: Check the optional rule parameters (src/dst).
router router5 inface ppp0 outface eth0 src not "${UNROUTABLE_IPS} " dst "192.168.1.0/24"
# If you don't trust the clients on ppp0 (from not "${UNROUTABLE_IPS} "), or
# if you want to protect the servers on eth0 (to "192.168.1.0/24"),
# uncomment the following line.
# > protection strong
# To NAT client requests on the output of eth0, add this.
# > masquerade
# Alternatively, you can SNAT them by placing this at the top of this config:
# > snat to 192.168.1.2 outface eth0 src not "${UNROUTABLE_IPS} " dst "192.168.1.0/24"
# SNAT commands can be enhanced using 'proto', 'sport', 'dport', etc in order to
# NAT only some specific traffic.
# TODO: This will allow all traffic to pass.
# If you remove it, no REQUEST will pass matching this traffic.
route all accept
# Router No 6.
# Clients on ppp0 (from not "${UNROUTABLE_IPS} ") accessing servers on eth3 (to "192.168.2.0/24").
# TODO: Change "router6" to something with meaning to you.
# TODO: Check the optional rule parameters (src/dst).
router router6 inface ppp0 outface eth3 src not "${UNROUTABLE_IPS} " dst "192.168.2.0/24"
# If you don't trust the clients on ppp0 (from not "${UNROUTABLE_IPS} "), or
# if you want to protect the servers on eth3 (to "192.168.2.0/24"),
# uncomment the following line.
# > protection strong
# To NAT client requests on the output of eth3, add this.
# > masquerade
# Alternatively, you can SNAT them by placing this at the top of this config:
# > snat to 192.168.2.1 outface eth3 src not "${UNROUTABLE_IPS} " dst "192.168.2.0/24"
# SNAT commands can be enhanced using 'proto', 'sport', 'dport', etc in order to
# NAT only some specific traffic.
# TODO: This will allow all traffic to pass.
# If you remove it, no REQUEST will pass matching this traffic.
route all accept
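A tightened FireHOL 1.x configuration for the same three-interface box, added here as an example (it is not the poster's config and not from the FireHOL project). It assumes the client sits on eth3 (192.168.2.0/24), that eth0 (192.168.1.0/24) is only the link to the modem, and that ppp0 is the internet link; the interface and router names are made up for this example.

```firehol
version 5

# LAN side: the client lives on eth3 (192.168.2.0/24) - assumption for this example.
# The generated "policy accept" + "server all accept" exposes every listening
# service on the firewall to the LAN; answer only what the LAN actually needs.
interface eth3 lan src "192.168.2.0/24"
    policy reject
    server "dns dhcp ssh" accept
    client all accept

# Modem link on eth0 (192.168.1.0/24): the firewall only acts as a client here.
interface eth0 modem src "192.168.1.0/24"
    policy drop
    client all accept

# Internet link: drop everything unsolicited, keep the anti-spoofing src filter.
interface ppp0 internet src not "${UNROUTABLE_IPS}"
    policy drop
    protection strong
    client all accept

# The one router the question needs: LAN -> internet, masquerading on the
# outface (ppp0). No router from ppp0 into the LANs is defined, so nothing
# arriving from the internet is forwarded to the private addresses.
router lan2internet inface eth3 outface ppp0 src "192.168.2.0/24" dst not "${UNROUTABLE_IPS}"
    masquerade
    route all accept
```

FireHOL enables net.ipv4.ip_forward itself when a router is defined, so the client only needs 192.168.2.1 as its default gateway and a resolver it can reach (the firewall's or the ISP's). The posted config already carries the same masquerade inside router4 (eth3 to ppp0); what this example removes is the accept-everything policy on the LAN interfaces and the five other all-accept routers.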