[Firehol-support] locking down a dual stack bridging firewall with firehol

Phineas Gage phineas919 at gmail.com
Wed Nov 12 21:38:22 GMT 2014


I’m converting my firewall to a transparent bridge, and have a basic config working for IPv4 and IPv6. Our environment is simple:

LAN <=> (eth0) Linux Firewall (eth1) [br0 bridges eth0 and eth1] <=> ADSL modem

I would like to let all client traffic out but nothing in. But for some reason, I need this router line accepting all traffic from the Internet side interface, otherwise clients lose their DHCP v4 addresses a few seconds after they get them:

router46 internet2lan physin eth1 physout eth0
    route all accept # !!! Figure out why, without this accept, I lose my DHCP v4 address after a few seconds

Now, I think it may be covered by my “int2br” rule, which rejects everything but some needed IPv6 traffic, but I would like to make the above line cleaner.

Does anyone know how to make this better, or does anyone spot any other holes in this configuration I’ve missed?

Hopefully what I’ve got so far helps someone...

----
version 6

# The lan network
lan_net="redacted"
lan6_net="redacted"

interface46 eth0 lan
    policy reject
    tcpmss auto
    server "ipv6error ipv6neigh ipv6router" accept
    server "ssh icmp icmpv6" accept
    client "ipv6neigh ipv6router" accept
    client all accept
    server all reject

interface46 eth1 internet
    protection strong 10/sec 10
    tcpmss auto
    server "ipv6error ipv6neigh" accept
    server "icmp icmpv6" accept
    client "ipv6neigh ipv6router" accept
    client all accept
    server all reject

interface46 br0 bridge
    server "ipv6error ipv6neigh ipv6router" accept
    server "ssh icmp icmpv6" accept
    server all reject
    client all accept

router46 lan2internet physin eth0 physout eth1
    route all accept

router46 internet2lan physin eth1 physout eth0
    route all accept # !!! Figure out why, without this accept, I lose my DHCP v4 address after a few seconds

router46 br2int inface br0 outface br0 physin eth0 physout eth1
    route ipv6neigh accept
    route ipv6router accept
    route ipv6error accept
    route all accept

router46 int2br inface br0 outface br0 physin eth1 physout eth0
    route ipv6neigh accept
    route ipv6error accept
    route all reject
----
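A small audit helper, added here and not part of the original post or of FireHOL itself, that parses the router blocks of a config like the one above and flags any router whose physical ingress port is untrusted and which carries an accept-all rule (the line the poster marked with !!!). It assumes eth1 is the only untrusted port; the sample config is constructed from the post's router blocks.

```python
import re

# Constructed sample: the router blocks from the config above, in a minimal file.
SAMPLE_CONFIG = """\
version 6

router46 lan2internet physin eth0 physout eth1
    route all accept

router46 internet2lan physin eth1 physout eth0
    route all accept # !!! Figure out why this is needed

router46 int2br inface br0 outface br0 physin eth1 physout eth0
    route ipv6neigh accept
    route ipv6error accept
    route all reject
"""

ROUTER_RE = re.compile(r"^router(?:46|4|6)?\s+(\S+)\s*(.*)$")

def parse_routers(config):
    """Map router name -> {"opts": {"physin": ..}, "rules": [(verb, service, action), ..]}."""
    routers, current = {}, None
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].rstrip()            # drop comments and trailing space
        if not line.strip():
            continue
        indented = line[0] in " \t"
        match = None if indented else ROUTER_RE.match(line)
        if match:
            words = match.group(2).split()              # "physin eth1 physout eth0"
            opts = dict(zip(words[0::2], words[1::2]))  # -> {"physin": "eth1", ...}
            current = routers[match.group(1)] = {"opts": opts, "rules": []}
        elif indented and current is not None:
            current["rules"].append(tuple(line.split()[:3]))
        elif not indented:
            current = None                              # interface or other top-level block
    return routers

def find_open_routers(config, untrusted_ports=("eth1",)):
    """Names of routers taking traffic in from an untrusted port and accepting all of it."""
    flagged = []
    for name, router in parse_routers(config).items():
        physin = router["opts"].get("physin", router["opts"].get("inface"))
        accepts_all = any(verb in ("route", "server") and service == "all" and action == "accept"
                          for verb, service, action in router["rules"])
        if physin in untrusted_ports and accepts_all:
            flagged.append(name)
    return flagged
```

Run `find_open_routers(SAMPLE_CONFIG)` to get the list of wide-open routers; on the sample it reports only internet2lan, since int2br ends in `route all reject`.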