[Firehol-support] locking down a dual stack bridging firewall with firehol

Phineas Gage phineas919 at gmail.com
Thu Nov 13 23:33:51 GMT 2014

Hi Phil,

> On Nov 13, 2014, at 8:25 PM, Phil Whineray <phil at sanewall.org> wrote:
> I take it that the DHCP server runs on the ADSL modem in this setup?


> The explanation and formatting at this link needs a tidy up (another thing
> to add to my todo list) but hopefully is good enough to explain what
> might be happening:
> http://firehol.org/firehol-manual/firehol-services/#service-dhcp
> In summary I think you may be falling foul of the fact that DHCP uses
> source and destination IP on request that don't match the response, so
> we need stateless rules to match them. The result is that the
> "route all accept" in your "lan2internet" section does not allow the
> response to a DHCP request that you might expect.
> As I think Costa mentioned elsewhere you should be able to see blocked
> packets in the log. If you indeed see DHCP response packets being
> blocked, I think you may just need to add an explicit rule for DHCP.

Ok, that’s it, thanks. I didn’t notice any drop messages in the log, but got it working with the rules below.

I also thought I could add “route all reject” after “route dhcp accept” in my int2lan rule, but that doesn’t work. Starting with “policy reject” then leaving out the final “route all reject” at the end works, and finally I at least can’t ping from the external interface to internal devices, which is good.

Note: I removed the lan2internet and internet2lan rules from my previous email and renamed br2int and int2br to lan2int and int2lan, respectively, so this config is simpler than before.

I do notice these messages in the syslog repeated many times when I run firehol:

xt_physdev: using --physdev-out in the OUTPUT, FORWARD and POSTROUTING chains for non-bridged traffic is not supported anymore.

But I’m only using physin and physout on my bridge interface br0, so not sure why I’m seeing this, and would like to figure out how to fix it.

> I too have never used a bridge setup like this but I have been
> considering it for similar reasons, so I'm interested in your results.

I’m starting to like this setup a lot for its simplicity, particularly with dual stack support. No more running radvd for IPv6 and having special IPv6 settings in sysctl.conf to get router advertisements working for IPv6 autoconfiguration. No more separate subnet for the external and internal interfaces, and theoretically I should be able to start doing QoS on my external interface again. I was doing it on the internal interface so that srcmac and dstmac matching would work to handle both the IPv4 and IPv6 cases, but it is a bit counterintuitive.

There’s also probably more locking down I can do (for example, restricting src and dst IP addresses), so before making it a Wiki example I would attempt that.

I also need to audit the packet classification more closely in FireQOS, because some packets aren’t classified quite the same way as they used to, but I can hopefully track that down with “fireqos tcpdump”, and maybe it will clear up when I move back to QoS on the external interface.

Thanks for your help guys...

# Simplified config of what I’m actually using
version 6

interface46 eth0 lan
   policy reject
   tcpmss auto
   server "ipv6error ipv6neigh ipv6router" accept
   server "ssh icmp icmpv6" accept
   client "ipv6neigh ipv6router" accept
   client all accept
   server all reject

interface46 eth1 internet
   protection strong 10/sec 10
   tcpmss auto
   server "ipv6error ipv6neigh" accept
   server "icmp icmpv6" accept
   client "ipv6neigh ipv6router" accept
   client all accept
   server all reject

interface46 br0 bridge
   server "ipv6error ipv6neigh ipv6router" accept
   server "ssh icmp icmpv6" accept
   client "ipv6neigh ipv6router" accept
   client all accept
   server all reject

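# Bridged traffic entering on eth0 (lan) and leaving on eth1 (internet)
router46 lan2int inface br0 outface br0 physin eth0 physout eth1
  route "ipv6neigh ipv6router ipv6error" accept
  route all accept

# Bridged traffic entering on eth1 and leaving on eth0: reject by default,
# with dhcp allowed explicitly
router46 int2lan inface br0 outface br0 physin eth1 physout eth0
  policy reject
  route "ipv6neigh ipv6error" accept
  route dhcp accept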
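
The log check suggested in the quoted reply, as an added example that is not part of the original post or of FireHOL: it picks DHCP server-to-client packets (UDP 67 to 68) crossing the bridge from eth1 to eth0 out of netfilter LOG lines and shows that none is the reverse of the client's broadcast request, which is why a stateful accept does not cover them. The log lines, addresses and the `BLOCKED:` prefix are constructed, and the tuple comparison is a simplified model of connection tracking.

```python
import re

# Constructed kernel log lines in netfilter LOG layout. The addresses and the
# "BLOCKED:" prefix are made up for this example; MAC fields are left out.
SAMPLE_LOG = """\
Nov 13 23:01:02 fw kernel: BLOCKED: IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=192.0.2.1 DST=192.0.2.50 LEN=328 PROTO=UDP SPT=67 DPT=68 LEN=308
Nov 13 23:01:05 fw kernel: BLOCKED: IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=192.0.2.1 DST=255.255.255.255 LEN=328 PROTO=UDP SPT=67 DPT=68 LEN=308
Nov 13 23:01:09 fw kernel: BLOCKED: IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=198.51.100.7 DST=192.0.2.50 LEN=60 PROTO=TCP SPT=40000 DPT=22
"""

FIELD = re.compile(r"(\w+)=(\S*)")

# A client's initial DHCP broadcast: it has no address yet, so it sends from
# 0.0.0.0:68 to 255.255.255.255:67.
DISCOVER = ("0.0.0.0", 68, "255.255.255.255", 67)


def parse(line):
    """Return the KEY=value fields of one LOG line as a dict."""
    return dict(FIELD.findall(line))


def conntrack_would_match(request, reply):
    """Simplified stateful check: a reply must be the request tuple reversed."""
    src, spt, dst, dpt = request
    return reply == (dst, dpt, src, spt)


def blocked_dhcp_replies(log_text, physin="eth1", physout="eth0"):
    """Tuples of DHCP server->client packets logged on the given bridge path."""
    hits = []
    for line in log_text.splitlines():
        f = parse(line)
        if (f.get("PROTO") == "UDP" and f.get("SPT") == "67"
                and f.get("DPT") == "68"
                and f.get("PHYSIN") == physin and f.get("PHYSOUT") == physout):
            hits.append((f["SRC"], 67, f["DST"], 68))
    return hits


if __name__ == "__main__":
    for reply in blocked_dhcp_replies(SAMPLE_LOG):
        print(reply, "covered by request state:",
              conntrack_would_match(DISCOVER, reply))
```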
