[Firehol-support] Stateless rules

Guillaume Lacroix gl at worldline.fr
Wed Nov 26 15:40:34 GMT 2014 

Hi Costa,

Thanks a lot, I could make it work as expected. One last thing tho, is there a possibility to open all the routes from the DMZ to the internet and not the other way round ?  

More specifically, I have open some route from the internet to my web server (IP 123.123.123.123) :

router internet_to_web inface any outface any dst 123.123.123.123
route anystateless myhttp accept dport 80 proto tcp
route anystateless myhttps accept dport 443 proto tcp

route all deny

With that, only http and https traffic is allowed to hit the web server. Now, I would like to allow the web to connect to the internet with no restrictions (DNS, mail, NTP, whatever…). So, before the previous command, I have add :

router web_to_internet inface any outface any src 123.123.123.123
        route anystateless myext accept  

router internet_to_web…. (same as before)

In a statefull mode, this works as expected, but in a stateless mode, this opens symmetrically all the routes in and out, so the restriction on http/https is no more used.

Is there any workaround or the only choice is to set the web_to_internet in a statefull mode (and use conntrack sync mechanism) ?

Thx and regards,
Guillaume


Le mercredi 19 novembre 2014 à 19:17, Tsaousis, Costa a écrit :

> Yes, it works for both interfaces and routers.
>  
> Costa
>  
> On Wed, Nov 19, 2014 at 7:12 PM, Guillaume Lacroix <gl at worldline.fr (mailto:gl at worldline.fr)> wrote:
> > Hi Costa,
> >  
> > Thanks a lot for the tip. Does it work as well with route ? Something like :
> >  
> > router in_to_web inface myin outface myout dst 123.123.123.123
> > route anystateless myhttp accept dport 80 proto tcp
> > route anystateless myhttp accept dport 80 proto tcp
> >  
> > The reason is that I use different FWs on different routers for redundancy.
> > Each router is connected to a different ISP within a same BGP session, so a
> > request may arrive to any of the FWs and so the router should not keep a
> > track of the session (the other solution would have been to update the
> > contrack on the different FWs but I don’t want to do that).
> >  
> > Thanks,
> > Guillaume
> >  
> > Le mercredi 19 novembre 2014 à 18:01, Tsaousis, Costa a écrit :
> >  
> > Hi Guillaume,
> >  
> > Why do you want to do this? Are you facing any issues with the
> > netfilter state machine?
> >  
> > Anyway, if your really want to do it, use this:
> >  
> > server anystateless myhttp accept dport 80
> > server anystateless myhttps accept dport 443
> >  
> > Costa
> >  
> >  
> >  
> > On Wed, Nov 19, 2014 at 3:56 PM, Guillaume Lacroix <gl at worldline.fr (mailto:gl at worldline.fr)> wrote:
> >  
> > Hello,
> >  
> > I have gone through the FH configuration, but I couldn’t find a way to
> > specify some rules statelessly (I can only set a destination stateless using
> > « anystateless » command).
> >  
> > Is there a way, for example, to set set a route stateless for HTTP/HTTPS
> > only ?
> >  
> > Thanks and regards,
> > Guillaume
> > _______________________________________________
> > Firehol-support mailing list
> > Firehol-support at lists.firehol.org (mailto:Firehol-support at lists.firehol.org)
> > http://lists.firehol.org/mailman/listinfo/firehol-support
> >  
>  
>  
>

More information about the Firehol-support mailing list