[Firehol-support] Firewall on DMZ

Tsaousis, Costa costa at tsaousis.gr
Thu Apr 30 16:07:04 BST 2015


Tony,

Could you please post the iptables log line of the failed request?
Replace $trusted_ip if you don't want us to know the IP.
Where do you get log line? On the web server or the router?

Costa




On Thu, Apr 30, 2015 at 4:39 PM, Tony Peña <emperor.cu at gmail.com> wrote:
> Hi
> I want to stop flood syn traffic over http from external ip but I have only
> eth0 on linux
>
> I have the linux on dmz with ip 192.168.7.1 and only eth0
> I have setup the snat from public ip from the router to linux to 80 and 443
>
> But when i set on firehol
>
> -------------------------
> version 5
>
> Trusted_ip="other ip trusted"
>
> blacklist full "list black ip"
>
> Interface eth0 ethernet
>   Policy drop
>   Server "http https" accept src "$trusted_ip"
>   Client all accept
> ------------------------------------
>
> Can't access from my trust ip to apache
>
> On the /var/log/messages i can see request failed of kernel from any
> including my trusted ip.
>
>
> My question is how can i set firehol if on my server is on dmz and have
> only 1 ethernet access?
>
> from internet --> router (SNAT any to --> eth0 linux
> from lan (192.168.0.1/24) --> routing to --> eth0 linux
>
> when firehol is active nobody access to http and https
>
> Any idea?
>
> Thanxs in advace
>
> --
> Antonio Peña
> Secure email with PGP 0x8B021001 available at https://pgp.mit.edu
> <https://pgp.mit.edu/pks/lookup?search=0x8B021001&op=index&fingerprint=on&exact=on>
> Fingerprint: 74E6 2974 B090 366D CE71  7BB2 6476 FA09 8B02 1001
> _______________________________________________
> Firehol-support mailing list
> Firehol-support at lists.firehol.org
> http://lists.firehol.org/mailman/listinfo/firehol-support



More information about the Firehol-support mailing list