[Firehol-support] Firewall logic
Daniel Heckl
daniel.heckl at gmail.com
Wed Jan 6 11:59:32 GMT 2016
Hi all,
first, thanks for the great FireHOL.
On my server, mainly Asterisk and a monitoring server are running. Because of the SIP server, it is very important that no unauthorized party has access to the SIP port.
I have only one NIC, which is connected to the LAN and to the internet (behind a NAT router, without port forwarding).
Is my division into two interfaces (see below) logically correct? Does it make sense to you? Do you see any vulnerabilities?
Thanks for help,
Daniel
# Require release 6 of FireHOL configuration directives
version 6

# webrtc (custom service: Asterisk HTTP/WebSocket interface)
server_webrtc_ports="tcp/8088"
client_webrtc_ports="default"

# isymphony (custom service)
server_isymphony_ports="tcp/58080"
client_isymphony_ports="default"

# NIC connected with internet and lan
nic="eth0"

# IPs
lan="10.0.1.0/24"
telekom="217.0.0.0/13"
sipgate_sip="217.10.79.9"
sipgate_rtp="217.10.64.0/20 217.116.112.0/20 212.9.32.0/19"
openvpn="10.3.0.0/24"
l2tp="10.2.0.0/24"

# First interface definition on eth0: only traffic whose source is in the
# LAN/VPN ranges (IPv4) or in fc00::/7 (IPv6 ULA) is handled here.
interface "${nic}" lan src4 "${lan} ${openvpn} ${l2tp}" src6 fc00::/7
	server ipv6error accept
	client ipv6neigh accept
	server ipv6neigh accept
	server ssh accept
	server http accept
	server https accept
	server isymphony accept
	server ICMP accept
	server ICMPV6 accept
	server webrtc accept
	server sip accept
	server rtp accept
	client all accept

# Second interface definition on the same NIC: everything that did not match
# the src restrictions above ends up here. SIP and RTP are only accepted
# from the listed provider ranges; all other inbound traffic is dropped.
interface "${nic}" internet
	server ipv6error accept
	client ipv6neigh accept
	server ipv6neigh accept
	client ipv6router accept
	server4 sip accept src "${telekom} ${sipgate_sip}"
	server4 rtp accept src "${telekom} ${sipgate_rtp}"
	client4 all accept dst "${telekom} ${sipgate_sip} ${sipgate_rtp}"
	client submission accept
	client smtp accept
	client smtps accept
	client ICMP accept
	client ICMPV6 accept
	client http accept
	client https accept
	client snmp accept
	client ftp accept
	client ssh accept