
FireHOL Configuration by Goal

This table shows how the goals you need to achieve can be easily translated into FireHOL rules:

Thoughts:
    I have a Linux host with two network interfaces.
    • The first is eth0, which connects to my LAN
    • The other is a PPP device, which connects to the internet

In FireHOL:
    interface eth0 lan

    interface ppp+ internet

Thoughts:
    To the internet my Linux provides:
    • a MAIL server
    • a WEB server
    • an FTP server
    • an SSH server, but only for my office computer

In FireHOL:
    office="my-office-pc.example.com"

    interface eth0 lan

    interface ppp+ internet
        server smtp accept
        server http accept
        server ftp  accept
        server ssh  accept src $office

Thoughts:
    My Linux is also a workstation; I want to run any client I wish.

In FireHOL:
    office="my-office-pc.example.com"

    interface eth0 lan

    interface ppp+ internet
        server smtp accept
        server http accept
        server ftp  accept
        server ssh  accept src $office

        client all  accept

Thoughts:
    My LAN is trusted. If a server is running on my Linux, I want my LAN PCs to use it.

In FireHOL:
    office="my-office-pc.example.com"

    interface eth0 lan
        policy accept

    interface ppp+ internet
        server smtp accept
        server http accept
        server ftp  accept
        server ssh  accept src $office

        client all  accept

Thoughts:
    I would like my LAN PCs to use this Linux as a gateway. They will connect, as clients, to the internet for all the services they wish.

In FireHOL:
    office="my-office-pc.example.com"

    interface eth0 lan
        policy accept

    interface ppp+ internet
        server smtp accept
        server http accept
        server ftp  accept
        server ssh  accept src $office

        client all  accept

    router lan2internet inface eth0 outface ppp+
        route all accept

Thoughts:
    My LAN PCs have private IPs, unroutable to the Internet. I need to masquerade their IP addresses somehow for internet access.

In FireHOL:
    office="my-office-pc.example.com"

    interface eth0 lan
        policy accept

    interface ppp+ internet
        server smtp accept
        server http accept
        server ftp  accept
        server ssh  accept src $office

        client all  accept

    router lan2internet inface eth0 outface ppp+
        masquerade
        route all accept
This is it! The firewall is ready. Only the request needs to be specified; FireHOL handles the replies automatically and produces the iptables statements to match exactly what is allowed in both directions, and nothing more.

If, for example, we remove the "client all accept" from the internet interface, our Linux will not be able to do anything with its PPP device except send replies matching the server statements within this interface: no pings, no DNS, no web browsing, no nothing!

The complete configuration file (a little bit enriched) of the above example could be:

    # Require release 5 of FireHOL configuration directives
    version 5

    # A space separated list of all the IPs on the internet I trust
    office="my-office-pc.example.com"

    # The IP address of this Linux and LAN for the rest of the world
    public_ip="198.51.100.1"


    # My LAN. Everything is allowed here.
    interface eth0 lan
        policy accept  # The default is 'drop'.


    # Make sure the traffic coming in comes from valid Internet IPs,
    # and that it is targeting my public IP
    interface ppp+ internet src not "$UNROUTABLE_IPS" dst "$public_ip"
        # Protect me from various kinds of attacks.
        protection strong

        # Public servers.
        server smtp accept
        server http accept
        server ftp  accept
        server ssh  accept src "$office"

        # Make sure idents do not timeout.
        server ident reject with tcp-reset

        # This is also a workstation.
        client all  accept


    # Route the LAN requests to the internet.
    router lan2internet inface eth0 outface ppp+

        # Masquerading on outface.
        masquerade

        # Route all requests from inface to outface
        # and their replies back.
        route all accept

FireHOL is completely dynamic: with its language you can describe any firewall configuration you wish using simple commands.
