
Re: Firehol question



On Mon, 10-01-2005 at 11:06 -0800, JM wrote:

> > interface eth0 internet src not "${UNROUTABLE_IPS}" \
> >      [ dst $ip ] # if your ip is static
> >
> >    policy reject
> >    protection strong
> 
> Thanks Gian, I am just running a website from my box at home and it is a
> dynamic ip address actually through DSL and an ip address of 192.168.0.138
> through a D-Link router.  So I will keep the <interface eth0 internet src
> not "${UNROUTABLE_IPS}"> and I will leave out the <[ dst $ip ] # if your
> ip is static>

Well, the router re-writes the destination address to the one assigned to
your linux box (192.168.0.138, if I've understood correctly), so you can
keep the dst parameter (being itself an unroutable address, using the
dst parameter isn't strictly necessary, but I think it can be useful at
least in order to notice a possible misconfiguration).
If you have a LAN, I'd add another stanza listing different
"permissions" for internal LAN communications:

interface eth0 lan dst 192.168.0.138/32 src 192.168.0.0/24 (I suppose)
	policy reject
	protection strong
	...

So, if for example tcp/8080 is used by a proxy that should serve
only the LAN, remove it from the previous stanza and add it into the
last one.
Another thing I've forgotten in the previous mail: "client all accept"
isn't recommended on a server, keep it as strict as you can.

Ciao,
Gian Piero.
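As an added illustration of the advice in this thread (this is not Gian Piero's or JM's own configuration), here is a complete FireHOL config that puts the two stanzas together: an "internet" stanza for traffic the router forwards to the box, and a "lan" stanza that is the only place the tcp/8080 proxy is opened. It assumes FireHOL 1.x ("version 5" config syntax), that the box is 192.168.0.138 behind a port-forwarding router, that the LAN is 192.168.0.0/24, that the only public service is HTTP, and that the proxy is exposed under the made-up custom service name "lanproxy"; the "client" list in the internet stanza is an assumed minimal set, in place of "client all accept".

```firehol
# Added example config (not from the original thread). Assumptions:
# FireHOL 1.x, box = 192.168.0.138 behind a port-forwarding router,
# LAN = 192.168.0.0/24, public service = HTTP, LAN-only proxy on tcp/8080.
version 5

ip="192.168.0.138"        # address the router forwards to (assumed)
lan="192.168.0.0/24"      # internal LAN range (assumed)

# Traffic arriving from the Internet through the router.  The dst match
# is not strictly required, but it makes the stanza stop matching (and so
# log rejects) if the router ever starts forwarding to another address.
interface eth0 internet src not "${UNROUTABLE_IPS}" dst "${ip}"
	policy reject
	protection strong
	# only the service the box actually publishes
	server http accept
	# outgoing connections the server itself needs; an assumed minimal
	# set instead of "client all accept"
	client "dns http https ntp" accept

# Traffic from the LAN.  The proxy is opened here only, never in the
# internet stanza above.
interface eth0 lan src "${lan}" dst "${ip}"
	policy reject
	protection strong
	server "http ssh" accept
	# "lanproxy" is a hypothetical custom service name; tcp/8080 is the
	# proxy port discussed in the thread
	server custom lanproxy "tcp/8080" default accept
	client all accept
```

Because 192.168.0.0/24 is itself part of UNROUTABLE_IPS, LAN packets never match the internet stanza and fall through to the lan stanza, so the two definitions on the same physical eth0 do not overlap; anything that matches neither (for example a packet from a public source that the router forwarded to the wrong address) hits no stanza and is dropped by FireHOL's default handling, which is the misconfiguration signal mentioned above.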
