Old 27th February 2008, 15:27
zenny (Senior Member, Join Date: Nov 2006)

After changing the firehol.conf to the output of '/etc/init.d/firehol helpme > /tmp/firehol.conf', I could get access to the internet, but it does NOT seem to be broadcasting (using dnsmasq) DHCP addresses to the local net using eth0:0. How can I identify the reason why DHCP is not broadcast? (wondering)

Quote:

# route
Kernel IP routing table
Destination     Gateway           Genmask         Flags Metric Ref Use Iface
xxx.yyy.zzz.aaa *                 255.255.255.192 U     0      0   0   eth0
192.168.7.0     *                 255.255.255.0   U     0      0   0   eth0
default         gw.mydomain.tld   0.0.0.0         UG    0      0   0   eth0

The firehol.conf looks like this now:

Quote:

#!/sbin/firehol
# ------------------------------------------------------------------------------
# This feature is under construction -- use it with care.
# *** NEVER USE THIS CONFIG AS-IS ***
#
# : firehol.sh,v 1.256 2007/05/22 22:52:53 ktsaou Exp $
# (C) Copyright 2003, Costa Tsaousis <costa@tsaousis.gr>
# FireHOL is distributed under GPL.
# Home Page: http://firehol.sourceforge.net
#
# ------------------------------------------------------------------------------
# FireHOL controls your firewall. You should want to get updates quickly.
# Subscribe (at the home page) to get notified of new releases.
# ------------------------------------------------------------------------------
#
# This config will have the same effect as NO PROTECTION!
# Everything that found to be running, is allowed.
#
# Date: Wed Feb 27 14:25:37 CET 2008 on host multiwork
#
# The TODOs bellow, are YOUR to-dos!

### DEBUG: Processing interface 'eth0'
### DEBUG: Processing IP 192.168.7.2 of interface 'eth0'
### DEBUG: Is 192.168.7.2 part of network 192.168.7.0/24? yes
### DEBUG: Is 192.168.7.2 part of network xxx.yyy.zzz.128/26? no

# Interface No 1.
# The purpose of this interface is to control the traffic
# on the eth0 interface with IP 192.168.7.2 (net: "192.168.7.0/24").
# TODO: Change "interface1" to something with meaning to you.
# TODO: Check the optional rule parameters (src/dst).
# TODO: Remove 'dst 192.168.7.2' if this is dynamically assigned.
interface eth0 interface1 src "192.168.7.0/24" dst 192.168.7.2

# The default policy is DROP. You can be more polite with REJECT.
# Prefer to be polite on your own clients to prevent timeouts.
policy reject

# If you don't trust the clients behind eth0 (net "192.168.7.0/24"),
# add something like this.
# > protection strong

# Here are the services listening on eth0.
# TODO: Normally, you will have to remove those not needed.
server cups accept
server dhcp accept
server dns accept
server ICMP accept

# The following eth0 server ports are not known by FireHOL:
# udp/33222
# TODO: If you need any of them, you should define new services.
# (see Adding Services at the web site - http://firehol.sf.net).

# The following means that this machine can REQUEST anything via eth0.
# TODO: On production servers, avoid this and allow only the
# client services you really need.
client all accept

### DEBUG: Is xxx.yyy.zzz.190 part of network 192.168.7.0/24? no
### DEBUG: Processing IP xxx.yyy.zzz.157 of interface 'eth0'
### DEBUG: Is xxx.yyy.zzz.157 part of network 192.168.7.0/24? no
### DEBUG: Is xxx.yyy.zzz.157 part of network xxx.yyy.zzz.128/26? yes

# Interface No 2.
# The purpose of this interface is to control the traffic
# on the eth0 interface with IP xxx.yyy.zzz.157 (net: "xxx.yyy.zzz.128/26").
# TODO: Change "interface2" to something with meaning to you.
# TODO: Check the optional rule parameters (src/dst).
# TODO: Remove 'dst xxx.yyy.zzz.157' if this is dynamically assigned.
interface eth0 interface2 src "xxx.yyy.zzz.128/26" dst xxx.yyy.zzz.157

# The default policy is DROP. You can be more polite with REJECT.
# Prefer to be polite on your own clients to prevent timeouts.
policy drop

# If you don't trust the clients behind eth0 (net "xxx.yyy.zzz.128/26"),
# add something like this.
protection strong

# Here are the services listening on eth0.
# TODO: Normally, you will have to remove those not needed.
server cups accept
server dhcp accept
server dns accept
server ICMP accept

# The following eth0 server ports are not known by FireHOL:
# udp/33222
# TODO: If you need any of them, you should define new services.
# (see Adding Services at the web site - http://firehol.sf.net).

# The following means that this machine can REQUEST anything via eth0.
# TODO: On production servers, avoid this and allow only the
# client services you really need.
client all accept

### DEBUG: Is xxx.yyy.zzz.190 part of network xxx.yyy.zzz.128/26? yes
### DEBUG: Default gateway xxx.yyy.zzz.190 is part of network xxx.yyy.zzz.128/26

# Interface No 3.
# The purpose of this interface is to control the traffic
# from/to unknown networks behind the default gateway xxx.yyy.zzz.190 .
# TODO: Change "interface3" to something with meaning to you.
# TODO: Check the optional rule parameters (src/dst).
# TODO: Remove 'dst xxx.yyy.zzz.157' if this is dynamically assigned.
interface eth0 interface3 src not "${UNROUTABLE_IPS} xxx.yyy.zzz.128/26" dst xxx.yyy.zzz.157

# The default policy is DROP. You can be more polite with REJECT.
# Prefer to be polite on your own clients to prevent timeouts.
policy drop

# If you don't trust the clients behind eth0 (net not "${UNROUTABLE_IPS} xxx.yyy.zzz.128/26"),
# add something like this.
# > protection strong

# Here are the services listening on eth0.
# TODO: Normally, you will have to remove those not needed.
server cups accept
server dhcp accept
server dns accept
server ICMP accept

# The following eth0 server ports are not known by FireHOL:
# udp/33222
# TODO: If you need any of them, you should define new services.
# (see Adding Services at the web site - http://firehol.sf.net).

# The following means that this machine can REQUEST anything via eth0.
# TODO: On production servers, avoid this and allow only the
# client services you really need.
client all accept


# The above 3 interfaces were found active at this moment.
# Add more interfaces that can potentially be activated in the future.
# FireHOL will not complain if you setup a firewall on an interface that is
# not active when you activate the firewall.
# If you don't setup an interface, FireHOL will drop all traffic from or to
# this interface, if and when it becomes available.
# Also, if an interface name dynamically changes (i.e. ppp0 may become ppp1)
# you can use the plus (+) character to match all of them (i.e. ppp+).



# No router statements have been produced, because your server
# is not configured for forwarding traffic.

Any suggestion welcome! Thanks
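One way to narrow the question down, as an added example that is not part of the post and not FireHOL's own code: FireHOL's generated `interface` statements carry `src`/`dst` qualifiers, and a DHCP client asking for a fresh lease sends its DISCOVER from 0.0.0.0 to 255.255.255.255 (RFC 2131), addresses that fall outside `src "192.168.7.0/24" dst 192.168.7.2`. The script below parses interface lines of the form shown in the posted config and reports whether the two common DHCP packet shapes (broadcast DISCOVER, unicast renewal REQUEST) would even be considered by each interface block before the `server dhcp accept` rule is reached. It assumes that `src`/`dst` on a FireHOL `interface` line describe the incoming packet's addresses, and it does not expand FireHOL variables such as `${UNROUTABLE_IPS}`, so a line using them is reported as unresolved. The public prefix the poster masked as `xxx.yyy.zzz` is replaced here with the documentation range 192.0.2.0/24 purely as a constructed stand-in.

```python
import ipaddress
import shlex

# Constructed sample input: interface lines in the shape of the posted firehol.conf.
# 192.0.2.x stands in for the poster's masked public prefix (xxx.yyy.zzz).
SAMPLE_INTERFACES = [
    'interface eth0 interface1 src "192.168.7.0/24" dst 192.168.7.2',
    'interface eth0 interface2 src "192.0.2.128/26" dst 192.0.2.157',
    'interface eth0 interface3 src not "${UNROUTABLE_IPS} 192.0.2.128/26" dst 192.0.2.157',
]

# Constructed DHCP packet shapes (incoming to the server): (source IP, destination IP).
DHCP_PACKETS = {
    "DISCOVER (new client, broadcast)": ("0.0.0.0", "255.255.255.255"),
    "REQUEST (lease renewal, unicast)": ("192.168.7.50", "192.168.7.2"),
}


def parse_interface(line):
    """Parse 'interface <dev> <name> [src [not] <nets>] [dst [not] <nets>]'."""
    tokens = shlex.split(line)
    if len(tokens) < 3 or tokens[0] != "interface":
        raise ValueError("not an interface statement: %r" % line)
    iface = {"device": tokens[1], "name": tokens[2],
             "src": None, "src_not": False,
             "dst": None, "dst_not": False,
             "unresolved": False}
    i = 3
    while i < len(tokens):
        key = tokens[i]
        if key not in ("src", "dst"):
            raise ValueError("unsupported qualifier %r in %r" % (key, line))
        i += 1
        negated = False
        if i < len(tokens) and tokens[i] == "not":
            negated = True
            i += 1
        value = tokens[i]
        i += 1
        if "$" in value:
            # FireHOL variable (e.g. ${UNROUTABLE_IPS}); not expanded here.
            iface["unresolved"] = True
            continue
        # A quoted value may hold several space-separated networks or hosts.
        iface[key] = [ipaddress.ip_network(v, strict=False) for v in value.split()]
        iface[key + "_not"] = negated
    return iface


def matches(iface, src_ip, dst_ip):
    """True if the packet passes the interface's src/dst qualifiers,
    False if it does not, None if the line uses an unexpanded variable."""
    if iface["unresolved"]:
        return None
    addrs = {"src": ipaddress.ip_address(src_ip), "dst": ipaddress.ip_address(dst_ip)}
    for key, addr in addrs.items():
        nets = iface[key]
        if nets is None:
            continue  # no qualifier: anything is accepted on this side
        hit = any(addr in net for net in nets)
        if iface[key + "_not"]:
            hit = not hit
        if not hit:
            return False
    return True


def dhcp_report(lines=SAMPLE_INTERFACES):
    """Map interface name -> {packet label -> True/False/None}."""
    report = {}
    for line in lines:
        iface = parse_interface(line)
        report[iface["name"]] = {
            label: matches(iface, s, d) for label, (s, d) in DHCP_PACKETS.items()
        }
    return report


if __name__ == "__main__":
    for name, results in dhcp_report().items():
        print(name)
        for label, ok in results.items():
            state = {True: "considered", False: "never matches src/dst", None: "unresolved"}[ok]
            print("  %-36s %s" % (label, state))
```

Running it against the sample lines shows that the broadcast DISCOVER never satisfies the `src`/`dst` of interface1 or interface2, while a unicast renewal addressed to 192.168.7.2 does, which is the pattern to look for if existing clients keep their leases but new ones never get an offer. A quick confirmation on the host itself is to watch the packet counters of the interface's chain with `iptables -L -v -n` while a client requests a lease, and to compare against what `tcpdump -i eth0 port 67 or port 68` shows arriving.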