FireHOL Configuration by Goal

This table shows how the goals you want to achieve translate into FireHOL rules. Each row adds one goal to the configuration of the row before it, so the last row is the complete firewall:

Thoughts:
I have a Linux host with two network interfaces.
  • The first is eth0, which connects to my LAN
  • The other is a PPP device, which connects to the internet

In FireHOL:
interface eth0 lan
    
interface ppp+ internet

Thoughts:
To the internet my Linux provides:
  • a MAIL server
  • a WEB server
  • an FTP server
  • an SSH server, but only for my office computer

In FireHOL:
office="my-office-pc.example.com"

interface eth0 lan
    
interface ppp+ internet
    server smtp accept
    server http accept
    server ftp  accept
    server ssh  accept src $office

Thoughts:
My Linux is also a workstation; I want to run any client I wish.

In FireHOL:
office="my-office-pc.example.com"

interface eth0 lan
    
interface ppp+ internet
    server smtp accept
    server http accept
    server ftp  accept
    server ssh  accept src $office

    client all  accept

Thoughts:
My LAN is trusted.
If a server is running on my Linux, I want my LAN PCs to be able to use it.

In FireHOL:
office="my-office-pc.example.com"

interface eth0 lan
    policy accept
    
interface ppp+ internet
    server smtp accept
    server http accept
    server ftp  accept
    server ssh  accept src $office

    client all  accept

Thoughts:
I would like my LAN PCs to use this Linux as a gateway.
They will be connecting, as clients, to the internet for all the services they wish.

In FireHOL:
office="my-office-pc.example.com"

interface eth0 lan
    policy accept
    
interface ppp+ internet
    server smtp accept
    server http accept
    server ftp  accept
    server ssh  accept src $office

    client all  accept

router lan2internet inface eth0 outface ppp+
    route all accept

Thoughts:
My LAN PCs have private IPs that are not routable on the Internet.
I need to masquerade their addresses somehow so that they can reach the internet.

In FireHOL:
office="my-office-pc.example.com"

interface eth0 lan
    policy accept
    
interface ppp+ internet
    server smtp accept
    server http accept
    server ftp  accept
    server ssh  accept src $office

    client all  accept

router lan2internet inface eth0 outface ppp+
    masquerade
    route all accept

This is it! The firewall is ready. Only the request needs to be specified; FireHOL handles the replies automatically and produces iptables statements that match exactly what is allowed in both directions, and nothing more.

If, for example, we remove the 'client all accept' line from the internet interface, our Linux host cannot initiate anything over its PPP device; it can only send replies that match the server statements of that interface: no pings, no DNS, no web browsing, nothing at all.

A complete configuration file for the above example, slightly enriched, could be:

# Require release 5 of FireHOL configuration directives
version 5
  
# A space separated list of all the Internet hosts I trust. A hostname here is
# resolved once, when the firewall is started, so it must be resolvable at that
# moment and the resulting rule does not follow later changes of its address.
office="my-office-pc.example.com"
  
# The public IP address of this Linux host, and (via masquerading) of the LAN,
# as seen by the rest of the world
public_ip="198.51.100.1"
  
  
# My LAN. Everything is allowed here.
interface eth0 lan
    policy accept  # The default is 'drop'.
  
  
# Only accept incoming traffic that comes from routable Internet IPs (not from
# private or reserved ranges, which should never appear as sources here)
# and that is addressed to my public IP
interface ppp+ internet src not "$UNROUTABLE_IPS" dst "$public_ip"
    # Protect me from various kinds of attacks (invalid packets, flooding).
    protection strong
    
    # Public servers.
    server smtp accept
    server http accept
    server ftp  accept
    server ssh  accept src "$office"
    
    # Reject ident lookups with a TCP reset instead of silently dropping them,
    # so remote mail and IRC servers that probe ident do not wait for a timeout.
    server ident reject with tcp-reset
    
    # This is also a workstation.
    client all  accept
    
  
# Route the LAN requests to the internet.
router lan2internet inface eth0 outface ppp+
    
    # Masquerading on outface.
    masquerade
    
    # Route all requests from inface to outface
    # and their replies back.
    route all accept
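To see what the configuration above actually permits, and to make the request/reply point concrete, here is a small Python model of the directives this page uses. It is an added example and not part of FireHOL: the configuration it parses is a copy of the one above with the comments stripped, the service names 'dns' and 'telnet' and the address 203.0.113.9 are constructed test inputs, and it simplifies FireHOL in three ways that are assumptions of this example only: hosts in 'src' are compared literally rather than resolved, services are compared by name rather than by port, and the interface-level src/dst filters and 'protection' are parsed but not enforced.

```python
"""Toy evaluator for the FireHOL configuration above.  Added example, not FireHOL's
own code: it models only the directives this page uses and answers "would this
request be allowed?" the way the generated rules would.  Assumptions: 'src' hosts are
compared literally (no DNS), services by name (no port tables), and the interface
src/dst filters and 'protection' are parsed but not enforced."""
import re
import shlex
from types import SimpleNamespace


def block(**kw):
    """One FireHOL block (interface or router); unused fields keep their defaults."""
    return SimpleNamespace(policy="drop", servers={}, clients={},
                           masquerade=False, route="", **kw)


def expand(word, variables):
    """Expand $name / ${name}; unknown names such as $UNROUTABLE_IPS stay literal."""
    return re.sub(r"\$\{?(\w+)\}?", lambda m: variables.get(m.group(1), m.group(0)), word)


def parse(text):
    fw = {"variables": {}, "interfaces": {}, "routers": {}}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()            # drop comments and blank lines
        if not line:
            continue
        m = re.fullmatch(r'(\w+)="?([^"]*)"?', line)   # name="value" assignment
        if m:
            fw["variables"][m.group(1)] = m.group(2)
            continue
        cmd, *args = [expand(w, fw["variables"]) for w in shlex.split(line)]
        if cmd == "interface":                          # interface <dev> <name> [src ...] [dst ...]
            current = fw["interfaces"][args[1]] = block(dev=args[0])
        elif cmd == "router":                           # router <name> inface <dev> outface <dev>
            key = (args[args.index("inface") + 1], args[args.index("outface") + 1])
            current = fw["routers"][key] = block()
        elif cmd == "policy":                           # policy <action>  (FireHOL default: drop)
            current.policy = args[0]
        elif cmd == "server":                           # server <svc> <action> [src "<hosts>"]
            src = set(args[args.index("src") + 1].split()) if "src" in args else None
            current.servers[args[0]] = (args[1], src)
        elif cmd == "client":                           # client <svc> <action>
            current.clients[args[0]] = args[1]
        elif cmd == "masquerade":
            current.masquerade = True
        elif cmd == "route":                            # route all <action>
            current.route = args[1]
        elif cmd not in ("version", "protection"):
            raise ValueError(f"directive not modelled: {line}")
    return fw


def request(fw, iface, direction, service, src=None):
    """Decide one request on a host interface.  'in': a remote client talks to a
    server on this host; 'out': this host acts as a client.  Replies to an accepted
    request are matched automatically, so only the request is decided.  A server
    rule whose 'src' list does not match is skipped and the interface policy applies."""
    i = fw["interfaces"][iface]
    if direction == "in":
        rule = i.servers.get(service) or i.servers.get("all")
        if rule and (rule[1] is None or src in rule[1]):
            return rule[0]
    else:
        action = i.clients.get(service) or i.clients.get("all")
        if action:
            return action
    return i.policy


def forward(fw, inface, outface):
    """Decide a routed request and report whether its source gets masqueraded.
    With no router defined for the pair, FireHOL forwards nothing."""
    r = fw["routers"].get((inface, outface))
    return (r.route or "drop", r.masquerade) if r else ("drop", False)


# The page's complete configuration with its comments stripped (constructed copy).
CONFIG = """\
version 5
office="my-office-pc.example.com"
public_ip="198.51.100.1"

interface eth0 lan
    policy accept

interface ppp+ internet src not "$UNROUTABLE_IPS" dst "$public_ip"
    protection strong
    server smtp accept
    server http accept
    server ftp  accept
    server ssh  accept src "$office"
    server ident reject with tcp-reset
    client all  accept

router lan2internet inface eth0 outface ppp+
    masquerade
    route all accept
"""
# The same firewall without 'client all accept': the servers still answer, but the
# host can no longer originate anything (DNS, web, ping) over ppp+.
CONFIG_NO_CLIENT = CONFIG.replace("    client all  accept\n", "")
```

Call parse() on the configuration text, then request() for traffic to or from the host itself and forward() for traffic routed through it. Asking for an outbound 'dns' request on the internet interface returns 'accept' for CONFIG and 'drop' for CONFIG_NO_CLIENT, while incoming 'http' is accepted in both, which is exactly the effect of the 'client all accept' line described above; an SSH request from any source other than $office falls through to the interface's default drop policy.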

FireHOL's language is general enough to describe any firewall configuration you need with these few simple commands. Two habits save a lot of grief when editing a configuration like the one above: 'firehol debug' prints the iptables commands a configuration generates without applying them, so you can see exactly what a directive produces; and on a host you reach over the network, apply changes with 'firehol try', which activates the new firewall and restores the previous one unless you confirm it within the timeout, so a mistake in the rules cannot lock you out.