This table shows how the goals you need to achieve can be easily translated into FireHOL rules:
|I have a Linux host with two network interfaces.
|To the internet my Linux provides:
|My Linux is also a workstation, I want to run any client I wish.
|My LAN is trusted.
If a server is running on my Linux I want my LAN PCs to use it.
|I would like my LAN PCs to use
this Linux as a gateway.
They will connecting, as clients, to the internet for all the services they wish.
|My LAN PCs have private IPs, unroutable to the Internet.
I need to masquerade somehow their IP addresses for internet access.
This is it! The firewall is ready. Only the request needs to be specified, FireHOL handles the replies automatically and produces the iptables statements to exactly match what is allowed in both directions and nothing more.
If for example we remove the client all accept from the internet interface, our Linux will not be able to do anything with its PPP device except to send replies matching the server statements within this interface; no pings, no DNS, no web browsing, no nothing!
The complete configuration file (a little bit enriched) of the above example could be:
# Require release 5 of FireHOL configuration directives
# A space separated list of all the IPs on the internet, I trust
# The IP address of this Linux and LAN for the rest of the world
# My LAN. Everything is allowed here.
interface eth0 lan
policy accept # The default is 'drop'.
# Make sure the traffic coming in, comes from valid Internet IPs,
# and that is targeting my public IP
interface ppp+ internet src not "$UNROUTABLE_IPS" dst "$public_ip"
# Protect me from various kinds of attacks.
# Public servers.
server smtp accept
server http accept
server ftp accept
server ssh accept src "$office"
# Make sure idents do not timeout.
server ident reject with tcp-reset
# This is also a workstation.
client all accept
# Route the LAN requests to the internet.
router lan2internet inface eth0 outface ppp+
# Masquerading on outface.
# Route all requests from inface to outface
# and their replies back.
route all accept
FireHOL is completely dynamic, since with its language you can describe any firewall configuration you wish using simple commands.