Initial revision

examples/home-router.conf

@@ -0,0 +1,68 @@
+version 1
+
+# ----------------------------------------------------------
+# Custom Rules
+
+# This is needed because I run a transparent cache.
+# The command is not executed right away, it will be processed
+# when the firewall will be activated.
+# HINT: This is a normal iptables command. Nothing fancy.
+iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 ! -d 1.1.1.1 -j REDIRECT --to-port 3128
+
+
+# ----------------------------------------------------------
+# Some definitions, you can define whatever you like...
+# ----------------------------------------------------------
+# The IP address space on our LAN
+tsaousis="1.1.1.1/28"
+
+# The tructed IPs from our office
+secure="2.2.2.2/32"
+
+
+# ----------------------------------------------------------
+# IMPORTANT NOTE:
+# ----------------------------------------------------------
+# This script has a very simple rule:
+# INPUT or SOURCE (inface, src, etc) always refers to the CLIENT.
+# OUTPUT or DESTINATION (outface, dst, etc) always refers to the SERVER.
+#
+# So, when you say:
+#                 interface ppp0 myname src x.y.z.w/m
+# you are matching all CLIENTS comming from ppp0, AND from the x.y.z.w/m network.
+#
+# Similarly, when you say:
+#               router myclients inface eth0 outface ppp0
+# you are matching all CLIENTS on eth0 trying to use services from ppp0
+# while, with:
+#               router myservers inface ppp0 outface eth0
+# you are matching all CLIENTS on ppp0 trying to use services from eth0
+# ----------------------------------------------------------
+
+# Give the name "internet" to everything comming from ppp+
+# making sure they don't have our LAN IP addresses.
+interface ppp+ internet src not "${tsaousis}"
+	policy drop			# This is also the default
+	protection strong 1/sec 1	# Also, limit incoming reqs to 1/sec
+	
+	# Public Services
+	server smtp	accept		# Yes, we run a mailer
+	server ident	reject		# Speed-up idents by rejecting them
+	
+	# Trusted Services
+	server ssh	accept src "${secure}"
+	
+	# This is a workstation
+	client all	accept		# This machine can ask anything
+					# For correct accounting, put this last
+	
+# Give the name "home" to our local LAN
+interface eth0 home
+	policy accept			# Accept everything from/to home
+	
+
+# Give the name "router" to all requests comming from eth0 AND our local IP
+# address space, and going out to ppp+
+router router inface eth0 outface ppp+ src "${tsaousis}"
+	policy		drop		# This is also the default
+	route all	accept		# Accept all client from eth0 to ppp+

examples/office.conf

@@ -0,0 +1,162 @@
+# ----------------------------------------------------------
+# FireHOL Configuration
+# 
+# Instructions
+# ------------
+# 
+# 1. General
+# This file is a normal BASH script that gets executed, as any other script.
+# You can use all BASH features, including functions, variables, loops, traps,
+# etc.
+# Please do not use the EXIT trap since the calling script uses it for cleaning
+# up temporary files. Also, do not exit from this script using the exit command.
+#
+#  
+# 2. Primary Commands
+# The following primary commands are supported:
+# 
+# i. interface <real machine interface> <name> [optional rule parameters]
+#    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+# 
+# The interface command creates an INPUT/OUTPUT firewall on the given interface.
+# By default the policy is DROP, so that if no subcommands are given, the
+# firewall will just DROP all incoming and outgoing packets using this
+# interface.
+# 
+# 
+# ii. router <name> [optional rule parameters]
+#     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+# 
+# The router command creates a FORWARD firewall.
+#
+#
+# 3. Sub-Commands
+# The following sub-commands can be applied to any primary command.
+# 
+# i. policy <policy name>
+#    ~~~~~~~~~~~~~~~~~~~~
+#
+# Policy sets the default policy for the primary command. The default policy is
+# DROP. Other policies can include ACCEPT, REJECT, DENY and RETURN.
+# 
+# ii. server <server name> <policy> [optional rule parameters]
+#     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+# 
+# server is only valid in interfaces, not routers.
+#
+#
+# iii. client <client name> <policy> [optional rule parameters]
+#      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# client is only valid in interfaces, not routers.
+#
+#
+# iv.  route <route name> <policy> [optional rule parameters]
+#      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+# 
+# route is only valid in routers.
+#
+# 4. Rule parameters
+# Most commands and subcommands (where noted) support a set of optional rule
+# parameters. The parameters include:
+#
+# i.   src <one or more IPs, subnets, hostnames enclosed in double quotes>
+#	src defines THE SOURCE OF THE REQUEST. So, for the server subcommand in
+#	an interface command,src defines the remote clients, while for the
+#	client subcommmand of the same command, it defines the local system.
+#	So, SRC matches the hosts that send the requests.
+#
+# ii.  dst <one or more IPs, subnets, hostnames enclosed in double quotes>
+#	dst matches the hosts that receive the requests and send the replies.
+#
+# iii. inface <one or more real machines interfaces, in double quotes>
+#	inface matches the interfaces the requests are received from.
+#	inface must not be used in interfaces since the program automatically
+#	generates this.
+#
+# iv.  outface <one or more real machines interfaces, in double quotes>
+#	outface matches the interfaces the replies are sent to.
+#	outface must not be used in interfaces since the program automatically
+#	generate this.
+#
+
+version 1
+
+home="1.1.1.1/28"
+home_servers="ssh http imap icmp pptp telnet"
+
+intranet="10.0.0.0/16"
+itnet="10.0.70.0/24"
+personal="10.0.70.33 10.0.70.65 10.0.70.69"
+
+# Define the real eth0 interface.
+# Later we will define two logical on the same physical interface.
+
+# Give the name ethernet to eth0
+interface eth0 ethernet
+	policy return # don't drop whatever not matched here, just continue
+	protection strong
+	
+	# Public services
+	server ident	reject # prevent timeout on idents
+	server smtp	accept # a mailer
+	server dhcp	accept # a dhcp server
+
+	
+# Give the name intranet to request comming in/replies going out on eth0
+# where src/dst (respectivelly) is the intranet LAN.
+interface eth0 intranet src "${intranet}"
+	policy reject # be friendly to the intranet to prevent timeouts
+	
+	# Allow all ICMP
+	server icmp	accept # the intranet can ping us.
+	
+	# Intranet Services
+	server dns	accept # the intranet can use our DNS server
+	server http	accept # the web server
+	server samba	accept # the SMB file server
+	
+	# IT Services, IT is our department
+	server pop3	accept src "${itnet}"
+	server imap	accept src "${itnet}"
+	server ssh 	accept src "${itnet}"
+	server lpd	accept src "${itnet}"
+	server portmap	accept src "${itnet}"
+	server nfs	accept src "${itnet}"
+	
+	# Personal Services
+	server mysql	accept src "${personal}"
+	
+	# This is an Intranet workstation
+	client all	accept	# To have good accounting, this should be last.
+	
+
+# Give the name internet to all traffic on eth0 not matching the intranet LAN	
+interface eth0 internet src not "${intranet}"
+	policy drop # this is also the default
+	
+	server lpd	accept src "3.3.3.3/32" # we print spool for this host
+	
+	# From my home
+	for x in ${home_servers}
+	do
+		server ${x} accept src "${home}"
+	done
+	
+	# This is an Internet workstation too
+	client all	accept	# To have good accounting, this should be last.
+	
+
+# Well, I use PPTP to connect to this machine from my home.
+# So, I want to use my home services on this interface too.
+interface ppp+ home
+	for x in ${home_servers}
+	do
+		server ${x} accept
+	done
+	
+# And when I use PPTP, I want this machine to route me in the intranet	
+router homerouter inface ppp+ outface eth0
+	route	all	accept # route all client requests (and their replies back)
+	
+