<?xml version="1.0" encoding="UTF-8"?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns="http://purl.org/rss/1.0/" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:syn="http://purl.org/rss/1.0/modules/syndication/" xmlns:admin="http://webns.net/mvcb/">
  <channel rdf:about="http://blog.gmane.org/gmane.comp.security.firewalls.firehol.user">
    <title>gmane.comp.security.firewalls.firehol.user</title>
    <link>http://blog.gmane.org/gmane.comp.security.firewalls.firehol.user</link>
    <description/>
    <syn:updatePeriod>hourly</syn:updatePeriod>
    <syn:updateFrequency>1</syn:updateFrequency>
    <syn:updateBase>1901-01-01T00:00+00:00</syn:updateBase>
    <items>
      <rdf:Seq>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.firewalls.firehol.user/1261"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.firewalls.firehol.user/1259"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.firewalls.firehol.user/1254"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.firewalls.firehol.user/1253"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.firewalls.firehol.user/1252"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.firewalls.firehol.user/1250"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.firewalls.firehol.user/1249"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.firewalls.firehol.user/1246"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.firewalls.firehol.user/1228"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.firewalls.firehol.user/1227"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.firewalls.firehol.user/1221"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.firewalls.firehol.user/1220"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.firewalls.firehol.user/1219"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.firewalls.firehol.user/1218"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.firewalls.firehol.user/1214"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.firewalls.firehol.user/1201"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.firewalls.firehol.user/1197"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.firewalls.firehol.user/1196"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.firewalls.firehol.user/1195"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.firewalls.firehol.user/1194"/>
      </rdf:Seq>
    </items>
    <image rdf:resource="http://gmane.org/img/gmane-25t.png"/>
    <textinput rdf:resource=""/>
  </channel>
  <image rdf:about="http://gmane.org/img/gmane-25t.png">
    <title>Gmane</title>
    <url>http://gmane.org/img/gmane-25t.png</url>
    <link>http://gmane.org</link>
  </image>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.firewalls.firehol.user/1261">
    <title>Question about virtual interface</title>
    <link>http://comments.gmane.org/gmane.comp.security.firewalls.firehol.user/1261</link>
    <description>&lt;pre&gt;Hi,...
I'm wondering how I can set up a firehol.conf with 1 physical and 1 virtual interface at
the same time.
I now have a server outside of my country, and it is very difficult if I try to
set up iptables security and lose my connection...

I used firehol before, with normal ethernets... eth0 and eth1, but never
with eth0:1,...

So..

I have this...

eth0 and eth0:1 into the server from

internet.......cisco....[real-wan-ip] nat inside eth0....10.x.y.z
internet.......same cisco [real-wan-ip+1] nat inside eth0:1 ....10.x.y.z+1

if I try

interface eth0 phy-net
     policy drop
     server icmp accept
     server ssh accept
     client all accept

interface eth0:1 virt-net
    policy drop
    server icmp accept
    server ssh accept
    client all accept


I can't hit eth0 or eth0:1 with icmp ping / ssh...

For another reason I need to use this eth0:1, so I can use another service running
on there.
Any help will be appreciated...
My server is only protected now by fail2ban, to try to keep attacks out...
missing my firehol.conf to defend harder..

Question: if I type firehol try, and still can't commit the changes.. is it
safe for recovering my connection, since before my ssh is restored it has
0 rules applied?

Thanks in advance
&lt;/pre&gt;</description>
    <dc:creator>Tony Peña</dc:creator>
    <dc:date>2013-04-26T22:46:35</dc:date>
  </item>
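An added example for the question above; it is not part of the post and not FireHOL project code. Netfilter matches packets on the real device name, so an `interface eth0:1` block never sees a packet: everything sent to the alias address arrives on eth0 as far as iptables is concerned. The two NATed addresses can instead be told apart with a `dst` rule parameter on two definitions of the same device. The addresses 10.1.2.3 and 10.1.2.4 and the extra http service are placeholders.

```firehol
version 5

# Placeholders (assumption): the Cisco NATs [real-wan-ip] to 10.1.2.3
# on eth0 and [real-wan-ip+1] to the alias address on eth0:1.
phy_ip="10.1.2.3"
virt_ip="10.1.2.4"

# Both addresses live on the same device, so both blocks name eth0;
# the dst parameter is what separates them.
interface eth0 phy-net dst "${phy_ip}"
    policy drop
    protection strong
    server icmp accept
    server ssh accept
    client all accept

interface eth0 virt-net dst "${virt_ip}"
    policy drop
    protection strong
    server icmp accept
    server ssh accept
    # the extra service that has to live on the alias address (placeholder)
    server http accept
    client all accept
```

Load it with `firehol try`: the new rules are activated and FireHOL waits for `commit` to be typed on the same terminal; if the ssh session dies before that, the previous ruleset is restored when the timeout expires, which is the safety net the question asks about.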
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.firewalls.firehol.user/1259">
    <title>firehol dead?!</title>
    <link>http://comments.gmane.org/gmane.comp.security.firewalls.firehol.user/1259</link>
    <description>&lt;pre&gt;Hi people!
I have just been asking myself whether firehol is dead?!

I am using firehol successfully on Gentoo kernel 3.0.8. But if I install
firehol on a higher kernel release, I always get errors. Why is
that?!
I have been using firehol for many years successfully and I am very happy with
it. If I can donate some money over time to keep this project alive,
I would do it....




Tamer

------------------------------------------------------------------------------
The Go Parallel Website, sponsored by Intel - in partnership with Geeknet, 
is your hub for all things parallel software development, from weekly thought 
leadership blogs to news, videos, case studies, tutorials, tech docs, 
whitepapers, evaluation guides, and opinion stories. Check out the most 
recent posts - join the conversation now. http://goparallel.sourceforge.net/
&lt;/pre&gt;</description>
    <dc:creator>Tamer Higazi</dc:creator>
    <dc:date>2013-02-18T11:55:10</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.firewalls.firehol.user/1254">
    <title>nat redirect-to</title>
    <link>http://comments.gmane.org/gmane.comp.security.firewalls.firehol.user/1254</link>
    <description>&lt;pre&gt;hi.  I'm trying to redirect UDP packets from RADIUS NAS to another server
to test a new version.

I tried to put this into my server with the old radius, to redirect all those
packets back to a new server version,
and the syntax is ok because firehol try works fine.. but I see that the old
server keeps receiving packets as if nothing happened..

so, .. some data to help make my situation easier to understand

many NAS (16 IPs)

NAS_IPS='w.x.y.z'

older version, normal

interface eth0 inet
     policy drop
     server radius accept src "$NAS_IPS"
     client all accept

now my problem.

nat redirect-to 1812 inface eth0 src "$NAS_IPS" proto udp
new.radius.server.ip dport 1812
nat redirect-to 1813 inface eth0 src "$NAS_IPS" proto udp
new.radius.server.ip dport 1813

interface eth0 inet
    policy drop
   #server radius accept src "$NAS_IPS"
   client all accept

and nothing happens,..
remember 1812 is for authorization/authentication and 1813 is accounting, so
I need to redirect both ports to the new server.

thanks in advance.

&lt;/pre&gt;</description>
    <dc:creator>Tony Peña</dc:creator>
    <dc:date>2012-09-05T14:58:10</dc:date>
  </item>
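Added example for the question above, not from the post and not FireHOL project code. `redirect-to` is the netfilter REDIRECT target: it rewrites only the destination port and always delivers to the local host, so the packets keep arriving at the old radiusd. Sending them to another machine is `nat to-destination` (DNAT), plus a router that forwards the DNATed packets and masquerades them so the new server answers back through this host, where the reverse NAT restores the NAS address on the reply. The NAS addresses and 10.0.0.20 for the new server are placeholders.

```firehol
version 5

# Constructed placeholders: the RADIUS clients and the new server.
NAS_IPS="192.0.2.10 192.0.2.11 192.0.2.12"
NEW_RADIUS="10.0.0.20"

# DNAT, not REDIRECT: rewrite the destination address of RADIUS
# requests arriving from the NAS list so they go to the new server.
# Both authentication (1812) and accounting (1813) are covered.
nat to-destination "${NEW_RADIUS}" inface eth0 src "${NAS_IPS}" proto udp dport "1812 1813"

interface eth0 inet
    policy drop
    server ssh accept
    # nothing is served locally for RADIUS any more
    client all accept

# The DNATed packets are forwarded, which needs a router. Masquerading
# on the way out makes the new server reply to this host instead of
# straight to the NAS, so the NAS sees answers from the address it asked.
router radius_fwd inface eth0 outface eth0
    masquerade
    server radius accept src "${NAS_IPS}" dst "${NEW_RADIUS}"
```

Defining a router makes FireHOL enable IP forwarding for you; without the router block the DNATed packets would be dropped in FORWARD even though the nat line is accepted by `firehol try`.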
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.firewalls.firehol.user/1253">
    <title>iptables: Protocol wrong type for socket.</title>
    <link>http://comments.gmane.org/gmane.comp.security.firewalls.firehol.user/1253</link>
    <description>&lt;pre&gt;Hi,

I installed Firehol on Debian Sid with a kernel that I configured myself.

When Firehol is started I get many 'iptables: Protocol wrong type for socket.' messages. Obviously I do not have iptables configured right in the kernel.

Googling for that message there are many hits, but try what may the message keeps appearing.

Anyone have an idea of what configuration I am missing?

I enclose the error output.

Hugo
------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/_______________________________________________
Firehol-support mailing list
Firehol-support&amp;lt; at &amp;gt;lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/firehol-support
&lt;/pre&gt;</description>
    <dc:creator>Hugo Vanwoerkom</dc:creator>
    <dc:date>2012-08-07T01:37:08</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.firewalls.firehol.user/1252">
    <title>LinkedIn password change confirmation</title>
    <link>http://comments.gmane.org/gmane.comp.security.firewalls.firehol.user/1252</link>
    <description>&lt;pre&gt;LinkedIn
------------

Hi Rick,

You've successfully changed your password.

Thank you,
The LinkedIn Team
---
This email was intended for Rick Marshall, BSc,BE. Follow this link to learn why we include this information.

http://www.linkedin.com/e/w1ylsj-h51uqdvj-2/plh/http%3A%2F%2Fhelp%2Elinkedin%2Ecom%2Fapp%2Fanswers%2Fdetail%2Fa_id%2F4788/-GXI/?hs=false&amp;amp;tok=3123gaCSUeBRk1

(c) 2012, LinkedIn Corporation. 2029 Stierlin Ct. Mountain View, CA 94043, USA

&lt;/pre&gt;</description>
    <dc:creator>LinkedIn Password</dc:creator>
    <dc:date>2012-07-25T03:26:27</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.firewalls.firehol.user/1250">
    <title>nat/redirect problem</title>
    <link>http://comments.gmane.org/gmane.comp.security.firewalls.firehol.user/1250</link>
    <description>&lt;pre&gt;Ok a weird one.....or I don't know what I'm doing ;}

network A - 192.168.1.0/24
Default Gateway on Network A is 192.168.1.254 - where firehol sits
Recently added a 10mb/10mb symmetrical link and its linked to Network A by a cisco router on 192.168.1.252. The link goes to Network B which is 10.0.0.0/16.
Network B has a default gateway which is the 10mb/10mb link.
The firewall has a route for 10.0.0.0/16 to go via 192.168.1.252

If a machine in Network A (192.168.1.5) tried to ping a machine in Network B (10.0.1.118) it works (and I've verified that it bounces through the firewall first (or the firewall tells it to send via 192.168.1.252).

Now, if a pc in Network B (10.0.1.145) tries to ping 192.168.1.5 it doesn't work and I see this in /var/log/messages....
Jun 25 11:54:47 gateway kernel: 'PASS-unknown:'IN=eth0 OUT=eth0 SRC=192.168.1.5 DST=10.0.1.145 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=40547 PROTO=ICMP TYPE=0 CODE=0 ID=21016 SEQ=773
If the pc has a static route to send traffic for 10.0.0.0/16 via 192.168.1.252 the ping works when it originates from Network B.

That tells me that the ping packet from 10.0.1.145 made it through to 192.168.1.5 but the return traffic never got "redirected" by the firewall.

Now, I know I should add permanent static routes, and I have done that for all pc's (pushed out via group policy) in the 192.168.1.0/24 range, but I am trying to fathom out why it works if the ping originates from Network A, but it doesn't work when the ping originates from Network B.

I have also tried (possibly incorrect usage) the following and it hasn't helped.....

PRIVATE="192.168.0.0/16 10.0.0.0/16"
masquerade ppp+ src "$PRIVATE" dst not "$PRIVATE"
# above interface rules, but after masquerade rules
nat to-destination 192.168.1.252 inface eth0 dst "10.0.0.0/16"

and also tried a router rule like so....

router redirects inface eth0 outface eth0
        route all accept

Nothing has worked though.

Can someone explain what I'm doing wrong and guide me as to whether the above can be made to work without adding static routes to all pc's?
I can't add static routes to printers and Network B wants to print directly to printers in Network A. At the moment I'm using a print server in Network A but I need to be able to give some reason why it won't work directly.

Thanks in advance.


Regards

Les

&lt;/pre&gt;</description>
    <dc:creator>Les Stott</dc:creator>
    <dc:date>2012-06-27T10:07:15</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.firewalls.firehol.user/1249">
    <title>LinkedIn Password Reset Notification</title>
    <link>http://comments.gmane.org/gmane.comp.security.firewalls.firehol.user/1249</link>
    <description>&lt;pre&gt;LinkedIn
------------

Hi Rick,

Your LinkedIn password has been reset successfully.

Thank you,
The LinkedIn Team
---
This email was intended for Rick Marshall, BSc,BE. Follow this link to learn why we include this information.

http://www.linkedin.com/e/w1ylsj-h385zyxf-1j/plh/http%3A%2F%2Fhelp%2Elinkedin%2Ecom%2Fapp%2Fanswers%2Fdetail%2Fa_id%2F4788/-GXI/?hs=false&amp;amp;tok=2Gf9fU8IZVB5g1

(c) 2012, LinkedIn Corporation. 2029 Stierlin Ct. Mountain View, CA 94043, USA

&lt;/pre&gt;</description>
    <dc:creator>LinkedIn Password</dc:creator>
    <dc:date>2012-06-09T04:09:02</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.firewalls.firehol.user/1246">
    <title>Changing activation policy</title>
    <link>http://comments.gmane.org/gmane.comp.security.firewalls.firehol.user/1246</link>
    <description>&lt;pre&gt;For sanewall I think I should change the activation policy for the
FORWARD chain from ACCEPT TO DROP.

Could people please let me know if this will adversely affect them and
if possible test what effect it has?

Just add to the top of your config:
  SANEWALL_FORWARD_ACTIVATION_POLICY=DROP

If you are using firehol the equivalent would be to add:
  FIREHOL_FORWARD_ACTIVATION_POLICY=DROP

There are two other policies for INPUT and OUTPUT, also set to ACCEPT
during activation. This is as designed, to avoid interfering with established
connections whilst restarting, and eliminates the risk that the host becomes
inaccessible to the admin if something goes wrong whilst restarting the
firewall remotely.

However, when using the "all" service the rules generated for the reverse
direction of flow ACCEPT any related packet, thus:
  route all accept
for an outgoing router creates a firewall which permits any _incoming_ traffic
for a connection which has already been established. As is necessary to
make the rule work.

In combination though, there is a short window when the firewall is being
constructed during which external hosts will be able to connect to a local
server and that that connection will not be severed once the firewall is
complete.

Individually specified services do not suffer from this problem because they
perform a check on the related traffic to ensure it belongs to an accepted
service, so the connection will be severed shortly after it was started,
which is how FireHOL is documented as working.

If anyone (me at home, for instance) is using "route all accept" on a
gateway this adds the same risk for ingress traffic. The FireHOL documentation
warns against using "client all" on production servers but not "route all".

By changing the forward activation policy I hope to close this gap where
it matters most (on gateway firewalls) but not add to the risk of failure
(since to restart the firewall remotely the connection in question must
have its traffic matched by INPUT and OUTPUT).

This will interfere with existing connections but my hope is that DROPing
will mean that the packets are retried as normal (for TCP, anyway) so
things should not be too badly affected.

The truly paranoid may want to set:
  SANEWALL/FIREHOL_INPUT_ACTIVATION_POLICY=DROP
  SANEWALL/FIREHOL_OUTPUT_ACTIVATION_POLICY=DROP
to be sure.

Regards
Phil

&lt;/pre&gt;</description>
    <dc:creator>Phil Whineray</dc:creator>
    <dc:date>2012-05-19T16:53:15</dc:date>
  </item>
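Added example, not part of Phil's post and not project code: a gateway config with the forward activation policy from the post set, the `route all accept` router the post warns about left in as a comment, and a service-list router in its place. Interface names, the LAN prefix and the service list are placeholders.

```firehol
version 5

# Close the activation window described in the post: while the rules are
# being built, the FORWARD chain defaults to DROP instead of ACCEPT.
# INPUT and OUTPUT stay ACCEPT so a remote restart over ssh cannot lock
# the admin out.
FIREHOL_FORWARD_ACTIVATION_POLICY=DROP
# The "truly paranoid" variant from the post, for a console-administered box:
# FIREHOL_INPUT_ACTIVATION_POLICY=DROP
# FIREHOL_OUTPUT_ACTIVATION_POLICY=DROP

LAN="192.168.1.0/24"   # placeholder

interface eth1 lan src "${LAN}"
    policy reject
    server ssh accept
    server dns accept
    client all accept

interface eth0 internet
    policy drop
    protection strong
    server ssh accept
    client all accept

# Weak form: the reverse rule of "route all" accepts anything RELATED or
# ESTABLISHED, so a connection that slipped in during activation survives
# after the firewall is complete.
#router lan2internet inface eth1 outface eth0
#    masquerade
#    route all accept

# Safer form: name the services. Their reverse rules only accept traffic
# belonging to an accepted request, so a stray connection is cut off
# once the firewall is complete, even with the default activation policy.
router lan2internet inface eth1 outface eth0
    masquerade
    route "http https dns ntp ssh" accept
```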
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.firewalls.firehol.user/1228">
    <title>Drop traffic from a single IP</title>
    <link>http://comments.gmane.org/gmane.comp.security.firewalls.firehol.user/1228</link>
    <description>&lt;pre&gt;      What is the best way to drop any traffic coming from a specific
known IP? Would

blacklist offending_ip

be the best way to do it?

&lt;/pre&gt;</description>
    <dc:creator>Mauricio Tavares</dc:creator>
    <dc:date>2012-03-13T14:22:50</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.firewalls.firehol.user/1227">
    <title>(fwd) Re:  what comes after firehol?</title>
    <link>http://comments.gmane.org/gmane.comp.security.firewalls.firehol.user/1227</link>
    <description>&lt;pre&gt;phil -- count me in.  firehol is a nice piece of work, and
i'm happy to help.

just to remind folks -- costa did send a message to this list last
june (below).  i assume phil has tried to contact him at the address
he used then, and i've cc'ed him again now, just in case.  but clearly
costa no longer has the time to devote to firehol.

it would clearly be preferable for phil to be able to take over
maintenance of firehol directly if costa were willing, but if we can't
even get in touch, then a fork is the next best thing.

paul

costa wrote:
 &amp;gt; Date:    Wed, 29 Jun 2011 12:33:48 +0300
 &amp;gt; To:      Phil Whineray &amp;lt;phil.whineray&amp;lt; at &amp;gt;gmail.com&amp;gt;
 &amp;gt; cc:      firehol-support&amp;lt; at &amp;gt;lists.sourceforge.net
 &amp;gt; From:    Costa Tsaousis &amp;lt;costa&amp;lt; at &amp;gt;tsaousis.gr&amp;gt;
 &amp;gt; Subject: Re: [Firehol-support] what comes after firehol?
 &amp;gt; 
 &amp;gt; Hi all,
 &amp;gt; 
 &amp;gt; I am very pleased by your comments. Thank you very much.
 &amp;gt; 
 &amp;gt; As you have noticed it has been 3 years since the last release of
 &amp;gt; firehol. Although I have done enough commits fixing various bugs and
 &amp;gt; extending firehol, I did not manage to release anything. There are two
 &amp;gt; reasons for this:
 &amp;gt; 
 &amp;gt; a. Every new release needs an effort in documentation. I tried to
 &amp;gt; prepare a release once or twice during these 3 years, but I was unable
 &amp;gt; to complete the task.
 &amp;gt; 
 &amp;gt; b. Every new release attracts new users, demanding support, which
 &amp;gt; unfortunately I cannot provide to the extent required.
 &amp;gt; 
 &amp;gt; 
 &amp;gt; Currently firehol has 3 major issues:
 &amp;gt; 
 &amp;gt; 1. There is no ipv6 support
 &amp;gt; 
 &amp;gt; 2. It is very slow on very big firewalls (I have one with 10.000 rules,
 &amp;gt; that needs around 3 mins to get activated). There is a patch supplied at
 &amp;gt; sourceforge. It requires however extended testing.
 &amp;gt; 
 &amp;gt; 3. It should not depend on BASH. ASH is faster, lighter, runs on
 &amp;gt; embedded systems and could be used by firehol. ASH however lacks arrays,
 &amp;gt; a key feature for firehol. To run under ASH, firehol would need a
 &amp;gt; re-write of its core. Again, this would require extended testing.
 &amp;gt; 
 &amp;gt; Unfortunately, I cannot do all the work by myself.
 &amp;gt; 
 &amp;gt; If you would like to help, please send me a note. Firehol needs help to
 &amp;gt; stay alive.
 &amp;gt; 
 &amp;gt; In the mean time, I keep the cvs version of firehol always stable. I
 &amp;gt; suggest to use the cvs version instead of the released one. I always
 &amp;gt; update the CVS log properly too, so you can review what has changed or
 &amp;gt; fixed. I also fix bugs as soon as I get notified about them or add minor
 &amp;gt; features that do not require a major rewrite. These are the minimum
 &amp;gt; required to have a well maintained and secure firewall (firehol is
 &amp;gt; always well maintained - it is not "well released" though).
 &amp;gt; 
 &amp;gt; Regards,
 &amp;gt; 
 &amp;gt; Costa
 &amp;gt; 

=---------------------
 paul fox, pgf&amp;lt; at &amp;gt;foxharp.boston.ma.us (arlington, ma, where it's 48.2 degrees)

&lt;/pre&gt;</description>
    <dc:creator>Paul Fox</dc:creator>
    <dc:date>2012-03-13T13:56:49</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.firewalls.firehol.user/1221">
    <title>iptables to firehol</title>
    <link>http://comments.gmane.org/gmane.comp.security.firewalls.firehol.user/1221</link>
    <description>&lt;pre&gt;Hello, Firehol list,


I'm trying to translate this iptables rules to firehol:

iptables -t nat -A PREROUTING -p tcp --dport 1664 -j DNAT 
--to-destination 10.8.0.48
iptables -A FORWARD -s 10.8.0.48 -p tcp --dport 1664 -j ACCEPT

And I'm trying to use it in firehol like this:

nat to-destination 10.8.0.48 inface eth0 proto tcp dport 1664

Is this snippet okay?

Here is my full firehol.conf

-------------------------
version 5

# Accept all client traffic on any interface
#interface any world
#    client all accept


#nat to-source "${ppp_interface_ip}" outface ppp+
#nat to-destination "${home_interface_ip}" inface ppp+

#nat to-source 10.8.0.3 outface eth0 proto "tcp udp" dport 80
#nat to-destination 10.8.0.48 inface eth0 proto "tcp udp" dport 80
nat to-destination 10.8.0.48 inface eth0 proto tcp dport 1664
nat to-destination 10.8.0.48 inface eth0 proto udp dport 1664

#dnat 10.8.0.3:80 inface tap0

server_ovpn_ports="udp/1194"
client_ovpn_ports="default"

server_openservice_ports="tcp/1604 udp/1664"
client_openservice_ports="default 1664"

interface eth0 world
     server ssh accept
     server http accept
     server ovpn accept
     server openservice accept
     client all accept

interface tap0 vpn
     server openservice accept
     server icmp accept
     server http accept
     client all accept

router vpn2world inface tap0 outface eth0
     masquerade
     server openservice accept
     server http accept
     route all accept

-------------------------


I'm trying to forward port 1664 from eth0 to a client (10.8.0.48) 
connected to tap0


Thanks in advance for the help!

Nikolay Kubarelov


&lt;/pre&gt;</description>
    <dc:creator>Nikolay Kubarelov</dc:creator>
    <dc:date>2011-11-28T09:40:35</dc:date>
  </item>
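Added example, not code from the post: the two iptables rules translated into a complete firehol.conf. The DNAT line maps onto `nat to-destination`; the FORWARD accept maps onto a router whose inface is where the requests arrive (eth0) and whose outface is where the DNATed host lives (tap0), which is the opposite direction from the vpn2world router in the post. The service port tcp/1664 is an assumption taken from the iptables rule (the post defines tcp/1604); the addresses and the other services come from the post.

```firehol
version 5

# Assumptions: the VPN client that should receive port 1664, and a custom
# service covering tcp and udp 1664 (the post's tcp/1604 looks like a typo
# against the iptables rule, so 1664 is used here).
FWD_HOST="10.8.0.48"
server_openservice_ports="tcp/1664 udp/1664"
client_openservice_ports="default"
server_ovpn_ports="udp/1194"
client_ovpn_ports="default"

# iptables -t nat -A PREROUTING -p tcp --dport 1664 -j DNAT --to-destination 10.8.0.48
# becomes one nat helper line per protocol (udp added because the post wants both):
nat to-destination "${FWD_HOST}" inface eth0 proto tcp dport 1664
nat to-destination "${FWD_HOST}" inface eth0 proto udp dport 1664

interface eth0 world
    policy drop
    server ssh accept
    server http accept
    server ovpn accept
    client all accept

interface tap0 vpn
    policy reject
    server "icmp http" accept
    client all accept

# iptables -A FORWARD -s 10.8.0.48 -p tcp --dport 1664 -j ACCEPT becomes a
# router. Requests enter on eth0 and leave on tap0, so in this router
# "server" is the forwarded service behind tap0; dst pins it to the one
# VPN client the DNAT targets.
router world2vpn inface eth0 outface tap0
    server openservice accept dst "${FWD_HOST}"

# VPN clients reaching the internet, as in the post.
router vpn2world inface tap0 outface eth0
    masquerade
    route all accept
```

The original FORWARD rule matched on `-s 10.8.0.48`, i.e. the reply direction; FireHOL generates the reply-direction rule itself, so the router only needs the request direction with `dst`.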
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.firewalls.firehol.user/1220">
    <title>Reminder about your invitation from theodorekouassi</title>
    <link>http://comments.gmane.org/gmane.comp.security.firewalls.firehol.user/1220</link>
    <description>&lt;pre&gt;This is a reminder that on September 17, theodore kouassi sent you an invitation to become part of their professional network at LinkedIn.

Accept theodore kouassi's Invitation

----------
On September 17, theodore kouassi wrote:


----------

You are receiving Reminder emails for pending invitations. Click to unsubscribe:
http://www.linkedin.com/e/w1ylsj-gssnt947-2/hrvCuqcuFoXW9TxHhOGZrqsI-wzjqZ_HV5FZc1smbWXiuTloE2ATb3I/goo/firehol-support%40lists%2Esourceforge%2Enet/20060/I1467759538_1/?hs=false&amp;amp;tok=1cFLMJ4l92PAU1

(c) 2011 LinkedIn Corporation. 2029 Stierlin Ct, Mountain View, CA 94043, USA.
&lt;/pre&gt;</description>
    <dc:creator>theodore kouassi (LinkedIn Invitations)</dc:creator>
    <dc:date>2011-09-20T09:06:19</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.firewalls.firehol.user/1219">
    <title>Invitation to connect on LinkedIn</title>
    <link>http://comments.gmane.org/gmane.comp.security.firewalls.firehol.user/1219</link>
    <description>&lt;pre&gt;I'd like to invite you to join my online professional network on LinkedIn.

theodore

theodore kouassi
Project manager at SNDI
Côte d'Ivoire (Ivory Coast)

Confirm that you know theodore kouassi:
https://www.linkedin.com/e/w1ylsj-gsokq6tp-5h/isd/4246785890/t7uC7asp/?hs=false&amp;amp;tok=1yV_NJ3SEILAU1

--
You are receiving Invitation to Connect emails. Click to unsubscribe:
http://www.linkedin.com/e/w1ylsj-gsokq6tp-5h/hrvCuqcuFoXW9TxHhOGZrqsI-wzjqZ_HV5FZc1smbWXiuTloE2ATb3I/goo/firehol-support%40lists%2Esourceforge%2Enet/20061/I1467759538_1/?hs=false&amp;amp;tok=3FR5RZ9OEILAU1

(c) 2011 LinkedIn Corporation. 2029 Stierlin Ct, Mountain View, CA 94043, USA.
&lt;/pre&gt;</description>
    <dc:creator>theodore kouassi</dc:creator>
    <dc:date>2011-09-17T12:28:53</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.firewalls.firehol.user/1218">
    <title>Success story with IPv6-firehol</title>
    <link>http://comments.gmane.org/gmane.comp.security.firewalls.firehol.user/1218</link>
    <description>&lt;pre&gt;Hello Firehol-users,

My last weekend-project was to make my small home network IPv6-ready
with a SIXXS-tunnel . Needless to say, the needed firewallng should
integrate well into my existing firehol configuration. So, I give Phil
Whinerays IPv6-enhanced firehol version [2] a try. And...it just
works! If any needs IPv6-support for his firehol configuration, you
should go with this.

Here's my (simplified) config:

version 5

interface eth0 homenetwork
    policy reject
    server "blablabla" accept
    server ipv6error accept
    client ipv6neigh accept
    server ipv6neigh accept
    client ipv6router accept
    server ipv6router accept
    ipv6 server ping accept
    client all accept

interface eth1 guestwifi
    policy reject
    server "bla" accept
    server ipv6error accept
    client ipv6neigh accept
    server ipv6neigh accept
    client ipv6router accept
    server ipv6router accept
    ipv6 server ping accept
    client all accept

interface tun0 internet
    policy drop
    protection strong
    server "bla" accept
    client all accept

interface sixxs ipv6
    policy drop
    protection strong
    server ipv6error accept
    client ipv6neigh accept
    server ipv6neigh accept
    client ipv6router accept
    server ipv6router accept
    ipv6 server ping accept
    client all accept

router homenetwork2internet inface eth0 outface tun0
    ipv4 masquerade
    route all accept

# router names must be unique, so the guest wifi router gets its own name
router guestwifi2internet inface eth1 outface tun0
    ipv4 masquerade
    route all accept

router homenetwork2guestwifi inface eth0 outface eth1
    ipv4 masquerade
    route all accept

router homenetwork2ipv6 inface eth0 outface sixxs
    route all accept

router guestwifi2ipv6 inface eth1 outface sixxs
    route all accept


You probably need aiccu and radvd well configured. In my case, I used
a AYIYA tunnel and radvd listens on eth0 &amp;amp; eth1 [3].

Greets,
Klaus


[1] http://www.sixxs.net/
[2] http://sourceforge.net/mailarchive/message.php?msg_id=27014139
[3] Tons of howtos available in the internet. Some of them didn't
mention, that you have to manually give your routers network interface
an adress from your subnet or the routing won't work.

&lt;/pre&gt;</description>
    <dc:creator>Klaus Kruse</dc:creator>
    <dc:date>2011-07-27T09:03:27</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.firewalls.firehol.user/1214">
    <title>Adding custom iptables rules to firehol config</title>
    <link>http://comments.gmane.org/gmane.comp.security.firewalls.firehol.user/1214</link>
    <description>&lt;pre&gt;I wanted to try some "simple" iptables rules to see if they have an 
effect on my traffic.  I found these on some of the traffic shaping 
sites.  Do I simply add these at the top of my script before any other 
firehol commands - or is there a better way?

(firehol.conf)
version 5
FIREHOL_LOG_MODE="ULOG"
source /etc/firehol/shaper.conf

# Adjust TOS flags to ensure speedy ssh
iptables -t mangle -N tosfix
iptables -t mangle -A tosfix -p tcp -m length --length 0:512 -j RETURN
iptables -t mangle -A tosfix -m limit --limit 2/s --limit-burst 10 -j RETURN
iptables -t mangle -A tosfix -j TOS --set-tos Maximize-Throughput
iptables -t mangle -A tosfix -j RETURN
iptables -t mangle -A POSTROUTING -p tcp -m tos --tos Minimize-Delay -j tosfix

# Tune ack packets
iptables -t mangle -N ack
iptables -t mangle -A ack -m tos ! --tos Normal-Service -j RETURN
iptables -t mangle -A ack -p tcp -m length --length 0:128 \
   -j TOS --set-tos Minimize-Delay
iptables -t mangle -A ack -p tcp -m length --length 128: \
   -j TOS --set-tos Maximize-Throughput
iptables -t mangle -A ack -j RETURN
iptables -t mangle -A POSTROUTING -p tcp -m tcp --tcp-flags SYN,RST,ACK ACK -j ack

[...]
snat
dnat
interface
[...]

&lt;/pre&gt;</description>
    <dc:creator>Daniel L. Miller</dc:creator>
    <dc:date>2011-06-21T18:57:11</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.firewalls.firehol.user/1201">
    <title>what comes after firehol?</title>
    <link>http://comments.gmane.org/gmane.comp.security.firewalls.firehol.user/1201</link>
    <description>&lt;pre&gt;so, i really like firehol:  both the philosophy behind it and the
implementation, which seems to work pretty well.

i've used it to protect individual hosts for years, and recently made
some changes to let it create the firewall script for my openwrt
router, without needing to actually run on the openwrt box.

but i also like my firewall maintenance tools to be currently
maintained.  :-/ :-)  that doesn't seem to be happening -- the last
release was almost three years ago.

are there any other tools similar to firehol i should be aware of?

i've used fwbuilder in the past, and while it works well, and is
clearly supported, i always feel like it's way more sophisticated than
i need, and i usually forget how to use its UI in between usages.

my requirements aren't too special, though i do need support for
multiple interfaces -- i have different filtering rules for traffic
going between wan &amp;lt;-&amp;gt; lan, wan &amp;lt;-&amp;gt; wlan, and lan &amp;lt;-&amp;gt; wlan.  and i'm
starting to think about ipv6, but have no concrete need for that yet.

is firehol still the right answer for simple firewall creation?

paul
=---------------------
 paul fox, pgf&amp;lt; at &amp;gt;foxharp.boston.ma.us (arlington, ma, where it's 49.1 degrees)

&lt;/pre&gt;</description>
    <dc:creator>Paul Fox</dc:creator>
    <dc:date>2011-06-12T02:52:46</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.firewalls.firehol.user/1197">
    <title>IPv6 support</title>
    <link>http://comments.gmane.org/gmane.comp.security.firewalls.firehol.user/1197</link>
    <description>&lt;pre&gt;Hi

This list has the occasional question about ipv6 support for firehol, which
is not in the official tree.

I created a few patches a while back which got it working well enough for my
purposes. To try to make life a bit easier, so people don't have to apply the
patches themselves, I've created a git repository with the changes applied.

You can grab it from:
  git://repo.or.cz/fireholvi.git
or
  http://repo.or.cz/r/fireholvi.git.

The starting point is the CVS version of firehol; the last commit was from
Thu Apr 8 22:27:18. I can't update past that currently since Sourceforge
CVS access is currently disabled.

There is a README.ipv6 included which should be enough to get you started.
The big caveat emptor is that, to fully achieve the same ease-of-use to
security balance, icmpv6 needs work. Specifically, a good hard look at:
   http://tools.ietf.org/html/rfc4890
is highly recommended.

Regards
Phil

&lt;/pre&gt;</description>
    <dc:creator>Phil Whineray</dc:creator>
    <dc:date>2011-02-05T12:32:50</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.firewalls.firehol.user/1196">
    <title>You have new visitors on Badoo!</title>
    <link>http://comments.gmane.org/gmane.comp.security.firewalls.firehol.user/1196</link>
    <description>&lt;pre&gt;You have new visitors on Badoo!

1 more person visited your profile and may be interested in you.

More people who are also waiting for you:
Maguy

Discover their profile and photos:
http://eu1.badoo.com/access.phtml?UID=1103641448&amp;amp;secret=QUmHzPj7Ly&amp;amp;g=50&amp;amp;m=47

If clicking on the link does not work, copy and paste the address into your browser's address bar.

This email is part of the delivery of a message sent by Anais from the system. If you have received this email by mistake, please ignore it. After a short period of time the message will be deleted from the system.

Have fun!
The Badoo Team


This message is automatic. Replies to this message will not be read or answered.
You have received this message as a Badoo user;
to control which emails you receive, please change your preferences:
http://eu1.badoo.com/access.phtml?UID=1103641448&amp;amp;secret=QUmHzPj7Ly&amp;amp;g=49&amp;amp;pref_lang=7

Firehol-support mailing list
Firehol-support&amp;lt; at &amp;gt;lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/firehol-support
&lt;/pre&gt;</description>
    <dc:creator>Badoo</dc:creator>
    <dc:date>2011-01-31T18:24:04</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.firewalls.firehol.user/1195">
    <title>You have new visitors on Badoo!</title>
    <link>http://comments.gmane.org/gmane.comp.security.firewalls.firehol.user/1195</link>
    <description>&lt;pre&gt;You have new visitors on Badoo!

15 more people visited your profile and may be interested in you.

More people who are also waiting for you:
Satou
Fatou
Marème
Anabelle
Bineta

Discover their profiles and photos:
http://us1.badoo.com/access.phtml?UID=1103641448&amp;amp;secret=QUmHzPj7Ly&amp;amp;g=50&amp;amp;m=47

If clicking on the link does not work, copy and paste the address into your browser's address bar.

This email is part of the delivery of a message sent by Anais from the system. If you have received this email by mistake, please ignore it. After a short period of time the message will be deleted from the system.

Have fun!
The Badoo Team


This message is automatic. Replies to this message will not be read or answered.
You have received this message as a Badoo user;
to control which emails you receive, please change your preferences:
http://us1.badoo.com/access.phtml?UID=1103641448&amp;amp;secret=QUmHzPj7Ly&amp;amp;g=49&amp;amp;pref_lang=7
&lt;/pre&gt;</description>
    <dc:creator>Badoo</dc:creator>
    <dc:date>2011-01-30T20:32:05</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.firewalls.firehol.user/1194">
    <title>You have 1 new message...</title>
    <link>http://comments.gmane.org/gmane.comp.security.firewalls.firehol.user/1194</link>
    <description>&lt;pre&gt;You have 1 new message...

The message and the person who sent it will only be shown to you, and you can delete it at any time. You can reply through Badoo chat. To see 1 new message from 1 contact, follow this link:
http://us1.badoo.com/access.phtml?UID=1103641448&amp;amp;secret=QUmHzPj7Ly&amp;amp;g=19&amp;amp;pref_lang=7&amp;amp;m=44



If clicking the link in this message does not work, copy and paste it into your browser's address bar.

This email is part of the system's procedure for sending messages and comments. If you did not like what was sent to you, ignore this email.

Have fun!
The Badoo Team



This message is automatic. Replies to this message will not be read or answered.
You have received this message as a Badoo user;
to control which emails you receive, please change your preferences:
http://us1.badoo.com/access.phtml?UID=1103641448&amp;amp;secret=QUmHzPj7Ly&amp;amp;g=49&amp;amp;pref_lang=7
&lt;/pre&gt;</description>
    <dc:creator>Badoo</dc:creator>
    <dc:date>2011-01-27T19:11:23</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.firewalls.firehol.user/1193">
    <title>You have new visitors on Badoo!</title>
    <link>http://comments.gmane.org/gmane.comp.security.firewalls.firehol.user/1193</link>
    <description>&lt;pre&gt;You have new visitors on Badoo!

2 more people visited your profile and may be interested in you.

More people who are also waiting for you:
Marie
Ami

Discover their profiles and photos:
http://eu1.badoo.com/access.phtml?UID=1103641448&amp;amp;secret=QUmHzPj7Ly&amp;amp;g=50&amp;amp;m=47

If clicking on the link does not work, copy and paste the address into your browser's address bar.

This email is part of the delivery of a message sent by Anais from the system. If you have received this email by mistake, please ignore it. After a short period of time the message will be deleted from the system.

Have fun!
The Badoo Team


This message is automatic. Replies to this message will not be read or answered.
You have received this message as a Badoo user;
to control which emails you receive, please change your preferences:
http://eu1.badoo.com/access.phtml?UID=1103641448&amp;amp;secret=QUmHzPj7Ly&amp;amp;g=49&amp;amp;pref_lang=7
&lt;/pre&gt;</description>
    <dc:creator>Badoo</dc:creator>
    <dc:date>2011-01-27T17:01:30</dc:date>
  </item>
  <textinput rdf:about="http://search.gmane.org/?group=$group=gmane.comp.security.firewalls.firehol.user">
    <title>Search Engine</title>
    <description>Search the mailing list at Gmane</description>
    <name>query</name>
    <link>http://search.gmane.org/?group=$group=gmane.comp.security.firewalls.firehol.user</link>
  </textinput>
</rdf:RDF>
