Dealing with a lot of network interfaces can quickly mess up your ruleset. One way to avoid this is to take an outbound perspective: imagine you are sitting on your router, holding a network packet that you want to place in the send queue of one of your network interfaces. This is where a FireHOL router definition for that outgoing interface kicks in. For this example we assume that a RIR has assigned us a provider-independent IPv4 prefix, 198.18.0.0/15, and an IPv6 prefix, 2001:0002::/48, which we have to announce to our providers.
Consider a border router with three Internet uplinks attached, which is also connected to your internal DMZ network through one NIC.
| ISP | Interface | Routing protocol | Note |
| --- | --- | --- | --- |
| ISP1 | eth0 | BGP | traffic to ISP2 may transit |
| ISP2 | eth1 | OSPF | traffic to ISP1 may transit |
| ISP3 | ppp0 | BGP | connected via physical NIC eth2 |
We will refer to this layout throughout.
Now it is time to start writing the FireHOL configuration file. Let us define the interface statements.
```
# The $ISP*_PE_ROUTER / $ISP*_PE_ROUTER_V6 variables hold the provider edge router
# addresses and are expected to be defined earlier in the configuration.

interface eth0 ISP1
    # allow ping and neighbor discovery
    client icmp accept
    client ping accept
    server ping accept
    # BGP: we connect to the PE router (client, dst) and it connects to us (server, src)
    client bgp accept dst4 "$ISP1_PE_ROUTER" dst6 "$ISP1_PE_ROUTER_V6"
    server bgp accept src4 "$ISP1_PE_ROUTER" src6 "$ISP1_PE_ROUTER_V6"

interface eth1 ISP2
    # allow ping and neighbor discovery
    client icmp accept
    client ping accept
    server ping accept
    # OSPF
    client ospf accept
    server ospf accept

interface ppp0 ISP3
    # allow ping and neighbor discovery
    client icmp accept
    client ping accept
    server ping accept
    # BGP, split per address family (same peer direction as for ISP1:
    # dst for our outbound session, src for the PE router's inbound session)
    client4 bgp accept dst "$ISP3_PE_ROUTER"
    server4 bgp accept src "$ISP3_PE_ROUTER"
    client6 bgp accept dst "$ISP3_PE_ROUTER_V6"
    server6 bgp accept src "$ISP3_PE_ROUTER_V6"

interface eth3 DSL
    # allow ping
    client ping accept
    # PPTP control channel and GRE tunnel to the DSL device (IPv4 only)
    client4 pptp accept dst "10.0.0.138"
    client4 gre accept dst "10.0.0.138"
```
```
# One router per outgoing interface: each router only has to decide what may be
# placed into that interface's send queue, grouped by where the traffic came from.

router ISP1_OUT outface eth0
    route ping accept
    # ISP2 may transit via us
    group with inface eth1
        route all accept
    group end
    # DMZ
    group with inface eth3
        # client having an IPv4 & IPv6 address
        route all accept src4 "198.18.4.5" src6 "2001:0002::b00c"
    group end

router ISP2_OUT outface eth1
    route ping accept
    # ISP1 may transit via us
    group with inface eth0
        route all accept
    group end
    # DMZ
    group with inface eth3
        # an outbound mail server with only an IPv4 address
        ipv4 group with src "198.18.0.25"
            ipv4 route smtp accept
        ipv4 group end
    group end

router ISP3_OUT outface ppp0
    route ping accept
    # allow anything from the DMZ; note there is no group for eth0 or eth1,
    # so neither ISP1 nor ISP2 may transit to ISP3 through us
    group with inface eth3
        route all accept
    group end

router DMZ_OUT outface eth3
    # only accept traffic to our PIs
    group with dst4 "198.18.0.0/15" dst6 "2001:0002::/48"
        route ping accept
        # inbound mail server
        # (note: 192.168.0.10 lies outside the enclosing dst4 198.18.0.0/15 group,
        # so the IPv4 half of this rule cannot match as written; the IPv6 half does)
        group with dst4 "192.168.0.10" dst6 "2001:0002::aaaa"
            route smtp accept
        group end
        # ipv4 only webserver HTTP & HTTPS (same caveat as above for 192.168.0.80)
        route4 "http https" accept dst "192.168.0.80"
    group end
```
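As an added check that is not part of FireHOL or of the configuration above, the script below walks the router/group nesting of a condensed copy of these routers and derives which incoming interface may be forwarded to which outgoing interface, so the transit policy (ISP1 and ISP2 may transit through us, ISP3 may not) can be asserted rather than eyeballed. The names `forwarding_matrix` and `can_transit` and the condensed `CONFIG` sample are my own; it tracks interfaces only and ignores the src/dst address constraints.

```python
import shlex
# Constructed sample, condensed from the routers above (analysed only, never applied).
CONFIG = """
router ISP1_OUT outface eth0
    group with inface eth1
        route all accept
    group end
    group with inface eth3
        route all accept src4 "198.18.4.5" src6 "2001:0002::b00c"
    group end
router ISP2_OUT outface eth1
    group with inface eth0
        route all accept
    group end
    group with inface eth3
        ipv4 group with src "198.18.0.25"
            ipv4 route smtp accept
        ipv4 group end
    group end
router DMZ_OUT outface eth3
    group with dst4 "198.18.0.0/15" dst6 "2001:0002::/48"
        route ping accept
        route4 "http https" accept dst "192.168.0.80"
    group end
"""

def forwarding_matrix(text):
    """Map (inface, outface) -> services by walking the router/group nesting;
    '*' = not bound to an incoming interface. Address constraints are ignored."""
    matrix, outface, stack = {}, None, []            # stack: inface of each open group
    for words in filter(None, map(shlex.split, text.splitlines())):
        if words[0] in ("ipv4", "ipv6"):             # family prefix does not change nesting
            words = words[1:]
        if words[0] == "router":                     # a new router resets the nesting
            outface, stack = words[words.index("outface") + 1], []
        elif words[:2] == ["group", "with"]:         # no inface given: inherit the parent's
            stack.append(words[words.index("inface") + 1] if "inface" in words
                         else (stack[-1] if stack else "*"))
        elif words[:2] == ["group", "end"]:
            stack.pop()
        elif words[0].startswith("route"):           # route / route4 / route6 "svc ..." accept
            key = (stack[-1] if stack else "*", outface)
            matrix.setdefault(key, set()).update(words[1].split())
    return matrix

def can_transit(matrix, inface, outface):
    """True if anything beyond ping may be forwarded from inface to outface."""
    services = matrix.get((inface, outface), set()) | matrix.get(("*", outface), set())
    return bool(services - {"ping"})
```

Run it against your real configuration file (`forwarding_matrix(open(path).read())`) and assert the pairs your policy forbids are absent; the ISP3 router was left out of the sample, so ppp0 never appears as an outface here.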