Dealing with a lot of network interfaces can quickly mess up your ruleset. One way to avoid this is to take an outbound perspective. Imagine you are sitting on your router, holding a network packet that you want to place in the send queue of one of your network interfaces. This is where the router statements come in: they are organised by the outgoing interface (`outface`) and then narrowed down by where the packet came from. For this example we assume a RIR has assigned us a provider-independent IPv4 prefix 198.18.0.0/15 and an IPv6 prefix 2001:0002::/48, which we have to announce to our providers.

Let us think about a border router that has three Internet uplinks attached and is connected to your internal DMZ network by one NIC.
Name | NIC | Peering | Note |
---|---|---|---|
ISP1 | eth0 | BGP | traffic to ISP2 may transit |
ISP2 | eth1 | OSPF | traffic to ISP1 may transit |
ISP3 | ppp0 | BGP | connected via the physical NIC eth2 |
DMZ | eth3 | | |
We will refer to this layout throughout.
Now it is time to start writing the FireHOL configuration file. Let us define the interface statements first; these only cover traffic to and from the router itself (ICMP, neighbor discovery and the routing protocol sessions). The `$ISP1_PE_ROUTER`, `$ISP3_PE_ROUTER` and `_V6` variables are assumed to hold the addresses of the providers' peering routers and are set earlier in the same configuration file.

```bash
interface eth0 ISP1
    # allow ping and neighbor discovery
    client icmp accept
    client ping accept
    server ping accept
    # BGP session with the ISP1 PE router, dual stack in one rule
    client bgp accept dst4 "$ISP1_PE_ROUTER" dst6 "$ISP1_PE_ROUTER_V6"
    server bgp accept src4 "$ISP1_PE_ROUTER" src6 "$ISP1_PE_ROUTER_V6"

interface eth1 ISP2
    # allow ping and neighbor discovery
    client icmp accept
    client ping accept
    server ping accept
    # OSPF (FireHOL service names are lower case)
    client ospf accept
    server ospf accept

interface ppp0 ISP3
    # allow ping and neighbor discovery
    client icmp accept
    client ping accept
    server ping accept
    # BGP, one rule per address family; as a client we talk *to* the PE
    # router (dst), as a server we accept sessions *from* it (src)
    client4 bgp accept dst "$ISP3_PE_ROUTER"
    server4 bgp accept src "$ISP3_PE_ROUTER"
    client6 bgp accept dst "$ISP3_PE_ROUTER_V6"
    server6 bgp accept src "$ISP3_PE_ROUTER_V6"

interface eth3 DSL
    # allow ping
    client ping accept
    client4 pptp accept dst "10.0.0.138"
    client4 gre accept dst "10.0.0.138"
```

With the interfaces in place we write one router statement per outgoing interface. Inside each one, `group with inface ...` selects where the packet entered, so the transit policy of the table above (ISP1 and ISP2 may transit, ISP3 may not) is expressed once per uplink.
Router ISP1

```bash
router ISP1_OUT outface eth0
    route ping accept
    # ISP2 may transit via us
    group with inface eth1
        route all accept
    group end
    # DMZ
    group with inface eth3
        # client having an IPv4 & IPv6 address
        route all accept src4 "198.18.4.5" src6 "2001:0002::b00c"
    group end
```

Router ISP2

```bash
router ISP2_OUT outface eth1
    route ping accept
    # ISP1 may transit via us
    group with inface eth0
        route all accept
    group end
    # DMZ
    group with inface eth3
        # an outbound mail server with only an IPv4 address
        ipv4 group with src "198.18.0.25"
            ipv4 route smtp accept
        ipv4 group end
    group end
```

Router ISP3

```bash
router ISP3_OUT outface ppp0
    route ping accept
    # allow anything from the DMZ; note there is no transit group here
    group with inface eth3
        route all accept
    group end
```

Router DMZ

```bash
router DMZ_OUT outface eth3
    # only accept traffic to our PIs; every rule inside this group is
    # limited to the two prefixes, so the hosts below must lie within them
    group with dst4 "198.18.0.0/15" dst6 "2001:0002::/48"
        route ping accept
        # inbound mail server
        group with dst4 "198.18.0.10" dst6 "2001:0002::aaaa"
            route smtp accept
        group end
        # ipv4 only webserver HTTP & HTTPS
        route4 "http https" accept dst "198.18.0.80"
    group end
```
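To check that the outbound-perspective layout really enforces the table (ISP1 and ISP2 may transit, ISP3 may not, the DMZ only receives traffic for the PI prefixes), it helps to walk a few packets through the router blocks by hand. The script below is an added example, not FireHOL code or part of the original page: it models the `router` / `group with` / `route` nesting as a small first-match tree and decides per packet which verdict the forwarded traffic would get. The inbound mail server is assumed to sit at 198.18.0.10 and the web server at 198.18.0.80 inside the PI prefix; the sample packets and their addresses (documentation ranges) are constructed. Connection tracking and the interface statements (traffic to the router itself) are deliberately out of scope.

```python
"""Model of the outbound-perspective FireHOL ruleset (added example, not FireHOL's matcher)."""
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    inface: str    # interface the packet arrived on
    outface: str   # interface the packet is about to leave on
    src: str
    dst: str
    service: str   # "ping", "smtp", "http", "https", "ssh", ...


def _matches(constraints, pkt):
    """All constraints must hold; an empty dict matches everything.
    Address lists may mix IPv4 and IPv6, a family mismatch simply does not match,
    which is how the dst4/dst6 and ipv4/route4 variants behave in the text."""
    if "inface" in constraints and pkt.inface != constraints["inface"]:
        return False
    for key in ("src", "dst"):
        if key in constraints:
            addr = ipaddress.ip_address(getattr(pkt, key))
            if not any(addr in ipaddress.ip_network(n) for n in constraints[key]):
                return False
    return True


@dataclass
class Route:
    services: set = None                          # None means "route all"
    constraints: dict = field(default_factory=dict)


@dataclass
class Group:                                      # "group with ... group end"
    constraints: dict
    children: list


def _walk(children, pkt):
    """First match wins, exactly like the order of rules in the config."""
    for item in children:
        if isinstance(item, Group):
            if _matches(item.constraints, pkt):
                verdict = _walk(item.children, pkt)
                if verdict:
                    return verdict
        elif _matches(item.constraints, pkt) and (
            item.services is None or pkt.service in item.services
        ):
            return "accept"
    return None


PI4, PI6 = "198.18.0.0/15", "2001:0002::/48"      # prefixes from the text

# One entry per router statement: (outface, children), mirroring the page.
ROUTERS = [
    ("eth0", [                                    # router ISP1_OUT
        Route({"ping"}),
        Group({"inface": "eth1"}, [Route()]),     # ISP2 may transit
        Group({"inface": "eth3"}, [Route(constraints={"src": ["198.18.4.5", "2001:0002::b00c"]})]),
    ]),
    ("eth1", [                                    # router ISP2_OUT
        Route({"ping"}),
        Group({"inface": "eth0"}, [Route()]),     # ISP1 may transit
        Group({"inface": "eth3"}, [Group({"src": ["198.18.0.25"]}, [Route({"smtp"})])]),
    ]),
    ("ppp0", [                                    # router ISP3_OUT, no transit group
        Route({"ping"}),
        Group({"inface": "eth3"}, [Route()]),
    ]),
    ("eth3", [                                    # router DMZ_OUT
        Group({"dst": [PI4, PI6]}, [               # only our PI space
            Route({"ping"}),
            Group({"dst": ["198.18.0.10", "2001:0002::aaaa"]}, [Route({"smtp"})]),  # assumed mail host
            Route({"http", "https"}, {"dst": ["198.18.0.80"]}),                     # assumed web host
        ]),
    ]),
]


def decide(pkt):
    """Verdict for a forwarded packet; unmatched traffic hits the default drop."""
    for outface, children in ROUTERS:
        if pkt.outface == outface:
            return _walk(children, pkt) or "drop"
    return "drop"


if __name__ == "__main__":
    samples = [  # constructed packets exercising the table's policy
        Packet("eth1", "eth0", "203.0.113.7", "192.0.2.9", "ssh"),      # ISP2 -> ISP1 transit
        Packet("ppp0", "eth0", "203.0.113.7", "192.0.2.9", "ssh"),      # ISP3 -> ISP1: no transit
        Packet("eth3", "eth1", "198.18.0.25", "192.0.2.25", "smtp"),    # mail host out via ISP2
        Packet("eth3", "eth1", "198.18.0.25", "192.0.2.25", "http"),    # same host, wrong service
        Packet("eth0", "eth3", "192.0.2.9", "198.18.0.10", "smtp"),     # inbound mail
        Packet("eth0", "eth3", "192.0.2.9", "198.18.0.80", "ssh"),      # ssh to web host
        Packet("eth3", "eth0", "2001:0002::b00c", "2001:db8::1", "ssh"),  # v6 DMZ client
    ]
    for p in samples:
        print(f"{p.inface:>4} -> {p.outface:<4} {p.src:>16} -> {p.dst:<16} {p.service:<5} {decide(p)}")
```

Reading the output side by side with the config is a quick way to spot the two classic mistakes in this layout: a transit `group with inface` that was copied into the wrong router block, and a host inside the DMZ group whose address falls outside the PI prefixes selected by the enclosing `group with dst4 ... dst6 ...`, which silently turns that rule into dead code.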