Problem with Firestarter 1.0 policy


LiNuX-CrUsAdEr
2nd December 2004, 05:51 AM
Hi,

I installed Firestarter 1.0 on our mail server running on an FC2 platform. But before I did that, I disabled the built-in firewall of FC2 and the IPTables service. The installation was successful. By default, Firestarter 1.0 is restrictive on inbound traffic and permissive on outbound traffic, so I created policies for the inbound traffic. The first policy I created is to allow all SMTP inbound traffic on port 25 from any host. The second policy I created is to allow SSH inbound traffic on port 22 from a certain private IP address. I tested the second policy by establishing an SSH connection to the mail server from the machine using the private IP address I specified in the policy. As a result of the test, the firewall still blocked the SSH connection. Initially, without the firewall running, I was able to establish that very same SSH connection, so as expected the policy should work, but it didn't. I already restarted Firestarter, but the same problem persists. The server has two NICs, namely eth0 and eth1. I configured Firestarter on eth0 (Internet and LAN) because eth1 is really not in use. The logs show that the connection was blocked on eth0 despite the fact that I already applied the policy for that type of connection and even restarted the firewall. Any help would be appreciated. Thank you. :)

hiberphoptik
9th December 2004, 04:09 PM
I could be wrong because I am not a security expert :) However, I think you still need iptables running. You can turn off the built-in firewall, but if you want to be able to run any type of firewall, iptables or ipchains controls the rules of what is allowed and what is not.

mrguytx
9th December 2004, 05:46 PM

I believe that is correct as well.

LiNuX-CrUsAdEr
12th December 2004, 11:00 AM
I could be wrong because I am not a security expert :) However, I think you still need iptables running. You can turn off the built-in firewall, but if you want to be able to run any type of firewall, iptables or ipchains controls the rules of what is allowed and what is not.

I already kept the IPTables service running along with Firestarter; however, the problem still persists. As mentioned, the server has one public IP address on eth0. I assigned eth0 to both NAT and LAN.

The policy works for inbound traffic coming from a public IP address but not from a private IP address. I'm not sure if, once you set a public IP address on an interface and have Firestarter running, it would only accept traffic from hosts with public IP addresses.

Does any of you know how to resolve this kind of problem?

LiNuX-CrUsAdEr
14th December 2004, 03:15 AM
Hi guys,

I was able to resolve the problem already by removing the CIDR entry of the private IP address I was using to connect to our mail server from the file /etc/firestarter/non-routables. This file contains the list of private addresses in CIDR format, which makes Firestarter more intelligent. However, the drawback of this is that if you remove any CIDR IP address entry, IP spoofing is possible. So I suggest that you create a policy that would only allow the specific private IP address you want. Thanks for your replies.
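The two approaches from the last post side by side, as an added example that is not part of the thread and not Firestarter's own firewall script. It models the non-routables mechanism with plain iptables rules: one DROP per listed range on the public-facing interface, evaluated top-down with first match winning. Everything concrete is an assumption: eth0 as the public interface, 192.168.1.10 as the admin host, and the four-line list is a constructed stand-in for the real /etc/firestarter/non-routables. By default it only prints the rules (IPT is "echo iptables"); set IPT=iptables and run as root to apply them.

```shell
#!/bin/sh
# Added example: hand-written iptables rules modelling the thread's two fixes.
# Not Firestarter's own script; interface, host and list contents are assumptions.
set -eu

IPT="${IPT:-echo iptables}"                    # dry run by default; IPT=iptables to apply
WAN_IF="${WAN_IF:-eth0}"                       # public interface from the thread
TRUSTED_HOST="${TRUSTED_HOST:-192.168.1.10}"   # assumed private admin host
NON_ROUTABLES="${NON_ROUTABLES:-$(mktemp)}"    # stand-in for /etc/firestarter/non-routables

# Constructed stand-in for the non-routables file: one CIDR per line, '#' comments.
write_example_list() {
    cat > "$NON_ROUTABLES" <<'EOF'
# RFC 1918 and loopback ranges (constructed example list)
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16
127.0.0.0/8
EOF
}

# Strip comments and blank lines from the list.
read_ranges() {
    grep -Ev '^(#|$)' "$NON_ROUTABLES"
}

# Weak fix from the thread: delete the range the admin host lives in.
# Result: any packet arriving on eth0 with a 192.168.x.x source, on any port,
# is no longer stopped by the anti-spoofing rules at all.
weak_rules() {
    read_ranges | grep -v '^192\.168\.0\.0/16$' | while read -r net; do
        $IPT -A INPUT -i "$WAN_IF" -s "$net" -j DROP
    done
}

# Suggested fix: keep the full list, but ACCEPT the single host and port first.
# iptables stops at the first matching rule, so the ACCEPT must precede the DROPs;
# a policy appended after them (as the thread observed) never gets a chance.
strict_rules() {
    $IPT -A INPUT -i "$WAN_IF" -s "$TRUSTED_HOST" -p tcp --dport 22 -j ACCEPT
    read_ranges | while read -r net; do
        $IPT -A INPUT -i "$WAN_IF" -s "$net" -j DROP
    done
}

write_example_list
echo "# weak: entry removed from the list"
weak_rules
echo "# strict: explicit exception before the anti-spoofing drops"
strict_rules
```

The narrower exception does not make the private source address trustworthy: a host on the Internet can still stamp 192.168.1.10 on a packet aimed at eth0. What it changes is the exposure. A blind spoofer now reaches only one port on one claimed address, has to complete the TCP handshake without seeing the replies, and then still faces SSH authentication, instead of reaching every port from an entire /16 that the DROP rule no longer covers.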