Technical data
3. Base configuration
Instead of an IP address, we use an entry from the HOST_%_NAME array. dynamic tells
fli4l to forward all ports from the internet interface.
The second rule forwards the HTTPS protocol to a web server in a DMZ (Demilitarized Zone).
Now let's have a look at PF_INPUT:
PF_INPUT_N='3'
PF_INPUT_1='if:IP_NET_1_DEV:any ACCEPT'
PF_INPUT_2='if:pppoe:any prot:tcp 113 ACCEPT'
PF_INPUT_3='if:br0:any tmpl:dns @xbox IP_NET_1_IPADDR ACCEPT'
The first rule allows access to the router for everyone from the net defined in IP_NET_1. The
second rule opens the ident-port needed for package oident. The third rule allows the xbox
to access fli4l’s DNS server. Notice the use of a host alias here.
PF_FORWARD and PF_POSTROUTING do not provide tmpl-specific content.
Figure 3.2.: Directory Structure fli4l
It is also possible to create templates yourself, and other packages can provide their own.
To create a template, you only need to create a text file containing the rules and give it the
name of the template. For a private template file, use the directory etc/fwrules.tmpl (create it if
necessary) under your config directory, as shown in figure 3.2. Package developers, or users
who need templates for more than one configuration, may place their template files directly in
opt/etc/fwrules.tmpl. The templates in the user's config directory override other settings,
though. The templates included in fli4l are interpreted last. This enables you
to "override" fli4l's templates by providing templates of the same name in your config
directory.
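Because a private template silently replaces a same-named one further down the search order, it is worth listing the overrides before building. The following script is an added example, not part of fli4l: it resolves which copy of a template takes effect and reports every shadowed copy. It assumes the precedence config directory, then opt/etc/fwrules.tmpl, then the templates included in fli4l; the directory name shipped, the template name pkg_tmpl and all file contents are constructed placeholders.

```shell
#!/bin/sh
# Added example, not fli4l code. Directories are given highest precedence first.

# resolve_tmpl NAME DIR... : print the path of the copy that takes effect.
resolve_tmpl() {
    name=$1; shift
    for dir in "$@"; do
        if [ -f "$dir/$name" ]; then printf '%s\n' "$dir/$name"; return 0; fi
    done
    return 1
}

# shadowed_tmpls DIR... : one line "NAME WINNER SHADOWED identical|differs"
# for every template file that a higher-precedence directory overrides.
shadowed_tmpls() {
    for dir in "$@"; do
        for f in "$dir"/*; do
            [ -f "$f" ] || continue
            name=${f##*/}
            winner=$(resolve_tmpl "$name" "$@")
            if [ "$winner" = "$f" ]; then continue; fi
            if cmp -s "$winner" "$f"; then state=identical; else state=differs; fi
            printf '%s %s %s %s\n' "$name" "$winner" "$f" "$state"
        done
    done
    return 0
}

# make_demo_tree: constructed sample tree; file bodies are placeholders, not
# real rule syntax. "shipped" is a hypothetical stand-in for the directory
# holding the templates included in fli4l (its real path is an assumption).
make_demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/config/etc/fwrules.tmpl" "$root/opt/etc/fwrules.tmpl" "$root/shipped"
    echo 'placeholder: private vpn_friends' > "$root/config/etc/fwrules.tmpl/vpn_friends"
    echo 'placeholder: private dns'         > "$root/config/etc/fwrules.tmpl/dns"
    echo 'placeholder: shipped dns'         > "$root/shipped/dns"
    echo 'placeholder: package template'    > "$root/opt/etc/fwrules.tmpl/pkg_tmpl"
    printf '%s\n' "$root"
}

root=$(make_demo_tree)
set -- "$root/config/etc/fwrules.tmpl" "$root/opt/etc/fwrules.tmpl" "$root/shipped"
resolve_tmpl dns "$@"       # the copy of "dns" that takes effect
shadowed_tmpls "$@"         # overrides to review before building
rm -rf "$root"
```

A line ending in differs marks a private template whose rules are not the ones fli4l provides under that name, so every PF_INPUT entry using tmpl: with that name gets the private rules.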
If, for example, you would like to create the template vpn_friends, create a file named
vpn_friends. The template should contain the services ssh, smtp, dns and samba. Hence you
write the following to vpn_friends: