[Firehol-support] Re: whitelisting

Spike Spiegel debianix at yahoo.it
Fri Jul 16 10:52:46 BST 2004


It was a dark and stormy night on 2004/07/16 when I heard Daniel Pittman yelling:

[cut]
> What you want is a construct something like this:
> 
> interface lan eth0 src "192.168.100.1/24" dst "<my ip>"
>     # only packets from the LAN addresses will be processed here.
>     policy drop    # silently discard the packets
>     server ssh accept src "192.168.100.10"  # only from the
>                                             # "whitelisted" host.
>     # everything else falls off the ruleset, so is 'drop'ed
>     # note: no 'client' rules, so no connections *from* this machine.
> 
> interface internet eth0 src not "192.168.100.1/24" dst "<my ip>"
>     # only packets not from the LAN will be processed here.
>     policy reject  # or drop, as you please.
>     server "ssh http icmp" accept
> 
>     client "whatever protocols you need" accept
>     client all accept # if you don't care about being more specific.
> 
> 

Yes, this is *really* what I wanted, but got a question about it: why have
you added "dst '<my ip>'"? I can't get the meaning, and trying without it
goal is achieved anyway.


[cut]
> -- 
> This country has a deep fear and mistrust of strong, smart, accomplished,
> outspoken women unless they are sexy 22-year-olds killing vampires on
> television.
>         -- Dennis Miller

nice sig :)


oh, wish to say thanks to others too.

tnx guys, bye

Spike

-- 
Excess ain't rebellion.
You're drinking what they're selling.
Your self-destruction doesn't hurt them.
Your chaos won't convert them.
They're so happy to rebuild it.
You'll never really kill it.




More information about the Firehol-support mailing list