[Firehol-support] fireHOL on Debian and further improvement ideas

Costa Tsaousis costa at tsaousis.gr
Sat Mar 15 01:05:57 GMT 2003


Hi Bernhard,

This is the new 'panic':
When activating panic mode, FireHOL checks for the existence of the
SSH_CLIENT shell environment variable (set by SSH). If it finds this, then
panic mode will allow the established SSH connection specified in this
variable to operate. Notice that in order for this to work, you should
have su without the minus (-) sign, since su - overwrites the shell
variables and therefore the SSH_CLIENT variable is lost.

Alternatively, after the panic argument you can specify an IP address in
which case all established (only the established) connections between this
IP address and the host in panic will be allowed.

For the socks, do you know the possible client ports, or should I allow any
client port?

Costa


Bernhard Gruen said:
> Hello Costa,
>
> It seems that all your changes work correctly on my system. I have
> removed all my changes to services and the iptables init-script.
> The panic function also works great! But I think that this function
> could be really dangerous on a server that is only available by SSH (for
> example a leased web server). I think that additionally there should be
> a command to set to minimal rules (only one ssh connection at a time,
> from one special host for example).
>
> I also have a socks daemon running on my server. At the moment I need a
> special custom configuration. I think that a socks server is nothing
> special and should be available as a standard service. Socks uses the
> port 1080 both udp and tcp. This port is defined in the standard services
> from Debian.
>
>
> Thank you for your great software!
>
> Bernhard
>
>
> Costa Tsaousis schrieb:
>
>>FireHOL now has a numeric definition of squid.
>>
>>Could you please download the latest CVS version and check it on your
>>systems?
>>
>>Thank you again for reporting all these.
>>
>>Costa
>>
>>
>>
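The two panic-mode behaviours Costa describes (keep the one SSH session named by SSH_CLIENT, or keep every established connection with a given IP), as an added POSIX sh illustration that is not FireHOL's own code. It assumes the iptables `-m state --state ESTABLISHED` match; the SSH_CLIENT value used in comments is constructed, and the rules are printed rather than applied.

```shell
#!/bin/sh
# Added illustration, not FireHOL's own code.  Renders panic-mode rules as
# iptables commands and prints them; pipe to sh only on a host you mean to
# lock down.  Ordering: policies first, so nothing slips through while the
# exception rules are being added.

# Accept only a dotted-quad IPv4 address, so the value can be placed in a
# command line without further quoting concerns.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Usage: panic_rules [peer-ip]
# With an argument: allow every ESTABLISHED connection with that peer.
# Without: parse SSH_CLIENT ("client_ip client_port server_port", e.g. the
# constructed "192.0.2.10 51234 22") and allow only that one SSH session.
# Fails if neither is usable, which is what happens after 'su -' has
# replaced the environment and SSH_CLIENT is gone.
panic_rules() {
    peer="$1"
    echo 'iptables -P INPUT DROP'
    echo 'iptables -P OUTPUT DROP'
    echo 'iptables -P FORWARD DROP'
    echo 'iptables -F'
    if [ -n "$peer" ]; then
        valid_ipv4 "$peer" || { echo "panic: bad address '$peer'" >&2; return 1; }
        echo "iptables -A INPUT -s $peer -m state --state ESTABLISHED -j ACCEPT"
        echo "iptables -A OUTPUT -d $peer -m state --state ESTABLISHED -j ACCEPT"
        return 0
    fi
    # Word-splitting SSH_CLIENT into the function's positional parameters is intended.
    set -- $SSH_CLIENT
    if [ $# -ne 3 ] || ! valid_ipv4 "$1"; then
        echo 'panic: SSH_CLIENT unusable (did you use "su -"?) and no IP given' >&2
        return 1
    fi
    case "$2$3" in
        *[!0-9]*) echo "panic: non-numeric port in SSH_CLIENT" >&2; return 1 ;;
    esac
    # Inbound: client -> our sshd; outbound: the mirrored 5-tuple.
    echo "iptables -A INPUT -p tcp -s $1 --sport $2 --dport $3 -m state --state ESTABLISHED -j ACCEPT"
    echo "iptables -A OUTPUT -p tcp -d $1 --sport $3 --dport $2 -m state --state ESTABLISHED -j ACCEPT"
}
```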
