[Firehol-support] Multiple IP Allows - Deny rest of subnet
James Bean
james at hdcs.com.au
Fri Nov 28 23:41:50 GMT 2003
Hi,
Just downloaded FireHOL for the first time and can't find an example
of what I am trying to do, so I thought I would ask :-).
I am running 3 ethernet interfaces: eth0 - ADSL, eth1 - LAN, eth2 -
Cable. I only want a few of my internet machines to have internet
access; the rest I want to be denied access. I need to keep them on
the same subnet, with a default of deny.
Would it be easier to do it by MAC address? I have all the MAC addresses
of the machines I want to give access to.
The list can grow up to 20 machines. Is there an easier way to list them,
so that I can # out the ones I don't want to have access at certain times?
e.g.
accepted_ips="
192.168.2.96
192.168.2.42
#192.168.2.54
192.168.2.66
192.168.2.174"
What I have come up with is as follows.
--------------------------------------------------
# Require release 5 of FireHOL configuration directives
version 5

# Transparent Proxy
transparent_squid 8080 "squid root" inface eth1

# Internal Network IP Address
lan_ips="192.168.2.0/24"
# LAN hosts that are allowed out to the internet (space separated)
accepted_ips="192.168.2.96 192.168.2.42 192.168.2.54 192.168.2.66 192.168.2.174"

# LAN
interface eth1 lan src "${lan_ips}"
    policy reject
    server dns accept
    server squid accept
    server ssh accept
    server http accept
    server ftp accept
    server smtp accept

# Internet-facing interfaces
interface "eth0 eth2" internet src not "${lan_ips} ${UNROUTABLE_IPS}"
    protection strong 10/sec 10
    server ssh accept
    server http accept
    server ident reject with tcp-reset
    client all accept

# LAN to internet: only the listed hosts match; every other LAN host
# falls through to the default drop
router lan2internet inface eth1 outface eth0
    masquerade
    # route takes a service name first; the allowed hosts go in a src parameter
    route all accept src "${accepted_ips}"

router internet2lan inface eth0 outface eth1
    masquerade reverse
    client all accept
    server ident reject with tcp-reset
-----------------------------------------------------------------
Any help would be very much appreciated.
James
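One way to keep a commented-out host list in the FireHOL config itself, as an added example that is not from the original post or the FireHOL project: since FireHOL reads its configuration as a bash script, a small shell helper can strip the `#` entries and sanity-check the rest before the value reaches the router. The host list is constructed, and the router lines assume that a `src` rule parameter on a router limits which LAN hosts match, with unmatched traffic falling through to FireHOL's default drop.

```shell
#!/bin/sh
# Added example, not from the original post or the FireHOL project.
# Constructed host list: one LAN address per line; a leading '#' disables
# an entry and anything after '#' on a line is a comment.
accepted_ips_list="
192.168.2.96
192.168.2.42
#192.168.2.54
192.168.2.66      # keep enabled; trailing comment is ignored
192.168.2.174"

# Return the enabled addresses as one space-separated line, which is the
# form a FireHOL rule parameter such as src "..." expects.
strip_disabled() {
    printf '%s\n' "$1" \
        | sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        | grep -v '^$' \
        | tr '\n' ' ' \
        | sed 's/ $//'
}

# Refuse entries that are not dotted quads inside 192.168.2.0/24, so a typo
# in the list fails loudly instead of silently letting a host through or
# quietly locking one out. Returns 0 when every entry is acceptable.
validate_hosts() {
    for ip in $1; do
        case "$ip" in
            192.168.2.[0-9]|192.168.2.[0-9][0-9]|192.168.2.[0-9][0-9][0-9]) ;;
            *) echo "bad LAN host: $ip" >&2; return 1 ;;
        esac
    done
    return 0
}

# Emit the router definition restricted to the enabled hosts. Assumption:
# the src parameter on the router limits which LAN hosts match, and LAN
# traffic matching no rule falls through to FireHOL's default drop.
lan2internet_router() {
    printf 'router lan2internet inface eth1 outface eth0 src "%s"\n' "$1"
    printf '    masquerade\n'
    printf '    route all accept\n'
}

accepted_ips=$(strip_disabled "$accepted_ips_list")
validate_hosts "$accepted_ips" && lan2internet_router "$accepted_ips"
```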