[Firehol-support] whitelisting

Spike Spiegel debianix at yahoo.it
Thu Jul 15 15:00:25 CEST 2004


Hi all,

I've setup firehol (debian sarge pkg) on a box here on my private lan.
Goal is to isolate that box from the rest of the lan, but let a specific
box access it via ssh, meanwhile let internet access some services I'm
hosting there. To do this I've used blacklist helper as
"blacklist full 192.168.1.0/24". This works as expected and I can't even
ping the machine in question from inside the lan. Then I looked into
documentation to find a way to open only ssh for a certain ip but couldn't
get a working config. Current firehol.conf follows:

version 5

blacklist full 192.168.1.0/24

interface eth0 ethlan
	protection full 10/sec 10
	policy drop
	server "ssh icmp http" accept
	client all accept

I tried to add "server ssh accept src 192.168.1.10", but it didn't work.

In general, is there a reason why whitelisting isn't implemented as
blacklist is? I expected to find a helper like "whitelist full... ips",
adding iptables rules before blacklist ones.

any hint?

tia

Spike

-- 
Excess ain't rebellion.
You're drinking what they're selling.
Your self-destruction doesn't hurt them.
Your chaos won't convert them.
They're so happy to rebuild it.
You'll never really kill it.
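
One way to get the effect the question asks for, added here as an example and not taken from the original post or from the FireHOL project: instead of a global `blacklist full` (which FireHOL evaluates before any interface rule, so no later `server ... src` rule can punch a hole in it), the whitelist is expressed with two source-restricted `interface` definitions on eth0. The trusted host and the private LAN are taken from the post (192.168.1.10 and 192.168.1.0/24); the interface names `trusted` and `internet` are arbitrary.

```conf
version 5

# Only the one trusted LAN host matches this interface: ssh (and ping) in,
# anything out. Assumed address from the post: 192.168.1.10.
interface eth0 trusted src "192.168.1.10"
	protection full 10/sec 10
	policy drop
	server "ssh icmp" accept
	client all accept

# Everything that is NOT on the private LAN, i.e. the internet:
# only the hosted services are reachable.
interface eth0 internet src not "192.168.1.0/24"
	protection full 10/sec 10
	policy drop
	server "http icmp" accept
	client all accept

# Traffic from the rest of 192.168.1.0/24 matches neither interface,
# so it falls through to FireHOL's unmatched-traffic handling, which
# drops (and logs) it by default: the box stays invisible to the LAN.
```

The order matters only in that each interface's `src` restriction must be disjoint from the others; with the blacklist gone, a single `interface eth0 ethlan` carrying `server ssh accept src "192.168.1.10"` next to an unrestricted `server http accept` would also work, but it would still expose http to the whole LAN, which the split above avoids.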




More information about the Firehol-support mailing list