[Firehol-support] whitelisting

Daniel L. Miller dmiller at amfes.com
Thu Jul 15 19:45:06 CEST 2004


>I've set up firehol (debian sarge pkg) on a box here on my private lan.
>Goal is to isolate that box from the rest of the lan, but let a specific
>box access it via ssh, meanwhile let the internet access some services I'm
>hosting there. To do this I've used the blacklist helper as
>"blacklist full 192.168.1.0/24". This works as expected and I can't even
>ping the machine in question from inside the lan. Then I looked into the
>documentation to find a way to open only ssh for a certain ip but couldn't
>get a working config.  Current firehol.conf follows:
>
>version 5
>
>blacklist full 192.168.1.0/24
>
>interface eth0 ethlan
>	protection full 10/sec 10
>	policy drop
>	server "ssh icmp http" accept
>	client all accept
>
>I tried to add "server ssh accept src 192.168.1.10", but it didn't work.
>
>In general, is there a reason why whitelisting isn't implemented as
>blacklist is? I expected to find a helper like "whitelist full... ips",
>adding iptables rules before blacklist ones.
>  
>
I'm still feeling my way through Firehol myself - but I'll give this a 
shot (besides, there's no better way to learn than to try to help 
someone else).

Firehol works a bit differently than other solutions.  The basic premise 
is to block everything - then only allow in what you want.  Since I've 
never used the blacklist command - I'm not certain how it works, but 
it's probably overkill for your needs.

Also, the policy reject command is (I think) redundant.

I would try, instead, something like this:

interface eth0 ethlan src 192.168.1.10
    protection full 10/sec 10
    server "ssh icmp http" accept
    client all accept

Try that and see if it gives you the functionality you need - meanwhile 
I'm sure someone else will chime in and tell me where I'm wrong.

Daniel
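For reference, here is a complete firehol.conf that does what the original poster asked for: ssh (and ping) only from one LAN host, http from the internet, everything else from the LAN dropped. This is an added example, not a config from the thread or from the FireHOL project. It restricts the source per rule rather than on the whole interface, so the http service stays reachable from outside, and it drops the "blacklist full 192.168.1.0/24" line: that helper drops every packet to or from the whole subnet before the interface rules are evaluated, which is why a per-rule "src 192.168.1.10" never got a chance to match. Assumptions: the box has a single interface eth0, the administrative host is 192.168.1.10, the LAN is 192.168.1.0/24, and internet traffic arrives on eth0 through the LAN gateway with public source addresses.

```firehol
# Added example, not from the original thread or the FireHOL project.
# Assumed addresses: LAN 192.168.1.0/24, admin host 192.168.1.10,
# single interface eth0 carrying both LAN and (routed) internet traffic.
version 5

# No "blacklist" helper here: it would drop the admin host as well,
# before any of the interface rules below are consulted.

interface eth0 ethlan
    # same flood/invalid-packet protection the original config used
    protection full 10/sec 10

    # drop is already the default policy for an interface; kept for clarity
    policy drop

    # ssh and ping only from the single administrative host (assumed IP)
    server ssh  accept src 192.168.1.10
    server icmp accept src 192.168.1.10

    # http for everyone except the private LAN, i.e. the internet side
    server http accept src not 192.168.1.0/24

    # the box itself may initiate any outbound connection
    client all accept
```

The restriction lives in the optional rule parameters ("src", "dst", "not") that can follow the action on any server or client rule; that is FireHOL's whitelisting mechanism, there is no separate whitelist helper to put in front of a blacklist. After loading the config, a quick check from the LAN is "ssh 192.168.1.x" from 192.168.1.10 (should connect) and from any other LAN host (should hang and time out, since the policy is drop, not reject).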
