[Firehol-support] whitelisting

Daniel L. Miller dmiller at amfes.com
Thu Jul 15 21:16:58 CEST 2004 

Spike Spiegel wrote:

>It was a dark and stormy night on 2004/07/15 when I heard Daniel L. Miller yelling:
>
>[cut]
>  
>
>>I would try, instead, something like this:
>>
>>interface eth0 ethlan src 192.168.1.10
>>   protection full 10/sec 10
>>   server "ssh icmp http" accept
>>   client all accept
>>
>>Try that and see if it gives you the functionality you need - meanwhile 
>>I'm sure someone else will chime in and tell me where I'm wrong.
>>
>>    
>>
>
>ok, here I need to discuss this subject a bit further 'cause I'm getting
>confused.
>
>First of all, lemme try to explain it why I added the blacklist helper:
>with "client all accept" you let the host talk to the rest of the world,
>(and this is necessary or nothing will work), other hosts on the lan
>included, so I added the blacklist to prevent this.
>
>about your solution:
>adding src 192.168.1.10 let .10 box to access the firewalled box, and
>vice-versa, but will stop anything else to work, internet included, cause
>all the other hosts with an ip different than 192.168.1.10 will get
>connection refused (actually timed out).
>
>so I'm back to initial condition:
>1) DROP everything,
>2) accept incoming connections for ssh icmp http BUT from blacklisted hosts
>3) accept outgoing connections originated on the host BUT to blacklisted
>hosts
>- NEED to add at the end of  2) and 3) EXCLUDED specific-ip (what I called
>  whitelisting)
>
>hope we can sort out a solution and most important hope I'll be able to
>understand how firehol works, since it's a great tool and I would like to
>be able to use it properly.
>
>tnx Daniel.
>
>bye
>
>Spike
>
>  
>
I think we can solve this - but I need clarification:

1.  How many physical interfaces does this box have?
2.  How is this box connected to the internet?

Now to verify:
a.  You want this box to make any outgoing connection EXCEPT to
blacklisted IPs.
b.  You want the internet to be able to make incoming connections for
specific services.
c.  You want a particular host to be able to make an incoming SSH
connection.

-- 
Daniel Miller
VP - Engineering
AM Fire & Electronic Services, Inc. (AMFES)
4655 Quality Court, Suite E
Las Vegas, NV  89103
www.amfes.com
(702) 312-5276
(702) 312-5279 fax
dmiller at amfes.com

More information about the Firehol-support mailing list