[Firehol-support] whitelisting

Costa Tsaousis costa at tsaousis.gr
Fri Jul 16 02:05:46 CEST 2004


Hi all,

As Daniel said, FireHOL drops everything by default. The idea is to use
the interface commands to ALLOW only what is needed. There is no limit on
how many "virtual" interfaces you can define. You can reuse the same
physical interface if you pay attention to "policy" or limit the "src"
IP they match.

Example 1:
----------
You have only one ethernet for both LAN and internet. Allow pings from the
internet and all client requests to the internet, allow SSH from the LAN.


HOME_LAN="192.168.0.0/24"

interface eth0 lan src "${HOME_LAN}"
   server ssh accept

interface eth0 internet src not "${HOME_LAN}"
   server ping accept
   client all accept


Example 2:
----------
Again one ethernet, allow pings from everywhere and all client requests to
everywhere, but also allow all the above + ssh from the LAN except hosts
192.168.0.1 and 192.168.0.120.

HOME_LAN="192.168.0.0/24"
BLACKLIST="192.168.0.1 192.168.0.120"

interface eth0 world
   policy return

   server ping accept
   client all accept

interface eth0 lan src "${HOME_LAN}"
   server ssh accept src not "${BLACKLIST}"


The above can also be expressed as:

HOME_LAN="192.168.0.0/24"
BLACKLIST="192.168.0.1 192.168.0.120"

interface eth0 world
   policy return # if not matched in this interface, try below...

   server ping accept
   client all accept

interface eth0 blacklist src "${BLACKLIST}"
   # nothing here. Traffic entering this interface
   # will be dropped.

interface eth0 lan src "${HOME_LAN}"
   server ssh accept


The blacklist helper, on the other hand, acts like another filter in front
of the firewall: it completely and unconditionally blocks access from, or
from/to, the given IPs.

I hope you got the idea...


Costa
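An added illustration, not part of Costa's message: Example 2 rewritten with the blacklist helper he mentions instead of a "src not" match. It assumes the FireHOL 1.x syntax "blacklist full IP_LIST"; note that the semantics differ from Example 2, because the two hosts now lose all access, not just SSH.

```firehol
# Added example (not from the original message). Assumes FireHOL 1.x
# syntax: blacklist full <IP list>. Unlike Example 2 above, the listed
# hosts lose ALL access (ping, replies to our own client requests,
# everything), because the helper filters before any interface is checked.

HOME_LAN="192.168.0.0/24"
BLACKLIST="192.168.0.1 192.168.0.120"

# Drop traffic from and to these hosts before the interfaces are consulted.
blacklist full "${BLACKLIST}"

interface eth0 world
   policy return        # not matched here? fall through to the next interface

   server ping accept
   client all accept

interface eth0 lan src "${HOME_LAN}"
   server ssh accept    # no "src not" needed: the blacklist already filtered
```

Running "firehol debug" with this file prints the generated iptables commands without activating them, so the helper's effect can be inspected before it is applied.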
