[Firehol-support] whitelisting

Spike Spiegel debianix at yahoo.it
Thu Jul 15 14:00:25 BST 2004


Hi all,

I've setup firehol (debian sarge pkg) on a box here on my private lan.
Goal is to isolate that box from the rest of the lan, but let a specific
box access it via ssh, meanwhile let internet access some services I'm
hosting there. To do this I've used blacklist helper as
"blacklist full 192.168.1.0/24". This works as expected and I can't even
ping the machine in question from inside the lan. Then I looked into
documentation to find a way to open only ssh for a certain ip but couldn't
get a working config.  Current firehol.conf follows:

version 5

blacklist full 192.168.1.0/24

interface eth0 ethlan
	protection full 10/sec 10
	policy drop
	server "ssh icmp http" accept
	client all accept

I tryed to add "server ssh accept src 192.168.1.10", but it didn't work.

In general, is there a reason why whitelisting isn't implemented as
blacklist is? I expected to find a helper like "whitelist full... ips",
adding iptables rules before blacklist ones.

any hint?

tia

Spike

-- 
Excess ain't rebellion.
You're drinking what they're selling.
Your self-destruction doesn't hurt them.
Your chaos won't convert them.
They're so happy to rebuild it.
You'll never really kill it.




More information about the Firehol-support mailing list