debianix at yahoo.it
Thu Jul 15 14:00:25 BST 2004
I've set up firehol (debian sarge pkg) on a box here on my private lan.
Goal is to isolate that box from the rest of the lan, but let a specific
box access it via ssh, meanwhile let internet access some services I'm
hosting there. To do this I've used blacklist helper as
"blacklist full 192.168.1.0/24". This works as expected and I can't even
ping the machine in question from inside the lan. Then I looked into
documentation to find a way to open only ssh for a certain ip but couldn't
get a working config. Current firehol.conf follows:
blacklist full 192.168.1.0/24
interface eth0 ethlan
protection full 10/sec 10
server "ssh icmp http" accept
client all accept
I tried to add "server ssh accept src 192.168.1.10", but it didn't work.
In general, is there a reason why whitelisting isn't implemented as
blacklist is? I expected to find a helper like "whitelist full... ips",
adding iptables rules before blacklist ones.
Excess ain't rebellion.
You're drinking what they're selling.
Your self-destruction doesn't hurt them.
Your chaos won't convert them.
They're so happy to rebuild it.
You'll never really kill it.
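The behaviour described in the post comes down to first-match evaluation: a subnet-wide drop emitted ahead of the interface rules shadows any later, more specific accept. The following is an added illustration, not part of the original post and not FireHOL's own code: a small iptables-style first-match simulator with a check that flags an accept rule placed behind a drop rule that already covers it. The rule names, the 192.168.1.10 admin host and the 203.0.113.5 internet address are constructed for the example.

```python
"""First-match simulation of rule ordering (constructed example, not FireHOL).

Shows why a host-specific ACCEPT for ssh must come before a subnet-wide DROP
("blacklist full 192.168.1.0/24") to have any effect, and how to detect the
misordering mechanically.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    """One firewall rule matching on source network, protocol and port."""
    action: str                      # "ACCEPT" or "DROP"
    src: str = "0.0.0.0/0"           # source network in CIDR notation
    proto: Optional[str] = None      # "tcp", "udp", "icmp" or None for any
    dport: Optional[int] = None      # destination port or None for any

    def matches(self, src_ip: str, proto: str, dport: Optional[int]) -> bool:
        if ip_address(src_ip) not in ip_network(self.src):
            return False
        if self.proto is not None and self.proto != proto:
            return False
        if self.dport is not None and self.dport != dport:
            return False
        return True

    def covers(self, other: "Rule") -> bool:
        """True if every packet matched by `other` is also matched by self."""
        if not ip_network(other.src).subnet_of(ip_network(self.src)):
            return False
        if self.proto is not None and self.proto != other.proto:
            return False
        if self.dport is not None and self.dport != other.dport:
            return False
        return True


def evaluate(rules: List[Rule], src_ip: str, proto: str,
             dport: Optional[int] = None, policy: str = "DROP") -> str:
    """Return the action of the first matching rule, else the chain policy."""
    for rule in rules:
        if rule.matches(src_ip, proto, dport):
            return rule.action
    return policy


def shadowed_accepts(rules: List[Rule]) -> List[int]:
    """Indices of ACCEPT rules fully covered by an earlier DROP rule.

    Such a rule can never fire; this is exactly the symptom of appending a
    whitelist entry after a blacklist that already spans its source range.
    """
    hits = []
    for i, rule in enumerate(rules):
        if rule.action != "ACCEPT":
            continue
        if any(r.action == "DROP" and r.covers(rule) for r in rules[:i]):
            hits.append(i)
    return hits


LAN = "192.168.1.0/24"
ADMIN = "192.168.1.10/32"   # constructed: the one LAN host allowed to use ssh

# Ordering as the posted config behaves: blacklist first, then the
# per-interface server rules, so LAN traffic never reaches the ssh accept.
POSTED = [
    Rule("DROP", src=LAN),                   # blacklist full 192.168.1.0/24
    Rule("ACCEPT", proto="tcp", dport=22),   # server ssh accept
    Rule("ACCEPT", proto="icmp"),            # server icmp accept
    Rule("ACCEPT", proto="tcp", dport=80),   # server http accept
]

WHITELIST = Rule("ACCEPT", src=ADMIN, proto="tcp", dport=22)

# Whitelist appended behind the blacklist: never matches.
MISORDERED = POSTED + [WHITELIST]
# Whitelist in front of the blacklist: the admin host gets ssh, nothing else.
WHITELIST_FIRST = [WHITELIST] + POSTED

if __name__ == "__main__":
    for name, rules in (("posted", POSTED), ("misordered", MISORDERED),
                        ("whitelist first", WHITELIST_FIRST)):
        verdict = evaluate(rules, "192.168.1.10", "tcp", 22)
        print(f"{name:16s} ssh from admin -> {verdict}; "
              f"shadowed accepts: {shadowed_accepts(rules)}")
```

Running the module prints the verdict for ssh from the admin host under each ordering; `shadowed_accepts` is the check worth keeping around, since it catches the appended-whitelist mistake without having to send test packets.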