[Firehol-support] whitelisting
Daniel L. Miller
dmiller at amfes.com
Thu Jul 15 18:45:06 BST 2004
>I've set up firehol (debian sarge pkg) on a box here on my private lan.
>Goal is to isolate that box from the rest of the lan, but let a specific
>box access it via ssh, meanwhile let internet access some services I'm
>hosting there. To do this I've used blacklist helper as
>"blacklist full 192.168.1.0/24". This works as expected and I can't even
>ping the machine in question from inside the lan. Then I looked into
>documentation to find a way to open only ssh for a certain ip but couldn't
>get a working config. Current firehol.conf follows:
>
>version 5
>
>blacklist full 192.168.1.0/24
>
>interface eth0 ethlan
> protection full 10/sec 10
> policy drop
> server "ssh icmp http" accept
> client all accept
>
>I tried to add "server ssh accept src 192.168.1.10", but it didn't work.
>
>In general, is there a reason why whitelisting isn't implemented as
>blacklist is? I expected to find a helper like "whitelist full... ips",
>adding iptables rules before blacklist ones.
>
>
I'm still feeling my way through Firehol myself - but I'll give this a
shot (besides, there's no better way to learn than to try to help
someone else).
Firehol works a bit differently than other solutions. The basic premise
is to block everything - then only allow in what you want. Since I've
never used the blacklist command - I'm not certain how it works, but
it's probably overkill for your needs.
Also, the policy reject command is (I think) redundant.
I would try, instead, something like this:
interface eth0 ethlan src 192.168.1.10
protection full 10/sec 10
server "ssh icmp http" accept
client all accept
Try that and see if it gives you the functionality you need - meanwhile
I'm sure someone else will chime in and tell me where I'm wrong.
Daniel
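For reference, one way to write the goal described in this thread (ssh and ping only from 192.168.1.10, the hosted http service reachable from outside the LAN, and the rest of 192.168.1.0/24 dropped) as a single FireHOL config. This is an added example, not the config of either poster; the interface names "lan" and "internet" are assumed, and the addresses are the ones from the original message. It splits eth0 into two interface definitions by source address instead of using the blacklist helper, so the whitelisting is done by the src parameter and everything that matches neither definition falls through to FireHOL's built-in final drop.

```firehol
# Added example, not from the thread. FireHOL 1.x config syntax (version 5).
version 5

# Only the one trusted LAN host (address from the original post) gets ssh
# and ping. "lan" is an assumed name; protection/rate values copied from
# the original firehol.conf.
interface eth0 lan src 192.168.1.10
    policy drop
    protection full 10/sec 10
    server "ssh icmp" accept

# Everything NOT on the private LAN (i.e. the internet) may reach the
# hosted http service; the box itself may open outbound connections.
# "internet" is an assumed name.
interface eth0 internet src not "192.168.1.0/24"
    policy drop
    protection full 10/sec 10
    server http accept
    client all accept

# Other 192.168.1.0/24 hosts match neither interface definition, so their
# packets are dropped by FireHOL's default final rule.
```

A quick check after loading the config is that ssh from 192.168.1.10 works, ssh or ping from another LAN address times out, and the http port answers only from a non-LAN address.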