[Firehol-support] whitelisting

Spike Spiegel debianix at yahoo.it
Thu Jul 15 19:39:46 BST 2004


It was a dark and stormy night on 2004/07/15 when I heard Daniel L. Miller yelling:

[cut]
> I would try, instead, something like this:
> 
> interface eth0 ethlan src 192.168.1.10
>    protection full 10/sec 10
>    server "ssh icmp http" accept
>    client all accept
> 
> Try that and see if it gives you the functionality you need - meanwhile 
> I'm sure someone else will chime in and tell me where I'm wrong.
> 

ok, here I need to discuss this subject a bit further 'cause I'm getting
confused.

First of all, lemme try to explain it why I added the blacklist helper:
with "client all accept" you let the host talk to the rest of the world,
(and this is necessary or nothing will work), other hosts on the lan
included, so I added the blacklist to prevent this.

about your solution:
adding src 192.168.1.10 let .10 box to access the firewalled box, and
vice-versa, but will stop anything else to work, internet included, cause
all the other hosts with an ip different than 192.168.1.10 will get
connection refused (actually timed out).

so I'm back to initial condition:
1) DROP everything,
2) accept incoming connections for ssh icmp http BUT from blacklisted hosts
3) accept outgoing connections originated on the host BUT to blacklisted
hosts
- NEED to add at the end of  2) and 3) EXCLUDED specific-ip (what I called
  whitelisting)

hope we can sort out a solution and most important hope I'll be able to
understand how firehol works, since it's a great tool and I would like to
be able to use it properly.

tnx Daniel.

bye

Spike

-- 
Excess ain't rebellion.
You're drinking what they're selling.
Your self-destruction doesn't hurt them.
Your chaos won't convert them.
They're so happy to rebuild it.
You'll never really kill it.




More information about the Firehol-support mailing list