Daniel L. Miller
dmiller at amfes.com
Thu Jul 15 20:16:58 BST 2004
Spike Spiegel wrote:
>It was a dark and stormy night on 2004/07/15 when I heard Daniel L. Miller yelling:
>>I would try, instead, something like this:
>>interface eth0 ethlan src 192.168.1.10
>> protection full 10/sec 10
>> server "ssh icmp http" accept
>> client all accept
>>Try that and see if it gives you the functionality you need - meanwhile
>>I'm sure someone else will chime in and tell me where I'm wrong.
>ok, here I need to discuss this subject a bit further 'cause I'm getting
>First of all, let me try to explain why I added the blacklist helper:
>with "client all accept" you let the host talk to the rest of the world
>(and this is necessary or nothing will work), other hosts on the LAN
>included, so I added the blacklist to prevent this.
>About your solution:
>adding src 192.168.1.10 lets the .10 box access the firewalled box, and
>vice versa, but will stop anything else from working, internet included, because
>all the other hosts with an IP different from 192.168.1.10 will get
>connection refused (actually timed out).
>So I'm back to the initial condition:
>1) DROP everything,
>2) accept incoming connections for ssh icmp http BUT from blacklisted hosts
>3) accept outgoing connections originated on the host BUT to blacklisted
>- NEED to add at the end of 2) and 3) EXCLUDED specific-ip (what I called
>Hope we can sort out a solution and, most important, I hope I'll be able to
>understand how firehol works, since it's a great tool and I would like to
>be able to use it properly.
I think we can solve this - but I need clarification:
1. How many physical interfaces does this box have?
2. How is this box connected to the internet?
Now to verify:
a. You want this box to make any outgoing connection EXCEPT to
b. You want the internet to be able to make incoming connections for
c. You want a particular host to be able to make an incoming SSH
VP - Engineering
AM Fire & Electronic Services, Inc. (AMFES)
4655 Quality Court, Suite E
Las Vegas, NV 89103
(702) 312-5279 fax
dmiller at amfes.com
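As an added example (not from either poster), here is one way to express the three-step policy Spike lists above in a FireHOL 1.x configuration, using the per-rule "src not" / "dst not" exceptions that the thread hints at rather than the global blacklist helper. It assumes a single interface eth0, that SSH should only come from the one specific host, and the addresses are constructed placeholders.

```firehol
version 5

# Constructed example values (not from the thread): adjust to the real LAN.
blacklisted="192.168.1.50 192.168.1.51"   # hosts this box must never talk to
admin_host="192.168.1.10"                 # the one host allowed to SSH in

# Alternative (Spike's approach): the blacklist helper, declared before any
# interface, drops traffic to and from these hosts in both directions, so
# "client all accept" below can no longer reach them. Either this helper or
# the per-rule "not" exceptions is enough; this example uses the latter.
# blacklist full ${blacklisted}

interface eth0 ethlan
    # 1) Drop everything that is not explicitly accepted below.
    policy drop
    protection strong 10/sec 10

    # 2) Incoming icmp/http from anyone EXCEPT the blacklisted hosts.
    server "icmp http" accept src not "${blacklisted}"

    # c) Incoming SSH only from the one specific host (assumption: this is
    #    the "EXCLUDED specific-ip" exception Spike refers to).
    server ssh accept src "${admin_host}"

    # 3) Outgoing connections originated on this host to everyone EXCEPT
    #    the blacklisted hosts.
    client all accept dst not "${blacklisted}"
```

Load it with "firehol try" rather than "firehol start": if the new rule set cuts off your own SSH session and you cannot confirm it, FireHOL restores the previous rules automatically.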