[Firehol-support] whitelisting

Daniel L. Miller dmiller at amfes.com
Thu Jul 15 21:29:26 BST 2004


Daniel L. Miller wrote:

> Spike Spiegel wrote:
>
>> It was a dark and stormy night on 2004/07/15 when I heard Daniel L. 
>> Miller yelling:
>>
>> [cut]
>>  
>>
>>> I would try, instead, something like this:
>>>
>>> interface eth0 ethlan src 192.168.1.10
>>>   protection full 10/sec 10
>>>   server "ssh icmp http" accept
>>>   client all accept
>>>
>>> Try that and see if it gives you the functionality you need - 
>>> meanwhile I'm sure someone else will chime in and tell me where I'm 
>>> wrong.
>>>
>>>   
>>
>>
>> OK, here I need to discuss this subject a bit further because I'm getting
>> confused.
>>
>> First of all, let me try to explain why I added the blacklist helper:
>> with "client all accept" you let the host talk to the rest of the world
>> (and this is necessary or nothing will work), other hosts on the LAN
>> included, so I added the blacklist to prevent this.
>>
>> About your solution:
>> adding src 192.168.1.10 lets the .10 box access the firewalled box, and
>> vice versa, but it will stop anything else from working, internet included,
>> because all the other hosts with an IP different from 192.168.1.10 will get
>> connection refused (actually timed out).
>>
>> So I'm back to the initial condition:
>> 1) DROP everything,
>> 2) accept incoming connections for ssh icmp http BUT NOT from blacklisted
>>    hosts
>> 3) accept outgoing connections originated on the host BUT NOT to blacklisted
>>    hosts
>> - NEED to add at the end of 2) and 3) EXCLUDED specific-ip (what I called
>>   whitelisting)
>>
>> Hope we can sort out a solution and, most important, hope I'll be able to
>> understand how firehol works, since it's a great tool and I would like to
>> be able to use it properly.
>>
>> Thanks Daniel.
>>
>> bye
>>
>> Spike
>>
>>  
>>
> I think we can solve this - but I need clarification:
>
> 1.  How many physical interfaces does this box have?
> 2.  How is this box connected to the internet?
>
> Now to verify:
> a.  You want this box to make any outgoing connection EXCEPT to
> blacklisted IPs.
> b.  You want the internet to be able to make incoming connections for
> specific services.
> c.  You want a particular host to be able to make an incoming SSH
> connection.
>
Maybe this (I like using variables):

# FireHOL config files are shell scripts, so no spaces around "="
BLACK_IPS="192.168.1.0/24"
ADMIN_IPS="192.168.1.10 192.168.1.7"   # Just to show you how to add multiple IPs
INTERNET_IP="you.fill.in.here"

# No src restriction on the interface itself; the per-rule src/dst matches
# do the filtering, so the rest of the internet can still reach this box.
interface eth0 ethlan
    protection full 10/sec 10
    # anyone outside the blacklisted LAN may reach these services
    server "icmp http ssh" accept src not "$BLACK_IPS"
    # the admin hosts sit inside the blacklisted range, so whitelist them for ssh only
    server ssh accept src "$ADMIN_IPS"
    # outgoing from this box to anywhere except the blacklisted LAN
    client all accept dst not "$BLACK_IPS"

I showed the SSH two ways so you would see some flexibility.

Daniel
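As an added illustration (not part of the thread), this Python walk-through models how the two server rules and the client rule in Daniel's snippet combine: the first server rule excludes the whole blacklisted LAN, the second re-admits only the admin hosts and only for ssh. The addresses are constructed from the snippet; the interface-level match is not modelled.

```python
"""Model the accept decisions of Daniel's FireHOL snippet.

FireHOL evaluates the listed rules in order and the interface's default
policy drops anything that matches none of them, so a packet is accepted
if at least one accept rule matches it.
"""
import ipaddress

# Constructed values mirroring the snippet in the thread.
BLACK_IPS = ["192.168.1.0/24"]
ADMIN_IPS = ["192.168.1.10", "192.168.1.7"]
PUBLIC_SERVICES = {"icmp", "http", "ssh"}


def in_any(ip: str, nets: list[str]) -> bool:
    """True if ip falls inside any of the given networks or hosts."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in nets)


def inbound_allowed(src: str, service: str) -> bool:
    """Incoming request to this box.

    server "icmp http ssh" accept src not $BLACK_IPS
    server ssh accept src $ADMIN_IPS
    """
    # Rule 1: public services, but never from the blacklisted LAN.
    if service in PUBLIC_SERVICES and not in_any(src, BLACK_IPS):
        return True
    # Rule 2: the whitelist punches a hole in the blacklist for ssh only.
    if service == "ssh" and in_any(src, ADMIN_IPS):
        return True
    # Default policy of the interface: drop.
    return False


def outbound_allowed(dst: str) -> bool:
    """Connection originated on this box.

    client all accept dst not $BLACK_IPS
    """
    return not in_any(dst, BLACK_IPS)


if __name__ == "__main__":
    for src, svc in [("203.0.113.5", "http"), ("192.168.1.50", "http"),
                     ("192.168.1.10", "ssh"), ("192.168.1.10", "http")]:
        print(f"in  {src:>14} {svc:<5} -> {inbound_allowed(src, svc)}")
    for dst in ["198.51.100.9", "192.168.1.50"]:
        print(f"out {dst:>14}       -> {outbound_allowed(dst)}")
```

Note that 192.168.1.10 reaches ssh only through the second rule: it is inside 192.168.1.0/24, so the first rule never matches it, which is exactly the "whitelisting" Spike asked for.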
