Daniel L. Miller
dmiller at amfes.com
Thu Jul 15 21:29:26 BST 2004
Daniel L. Miller wrote:
> Spike Spiegel wrote:
>> It was a dark and stormy night on 2004/07/15 when I heard Daniel L.
>> Miller yelling:
>>> I would try, instead, something like this:
>>> interface eth0 ethlan src 192.168.1.10
>>> protection full 10/sec 10
>>> server "ssh icmp http" accept
>>> client all accept
>>> Try that and see if it gives you the functionality you need -
>>> meanwhile I'm sure someone else will chime in and tell me where I'm
>> ok, here I need to discuss this subject a bit further 'cause I'm getting
>> First of all, lemme try to explain it why I added the blacklist helper:
>> with "client all accept" you let the host talk to the rest of the world,
>> (and this is necessary or nothing will work), other hosts on the lan
>> included, so I added the blacklist to prevent this.
>> about your solution:
>> adding src 192.168.1.10 let .10 box to access the firewalled box, and
>> vice-versa, but will stop anything else to work, internet included,
>> all the other hosts with an ip different than 192.168.1.10 will get
>> connection refused (actually timed out).
>> so I'm back to initial condition:
>> 1) DROP everything,
>> 2) accept incoming connections for ssh icmp http BUT from blacklisted
>> 3) accept outgoing connections originated on the host BUT to blacklisted
>> - NEED to add at the end of 2) and 3) EXCLUDED specific-ip (what I
>> hope we can sort out a solution and most important hope I'll be able to
>> understand how firehol works, since it's a great tool and I would
>> like to
>> be able to use it properly.
>> tnx Daniel.
> I think we can solve this - but I need clarification:
> 1. How many physical interfaces does this box have?
> 2. How is this box connected to the internet?
> Now to verify:
> a. You want this box to make any outgoing connection EXCEPT to
> blacklisted IPs.
> b. You want the internet to be able to make incoming connections for
> specific services.
> c. You want a particular host to be able to make an incoming SSH
Without Maybe this (I like using variables):
BLACK_IPS = "192.168.1.0/24"
ADMIN_IPS = "192.168.1.10 192.168.1.7" #Just to show you how to add
INTERNET_IP = "you.fill.in.here"
interface eth0 ethlan src 192.168.1.10
protection full 10/sec 10
server "icmp http ssh" accept src not $BLACK_IPS
server ssh accept src $ADMIN_IP
client all accept dst not $BLACK_IPS
I showed the SSH two ways so you would see some flexibility.
More information about the Firehol-support