[Firehol-support] whitelisting
Costa Tsaousis
costa at tsaousis.gr
Fri Jul 16 01:05:46 BST 2004
Hi all,
As Daniel said, FireHOL drops everything by default. The idea is to use
the interface commands to ALLOW only what is needed. There is no limit to
how many "virtual" interfaces you can define. You can reuse the same
physical interface if you pay attention to "policy" or limit the "src"
IPs they match.
Example 1:
----------
You have only one ethernet for both LAN and internet. Allow pings from the
internet and all client requests to the internet, allow SSH from the LAN.
HOME_LAN="192.168.0.0/24"

# LAN hosts only: SSH in. Anything else from them hits the
# interface's default policy (drop).
interface eth0 lan src "${HOME_LAN}"
        server ssh accept

# Everyone else: answer pings, and let this host initiate anything.
interface eth0 internet src not "${HOME_LAN}"
        server ping accept
        client all accept
Example 2:
----------
Again one ethernet: allow pings from everywhere and all client requests to
everywhere, plus SSH from the LAN except from hosts 192.168.0.1 and
192.168.0.120.
HOME_LAN="192.168.0.0/24"
BLACKLIST="192.168.0.1 192.168.0.120"

# Matches all traffic on eth0. "policy return" hands packets that no
# rule here accepts to the interfaces defined below instead of dropping them.
interface eth0 world
        policy return
        server ping accept
        client all accept

# LAN hosts: SSH in, except from the two blacklisted addresses.
interface eth0 lan src "${HOME_LAN}"
        server ssh accept src not "${BLACKLIST}"
The above can also be expressed as:
HOME_LAN="192.168.0.0/24"
BLACKLIST="192.168.0.1 192.168.0.120"

interface eth0 world
        policy return # if not matched in this interface, try below...
        server ping accept
        client all accept

interface eth0 blacklist src "${BLACKLIST}"
        # nothing here. Traffic entering this interface
        # will be dropped (the default interface policy is drop).

interface eth0 lan src "${HOME_LAN}"
        server ssh accept
The blacklist helper, on the other hand, acts like another filter in front
of the firewall: it blocks access from (or from/to) the given IPs completely
and unconditionally.
I hope you got the idea...
Costa
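As an added illustration (not part of Costa's message), here is the same single-ethernet setup written with the blacklist helper instead of an empty "blacklist" interface. The difference in behaviour is the point: because the helper runs in front of everything else, the two listed hosts lose even the pings that the "world" interface accepts, whereas in the interface-based version above they still get ping answers. The `version 5` line is assumed for a FireHOL 1.x config of the era; `BLACKLIST` is passed unquoted so the helper sees two separate addresses.

```firehol
# Added example, not from the original post or the FireHOL distribution.
# FireHOL 1.x config header (assumption; FireHOL 3.x uses "version 6").
version 5

HOME_LAN="192.168.0.0/24"
BLACKLIST="192.168.0.1 192.168.0.120"

# 1. The blacklist helper is applied before any interface: these hosts get
#    nothing in either direction, not even the ICMP that "world" accepts.
blacklist full ${BLACKLIST}

# 2. "world" matches every packet on eth0. With "policy return", a packet that
#    no rule here accepts is handed to the next interface instead of dropped.
interface eth0 world
        policy return
        server ping accept
        client all accept

# 3. LAN hosts only: SSH in. The default interface policy (drop) handles
#    everything else that reaches this chain, e.g. a LAN host probing SMTP.
interface eth0 lan src "${HOME_LAN}"
        server ssh accept

# Anything on eth0 that no interface accepts is dropped by FireHOL's default.
```

Load it with `firehol try` so that it is rolled back automatically if you lock yourself out of the SSH session, and use `firehol debug` to print the iptables commands it generates and confirm that the blacklist rules come before the interface chains.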