[Firehol-support] Re: whitelisting

Daniel Pittman daniel at rimspace.net
Fri Jul 16 02:12:46 BST 2004


On 16 Jul 2004, Daniel L. Miller wrote:

[...]

> I'm still feeling my way through Firehol myself - but I'll give this a
> shot (besides, there's no better way to learn than to try to help
> someone else).
>
> Firehol works a bit differently than other solutions. The basic premise
> is to block everything - then only allow in what you want.  

That "basic premise" is correct, in that it is the basic action of
firehol -- as well as the way that you *should* build a firewall.

That isn't different from other solutions, though. Pretty much every
firewall out there works this way, by default, and you should be pretty
suspicious of anything that doesn't...

> Since I've never used the blacklist command - I'm not certain how it
> works, but it's probably overkill for your needs.

It is. It causes that address range to be "null routed", or effectively
non-existent, before any other operations happen.

Since this isn't actually what the OP wanted, he isn't happy with the
solution. He actually wants to block everything but SSH from one
address, so 'blacklist' is inappropriate.

> Also, the policy reject command is (I think) redundant.

That depends. Firehol can do two things with packets: drop and reject.

'drop' means throw the packet away and do nothing more. A silent
failure, effectively, with no indication to the sender that anything
happened at all.

'reject' means to tell the sender that they were not permitted to
connect, which is much nicer to them.

         Daniel
-- 
There is nothing men more readily give themselves to than pushing their own
beliefs. When ordinary means fail, they add commandment, violence, fire and
sword.
        -- Michel Eyquem de Montaigne, _Essays_, Book. I, Ch. 39 (1580)
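A FireHOL configuration for the scenario discussed above (block everything, then allow only SSH from a single address), added here as an illustration and not taken from the original thread. The interface name eth0 and the address 192.0.2.10 are assumed, constructed values.

```firehol
# Added example, not from the original thread. eth0 and 192.0.2.10 are
# assumed values; substitute the real interface and management host.
version 5

interface eth0 internet
        # Default action for traffic that no rule below matches.
        # 'drop' discards silently; 'reject' tells the sender it was refused.
        policy drop
        protection strong

        # Whitelist: only this source address may reach the local SSH server.
        server ssh accept src 192.0.2.10

        # Connections initiated by this host itself remain allowed.
        client all accept
```

Changing `policy drop` to `policy reject` keeps the same whitelist but answers refused connections instead of staying silent, which is the distinction drawn in the reply above.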