[Firehol-support] Re: whitelisting
daniel at rimspace.net
Fri Jul 16 02:19:06 BST 2004
On 16 Jul 2004, Spike Spiegel wrote:
> It was a dark and stormy night on 2004/07/15 when I heard Daniel L. Miller
>> I would try, instead, something like this:
>> interface eth0 ethlan src 192.168.1.10
>> protection full 10/sec 10
>> server "ssh icmp http" accept
>> client all accept
>> Try that and see if it gives you the functionality you need - meanwhile
>> I'm sure someone else will chime in and tell me where I'm wrong.
> ok, here I need to discuss this subject a bit further 'cause I'm getting
> First of all, lemme try to explain it why I added the blacklist helper:
> with "client all accept" you let the host talk to the rest of the world,
> (and this is necessary or nothing will work),
Wrong. You certainly don't have to include 'client all accept', and I
don't on a number of my systems here.
> other hosts on the lan included, so I added the blacklist to prevent
The problem is that you don't want to blacklist the lan, you want to
partially restrict access to it.
> so I'm back to initial condition:
> 1) DROP everything,
> 2) accept incoming connections for ssh icmp http BUT from blacklisted hosts
> 3) accept outgoing connections originated on the host BUT to blacklisted
> - NEED to add at the end of 2) and 3) EXCLUDED specific-ip (what I called
What you want is a construct something like this:
interface lan eth0 src "192.168.100.1/24" dst "<my ip>"
# only packets from the LAN addresses will be processed here.
policy drop # silently discard the packets
server ssh accept src "192.168.100.10" # only from the
# "whitelisted" host.
# everything else falls off the ruleset, so is 'drop'ed
# note: no 'client' rules, so no connections *from* this machine.
interface internet eth0 src not "192.168.100.1/24" dst "<my ip>"
# only packets not from the LAN will be processed here.
policy reject # or drop, as you please.
server "ssh http icmp" accept
client "whatever protocols you need" accept
client all accept # if you don't care about being more specific.
Note: no blacklist, because that isn't what you wanted to achieve.
Also, you can specify a limited set of protocols, if you wish, in the
> hope we can sort out a solution and most important hope I'll be able to
> understand how firehol works, since it's a great tool and I would like to
> be able to use it properly.
Well, basically, your problem was that you thought you wanted a
blacklisted address range, but you really wanted a heavily ruleset for
one block of addresses, and a lighter ruleset for another.
The best way to achieve that in firehol is using more than one
This country has a deep fear and mistrust of strong, smart, accomplished,
outspoken women unless they are sexy 22-year-olds killing vampires on
-- Dennis Miller
More information about the Firehol-support