[Firehol-support] Re: whitelisting

Daniel Pittman daniel at rimspace.net
Fri Jul 16 02:19:06 BST 2004

On 16 Jul 2004, Spike Spiegel wrote:
> It was a dark and stormy night on 2004/07/15 when I heard Daniel L. Miller
> 	yelling:
> [cut]
>> I would try, instead, something like this:
>> interface eth0 ethlan src
>> protection full 10/sec 10
>> server "ssh icmp http" accept
>> client all accept
>> Try that and see if it gives you the functionality you need - meanwhile
>> I'm sure someone else will chime in and tell me where I'm wrong.
> ok, here I need to discuss this subject a bit further 'cause I'm getting
> confused.
> First of all, lemme try to explain it why I added the blacklist helper:
> with "client all accept" you let the host talk to the rest of the world,


> (and this is necessary or nothing will work), 

Wrong. You certainly don't have to include 'client all accept', and I
don't on a number of my systems here.

> other hosts on the lan included, so I added the blacklist to prevent
> this.

The problem is that you don't want to blacklist the lan, you want to
partially restrict access to it.


> so I'm back to initial condition:
> 1) DROP everything,
> 2) accept incoming connections for ssh icmp http BUT from blacklisted hosts
> 3) accept outgoing connections originated on the host BUT to blacklisted
> hosts
> - NEED to add at the end of  2) and 3) EXCLUDED specific-ip (what I called
> whitelisting)

What you want is a construct something like this:

interface lan eth0 src "" dst "<my ip>"
    # only packets from the LAN addresses will be processed here.
    policy drop    # silently discard the packets
    server ssh accept src ""  # only from the
                                            # "whitelisted" host.
    # everything else falls off the ruleset, so is 'drop'ed
    # note: no 'client' rules, so no connections *from* this machine.

interface internet eth0 src not "" dst "<my ip>"
    # only packets not from the LAN will be processed here.
    policy reject  # or drop, as you please.
    server "ssh http icmp" accept

    client "whatever protocols you need" accept
    client all accept # if you don't care about being more specific.

Note: no blacklist, because that isn't what you wanted to achieve.
Also, you can specify a limited set of protocols, if you wish, in the
client statements...

> hope we can sort out a solution and most important hope I'll be able to
> understand how firehol works, since it's a great tool and I would like to
> be able to use it properly.

Well, basically, your problem was that you thought you wanted a
blacklisted address range, but you really wanted a heavily ruleset for
one block of addresses, and a lighter ruleset for another.

The best way to achieve that in firehol is using more than one
'interface' statement.


This country has a deep fear and mistrust of strong, smart, accomplished,
outspoken women unless they are sexy 22-year-olds killing vampires on
        -- Dennis Miller

More information about the Firehol-support mailing list