[Firehol-support] Re: whitelisting
Spike Spiegel
debianix at yahoo.it
Fri Jul 16 10:52:46 BST 2004
It was a dark and stormy night on 2004/07/16 when I heard Daniel Pittman yelling:
[cut]
> What you want is a construct something like this:
>
> interface lan eth0 src "192.168.100.1/24" dst "<my ip>"
> # only packets from the LAN addresses will be processed here.
> policy drop # silently discard the packets
> server ssh accept src "192.168.100.10" # only from the
> # "whitelisted" host.
> # everything else falls off the ruleset, so is 'drop'ed
> # note: no 'client' rules, so no connections *from* this machine.
>
> interface internet eth0 src not "192.168.100.1/24" dst "<my ip>"
> # only packets not from the LAN will be processed here.
> policy reject # or drop, as you please.
> server "ssh http icmp" accept
>
> client "whatever protocols you need" accept
> client all accept # if you don't care about being more specific.
>
>
Yes, this is *really* what I wanted, but I got a question about it: why have
you added "dst '<my ip>'"? I can't get the meaning, and trying without it,
the goal is achieved anyway.
[cut]
> --
> This country has a deep fear and mistrust of strong, smart, accomplished,
> outspoken women unless they are sexy 22-year-olds killing vampires on
> television.
> -- Dennis Miller
nice sig :)
oh, wish to say thanks to others too.
tnx guys, bye
Spike
--
Excess ain't rebellion.
You're drinking what they're selling.
Your self-destruction doesn't hurt them.
Your chaos won't convert them.
They're so happy to rebuild it.
You'll never really kill it.
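As an added example (not code from the thread, and not FireHOL itself), the following Python model mimics only the matching order the quoted configuration relies on: pick the interface block whose src/dst matches, try its server rules, otherwise fall back to that block's policy. The firewall address 203.0.113.5 is a constructed stand-in for "<my ip>".

```python
"""Simplified model of the two-interface FireHOL whitelist quoted above.

Not FireHOL code: it reproduces only the order in which the quoted rules
are consulted. 203.0.113.5 is a placeholder for "<my ip>"."""
import ipaddress

MY_IP = ipaddress.ip_address("203.0.113.5")  # stand-in for "<my ip>"
# strict=False accepts the host-style "192.168.100.1/24" notation used in the post
LAN = ipaddress.ip_network("192.168.100.1/24", strict=False)
WHITELISTED = ipaddress.ip_address("192.168.100.10")


def lan_src(ip):
    """interface lan: src "192.168.100.1/24"."""
    return ip in LAN


def internet_src(ip):
    """interface internet: src not "192.168.100.1/24"."""
    return ip not in LAN


# (name, src matcher, {service: per-rule src filter}, policy for unmatched packets)
INTERFACES = [
    # policy drop; server ssh accept src "192.168.100.10"
    ("lan", lan_src, {"ssh": lambda ip: ip == WHITELISTED}, "drop"),
    # policy reject; server "ssh http icmp" accept (from any non-LAN source)
    ("internet", internet_src,
     {svc: (lambda ip: True) for svc in ("ssh", "http", "icmp")}, "reject"),
]


def verdict(src, dst, service):
    """Return (interface, action) for an inbound packet, or (None, 'unmatched')."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for name, src_match, servers, policy in INTERFACES:
        # both interface lines carry dst "<my ip>", so other destinations match neither
        if dst != MY_IP or not src_match(src):
            continue
        rule = servers.get(service)
        if rule is not None and rule(src):
            return name, "accept"
        return name, policy  # no server rule matched: the interface policy applies
    return None, "unmatched"


if __name__ == "__main__":
    for pkt in [("192.168.100.10", "203.0.113.5", "ssh"),
                ("192.168.100.20", "203.0.113.5", "ssh"),
                ("198.51.100.7", "203.0.113.5", "http")]:
        print(pkt, "->", verdict(*pkt))
```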