[Firehol-support] Re: whitelisting

Spike Spiegel debianix at yahoo.it
Fri Jul 16 10:52:46 BST 2004

It was a dark and stormy night on 2004/07/16 when I heard Daniel Pittman yelling:

> What you want is a construct something like this:
> interface lan eth0 src "" dst "<my ip>"
>     # only packets from the LAN addresses will be processed here.
>     policy drop    # silently discard the packets
>     server ssh accept src ""  # only from the
>                                             # "whitelisted" host.
>     # everything else falls off the ruleset, so is 'drop'ed
>     # note: no 'client' rules, so no connections *from* this machine.
> interface internet eth0 src not "" dst "<my ip>"
>     # only packets not from the LAN will be processed here.
>     policy reject  # or drop, as you please.
>     server "ssh http icmp" accept
>     client "whatever protocols you need" accept
>     client all accept # if you don't care about being more specific.

Yes, this is *really* what I wanted, but I have a question about it: why have
you added "dst '<my ip>'"? I can't get the meaning, and when I try without it
the goal is achieved anyway.

> -- 
> This country has a deep fear and mistrust of strong, smart, accomplished,
> outspoken women unless they are sexy 22-year-olds killing vampires on
> television.
>         -- Dennis Miller

nice sig :)

oh, wish to say thanks to others too.

thanks guys, bye


Excess ain't rebellion.
You're drinking what they're selling.
Your self-destruction doesn't hurt them.
Your chaos won't convert them.
They're so happy to rebuild it.
You'll never really kill it.
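Editor's note, added to this archived message and not part of the thread or of FireHOL itself: the `src`/`dst` words on an `interface` line are FireHOL's optional rule parameters, so the block only claims packets whose addresses satisfy them; a packet that no `interface` block claims never reaches any `server` rule and is dropped by FireHOL's catch-all. The Python model below is a toy of that inbound matching (first matching block wins, then its `server` rules, then its `policy`) using the two-block construct quoted above. It is not FireHOL code, it models inbound packets only, and every address (the host address standing in for `<my ip>`, the LAN range, the whitelisted host) is constructed for the example.

```python
"""Toy model of how FireHOL's `interface ... src ... dst ...` qualifiers select
a ruleset for an inbound packet. Added illustration, not FireHOL code: it only
models inbound matching, first-match order and the default drop for packets no
interface block claims. All addresses are constructed for the example."""
import ipaddress

MY_IP = "203.0.113.10"      # hypothetical: the host's own address ("<my ip>")
LAN = "192.168.1.0/24"      # hypothetical: the LAN range
ADMIN = "192.168.1.50"      # hypothetical: the one whitelisted LAN host


def in_net(addr, spec, negate=False):
    """True when addr falls in spec (a host or CIDR); negate models `not`."""
    hit = ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)
    return not hit if negate else hit


class Interface:
    """One `interface` block: its qualifiers, its policy and its `server` rules."""

    def __init__(self, name, src=None, src_not=False, dst=None, policy="drop"):
        self.name, self.src, self.src_not = name, src, src_not
        self.dst, self.policy = dst, policy
        self.servers = []   # (service, src restriction or None for "from anywhere")

    def server(self, service, accept_src=None):
        self.servers.append((service, accept_src))

    def matches(self, pkt):
        """Does this block claim the packet at all (the src/dst qualifiers)?"""
        if self.src is not None and not in_net(pkt["src"], self.src, self.src_not):
            return False
        if self.dst is not None and not in_net(pkt["dst"], self.dst):
            return False
        return True

    def decide(self, pkt):
        """Inside a claimed block: first matching server rule, else the policy."""
        for service, allowed in self.servers:
            if pkt["service"] == service and (allowed is None or in_net(pkt["src"], allowed)):
                return "accept"
        return self.policy


def build_ruleset(with_dst=True):
    """The two-block construct from the thread, with or without `dst "<my ip>"`."""
    dst = MY_IP if with_dst else None
    lan = Interface("lan", src=LAN, dst=dst, policy="drop")
    lan.server("ssh", accept_src=ADMIN)            # only the whitelisted host
    inet = Interface("internet", src=LAN, src_not=True, dst=dst, policy="reject")
    for svc in ("ssh", "http", "icmp"):
        inet.server(svc)
    return [lan, inet]


def packet(src, dst, service):
    return {"src": src, "dst": dst, "service": service}


def verdict(ruleset, pkt):
    """(block name, action) for an inbound packet. A packet no block claims
    is dropped, which is what FireHOL does with unmatched traffic."""
    for iface in ruleset:
        if iface.matches(pkt):
            return iface.name, iface.decide(pkt)
    return "unmatched", "drop"


if __name__ == "__main__":
    strict, loose = build_ruleset(True), build_ruleset(False)
    probes = [
        packet(ADMIN, MY_IP, "ssh"),                     # whitelisted admin host
        packet("192.168.1.77", MY_IP, "ssh"),            # any other LAN host
        packet("198.51.100.5", MY_IP, "http"),           # internet client
        packet("198.51.100.5", "203.0.113.11", "http"),  # to an address that is not mine
    ]
    for p in probes:
        print(p, "with dst:", verdict(strict, p), "without dst:", verdict(loose, p))
```

The last probe is the one where the qualifier changes the outcome: with `dst` on the block, a packet addressed to anything other than the host's own address (another alias, a broadcast, or traffic the box merely routes) is claimed by neither block and falls to the drop; without it, the `internet` block claims it and its `server` rules apply. Whether that difference is observable on a given machine depends on what else it does with eth0, so check the generated rules with `iptables -L -n -v` (or apply the configuration with `firehol try`, which rolls back unless confirmed) rather than relying on the model.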
