[Firehol-support] Re: whitelisting

Daniel Pittman daniel at rimspace.net
Fri Jul 16 11:30:02 BST 2004


On 16 Jul 2004, Spike Spiegel wrote:
> It was a dark and stormy night on 2004/07/16 when I heard Daniel Pittman yelling:
>
> [cut]
>> What you want is a construct something like this:
>>
>> # FireHOL syntax is: interface <real interface> <name> [rule parameters]
>> interface eth0 lan src "192.168.100.1/24" dst "<my ip>"
>>     # only packets from the LAN addresses will be processed here.
>>     policy drop    # silently discard the packets
>>     server ssh accept src "192.168.100.10"  # only from the
>>                                             # "whitelisted" host.
>>     # everything else falls off the ruleset, so is 'drop'ed
>>     # note: no 'client' rules, so no connections *from* this machine.
>>
>> interface eth0 internet src not "192.168.100.1/24" dst "<my ip>"
>>     # only packets not from the LAN will be processed here.
>>     policy reject  # or drop, as you please.
>>     server "ssh http icmp" accept
>>
>>     client "whatever protocols you need" accept
>>     client all accept # if you don't care about being more specific.
>
> Yes, this is *really* what I wanted, 

Glad to hear that it works for you now. :)

> but got a question about it: why have you added "dst '<my ip>'"? I
> can't get the meaning, and trying without it goal is achieved anyway.

Force of habit, mainly. This way the firewall rules will be secure by
default if I add a second IP address, or a VPN tunnel, or whatever, to
the host.

    Daniel
-- 
I am not caused by my history--my parents, my childhood and development. These
are mirrors in which I may catch glimpses of my image.
        -- James Hillman
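The "secure by default" effect of the dst clause, as an added example that is not part of the thread (the addresses, the hostnames of the variables and the alias-address scenario are constructed for illustration, not taken from either poster). Because both interface blocks are pinned to the primary address, traffic to an alias address added later matches neither block and is handled by FireHOL's default for unmatched packets; opening anything on the new address requires an explicit block of its own:

```firehol
version 5

# Constructed for this example (not from the thread):
#   LAN network          192.168.100.0/24
#   whitelisted admin    192.168.100.10
#   primary address      203.0.113.10 on eth0
#   alias added later    203.0.113.11 on eth0 (e.g. for a web vhost)
lan_net="192.168.100.0/24"
admin_host="192.168.100.10"
my_ip="203.0.113.10"
web_ip="203.0.113.11"

# LAN side: only the whitelisted host may reach ssh on the primary address.
# No client rules, so this block allows no connections originating here.
interface eth0 lan src "${lan_net}" dst "${my_ip}"
    policy drop
    server ssh accept src "${admin_host}"

# Everything not from the LAN, but only when addressed to the primary IP.
interface eth0 internet src not "${lan_net}" dst "${my_ip}"
    policy reject
    server "ssh http icmp" accept
    client all accept

# The alias address gets its own block with a narrower policy. Without the
# 'dst' clauses above, packets to 203.0.113.11 would have fallen into the
# 'internet' block and ssh would have been reachable on the new address too.
interface eth0 web src not "${lan_net}" dst "${web_ip}"
    policy drop
    server http accept
```

The same reasoning applies to an address that a VPN delivers to the host: until a block naming it as dst exists, nothing is accepted for it, so forgetting the firewall when adding an address fails closed rather than open.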