[Firehol-support] Re: whitelisting

Daniel Pittman daniel at rimspace.net
Fri Jul 16 11:30:02 BST 2004

On 16 Jul 2004, Spike Spiegel wrote:
> It was a dark and stormy night on 2004/07/16 when I heard Daniel Pittman
> 	yelling:
> [cut]
>> What you want is a construct something like this:
>> interface lan eth0 src "" dst "<my ip>"
>> # only packets from the LAN addresses will be processed here.
>> policy drop    # silently discard the packets
>> server ssh accept src ""  # only from the
>> # "whitelisted" host.
>> # everything else falls off the ruleset, so is 'drop'ed
>> # note: no 'client' rules, so no connections *from* this machine.
>> interface internet eth0 src not "" dst "<my ip>"
>> # only packets not from the LAN will be processed here.
>> policy reject  # or drop, as you please.
>> server "ssh http icmp" accept
>> client "whatever protocols you need" accept
>> client all accept # if you don't care about being more specific.
> Yes, this is *really* what I wanted, 

Glad to hear that it works for you now. :)

> but got a question about it: why have you added "dst '<my ip>'"? I
> can't get the meaning, and trying without it goal is achieved anyway.

Force of habit, mainly. This way the firewall rules will be secure by
default if I add a second IP address, or a VPN tunnel, or whatever, to
the host.

I am not caused by my history--my parents, my childhood and development. These
are mirrors in which I may catch glimpses of my image.
        -- James Hillman

More information about the Firehol-support mailing list