[Firehol-support] Re: Opening specific (custom) port

Daniel Pittman daniel at rimspace.net
Mon Jul 19 01:10:47 BST 2004

On 19 Jul 2004, Spike Spiegel wrote:
> It was a dark and stormy night on 2004/07/16 when I heard Daniel Pittman
> 	yelling:
> [cut]
>>>> interface lan eth0 src "" dst "<my ip>"
>>>> # only packets from the LAN addresses will be processed here.
>>>> policy drop    # silently discard the packets
>>>> server ssh accept src ""  # only from the
>>>> # "whitelisted" host.
>>>> # everything else falls off the ruleset, so is 'drop'ed
>>>> # note: no 'client' rules, so no connections *from* this machine.
>>>> interface internet eth0 src not "" dst "<my ip>"
>>>> # only packets not from the LAN will be processed here.
>>>> policy reject  # or drop, as you please.
>>>> server "ssh http icmp" accept
>>>> client "whatever protocols you need" accept
>>>> client all accept # if you don't care about being more specific.
> Sorry for bothering you some more... but I got another question (as
> specified in subject) and thought of using this thread since my
> config is based on the schema above.

No problem. I am glad that the template helped other people. :)

> Actually I needed to open access to port 8080. After some reading about
> "how to add services" I ended adding this line:
> server custom http_proxy tcp/8080 default accept
> right above the "client all accept" line.
> This did the trick, but since I'm still in the process of learning I was
> wondering if that's the best way to accomplish such task.

Obviously, that works for declaring the service "inline" to your rules.

I usually use the 'new service definition' stuff, even for simply
services, adding something like this at the top of the script:


This is how all the "simple" services are defined by firehol anyway, and
means you can then write:

    server http_proxy accept ...

The mines of knowledge are often laid bare by the hazel-wand of chance.
        -- Martin Farquhar Tupper

More information about the Firehol-support mailing list