[Firehol-support] Re: Opening specific (custom) port
daniel at rimspace.net
Mon Jul 19 01:10:47 BST 2004
On 19 Jul 2004, Spike Spiegel wrote:
> It was a dark and stormy night on 2004/07/16 when I heard Daniel Pittman
>>>> interface lan eth0 src "192.168.100.1/24" dst "<my ip>"
>>>> # only packets from the LAN addresses will be processed here.
>>>> policy drop # silently discard the packets
>>>> server ssh accept src "192.168.100.10" # only from the
>>>> # "whitelisted" host.
>>>> # everything else falls off the ruleset, so is 'drop'ed
>>>> # note: no 'client' rules, so no connections *from* this machine.
>>>> interface internet eth0 src not "192.168.100.1/24" dst "<my ip>"
>>>> # only packets not from the LAN will be processed here.
>>>> policy reject # or drop, as you please.
>>>> server "ssh http icmp" accept
>>>> client "whatever protocols you need" accept
>>>> client all accept # if you don't care about being more specific.
> Sorry for bothering you some more... but I got another question (as
> specified in subject) and thought of using this thread since my
> config is based on the schema above.
No problem. I am glad that the template helped other people. :)
> Actually I needed to open access to port 8080. After some reading about
> "how to add services" I ended adding this line:
> server custom http_proxy tcp/8080 default accept
> right above the "client all accept" line.
> This did the trick, but since I'm still in the process of learning I was
> wondering if that's the best way to accomplish such task.
Obviously, that works for declaring the service "inline" to your rules.
I usually use the 'new service definition' stuff, even for simply
services, adding something like this at the top of the script:
This is how all the "simple" services are defined by firehol anyway, and
means you can then write:
server http_proxy accept ...
The mines of knowledge are often laid bare by the hazel-wand of chance.
-- Martin Farquhar Tupper
More information about the Firehol-support