[Firehol-support] All or nothing?
Costa Tsaousis
costa at tsaousis.gr
Sat Jun 30 22:22:10 BST 2007
Daniel L. Miller wrote:
> I'm taking advantage of firehol to simplify things on an internal
> machine - that previously I did not consider needed security. Since
> firehol by default blocks everything not opened, my current config opens
> everything back up, plus the simple DNAT.
>
> transparent_squid 8080 "root proxy" src 192.168.0.0/24 dst not 192.168.0.0/24 inface "eth2 br1"
> interface any ALLNICS
> policy accept
> router ALLROUTES
> policy accept
>
> I've added a VPN interface to this machine, and I want to limit the
> rights of that interface. My question is can I do this by simply adding
> interface/router stanzas - probably before the "any and all" stanzas?
> Or do I now need to individually define every interface? I'm currently
> thinking of something like:
>
> transparent_squid 8080 "root proxy" src 192.168.0.0/24 dst not 192.168.0.0/24 inface "eth2 br1"
> interface tun0
> client all accept
> interface any ALLNICS
> policy accept
> router vpn2lan inface tun0
> client all accept
> router ALLROUTES
> policy accept
>
>
Daniel,
The default policy on interfaces is "drop", so that if the interface
statement matches the traffic but the rules do not allow it, the traffic
will be dropped. This means that the interfaces you set above are correct.
However, the default policy on routers is "return". This means that your
tun0 router will match the traffic, but then the traffic will continue
to be matched against the next router (ALLROUTES). If you change the
default policy on tun0 to "drop" you should be ok.
Costa
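As an added illustration of the router fall-through Costa describes (this is not code from the list or from FireHOL itself), a small Python model of how routers are tried in config order: a router whose rules do not accept the traffic applies its policy, and "return" hands the packet to the next router while "drop" ends the evaluation. The ESTABLISHED-only rule standing in for vpn2lan's rules and the sample SSH packet are assumptions made for the demo; interface statements are left out since the point here is the router default.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List

Packet = Dict[str, str]            # constructed packet summary (inface, dport, state)
Rule = Callable[[Packet], bool]    # True when the rule accepts the packet

@dataclass
class Router:
    name: str
    inface: str                     # "any" matches every inface
    rules: List[Rule] = field(default_factory=list)
    policy: str = "return"          # FireHOL's router default, as Costa notes

def forward_verdict(routers: List[Router], pkt: Packet) -> str:
    """Walk the routers in config order; return 'accept' or 'drop'."""
    for r in routers:
        if r.inface not in ("any", pkt["inface"]):
            continue                # this router statement does not match the traffic
        if any(rule(pkt) for rule in r.rules):
            return "accept"         # a rule in this router allowed it
        if r.policy == "accept":
            return "accept"
        if r.policy == "drop":
            return "drop"           # evaluation stops here
        # policy "return": keep matching against the next router
    return "drop"                   # nothing accepted it: FireHOL's final drop

def replies_only(pkt: Packet) -> bool:
    """Assumed stand-in for the vpn2lan rules: allow only established replies."""
    return pkt.get("state") == "ESTABLISHED"

def build(vpn_policy: str) -> List[Router]:
    """Daniel's layout: vpn2lan on tun0 first, then the catch-all ALLROUTES."""
    return [
        Router("vpn2lan", "tun0", [replies_only], policy=vpn_policy),
        Router("ALLROUTES", "any", policy="accept"),
    ]

# Constructed sample: a new SSH connection arriving over the VPN, bound for the LAN
NEW_SSH_FROM_VPN: Packet = {"inface": "tun0", "dport": "22", "state": "NEW"}

def verdict_with(vpn_policy: str) -> str:
    return forward_verdict(build(vpn_policy), NEW_SSH_FROM_VPN)

if __name__ == "__main__":
    print("vpn2lan policy return:", verdict_with("return"))   # accept (falls through to ALLROUTES)
    print("vpn2lan policy drop:  ", verdict_with("drop"))     # drop
```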