[Firehol-support] All or nothing?

Costa Tsaousis costa at tsaousis.gr
Sat Jun 30 22:22:10 BST 2007


Daniel L. Miller wrote:
> I'm taking advantage of firehol to simplify things on an internal 
> machine - that previously I did not consider needed security.  Since 
> firehol by default blocks everything not opened, my current config opens 
> everything back up, plus the simple DNAT.
>
> transparent_squid 8080 "root proxy" src 192.168.0.0/24 dst not 192.168.0.0/24 inface "eth2 br1"
> interface any ALLNICS
>         policy accept
> router ALLROUTES
>         policy accept
>
> I've added a VPN interface to this machine, and I want to limit the 
> rights of that interface.  My question is can I do this by simply adding 
> interface/router stanzas - probably before the "any and all" stanzas?  
> Or do I now need to individually define every interface?  I'm currently 
> thinking of something like:
>
> transparent_squid 8080 "root proxy" src 192.168.0.0/24 dst not 192.168.0.0/24 inface "eth2 br1"
> interface tun0
>         client all accept
> interface any ALLNICS
>         policy accept
> router vpn2lan inface tun0
>         client all accept
> router ALLROUTES
>         policy accept
>
>   
Daniel,

The default policy on interfaces is "drop", so that if the interface 
statement matches the traffic but the rules do not allow it, the traffic 
will be dropped. This means that the interfaces you set above are correct.

However, the default policy on routers is "return". This means that your 
tun0 router will match the traffic, but then the traffic will continue 
to be matched against the next router (ALLROUTES). If you change the 
default policy on tun0 to "drop" you should be ok.

Costa
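To make the "return" versus "drop" fall-through concrete, here is an added model of how the two routers above are evaluated in order (example code written for this archive page, not FireHOL's own implementation). It assumes that a router selected by `inface tun0` alone handles connections in both directions, and that Daniel's `client all accept` covers connections leaving via tun0; both are stated as assumptions in the comments.

```python
"""Model of FireHOL router fall-through: policy "return" vs "drop".

Constructed example, not FireHOL's code. Each router is treated as an
iptables-style chain checked in configuration order. When no rule in a
chain matches a new connection, the chain's policy applies: "return"
hands the packet back so the next router is tried, while "drop" or
"accept" ends the evaluation there.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Tuple


@dataclass
class Conn:
    inface: str   # interface the connection's first packet enters on
    outface: str  # interface it would be forwarded out of


Rule = Tuple[Callable[[Conn], bool], str]  # (match predicate, verdict)


@dataclass
class Router:
    name: str
    selects: Callable[[Conn], bool]           # the inface/outface selector
    rules: List[Rule] = field(default_factory=list)
    policy: str = "return"                    # FireHOL's default for routers


def evaluate(routers: List[Router], conn: Conn) -> str:
    """Return a verdict string naming the router (or policy) that decided."""
    for r in routers:
        if not r.selects(conn):
            continue
        for pred, verdict in r.rules:
            if pred(conn):
                return f"{verdict} by {r.name}"
        if r.policy != "return":
            return f"{r.policy} by {r.name} policy"
        # policy "return": nothing matched, so the next router is tried
    return "drop (default)"


def vpn_config(vpn2lan_policy: str) -> List[Router]:
    """Daniel's two routers; only the vpn2lan policy is varied."""
    # Assumption: "inface tun0" with no outface selects both directions, and
    # "client all accept" covers connections leaving via tun0 (LAN-initiated).
    # A connection arriving on tun0 bound for the LAN matches no rule.
    vpn2lan = Router("vpn2lan", lambda c: "tun0" in (c.inface, c.outface),
                     rules=[(lambda c: c.outface == "tun0", "accept")],
                     policy=vpn2lan_policy)
    allroutes = Router("ALLROUTES", lambda c: True, policy="accept")
    return [vpn2lan, allroutes]
```

With the default "return" policy a VPN-initiated connection into the LAN is accepted by ALLROUTES; with "drop" it stops at vpn2lan, while LAN-initiated connections out through tun0 are still accepted by the rule.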
