[Firehol-support] True whitelist
Daniel Goering
g_daniel at gmx.net
Wed Feb 3 10:21:53 GMT 2010
Hi!
Suggestion for a workaround:
Define a new interface above the one you currently use [traffic will
first be matched against these rules] and try something like this:

interface any hole_in_my_firewall src <src> dst <dst>
    policy allow
    client all accept
    server all accept

interface any real_firewall
    protection strong
    policy drop
    ...
I didn't try it, but I'm quite confident it will work ;-)
Cheers
Daniel
WJP wrote:
> Hello!
>
> I have seen some discussion around this but no clear solution:
>
> Is there a way to tell Firehol to do NO filtering (including "NEW TCP w/o
> SYN") to/from an IP/range?
> I am troubleshooting a specific connectivity issue and am seeing some of
> this in the logs:
>
> NEW TCP w/o SYN:'IN=eth1 OUT= MAC=<mac> SRC=<src> DST=<dst> LEN=89 TOS=0x00
> PREC=0x00 TTL=50 ID=33540 DF PROTO=TCP SPT=51672 DPT=443 WINDOW=33285
> RES=0x00 ACK PSH URGP=0
>
> I'd like to stop all filtering on all ports on all protocols between <src>
> and <dst>. Is there a way to achieve this with Firehol?
>
> Thanks!
> WP
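As an added illustration (not code from the thread or from FireHOL itself), the snippet below parses log lines in the "NEW TCP w/o SYN" format quoted above and reports, for each entry, whether its SRC/DST pair would fall inside an exemption pair like the one given to the "hole" interface. The sample log lines and addresses are constructed placeholders, and the check assumes the exemption applies to both traffic directions.

```python
import ipaddress

# Constructed sample lines in the netfilter LOG format quoted in the thread;
# the addresses are documentation ranges standing in for the redacted <src>/<dst>.
SAMPLE_LOG = """\
NEW TCP w/o SYN:IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.20 LEN=89 TOS=0x00 PREC=0x00 TTL=50 ID=33540 DF PROTO=TCP SPT=51672 DPT=443 WINDOW=33285 RES=0x00 ACK PSH URGP=0
NEW TCP w/o SYN:IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.20 LEN=52 TOS=0x00 PREC=0x00 TTL=60 ID=1 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=1000 RES=0x00 ACK URGP=0
"""


def parse_nflog_line(line):
    """Turn one LOG line into a dict: KEY=VALUE tokens become entries,
    bare tokens (DF, ACK, PSH, ...) are collected under 'flags'."""
    prefix, _, rest = line.partition(":")
    entry = {"prefix": prefix.strip(), "flags": set()}
    for tok in rest.split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            entry[key] = value
        else:
            entry["flags"].add(tok)
    return entry


def is_new_without_syn(entry):
    """A TCP packet with no SYN flag that the firewall did not match to a
    tracked connection is what the stateful rules log as 'NEW TCP w/o SYN'."""
    return entry.get("PROTO") == "TCP" and "SYN" not in entry["flags"]


def covered_by_hole(entry, holes):
    """True when SRC/DST match one of the (src_net, dst_net) exemption pairs.
    Assumption: the exemption is applied in both directions, so the reverse
    pair counts as well."""
    src = ipaddress.ip_address(entry["SRC"])
    dst = ipaddress.ip_address(entry["DST"])
    for src_net, dst_net in holes:
        a, b = ipaddress.ip_network(src_net), ipaddress.ip_network(dst_net)
        if (src in a and dst in b) or (src in b and dst in a):
            return True
    return False


def audit(log_text, holes):
    """Return (SRC, DST, DPT, covered) for every 'NEW TCP w/o SYN' entry,
    so the log can be checked against the exemption before reloading rules."""
    results = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = parse_nflog_line(line)
        if is_new_without_syn(entry):
            results.append((entry["SRC"], entry["DST"], int(entry["DPT"]),
                            covered_by_hole(entry, holes)))
    return results
```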