[Firehol-support] True whitelist

Daniel Goering g_daniel at gmx.net
Wed Feb 3 10:21:53 GMT 2010


Suggestion for a workaround:

Define a new interface above the one you currently use [traffic will
first be matched against these rules] and try something like this

interface any hole_in_my_firewall src <src> dst <dst>
	policy allow
	client all accept
	server all accept

interface any real_firewall
	protection strong
	policy drop

I didn't try it, but I'm quite confident it will work ;-)


WJP wrote:
> Hello!
> I have seen some discussion around this but no clear solution:
> Is there a way to tell Firehol to do NO filtering (including "NEW TCP w/o
> SYN") to/from an IP/range?
> I am troubleshooting a specific connectivity issue and am seeing some of
> this in the logs:
> NEW TCP w/o SYN:'IN=eth1 OUT= MAC=<mac> SRC=<src> DST=<dst> LEN=89 TOS=0x00
> PREC=0x00 TTL=50 ID=33540 DF PROTO=TCP SPT=51672 DPT=443 WINDOW=33285
> I'd like to stop all filtering on all ports on all protocols between <src>
> and <dst>. Is there a way to achieve this with Firehol?
> Thanks!
> WP
> ------------------------------------------------------------------------
> ------------------------------------------------------------------------------
> The Planet: dedicated and managed hosting, cloud storage, colocation
> Stay online with enterprise data centers and the best network in the business
> Choose flexible plans and management services without long-term contracts
> Personal 24x7 support from experience hosting pros just a phone call away.
> http://p.sf.net/sfu/theplanet-com
> ------------------------------------------------------------------------
> _______________________________________________
> Firehol-support mailing list
> Firehol-support at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/firehol-support

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 261 bytes
Desc: OpenPGP digital signature
URL: <http://lists.firehol.org/pipermail/firehol-support/attachments/20100203/911154dc/attachment-0001.sig>

More information about the Firehol-support mailing list