[Firehol-support] How can I target all of the 10.67. network EXCEPT my LAN on 10.67.5.?

Rich forums at artfulrobot.uk
Wed Feb 25 16:06:01 CET 2015

Hi 

(thanks to all who replied to my previous post - I've compiled v3rc from
source on one of my Debian Wheezy boxes) 

I'm roughly trying to do this: 

interface4 eth1 my_lan src "10.67.5.0/24 " dst 10.67.5.1
    policy accept

interface4 eth1 tslan src "10.67.0.0/16" src not "10.67.5.0/24" dst 10.67.5.1
    policy reject
    server ssh accept

interface4 eth1 interweb src not "${UNROUTABLE_IPS} 10.67.0.0/16 " dst 10.67.5.1
    policy reject
    server ssh accept
    server openvpn accept

In words: my server sits on a VLAN, 10.67.5.0/24 and provides a bunch of
services to others on that VLAN. The server is not the gateway for the
VLAN. There are other VLANs under 10.67.0.0/16 and I want to restrict
access to the server from them. Then there's the rest of the internet,
and I need to give it access to openvpn that runs on the server. 

With this set up I'm warned (twice, once creating INPUT, once creating
OUTPUT):

WHY    : Overwriting param: src4 '10.67.5.0/24' becomes '10.67.0.0/16'

How can I target all of the 10.67. network except my LAN on 10.67.5.?

I also get: 

--------------------------------------------------------------------------------
WARNING : This might or might not affect the operation of your firewall.
WHAT    : A runtime command failed to execute (returned error 255).
SOURCE  : FIN
COMMAND : /sbin/sysctl -w net.netfilter.nf_conntrack_helper=1
OUTPUT  :

sysctl: cannot stat /proc/sys/net/netfilter/nf_conntrack_helper: No such
file or directory

Any reason for that and do I need to worry? 

Thanks, 

Rich 
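One way to express the intended layering without giving a single interface two `src` parameters (which is what triggers the "overwriting param" warning), added here as an example and not part of the original post. It assumes FireHOL evaluates interface definitions top to bottom and that traffic handled by the first matching definition never falls through to the later ones, so the narrower VLAN definition is listed first and the `src not "10.67.5.0/24"` exclusion becomes unnecessary:

```firehol
# Constructed example, not the poster's config. FireHOL 3.x configs start
# with a version line.
version 6

# 1. The server's own VLAN. Listed first so that packets from 10.67.5.0/24
#    are matched here and never reach the broader 10.67.0.0/16 definition.
interface4 eth1 my_lan src "10.67.5.0/24" dst 10.67.5.1
    policy accept

# 2. All other VLANs under 10.67.0.0/16: ssh only, everything else rejected.
#    No "src not 10.67.5.0/24" is needed because my_lan already consumed
#    that traffic (assumption: first matching interface wins).
interface4 eth1 tslan src "10.67.0.0/16" dst 10.67.5.1
    policy reject
    server ssh accept

# 3. The rest of the internet: ssh and openvpn only, with unroutable and
#    site-local sources excluded as in the original post.
interface4 eth1 interweb src not "${UNROUTABLE_IPS} 10.67.0.0/16" dst 10.67.5.1
    policy reject
    server ssh accept
    server openvpn accept
```

Verify the ordering assumption on the running box with `iptables -nvL INPUT`: the jump into the my_lan chain should appear before the jump into the tslan chain, and a test connection from another VLAN to a non-ssh port should be rejected.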