[Firehol-support] How can I target all of the 10.67. network EXCEPT my LAN on 10.67.5.?
Rich
forums at artfulrobot.uk
Wed Feb 25 15:06:01 GMT 2015
Hi
(thanks to all who replied to my previous post - I've compiled v3rc from
source on one of my Debian Wheezy boxes)
I'm roughly trying to do this:
interface4 eth1 my_lan src "10.67.5.0/24" dst 10.67.5.1
    policy accept

interface4 eth1 tslan src "10.67.0.0/16" src not "10.67.5.0/24" dst 10.67.5.1
    policy reject
    server ssh accept

interface4 eth1 interweb src not "${UNROUTABLE_IPS} 10.67.0.0/16" dst 10.67.5.1
    policy reject
    server ssh accept
    server openvpn accept
In words: my server sits on a VLAN, 10.67.5.0/24 and provides a bunch of
services to others on that VLAN. The server is not the gateway for the
VLAN. There are other VLANs under 10.67.0.0/16 and I want to restrict
access to the server from them. Then there's the rest of the internet,
and I need to give it access to openvpn that runs on the server.
With this setup I'm warned (twice, once creating INPUT, once creating OUTPUT):
WHY : overwriting param: src4 '10.67.5.0/24' becomes '10.67.0.0/16'
How can I target all of the 10.67. network EXCEPT my LAN on 10.67.5.?
I also get:
--------------------------------------------------------------------------------
WARNING : This might or might not affect the operation of your firewall.
WHAT : A runtime command failed to execute (returned error 255).
SOURCE : FIN
COMMAND : /sbin/sysctl -w net.netfilter.nf_conntrack_helper=1
OUTPUT :
sysctl: cannot stat /proc/sys/net/netfilter/nf_conntrack_helper: No such file or directory
Any reason for that and do I need to worry?
Thanks,
Rich
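An added example, not from Rich's post or from the FireHOL project: the two ranges in the post worked through with Python's standard `ipaddress` module. It computes the positive list of networks that make up 10.67.0.0/16 with 10.67.5.0/24 carved out, checks that the list covers exactly the intended addresses, and classifies sample source addresses into the three tiers the post describes (own VLAN, other site VLANs, everything else). The post already passes `src` a quoted, space-separated list of networks, so `other_vlans_list()` returns the blocks in that shape; the function names and the probe addresses are my own.

```python
import ipaddress

# Ranges taken from the post: the whole site and the server's own VLAN.
SITE = ipaddress.ip_network("10.67.0.0/16")
LAN = ipaddress.ip_network("10.67.5.0/24")


def other_vlans(site=SITE, lan=LAN):
    """Return the networks that make up `site` with `lan` carved out.

    address_exclude() yields the minimal set of CIDR blocks covering
    everything in `site` that is not in `lan`; sorting gives a stable order.
    """
    return sorted(site.address_exclude(lan))


def other_vlans_list(site=SITE, lan=LAN):
    """The same blocks as one space-separated string, the shape the post
    already uses for a multi-network src value."""
    return " ".join(str(n) for n in other_vlans(site, lan))


def tier(src, site=SITE, lan=LAN):
    """Classify a source address into the three tiers the post describes:
    own VLAN, other site VLANs, everything else. The most specific range is
    tested first, which is the order that matters when ranges overlap."""
    addr = ipaddress.ip_address(src)
    if addr in lan:
        return "my_lan"
    if addr in site:
        return "tslan"
    return "interweb"


def covers_exactly(site=SITE, lan=LAN):
    """Sanity check: the carved-out blocks contain every address in `site`
    except those in `lan`, and none of them overlaps `lan` itself."""
    blocks = other_vlans(site, lan)
    total = sum(n.num_addresses for n in blocks)
    overlaps_lan = any(n.overlaps(lan) for n in blocks)
    return total == site.num_addresses - lan.num_addresses and not overlaps_lan


if __name__ == "__main__":
    print(other_vlans_list())
    # Constructed probe addresses: one per tier.
    for probe in ("10.67.5.77", "10.67.9.2", "203.0.113.9"):
        print(probe, "->", tier(probe))
```

Carving one /24 out of a /16 leaves eight CIDR blocks, so an explicit positive list is longer than the `src ... src not ...` form but avoids stacking two `src` parameters on one interface, which is what the "overwriting param" warning is about.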