[Firehol-support] FireHOL Config Blacklist and Whitelists

Tsaousis, Costa costa at tsaousis.gr
Thu Oct 8 22:51:57 CEST 2015


Hi Christopher.

> 1) I believe the blacklisted ipset lists are all correct in that regardless
> of what server is configured below, those IPs will still get dropped?

true


> 2) I believe that the wan interface is, currently, dropping all packets
> from the blacklists, and only allowing those IPs contained in the
> whitelistednets ipset list to have full access to the server?

Almost true. You are dropping all packets from and TO the blacklisted IPs.

If you want to block only new connections FROM the blacklists, change
the 'full' keyword to 'input'.
Using 'input' you will be able to initiate connections to the
blacklisted IPs, but the blacklisted IPs will not be able to initiate
connections to you.


> 3.) All other traffic not contained in the blacklist or whitelist lists are
> dropped, because I don't have any other services configured?

true

Keep in mind that if you are using a v3+ kernel and the GitHub version
of firehol, you can have 'net' ipsets containing both IPs and subnets,
like this:

ipset4 create blocked hash:net
ipset4 addfile blocked /etc/firehol/blocked

The file '/etc/firehol/blocked' can contain both IPs and subnets.

Also, the GitHub version of firehol will use the 'iprange' tool
included in its contrib directory (cd contrib; make install), to
reduce the lookups made by the kernel for hash:net ipsets.

Costa
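A firehol.conf fragment putting the two points of the reply together (hash:net ipsets loaded from files, and 'full' versus 'input' on the blacklist line); this is an added, constructed example, not configuration from the thread or the FireHOL project. The set name 'blocked' and its file path follow the reply; 'whitelistednets', the whitelist file path, 'eth0' and the outbound 'client all accept' rule are assumptions.

```firehol
version 6

# Constructed example, not from the original thread. 'blocked' and
# /etc/firehol/blocked follow Costa's reply; 'whitelistednets', its
# file, 'eth0' and the client rule below are assumed placeholders.

# hash:net sets accept both single IPs and CIDR subnets (v3+ kernel,
# GitHub FireHOL). The GitHub version runs the files through iprange
# so the kernel has fewer entries to look up.
ipset4 create blocked hash:net
ipset4 addfile blocked /etc/firehol/blocked

ipset4 create whitelistednets hash:net
ipset4 addfile whitelistednets /etc/firehol/whitelistednets

# Variant A: 'full' drops packets in BOTH directions, so this host
# cannot initiate connections to a blacklisted IP either.
blacklist full ipset:blocked

# Variant B: 'input' drops only NEW connections coming FROM the
# blacklist; this host can still initiate connections to those IPs.
# Pick one variant; the line below is commented out on purpose.
# blacklist input ipset:blocked

interface eth0 wan
    # Anything not explicitly accepted on this interface is dropped,
    # which is what happens to non-whitelisted, non-blacklisted hosts.
    policy drop
    protection strong

    # Only sources in the whitelist ipset get full access to the server.
    server all accept src ipset:whitelistednets

    # Assumed: outbound connections from this host are allowed; with
    # Variant B this is what lets the host reach blacklisted IPs.
    client all accept
```

Lines matching the blacklist are handled before the interface rules, so the whitelist never overrides the blacklist for a source that is in both sets.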

