[Firehol-support] FireHOL Config Blacklist and Whitelists

Christopher Gilroy chris.gilroy at gmail.com
Thu Oct 8 03:06:40 BST 2015

Ok guys, so I have a collection of blacklists I want to use via ipset, and
I also have a collection of whitelisted IPs that should be able to access
the entire server. I'm wondering whether the configuration below actually does that?

1) I believe the blacklisted ipset lists are all correct in that regardless
of what server is configured below, those IPs will still get dropped?

2) I believe that the wan interface is, currently, dropping all packets
from the blacklists, and only allowing those IPs contained in the
whitelistednets ipset list to have full access to the server?

3) All other traffic not contained in the blacklist or whitelist sets is
dropped, because I don't have any other services configured?

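version 6

# Sources that bypass every blocklist below and get full access on the wan
# interface (see "interface eth1 wan" at the bottom). Any address listed here
# AND in one of the block sets is allowed, not dropped.
ipv4 ipset create whitelistednets hash:net
ipv4 ipset addfile whitelistednets nets /etc/firehol/whitelistednets

# Our CUSTOM Blocks
ipv4 ipset create blockedips hash:ip
ipv4 ipset addfile blockedips ips /etc/firehol/blockedips

ipv4 ipset create blockednets hash:net
ipv4 ipset addfile blockednets nets /etc/firehol/blockednets

# NOTE: every blacklist rule carries "inface eth1", so it only matches traffic
# arriving on eth1 (wan). Traffic arriving on eth0 (lan) is never checked
# against these sets, so the blocks are not "regardless of interface".
# The BLOCKEDIPS rule ended at "except src" with no set named as posted; it
# is completed here with the same whitelist exception the other rules use.
ipv4 blacklist full inface eth1 log BLOCKEDIPS ipset:blockedips except src ipset:whitelistednets
ipv4 blacklist full inface eth1 log BLOCKEDNETBLOCKS ipset:blockednets except src ipset:whitelistednets

# BOGON Blocks
ipv4 ipset create bogonblocks hash:net
ipv4 ipset addfile bogonblocks nets /etc/firehol/bogon-bn-agg.txt

ipv4 blacklist full inface eth1 log BOGONBLOCKS ipset:bogonblocks except src ipset:whitelistednets

# Level1 Blocks
ipv4 ipset create leveloneblocks hash:net
ipv4 ipset addfile leveloneblocks nets /etc/firehol/firehol_level1.netset

ipv4 blacklist full inface eth1 log LEVEL1BLOCKS ipset:leveloneblocks except src ipset:whitelistednets

# Level2 Blocks
ipv4 ipset create leveltwoblocks hash:net
ipv4 ipset addfile leveltwoblocks nets /etc/firehol/firehol_level2.netset

ipv4 blacklist full inface eth1 log LEVEL2BLOCKS ipset:leveltwoblocks except src ipset:whitelistednets

# Level3 Blocks
ipv4 ipset create levelthreeblocks hash:net
ipv4 ipset addfile levelthreeblocks nets /etc/firehol/firehol_level3.netset

ipv4 blacklist full inface eth1 log LEVEL3BLOCKS ipset:levelthreeblocks except src ipset:whitelistednets

# Anonymizing Blocks
ipv4 ipset create anonymizingblocks hash:net
# FIXME: no file was given for this set as posted, so addfile has nothing to
# load (the other sets name a file under /etc/firehol/). Supply the path,
# e.g. /etc/firehol/<anonymizers-netset-file> (placeholder, not a real name).
ipv4 ipset addfile anonymizingblocks nets

ipv4 blacklist full inface eth1 log ANONYMIZERBLOCKS ipset:anonymizingblocks except src ipset:whitelistednets

# Proxy Server Blocks
ipv4 ipset create proxyblocks hash:net
ipv4 ipset addfile proxyblocks nets /etc/firehol/firehol_proxies.netset

ipv4 blacklist full inface eth1 log PROXYBLOCKS ipset:proxyblocks except src ipset:whitelistednets

# LAN, everything is allowed
interface eth0 lan
  policy accept

# WAN: only whitelisted sources may reach any local service; all outbound
# (client) connections from this host are allowed. No "policy" is set here,
# so everything else inbound on eth1 falls to FireHOL's default interface
# policy, which is drop unless it has been changed elsewhere. The blacklist
# rules above should be evaluated before these interface rules, so a blocked
# (and not whitelisted) source never reaches "server all accept".
interface eth1 wan
  server all accept src ipset:whitelistednets
  client all accept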
