[Firehol-support] FireHOL Config Blacklist and Whitelists
chris.gilroy at gmail.com
Fri Oct 9 02:22:38 BST 2015
Thanks for the replies, I just downloaded the 3.0.0-rc.2 version from the
I do have one quick additional question too. When using hash:net, should
184.108.40.206/24 return with ipset saying 1 IP or am I doing something wrong and
it should know how many IPs are in that mask?
ipv4 ipset create whitelistednets hash:net
ipv4 ipset addfile whitelistednets nets /etc/firehol/whitelistednets
If I add a single IP (220.127.116.11) and then run: firehol ipset_update_from_file
whitelistednets nets /etc/firehol/whitelistednets, I get: FireHOL: Updating
ipset 'whitelistednets' with options: nets /etc/firehol/whitelistednets...
OK (0 IPs)
If I make the IP (18.104.22.168/32) it then says: FireHOL: Updating ipset
'whitelistednets' with options: nets /etc/firehol/whitelistednets... OK
(1 IPs), hence my confusion.
Note: I do see a small difference between how you run:
ipset4 create blocked hash:net
ipset4 addfile blocked /etc/firehol/blocked
-and- my way would be (probably wrong):
ipv4 ipset create blocked hash:net
ipv4 ipset addfile blocked nets /etc/firehol/blocked
On Thu, Oct 8, 2015 at 4:51 PM, Tsaousis, Costa <costa at tsaousis.gr> wrote:
> Hi Christopher.
> > 1) I believe the blacklisted ipset lists are all correct in that
> > of what server is configured below, those IPs will still get dropped?
> > 2) I believe that the wan interface is, currently, dropping all packets
> > from the blacklists, and only allowing those IPs contained in the
> > whitelistednets ipset list to have full access to the server?
> Almost true. You are dropping all packets from and TO the blacklisted IPs.
> If you want to block only new connections FROM the blacklists, change
> the 'full' keyword to 'input'.
> Using 'input' you will be able to initiate connections to the
> blacklisted IPs, but the blacklisted IPs will not be able to initiate
> connections to you.
> > 3.) All other traffic not contained in the blacklist or whitelist lists
> > dropped, because I don't have any other services configured?
> Keep in mind that if you are using a v3+ kernel and the github version
> of firehol, you can have 'net' ipsets containing both IPs and subnets,
> like this:
> ipset4 create blocked hash:net
> ipset4 addfile blocked /etc/firehol/blocked
> The file '/etc/firehol/blocked' can contain both IPs and subnets.
> Also, the github version of firehol will use the 'iprange' tool
> included in its contrib directory (cd contrib; make install), to
> reduce the lookups made by the kernel for hash:net ipsets.
-Chris A. Gilroy
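The counting question above (why a bare IP and an explicit /32 look different, and what a /24 line really covers) can be checked offline before loading a nets file into a hash:net ipset. The following is an added example, not code from the thread or from FireHOL/iprange; it assumes the file format shown in the thread (one IP or CIDR per line, optional '#' comments) and uses a constructed sample file.

```python
"""Count the entries and the addresses a FireHOL 'nets' file actually covers.

Added example, not part of the original thread or of FireHOL/iprange. A bare
IP is treated as a /32, which is how a hash:net ipset stores it.
"""
import ipaddress
from typing import List, Tuple

# Constructed sample of /etc/firehol/whitelistednets (not a real file).
SAMPLE_NETS = """\
# trusted ranges (constructed sample)
184.108.40.206/24       # host bits set: this still means the whole /24
220.127.116.11          # bare IP, stored as a /32
18.104.22.168/32        # the same kind of entry written explicitly
184.108.40.0/24         # same /24 as line one, must not be counted twice
"""

def _clean_lines(text: str) -> List[str]:
    """Strip comments and blank lines, returning the bare entries."""
    out = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            out.append(line)
    return out

def parse_nets(text: str) -> List[ipaddress.IPv4Network]:
    """Parse entries into IPv4Network objects; a bare IP becomes a /32."""
    # strict=False masks off host bits, so 184.108.40.206/24 -> 184.108.40.0/24
    return [ipaddress.IPv4Network(e, strict=False) for e in _clean_lines(text)]

def entries_with_host_bits(text: str) -> List[str]:
    """Entries whose prefix has host bits set (e.g. 184.108.40.206/24).

    Such lines cover far more than the single address they appear to name,
    so they are worth normalising or reviewing before loading a whitelist."""
    flagged = []
    for entry in _clean_lines(text):
        try:
            ipaddress.IPv4Network(entry, strict=True)
        except ValueError:
            flagged.append(entry)
    return flagged

def summarize(text: str) -> Tuple[int, int, int]:
    """Return (raw entries, distinct networks after collapsing, addresses covered).

    collapse_addresses merges duplicates, contained nets and adjacent nets,
    the same reduction a tool like iprange performs before loading a set."""
    nets = parse_nets(text)
    collapsed = list(ipaddress.collapse_addresses(nets))
    return len(nets), len(collapsed), sum(n.num_addresses for n in collapsed)
```

Running summarize() on the sample reports 4 raw entries collapsing to 3 networks that cover 258 addresses, which is the figure to compare against what the ipset tooling prints.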