[Firehol-support] vpn "kill switch" with firehol

Tsaousis, Costa costa at tsaousis.gr
Tue May 17 23:12:53 BST 2016

Hi Nikolay,

Check this: http://firehol.org/guides/firehol-welcome/

It says a simple rule: when you design your interfaces and routers, write
src and dst considering the requests you want to be protected from.

So in:

interface wlan1 internet dst "${white}"

dst "${white}" is matched on the first packet towards you. I guess it
should be: src "${white}".

In client and server statements, the same rule applies: focus on the first
packet you want to control. So in your case, you could remove dst
"${white}" from the interface and write:

interface wlan1 internet
    client all accept dst "${white}"
    server all accept src "${white}"

To understand what firehol does, you can use the "explain" feature. Just

firehol explain

and then enter one-by-one the configuration statements. firehol will
generate commented iptables statements for you to examine.

You can also use the "debug" feature - the configuration is parsed,
iptables statements are generated (commented, like in the "explain"
feature) but the firewall is not activated. It just prints the iptables
statements for your review.


On Mon, May 16, 2016 at 12:08 PM, Nikolay Kubarelov <admin at gramophon.com>

> Hello, All,
> First, thanks a lot for working on Firehol, its a very handy tool. I use
> it since its start to secure my desktop.
> I'm trying to rewrite those iptables rules
> (https://gist.github.com/aelveborn/e0faab9185256eeb86ad) to firehol.
> The rules are dropping all traffic which is not directed to the VPN
> server, which prevents leaks, when VPN is accidently disconnected.
> I've came up with something like this, but can't make it to work here:
> =============================
> version 5
> white = ""
> interface wlan1 internet dst ${white}
>         client all accept
>         server all accept
> interface tun0 vpn
>         server ssh accept
>         client all accept
> =============================
> I'm not really sure where I have to white list those ip - in interface,
> or in client?
> If somebody has the time to help me with those rules, I'll be happy to
> test.
> Thanks in advance!
> Nikolay
> _______________________________________________
> Firehol-support mailing list
> Firehol-support at lists.firehol.org
> http://lists.firehol.org/mailman/listinfo/firehol-support

More information about the Firehol-support mailing list