[Firehol-support] IPSec + Firehol

Carlos Ferreira carlosmf.pt at gmail.com
Tue Jul 10 12:30:23 BST 2018


Thank you for the comprehensive information Phil!

So, if I wanted to configure Viktor's ip rules for IPsec, which he
previously provided in this thread,

iptables -I INPUT  --match policy --pol ipsec --dir in  --proto esp -s 172.16.0.0/16 -j ACCEPT
iptables -I OUTPUT --match policy --pol ipsec --dir out --proto esp -d 172.16.0.0/16 -j ACCEPT

how would I do it in firehol?

Do I have to add a custom rule? I'm still unsure how to do this and I
wanted to keep my firehol.conf as clean as possible.

My best regards,
Carlos


On 10 July 2018 at 07:05, Phil Whineray <phil at firehol.org> wrote:
> On Mon, Jul 09, 2018 at 08:43:13PM +0200, Sebastiano Pilla wrote:
>> On 09/07/18 13:07, Viktor Remennik wrote:
>> > According to the docs, the 'firehol.conf' file is executed by
>> > firehol as a shell script, so any shell command can be added there. The
>> > problem is that this workaround is not a firehol functionality and it's
>> > not possible to configure such things using firehol itself. Furthermore,
>> > it looks like firehol is not supported anymore. That's why, I
>> > suppose, the best solution is to get rid of it. Dunno, probably in this
>> > situation it's better to move to raw iptables.
>>
>> What makes you say that? Is there any web page which explicitly states that
>> firehol isn't supported anymore?
>
> Indeed not. Firehol is an iptables generator (as are most firewall solutions),
> so unless it stops doing what you want or makes it harder to understand,
> I can't see any reason to prefer plain iptables.
>
> You can use custom parameters [1] in most cases where there is no explicit
> syntax in firehol itself.
>
> If you need an actual iptables(8) command, they are explicitly supported
> as a method to inject custom requirements [2].
>
> If these are not easy to find, maybe they should be added as a FAQ...
>
> Cheers
> Phil
>
> [1]: https://firehol.org/firehol-manual/firehol-params/#custom
> [2]: https://firehol.org/firehol-manual/firehol-iptables/



-- 

Carlos Miguel Ferreira
Researcher at Telecommunications Institute
Aveiro - Portugal
Work E-mail - cmf at av.it.pt
Skype & GTalk -> carlosmf.pt at gmail.com
LinkedIn -> http://www.linkedin.com/in/carlosmferreira
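Editor's note: the following is an added example, not code from Carlos, Phil or Viktor. It shows the two policy-match rules carried inside firehol.conf through the iptables helper Phil points to ([2]), which is the better fit here than a custom parameter: a custom string is appended to both the request and the reply rule firehol generates, but the policy match only accepts --dir in on INPUT/FORWARD/PREROUTING and --dir out on OUTPUT/FORWARD/POSTROUTING, so one of the two generated rules would fail. The interface name (eth0), the 172.16.0.0/16 subnet, the use of -I to insert ahead of firehol's own chains, and firehol's built-in ipsec service (IKE plus ESP/AH) are assumptions for illustration; check them against your version with `firehol try`.

```shell
#!/bin/sh
# Added example (not from the thread): render a firehol.conf that injects
# Viktor's policy-match rules via FireHOL's iptables helper.
# SUBNET and WAN_IF are assumed values for illustration.

SUBNET="${SUBNET:-172.16.0.0/16}"   # assumed: the remote IPsec network
WAN_IF="${WAN_IF:-eth0}"            # assumed: the interface facing the IPsec peer

# Print a firehol.conf for the given remote subnet and interface.
render_ipsec_conf() {
    subnet="$1"
    ifname="$2"
    cat <<EOF
version 6

interface ${ifname} wan
    policy drop
    protection strong
    # IKE (udp/500) plus ESP/AH so the SA can be negotiated at all;
    # the policy-match rules below only see traffic inside an established SA.
    # (assumes firehol's built-in 'ipsec' service definition)
    server ipsec accept
    client all accept

# Raw iptables(8) rules passed through FireHOL's iptables helper.
# -I puts them at the top of INPUT/OUTPUT, ahead of FireHOL's chains,
# so their effect does not depend on when the helper runs.
# Note: '--proto esp' is the policy match's SA protocol, not the packet's
# IP protocol: these match decapsulated traffic that came through an ESP SA.
iptables -I INPUT  -m policy --pol ipsec --dir in  --proto esp -s ${subnet} -j ACCEPT
iptables -I OUTPUT -m policy --pol ipsec --dir out --proto esp -d ${subnet} -j ACCEPT
EOF
}

# Sanity check on a rendered config: number of policy-match rules it carries
# (expected 2, one per direction). Reads the config from stdin.
count_policy_rules() {
    grep -c -- '--pol ipsec'
}

# Default action: print the config. With --write, install it (assumed path).
if [ "${1:-}" = "--write" ]; then
    render_ipsec_conf "$SUBNET" "$WAN_IF" > /etc/firehol/firehol.conf
else
    render_ipsec_conf "$SUBNET" "$WAN_IF"
fi
```

Usage: `SUBNET=10.8.0.0/16 WAN_IF=ens3 sh ipsec-firehol.sh --write`, then `firehol try` to load it with the automatic rollback if you lose the session, and `iptables -S INPUT | head -n 3` to confirm the policy-match rule landed first. After that, `firehol.conf` stays declarative apart from the two helper lines.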

