[Firehol-support] IPSec + Firehol

Carlos Ferreira carlosmf.pt at gmail.com
Wed Jul 11 23:24:17 BST 2018


Thank you for the assistance Phil.

I'll just add the iptables rules to the firehol.conf then. Since they
are only two and they are simple, it will not be of any trouble.


My regards,
Carlos

On 11 July 2018 at 22:30, Phil Whineray <phil at firehol.org> wrote:
> On Tue, Jul 10, 2018 at 12:30:23PM +0100, Carlos Ferreira wrote:
>> Thank you for the comprehensive information Phil!
>>
>> So, if I wanted to configure Viktor ip rules for IPSEC, which he
>> previously provided in this thread,
>>
>> iptables -I INPUT  --match policy --pol ipsec --dir in  --proto esp -s 172.16.0.0/16 -j ACCEPT
>> iptables -I OUTPUT --match policy --pol ipsec --dir out --proto esp -d 172.16.0.0/16 -j ACCEPT
>>
>> how would I do it in firehol?
>>
>> Do I have to add a custom rule? I'm still unsure how to do this and I
>> wanted to keep my firehol.conf as clean as possible.
>
> In this particular case, it looks like you would need to just use the
> iptables rules: unfortunately the "custom" parameter does not have any idea
> of reversing parameters the way that happens for e.g. src and dst.
>
> If you really want it somehow made more firehol-like then it would take
> someone to add a new optional rule parameter, which would understand when
> to generate "--dir in" and "--dir out". Copying and adapting srctype might
> be a good starting point.
>
> Having said that, I think that a few lines of plain iptables for specific
> cases can be quite clear and are not really a problem so long as the
> bulk of your needs are handled by the interface/router/client/server
> style syntax.
>
> Hope that helps
> Phil
> _______________________________________________
> Firehol-support mailing list
> Firehol-support at lists.firehol.org
> http://lists.firehol.org/mailman/listinfo/firehol-support
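The "reversal" Phil describes (the INPUT rule needs "--dir in" with -s, the OUTPUT rule "--dir out" with -d) can be kept tidy inside firehol.conf by wrapping the two plain iptables rules in a small shell function, since firehol.conf is itself a bash script. The following is an added example, not code from this thread or from the FireHOL project. The function name ipsec_esp_accept and the variable RULE_CMD are my own; it assumes that inside firehol.conf the name iptables resolves to FireHOL's iptables helper, which queues the command for the generated firewall. Run stand-alone with RULE_CMD=echo it only prints the rules it would apply.

```shell
#!/bin/sh
# Added example (not FireHOL's code): emit the matched INPUT/OUTPUT pair of
# policy-match rules for ESP traffic that "custom" cannot derive by itself.
#
# Pasted into firehol.conf the function works unchanged: RULE_CMD defaults to
# "iptables", which there is FireHOL's own helper (assumption about FireHOL).
# Outside firehol.conf, set RULE_CMD=echo to preview the rules harmlessly.

RULE_CMD=${RULE_CMD:-iptables}

# ipsec_esp_accept SUBNET [ACTION]
#   INPUT  rule: --dir in,  -s SUBNET   (traffic arriving from the subnet)
#   OUTPUT rule: --dir out, -d SUBNET   (traffic leaving towards the subnet)
# ACTION defaults to ACCEPT, as in the rules quoted above.
ipsec_esp_accept() {
    subnet=$1
    action=${2:-ACCEPT}
    case "$subnet" in
        */*) ;;   # insist on CIDR form so a typo never silently widens the match
        *) echo "ipsec_esp_accept: expected SUBNET in CIDR form, got '$subnet'" >&2
           return 1 ;;
    esac
    $RULE_CMD -I INPUT  --match policy --pol ipsec --dir in  --proto esp -s "$subnet" -j "$action" &&
    $RULE_CMD -I OUTPUT --match policy --pol ipsec --dir out --proto esp -d "$subnet" -j "$action"
}

# Stand-alone preview with the subnet used in the thread (runs in a subshell so
# RULE_CMD=echo does not leak into a real firehol.conf that sources this file).
( RULE_CMD=echo; ipsec_esp_accept 172.16.0.0/16 )
```

In firehol.conf the call `ipsec_esp_accept 172.16.0.0/16` would sit next to the usual interface/router blocks, keeping the two raw iptables lines in one labelled place rather than scattered through the file.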

