[Firehol-support] How to allow traffic from an IP range?

Wojtek Swiatek w at swtk.info
Tue Jul 31 09:57:24 BST 2018


Phil,

It works, thank you for all your help (I sent an extra email about the wrong
config file I was editing). And thank you for this great tool.

On Tue 31 Jul 2018 at 08:49, Phil Whineray <phil at firehol.org> wrote:

> On Tue, Jul 31, 2018 at 08:24:45AM +0200, Wojtek Swiatek wrote:
> > On Mon 30 Jul 2018 at 22:20, Phil Whineray <phil at firehol.org> wrote:
> >
> > >
> > > > > Firehol will stop logging if you include a catchall "server any drop" as
> > > > > the last rule in your interface.
> > >
> > > To just match the range, add a "src" parameter. Anything not matched will
> > > go to the default rule.
> > >
> > >
> > Unfortunately it did not help. I added the line as suggested (not sure why
> > "server", in any case I tried "server" and "client"):
> >
> > interface4 int0 internet
> >     client all accept
> >     server openvpn accept
> >     server any drop src 192.168.0.0/24
> >
> > I still get lines such as
> > IN-internet:IN=int0 OUT= MAC=01:00:5e:7f:ff:fa:18:1e:78:82:e6:f5:08:00
> > SRC=192.168.0.11 DST=239.255.255.250 LEN=32 TOS=0x00 PREC=0x80 TTL=1 ID=0
> > DF PROTO=2
>
> It needs to be a server because the traffic is incoming to the firewall.
> This is easier to understand if you imagine something on the linux
> machine and you wanted to accept the traffic for it.
>
> Apologies for it not working. I see that the PROTO is 2, which is IGMP,
> so probably the connection tracker does not mark it as a connection.
> Try this instead:
>
>   server anystateless rest drop src 192.168.0.0/24
>
> Note that you need to provide an additional name after anystateless.
> It doesn't really matter what it is.
>
> Cheers
> Phil
>
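As an added example (not code from the thread or from FireHOL itself), this Python script parses netfilter log lines in the format quoted above and reports, for each packet, whether a `src <cidr>` parameter would match it and whether its protocol is tracked by conntrack at all; IGMP (PROTO=2) is not, which is why only an `anystateless` rule can match it. The sample log lines are constructed, and the protocol-number table is the IANA assignment.

```python
import ipaddress
# Constructed sample lines, modelled on the netfilter log quoted in the thread.
SAMPLE_LOGS = [
    "IN-internet:IN=int0 OUT= MAC=01:00:5e:7f:ff:fa:18:1e:78:82:e6:f5:08:00 "
    "SRC=192.168.0.11 DST=239.255.255.250 LEN=32 TOS=0x00 PREC=0x80 TTL=1 ID=0 DF PROTO=2",
    "IN-internet:IN=int0 OUT= MAC=01:00:5e:7f:ff:fa:18:1e:78:82:e6:f5:08:00 "
    "SRC=10.9.8.7 DST=192.168.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12345 DF "
    "PROTO=TCP SPT=40000 DPT=1194 WINDOW=64240 RES=0x00 SYN URGP=0",
]
# IANA protocol numbers; the LOG target prints a number for any protocol it
# does not name (it names only TCP, UDP and ICMP).
PROTO_NUMBERS = {"1": "ICMP", "2": "IGMP", "6": "TCP", "17": "UDP", "47": "GRE", "50": "ESP"}
# Protocols nf_conntrack keeps state for; IGMP is absent, which is why a
# stateful FireHOL "server ... drop" rule never matched the logged packets.
CONNTRACKED = {"TCP", "UDP", "ICMP"}

def parse_netfilter_log(line):
    """Split a FireHOL-prefixed log line into (chain prefix, fields, bare flags)."""
    prefix, _, rest = line.strip().partition(":")
    fields, flags = {}, set()
    for token in rest.split():
        key, eq, value = token.partition("=")
        if eq:
            fields[key] = value
        else:
            flags.add(token)  # flags without a value, e.g. DF or SYN
    return prefix, fields, flags

def protocol_name(fields):
    """Return the protocol name, resolving numeric PROTO values."""
    proto = fields.get("PROTO", "")
    return PROTO_NUMBERS.get(proto, proto.upper())

def needs_stateless_rule(fields):
    """True when conntrack does not track the protocol, so only an
    'anystateless' rule (not a stateful 'server' rule) can match it."""
    return protocol_name(fields) not in CONNTRACKED

def src_in_range(fields, cidr):
    """Would a FireHOL 'src <cidr>' parameter match this packet's source?"""
    return ipaddress.ip_address(fields["SRC"]) in ipaddress.ip_network(cidr)

def triage(lines, cidr):
    """Per log line: chain, source, protocol, src match and the rule family needed."""
    rows = []
    for line in lines:
        prefix, fields, _ = parse_netfilter_log(line)
        rows.append({"chain": prefix, "src": fields["SRC"], "proto": protocol_name(fields),
                     "in_range": src_in_range(fields, cidr),
                     "rule": "anystateless" if needs_stateless_rule(fields) else "server"})
    return rows
```

Running `triage(SAMPLE_LOGS, "192.168.0.0/24")` classifies the IGMP line as needing an `anystateless` rule and the TCP line as one a stateful `server` rule can handle.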

