[Firehol-support] IPSec + Firehol
Phil Whineray
phil at firehol.org
Wed Jul 11 22:30:26 BST 2018
On Tue, Jul 10, 2018 at 12:30:23PM +0100, Carlos Ferreira wrote:
> Thank you for the comprehensive information Phil!
>
> So, if I wanted to configure Viktor's ip rules for IPSEC, which he
> previously provided in this thread,
>
> iptables -I INPUT --match policy --pol ipsec --dir in --proto esp -s 172.16.0.0/16 -j ACCEPT
> iptables -I OUTPUT --match policy --pol ipsec --dir out --proto esp -d 172.16.0.0/16 -j ACCEPT
>
> how would I do it in firehol?
>
> Do I have to add a custom rule? I'm still unsure how to do this and I
> wanted to keep my firehol.conf as clean as possible.
In this particular case, it looks like you would need to just use the
iptables rules: unfortunately the "custom" parameter does not have any idea
of reversing parameters the way that happens for e.g. src and dst.
If you really want it somehow made more firehol-like then it would take
someone to add a new optional rule parameter, which would understand when
to generate "--dir in" and "--dir out". Copying and adapting srctype might
be a good starting point.
Having said that, I think that a few lines of plain iptables for specific
cases can be quite clear and are not really a problem so long as the
bulk of your needs are handled by the interface/router/client/server
style syntax.
Hope that helps
Phil
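As an added example, not code from this thread or from FireHOL itself: a small POSIX shell helper that generates the pair of rules Viktor posted for any list of networks, swapping chain, "--dir" and -s/-d between the two directions, which is exactly the reversal Phil says a new FireHOL parameter would have to perform. The function names (ipsec_policy_rules, ipsec_policy_count, ipsec_policy_apply) are this example's own. Note that "--proto esp" here is an option of the policy match (the SA's encapsulation protocol), not the packet-level -p, so it stays attached to "--match policy" as in the original rules.

```shell
#!/bin/sh
# Added example, not FireHOL code: emit the paired IPsec policy rules from
# the thread for one or more networks. Function names are this example's own.

# ipsec_policy_rules NET [NET ...]
# Print one INPUT rule (--dir in, -s NET) and one OUTPUT rule (--dir out,
# -d NET) per network. "--proto esp" belongs to the policy match, not to -p.
ipsec_policy_rules() {
    for net in "$@"; do
        printf 'iptables -I INPUT --match policy --pol ipsec --dir in --proto esp -s %s -j ACCEPT\n' "$net"
        printf 'iptables -I OUTPUT --match policy --pol ipsec --dir out --proto esp -d %s -j ACCEPT\n' "$net"
    done
}

# ipsec_policy_count NET [NET ...]
# Number of rules that would be generated: two per network.
ipsec_policy_count() {
    ipsec_policy_rules "$@" | grep -c .
}

# ipsec_policy_apply NET [NET ...]
# Execute the generated rules on this host (needs root and iptables;
# a failing rule aborts). Not exercised by the test.
ipsec_policy_apply() {
    ipsec_policy_rules "$@" | while IFS= read -r rule; do
        eval "$rule" || return 1
    done
}

# Stand-alone usage: print the rules for the network used in the thread.
ipsec_policy_rules 172.16.0.0/16
```

The two printed lines can be dropped into firehol.conf as they are, since the file is a bash script and FireHOL's own `iptables` helper (firehol-iptables(5)) passes a raw iptables command through to the ruleset. Because `-I` inserts at the head of the chain, where the helper is called in the file determines how these rules sit relative to the ones FireHOL generates, so verify the result after a reload with `iptables -S INPUT | grep policy` and `iptables -S OUTPUT | grep policy`.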