[Firehol-support] IPSec + Firehol

Phil Whineray phil at firehol.org
Wed Jul 11 22:30:26 BST 2018


On Tue, Jul 10, 2018 at 12:30:23PM +0100, Carlos Ferreira wrote:
> Thank you for the comprehensive information Phil!
> 
> So, if I wanted to configure Viktor ip rules for IPSEC, which he
> previously provided in this thread,
> 
> iptables -I INPUT  --match policy --pol ipsec --dir in --proto esp  -s
> 172.16.0.0/16 -j ACCEPT
> iptables -I OUTPUT --match policy --pol ipsec --dir out --proto esp
> -d 172.16.0.0/16 -j ACCEPT
> 
> how would I do it in firehol?
> 
> Do i have to add a custom rule? I'm still unsure how to do this and I
> wanted to keep my firehol.conf as clean as possible.

In this particular case, it looks like you would need to just use the
iptables rules: unfortunately the "custom" parameter does not have any idea
of reversing parameters the way that happens for e.g. src and dst.

If you really want it somehow made more firehol-like then it would take
someone to add a new optional rule parameter, which would understand when
to generate "--dir in" and "--dir out". Copying and adapting srctype might
be a good starting point.

Having said that, I think that a few lines of plain iptables for specific
cases can be quite clear and are not really a problem so long as the
bulk of your needs are handled by the interface/router/client/server
style syntax.

Hope that helps
Phil



More information about the Firehol-support mailing list