[Firehol-support] How to allow traffic from an IP range?

Phil Whineray phil at firehol.org
Mon Jul 30 20:02:17 BST 2018


Hi

On Mon, 30 Jul 2018, 19:48 Wojtek Swiatek, <w at swtk.info> wrote:

> Hello everyone
>
> I have a working installation of firehol (which replaced with success
> shorewall) and there is one element missing. The topology is the following
>
> fiber -- internet box (192.168.0.11) -- TV box (192.168.0.15)
>                                                        -- PC (interface
> int0 = 192.168.0.10)
>
> I get a lot of messages telling me that the box is sending some packets
> which are dropped at int0:
>
> IN-internet:IN=int0 OUT= MAC=01:00:5e:7f:ff:fa:18:1e:78:82:e6:f5:08:00
> SRC=192.168.0.11 DST=239.255.255.250 LEN=32 TOS=0x00 PREC=0x80 TTL=1 ID=0
> DF PROTO=2
>
> They're dropped correctly as there is no reason for them to wander in the
> networks behind int0 but the logging is annoying and useless.
>
> Is there a way to state: "packets coming from 192.168.0.0/24 and which are
> blocked should not be logged"?
>

Firehol will stop logging if you include a catchall "server any drop" as
the last rule in your interface.

It works by preventing the packet going through to the default handling
(i.e. log and drop).

Hope that helps

Phil
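As an added example (not part of the thread and not FireHOL's own documentation), here is how the catch-all Phil describes fits into a FireHOL configuration for the PC's LAN side. The interface name int0 and the 192.168.0.0/24 range come from the question; the `version 6` line, the service list and the `lan` label are assumptions for illustration.

```firehol
# Added example: /etc/firehol/firehol.conf fragment for the LAN-facing
# interface of the PC in the question. Everything except int0 and the
# 192.168.0.0/24 range is an assumption.
version 6          # assumed FireHOL 3.x config version; adjust for your release

# --- Before: nothing matches the IGMP multicast packets from 192.168.0.11,
# so they fall through to FireHOL's default handling for the interface,
# which logs them and then drops them. This is what fills the logs.
#interface int0 lan src 192.168.0.0/24
#    policy drop
#    protection strong
#    client all accept
#    server ssh accept

# --- After: a catch-all "server any drop" as the LAST rule in the interface
# matches any inbound packet the earlier rules did not, so the packet never
# reaches the log-and-drop default.
interface int0 lan src 192.168.0.0/24
    policy drop
    protection strong
    client all accept       # outbound from the PC (and replies) still allowed
    server ssh accept       # inbound services you really want, listed first
    server any drop         # keep this last: rules placed after it never match
```

Two things to keep in mind when using it: the rule order matters, since `server any` would swallow any `server ... accept` placed after it; and because it is a catch-all it silences logging for every unmatched inbound packet on int0, not only the IGMP traffic from the box, so you lose that visibility for the whole interface.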
