[Firehol-support] How to allow traffic from an IP range?

Wojtek Swiatek w at swtk.info
Mon Jul 30 20:24:20 BST 2018


On Mon, 30 Jul 2018 at 21:02, Phil Whineray <phil at firehol.org> wrote:

> Hi
>
> On Mon, 30 Jul 2018, 19:48 Wojtek Swiatek, <w at swtk.info> wrote:
>
> > Hello everyone
> >
> > I have a working installation of firehol (which replaced with success
> > shorewall) and there is one element missing. The topology is the following
> >
> > fiber -- internet box (192.168.0.11) -- TV box (192.168.0.15)
> >                                                        -- PC (interface
> > int0 = 192.168.0.10)
> >
> > I get a lot of messages telling me that the box is sending some packets
> > which are dropped at int0:
> >
> > IN-internet:IN=int0 OUT= MAC=01:00:5e:7f:ff:fa:18:1e:78:82:e6:f5:08:00
> > SRC=192.168.0.11 DST=239.255.255.250 LEN=32 TOS=0x00 PREC=0x80 TTL=1 ID=0
> > DF PROTO=2
> >
> > They're dropped correctly as there is no reason for them to wander in the
> > networks behind int0 but the logging is annoying and useless.
> >
> > Is there a way to state: "packets coming from 192.168.0.0/24 and which are
> > blocked should not be logged"?
> >
>
> Firehol will stop logging if you include a catchall "server any drop" as
> the last rule in your interface.
>
> It works by preventing the packet going through to the default handling
> (i.e. log and drop).
>
>
Thanks for the information. Wouldn't that stop all logging, though? I would
like to just stop logging dropped packets from range 192.168.0.0/24.
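
An added example, not part of the original thread: before silencing log entries for a whole range, it helps to see what is actually being dropped from it. This Python sketch parses netfilter log lines like the one quoted above and counts drops by source scope, protocol and destination kind; the first sample line is the one from the thread (joined onto one line), the others are constructed, and the function names are this example's own.

```python
import ipaddress
import re
from collections import Counter

# Netfilter LOG lines are KEY=VALUE pairs; bare flags such as DF carry no '='.
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")
# TCP/UDP/ICMP are logged by name; other protocols appear as numbers (2 = IGMP).
PROTO_NAMES = {"2": "IGMP"}

SAMPLE_LINES = [
    # From the thread:
    "IN-internet:IN=int0 OUT= MAC=01:00:5e:7f:ff:fa:18:1e:78:82:e6:f5:08:00 "
    "SRC=192.168.0.11 DST=239.255.255.250 LEN=32 TOS=0x00 PREC=0x80 TTL=1 ID=0 DF PROTO=2",
    # Constructed samples:
    "IN-internet:IN=int0 OUT= SRC=192.168.0.15 DST=239.255.255.250 LEN=129 PROTO=UDP SPT=50000 DPT=1900",
    "IN-internet:IN=int0 OUT= SRC=192.168.0.15 DST=192.168.0.10 LEN=60 PROTO=TCP SPT=40000 DPT=445",
    "IN-internet:IN=int0 OUT= SRC=203.0.113.7 DST=192.168.0.10 LEN=60 PROTO=TCP SPT=41000 DPT=22",
]

def parse_line(line):
    """Return the KEY=VALUE fields of one log line, or None if SRC/DST/PROTO are missing."""
    fields = dict(FIELD_RE.findall(line))
    return fields if {"SRC", "DST", "PROTO"} <= fields.keys() else None

def summarize(lines, lan="192.168.0.0/24"):
    """Count dropped packets by (source scope, protocol, destination kind)."""
    net = ipaddress.ip_network(lan)
    counts = Counter()
    for line in lines:
        fields = parse_line(line)
        if fields is None:
            continue
        try:
            src = ipaddress.ip_address(fields["SRC"])
            dst = ipaddress.ip_address(fields["DST"])
        except ValueError:
            continue  # malformed address: skip rather than guess
        scope = "lan" if src in net else "other"
        kind = "multicast" if dst.is_multicast else "unicast"
        proto = PROTO_NAMES.get(fields["PROTO"], fields["PROTO"])
        counts[(scope, proto, kind)] += 1
    return counts

if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_LINES).items()):
        print(n, *key)
```

In the sample data the LAN range produces both multicast chatter and a unicast TCP drop, so a rule that silences the whole range would hide the latter as well.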


