[Firehol-support] How to allow traffic from an IP range?

Phil Whineray phil at firehol.org
Tue Jul 31 07:49:03 BST 2018


On Tue, Jul 31, 2018 at 08:24:45AM +0200, Wojtek Swiatek wrote:
> On Mon, Jul 30, 2018 at 22:20, Phil Whineray <phil at firehol.org> wrote:
> 
> >
> > > > Firehol will stop logging if you include a catchall "server any drop" as
> > > > the last rule in your interface.
> >
> > To just match the range, add a "src" parameter. Anything not matched will
> > go to the default rule.
> >
> >
> Unfortunately it did not help. I added the line as suggested (not sure why
> "server", in any case I tried "server" and "client"):
> 
> interface4 int0 internet
>     client all accept
>     server openvpn accept
>     server any drop src 192.168.0.0/24
> 
> I still get lines such as
> IN-internet:IN=int0 OUT= MAC=01:00:5e:7f:ff:fa:18:1e:78:82:e6:f5:08:00
> SRC=192.168.0.11 DST=239.255.255.250 LEN=32 TOS=0x00 PREC=0x80 TTL=1 ID=0
> DF PROTO=2

It needs to be a server because the traffic is incoming to the firewall.
This is easier to understand if you imagine something on the Linux
machine and you wanted to accept the traffic for it.

Apologies for it not working. I see that the PROTO is 2, which is IGMP,
so probably the connection tracker does not mark it as a connection.
Try this instead:

  server anystateless rest drop src 192.168.0.0/24

Note that you need to provide an additional name after anystateless.
It doesn't really matter what it is.

Cheers
Phil
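As an added example (not part of this thread or of the FireHOL project), a small parser for the netfilter LOG line quoted above that extracts the facts the diagnosis rests on: PROTO=2 is IGMP and 239.255.255.250 is a multicast destination. The field names come from the log line itself; the protocol-number table is an assumption covering only the common numbers.

```python
from ipaddress import ip_address

# IANA protocol numbers for the cases a firewall admin meets most often.
PROTO_NAMES = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP"}

# Constructed sample: the log line from the thread, joined onto one line.
SAMPLE_LOG = (
    "IN-internet:IN=int0 OUT= MAC=01:00:5e:7f:ff:fa:18:1e:78:82:e6:f5:08:00 "
    "SRC=192.168.0.11 DST=239.255.255.250 LEN=32 TOS=0x00 PREC=0x80 TTL=1 ID=0 "
    "DF PROTO=2"
)


def parse_nflog(line):
    """Split a netfilter LOG line into its prefix and KEY=VALUE fields.

    Bare flags such as DF carry no '=' and are stored as True.
    """
    prefix, _, rest = line.partition(":")
    fields = {"PREFIX": prefix}
    for token in rest.split():
        key, sep, value = token.partition("=")
        fields[key] = value if sep else True
    return fields


def explain(fields):
    """Summarise what the logged packet is, to help choose a matching rule."""
    proto = int(fields["PROTO"])
    dst = ip_address(fields["DST"])
    return {
        "iface": fields["IN"],
        "proto": PROTO_NAMES.get(proto, str(proto)),
        "src": fields["SRC"],
        "dst": str(dst),
        # 224.0.0.0/4 is multicast; the 01:00:5e MAC prefix confirms it on the wire.
        "multicast": dst.is_multicast and fields["MAC"].startswith("01:00:5e"),
        # TTL=1 means the sender never intended it to be routed off the segment.
        "link_local_ttl": fields.get("TTL") == "1",
        # Following the thread's advice: protocols other than TCP/UDP/ICMP are
        # candidates for a stateless rule rather than a stateful "server" rule.
        "stateless_candidate": proto not in (1, 6, 17),
    }


if __name__ == "__main__":
    for key, value in explain(parse_nflog(SAMPLE_LOG)).items():
        print(f"{key:20} {value}")
```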
