[Firehol-support] Add rule for localhost

Phil Whineray phil at firehol.org
Thu Jan 3 18:51:27 GMT 2019


Hi

On Thu, Jan 03, 2019 at 12:19:54PM +0000, Rich wrote:
> I have a service (elasticsearch) running on localhost:9200 and I only want
> local user wilma to be able to access it (the service is not listening on
> anything other than localhost).
> 
> I saw that firehol has a uid option
> https://firehol.org/firehol-manual.html#firehol-params5

I've not used it personally and it probably depends on having the
appropriate kernel module.

> But the docs also seem to imply that firehol leaves localhost stuff alone
> 
> > "FireHOL handles this automatically. You don't have to do anything about
> > |lo|."
> > https://firehol.org/tutorial/firehol-new-user/
> 
> So is it possible to do this?

You probably don't want to add a stateful deny-by-default firewall to
"lo" because many things expect to be able to communicate locally
without interference.

You could try to insert a plain iptables rule directly, before the
generic ACCEPT entries produced by FireHOL. This would drop or deny
traffic you know you don't want.

If you are not too familiar with iptables, you should be able to use
firehol to create the rule on a regular interface, then look at the output
of "debug" to create your custom line.

Hope that helps
Phil
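As an added illustration of the approach Phil outlines (not code from the mailing list or from the FireHOL project), the script below generates the plain iptables rules for restricting localhost:9200 to one or more local users via the owner match, inserted at the head of OUTPUT so they precede FireHOL's own ACCEPT entries for "lo". Port 9200 and user wilma come from the thread; the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: build the raw iptables rules for
# allowing only certain local uids to connect to a localhost-only service.
set -eu

# Print the rules for a TCP port followed by one or more allowed users.
# The owner match only works in the OUTPUT chain (locally generated
# packets), which is where a client's connection to 127.0.0.1 is first
# seen. Server replies carry sport $port, not dport $port, so they are
# unaffected. Rules are inserted at the top of OUTPUT so they take
# precedence over the blanket "-o lo -j ACCEPT" FireHOL generates.
local_service_rules() {
    port="$1"
    shift
    n=1
    for user in "$@"; do
        echo "iptables -I OUTPUT $n -o lo -p tcp --dport $port -m owner --uid-owner $user -j ACCEPT"
        n=$((n + 1))
    done
    # Everyone else, root included, gets a clean TCP reset. Add root to
    # the allowed list if local monitoring or admin tools need access.
    echo "iptables -I OUTPUT $n -o lo -p tcp --dport $port -j REJECT --reject-with tcp-reset"
}

# Apply the generated rules (needs root). FireHOL flushes and rebuilds the
# tables on every start, so re-run this after "firehol start"/"restart".
# If the service also binds ::1, repeat with ip6tables.
apply_local_service_rules() {
    local_service_rules "$@" | while IFS= read -r rule; do
        $rule
    done
}

# Show the head of OUTPUT to confirm the custom rules sit before
# FireHOL's generic lo ACCEPT (compare with "firehol debug" output).
show_output_head() {
    iptables -S OUTPUT | head -n "$(( $# + 1 ))"
}
```

Check the ordering with show_output_head after applying, since a later `firehol start` will silently discard the custom rules.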

