This sort of restriction is actually one of the reasons I’ve given up on Firehol, for achieving this I found the easiest way was to configure the service as a deny on the interface, and use firehol’s ability to have pure iptables rules in the config file to first configure explicit allows for those IPs required.

After a couple of years wrestling with rather bulky config files for firehol, I found that I could achieve the same result with a lot less rules just managing my iptables directly (for comparable security and functionality I’ve had a couple of routing boxes go from 500+ rules to under 60). It can be really great for a simple endpoint, but throw anything complex at it and it starts getting very messy, and in some cases the rules it generated were counter-intuitive to the config files declarations (when dealing with more then 2 interfaces and routing paths this becomes a huge limitation) – I’m currently leaning very strongly towards shorewall as an option, I suppose it could almost be considered there third step after ufw and firehol – it has a steepish learning curve, but a hell of a lot of power and handles complex situations as you’d expect based on configuration.

I do not know how to do that. Firehol configuration files are Bash scripts, though, so it may be possible to do what you want by redirecting input or using a loop of some sort to read the file.

I Love firehol. Would you by any change know how i can block a range of client ip address form acessing a service.

e.g. “client accept src “/etc/firehol/accept.list”

Any clues? I would like to make it easy to add ip address to the allowed / denied list for certain services.