I'm defining my stoppedrules
I set up a simple one to only allow SSH/VPN access from my HomeIPs
/stoppedrules
#ACTION SOURCE                  DEST   PROTO    DEST     SOURCE
#                                               PORT(S)  PORT(S)
ACCEPT  EXT_IF:my.home.ip.x/29  $FW    tcp      22
ACCEPT  EXT_IF:my.home.ip.x/29  $FW    tcp,udp  1194     1194
After restart
systemctl start shorewall-lite.service
systemctl stop shorewall-lite.service
iptables -L -n
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  my.home.ip.x/29      0.0.0.0/0            multiport dports 22
ACCEPT     tcp  --  my.home.ip.x/29      0.0.0.0/0            tcp spt:1194 dpt:1194
ACCEPT     udp  --  my.home.ip.x/29      0.0.0.0/0            udp spt:1194 dpt:1194
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
Chain FORWARD (policy DROP)
target     prot opt source               destination
Chain OUTPUT (policy DROP)
target     prot opt source               destination
I notice INPUT from the entire net is allowed
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
I thought all traffic OTHER than what's explicitly enabled in stoppedrules is implicitly denied.
I want to (keep) open ONLY traffic for SSH/VPN.
Did I misunderstand or misconfigure?
Jerry
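A check for the listing above, added here as an example that is not part of the original post and not Shorewall's own tooling: `iptables -L -n` omits the in/out interface columns, so a catch-all `ACCEPT all 0.0.0.0/0 0.0.0.0/0` line cannot be told apart from a rule bound to the loopback interface in that output, while `iptables -L INPUT -n -v` prints those columns. The script below parses a constructed `-v` listing (an assumed sample, not captured from the poster's host, with 198.51.100.8/29 standing in for my.home.ip.x/29) and reports catch-all ACCEPT rules whose in-interface is not `lo`; the function `exposed_wildcard_accepts` and the sample data are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): audit an INPUT chain listing for
# catch-all ACCEPT rules that are not bound to the loopback interface.
# `iptables -L -n` hides the in/out interface columns; `iptables -L INPUT -n -v`
# shows them, so an "ACCEPT all 0.0.0.0/0 0.0.0.0/0" line can be checked
# against its "in" column.

# Print ACCEPT rules from `iptables -L INPUT -n -v` output (read on stdin)
# whose source is 0.0.0.0/0 and whose in-interface is not lo.
# Column layout with -v: pkts bytes target prot opt in out source destination [match]
exposed_wildcard_accepts() {
    awk '$3 == "ACCEPT" && $8 == "0.0.0.0/0" && $6 != "lo" { print }'
}

# Constructed sample listing (assumed; not captured from the poster's host).
# The first catch-all ACCEPT is bound to lo, the second one is not.
SAMPLE='Chain INPUT (policy DROP 12 packets, 720 bytes)
 pkts bytes target     prot opt in     out     source               destination
   40  2400 ACCEPT     tcp  --  eth0   *       198.51.100.8/29      0.0.0.0/0            multiport dports 22
    0     0 ACCEPT     udp  --  eth0   *       198.51.100.8/29      0.0.0.0/0            udp spt:1194 dpt:1194
  120  9000 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    5   300 ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0'

# Number of exposed catch-all ACCEPTs in the sample; 0 means the only
# wildcard ACCEPT is the loopback one.
count_exposed() {
    printf '%s\n' "$SAMPLE" | exposed_wildcard_accepts | wc -l | tr -d ' '
}

# On a live host (as root): iptables -L INPUT -n -v | exposed_wildcard_accepts
count_exposed
```

Two things worth noting when reading the original `-n` listing: a catch-all ACCEPT whose in-interface turns out to be `lo` only matches loopback traffic, and the `spt:1194` match on the VPN rules comes from the value placed in the SOURCE PORT(S) column of the second stoppedrules entry, so those rules only match clients that send from source port 1194.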
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users