Sorry, REDIRECT doesn't have to change port numbers (but it can change them). My example doesn't change the port.

Bill

On 10/17/2017 11:54 AM, Bill Shirley wrote:
You shouldn't REDIRECT.  Instead use ACCEPT:
ACCEPT    net:123.456.789.0/24    fw    tcp    3333

REDIRECT is for changing port numbers:
?COMMENT ntp redirect
REDIRECT        lan       ntp             tcp,udp ntp
Anything on the 'lan' doing ntp will be redirected to the firewall.

Bill

On 10/17/2017 3:29 AM, Joaquim Homrighausen wrote:


What is the "correct procedure" for accepting/handling traffic to services running on the firewall?
I have a two-interface setup with three zones: net/fw/loc
if1 is net, DHCP address assigned by my supplier
if0 is loc, 10.10.10.1

I want to allow SSH on port 3333 to reach the SSH server running on the FW, if the source matches 123.456.789.0/24.
And I want to allow RDP on port 3389 to reach the RDP server running on the FW, if the source matches 123.456.789.0/24.

At the moment, I'm using this construct which is working, but it feels like I should be using DNAT, which I could not get working.

#ACTION           SOURCE                  DEST    PROTO   DPORT
REDIRECT:debug    net:123.456.789.0/24    3333    tcp     3333
DROP              net                     all     tcp     3333
REDIRECT:debug    net:123.456.789.0/24    3389    tcp     3389
DROP              net                     all     tcp     3389


(the two DROP entries are only there so I can quickly enable logging for dropped packets)

I'm using Shorewall 5.0.4 on an Ubuntu 16.04 LTS system, and Webmin to manage it.

-joho



------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
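A worked /etc/shorewall/rules fragment for the three cases discussed in this thread, added here as an illustration (it is not from any of the messages above nor from the Shorewall project): ACCEPT for services the firewall itself listens on, DROP with logging for every other source, and DNAT only when the service lives on a host behind the firewall. The source network 203.0.113.0/24 and the LAN host 10.10.10.20 are assumed stand-ins; the 123.456.789.0/24 used in the thread is not a valid IPv4 prefix (octets above 255) and will be rejected when the rules are loaded.

```text
#ACTION        SOURCE                  DEST                    PROTO   DPORT
# SSH (3333) and RDP (3389) servers run on the firewall itself: a plain
# ACCEPT to the firewall zone ($FW, "fw" by default) is all that is needed.
# No nat-table entry (REDIRECT or DNAT) is involved.
ACCEPT         net:203.0.113.0/24      $FW                     tcp     3333
ACCEPT         net:203.0.113.0/24      $FW                     tcp     3389

# Log at syslog level info and drop the same ports from any other source.
# Rules match top down, so this must come after the ACCEPT lines.
DROP:info      net                     $FW                     tcp     3333,3389

# DNAT is for a service on a host *behind* the firewall: connections that
# arrive on the firewall's net address, port 3333, are forwarded to port 22
# on the assumed LAN host 10.10.10.20 (the DEST column is zone:address:port).
DNAT           net:203.0.113.0/24      loc:10.10.10.20:22      tcp     3333

# REDIRECT keeps the traffic on the firewall; its DEST column is the local
# port to deliver to.  With matching ports it does the same job as the
# ACCEPT above, only via the nat table, which is why ACCEPT is preferred.
# REDIRECT     net:203.0.113.0/24      3333                    tcp     3333
```

Because Shorewall uses first-match ordering, keep the ACCEPT lines above the DROP; run `shorewall check` before `shorewall restart` so a syntax or address error is caught before the running ruleset is touched.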

