Sorry, REDIRECT doesn't have to change port numbers (but it can change them). My example doesn't change the port.
Bill
On 10/17/2017 11:54 AM, Bill Shirley wrote:
You shouldn't REDIRECT. Instead use ACCEPT:
ACCEPT net:123.346.789.0/24 fw tcp 3333
REDIRECT is for changing port numbers:
?COMMENT ntp redirect
REDIRECT lan ntp tcp,udp ntp
Anything on the 'lan' doing ntp will be redirected to the firewall.
Bill
On 10/17/2017 3:29 AM, Joaquim Homrighausen wrote:
What is the "correct procedure" for accepting/handling traffic to services
running on the firewall?
I have a two interface set-up with three zones: net/fw/loc
if1 is net, DHCP address assigned by my supplier
if0 is loc, 10.10.10.1
I want to allow SSH on port 3333 to access SSH server running on FW, if source
matches 123.456.789.0/24
And I want to allow RDP on port 3389 to access RDP server running on FW, if
source matches 123.456.789.0/24
At the moment, I'm using this construct which is working, but it feels like I should be using DNAT, which I could not get working.
REDIRECT:debug net:123.456.789.0/24 3333 tcp 3333
DROP net all tcp 3333
REDIRECT:debug net:123.456.789.0/24 3389 tcp 3389
DROP net all tcp 3389
(the two DROP entries are only so I can enable logging quickly for dropped packets)
I'm using Shorewall 5.0.4 on an Ubuntu 16.04 LTS system, and Webmin to manage it.
-joho
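For readers following this thread, here is what Bill's advice looks like as a complete /etc/shorewall/rules fragment covering both of Joaquim's services. This is an added example, not a file posted by either participant: it assumes the same net/fw/loc zones as the original set-up, uses the RFC 5737 documentation range 203.0.113.0/24 as a placeholder for the poster's trusted source range (the 123.456.789.0/24 in the thread is not a valid address), and uses DROP:info rather than REDIRECT:debug so that probes from anywhere else are logged at the info level. No DNAT or REDIRECT is needed because the SSH and RDP daemons run on the firewall itself; DNAT is for forwarding a port to a host behind the firewall, and REDIRECT only adds value when the destination port has to be rewritten.

```conf
#ACTION      SOURCE                DEST   PROTO  DPORT
# Placeholder: 203.0.113.0/24 stands for the poster's trusted source range.
?COMMENT SSH on 3333, only from the trusted range
ACCEPT       net:203.0.113.0/24    fw     tcp    3333
?COMMENT RDP on 3389, only from the trusted range
ACCEPT       net:203.0.113.0/24    fw     tcp    3389
?COMMENT log (info level) and drop anyone else knocking on those ports
DROP:info    net                   fw     tcp    3333,3389
?COMMENT
```

Run `shorewall check` to validate the rules before activating them with `shorewall reload`; the explicit DROP:info line is what gives you the logging the two DROP entries in the original post were added for, while the net-to-fw policy continues to handle everything else.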
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users