On 01/03/2018 12:55 PM, Colony.three via Shorewall-users wrote:
> I have a router which is a KVM VM running CentOS7. Then I have a
> LibreSwan gateway, which is another VM in the LAN, also running CentOS7.
>
> There are 100,00000 bots out there trying to get in to any and all
> ports, ready and armed with the right known vulns and 0-days for the
> normal ports, so I'd like to change ipsec 500 to something else.
> (changing 4500 is inadvisable for kernel reasons)
>
> Libreswan can't change listening ports so am I on the right track in the
> router doing it like this?
> DNAT net loc:192.168.1.15:500 udp 63500 - eth0
> (the ipsec gateway is 192.168.1.15, and the outside interface of the
> router is eth0)
>
> Reason I ask is in the docs, that 63500 column is labeled DPORT,
> whereas it's the source port from the router's PoV. ... although it's
> the destination port from the initiator's PoV.
There is an SPORT column between DPORT and ORIGDEST. If it is actually the
source port, then you need '-' in the DEST column and 63500 in the SPORT
column.

-Tom

--
Tom Eastep            \   Q: What do you get when you cross a mobster with
Shoreline,             \     an international standard?
Washington, USA         \ A: Someone who makes you an offer you can't
http://shorewall.org     \   understand
\_______________________________________________
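As an added illustration (not part of the thread, and not Shorewall's own compiler), the small parser below splits a rules-file line into the ACTION/SOURCE/DEST/PROTO/DPORT/SPORT/ORIGDEST columns and emits an iptables DNAT command that matches the same packets. It shows why the two readings of "63500" differ: in the DPORT column it matches the port the packet arrives on at the router, while in the SPORT column it would only match packets whose source port happens to be 63500. The PREROUTING chain and plain iptables form are assumptions for the sake of illustration; Shorewall generates its own chain names. Interface names in ORIGDEST are ignored here because that column carries an address; the `zone:interface` form in SOURCE (e.g. `net:eth0`) is translated to `-i`.

```python
"""Translate a Shorewall-style DNAT rules line into an equivalent iptables command.

Added example, not Shorewall's own code. Only the first seven columns are
handled; chain name (PREROUTING) is an assumption for illustration.
"""
import ipaddress

# Column order of /etc/shorewall/rules (first seven columns only).
COLUMNS = ["ACTION", "SOURCE", "DEST", "PROTO", "DPORT", "SPORT", "ORIGDEST"]


def parse_rule(line):
    """Split a rules line on whitespace; missing trailing columns become '-'."""
    fields = line.split()
    if len(fields) < 3:
        raise ValueError("need at least ACTION, SOURCE and DEST")
    padded = fields[: len(COLUMNS)] + ["-"] * (len(COLUMNS) - len(fields))
    return dict(zip(COLUMNS, padded))


def is_address(value):
    """True for an IPv4/IPv6 host or network (e.g. '192.168.1.15'), False for 'eth0'."""
    try:
        ipaddress.ip_network(value, strict=False)
        return True
    except ValueError:
        return False


def split_spec(spec):
    """Split 'zone[:address[:port]]' into its three parts (None when absent)."""
    parts = spec.split(":")
    zone = parts[0]
    addr = parts[1] if len(parts) > 1 and parts[1] else None
    port = parts[2] if len(parts) > 2 and parts[2] else None
    return zone, addr, port


def dnat_to_iptables(line):
    """Return an iptables nat/PREROUTING command matching the same traffic as the rule."""
    rule = parse_rule(line)
    if rule["ACTION"].upper() != "DNAT":
        raise ValueError("only DNAT rules are handled in this example")

    cmd = ["iptables", "-t", "nat", "-A", "PREROUTING"]

    # SOURCE: 'net' or 'net:eth0'; a second part that is not an address is an interface.
    _zone, src_extra, _ = split_spec(rule["SOURCE"])
    if src_extra and not is_address(src_extra):
        cmd += ["-i", src_extra]
    elif src_extra:
        cmd += ["-s", src_extra]

    if rule["PROTO"] != "-":
        cmd += ["-p", rule["PROTO"]]

    # DPORT is the destination port of the packet as it reaches the router
    # (the port the remote initiator sent to), not the port after translation.
    if rule["DPORT"] != "-":
        cmd += ["--dport", rule["DPORT"]]

    # SPORT restricts on the packet's *source* port, which for an inbound
    # IKE connection is whatever ephemeral port the initiator picked.
    if rule["SPORT"] != "-":
        cmd += ["--sport", rule["SPORT"]]

    # ORIGDEST is the original destination address; non-addresses are skipped.
    if rule["ORIGDEST"] != "-" and is_address(rule["ORIGDEST"]):
        cmd += ["-d", rule["ORIGDEST"]]

    # DEST supplies the new destination: 'loc:192.168.1.15:500' -> 192.168.1.15:500
    _zone, new_addr, new_port = split_spec(rule["DEST"])
    if not new_addr:
        raise ValueError("DNAT needs an address in the DEST column")
    target = new_addr + (":" + new_port if new_port else "")
    cmd += ["-j", "DNAT", "--to-destination", target]
    return " ".join(cmd)


if __name__ == "__main__":
    # Constructed sample lines: the rule from the question, and the SPORT reading.
    for sample in (
        "DNAT net loc:192.168.1.15:500 udp 63500 - eth0",
        "DNAT net:eth0 loc:192.168.1.15:500 udp 63500",
        "DNAT net loc:192.168.1.15 udp - 63500",
    ):
        print(sample)
        print("  ->", dnat_to_iptables(sample))
```

Running it on the questioner's rule gives `--dport 63500 ... --to-destination 192.168.1.15:500`, i.e. packets that arrive at the router on UDP 63500 are rewritten to port 500 on the gateway; moving 63500 into the SPORT column instead produces `--sport 63500`, which is a different match entirely.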