> On 01/03/2018 12:55 PM, Colony.three via Shorewall-users wrote:
>
>> I have a router which is a KVM VM running CentOS7.  Then I have a
>> LibreSwan gateway, which is another VM in the LAN, also running CentOS7.
>> There are 100,00000 bots out there trying to get in to any and all
>> ports, ready and armed with the right known vulns and 0-days for the
>> normal ports, so I'd like to change ipsec 500 to something else.
>> (changing 4500 is inadvisable for kernel reasons)
>> Libreswan can't change listening ports, so am I on the right track in the
>> router doing it like this?
>> DNAT      net       loc:192.168.1.15:500    udp    63500    &eth0
>> (the ipsec gateway is 192.168.1.15, and the outside interface of the
>> router is eth0)
>> Reason I ask is in the docs, that 63500 column is labeled  DPORT,
>> whereas it's the source port from the router's PoV.  ... although it's
>> the destination port from the initiator's PoV.
>
> There is an SPORT column between DPORT and ORIGDEST. If it is actually
> the source port, then you need '-' in the DEST column and 63500 in the
> SPORT column.
>
> -Tom

Oh, OK, thanks.
DNAT      net       loc:192.168.1.15:500    udp    -  63500    &eth0
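Added example, not part of the thread and not Shorewall's own code: a small Python model of how the DPORT and SPORT columns of a DNAT line in /etc/shorewall/rules are matched against a packet arriving on the router's external interface. In the rules file DPORT is the port the packet is addressed to when it reaches the firewall and SPORT is the port the remote peer sent from, so for the setup above (initiator sends to 63500, Libreswan listens on 500) the value 63500 belongs in DPORT with '-' in SPORT, and the 6-column line quoted at the top of the thread fails to parse because '&eth0' lands in the SPORT column. The model also shows why a rule with 63500 in SPORT is unlikely to see any IKE traffic: an IKE initiator normally sends from UDP 500 as well as to UDP 500. The router address 203.0.113.10, the peer address 198.51.100.7, the assumption that zone "net" is eth0, and the rendered iptables command (an approximation of what Shorewall generates) are all constructed for this example.

```python
"""Model of how Shorewall's DNAT rule columns select packets (added example,
not Shorewall code). Sample addresses below are constructed, not from the thread."""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "udp"


@dataclass(frozen=True)
class DnatRule:
    """A DNAT line from /etc/shorewall/rules, limited to the first seven
    columns: ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST."""
    source: str            # zone the packet comes from ("net")
    dest: str              # "zone:ip:port" to forward the packet to
    proto: str
    dport: Optional[int]   # port the packet is addressed to on arrival (None = any)
    sport: Optional[int]   # source port chosen by the remote peer (None = any)
    origdest: str          # "&eth0" = the firewall's own address on eth0

    @classmethod
    def parse(cls, line: str) -> "DnatRule":
        cols = line.split()
        if len(cols) < 7:
            raise ValueError(f"need 7 columns, got {len(cols)}: {line!r}")
        action, source, dest, proto, dport, sport, origdest = cols[:7]
        if action != "DNAT":
            raise ValueError(f"not a DNAT rule: {line!r}")

        def port(col: str) -> Optional[int]:
            return None if col == "-" else int(col)   # int() rejects e.g. '&eth0'

        return cls(source, dest, proto, port(dport), port(sport), origdest)

    def target(self) -> Tuple[str, int]:
        _zone, ip, port = self.dest.split(":")
        return ip, int(port)


def matches(rule: DnatRule, pkt: Packet, fw_addr: str) -> bool:
    """Does a packet arriving on the external interface hit this rule?"""
    if rule.proto != pkt.proto:
        return False
    # Assumption for the model: zone "net" is eth0, which carries fw_addr.
    if rule.origdest == "&eth0" and pkt.dst != fw_addr:
        return False
    if rule.dport is not None and pkt.dport != rule.dport:
        return False
    if rule.sport is not None and pkt.sport != rule.sport:
        return False
    return True


def apply_dnat(rule: DnatRule, pkt: Packet, fw_addr: str) -> Optional[Packet]:
    """Return the packet after DNAT, or None if the rule does not apply."""
    if not matches(rule, pkt, fw_addr):
        return None
    ip, port = rule.target()
    return Packet(pkt.src, pkt.sport, ip, port, pkt.proto)


def to_iptables(rule: DnatRule, fw_addr: str, iface: str = "eth0") -> str:
    """Rough iptables equivalent; Shorewall's generated chains are more elaborate."""
    ip, port = rule.target()
    parts = ["iptables", "-t", "nat", "-A", "PREROUTING", "-i", iface,
             "-d", fw_addr, "-p", rule.proto]
    if rule.dport is not None:
        parts += ["--dport", str(rule.dport)]
    if rule.sport is not None:
        parts += ["--sport", str(rule.sport)]
    parts += ["-j", "DNAT", "--to-destination", f"{ip}:{port}"]
    return " ".join(parts)


# Constructed sample data (assumptions, not from the thread).
FW_ADDR = "203.0.113.10"   # router's address on eth0 (documentation range)
# An IKE initiator normally sends from UDP 500 as well as to UDP 500; here it
# has been told to send to the moved port 63500 instead.
IKE_INIT = Packet(src="198.51.100.7", sport=500, dst=FW_ADDR, dport=63500)

INTENDED = DnatRule.parse("DNAT net loc:192.168.1.15:500 udp 63500 - &eth0")
AMENDED = DnatRule.parse("DNAT net loc:192.168.1.15:500 udp - 63500 &eth0")

if __name__ == "__main__":
    for name, rule in (("intended", INTENDED), ("amended", AMENDED)):
        print(name, "->", apply_dnat(rule, IKE_INIT, FW_ADDR))
        print("   ", to_iptables(rule, FW_ADDR))
```

Running it shows the INTENDED rule rewriting the initiator's packet to 192.168.1.15:500, while the AMENDED rule ignores it and would only fire for a peer that happens to send from source port 63500. Remember that DNAT only changes what the router accepts; the remote peer still has to be configured to send IKE to 63500, and conntrack reverses the translation on Libreswan's replies.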
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users