From: Bill S. <bi...@ul...> - 2017-10-17 15:54:45

You shouldn't REDIRECT. Instead use ACCEPT:

    ACCEPT net:123.346.789.0/24 fw tcp 3333

REDIRECT is for changing port numbers:

    ?COMMENT ntp redirect
    REDIRECT lan ntp tcp,udp ntp

Anything on the 'lan' doing ntp will be redirected to the firewall.

Bill

On 10/17/2017 3:29 AM, Joaquim Homrighausen wrote:
>
> What is the "correct procedure" for accepting/handling traffic to services running on the firewall?
> I have a two-interface set-up with three zones: net/fw/loc
> if1 is net, DHCP address assigned by my supplier
> if0 is loc, 10.10.10.1
>
> I want to allow SSH on port 3333 to access the SSH server running on the FW, if the source matches 123.456.789.0/24
> And I want to allow RDP on port 3389 to access the RDP server running on the FW, if the source matches 123.456.789.0/24
>
> At the moment, I'm using this construct, which is working, but it feels like I should be using DNAT, which I could not get working.
>
> REDIRECT:debug net:123.456.789.0/24 3333 tcp 3333
> DROP net all tcp 3333
> REDIRECT:debug net:123.456.789.0/24 3389 tcp 3389
> DROP net all tcp 3389
>
> (the two DROP entries are only so I can enable logging quickly for dropped packets)
>
> I'm using Shorewall 5.0.4 on an Ubuntu 16.04 LTS system, and Webmin to manage it.
>
> -joho
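As an added illustration of the distinction Bill draws (this is not code from the Shorewall project or from either poster), the following lint walks a Shorewall rules file and flags REDIRECT entries from the external zone whose DEST port equals DPORT, which is traffic already addressed to the firewall on that port and therefore the ACCEPT-to-fw case. It assumes the external zone is named net, reads only the first five columns (ACTION SOURCE DEST PROTO DPORT), and deliberately leaves same-port REDIRECTs from internal zones such as Bill's NTP interception alone.

```python
"""Heuristic lint for Shorewall 'rules' lines: REDIRECT from the external
zone to the same port it matched is what ACCEPT ... fw expresses directly.
Assumption: external zone is 'net'; only columns 1-5 are inspected."""
from typing import Optional


def suggest_accept(line: str, ext_zone: str = "net") -> Optional[str]:
    """Return an ACCEPT equivalent for a flagged REDIRECT rule, else None."""
    body = line.split("#", 1)[0].strip()
    if not body or body.startswith("?"):      # blank line or ?COMMENT/?SECTION
        return None
    cols = body.split()
    if len(cols) < 5:
        return None
    action, source, dest, proto, dport = cols[:5]
    base, _, level = action.partition(":")    # "REDIRECT:debug" -> level "debug"
    if base.upper() != "REDIRECT":
        return None
    zone = source.split(":", 1)[0]            # "net:123.456.789.0/24" -> "net"
    # For REDIRECT, DEST is the port redirected to. Same port from the
    # external zone means the packet was already addressed to the firewall,
    # so ACCEPT with DEST fw says the same thing without a nat-table rule.
    if zone != ext_zone or dest != dport:
        return None
    new_action = "ACCEPT" + (f":{level}" if level else "")
    return f"{new_action}\t{source}\tfw\t{proto}\t{dport}"


def lint_rules(text: str, ext_zone: str = "net") -> list:
    """Return (line number, original rule, suggested rule) for each finding."""
    return [(n, ln.strip(), s)
            for n, ln in enumerate(text.splitlines(), 1)
            if (s := suggest_accept(ln, ext_zone))]


# Constructed sample: the thread's rules plus two REDIRECTs that are fine as-is
# (transparent NTP interception on the lan, and a real port change 22 -> 2222).
SAMPLE_RULES = """\
REDIRECT:debug net:123.456.789.0/24 3333 tcp 3333
DROP net all tcp 3333
REDIRECT:debug net:123.456.789.0/24 3389 tcp 3389
?COMMENT ntp redirect
REDIRECT lan ntp tcp,udp ntp
REDIRECT net 2222 tcp 22
"""

if __name__ == "__main__":
    for n, original, suggested in lint_rules(SAMPLE_RULES):
        print(f"line {n}: {original}\n  -> {suggested}")
```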