From: Bill S. <bi...@ul...> - 2017-10-17 16:20:42

Sorry, REDIRECT doesn't have to change port numbers (but it can change them). My example doesn't change the port.

Bill

On 10/17/2017 11:54 AM, Bill Shirley wrote:
> You shouldn't REDIRECT. Instead use ACCEPT:
> ACCEPT net:123.346.789.0/24 fw tcp 3333
>
> REDIRECT is for changing port numbers:
> ?COMMENT ntp redirect
> REDIRECT lan ntp tcp,udp ntp
> Anything on the 'lan' doing ntp will be redirected to the firewall.
>
> Bill
>
> On 10/17/2017 3:29 AM, Joaquim Homrighausen wrote:
>>
>> What is the "correct procedure" for accepting/handling traffic to services running on the firewall?
>> I have a two interface set-up with three zones: net/fw/loc
>> if1 is net, DHCP address assigned by my supplier
>> if0 is loc, 10.10.10.1
>>
>> I want to allow SSH on port 3333 to access SSH server running on FW, if source matches 123.456.789.0/24
>> And I want to allow RDP on port 3389 to access RDP server running on FW, if source matches 123.456.789.0/24
>>
>> At the moment, I'm using this construct which is working, but it feels like I should be using DNAT, which I could not get working.
>>
>> REDIRECT:debug net:123.456.789.0/24 3333 tcp 3333
>> DROP net all tcp 3333
>> REDIRECT:debug net:123.456.789.0/24 3389 tcp 3389
>> DROP net all tcp 3389
>>
>> (the two DROP entries are only so I can enable logging quickly for dropped packets)
>>
>> I'm using Shorewall 5.0.4 on an Ubuntu 16.04 LTS system, and Webmin to manage it.
>>
>> -joho
>>
>> _______________________________________________
>> Shorewall-users mailing list
>> Sho...@li...
>> https://lists.sourceforge.net/lists/listinfo/shorewall-users
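The three actions discussed in this thread side by side, as an added /etc/shorewall/rules fragment that is not from the original posts or from the Shorewall project: ACCEPT for services the firewall itself runs (Bill's advice), REDIRECT for pulling traffic onto the firewall with or without a port change, and DNAT for the case the original poster was reaching for, which only makes sense when the target is a host behind the firewall. Zone names net/fw/loc follow the original poster's setup; `$FW` is Shorewall's built-in variable for the firewall zone (Bill's reply simply writes `fw`). The source network 203.0.113.0/24 (RFC 5737 documentation space, since 123.456.789.0/24 is not a valid address) and the internal RDP host 10.10.10.20 are assumptions made up for the example.

```text
#ACTION      SOURCE               DEST                   PROTO    DPORT
#
# Services listening on the firewall itself: a plain ACCEPT into the fw zone.
# No address rewriting happens, so neither REDIRECT nor DNAT is needed.
# (Source net 203.0.113.0/24 is an assumed, documentation-only range.)
ACCEPT       net:203.0.113.0/24   $FW                    tcp      3333
ACCEPT       net:203.0.113.0/24   $FW                    tcp      3389
#
# Log and drop the same ports from every other source. A DROP policy for
# net->fw would already block them; this explicit rule only adds logging.
DROP:info    net                  $FW                    tcp      3333,3389
#
# REDIRECT: rewrite the destination to the firewall. DEST is the port on the
# firewall; it may equal DPORT (no port change, as in the original poster's
# rules) or differ from it. Here every NTP query from loc is answered by the
# firewall's own ntpd, whatever server the client asked for.
REDIRECT     loc                  123                    tcp,udp  123
# REDIRECT that does change the port: accept on 2222, hand to sshd on 22.
REDIRECT     net:203.0.113.0/24   22                     tcp      2222
#
# DNAT: forward to a host behind the firewall, never to the firewall itself.
# (10.10.10.20 is an assumed RDP host in the loc zone.)
DNAT         net:203.0.113.0/24   loc:10.10.10.20:3389   tcp      3389
```

After editing, `shorewall check` validates the file without applying it, and `shorewall show nat` lets you confirm that only the REDIRECT and DNAT lines produced nat-table entries while the ACCEPT lines landed in the filter table, which is the practical distinction behind Bill's advice.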