[Firehol-support] Drop original port of redirect/forwarding

Alexander Schomburg script.acc at alex.schomb.org
Mon Mar 7 18:40:41 GMT 2016


Hello there,

I recently discovered FireHOL (which is awesome by the way, thanks!) and just setup my first FireHOL firewall on a router. Most things work great, although it is a pity that there are no v2+ packages available in Debian stable repositories.

I’m experiencing a configuration issue I don’t know how to solve. How can I drop IPv4 packages for an interface if there are packages being redirected to the same port that should be allowed?

Let’s look at this example: I’m running SSHd on localhost:22. I want my LAN clients (eth0) to be able to access the SSHd via the default port 22, but all Internet clients (ppp+) should reach the daemon only via port 22222.

This is my current config that does work, but still allows Internet clients (ppp+) to access SSHd via both the default port and port 22222. How can I drop packages to port 22 that were not redirected from port 22222? Specifying dport on the "server ssh accept" will be ignored by FireHOL, probably because it doesn't know about the destination port anymore after redirecting.

##############################
version 5

redirect to 22 inface ppp+ proto tcp dport 22222

interface eth0 lan src 192.168.0.0/24
  policy accept

interface ppp+ internet src not "192.168.0.0/24 ${UNROUTABLE_IPS}"
  protection strong
  server ssh accept
  server ident reject with tcp-reset
  client all accept

router internet2lan inface ppp+ outface eth0 dst 192.168.0.0/24
  protection strong
  server ident reject with tcp-reset
  client all accept
  masquerade reverse
##############################

Thanks for your help and best regards,

Alex
