[Firehol-support] Drop original port of redirect/forwarding
Alexander Schomburg
script.acc at alex.schomb.org
Mon Mar 7 18:40:41 GMT 2016
Hello there,
I recently discovered FireHOL (which is awesome by the way, thanks!) and just set up my first FireHOL firewall on a router. Most things work great, although it is a pity that there are no v2+ packages available in Debian stable repositories.
I’m experiencing a configuration issue I don’t know how to solve. How can I drop IPv4 packages for an interface if there are packages being redirected to the same port that should be allowed?
Let’s look at this example: I’m running SSHd on localhost:22. I want my LAN clients (eth0) to be able to access the SSHd via the default port 22, but all Internet clients (ppp+) should reach the daemon only via port 22222.
This is my current config that does work, but still allows Internet clients (ppp+) to access SSHd via both the default port and port 22222. How can I drop packages to port 22 that were not redirected from port 22222? Specifying dport on the "server ssh accept" will be ignored by FireHOL, probably because it doesn't know about the destination port anymore after redirecting.
##############################
version 5

# NAT: Internet clients hitting tcp/22222 are redirected to the local sshd on 22
redirect to 22 inface ppp+ proto tcp dport 22222

interface eth0 lan src 192.168.0.0/24
	policy accept

# straight quotes required here; typographic quotes break the shell-style parsing
interface ppp+ internet src not "192.168.0.0/24 ${UNROUTABLE_IPS}"
	protection strong
	server ssh accept
	server ident reject with tcp-reset
	client all accept

router internet2lan inface ppp+ outface eth0 dst 192.168.0.0/24
	protection strong
	server ident reject with tcp-reset
	client all accept
	masquerade reverse
##############################
Thanks for your help and best regards,
Alex
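The mechanism behind the problem in the post, shown as an added example in plain iptables rather than FireHOL syntax (this is not the poster's config and not FireHOL's own code): REDIRECT runs in nat/PREROUTING, so filter/INPUT only ever sees dport 22, but the conntrack entry still carries the original destination port and xt_conntrack can match on it with `--ctorigdstport`. Interface names and ports are taken from the post; everything else is an assumption.

```shell
#!/bin/sh
# Added example: iptables equivalent of "sshd reachable from ppp+ only via 22222".
# Assumptions: sshd on tcp/22, LAN on eth0, Internet on ppp+ (all from the post).
WAN_IF="ppp+"
LAN_IF="eth0"
SSH_PORT=22
PUBLIC_PORT=22222

# Emit the rule set as text so it can be reviewed before it is applied.
build_rules() {
  cat <<EOF
iptables -t nat -A PREROUTING -i $WAN_IF -p tcp --dport $PUBLIC_PORT -j REDIRECT --to-ports $SSH_PORT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $LAN_IF -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -i $WAN_IF -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW --ctorigdstport $PUBLIC_PORT -j ACCEPT
iptables -A INPUT -i $WAN_IF -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -j DROP
EOF
}

# Sanity check on the generated rules: the only WAN accept for port 22 must be
# conditioned on the original destination port, and a direct hit must be dropped.
check_policy() {
  rules=$(build_rules)
  echo "$rules" | grep -q -- "-i $WAN_IF .*--ctorigdstport $PUBLIC_PORT -j ACCEPT" || return 1
  echo "$rules" | grep -q -- "-i $WAN_IF -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -j DROP" || return 1
  return 0
}

# Dry run by default; "apply" executes the commands (needs root and iptables).
if [ "${1:-dry-run}" = "apply" ]; then
  check_policy && build_rules | sh -e
else
  build_rules
fi
```

After applying, `iptables -t nat -L PREROUTING -nv` and `iptables -L INPUT -nv` show the counters on the REDIRECT and DROP rules, so a direct connection attempt to port 22 from the ppp+ side is visible as a hit on the DROP rule.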