[Firehol-support] Drop original port of redirect/forwarding

Tsaousis, Costa costa at tsaousis.gr
Mon Mar 7 19:26:29 GMT 2016


Hi Alexander, the easiest way is to send tcp/22 to the discard port:

redirect to 7 inface ppp+ proto tcp dport 22

There are also more "exotic" ways, like marking the incoming packets on
tcp/22222 and accepting only the marked packets on `server ssh accept`. But
stick to simplicity, send the illegal packets to the discard port.

Costa


On Mon, Mar 7, 2016 at 8:40 PM, Alexander Schomburg <
script.acc at alex.schomb.org> wrote:

> Hello there,
>
> I recently discovered FireHOL (which is awesome by the way, thanks!) and
> just setup my first FireHOL firewall on a router. Most things work great,
> although it is a pity that there are no v2+ packages available in Debian
> stable repositories.
>
> I’m experiencing a configuration issue I don’t know how to solve. How can
> I drop IPv4 packages for an interface if there are packages being
> redirected to the same port that should be allowed?
>
> Let’s look at this example: I’m running SSHd on localhost:22. I want my
> LAN clients (eth0) to be able to access the SSHd via the default port 22,
> but all Internet clients (ppp+) should reach the daemon only via port 22222.
>
> This is my current config that does work, but still allows Internet
> clients (ppp+) to access SSHd via both the default port and port 22222. How
> can I drop packages to port 22 that were not redirected from port 22222?
> Specifying dport on the „server ssh accept“ will be ignored by FireHOL,
> probably because it doesn’t know about the destination port anymore after
> redirecting.
>
> ##############################
> version 5
>
> redirect to 22 inface ppp+ proto tcp dport 22222
>
> interface eth0 lan src 192.168.0.0/24
>   policy accept
>
> interface ppp+ internet src not „192.168.0.0/24 ${UNROUTABLE_IPS}"
>   protection strong
>   server ssh accept
>   server ident reject with tcp-reset
>   client all accept
>
> router internet2lan inface ppp+ outface eth0 dst 192.168.0.0/24
>   protection strong
>   server ident reject with tcp-reset
>   client all accept
>   masquerade reverse
> ##############################
>
> Thanks for your help and best regards,
>
> Alex
> _______________________________________________
> Firehol-support mailing list
> Firehol-support at lists.firehol.org
> http://lists.firehol.org/mailman/listinfo/firehol-support



More information about the Firehol-support mailing list