On 02/12/2016 12:28 PM, Bob Goodwin wrote:
> On 02/12/16 15:10, Rick Stevens wrote:
>> Not sure which firewall you're using. Judging by your description of its
>> behavior, the odds are that the (unless otherwise specified) default
>> protocol the rules affect is TCP. If that's the case, yes, your rules
>> would prevent TCP-based activity (telnet, ssh, web, etc.) from working,
>> but would NOT prevent UDP-based traffic (normal DNS queries for
>> instance) or ICMP-based traffic (such as ping, traceroute, etc.).
>> There's a whole lot of protocols that come under the "IP" umbrella.
>> Dump out the content of /etc/protocols if you want to see a (fairly
>> complete, but not exhaustive) list of what's out there.
>
> The example I chose had an entry for protocol in it but I removed that
> thinking I did not want to limit it to one, false logic I guess?
>
>     config rule
>         option src lan
>         option src_ip 192.168.1.7
>         option dest wan
>         # option proto tcp
>         option target REJECT
>
> The objective is to protect my servers which I want connected to the LAN
> but not the internet. The firewall is in the router, openwrt, I want to
> set up.
As I said in another post, my guess is that it affects TCP and UDP.
The rule you commented out would have made it apply to TCP only. In
neither case does it affect ICMP (which is what ping uses) and you
probably need to add a specific rule for that.

I haven't played with openwrt. I did play with ddwrt back in the day,
but looking at openwrt's website, by default the protocol is "tcpudp"
as I surmised. The available choices are:

"Can be one of tcp, udp, tcpudp, udplite, icmp, esp, ah, sctp, or all or
it can be a numeric value, representing one of these protocols or a
different one. A protocol name from /etc/protocols is also allowed. The
number 0 is equivalent to all."

So you could uncomment the "proto" line and change it from "tcp" to
either "all" or "0" to block all traffic, regardless of the underlying
protocol.

In some respects, you really don't need to do any of this. According to
openwrt, the default firewall rules block all _incoming_ traffic from
the WAN unless the traffic is related to already established sessions or
NAT. You're pretty safe.

If you want to really block that one server from ever talking to
anything except the LAN, then yeah, add the rule above but include the
"option proto all" thing. Unless you think someone has put some "dig up
info and leak it to some nefarious site somewhere" software on that
server, I don't think it's necessary but you know your situation much
better than I.
----------------------------------------------------------------------
- Rick Stevens, Systems Engineer, AllDigital ricks@xxxxxxxxxxxxxx -
- AIM/Skype: therps2 ICQ: 226437340 Yahoo: origrps2 -
- -
----------------------------------------------------------------------
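An added example, not from either poster, showing Bob's rule as posted (proto left commented out, so OpenWrt's "tcpudp" default applies) next to the same rule with `option proto all` as Rick suggests. The /etc/config/firewall location and the 192.168.1.7 address come from the thread; the rule names are assumptions.

```uci
# /etc/config/firewall fragment (added example, not from the thread).

# Variant 1: proto commented out. OpenWrt applies its default, "tcpudp",
# so 192.168.1.7 is rejected for TCP and UDP toward the WAN but can still
# send ICMP (ping, traceroute) and any other IP protocol (ESP, AH, SCTP...).
config rule
	option name 'srv7-no-wan-tcpudp'   # rule name is an assumption
	option src 'lan'
	option src_ip '192.168.1.7'
	option dest 'wan'
	# option proto 'tcp'                # absent: default "tcpudp" applies
	option target 'REJECT'

# Variant 2: proto set to "all" (the docs say 0 is equivalent), so every
# IP protocol from 192.168.1.7 toward the WAN is rejected, ICMP included.
config rule
	option name 'srv7-no-wan-all'      # rule name is an assumption
	option src 'lan'
	option src_ip '192.168.1.7'
	option dest 'wan'
	option proto 'all'
	option target 'REJECT'
```

Only one of the two rules is needed; after editing the file, `/etc/init.d/firewall restart` reloads it, and a ping from 192.168.1.7 to a WAN address is the quick check that variant 2 (and only variant 2) now fails.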
--
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org