On 02/12/16 15:53, Rick Stevens wrote:
The objective is to protect my servers which I want connected to the LAN but not the internet. The firewall is in the router, openwrt, I want to set up.

As I said in another post, my guess is that it affects TCP and UDP. The rule you commented out would have made it apply to TCP only. In neither case does it affect ICMP (which is what ping uses) and you probably need to add a specific rule for that.

I haven't played with openwrt. I did play with ddwrt back in the day, but looking at openwrt's website, by default the protocol is "tcpudp" as I surmised. The available choices are:

"Can be one of tcp, udp, tcpudp, udplite, icmp, esp, ah, sctp, or all or it can be a numeric value, representing one of these protocols or a different one. A protocol name from /etc/protocols is also allowed. The number 0 is equivalent to all."

So you could uncomment the "proto" line and change it from "tcp" to either "all" or "0" to block all traffic, regardless of the underlying protocol.

In some respects, you really don't need to do any of this. According to openwrt, the default firewall rules block all _incoming_ traffic from the WAN unless the traffic is related to already established sessions or NAT. You're pretty safe.

If you want to really block that one server from ever talking to anything except the LAN, then yeah, add the rule above but include the "option proto all" thing. Unless you think someone has put some "dig up info and leak it to some nefarious site somewhere" software on that server, I don't think it's necessary but you know your situation much better than I.
I'm not a very sophisticated user; this is just mostly a home system. However, I have a number of other family members storing data also, and I owe it to them to try and do things right.

I also need to add the ability to block some users when my available usage begins to run close to the limit.

Openwrt has a wiki with some examples which I am trying to adapt; that requires more understanding than I had. I may even learn something doing this. Thanks much for the help.
Bob
--
Bob Goodwin - Zuni, Virginia, USA
http://www.qrz.com/db/W2BOD
box10 FEDORA-23/64bit LINUX XFCE POP3
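The "proto" semantics quoted above, worked through as an added example (not code from the thread or from OpenWrt): a small checker that parses a /etc/config/firewall fragment and reports which of TCP, UDP and ICMP each rule actually matches, so you can see that the draft "tcp" rule would never touch ping while "all" or "0" would. The rule names, the 192.168.1.10 server address and the sample config are constructed; the numeric-protocol table uses the IANA numbers, and space-separated protocol lists are accepted because firewall3 allows them.

```python
# Checker for OpenWrt /etc/config/firewall rules: does a rule's "proto"
# option match the traffic you think it blocks?  Added illustration, not
# OpenWrt code; the sample config and 192.168.1.10 are constructed.

IANA = {"1": "icmp", "6": "tcp", "17": "udp", "50": "esp", "51": "ah",
        "132": "sctp", "136": "udplite"}   # numeric forms of the names
DEFAULT_PROTO = "tcpudp"                  # OpenWrt's default when proto is unset

SAMPLE_CONFIG = """
config rule
    option name 'server-to-wan-draft'
    option src 'lan'
    option src_ip '192.168.1.10'
    option dest 'wan'
    option proto 'tcp'
    option target 'REJECT'

config rule
    option name 'server-to-wan-fixed'
    option src 'lan'
    option src_ip '192.168.1.10'
    option dest 'wan'
    option proto 'all'
    option target 'REJECT'
"""

def parse_uci(text):
    """Minimal UCI parser: one dict per 'config' section, options as keys."""
    sections = []
    for raw in text.splitlines():
        parts = raw.strip().split(None, 2)
        if not parts:
            continue
        if parts[0] == "config" and len(parts) > 1:
            sections.append({".type": parts[1]})
        elif parts[0] == "option" and len(parts) == 3 and sections:
            sections[-1][parts[1]] = parts[2].strip("'\"")
    return sections

def rule_matches(rule, proto):
    """True if the rule's proto option covers IP protocol `proto` (e.g. 'icmp')."""
    wanted = set()
    for tok in rule.get("proto", DEFAULT_PROTO).split():   # fw3 accepts a list
        tok = IANA.get(tok, tok.lower())                    # '6' -> 'tcp', etc.
        if tok in ("all", "0"):                             # "0 is equivalent to all"
            return True
        wanted.update(("tcp", "udp") if tok == "tcpudp" else (tok,))
    return proto in wanted

def audit(text, protos=("tcp", "udp", "icmp")):
    """Map each rule's name to the sorted list of protocols it matches."""
    return {r.get("name", "?"): sorted(p for p in protos if rule_matches(r, p))
            for r in parse_uci(text) if r[".type"] == "rule"}

if __name__ == "__main__":
    for name, matched in audit(SAMPLE_CONFIG).items():
        print(f"{name}: matches {matched}")  # draft -> ['tcp']; fixed -> ['icmp', 'tcp', 'udp']
```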
--
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org