Re: Block connection in firewall -


On 02/12/16 15:53, Rick Stevens wrote:
The objective is to protect my servers which I want connected to the LAN but not the internet. The firewall is in the router, openwrt, I want to set up.

As I said in another post, my guess is that it affects TCP and UDP. The rule you commented out would have made it apply to TCP only. In neither case does it affect ICMP (which is what ping uses) and you probably need to add a specific rule for that.

I haven't played with openwrt. I did play with ddwrt back in the day, but looking at openwrt's website, by default the protocol is "tcpudp" as I surmised. The available choices are:

"Can be one of tcp, udp, tcpudp, udplite, icmp, esp, ah, sctp, or all or it can be a numeric value, representing one of these protocols or a different one. A protocol name from /etc/protocols is also allowed. The number 0 is equivalent to all."

So you could uncomment the "proto" line and change it from "tcp" to either "all" or "0" to block all traffic, regardless of the underlying protocol.

In some respects, you really don't need to do any of this. According to openwrt, the default firewall rules block all _incoming_ traffic from the WAN unless the traffic is related to already established sessions or NAT. You're pretty safe.

If you want to really block that one server from ever talking to anything except the LAN, then yeah, add the rule above but include the "option proto all" thing. Unless you think someone has put some "dig up info and leak it to some nefarious site somewhere" software on that server, I don't think it's necessary but you know your situation much better than I.

I'm not a very sophisticated user, this is just mostly a home system. However I have a number of other family members storing data also and I owe it to them to try and do things right.

I also need to add the ability to block some users when my available usage begins to run close to the limit. Openwrt has a wiki with some examples which I am trying to adapt; that requires more understanding than what I had. I may even learn something doing this, thanks much for the help.

Bob


--
Bob Goodwin - Zuni, Virginia, USA
http://www.qrz.com/db/W2BOD
box10  FEDORA-23/64bit LINUX XFCE POP3
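An added example (not from either poster) of the /etc/config/firewall rule the thread is discussing: a LAN-to-WAN rule for one server, with the "proto tcp" line replaced by "proto all" so that ICMP and everything else are covered, not just TCP/UDP. The zone names "lan"/"wan" are OpenWrt's defaults; the server address is a made-up placeholder.

```conf
# /etc/config/firewall (OpenWrt UCI syntax)
# Rejects all traffic from one LAN host toward the WAN zone.
# Incoming WAN traffic is already dropped by the default rules;
# this rule covers the server's *outbound* direction.
config rule
    option name     'block-server-to-wan'
    option src      'lan'
    option src_ip   '192.168.1.10'   # placeholder: the server's LAN address
    option dest     'wan'
    # option proto 'tcp'            # too narrow: leaves UDP and ICMP (ping) open
    option proto    'all'           # '0' is equivalent; matches every IP protocol
    option target   'REJECT'        # or 'DROP' to discard silently
```

After editing, apply it with "/etc/init.d/firewall restart" and confirm with a ping from the server to an outside address (it should fail) and from another LAN host (it should still work).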

--
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org


