On 2023-04-28 09:04, Per Jessen wrote:
Carlos E. R. wrote:
It did not like this:
<rule family="ipv4">
  <source address="192.168.0.0/16"/>
  <service name="ssh"/>
  <accept limit value="3/m" />
</rule>
Obviously - an experienced XML editor will spot that immediately :-)
Well, the manual wasn't clear for a non-experienced editor. Still, that was the single error, and I reduced the file from 12812 to 9609 bytes :-)
rich rules:
rule family="ipv4" source address="192.168.0.0/16" service name="https" accept
rule family="ipv4" source address="192.168.1.128/32" port port="2908" protocol="udp" accept
rule family="ipv4" source address="192.168.1.57/32" accept
rule family="ipv4" source address="192.168.1.54/32" accept
[snip 50 rules]
I have to admit, for a local network it certainly seems overly complex. You should be happy you only have a few machines ....
A local network with a non-working external firewall protecting it. I initially did it, long ago, for learning and because I did not trust the Telefónica firewall. I was right: old routers did not enable the firewall by default, they relied on NAT. Before them, modems did not have a firewall, but there was no LAN either.
I have not dared to write comments, though.
As long as they were syntactically correct, they would have been fine, even if short-lived.
I may write them; I can use the software to create some new rule, see what change they wrote to the file, then enact the old file with edited new rules instead. Some of the comments may come from the old SuSEfirewall2 file.
I want to change as many port numbers to services as I can. It is tiring.
I had to change the initial block to rules instead, in order to accept them only for IPv4:
<service name="ssh"/>
<service name="dns"/>
<service name="http"/>
<service name="https"/>
<service name="mountd"/>
<service name="nfs"/>
<service name="nfs3"/>
<service name="rpc-bind"/>
<service name="ntp"/>
This is based on
a) the ipv6 firewall in your router not working, hence b) you need to block things on the local machines ?
Right.
Why do you want to block ssh, dns, http/s and ntp? As for nfs, that also seems somewhat unnecessary when your nfs server presumably only exports to known ipv4 hosts.
I want to block them only on IPv6. For example, http accesses the wrong apache virtual host, the internal one, from outside. For now, it is easier to block it rather than find out why. For ssh, well, the intranet is on passwords, not keys. nfs, yes, right, only exports to some hosts. The others, I simply have not checked. Easier to block rather than check. The external nmap revealed opened ports. Later, I can open to IPv6 the things that I know I need/want. I'm still debating with myself whether I want: rule priority="10" source mac="CC:..." reject with or without priority.
I don't understand what the next block is. Do I really need it?
<icmp-block name="this-and-that"/>
I presume it was migrated from your SFW2 setup, so I guess you needed it previously.
I never wrote those. They must be default rules.
I have nothing like it - I don't know why you would need to block all of those, individually. If (!) there are some unwanted ICMPs, block those, then allow the rest.
Me neither.
[snip 366 lines that might have been better put on paste.o.o]
Oops. That many? Well, only 26 Kb total.

--
Cheers / Saludos,
Carlos E. R.
(from 15.4 x86_64 at Telcontar)
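The two points raised in the thread (the rejected `<accept limit value="3/m" />` fragment, and turning a bare `<service>` list into IPv4-only rich rules) can be checked mechanically. The script below is an added example, not code from the thread or from firewalld itself; SAMPLE_ZONE and BAD_RULE are constructed inputs, and the checks reflect firewalld's zone XML format, where `<limit>` is a child element of `<accept>`/`<reject>`/`<drop>` and a rule without `family=` applies to both address families.

```python
import xml.etree.ElementTree as ET

# Constructed zone XML, not the file from the thread. The top-level <service>
# entries apply to both IPv4 and IPv6; the rich rule shows the correct nesting
# for a rate limit (<limit> as a child of <accept>, not an attribute on it).
SAMPLE_ZONE = """<zone>
  <short>Constructed</short>
  <service name="ssh"/>
  <service name="https"/>
  <rule family="ipv4">
    <source address="192.168.0.0/16"/>
    <service name="ssh"/>
    <accept><limit value="3/m"/></accept>
  </rule>
</zone>"""

# The fragment the thread says was rejected: "limit" has no value, so this is
# not even well-formed XML and the parser stops before firewalld gets to it.
BAD_RULE = '<rule family="ipv4"><service name="ssh"/><accept limit value="3/m" /></rule>'

ACTIONS = ("accept", "reject", "drop", "mark")

def check_zone(xml_text):
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as e:
        return [f"not well-formed XML: {e}"]
    findings = []
    for rule in root.iter("rule"):
        if rule.get("family") is None:
            findings.append("rule without family= applies to both IPv4 and IPv6")
        for action in ACTIONS:
            for el in rule.findall(action):
                if "limit" in el.attrib:
                    findings.append(f"<{action}> has limit as an attribute; nest <limit value=.../> inside it")
                for lim in el.findall("limit"):
                    if not lim.get("value"):
                        findings.append(f"<limit> under <{action}> has no value=")
    return findings

def services_to_rules(xml_text, family="ipv4", source=None):
    """Rewrite top-level <service> entries (both families) as rich rules for one family."""
    root = ET.fromstring(xml_text)
    rules = []
    for svc in root.findall("service"):
        rule = ET.Element("rule", family=family)
        if source:  # optional <source address=.../> to restrict the rule to the LAN
            ET.SubElement(rule, "source", address=source)
        ET.SubElement(rule, "service", name=svc.get("name"))
        ET.SubElement(rule, "accept")
        rules.append(ET.tostring(rule, encoding="unicode"))
    return rules
```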