On 2023-04-28 14:34, Per Jessen wrote:
Carlos E. R. wrote:
On 2023-04-28 09:04, Per Jessen wrote:
Carlos E. R. wrote:
It did not like this:
<rule family="ipv4">
  <source address="192.168.0.0/16"/>
  <service name="ssh"/>
  <accept limit value="3/m" />
</rule>
Obviously - an experienced XML editor will spot that immediately :-)
Well, the manual wasn't clear for a non-experienced editor.
Maybe recall a recent thread about the manual editing ... oh never mind :-)
I have to admit, for a local network it certainly seems overly complex. You should be happy you only have a few machines ....
A local network with a non-working external firewall protecting it.
The latter should not affect the complexity, I would say. Most of your rich rules are unrelated to that. Afaict, you are restricting access internally?
The default is, I believe, all ports closed, except those explicitly opened. So I open those I need. Or needed, I don't remember what those ports were needed for.
I was right, old routers did not enable the firewall by default, they relied on NAT. Before them, modems did not have a firewall, but there was no LAN either.
We are talking quite a while back, late 1800s?
Year 1800? :-D
Why do you want to block ssh, dns, http/s and ntp? As for nfs, that also seems somewhat unnecessary when your nfs server presumably only exports to known ipv4 hosts.
I want to block them only on IPv6.
For example, http accesses the wrong apache virtual host, the internal one, from outside. For now, it is easier to block it rather than find out why. For ssh, well, the intranet is on password, not keys.
Oh I see.
I don't understand what the next block is. Do I really need it?
<icmp-block name="this-and-that"/>
I presume it was migrated from your SFW2 setup, so I guess you needed it previously.
I never wrote those. They must be default rules.
Maybe check one of your other machines still using SFW2. You ought to see a long list of rules targeting those icmps.
Oh, I have the file of this machine intact.

Isengard:/etc/firewalld/zones # grep -i address-unreachable /etc/sysconfig/SuSEfirewall2
Isengard:/etc/firewalld/zones #

The reference is not there, it has to be some default.

--
Cheers / Saludos,
Carlos E. R.
(from 15.4 x86_64 at Telcontar)
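The rule firewalld rejected above mixes the rich-language word order (`accept limit value=...`) into the zone XML, where `limit` is a child element of `accept`, not an attribute. Added example, not from the thread: the same ssh rate-limit rule in the form firewalld.zone(5) documents, with the equivalent rich-language command in a comment (the zone name "internal" is assumed).

```xml
<!-- /etc/firewalld/zones/internal.xml (zone name assumed) -->
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Internal</short>
  <!-- Accept ssh from the LAN, but at most 3 new connections per minute
       per rule; excess attempts are simply not accepted. -->
  <rule family="ipv4">
    <source address="192.168.0.0/16"/>
    <service name="ssh"/>
    <accept>
      <limit value="3/m"/>
    </accept>
  </rule>
  <!-- Equivalent runtime rule via the rich language, where the limit
       does follow the action (this is what the XML above was copied from):
       firewall-cmd --zone=internal --add-rich-rule='rule family="ipv4"
         source address="192.168.0.0/16" service name="ssh"
         accept limit value="3/m"'
       Add --permanent to write it into this file instead. -->
</zone>
```

Check the result with `firewall-cmd --zone=internal --list-rich-rules` after `firewall-cmd --reload`; a zone file with a malformed rule is skipped with a parse error in the firewalld log rather than applied partially.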