Carlos E. R. wrote:
On 2023-04-28 09:04, Per Jessen wrote:
Carlos E. R. wrote:
It did not like this:
<rule family="ipv4"> <source address="192.168.0.0/16"/> <service name="ssh"/> <accept limit value="3/m" /> </rule>
Obviously - an experienced XML editor will spot that immediately :-)
Well, the manual wasn't clear for a non-experienced editor.
Maybe recall a recent thread about the manual editing ... oh never mind :-)
I have to admit, for a local network it certainly seems overly complex. You should be happy you only have a few machines ....
A local network with a non-working external firewall protecting it.
The latter should not affect the complexity, I would say. Most of your rich rules are unrelated to that. Afaict, you are restricting access internally?
I was right, old routers did not enable the firewall by default, they relied on NAT. Before them, modems did not have a firewall, but there was no LAN either.
We are talking quite a while back, late 1800s?
Why do you want to block ssh, dns, http/s and ntp? As for nfs, that also seems somewhat unnecessary when your nfs server presumably only exports to known ipv4 hosts.
I want to block them only on IPv6.
For example, http access the wrong apache virtual host, the internal one, from outside. For now, it is easier to block it rather than find out why. For ssh, well, the intranet is on password, not keys.
Oh I see.
I don't understand what the next block is. Do I really need it?
<icmp-block name="this-and-that"/>
I presume it was migrated from your SFW2 setup, so I guess you needed it previously.
I never wrote those. They must be default rules.
Maybe check one of your other machines still using SFW2. You ought to see a long list of rules targeting those icmps.

-- 
Per Jessen, Zürich (16.5°C)
Member, openSUSE Heroes (2016 - present)
We're hiring - https://en.opensuse.org/openSUSE:Heroes
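The rule firewalld rejected earlier in the thread fails for the reason Per hints at: `<accept limit value="3/m" />` is not well-formed XML, because `limit` is an attribute with no value. In firewalld's zone file format the rate limit is a `<limit>` child element of the action, as in `<accept><limit value="3/m"/></accept>`, and the equivalent firewall-cmd rich-rule string is `rule family="ipv4" source address="192.168.0.0/16" service name="ssh" accept limit value="3/m"`. The script below is an added example, not code from the thread or from the firewalld project; it lints rich rules in a zone file before a reload (well-formedness, exactly one action, limit as a child element with a sane value) and renders a clean rule in the firewall-cmd string form. The sample zone is constructed here, and the `3/m` limit syntax and element layout follow firewalld.zone(5) and firewalld.richlanguage(5).

```python
import re
import xml.etree.ElementTree as ET

# Actions a rich rule may carry; in zone XML, <limit> nests inside the action.
ACTIONS = ("accept", "reject", "drop", "mark")
# firewalld limit values look like "3/m": a count per second, minute, hour or day.
LIMIT_RE = re.compile(r"^[1-9][0-9]*/[smhd]$")

# Copy of the fragment the thread says firewalld did not like (constructed here).
BROKEN_RULE = ('<rule family="ipv4"> <source address="192.168.0.0/16"/> '
               '<service name="ssh"/> <accept limit value="3/m" /> </rule>')
# The same rule with the limit written as a child element of <accept>.
FIXED_RULE = ('<rule family="ipv4"> <source address="192.168.0.0/16"/> '
              '<service name="ssh"/> <accept> <limit value="3/m"/> </accept> </rule>')

# Constructed sample zone: one good rule and one well-formed but wrong rule
# (limit as an attribute, which firewalld does not understand).
SAMPLE_ZONE = """<zone>
  <short>Constructed sample zone</short>
  <service name="ssh"/>
  %s
  <rule family="ipv6"> <service name="ssh"/> <accept limit="3/m"/> </rule>
</zone>
""" % FIXED_RULE


def _lint_rule_element(rule):
    """Check one parsed <rule> element; returns a list of problems (empty = fine)."""
    if rule.tag != "rule":
        return ["expected a <rule> element, got <%s>" % rule.tag]
    problems = []
    family = rule.get("family")
    if family not in (None, "ipv4", "ipv6"):
        problems.append("unknown family %r" % family)
    actions = [child for child in rule if child.tag in ACTIONS]
    if len(actions) != 1:
        problems.append("a rule needs exactly one action, found %d" % len(actions))
    for action in actions:
        if "limit" in action.attrib:
            problems.append("limit must be a <limit> child of <%s>, not an attribute"
                            % action.tag)
        for limit in action.findall("limit"):
            value = limit.get("value", "")
            if not LIMIT_RE.match(value):
                problems.append("bad limit value %r (expected e.g. 3/m)" % value)
    return problems


def lint_rule(xml_text):
    """Lint a <rule> fragment given as text; a parse error is reported as a problem."""
    try:
        rule = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # <accept limit value="3/m"/> lands here: 'limit' is an attribute without a value.
        return ["not well-formed XML: %s" % exc]
    return _lint_rule_element(rule)


def lint_zone(zone_xml):
    """Lint every <rule> in a zone file; returns {rule index: problems} for bad rules only."""
    try:
        zone = ET.fromstring(zone_xml)
    except ET.ParseError as exc:
        return {"zone": ["not well-formed XML: %s" % exc]}
    report = {}
    for index, rule in enumerate(zone.findall("rule")):
        problems = _lint_rule_element(rule)
        if problems:
            report[index] = problems
    return report


def to_rich_rule(xml_text):
    """Render a clean <rule> fragment as the string firewall-cmd --add-rich-rule takes."""
    if lint_rule(xml_text):
        raise ValueError("refusing to render a rule that does not lint cleanly")
    rule = ET.fromstring(xml_text)
    parts = ["rule"]
    if rule.get("family"):
        parts.append('family="%s"' % rule.get("family"))
    for child in rule:
        attrs = " ".join('%s="%s"' % item for item in child.attrib.items())
        parts.append((child.tag + " " + attrs).strip())
        if child.tag in ACTIONS:
            for limit in child.findall("limit"):
                parts.append('limit value="%s"' % limit.get("value"))
    return " ".join(parts)


if __name__ == "__main__":
    print("broken rule:", lint_rule(BROKEN_RULE))
    print("fixed rule:", lint_rule(FIXED_RULE) or "ok")
    print("rich rule:", to_rich_rule(FIXED_RULE))
    print("zone report:", lint_zone(SAMPLE_ZONE))
```

Run it against a real zone file by passing the file's contents to `lint_zone` before `firewall-cmd --reload`; an empty report means every rule parsed and had its limit in the place firewalld expects, which is the check that would have caught the fragment above before the reload failed.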