Carlos E. R. wrote:
> It did not like this:
> <rule family="ipv4"> <source address="192.168.0.0/16"/> <service name="ssh"/> <accept limit value="3/m" /> </rule>
Obviously - an experienced XML editor will spot that immediately :-)
> rich rules:
> rule family="ipv4" source address="192.168.0.0/16" service name="https" accept
> rule family="ipv4" source address="192.168.1.128/32" port port="2908" protocol="udp" accept
> rule family="ipv4" source address="192.168.1.57/32" accept
> rule family="ipv4" source address="192.168.1.54/32" accept
> [snip 50 rules]
I have to admit, for a local network it certainly seems overly complex. You should be happy you only have a few machines ....
> I have not dared to write comments, though.
As long as they were syntactically correct, they would have been fine, even if short-lived.
> I want to change as many port numbers to services as I can. It is tiring.
> I had to change the initial block to rules instead, in order to accept them only for IPv4:
> <service name="ssh"/>
> <service name="dns"/>
> <service name="http"/>
> <service name="https"/>
> <service name="mountd"/>
> <service name="nfs"/>
> <service name="nfs3"/>
> <service name="rpc-bind"/>
> <service name="ntp"/>
This is based on a) the ipv6 firewall in your router not working, hence b) you need to block things on the local machines? Why do you want to block ssh, dns, http/s and ntp? As for nfs, that also seems somewhat unnecessary when your nfs server presumably only exports to known ipv4 hosts.
> I don't understand what the next block is. Do I really need it?
> <icmp-block name="this-and-that"/>
I presume it was migrated from your SFW2 setup, so I guess you needed it previously. I have nothing like it - I don't know why you would need to block all of those, individually. If (!) there are some unwanted ICMPs, block those, then allow the rest.

[snip 366 lines that might have been better put on paste.o.o]

-- 
Per Jessen, Zürich (13.2°C)
Member, openSUSE Heroes (2016 - present)
We're hiring - https://en.opensuse.org/openSUSE:Heroes
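As an added illustration (not part of the thread, and not firewalld's own code): a small Python check that first tells you whether a zone fragment is even well-formed XML, which is exactly what tripped over the `<accept limit value="3/m" />` line above, and then renders each `<rule>` in the rich-language string form that `firewall-cmd --list-rich-rules` prints. The zone fragments below are constructed samples, not Carlos's actual file.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the rule as the thread says firewalld rejected it.
# "limit" is not a valid attribute here, and with no value it is not even XML.
BROKEN_FRAGMENT = ('<rule family="ipv4"> <source address="192.168.0.0/16"/> '
                   '<service name="ssh"/> <accept limit value="3/m" /> </rule>')

# Constructed sample zone: the same rule written the way firewalld.zone(5)
# expects it (<limit> is a child of <accept>), plus one port-based rule.
FIXED_ZONE = """<zone>
  <short>lan</short>
  <rule family="ipv4">
    <source address="192.168.0.0/16"/>
    <service name="ssh"/>
    <accept><limit value="3/m"/></accept>
  </rule>
  <rule family="ipv4">
    <source address="192.168.1.128/32"/>
    <port port="2908" protocol="udp"/>
    <accept/>
  </rule>
</zone>"""


def well_formed(xml_text):
    """Return None if the text parses as XML, else the parser's message
    (it includes line and column, which is what you need to find the typo)."""
    try:
        ET.fromstring(xml_text)
        return None
    except ET.ParseError as err:
        return str(err)


def rule_to_rich(rule):
    """Render one <rule> element in firewalld's rich-language string syntax."""
    parts = ["rule"]
    if "family" in rule.attrib:
        parts.append('family="%s"' % rule.attrib["family"])
    for child in rule:                      # source, service, port, action, ...
        attrs = " ".join('%s="%s"' % kv for kv in child.attrib.items())
        parts.append(child.tag + (" " + attrs if attrs else ""))
        limit = child.find("limit")         # only actions and log carry <limit>
        if limit is not None:
            parts.append('limit value="%s"' % limit.attrib["value"])
    return " ".join(parts)


def zone_to_rich(xml_text):
    """List every <rule> of a zone file as a rich-rule string."""
    root = ET.fromstring(xml_text)
    return [rule_to_rich(r) for r in root.iter("rule")]
```

Running `well_formed(BROKEN_FRAGMENT)` reports the parse error at the `accept` element, while `zone_to_rich(FIXED_ZONE)` gives back the two rules in the same form as the `rich rules:` listing quoted above.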