On 2023-04-25 11:23, Andrei Borzenkov wrote:
On Tue, Apr 25, 2023 at 11:02 AM Carlos E. R. <robin.listas@telefonica.net> wrote:
With SuSEfirewall2 I used this rule:
FW_TRUSTED_NETS="192.168.1.15,tcp,smtp \
    192.168.1.15,tcp,ftp 192.168.1.15,tcp,ftp-data \
    192.168.1.15,udp,syslog 192.168.1.15,tcp,514 \
    192.168.1.15,udp,6666 192.168.1.15,icmp \
    192.168.1.15,tcp,nfs 192.168.1.15,udp,sunrpc"
Which allowed those ports only if coming from that machine.
And goalposts have been shifted again. First you wanted ports open to LAN but not WAN. Next you wanted ports open to WAN and LAN. And now you want ports opened to one specific address only.
I don't change goalposts, I simply realize I forget something, or talk about different machines. On the Beta machine, I only need to close to the WAN. On the "server" machine, I also need some ports open to the WAN. On my normal machine, I simply remembered that, when possible, I open ports not to the entire LAN, but to specific addresses in the LAN.
I'd like to know if there is a similar trick with firewalld.
Yes.
Yes, I have found that "susefirewall2-to-firewalld" is converting them.
However, even if it exists, on IPv6 the address used to enter is not one, but several, and the prefix changes.
You apparently indulge in beating the dead horse. Anybody forces you to use IPv6 at all? They took away IPv4 and it is no longer functional?
I'm just commenting on the hypothetical case of wanting to create such a rule for IPv6.

--
Cheers / Saludos,
Carlos E. R.
(from 15.4 x86_64 at Telcontar)
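
The per-source restriction discussed in this thread, as an added example that is not part of any message above and is not the output of susefirewall2-to-firewalld: a shell sketch that turns each IPv4 FW_TRUSTED_NETS entry into a firewalld rich rule and prints the firewall-cmd lines for review instead of running them. The zone name `internal` and the name-to-port table (standard /etc/services values) are assumptions.

```shell
#!/bin/sh
# Constructed input: the FW_TRUSTED_NETS entries quoted in the thread.
FW_TRUSTED_NETS="192.168.1.15,tcp,smtp 192.168.1.15,tcp,ftp 192.168.1.15,tcp,ftp-data
192.168.1.15,udp,syslog 192.168.1.15,tcp,514 192.168.1.15,udp,6666 192.168.1.15,icmp
192.168.1.15,tcp,nfs 192.168.1.15,udp,sunrpc"
ZONE=internal   # assumption: the zone bound to the LAN interface

# Rich-rule port= is emitted numerically, so map the service names first.
svc_port() {
    case "$1" in
        smtp)     echo 25 ;;
        ftp)      echo 21 ;;
        ftp-data) echo 20 ;;
        syslog)   echo 514 ;;
        nfs)      echo 2049 ;;
        sunrpc)   echo 111 ;;
        *[!0-9]*|'') return 1 ;;      # unknown name: refuse, do not guess
        *)        echo "$1" ;;        # already a port number
    esac
}

# $1 = "addr,proto[,port]"; prints one rich rule, fails on unknown services.
rich_rule() {
    IFS=, read -r rr_addr rr_proto rr_port <<EOF
$1
EOF
    if [ -z "$rr_port" ]; then        # e.g. "192.168.1.15,icmp"
        printf 'rule family="ipv4" source address="%s" protocol value="%s" accept\n' \
            "$rr_addr" "$rr_proto"
    else
        rr_port=$(svc_port "$rr_port") || return 1
        printf 'rule family="ipv4" source address="%s" port port="%s" protocol="%s" accept\n' \
            "$rr_addr" "$rr_port" "$rr_proto"
    fi
}

# Prints the commands for every entry, then the reload that activates them.
emit_commands() {
    for entry in $1; do
        rule=$(rich_rule "$entry") || { echo "# skipped (unknown service): $entry"; continue; }
        printf "firewall-cmd --permanent --zone=%s --add-rich-rule='%s'\n" "$ZONE" "$rule"
    done
    echo "firewall-cmd --reload"
}

emit_commands "$FW_TRUSTED_NETS"
```

The rules only restrict access if the same ports are not also opened zone-wide with --add-service or --add-port in that zone.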