Hi,

(This is a thinking-aloud post, so of course there is conflict in what I say)

So I converted my miniserver to use firewalld instead of SuSEfirewall2, using the "susefirewall2-to-firewalld" script. I added the rule to block incoming packets from the router. The resulting config is:

Isengard:/etc/firewalld/zones # firewall-cmd --list-all
external (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0 wlan0
  sources:
  services: dns http https mountd nfs nfs3 ntp rpc-bind ssh
  ports: 12854/tcp 50000/tcp 12858/udp 47981/udp 38059/tcp 56517/udp 40399/tcp
  protocols:
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks: address-unreachable bad-header beyond-scope communication-prohibited destination-unreachable echo-reply failed-policy fragmentation-needed host-precedence-violation host-prohibited host-redirect host-unknown host-unreachable ip-header-bad network-prohibited network-redirect network-unknown network-unreachable no-route packet-too-big parameter-problem port-unreachable precedence-cutoff protocol-unreachable reject-route required-option-missing source-route-failed time-exceeded timestamp-reply timestamp-request tos-host-redirect tos-host-unreachable tos-network-redirect tos-network-unreachable ttl-zero-during-reassembly ttl-zero-during-transit unknown-header-type unknown-option
  rich rules:
	rule family="ipv4" source address="192.168.1.55/32" port port="5556" protocol="tcp" accept
	rule family="ipv4" source address="192.168.1.128/32" port port="2908" protocol="udp" accept
	rule family="ipv4" source address="192.168.1.129/32" port port="53" protocol="udp" accept
	rule family="ipv4" source address="192.168.1.57/32" accept
	rule family="ipv4" source address="192.168.1.14/32" port port="2049" protocol="tcp" accept
	rule family="ipv4" source address="192.168.1.14/32" port port="80" protocol="tcp" accept
	rule family="ipv4" source address="192.168.1.0/24" port port="80" protocol="tcp" accept
	rule family="ipv4" source address="192.168.1.5/32" protocol value="icmp" accept
	rule family="ipv4" source address="192.168.1.14/32" port port="514" protocol="udp" accept
	rule family="ipv4" source address="192.168.1.14/32" port port="4080" protocol="tcp" accept
	rule family="ipv4" source address="192.168.1.128/32" port port="4080" protocol="tcp" accept
	rule family="ipv4" source address="192.168.1.7/32" port port="137" protocol="tcp" accept
	rule family="ipv4" source address="172.26.0.0/16" protocol value="udp" accept
	rule family="ipv4" source address="192.168.1.126/32" port port="2049" protocol="tcp" accept
	rule family="ipv4" source address="192.168.1.14/32" port port="4243" protocol="tcp" accept
	rule family="ipv4" source address="192.168.1.54/32" port port="4243" protocol="tcp" accept
	rule family="ipv4" source address="192.168.1.129/32" port port="53" protocol="tcp" accept
	rule family="ipv4" source address="192.168.1.7/32" protocol value="udp" accept
	rule family="ipv4" source address="192.168.1.7/32" port port="139" protocol="tcp" accept
	rule family="ipv4" source address="192.168.1.127/32" port port="873" protocol="tcp" accept
	rule family="ipv4" source address="192.168.1.1/32" port port="162" protocol="udp" accept
	rule family="ipv4" source address="192.168.1.55/32" accept
	rule family="ipv4" source address="192.168.1.0/24" port port="111" protocol="tcp" accept
	rule family="ipv4" source address="192.168.1.129/32" port port="5000" protocol="tcp" accept
	rule family="ipv4" source address="192.168.1.14/32" port port="8080" protocol="tcp" accept
	rule family="ipv4" source address="192.168.1.14/32" port port="4001" protocol="tcp" accept
	rule family="ipv4" source address="192.168.1.14/32" port port="25" protocol="tcp" accept
	rule family="ipv4" source address="192.168.1.14/32" port port="4000" protocol="tcp" accept
	rule family="ipv4" source address="192.168.1.1/32" port port="50000" protocol="tcp" accept
	rule family="ipv4" source address="192.168.1.128/32" port port="445" protocol="tcp" accept
	rule family="ipv4" source address="192.168.1.128/32" port port="5353" protocol="tcp" accept
	rule family="ipv4" source address="192.168.1.56/32" port port="5556" protocol="tcp" accept
	rule family="ipv4" source address="192.168.1.128/32" port port="4120" protocol="udp" accept
	rule family="ipv4" source address="192.168.1.126/32" port port="873" protocol="tcp" accept
	rule family="ipv4" source address="192.168.1.0/24" port port="2049" protocol="tcp" accept
	rule family="ipv4" source address="192.168.1.14/32" port port="4242" protocol="tcp" accept
	rule family="ipv4" source address="192.168.1.128/32" port port="4243" protocol="tcp" accept
	rule family="ipv4" source address="192.168.1.128/32" port port="1252" protocol="tcp" accept
	rule family="ipv4" source address="192.168.1.14/32" port port="4243" protocol="udp" accept
	rule family="ipv4" source address="192.168.1.14/32" port port="8081" protocol="tcp" accept
	rule family="ipv4" source address="192.168.1.14/32" port port="9090" protocol="tcp" accept
	rule family="ipv4" source address="192.168.1.129/32" port port="2049" protocol="tcp" accept
	rule family="ipv6" source address="fc00::/64" port port="5353" protocol="udp" accept
	rule family="ipv4" source address="192.168.1.1/32" port port="514" protocol="udp" accept
	rule family="ipv4" source address="192.168.1.128/32" port port="1625" protocol="tcp" accept
	rule family="ipv4" source address="192.168.1.127/32" port port="2049" protocol="tcp" accept
	rule family="ipv4" source address="192.168.1.129/32" port port="4080" protocol="tcp" accept
	rule family="ipv4" source address="192.168.1.54/32" accept
	rule family="ipv4" source address="192.168.1.128/32" port port="137" protocol="udp" accept
	rule family="ipv4" source address="192.168.1.0/24" port port="2049" protocol="udp" accept
	rule family="ipv4" source address="192.168.1.7/32" port port="53" protocol="udp" accept
	rule family="ipv4" source address="192.168.1.129/32" port port="9090" protocol="tcp" accept
	rule family="ipv4" source address="192.168.1.14/32" port port="162" protocol="udp" accept
	rule family="ipv4" source address="192.168.1.129/32" port port="4000" protocol="tcp" accept
	rule family="ipv4" source address="192.168.1.14/32" port port="8000" protocol="tcp" accept
	rule family="ipv4" source address="192.168.1.50/32" port port="53" protocol="tcp" accept
	rule family="ipv4" source address="192.168.1.0/24" port port="111" protocol="udp" accept
	rule family="ipv4" source address="192.168.1.7/32" port port="514" protocol="udp" accept
	rule family="ipv4" source address="192.168.1.5/32" port port="162" protocol="udp" accept
	rule family="ipv4" source address="192.168.1.14/32" port port="514" protocol="tcp" accept
	rule family="ipv4" source address="192.168.1.7/32" port port="5353" protocol="tcp" accept
	rule family="ipv4" source address="192.168.1.14/32" port port="873" protocol="tcp" accept
	rule family="ipv4" source address="192.168.1.14/32" protocol value="icmp" accept
	rule family="ipv4" source address="192.168.1.128/32" port port="4754" protocol="udp" accept
	rule family="ipv4" source address="192.168.1.128/32" port port="53" protocol="tcp" accept
	rule family="ipv4" source address="192.168.1.56/32" port port="5558" protocol="tcp" accept
	rule family="ipv4" source address="192.168.1.128/32" port port="53" protocol="udp" accept
	rule family="ipv4" source address="192.168.1.129/32" port port="4001" protocol="tcp" accept
	rule family="ipv4" source address="192.168.1.15/32" port port="2049" protocol="tcp" accept
	rule family="ipv4" source address="192.168.1.1/32" protocol value="udp" accept
	rule family="ipv4" source address="192.168.1.0/24" port port="22" protocol="tcp" accept
	rule family="ipv4" source address="192.168.1.14/32" port port="6666" protocol="udp" accept
	rule family="ipv4" source address="192.168.1.54/32" port port="5558" protocol="tcp" accept
	rule family="ipv6" source address="fe80::/64" port port="5353" protocol="udp" accept
	rule family="ipv4" source address="192.168.1.50/32" port port="53" protocol="udp" accept
	rule family="ipv4" source address="192.168.1.7/32" port port="3553" protocol="udp" accept
	rule family="ipv4" source address="192.168.1.54/32" port port="5556" protocol="tcp" accept
	rule family="ipv4" source address="192.168.1.1/32" protocol value="icmp" accept
	rule family="ipv4" source address="192.168.1.7/32" port port="515" protocol="tcp" accept
	rule family="ipv4" source address="192.168.1.5/32" port port="514" protocol="udp" accept
	rule family="ipv4" source address="192.168.1.128/32" port port="138" protocol="udp" accept
	rule family="ipv4" source address="192.168.1.56/32" accept
	rule family="ipv4" source address="192.168.1.128/32" port port="139" protocol="tcp" accept
	rule family="ipv4" source address="192.168.1.55/32" port port="5558" protocol="tcp" accept
	rule family="ipv4" source address="192.168.1.129/32" port port="8081" protocol="tcp" accept
	rule priority="10" source mac="ROUTER_MAC" reject
Isengard:/etc/firewalld/zones #

So, I want to try the access to apache and ssh from outside. I connect via ssh to a friend's machine, and try. IPv4 first.

carlos@Friend:~ $ curl http://isengard_rmt_dns
^C
carlos@Friend:~ $

No response on port 80, good.

carlos@Friend:~ $ curl http://isengard_rmt_dns:50000
<html><body><h1>Hola tio.</h1></body></html>carlos@Friend:~ $

Correct response on a high port.

carlos@Friend:~ $ ssh cer@isengard_rmt_dns
^C
carlos@Friend:~ $

No response on port 22, correct.

carlos@Friend:~ $ ssh -p 51000 cer@isengard_rmt_dns
The authenticity of host '[isengard_rmt_dns]:51000 ([IPv4_ADDR]:51000)' can't be established.
ECDSA key fingerprint is SHA256:ILyba....
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[isengard_rmt_dns]:51000,[IPv4_ADDR]:51000' (ECDSA) to the list of known hosts.
cer@isengard_rmt_dns: Permission denied (publickey).
carlos@Friend:~ $

Expected response on a high port.

Notice that on IPv4 the router intervenes with translations (virtual server). Incoming to port 51000 is sent to Isengard on the LAN, port 22. Incoming to port 50000 is sent to Isengard on the LAN, port 50000. (Not the actual ports, I edited them for privacy; but close.)

The Virtual Server config of the router doesn't work on IPv6 - correct, it is a NAT hack.

Apache on IPv6 and high port:

carlos@Friend:~ $ curl http://[Ipv6_ADDR]:50000
<html><body><h1>Hola tio.</h1></body></html>carlos@Friend:~ $

This is correct.

carlos@Friend:~ $ curl http://[Ipv6_ADDR]
<html><body>
<h1>Welcome to Isengard</a></h1>
<h3>Letras: \ | @ # € </h3>
<h2>
<a href="/ficheros" title="Ficheros">[ficheros]</a> <br>
<a href="/ficheros/mirrors" title="Mirrors">[Mirrors]</a> <br>
<a href="/data/hoard/TheHoard/jd">[Shared J]</a> <br>
<a href="/data/hoard/">[Data]</a> <br>
<a href="/data/waterhoard/Fusion/Videos">[Fusion]</a> <br>
<a href="/data/My_Book/Fusion/Videos">[Fusion MyBook]</a> <br>
<!-- <a href="/usr/share/doc">Doc</a> <br> -->
<!-- Ver Alias y Directory en "/etc/apache2/httpd.conf.local" para dar acceso a nuevos directorios -->
</h2>
</body></html>
carlos@Friend:~ $

Now, this is not correct, it is the response expected INSIDE the LAN. That means a problem in the Apache configuration for virtual hosts, but also that port 80 is not closed on IPv6.

ssh on IPv6 and default port:

carlos@Friend:~ $ ssh cer@Ipv6_ADDR
The authenticity of host 'Ipv6_ADDR (Ipv6_ADDR)' can't be established.
ECDSA key fingerprint is SHA256:ILyba.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'Ipv6_ADDR' (ECDSA) to the list of known hosts.
cer@Ipv6_ADDR: Permission denied (publickey).
carlos@Friend:~ $

Well, this is not correct, it should be denied by the rich rule.

Obviously, computers have their own mind, but I'm not familiar with the firewalld "mind". And I'm getting a headache.

There is this rule:

	rule family="ipv4" source address="192.168.1.1/32" port port="50000" protocol="tcp" accept

which might conflict with:

	rule priority="10" source mac="ROUTER_MAC" reject

but it is for IPv4 only, so it shouldn't.

It seems that:

  services: dns http https mountd nfs nfs3 ntp rpc-bind ssh

takes precedence over the rich rule denying packets via the router. [headache]

Obviously, being a server, both ssh and http have to be open even if the packet is incoming from the router, but not on ports 22 and 80, only on the high ports.

So maybe I have to remove the line

  services: dns http https mountd nfs nfs3 ntp rpc-bind ssh

move all that to rich rules that open those ports on IPv4 only, and open generically ports 50000 and 51000 only.

Wait, ssh comes from the router on port 22, it is translated. Making sshd listen on 51000 is not that easy. So, generically open port 50000. Open port 22 on IPv4, close on IPv6? Or open generically.

Ideas?

(Can I write comments in the xml file /etc/firewalld/zones/external.xml?)

--
Cheers
Carlos E. R.
(from 15.4 x86_64 at Telcontar)
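Added example, not code from the post above or from the firewalld project: a small Python audit of a `firewall-cmd --list-all` dump that makes the two points behind the "headache" visible. First, `services:` and `ports:` entries carry no source or family restriction, so `ssh` and `http` there accept from any address over IPv4 and IPv6 alike, while nearly all of the rich rules are `family="ipv4"` and source-limited. Second, firewalld evaluates rich rules with a positive `priority` after the zone's services/ports accepts (negative priority runs before them), so a `priority="10"` reject never sees a packet that `services: ssh` already accepted. The zone text is a constructed, abridged excerpt of the one shown above (ROUTER_MAC is the post's placeholder); `SERVICE_PORTS` is a constructed subset of the standard firewalld service definitions; the `lan_cidr` argument and the commands `suggested_fix` emits are this example's suggestion, not something the post ran.

```python
"""Audit a firewalld zone dump for accept entries that match any source on
both IP families, and for reject/drop rich rules whose priority places them
after those accepts. Added example; SAMPLE is a constructed excerpt."""
import re

SAMPLE = """\
external (active)
  target: default
  interfaces: eth0 wlan0
  services: dns http https ssh
  ports: 50000/tcp 12858/udp
  rich rules:
\trule family="ipv4" source address="192.168.1.0/24" port port="22" protocol="tcp" accept
\trule family="ipv4" source address="192.168.1.1/32" port port="50000" protocol="tcp" accept
\trule family="ipv6" source address="fe80::/64" port port="5353" protocol="udp" accept
\trule priority="10" source mac="ROUTER_MAC" reject
"""

# Constructed subset of standard firewalld service definitions (name -> {(port, proto)}).
SERVICE_PORTS = {
    "ssh": {("22", "tcp")},
    "http": {("80", "tcp")},
    "https": {("443", "tcp")},
    "dns": {("53", "tcp"), ("53", "udp")},
}

ATTR_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_rich_rule(text):
    """Flatten one rich rule into its matching attributes plus the action."""
    attrs = dict(ATTR_RE.findall(text))
    return {
        "text": text,
        "family": attrs.get("family"),      # None: rule applies to ipv4 and ipv6
        "priority": int(attrs.get("priority", "0")),
        "address": attrs.get("address"),
        "mac": attrs.get("mac"),
        "port": attrs.get("port"),
        "protocol": attrs.get("protocol"),
        "action": text.split()[-1],         # accept / reject / drop
    }


def parse_zone(dump):
    """Pull the services, ports and rich rules out of --list-all output."""
    zone = {"services": [], "ports": [], "rich": []}
    for line in dump.splitlines():
        s = line.strip()
        if s.startswith("services:"):
            zone["services"] = s.split(":", 1)[1].split()
        elif s.startswith("ports:"):
            zone["ports"] = s.split(":", 1)[1].split()
        elif s.startswith("rule "):
            zone["rich"].append(parse_rich_rule(s))
    return zone


def zone_wide_accepts(zone):
    """services: and ports: have no source/family restriction: any address, both families."""
    return [("service", s) for s in zone["services"]] + [("port", p) for p in zone["ports"]]


def late_deny_rules(zone):
    """Reject/drop rich rules with priority > 0 run after the zone-wide accepts,
    so they cannot block traffic those accepts already matched."""
    return [r for r in zone["rich"]
            if r["action"] in ("reject", "drop") and r["priority"] > 0]


def who_accepts(zone, family, port, proto):
    """Entries that would accept traffic to port/proto arriving over `family`
    from an arbitrary source (rich rules are listed with their source limit)."""
    hits = []
    for name in zone["services"]:
        if (port, proto) in SERVICE_PORTS.get(name, set()):
            hits.append(f"service {name} (any source, both families)")
    if f"{port}/{proto}" in zone["ports"]:
        hits.append(f"port {port}/{proto} (any source, both families)")
    for r in zone["rich"]:
        if (r["action"] == "accept" and r["family"] in (None, family)
                and (r["port"], r["protocol"]) == (port, proto)):
            hits.append(f"rich rule from {r['address']} ({r['family'] or 'any family'})")
    return hits


def suggested_fix(zone, lan_cidr):
    """firewall-cmd lines that replace zone-wide services with IPv4 LAN-only
    rich rules, keep the ports: list, and move the late deny rules to a
    negative priority so they run before the remaining accepts (lan_cidr is assumed)."""
    z = "--permanent --zone=external"
    cmds = []
    for s in zone["services"]:
        cmds.append(f"firewall-cmd {z} --remove-service={s}")
        cmds.append(f"firewall-cmd {z} --add-rich-rule='rule family=\"ipv4\" "
                    f"source address=\"{lan_cidr}\" service name=\"{s}\" accept'")
    for r in late_deny_rules(zone):
        early = re.sub(r'priority="\d+"', f'priority="-{r["priority"]}"', r["text"])
        cmds.append(f"firewall-cmd {z} --remove-rich-rule='{r['text']}'")
        cmds.append(f"firewall-cmd {z} --add-rich-rule='{early}'")
    cmds.append("firewall-cmd --reload")
    return cmds


if __name__ == "__main__":
    zone = parse_zone(SAMPLE)
    print("zone-wide accepts:", zone_wide_accepts(zone))
    print("deny rules evaluated after them:", [r["text"] for r in late_deny_rules(zone)])
    print("ipv6 tcp/22 accepted by:", who_accepts(zone, "ipv6", "22", "tcp"))
    print("\n".join(suggested_fix(zone, "192.168.1.0/24")))
```

Run against the real dump (`firewall-cmd --list-all | python3 audit.py` after swapping `SAMPLE` for `sys.stdin.read()`), the `who_accepts` query for `("ipv6", "22", "tcp")` reports only `service ssh`, which is exactly why the IPv6 ssh test above reached sshd: the family-limited rich rules never apply, and the MAC reject is sorted after the service accept. Review the generated commands before applying them; the negative priority is what makes the reject win, and the `service name=` rich-rule element keeps the service definition while adding the IPv4 source limit.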