On Friday 09 March 2018 10:18:23 Reco wrote:
> Hi.
>
> On Fri, Mar 09, 2018 at 04:30:53PM +0200, Johann Spies wrote:
> > For many years I have used my desktop as a network/firewall server
> > with two interfaces, one facing the internet (through ADSL) and the
> > other the local network.
> >
> > Now I have a fibre connection and for a month both connections will
> > be available in parallel.
> >
> > I have decided to use my Raspberry Pi3 as the firewall/network
> > server in future but have after many hours failed to do so
> > successfully.
>
> A suboptimal idea IMO. These Broadcom chipsets are only good for video
> output, their 100Mbps "Ethernet" is actually hardwired to USB, and
> their WiFi is a PITA (I used Raspberry Pi3 as WiFi AP for half a year.
> Never again). They make good SPI programmers though.
>
> If you need a good Debian-friendly router, I suggest buying Linksys
> ACM 1200, 1900 or 3200.
I will also highly recommend the higher end Buffalos. I have a $70 mail
order Netfinity, now quite a few years old, reprogrammed with the real
dd-wrt. It has bounced every attack now for around 8 years. And I mean
every. I do not have its radio enabled unless my boys are on site with
their smartphones. And it's not bridged to my local net anyway, only to
the internet.

> > First I have tried a similar Shorewall setup that I have on my
> > desktop and after failing successful connections I tried ufw with no
> > success.
> >
> > First ufw:
> >
> > $ sudo ufw status verbose
> > Status: active
> > Logging: on (low)
> > Default: deny (incoming), allow (outgoing)
> > New profiles: skip
> >
> > To                         Action      From
> > --                         ------      ----
> > Anywhere                   ALLOW IN    192.168.0.0/24
> >
> > Anywhere                   ALLOW OUT   192.168.0.0/24
> > 53/udp                     ALLOW OUT   192.168.0.0/24
> > 443/tcp                    ALLOW OUT   192.168.0.0/24
> >
> > (I have added the last two lines which I thought should not be
> > necessary).
> >
> > I get this in the log:
> >
> > Mar 9 12:14:15 pi3 kernel: [403782.469448] [UFW BLOCK] IN=eth0 OUT=eth1 MAC=b8:27:eb:63:94:ea:1c:5a:3e:e0:29:fe:08:00:45:00:00:3c:50:e8:40:00:3f:06:fb:f2 SRC=192.168.0.10 DST=207.36.95.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=20712 DF PROTO=TCP SPT=53337 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0
>
> An "iptables-save" output would be welcome. There are many frontends
> to netfilter, but nothing beats the original "iptables".
>
> Reco

-- 
Cheers, Gene Heskett
-- 
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page <http://geneslinuxbox.net:6309/gene>
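Added example, not part of the thread: a small Python helper that parses the quoted "[UFW BLOCK]" line and works out which netfilter chain dropped it. The netfilter LOG target records the ingress interface as IN= and the egress as OUT=, so a line carrying both is a FORWARD drop, which ufw "allow in"/"allow out" rules (INPUT/OUTPUT chains) never match; the sample line is re-typed from the message and the LAN prefix 192.168.0.0/24 is taken from the ufw output above.

```python
import ipaddress
from typing import Dict, Tuple

# Constructed sample: the "[UFW BLOCK]" line quoted in the thread, rejoined onto one line.
SAMPLE_LOG = (
    "Mar 9 12:14:15 pi3 kernel: [403782.469448] [UFW BLOCK] IN=eth0 OUT=eth1 "
    "MAC=b8:27:eb:63:94:ea:1c:5a:3e:e0:29:fe:08:00:45:00:00:3c:50:e8:40:00:3f:06:fb:f2 "
    "SRC=192.168.0.10 DST=207.36.95.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=20712 DF "
    "PROTO=TCP SPT=53337 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0"
)

# Assumed LAN prefix, taken from the ufw rules shown in the thread.
LAN = ipaddress.ip_network("192.168.0.0/24")


def parse_nflog(line: str) -> Dict[str, str]:
    """Return the KEY=VALUE fields of a netfilter LOG line.
    Bare flags such as DF and SYN are stored with the value '' (test with `in`)."""
    fields: Dict[str, str] = {}
    body = line.split("]", 2)[-1]  # drop the syslog timestamp and "[UFW BLOCK]" prefix
    for tok in body.split():
        key, _, val = tok.partition("=")
        fields[key] = val
    return fields


def chain_for(fields: Dict[str, str]) -> str:
    """INPUT logs only IN=, OUTPUT only OUT=; a packet with both is being forwarded."""
    has_in, has_out = bool(fields.get("IN")), bool(fields.get("OUT"))
    if has_in and has_out:
        return "FORWARD"
    return "INPUT" if has_in else "OUTPUT" if has_out else "UNKNOWN"


def diagnose(line: str) -> Tuple[str, str]:
    """Classify a UFW BLOCK line: which chain dropped it and whether the
    'allow in'/'allow out' rules from the thread could ever have matched it."""
    f = parse_nflog(line)
    chain = chain_for(f)
    flow = f"{f['SRC']}:{f.get('SPT', '')} -> {f['DST']}:{f.get('DPT', '')}/{f.get('PROTO', '')}"
    if chain == "FORWARD" and ipaddress.ip_address(f["SRC"]) in LAN:
        # ufw 'allow in'/'allow out' rules live in the INPUT/OUTPUT chains; routed
        # LAN traffic is decided by the forward policy and 'ufw route' rules instead.
        return chain, f"{flow}: routed LAN traffic, not covered by allow in/out rules"
    return chain, f"{flow}: dropped in {chain}"


if __name__ == "__main__":
    print(*diagnose(SAMPLE_LOG))
```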