Hi,

the same issue occurs if I open a port with a rule in /etc/config/firewall:

config rule
	option name 'Allow SSH Inbound'
	option src 'wan'
	option proto 'tcp'
	option dest_port '22'
	option target 'ACCEPT'
	option family 'ipv6'

Port 22 is open if I execute a port scan from outside to the lan IPv6 address.

Regards,
Hartmut

On 26.02.2017 at 11:08, e9hack wrote:
> Hi,
>
> I add some rules to /etc/firewall.user to protect dropbear against ssh port
> scans:
>
> # SSH protection (ipv6)
> # start with an empty ssh_scan chain
> ip6tables -X ssh_scan
> ip6tables -N ssh_scan
>
> # source still listed in SSH_BLOCK (seen within the last 30 min)? refresh the
> # entry and leave the chain without accepting, so the zone default applies
> ip6tables -A ssh_scan -m recent --name SSH_BLOCK --rsource --update --seconds 1800 --reap -j RETURN
> # record this connection attempt for the source address
> ip6tables -A ssh_scan -m recent --name SSH_SCAN --rsource --set
> # fewer than 6 attempts from this source within 5 min: let it through
> ip6tables -A ssh_scan -m recent --name SSH_SCAN --rsource ! --update --seconds 300 --hitcount 6 --reap -j ACCEPT
> # 6th attempt and beyond: add the source to SSH_BLOCK and log it; the chain
> # then falls through (no explicit DROP/REJECT here)
> ip6tables -A ssh_scan -m recent --name SSH_BLOCK --rsource --set -j LOG --log-level info --log-prefix "SSH_SCAN blocked: "
> # send every new tcp/22 connection arriving on the wan zone through ssh_scan
> ip6tables -A input_wan_rule -p tcp --dport 22 -m conntrack --ctstate NEW -j ssh_scan
>
> My router gets an IPv6 address and prefix from my provider. IPv6 of the lan
> interface is set to prefix::1. If I start a port 22 scan from
> http://www.subnetonline.com/pages/ipv6-network-tools/online-ipv6-port-scanner.php,
> I get an open port for both IP addresses (lan and wan) the first time. After a
> few scans, there is no response. In the log files, I see entries with
> 'SSH_SCAN blocked:' for the wan interface for both IP addresses (lan and wan).
> I was of the opinion that only the port scan for the wan IP address is handled
> by input_wan_rule and that the access to the lan address is handled by
> zone_wan_forward and is blocked immediately.
>
> How can I avoid that port 22 on the lan interface is reachable from the
> outside world if I add rules for the wan interface?
>
> Regards,
> Hartmut
>
> _______________________________________________
> Lede-dev mailing list
> Lede-dev@lists.infradead.org
> http://lists.infradead.org/mailman/listinfo/lede-dev
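Added note with a worked example (not part of the thread, and not LEDE/fw3 code): the behaviour described above follows from how the zone chains and the posted chain match. fw3's zone_wan_input / input_wan_rule is selected by the ingress interface, and Netfilter sends every packet addressed to one of the router's own addresses (the lan-side prefix::1 included) to INPUT, not FORWARD, so a probe arriving on wan for the lan address never sees zone_wan_forward. The ssh_scan chain itself matches on the source address only (--rsource), so probes to the wan and lan addresses count against the same SSH_SCAN entry. The Python model below reproduces the posted rules with the xt_recent semantics of --set, --update, --seconds and --hitcount over constructed scanner traffic. Assumptions: --reap is simplified to forgetting a source whose last packet is older than the window; the wan zone's default input policy is REJECT; all addresses are made-up 2001:db8::/32 documentation values.

```python
"""Added example (not from the thread): a model of the posted ssh_scan chain.

It reproduces the xt_recent matching used by the rules (--set, --update,
--seconds, --hitcount) so the chain can be traced offline against constructed
scanner traffic.  Assumptions: --reap is simplified to forgetting a source whose
last packet is older than the window; the wan zone's default input policy is
REJECT; addresses are made-up 2001:db8::/32 documentation values.
"""
from collections import defaultdict

# parameters of the posted rules
BLOCK_SECONDS = 1800    # --name SSH_BLOCK --update --seconds 1800
SCAN_SECONDS = 300      # --name SSH_SCAN  --update --seconds 300
SCAN_HITCOUNT = 6       # --hitcount 6

# constructed addresses (documentation prefix, not real hosts)
WAN_ADDR = "2001:db8:1::2"       # address on the wan interface
LAN_ADDR = "2001:db8:2::1"       # "prefix::1" on the lan interface
SCANNER = "2001:db8:ffff::53"    # the external port scanner
LOCAL_ADDRS = {WAN_ADDR, LAN_ADDR}  # every address the router itself owns


class RecentTable:
    """One xt_recent list (/proc/net/xt_recent/<name>): per source address,
    the timestamps of the packets recorded for it."""

    def __init__(self, name):
        self.name = name
        self.stamps = defaultdict(list)

    def set(self, src, now):
        """--set: add the source, or one more timestamp for it."""
        self.stamps[src].append(now)

    def reap(self, now, seconds):
        """--reap (simplified): forget sources whose last packet is older than S."""
        for src in [s for s, ts in self.stamps.items() if now - ts[-1] > seconds]:
            del self.stamps[src]

    def update(self, src, now, seconds, hitcount=1):
        """--update --seconds S [--hitcount N]: match when the source has at
        least N packets within the last S seconds.  On a match the entry is
        refreshed with the current time (xt_recent only refreshes when the
        underlying check matches, even if the rule is negated with '!')."""
        recent = [t for t in self.stamps.get(src, []) if now - t <= seconds]
        matched = len(recent) >= hitcount
        if matched:
            self.stamps[src].append(now)
        return matched


class SshScanChain:
    """The four rules of the posted ssh_scan chain, in order."""

    def __init__(self):
        self.block = RecentTable("SSH_BLOCK")
        self.scan = RecentTable("SSH_SCAN")
        self.log = []

    def new_connection(self, src, dst, now):
        """One NEW tcp/22 packet arriving on the wan interface; returns the
        verdict.  The destination is only used for the log line: every rule
        matches on --rsource, so probes to the wan and lan addresses share one
        SSH_SCAN entry.  Nothing in the chain rejects explicitly; a fall-through
        RETURNs to input_wan_rule and ends in the zone default (REJECT here)."""
        # rule 1: source still in SSH_BLOCK (seen within 1800 s)? refresh, RETURN
        self.block.reap(now, BLOCK_SECONDS)
        if self.block.update(src, now, BLOCK_SECONDS):
            return "REJECT"
        # rule 2: record this attempt
        self.scan.set(src, now)
        # rule 3: '! --update --seconds 300 --hitcount 6 -j ACCEPT'
        self.scan.reap(now, SCAN_SECONDS)
        if not self.scan.update(src, now, SCAN_SECONDS, SCAN_HITCOUNT):
            return "ACCEPT"
        # rule 4: add to SSH_BLOCK and log, then fall off the end of the chain
        self.block.set(src, now)
        self.log.append(f"{now}s SSH_SCAN blocked: SRC={src} DST={dst} DPT=22")
        return "REJECT"


def netfilter_chain(dst, local_addrs):
    """Which base chain a packet arriving on wan enters: anything addressed to
    one of the router's own addresses goes to INPUT (hence zone_wan_input and
    input_wan_rule), whichever interface that address belongs to; only traffic
    for other hosts reaches FORWARD and zone_wan_forward."""
    return "INPUT" if dst in local_addrs else "FORWARD"


# constructed traffic: one probe every 10 s, alternating wan and lan address
SCANNER_ATTEMPTS = [(10 * i, SCANNER, WAN_ADDR if i % 2 == 0 else LAN_ADDR)
                    for i in range(10)]


def run_scanner(attempts):
    """Run (time_s, src, dst) probes through a fresh chain; returns the list of
    verdicts and the log lines produced."""
    chain = SshScanChain()
    verdicts = [chain.new_connection(src, dst, t) for t, src, dst in attempts]
    return verdicts, chain.log


if __name__ == "__main__":
    verdicts, log = run_scanner(SCANNER_ATTEMPTS)
    for (t, _src, dst), v in zip(SCANNER_ATTEMPTS, verdicts):
        print(f"{t:4d}s  {netfilter_chain(dst, LOCAL_ADDRS):7}  dst={dst:16}  {v}")
    print(*log, sep="\n")
```

Running it shows the first five probes accepted regardless of which of the two addresses they target, the sixth logged once with the lan address as DST and every later probe rejected by rule 1, and the block only lifting 1800 s after the scanner's last attempt, because --update keeps refreshing the SSH_BLOCK entry. Restricting the ACCEPT to the wan address (for example with -d, or option dest_ip in the uci rule) is the usual way to keep the lan address out of scope; the model deliberately leaves that out to reproduce the posted rules as they are.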