I have a router which is a KVM VM running CentOS7. Then I have a LibreSwan
gateway, which is another VM in the LAN, also running CentOS7.
There are 100,000,000 bots out there trying to get into any and all ports, ready
and armed with the right known vulns and 0-days for the normal ports, so I'd
like to change ipsec 500 to something else. (changing 4500 is inadvisable for
kernel reasons)
Libreswan can't change listening ports, so am I on the right track doing it
like this in the router?
DNAT net loc:192.168.1.15:500 udp 63500 eth0
(the ipsec gateway is 192.168.1.15, and the outside interface of the router is
eth0)
The reason I ask is that in the docs, that 63500 column is labeled DPORT,
whereas it's the source port from the router's PoV ... although it's the
destination port from the initiator's PoV.
------------------------------------------------------------------------------
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
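Added example, not part of the post above and not Shorewall's own code: a small helper that maps a Shorewall `rules`-file DNAT line onto the plain iptables rule it expresses, to make the column question concrete. In the rules file the DPORT column is the destination port of the packet as it arrives at the firewall, i.e. the initiator's view (63500 here), and the `:port` suffix on the DEST column is the port the packet is rewritten to before it is forwarded (500). The zone-to-interface mapping (`net` is `eth0`) is assumed from the post; the generated iptables command is the semantic equivalent for illustration, not the chains Shorewall itself emits. The sample rule lines are constructed from the post, with an unchanged UDP 4500 forward alongside since NAT-T still has to reach the gateway.

```python
"""Map a Shorewall 'rules' DNAT line to the plain iptables rule it expresses.

Constructed illustration only (not Shorewall code): Shorewall's generated
chains look different; the point is which column carries which port.
"""
import re

# Columns of the Shorewall rules file that a DNAT entry uses, in order.
COLUMNS = ("ACTION", "SOURCE", "DEST", "PROTO", "DPORT", "SPORT", "ORIGDEST")

# Assumed zone -> interface mapping (from the post: the router's 'net' side is eth0).
ZONE_IFACE = {"net": "eth0"}


def parse_rule(line):
    """Split a whitespace-separated rules line into a column dict; '-' means unset."""
    fields = line.split()
    if len(fields) < 4:
        raise ValueError("need at least ACTION SOURCE DEST PROTO")
    rule = dict(zip(COLUMNS, fields))
    return {k: (None if v == "-" else v) for k, v in rule.items()}


def split_dest(dest):
    """'loc:192.168.1.15:500' -> ('loc', '192.168.1.15', '500'); the port is optional."""
    m = re.fullmatch(r"([A-Za-z0-9_]+):([0-9.]+)(?::(\d+))?", dest)
    if not m:
        raise ValueError("DEST must be zone:address[:port]")
    return m.group(1), m.group(2), m.group(3)


def dnat_to_iptables(line):
    """Return the equivalent 'iptables -t nat -A PREROUTING ...' command string."""
    rule = parse_rule(line)
    if rule["ACTION"] != "DNAT":
        raise ValueError("only DNAT rules are handled here")
    _zone, addr, newport = split_dest(rule["DEST"])
    iface = ZONE_IFACE[rule["SOURCE"]]
    cmd = ["iptables", "-t", "nat", "-A", "PREROUTING", "-i", iface, "-p", rule["PROTO"]]
    if rule.get("DPORT"):
        # DPORT is matched on the packet as it arrives: the port the initiator sent to.
        cmd += ["--dport", rule["DPORT"]]
    if rule.get("SPORT"):
        cmd += ["--sport", rule["SPORT"]]
    if rule.get("ORIGDEST"):
        cmd += ["-d", rule["ORIGDEST"]]
    # The :port suffix on DEST is the port written into the packet before forwarding.
    target = addr if newport is None else f"{addr}:{newport}"
    cmd += ["-j", "DNAT", "--to-destination", target]
    return " ".join(cmd)


# Constructed sample: IKE moved to 63500 on the outside, NAT-T left on 4500.
SAMPLE_RULES = [
    "DNAT net loc:192.168.1.15:500 udp 63500",
    "DNAT net loc:192.168.1.15 udp 4500",
]

if __name__ == "__main__":
    for r in SAMPLE_RULES:
        print(dnat_to_iptables(r))
```

The first sample line therefore matches `--dport 63500` on `eth0` and rewrites the destination to `192.168.1.15:500`, which is what the post's rule asks for; the remote peer still has to be told to send IKE to 63500, since nothing on the router side changes what the initiator dials.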