I've recently changed all my LAN addresses from 192.168.111.0/24 to 10.1.1.0/24, for simplicity and refinement.
One odd thing I found was that I could not assign 10.1.1.1 because it said some MAC address already had that. So I worked around that. Suddenly I started getting Shorewall DROPs on my LAN members from various _public_ IPs to ports 80, 443, and so on! This has never happened in 10+ years of using Shorewall. I realized that it must be my Frontier Communications fiber ONT that has 10.1.1.1 and it's letting everyone and their brother into my LAN. So now I have to change everything to something else. But I also want to exclude any possibility of outsiders getting in.

Studying the docs it seems the right way is in the router:

    ?SECTION ALL
    DROP all local:10.0.0.0/8,local:172.0.0.0/8,local:192.168.0.0/16 all all

Am I on the right track here?

Also I have IPv6 disabled. Frontier doesn't support it and I've made several failed attempts to tunnel it. Assuming I have it turned off in shorewall.conf and in sysctl.conf:

    net.ipv6.conf.all.disable_ipv6 = 1
    net.ipv6.conf.default.disable_ipv6 = 1

... am I good there?

I can't exclude all public IPs as remote VPN clients will be coming in from all directions. They'll be connecting to the public IP of the router, which then port-forwards that port to the WireGuard server inside the LAN.
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
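Added example, not from the original post or from Shorewall itself: a small Python script that scans Shorewall's netfilter LOG lines for the symptom described above, packets from a public source address arriving at an RFC 1918 destination, while skipping the one case that is expected, the router's port-forward to the WireGuard server. The log lines are constructed, and the WireGuard port (UDP/51820, the WireGuard default) is an assumption.

```python
import ipaddress
import re

# RFC 1918 ranges; note the middle block is 172.16.0.0/12, not 172.0.0.0/8
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Port-forwards that legitimately deliver public-source packets to a LAN host.
# Assumed: WireGuard on UDP/51820 (the WireGuard default), forwarded by the router.
ALLOWED_FORWARDS = {("UDP", "51820")}

# key=value fields of a netfilter LOG line as Shorewall emits them
FIELD_RE = re.compile(r"\b(IN|OUT|SRC|DST|PROTO|DPT)=(\S*)")


def is_rfc1918(addr):
    """True if addr falls inside one of the three RFC 1918 blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def find_leaks(lines):
    """Return (src, dst, proto, dpt) for packets from a public source to a
    private destination that are not one of the expected port-forwards."""
    hits = []
    for line in lines:
        f = dict(FIELD_RE.findall(line))
        try:
            src_private = is_rfc1918(f["SRC"])
            dst_private = is_rfc1918(f["DST"])
        except (KeyError, ValueError):
            continue  # not a packet log line, or malformed address
        proto, dpt = f.get("PROTO", ""), f.get("DPT", "")
        if src_private or not dst_private:
            continue  # LAN-originated or Internet-bound: not the symptom
        if (proto, dpt) in ALLOWED_FORWARDS:
            continue  # expected DNAT, e.g. the WireGuard port-forward
        hits.append((f["SRC"], f["DST"], proto, dpt))
    return hits


# Constructed sample log lines (not real traffic), in Shorewall's LOG format
SAMPLE_LOG = [
    "Shorewall:net-loc:DROP:IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=10.1.1.20 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=40213 DPT=443",
    "Shorewall:net-loc:DROP:IN=eth0 OUT=eth1 SRC=198.51.100.9 DST=10.1.1.20 LEN=60 PROTO=TCP SPT=51000 DPT=80",
    "Shorewall:net-loc:ACCEPT:IN=eth0 OUT=eth1 SRC=198.51.100.9 DST=10.1.1.5 LEN=176 PROTO=UDP SPT=41641 DPT=51820",
    "Shorewall:loc-net:ACCEPT:IN=eth1 OUT=eth0 SRC=10.1.1.20 DST=203.0.113.7 LEN=60 PROTO=TCP SPT=51234 DPT=443",
]

for src, dst, proto, dpt in find_leaks(SAMPLE_LOG):
    print(f"public {src} reached private {dst} on {proto}/{dpt}")
```

Feed it the Shorewall lines from syslog or journalctl; anything it prints after the ONT is moved off 10.1.1.1 means Internet traffic is still reaching private addresses on the LAN.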