On 1/20/19 11:17 AM, C. Cook wrote:
> I've recently changed all my LAN addresses from 192.168.111.0/24 to
> 10.1.1.0/24, for simplicity and refinement.

A better choice would be 10.<random1>.<random2>.0/24 where <random1> and
<random2> are random numbers in the range 0-255.

> One odd thing I found was that I could not assign 10.1.1.1 because it
> said some MAC address already had that. So I worked around that.

That happens when there is another host *on the same LAN* that has that
IP address.

> Suddenly I started getting Shorewall DROPs on my LAN members from
> various _public_ IPs to ports 80, 443, and so on! This has never
> happened in 10+ years of using Shorewall. I realized that it must be my
> Frontier Communications fiber ONT that has 10.1.1.1 and it's letting
> everyone and their brother into my LAN.

Internet hosts can't send requests to your local LAN members without
there being DNAT somewhere along the line. Are you sure that you have the
correct DNAT rules in place since you have renumbered your local subnet?

> So now I have to change everything to something else. But I also want
> to exclude any possibility of outsiders getting in. Studying the docs
> it seems the right way is in the router:
>
> ?SECTION ALL
> DROP all local:10.0.0.0/8,local:172.16.0.0/12,local:192.168.0.0/16 all all
>
> Am I on the right track here?

The above will break all connections that you allow from the net via
DNAT. What policy/rules do you currently have in place from the internet
zone to your local zone? Have you looked at these requests as they enter
your firewall using a packet sniffer (tcpdump -ni <interface> dst net
10.1.1.0/24)? If the above produces no output while your local systems
are logging DROPs, then the problem is on your own firewall.

> Also I have IPV6 disabled. Frontier doesn't support it and I've made
> several failed attempts to tunnel it. Assuming I have it turned off in
> shorewall.conf and in sysctl.conf
>
> net.ipv6.conf.all.disable_ipv6 = 1
> net.ipv6.conf.default.disable_ipv6 = 1
>
> ... am I good there?

Yes.

> I can't exclude all public IPs as remote VPN clients will be coming in
> from all directions. They'll be connecting to the public IP of the
> router, which then port-forwards that port to the WireGuard server
> inside the LAN.

-Tom

--
Tom Eastep        \   Q: What do you get when you cross a mobster with
Shoreline,         \     an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
\_______________________________________________
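The reply's reasoning (a packet from a public source can only arrive at a LAN host carrying that host's private address if something on the path translated or forwarded it) can be applied mechanically to the DROP lines the LAN members are logging. The script below is an added example for this thread, not Shorewall's own tooling or anything posted by either participant. It assumes Shorewall's default log prefix shape ("Shorewall:<chain>:<disposition>:" followed by the kernel's KEY=VALUE fields), chain names such as net-fw and net-loc, and that an empty OUT= field marks a packet addressed to the logging host itself while a non-empty OUT= marks one the host was routing. The sample log lines are constructed, and the documentation ranges 203.0.113.0/24 and 198.51.100.0/24 stand in for public source addresses; because Python's ipaddress treats those ranges as non-global, the check for "public" is written as "not RFC 1918, loopback or link-local" rather than using is_global.

```python
"""Triage Shorewall/netfilter DROP log lines for public-to-LAN traffic.

Added example for the thread above; assumes the default Shorewall log
prefix "Shorewall:<chain>:<disposition>:" and the kernel's KEY=VALUE fields.
"""
import re
import secrets
from collections import Counter
from ipaddress import ip_address, ip_network

LAN = ip_network("10.1.1.0/24")  # the renumbered LAN from the thread

# Source ranges that can never legitimately arrive from the internet. Anything
# else is treated as "public"; the IANA documentation ranges used in the
# constructed sample below are not global per ipaddress.is_global, so that
# property is deliberately not used here.
NON_PUBLIC = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
)]

PREFIX_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disp>[A-Z]+):")
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")  # IN=eth0 OUT= SRC=... DPT=...

DELIVERED = "public-to-lan delivered to this host"
FORWARDED = "public-to-lan forwarded by this host"


def is_public(addr):
    return not any(addr in net for net in NON_PUBLIC)


def parse_line(line):
    """Return the netfilter fields of one Shorewall log line, or None."""
    m = PREFIX_RE.search(line)
    if m is None:
        return None
    rec = {"chain": m.group("chain"), "disposition": m.group("disp")}
    rec.update(KV_RE.findall(line[m.end():]))  # flags like DF/SYN are skipped
    return rec


def triage(rec, lan=LAN):
    """Classify one record the way the reply reasons about it."""
    src, dst = ip_address(rec["SRC"]), ip_address(rec["DST"])
    if not (is_public(src) and dst in lan):
        return "other"
    # Empty OUT= means the packet was addressed to the logging host (INPUT);
    # a named OUT= interface means the host was routing it (FORWARD).
    return FORWARDED if rec.get("OUT", "") else DELIVERED


def summarize(lines, lan=LAN):
    """Count DROPs by (category, protocol, destination port)."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["disposition"] != "DROP":
            continue
        counts[(triage(rec, lan), rec.get("PROTO", "?"), rec.get("DPT", "-"))] += 1
    return counts


def diagnose(counts):
    cats = {cat for (cat, _, _) in counts}
    if DELIVERED in cats:
        return ("Packets from public sources reached a LAN host addressed to its "
                "private IP; that requires DNAT or port-forwarding somewhere on "
                "the path, so audit the router's DNAT rules.")
    if FORWARDED in cats:
        return "This host is forwarding public-source traffic into the LAN: check its DNAT rules."
    return "None of these drops are public-source packets addressed to the LAN."


def pick_lan_prefix():
    """The reply's advice: a random 10.<x>.<y>.0/24 instead of 10.1.1.0/24."""
    return ip_network(f"10.{secrets.randbelow(256)}.{secrets.randbelow(256)}.0/24")


# Constructed sample: two lines from a LAN member's own firewall, one from the
# router's FORWARD path, LAN-to-LAN noise, and an unrelated kernel message.
SAMPLE_LOG = [
    "Jan 20 11:02:13 desk kernel: Shorewall:net-fw:DROP:IN=eth0 OUT= "
    "MAC=aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:08:00 SRC=203.0.113.5 DST=10.1.1.10 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=1234 DF PROTO=TCP SPT=51234 DPT=443 "
    "WINDOW=29200 RES=0x00 SYN URGP=0",
    "Jan 20 11:02:15 desk kernel: Shorewall:net-fw:DROP:IN=eth0 OUT= "
    "SRC=198.51.100.77 DST=10.1.1.10 LEN=60 TTL=52 PROTO=TCP SPT=40000 DPT=80 SYN",
    "Jan 20 11:02:16 gw kernel: Shorewall:net-loc:DROP:IN=eth0 OUT=eth1 "
    "SRC=203.0.113.5 DST=10.1.1.10 LEN=60 TTL=49 PROTO=TCP SPT=51235 DPT=443 SYN",
    "Jan 20 11:03:00 desk kernel: Shorewall:loc-fw:DROP:IN=eth0 OUT= "
    "SRC=10.1.1.1 DST=10.1.1.10 LEN=60 PROTO=UDP SPT=5353 DPT=5353",
    "Jan 20 11:03:01 desk kernel: eth0: link is up",
]

if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for (cat, proto, dport), n in sorted(summary.items()):
        print(f"{n:3d}  {cat:40s} {proto}/{dport}")
    print(diagnose(summary))
    print("suggested LAN prefix:", pick_lan_prefix())
```

Run it against a real file with `summarize(open("/var/log/messages"))` on a LAN member and again on the router: DELIVERED entries on a LAN host, with the router showing the same flows on its FORWARD path, point at translation on the router, exactly the DNAT audit the reply asks for; DELIVERED entries on a LAN host with nothing matching at the router's external interface are the case the reply attributes to the local firewall itself.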
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users