Thanks Tom.
>> Suddenly I started getting Shorewall DROPs on my LAN members from
>> various _public_ IPs to ports 80, 443, and so on! This has never
>> happened in 10+ years of using Shorewall. I realized that it must be my
>> Frontier Communications fiber ONT that has 10.1.1.1 and it's letting
>> everyone and their brother into my LAN.

> Internet hosts can't send requests to your local LAN members, without
> there being DNAT somewhere along the line. Are you sure that you have
> the correct DNAT rules in place since you have renumbered your local subnet?

These are my only DNATs in the router:

Web(DNAT)   net     dmz:10.1.10.2    -     -      -   -   3/sec:10
Web(DNAT)   local   dmz:10.1.10.2    -     -      -   ð0
DNAT        net     local:10.1.2.1   udp   wgin   -   # WireGuard Port In

... and yet somehow several public IPs were trying 80 and 443 on 10.1.2.2, given the Shorewall DROPs on that machine.

Maybe they were coming in through my phone on the VPN server? DNAT for that is above, and in the WG server:

ACCEPT   net:10.1.2.0/24,10.1.5.0/24               outWG   tcp   backups,dash,ftp,ftps,git,hkp,http,https,ircd,ircmoz,ircssl,imaps,radio,remote,rtsp,smtp,submission,svn,whois,xmpp-client   -
ACCEPT   net:10.1.2.0/24,10.1.3.1/32,10.1.5.0/24   $FW     udp   domain,ntp   -

I had the phone's AFWall+ on with only relevant apps enabled.

>> So now I have to change everything to something else. But I also want
>> to exclude any possibility of outsiders getting in. Studying the docs
>> it seems the right way is in the router:
>>
>> ?SECTION ALL
>> DROP   all   local:10.0.0.0/8,local:172.0.0.0/8,local:192.168.0.0/16   all   all
>>
>> Am I on the right track here?

> The above will break all connections that you allow from the net via
> DNAT. What policy/rules do you currently have in place from the internet
> zone to your local zone?

lol, Ok so much for my ingenious interpretation of the docs...
$FW      all   REJECT   info(uid,tcp_options)
net      all   DROP     info(uid,tcp_options)
inWG     all   DROP     info(uid,tcp_options)
outWG    all   DROP     info(uid,tcp_options)
#local   all   REJECT   info(uid,tcp_options)
all      all   REJECT   info(uid,tcp_options)

> Have you looked at these requests as they enter your firewall using a
> packet sniffer (tcpdump -ni <interface> dst host 10.1.1.0/24)? If the
> above produces no output while your local systems are logging DROPs,
> then the problem is on your own firewall.

I didn't. I immediately got on changing my subnets and trying to figure out how to block everything but.
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
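The tcpdump check Tom suggests tells you whether the packets reach the firewall at all. A complementary check is on the LAN members themselves: their Shorewall DROP log lines carry the source address, the destination port and the layer-2 MAC field, and the sender half of that MAC field identifies which upstream device (router, ONT, or something else) actually put the packet on the LAN segment. The script below is an added example written for this thread, not code from the thread or from Shorewall. It assumes the default netfilter/Shorewall log prefix `Shorewall:<chain>:<disposition>:` followed by `KEY=VALUE` fields, takes 10.1.2.0/24 and 10.1.5.0/24 as the LAN ranges from the rules quoted above, treats the RFC 1918 ranges plus loopback and link-local as "private", and runs on constructed sample lines (TEST-NET addresses stand in for public sources).

```python
"""Triage Shorewall/netfilter DROP log lines logged on a LAN host.

Added example for the Shorewall-users thread above (not Shorewall's own
code). For DROPs whose destination is a LAN host it reports which ones
came from public source addresses, on which destination ports, and which
sender MAC forwarded those packets onto the segment.
"""
import ipaddress
import re
import sys
from collections import Counter

# Constructed sample lines in the default netfilter/Shorewall log format.
# The MAC field is dst(6 bytes):src(6 bytes):ethertype(2 bytes).
SAMPLE_LOG = """\
Jun  1 10:00:01 lanbox kernel: Shorewall:net-all:DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=10.1.2.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=12345 DF PROTO=TCP SPT=51234 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
Jun  1 10:00:02 lanbox kernel: Shorewall:net-all:DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.23 DST=10.1.2.2 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=2222 DF PROTO=TCP SPT=40000 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Jun  1 10:00:03 lanbox kernel: Shorewall:net-all:DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:de:ad:be:ef:00:01:08:00 SRC=10.1.2.50 DST=10.1.2.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3333 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Jun  1 10:00:04 lanbox kernel: Shorewall:net-all:DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=10.1.2.2 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=4444 PROTO=UDP SPT=5000 DPT=53 LEN=24
Jun  1 10:00:05 lanbox kernel: Shorewall:net-all:REJECT:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=10.1.2.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=5555 DF PROTO=TCP SPT=50000 DPT=8080 WINDOW=29200 RES=0x00 SYN URGP=0
"""

# Assumed LAN ranges, taken from the rules quoted in the thread.
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.1.2.0/24", "10.1.5.0/24")]
# RFC 1918 plus loopback and link-local: anything else is treated as public.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

PREFIX_RE = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<disposition>[^:\s]+):")
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")   # KEY=VALUE; flags like DF/SYN have no '='


def parse_line(line):
    """Return a dict of chain, disposition and KEY=VALUE fields, or None if
    the line is not a Shorewall log line."""
    m = PREFIX_RE.search(line)
    if m is None:
        return None
    rec = {"chain": m.group("chain"), "disposition": m.group("disposition")}
    rec.update(dict(FIELD_RE.findall(line[m.end():])))
    return rec


def in_nets(ip_str, nets):
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    return any(ip in n for n in nets)


def is_private(ip_str):
    return in_nets(ip_str, PRIVATE_NETS)


def source_mac(rec):
    """Sender MAC from the netfilter MAC field (dst:src:ethertype, 14 bytes).
    This is the device that forwarded the packet onto this LAN segment."""
    parts = rec.get("MAC", "").split(":")
    if len(parts) != 14:
        return None
    return ":".join(parts[6:12])


def triage(log_text, lan_nets=LAN_NETS):
    """Split DROPs on LAN destinations by source type.

    Returns three Counters: 'public' and 'internal' keyed by
    (src, proto, dpt), and 'forwarders' keyed by sender MAC for the
    public-source DROPs."""
    public, internal, forwarders = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["disposition"] != "DROP":
            continue
        src, dst = rec.get("SRC"), rec.get("DST")
        if not src or not dst or not in_nets(dst, lan_nets):
            continue
        key = (src, rec.get("PROTO"), rec.get("DPT"))
        if is_private(src):
            internal[key] += 1
        else:
            public[key] += 1
            forwarders[source_mac(rec)] += 1
    return {"public": public, "internal": internal, "forwarders": forwarders}


def main():
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    result = triage(text)
    print("public-source DROPs on LAN hosts:")
    for (src, proto, dpt), n in result["public"].most_common():
        print(f"  {src:16} {proto}/{dpt}: {n}")
    print("sender MACs that forwarded them:")
    for mac, n in result["forwarders"].most_common():
        print(f"  {mac}: {n}")


if __name__ == "__main__":
    main()
```

Run it against a real file with `python3 triage.py /var/log/messages` (or whatever file receives kernel log lines on the LAN host). If every public-source DROP carries the same sender MAC, comparing that MAC with the router's LAN interface and with the ONT tells you which device is handing those packets into the LAN, which is the same question the tcpdump check answers from the firewall's side.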