I don't understand what you are asking, but the default isolated wg0 interface 
can be allowed to access physical LAN interfaces with:

_x_ Allow WireGuard VPN tunnel to the [ 1st     ] LAN Interface(s)

And LANs can access Local by default.

Lonnie



> On Sep 8, 2019, at 10:57 PM, Michael Knill 
> <michael.kn...@ipcsolutions.com.au> wrote:
> 
> Thanks Lonnie.
> 
> Just wondering how I could use Deny LAN->Local when I actually want to allow 
> onsite local LAN traffic to access the system admin interface? 
> I really need a Pass LAN->Local to do this!
> 
> Regards
> Michael Knill
> 
> On 9/9/19, 1:11 pm, "Lonnie Abelbeck" <li...@lonnie.abelbeck.com> wrote:
> 
> 
> 
>> On Sep 8, 2019, at 8:46 PM, Michael Knill 
>> <michael.kn...@ipcsolutions.com.au> wrote:
>> 
>> Hi Group
>> 
>> I am seeing lots of hacking attempts on my systems as they have found my 
>> non-standard SSH port. Although there is no issue as I have SSH key access 
>> only, I'm sick of the long list of addresses in the Adaptive Ban list and I'm 
>> thinking I should be adding another line of defence in my security anyway.
>> As such, along with implementing Geoblocking Netset files (next release), I 
>> also want to use a Jump box for management. This server would connect to 
>> each system via Wireguard VPN allowing management also when in a failover 
>> condition through NAT e.g. 4G backup, firewall managed by others.
>> 
>> With this architecture in mind, I was wondering how I would go about 
>> restricting access to a single port only from this Wireguard VPN tunnel to 
>> the local interface e.g. wg0 address. I think it is completely open currently.
>> 
>> Is it easy to do?
>> 
>> Regards
>> Michael Knill
> 
>    If SSH access can only occur within a WireGuard tunnel, no port filtering 
> is required since access is secured by WireGuard.
> 
>    As such, only allow remote user access to the management VPN via a 
> WireGuard tunnel.
> 
>    But, if you want to filter SSH from wg0 to the local device by source IP 
> address, try 
> 
>    Firewall Rules:
>    Action: [ Deny LAN->Local ]
> 
>    keeping in mind that the wg0 interface is treated as an isolated LAN 
> subnet from any other LAN subnet.
> 
>    Lonnie
> 
> 
> 
>    _______________________________________________
>    Astlinux-users mailing list
>    Astlinux-users@lists.sourceforge.net
>    https://lists.sourceforge.net/lists/listinfo/astlinux-users
> 
>    Donations to support AstLinux are graciously accepted via PayPal to 
> pay...@krisk.org.
> 
> 
> 


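As an added example (not code from this thread, and not AstLinux's own firewall configuration): a POSIX shell function that emits the iptables rules implementing the single-port restriction Michael asks for, i.e. SSH reachable from the jump box's tunnel address only, to this host's wg0 address only, with everything else the tunnel sends to the local host dropped. The addresses and port are constructed placeholders, and where such rules must be loaded relative to the rules the AstLinux firewall already installs on wg0 is an assumption you need to check on your own system.

```shell
#!/bin/sh
# Added example: emit (not apply) iptables rules restricting wg0 -> local host
# traffic to one SSH port from one management peer. Values are placeholders.
wg_ssh_rules() {
    jump_ip="$1"     # tunnel address of the jump box, e.g. 10.8.0.2
    wg_addr="$2"     # this host's own wg0 address, e.g. 10.8.0.1
    ssh_port="$3"    # the (non-standard) SSH port sshd listens on

    # Replies to connections this host opened through the tunnel stay allowed.
    echo "iptables -A INPUT -i wg0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Management path: only the jump box, only to the wg0 address, only SSH.
    echo "iptables -A INPUT -i wg0 -s ${jump_ip}/32 -d ${wg_addr}/32 -p tcp --dport ${ssh_port} -m conntrack --ctstate NEW -j ACCEPT"
    # Anything else arriving on wg0 for the local host is rate-limited logged,
    # then dropped, so a compromised peer cannot reach other local services.
    echo "iptables -A INPUT -i wg0 -m limit --limit 5/min -j LOG --log-prefix \"wg0-local-drop: \""
    echo "iptables -A INPUT -i wg0 -j DROP"
}

# Review the output first, then apply it, e.g.:
#   wg_ssh_rules 10.8.0.2 10.8.0.1 2222 | sh
```

The DROP rule must come after the ACCEPT rules, and all of them must sit before any broader ACCEPT the existing firewall places on wg0, or they never match.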
