Hi sorry Lonnie, I didn't explain it well enough. I want to provide different access to Local from a physical LAN than from the wg0 interface. For instance, I want to open TCP 443, my SSH port and possibly other ports from the physical LAN, but open my SSH port only from wg0.

I could do it based on the source IP; however, as only Deny LAN->Local rules are possible, I'm not sure how I could just open a single port and deny all the rest?

Regards
Michael Knill

On 9/9/19, 11:05 pm, "Lonnie Abelbeck" <li...@lonnie.abelbeck.com> wrote:

I don't understand what you are asking, but the default isolated wg0 interface can be allowed to access physical LAN interfaces with:

_x_ Allow WireGuard VPN tunnel to the [ 1st ] LAN Interface(s)

And LANs can access Local by default.

Lonnie

> On Sep 8, 2019, at 10:57 PM, Michael Knill <michael.kn...@ipcsolutions.com.au> wrote:
>
> Thanks Lonnie.
>
> Just wondering how I could use Deny LAN->Local when I actually want to allow onsite local LAN traffic to access the system admin interface?
> I really need a Pass LAN->Local to do this!
>
> Regards
> Michael Knill
>
> On 9/9/19, 1:11 pm, "Lonnie Abelbeck" <li...@lonnie.abelbeck.com> wrote:
>
>
>> On Sep 8, 2019, at 8:46 PM, Michael Knill <michael.kn...@ipcsolutions.com.au> wrote:
>>
>> Hi Group
>>
>> I am seeing lots of hacking attempts on my systems, as they have found my non-standard SSH port. Although there is no issue, as I have SSH key access only, I'm sick of the long list of addresses in the Adaptive Ban list and I'm thinking I should be adding another line of defence to my security anyway.
>> As such, along with implementing Geoblocking Netset files (next release), I also want to use a jump box for management. This server would connect to each system via WireGuard VPN, allowing management also when in a failover condition through NAT, e.g. 4G backup, firewall managed by others.
>>
>> With this architecture in mind, I was wondering how I would go about restricting access to a single port only from this WireGuard VPN tunnel to the local interface, e.g. the wg0 address. I think it is completely open currently.
>>
>> Is it easy to do?
>>
>> Regards
>> Michael Knill
>
> If SSH access can only occur within a WireGuard tunnel, no port filtering is required since access is secured by WireGuard.
>
> As such, only allow remote user access to the management VPN via a WireGuard tunnel.
>
> But, if you want to filter SSH from wg0 to the local device by source IP address, try
>
> Firewall Rules:
> Action: [ Deny LAN->Local ]
>
> keeping in mind that the wg0 interface is treated as an isolated LAN subnet from any other LAN subnet.
>
> Lonnie
>
>
> _______________________________________________
> Astlinux-users mailing list
> Astlinux-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/astlinux-users
>
> Donations to support AstLinux are graciously accepted via PayPal to pay...@krisk.org.
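The per-interface policy Michael is after (LAN reaches TCP 443 and SSH, wg0 reaches SSH only, everything else to Local denied) modelled as an ordered first-match rule table, with a rendering to plain iptables INPUT rules. This is an added example, not AstLinux, arno-iptables-firewall or any poster's code; the LAN interface name `eth1` and SSH port `2222` are assumed placeholders.

```python
from dataclasses import dataclass
from typing import List, Optional

LAN_IF = "eth1"     # assumed name of the physical LAN interface
VPN_IF = "wg0"      # WireGuard tunnel interface, as in the thread
SSH_PORT = 2222     # placeholder for the non-standard SSH port
HTTPS_PORT = 443    # the TCP 443 service mentioned in the thread

@dataclass(frozen=True)
class Rule:
    iface: str                   # ingress interface the rule matches
    action: str                  # "accept" or "drop"
    dport: Optional[int] = None  # None = any TCP destination port

# First match wins, so the narrow accepts come before the interface-wide drop.
# LAN reaches 443 and SSH; wg0 reaches SSH only; anything not listed falls
# through to the chain default (drop), so no per-source-IP deny list is needed.
LOCAL_POLICY: List[Rule] = [
    Rule(LAN_IF, "accept", HTTPS_PORT),
    Rule(LAN_IF, "accept", SSH_PORT),
    Rule(VPN_IF, "accept", SSH_PORT),
    Rule(VPN_IF, "drop"),  # everything else arriving over the tunnel
]

def evaluate(iface: str, dport: int, policy: List[Rule] = LOCAL_POLICY,
             default: str = "drop") -> str:
    """Decision for a new TCP connection to Local from `iface` on port `dport`."""
    for rule in policy:
        if rule.iface == iface and rule.dport in (None, dport):
            return rule.action
    return default

def to_iptables(policy: List[Rule] = LOCAL_POLICY, chain: str = "INPUT") -> List[str]:
    """Render the same ordered table as iptables commands for the INPUT chain.
    An ESTABLISHED,RELATED accept is assumed to sit above these rules."""
    lines = []
    for r in policy:
        cmd = f"iptables -A {chain} -i {r.iface} -p tcp"
        if r.dport is not None:
            cmd += f" --dport {r.dport}"
        target = "ACCEPT" if r.action == "accept" else "DROP"
        lines.append(f"{cmd} -m conntrack --ctstate NEW -j {target}")
    return lines

if __name__ == "__main__":
    for iface, port in [(LAN_IF, 443), (LAN_IF, SSH_PORT), (VPN_IF, SSH_PORT), (VPN_IF, 443)]:
        print(f"{iface}:{port} -> {evaluate(iface, port)}")
    print("\n".join(to_iptables()))
```

The rendered rules are the ordering the AstLinux GUI cannot express with Deny rules alone: a single-port accept for wg0 placed above a drop for the rest of the tunnel.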