Hi,

I could solve the issue on my own. The "option dest 'lan'" is missing in the blocking rule, and the destination port must be 8443.
Regards,
Hartmut

On 26.11.2022 at 11:47, e9hack wrote:
> Hi,
>
> I do redirect https traffic from wan to a specific ip address in lan with a different port:
>
>     config redirect
>         option enabled '1'
>         option name 'wan: Redirect HTTPS for xxxx.net:443 to my-box.yyyy.lan:8443'
>         option target 'DNAT'
>         option src 'wan'
>         option dest 'lan'
>         option proto 'tcp'
>         option family 'ipv4'
>         option src_dport '443'
>         option dest_ip '192.168.101.92'
>         option dest_port '8443'
>         option reflection '1'
>
> I would like to block some ip ranges, following the example from the firewall documentation:
>
>     config ipset
>         option enabled '1'
>         option name 'dropcidr'
>         option match 'src_net'
>         option loadfile '/var/dropcidr.txt'
>
>     config rule
>         option enabled '1'
>         option src 'wan'
>         option proto 'tcp'
>         option ipset 'dropcidr'
>         option dest_port '443'
>         option target 'DROP'
>         option name 'DROP-HTTPS-WAN-LAN'
>
> It doesn't block redirected traffic from wan at 443 to the internal lan at 8443. I did try it with port 8443 in the blocking rule too, but it doesn't block anything. How must I define such a blocking rule?
>
> With firewall3 (iptables), I did add the following to firewall.user:
>
>     # load the HTTPS_BLACKLIST ipset from its saved restore file
>     ipset restore -file /tmp/https_blacklist.conf
>     # recreate the https_scan chain (flush before delete, -X fails on a non-empty chain)
>     iptables -n --list https_scan >/dev/null 2>&1
>     [ $? -eq 0 ] && iptables -F https_scan && iptables -X https_scan
>     iptables -N https_scan
>     # already-seen source: refresh its 30-minute entry and drop silently
>     iptables -A https_scan -m recent --name HTTPS_BLOCK --rsource --update --seconds 1800 --reap -j DROP
>     # first hit from a source: record it and log once
>     iptables -A https_scan -m recent --name HTTPS_BLOCK --rsource --set -j LOG --log-level info --log-prefix "HTTPS blocked: "
>     iptables -A https_scan -j DROP
>     # only DNAT'ed connections from wan to the redirected port, matching the blacklist, enter the chain
>     iptables -A forwarding_wan_rule -p tcp --dport 8443 -m conntrack --ctstate DNAT -m set --match-set HTTPS_BLACKLIST src -j https_scan
>
> How can I define a similar rule set for firewall4 (nftables)?
>
> Regards,
> Hartmut
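The nftables counterpart of the firewall.user snippet above, as an added example that is not part of the thread and not OpenWrt's own code. It translates the iptables chain one to one: the `-m set` blacklist becomes a static set with `flags interval`, the `-m recent` 30-minute memory becomes a dynamic set with a timeout, and `--ctstate DNAT` becomes `ct status dnat`. The table name `https_guard`, the set and chain names, the interface name `wan` and the blacklist elements (RFC 5737 documentation ranges) are all assumptions; replace them with the real wan device and the ranges from /var/dropcidr.txt. The table is standalone rather than placed inside fw4's `inet fw4` table, so a `drop` here takes effect regardless of what fw4's own forward chain decides for the packet.

```nft
#!/usr/sbin/nft -f
# Added example: block DNAT-redirected HTTPS (wan:443 -> lan:8443) from
# blacklisted source ranges, with a 30-minute per-source memory and one
# log line per block window, mirroring the iptables "recent" chain.

table inet https_guard
delete table inet https_guard   # idempotent reload: drop any previous copy

table inet https_guard {
    # Static blacklist, equivalent of the HTTPS_BLACKLIST ipset (src_net match).
    # Elements are constructed placeholders (documentation ranges), not real IoCs.
    set https_blacklist {
        type ipv4_addr
        flags interval
        elements = { 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24 }
    }

    # Dynamic set, equivalent of "-m recent --name HTTPS_BLOCK --seconds 1800".
    # Entries are added from the packet path and expire 30 minutes after last refresh.
    set https_block {
        type ipv4_addr
        flags dynamic,timeout
        timeout 30m
    }

    # Equivalent of the custom https_scan chain.
    chain https_scan {
        # Source already recorded: refresh its timer and drop silently
        # (iptables: --update --seconds 1800 --reap -j DROP).
        ip saddr @https_block update @https_block { ip saddr timeout 30m } drop

        # First hit from this source: record it, log once, drop
        # (iptables: --set -j LOG followed by -j DROP).
        add @https_block { ip saddr timeout 30m } log prefix "HTTPS blocked: " level info drop
    }

    # Equivalent of the forwarding_wan_rule entry. "wan" is the assumed ingress
    # device name; on many OpenWrt builds it is eth0.2, pppoe-wan or similar.
    chain forward {
        type filter hook forward priority filter; policy accept;
        iifname "wan" tcp dport 8443 ct status dnat ip saddr @https_blacklist jump https_scan
    }
}
```

Load it with `nft -f /etc/https_guard.nft`, and inspect the blocked sources and their remaining lifetime with `nft list set inet https_guard https_block`. Matching on `dport 8443` together with `ct status dnat` is the same point the reply makes for the UCI rule: after the redirect, the forward hook sees the translated destination port, not the original 443.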
_______________________________________________
openwrt-devel mailing list
[email protected]
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
