I've become a little stuck on setting up ipset correctly. I followed the instructions from an email as follows:

DYNAMIC_BLACKLIST=ipset-only,timeout=3600::info

and in Rules at end

ADD(SW_DBL4:src)    net    $FW

and after some testing everything seemed to be working all OK. Using Shorewall 5.0.14.1

I have port 80 (web server) and 25 (Postfix server) open in my Rules file. Internal network using 192.168.1.1 on eth1

But as soon as I tried using the browser on my local network machine, web sites like Facebook just stopped working.

I've tried to find a simple (I'm no IT specialist, just a home hobbyist) explanation as to what I have done wrong or missed, and seem to have hit a brick wall.

If someone could point me in the right direction I would be very grateful.

Kind Regards, Nigel Aves.


In case it helps, here is my rules file.

DHCPfwd/ACCEPT    loc    fw
#
#
DHCPfwd/ACCEPT    $FW    loc
#
# Accept for web server
ACCEPT    net    $FW        tcp    80
# no ssl
#  ACCEPT    net    $FW           tcp    443
#
#
# Turn FTP off when not transferring files from VideoKing
#
#  FTP/ACCEPT    net    fw    -    21
#  ACCEPT    net    $FW    tcp    6000:6100
#
######  use Webmin while away, turn off when returned. Here is the setting
# Don't forget to turn on for trips.
#
# ACCEPT    net    $FW     tcp    1xxxx
#
#
SMTP/ACCEPT    net    $FW    -    25
#
DNS(ACCEPT)    $FW        net
#    Accept DNS connections from the firewall to the network
#
SSH(ACCEPT)    loc        $FW
#
#    Accept SSH connections from the local network for administration
#
Ping(ACCEPT)    loc        $FW
#
#    Allow Ping from the local network
#
#
## Internal accepts
#
#Cable TV forward
DNAT    net    loc:192.168.1.180    udp    27177
DNAT    net    loc:192.168.1.180    udp    27178
DNAT    net    loc:192.168.1.180    tcp    27177
DNAT    net    loc:192.168.1.180    tcp    27178
#
ACCEPT             loc        $FW          tcp
ACCEPT             loc        $FW          udp
#
DNS(ACCEPT)      loc        $FW
SMB(ACCEPT)      loc        $FW
SMB(ACCEPT)      $FW        loc
#
DNS(ACCEPT)      phone        $FW
#
# Drop Ping from the "bad" net zone.. and prevent your log from being flooded..
#
Ping(DROP)    net        $FW
ACCEPT        $FW        loc        icmp
ACCEPT        $FW        net        icmp
#
ACCEPT        $FW        phone        icmp
#
# turn on ipset to stop testing ports from outside
#
# ADD(SW_DBL4:src)    net    $FW
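A small troubleshooting helper, added here and not part of the original post: with DYNAMIC_BLACKLIST=ipset-only the addresses caught by the ADD rule land in the SW_DBL4 ipset with a 3600 s timeout, so the first check when a site stops loading from the LAN is whether that site's address is sitting in the set. It assumes the default plain `ipset list` output format; the listing embedded below is a constructed sample standing in for a real `ipset list SW_DBL4`.

```shell
#!/bin/sh
# Read the dynamic blacklist ipset (SW_DBL4, the set named in the post) and
# report which addresses were auto-added and how long they stay there.
# Constructed sample of `ipset list SW_DBL4` output, not from a real host.
SAMPLE_IPSET_LIST='Name: SW_DBL4
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536 timeout 3600
Size in memory: 264
References: 2
Number of entries: 2
Members:
203.0.113.7 timeout 3412
198.51.100.9 timeout 88'

# dbl_members [LISTING]: print "ADDR SECONDS_LEFT" for every entry, longest
# remaining timeout first. Reads the live set when no listing is given.
dbl_members() {
    listing=${1:-$(ipset list SW_DBL4)}
    printf '%s\n' "$listing" | awk '
        /^Members:/ { inmembers = 1; next }
        inmembers && NF >= 3 { print $1, $3 }' | sort -k2,2nr
}

# dbl_lookup ADDR [LISTING]: print the seconds left for ADDR and return 0 if
# it is blacklisted; print nothing and return 1 if it is not.
dbl_lookup() {
    addr=$1
    listing=${2:-$(ipset list SW_DBL4)}
    printf '%s\n' "$listing" | awk -v a="$addr" '
        /^Members:/ { inmembers = 1; next }
        inmembers && $1 == a { print $3; found = 1; exit }
        END { exit found ? 0 : 1 }'
}

# Typical use on the firewall: is the address a LAN client cannot reach in
# the set? If it is, `shorewall allow ADDR` releases it before the timeout.
if [ "${1:-}" ]; then
    dbl_lookup "$1" || echo "$1 is not in SW_DBL4"
fi
```

Run it as root on the firewall with the unreachable address as the argument; with no argument the functions are simply defined for use from an interactive shell.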

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users