[Firewall] IPv6 not blocking INET->DMZ or INET->LAN

Jason Stahls jason at justuscare.ca
Tue Mar 18 18:29:18 CET 2014


Figured it out; not sure if it's the right way, but port scans appear to 
say it's working :)

Started with a fresh firewall.conf from the tarball, eth0 for EXT, ppp+ 
for INT and tun+ in DMZ.  Opened the ports I wanted open on eth0 with 
OPEN_TCP/UDP, opened ports for specific DMZ hosts with 
DMZ_HOST_OPEN_TCP/UDP and all seems to be good.

Thanks for the help :)

Jason

On 3/14/2014 4:20 PM, Lonnie Abelbeck wrote:
> Jason,
>
> I think all the info you need is in this thread, if you treat tun0 (or tun+) as an INT_IF, etc.
>
> I don't think OpenVPN would 'short-circuit' any forward paths, though there are some client to client rules in OpenVPN IIRC.
>
> Give it a shot, and if there are specific issues with specific tests, ask again.
>
> Lonnie
>
>
> On Mar 14, 2014, at 2:08 PM, Jason Stahls wrote:
>
>> Lonnie,
>>
>> This box's primary purpose is actually web/mail/db server, it is also the center of a PtMP OpenVPN network.
>>
>> IPv4 is all off-net, each site uses their local provider for general Internet.  IPv6 is all allocated out of the /48 I get from my hosting provider so it's all routed back through the OpenVPN links and jumps to the rest of the Internet through this box.  I want to open 22,25,53,80,etc. for the computer on its external interface but still block those ports forwarding through to the internal tun+ interface.  Do I do this via a NAT forward to one of the internal interface IPs, or a forward to the external interface, or? :)  I do have NAT enabled for PPTP clients (kind of roundabout but gets me on US Netflix) and I've set NAT_INTERNAL_NET to just the PPTP range.
>>
>> Thanks,
>>
>> Jason
>>
>> On 3/14/2014 10:46 AM, Lonnie Abelbeck wrote:
>>> Jason,
>>>
>>> A couple more 'tips'...
>>>
>>> For IPv4 NAT Forwarding use:
>>>
>>> NAT_FORWARD_TCP (or _UDP or _IP)
>>>
>>> For IPv6 (or routed IPv4) Forwarding use:
>>>
>>> INET_FORWARD_TCP (or _UDP or _IP)
>>>
>>> "Any" Host values:
>>>
>>> 0.0.0.0/0 - Any IPv4 Address
>>>
>>> ::/0 - Any IPv6 Address
>>>
>>> 0/0 - Any IPv4 or IPv6 Address (unless source or destination is qualified as IPv4 or IPv6)
>>>
>>> Lonnie
>>>
>>>
>>> On Mar 14, 2014, at 9:23 AM, Wijatmoko U. Prayitno wrote:
>>>
>>>> Use the variable HOST_OPEN_UDP or HOST_OPEN_TCP
>>>>
>>>> On Fri, 14 Mar 2014 10:18:44 -0400
>>>> Jason Stahls <jason at justuscare.ca> wrote:
>>>>
>>>>> I still haven't quite figured out what I've done, but I decided to
>>>>> start with a fresh config instead. How can I open ports for just the
>>>>> host? From my understanding of the comments, using OPEN_TCP/UDP/IP
>>>>> will cause it to forward and not block those ports, right?
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Jason
>>>>>
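The point the thread turns on is that "open to the outside world" and "forwarded to a host behind the box" are two different netfilter chains: ports for services on the box itself live in INPUT, while anything reaching the tun+ hosts in the routed /48 has to pass FORWARD, where IPv6 has no NAT to hide behind. The script below is an added example, not AstLinux or arno-iptables-firewall code and not the firewall.conf variables the thread uses; it writes a raw ip6tables-restore ruleset that expresses the same policy directly, so you can see exactly which chain each port ends up in. Interface roles (eth0 external, ppp+ internal, tun+ DMZ) and the port list are taken from the thread; the 2001:db8::/48 prefix, the DMZ host address and the "host~port" notation for per-host openings are my own assumptions.

```shell
#!/bin/sh
# Added example: generate an ip6tables-restore ruleset that opens ports on the
# box itself (INPUT) without forwarding them into the routed /48 (FORWARD).
# Not the firewall's own config format; roles/ports follow the thread, the
# prefix and DMZ host below are assumed documentation addresses.

EXT_IF="eth0"            # Internet-facing interface
INT_IF="ppp+"            # PPTP clients, treated as the trusted INT side
DMZ_IF="tun+"            # OpenVPN links carrying the routed /48 (DMZ side)
DMZ_NET="2001:db8::/48"  # assumed: stands in for the provider-routed /48

OPEN_TCP="22 25 53 80"   # services on the box: INPUT only, never FORWARD
OPEN_UDP="53"
# Ports that *are* allowed through to specific DMZ hosts, "host~port"
# (my notation for this example, not the firewall's syntax).
DMZ_HOST_OPEN_TCP="2001:db8:1::80~80 2001:db8:1::80~443"
DMZ_HOST_OPEN_UDP=""

# emit_input_opens IFACE PROTO "PORT ..."  -> one INPUT rule per port
emit_input_opens() {
  for p in $3; do
    printf '%s\n' "-A INPUT -i $1 -p $2 --dport $p -m conntrack --ctstate NEW -j ACCEPT"
  done
}

# emit_dmz_opens PROTO "HOST~PORT ..."  -> one FORWARD rule per host/port pair
emit_dmz_opens() {
  for e in $2; do
    host=${e%~*}; port=${e#*~}
    printf '%s\n' "-A FORWARD -i $EXT_IF -o $DMZ_IF -d $host -p $1 --dport $port -m conntrack --ctstate NEW -j ACCEPT"
  done
}

gen_ip6_ruleset() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -i $INT_IF -j ACCEPT
EOF
  # The same service ports are reachable from the Internet and from the DMZ
  # links; the DMZ gets nothing else on the box (least privilege).
  for ifc in "$EXT_IF" "$DMZ_IF"; do
    emit_input_opens "$ifc" tcp "$OPEN_TCP"
    emit_input_opens "$ifc" udp "$OPEN_UDP"
  done
  cat <<EOF
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -p ipv6-icmp -j ACCEPT
-A FORWARD -i $DMZ_IF -o $EXT_IF -s $DMZ_NET -j ACCEPT
-A FORWARD -i $INT_IF -o $EXT_IF -j ACCEPT
EOF
  # INET->DMZ: only the explicit per-host entries; INET->INT: nothing.
  emit_dmz_opens tcp "$DMZ_HOST_OPEN_TCP"
  emit_dmz_opens udp "$DMZ_HOST_OPEN_UDP"
  cat <<EOF
-A FORWARD -i $EXT_IF -m limit --limit 5/min -j LOG --log-prefix "ip6-fwd-drop:"
COMMIT
EOF
}

# Count of INET->DMZ forward openings, handy for a sanity check after editing.
count_inet_dmz_opens() {
  gen_ip6_ruleset | grep -c "^-A FORWARD -i $EXT_IF -o $DMZ_IF "
}

case "${1:-print}" in
  print) gen_ip6_ruleset ;;
esac
```

Load it with `sh gen.sh > /etc/ip6.rules && ip6tables-restore --test /etc/ip6.rules` before `ip6tables-restore /etc/ip6.rules`; the `--test` pass catches syntax errors without touching the live tables. To confirm the split, compare `ip6tables -S INPUT` (the 22/25/53/80 rules on eth0) against `ip6tables -S FORWARD` (only the per-host DMZ entries with `-i eth0`), then run `nmap -6 -p 22,25,80,443` from outside against both the box's own address and a /48 address on a tun+ link: the box should answer on 22/25/80, the DMZ host only on what you listed. Blanket-accepting ipv6-icmp is deliberate; filtering ICMPv6 breaks neighbour discovery and path MTU discovery.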