Outbound traffic through router
by Michael Crider - HOEC
I am trying to recreate an existing firewall configuration created in
Firewall Builder using Firewalld. It runs on a router that controls
traffic in and out of our company network. The existing configuration
has rules that permit traffic to be relayed out on specified ports for
specified addresses on the internal network. For example: a list of
addresses are allowed to get out on ports 80 and 443 for http and https
traffic, any other internal machines are denied. I currently have the
external interface in the external zone, and the internal interface in
the public zone, with the following configuration:
external (active)
  target: DROP
  icmp-block-inversion: no
  interfaces: ens2f1
  sources:
  services:
  ports:
  protocols:
  masquerade: yes
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

public (active)
  target: %%REJECT%%
  icmp-block-inversion: no
  interfaces: ens2f0
  sources:
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
I have found examples of direct interface rules for allowing traffic
out, but is there any other way (rich rule or something else I'm
overlooking) to unblock traffic like the log excerpt below? As far as I
can tell a rich rule with an element of service and an action of accept
only allows traffic to the router, not passing through the router.
kernel: [21251.995383] FWDI_public_REJECT: IN=ens2f0 OUT=ens2f1
MAC=00:1e:67:7c:95:6c:f8:16:54:37:3a:e3:08:00 SRC=192.168.10.195
DST=xx.xx.xx.xx LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=35016 DF PROTO=TCP
SPT=45504 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
5 years, 10 months
Firewalld & IPv6
by Paavo Leinonen
Hi,
I'm running firewalld in a router that connects the devices in my home LAN
to the internet.
I have recently added IPv6 DHCPv6 config to the router, and prefix
delegation works, so the devices in my home LAN get proper IPv6 addresses.
However, I don't like the idea that all IPv6 enabled devices in my home LAN
have public IPv6 addresses. I'd very much prefer a simple IPv4-style NAT
approach to protect the devices in my home LAN from being accessed from the
internet.
How do I implement something like this with firewalld in the router?
wanif=eth0
lanif=eth1
# New connections are forwarded only when they enter on the LAN side and leave on the WAN side
ip6tables -A FORWARD -m state --state NEW -i $lanif -o $wanif -j ACCEPT
# Replies and related traffic for already-accepted connections pass in both directions
ip6tables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Everything else that would be forwarded, including unsolicited inbound IPv6, is dropped
ip6tables -P FORWARD DROP
Other ways to protect the devices in my home LAN from being accessed from
the internet?
-Paavo
5 years, 10 months
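Both posts ask for the same thing: forwarded LAN-to-WAN traffic controlled by firewalld rather than by zone rules, which only filter traffic addressed to the router itself. The script below is an added example, not code from either poster or from the firewalld project; it assumes firewalld 0.9 or later, whose policy objects attach rules to an ingress/egress zone pair, and the policy name `lan-to-wan`, the host list and the `FIREWALL_CMD`/`FAMILY` variables are the example's own.

```shell
#!/bin/sh
# Added example (not from either post): a firewalld policy that permits forwarded
# LAN->WAN traffic only for listed hosts and services and rejects the rest.
# Assumes firewalld >= 0.9. Zone names follow the first post (public = LAN side,
# external = WAN side); policy name, host list and variables are made up here.
set -eu

FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"  # set to "echo" for a dry run
POLICY="${POLICY:-lan-to-wan}"
FAMILY="${FAMILY:-ipv4}"                      # rich-rule address family

# Constructed allow-list, one "address service..." entry per line.
# 192.168.10.195 is the client from the FWDI_public_REJECT log line.
ALLOWED_HOSTS='
192.168.10.195 http https
192.168.10.20  http https
'

# A policy sits between an ingress and an egress zone and filters the traffic
# forwarded between them, which is the hook the first post could not find.
create_policy() {
    $FIREWALL_CMD --permanent --new-policy "$POLICY"
    $FIREWALL_CMD --permanent --policy "$POLICY" --add-ingress-zone "$1"
    $FIREWALL_CMD --permanent --policy "$POLICY" --add-egress-zone "$2"
    # Whatever no rich rule accepts is rejected. For the second post's case use
    # --set-target ACCEPT with no host rules: firewalld already accepts
    # ESTABLISHED,RELATED replies, and WAN->LAN forwarding stays blocked
    # because no policy covers that direction.
    $FIREWALL_CMD --permanent --policy "$POLICY" --set-target REJECT
}

# One rich rule per (address, service) pair.
allow_host() {
    addr="$1"; shift
    for svc in "$@"; do
        $FIREWALL_CMD --permanent --policy "$POLICY" --add-rich-rule \
            "rule family=\"$FAMILY\" source address=\"$addr\" service name=\"$svc\" accept"
    done
}

build_lan_to_wan_policy() {
    create_policy public external
    printf '%s\n' "$ALLOWED_HOSTS" | while read -r addr services; do
        [ -n "$addr" ] || continue
        allow_host "$addr" $services   # unquoted on purpose: split the service list
    done
    $FIREWALL_CMD --reload
}

# Apply only when asked, so sourcing or dry-running the file changes nothing.
if [ "${1:-}" = "apply" ]; then build_lan_to_wan_policy; fi
```

Run with `FIREWALL_CMD=echo sh thisfile.sh apply` first to review the generated firewall-cmd invocations before applying them on the router.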