Hi,
after some intensive hours of dealing with switching an important system to
firewalld (v0.7.3) running on openSUSE 15.1, may I gently ask for some
clarification.
I have to pass VoIP to an Asterisk PBX through the firewall:
# empty and completely unrelated values removed
$ firewall-cmd --info-zone external
external (active)
target: default
icmp-block-inversion: no
interfaces: eth1
services: dns http https ssh
masquerade: yes
forward-ports: port=15060:proto=udp:toport=15060:toaddr=192.168.2.2
port=10000-10099:proto=udp:toport=10000-10099:toaddr=192.168.2.2
icmp-blocks: *almost all*
rich rules:
rule family="ipv4" source address="213.167.161.0/26" destination address="192.168.2.2/32" port port="15060" protocol="udp" accept
rule family="ipv4" source address="213.167.162.0/26" destination address="192.168.2.2/32" port port="15060" protocol="udp" accept
Due to continuous attacks on the VoIP infrastructure, I'm using a non-standard
SIP port here and try to block all accesses that don't derive from my
provider. If forward ports and rich rules are combined, is the rich rule
effective before forwarding (using the iptables backend)? Given it is, would
this hold true with the nftables backend as well?
Thanks,
Pete
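Added example, not part of Pete's message: firewalld's rich rule language lets a single rule carry both the source restriction and the forward-port element, so for rules written this way the ordering between zone-wide forward-ports and separate accept rules does not come into play. The provider networks, PBX address and ports are taken from the zone output above; the zone name and the DRY_RUN switch are assumptions of this script.

```shell
# Constructed from the values in the message above.
PROVIDER_NETS="213.167.161.0/26 213.167.162.0/26"
PBX_ADDR="192.168.2.2"
ZONE="external"   # assumed zone name, as in the --info-zone output

# Build one rich rule that forwards only traffic from the given source net, e.g.
#   rule family="ipv4" source address="213.167.161.0/26" forward-port port="15060" protocol="udp" to-addr="192.168.2.2"
# Arguments: source-net port(s) protocol to-addr
sip_forward_rule() {
    printf 'rule family="ipv4" source address="%s" forward-port port="%s" protocol="%s" to-addr="%s"' \
        "$1" "$2" "$3" "$4"
}

# Emit one rule per provider net for the SIP port and the RTP range.
# With DRY_RUN=1 (the default) the firewall-cmd invocations are only printed,
# so the result can be reviewed offline before anything is applied.
emit_rules() {
    for net in $PROVIDER_NETS; do
        for spec in "15060 udp" "10000-10099 udp"; do
            set -- $spec
            rule=$(sip_forward_rule "$net" "$1" "$2" "$PBX_ADDR")
            if [ "${DRY_RUN:-1}" = 1 ]; then
                printf "firewall-cmd --permanent --zone=%s --add-rich-rule='%s'\n" "$ZONE" "$rule"
            else
                firewall-cmd --permanent --zone="$ZONE" --add-rich-rule="$rule"
            fi
        done
    done
    # Permanent changes only take effect after a reload.
    [ "${DRY_RUN:-1}" = 1 ] && echo "firewall-cmd --reload"
}

emit_rules
```

Run with DRY_RUN=0 as root to apply the rules instead of printing them.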