On Thu, Nov 08, 2018 at 11:32:56PM +0100, Hans-Peter Jansen wrote:
On Donnerstag, 8. November 2018 20:09:07 Hans-Peter Jansen wrote:
I'm about to combine these zones into external, using more rich rules similar to those that I'm using already, and changing the external target to drop.
This is how it looks now:
drop (active)
  target: DROP
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services:
  ports: 22/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks: address-unreachable bad-header beyond-scope communication-prohibited destination-unreachable echo-reply failed-policy fragmentation-needed host-precedence-violation host-prohibited host-redirect host-unknown host-unreachable ip-header-bad network-prohibited network-redirect network-unknown network-unreachable no-route packet-too-big parameter-problem port-unreachable precedence-cutoff protocol-unreachable reject-route required-option-missing source-route-failed time-exceeded timestamp-reply timestamp-request tos-host-redirect tos-host-unreachable tos-network-redirect tos-network-unreachable ttl-zero-during-reassembly ttl-zero-during-transit unknown-header-type unknown-option
  rich rules:
        rule family="ipv4" source address="172.16.123.0/24" service name="http" accept
        rule family="ipv4" source address="172.16.123.0/24" port port="4559" protocol="tcp" accept
        rule family="ipv4" source address="172.16.123.0/24" port port="19150" protocol="tcp" accept
        rule family="ipv4" source address="172.16.123.0/24" port port="15060" protocol="udp" accept
        rule family="ipv4" source address="172.16.123.0/24" port port="10000-10099" protocol="udp" accept
        rule family="ipv4" source address="213.167.161.0/26" port port="15060" protocol="udp" accept
        rule family="ipv4" source address="213.167.161.0/26" port port="10000-10099" protocol="udp" accept
        rule family="ipv4" source address="213.167.162.0/26" port port="15060" protocol="udp" accept
        rule family="ipv4" source address="213.167.162.0/26" port port="10000-10099" protocol="udp" accept
        rule family="ipv4" source address="172.16.123.0/24" icmp-type name="echo-reply" accept
        rule family="ipv4" source address="172.16.123.0/24" icmp-type name="echo-request" accept
Is that considered good practice?
I don't follow why you have these rich rules instead of just adding the services/ports to your "voip" zone.
Ideally you'd have a zone per logical grouping of source IP address. I think zones set up as below get you what you desire without rich rules.
voip-plus-more (active)
  target: default
  icmp-block-inversion: yes
  interfaces: http
  sources: 172.16.123.0/24
  services: http
  ports: 10000-10099/udp 15060/udp 4559/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks: echo-reply echo-request
  rich rules:

voip (active)
  target: default
  icmp-block-inversion: no
  interfaces:
  sources: 213.167.161.0/26 213.167.162.0/26
  services:
  ports: 10000-10099/udp 15060/udp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

drop (active)
  target: DROP
  icmp-block-inversion: yes
  interfaces: eth0
  sources:
  services:
  ports: 22/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
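One check worth running before applying the zone-per-source-group layout suggested above, as an added example that is not from this thread or from the firewalld project: firewalld binds a source address to exactly one zone, so the source sets of the zones must not overlap. The script below validates that and renders each zone as firewalld zone XML (the /etc/firewalld/zones/<name>.xml format); the zone data is constructed from the reply's listing.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Zone layout constructed from the reply's listing (the "drop" zone has no sources).
ZONES = {
    "voip-plus-more": {
        "target": "default",
        "sources": ["172.16.123.0/24"],
        "services": ["http"],
        "ports": [("10000-10099", "udp"), ("15060", "udp"), ("4559", "tcp")],
        "icmp_blocks": ["echo-reply", "echo-request"],
        "icmp_block_inversion": True,
    },
    "voip": {
        "target": "default",
        "sources": ["213.167.161.0/26", "213.167.162.0/26"],
        "services": [],
        "ports": [("10000-10099", "udp"), ("15060", "udp")],
        "icmp_blocks": [],
        "icmp_block_inversion": False,
    },
}

def overlapping_sources(zones):
    """Return (zone_a, zone_b, net_a, net_b) for every pair of source networks in
    different zones that overlap; firewalld rejects such layouts as a zone conflict."""
    seen, clashes = [], []
    for name, zone in zones.items():
        for src in zone["sources"]:
            net = ipaddress.ip_network(src, strict=False)
            for other_name, other in seen:
                if other_name != name and net.overlaps(other):
                    clashes.append((other_name, name, str(other), str(net)))
            seen.append((name, net))
    return clashes

def zone_xml(name, zone):
    """Render one zone in firewalld's zone XML; target="default" is the file's default."""
    root = ET.Element("zone")
    if zone["target"] != "default":
        root.set("target", zone["target"])
    ET.SubElement(root, "short").text = name
    for src in zone["sources"]:
        ET.SubElement(root, "source", address=src)
    for svc in zone["services"]:
        ET.SubElement(root, "service", name=svc)
    for port, proto in zone["ports"]:
        ET.SubElement(root, "port", port=port, protocol=proto)
    for icmp in zone["icmp_blocks"]:
        ET.SubElement(root, "icmp-block", name=icmp)
    if zone["icmp_block_inversion"]:
        ET.SubElement(root, "icmp-block-inversion")
    return ET.tostring(root, encoding="unicode")
```

Run `overlapping_sources(ZONES)` before writing the files; an empty list means the grouping is valid.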