On Thursday, 8 November 2018 20:09:07 Hans-Peter Jansen wrote:
I'm about to combine these zones into external, using more rich rules similar to those I'm already using, and changing the external target to drop.
This is how it looks now:
drop (active)
  target: DROP
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services:
  ports: 22/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks: address-unreachable bad-header beyond-scope communication-prohibited destination-unreachable echo-reply failed-policy fragmentation-needed host-precedence-violation host-prohibited host-redirect host-unknown host-unreachable ip-header-bad network-prohibited network-redirect network-unknown network-unreachable no-route packet-too-big parameter-problem port-unreachable precedence-cutoff protocol-unreachable reject-route required-option-missing source-route-failed time-exceeded timestamp-reply timestamp-request tos-host-redirect tos-host-unreachable tos-network-redirect tos-network-unreachable ttl-zero-during-reassembly ttl-zero-during-transit unknown-header-type unknown-option
  rich rules:
	rule family="ipv4" source address="172.16.123.0/24" service name="http" accept
	rule family="ipv4" source address="172.16.123.0/24" port port="4559" protocol="tcp" accept
	rule family="ipv4" source address="172.16.123.0/24" port port="19150" protocol="tcp" accept
	rule family="ipv4" source address="172.16.123.0/24" port port="15060" protocol="udp" accept
	rule family="ipv4" source address="172.16.123.0/24" port port="10000-10099" protocol="udp" accept
	rule family="ipv4" source address="213.167.161.0/26" port port="15060" protocol="udp" accept
	rule family="ipv4" source address="213.167.161.0/26" port port="10000-10099" protocol="udp" accept
	rule family="ipv4" source address="213.167.162.0/26" port port="15060" protocol="udp" accept
	rule family="ipv4" source address="213.167.162.0/26" port port="10000-10099" protocol="udp" accept
	rule family="ipv4" source address="172.16.123.0/24" icmp-type name="echo-reply" accept
	rule family="ipv4" source address="172.16.123.0/24" icmp-type name="echo-request" accept
Is that considered good practice?
Thanks, Pete
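The zone listing quoted in the post, parsed and checked by a short script. This is an added example, not code from the original message or from firewalld. It assumes firewalld's iptables backend of that time installs icmp-blocks in the zone's IN_<zone>_deny chain and rich-rule accepts in IN_<zone>_allow, and evaluates deny before allow, so a rich-rule accept for an ICMP type that also appears in icmp-blocks (echo-reply above) never fires; that ordering should be confirmed on the host with `iptables -nL IN_drop_deny`. The sample listing is the post's own output, shortened, and the function names are mine. The second check lists what the zone opens to every source, which is the first thing to look at before merging it into external with a DROP target.

```python
"""Parse `firewall-cmd --zone=<zone> --list-all` output and audit it.
Added example, not code from the original post or from firewalld.

Assumption (firewalld iptables backend, 2018): a zone's traffic passes its
_log, _deny and _allow chains in that order; icmp-blocks live in _deny and
rich-rule accepts in _allow, so an accept for an ICMP type that is also in
icmp-blocks can never match. Check with `iptables -nL IN_<zone>_deny`.
"""
import re
from dataclasses import dataclass, field

# Shortened copy of the zone listing quoted in the post (icmp-blocks and rich
# rules cut down to a representative subset; echo-reply kept on purpose).
SAMPLE_ZONE = """\
drop (active)
  target: DROP
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services:
  ports: 22/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks: address-unreachable echo-reply timestamp-request time-exceeded
  rich rules:
\trule family="ipv4" source address="172.16.123.0/24" service name="http" accept
\trule family="ipv4" source address="172.16.123.0/24" port port="4559" protocol="tcp" accept
\trule family="ipv4" source address="213.167.161.0/26" port port="15060" protocol="udp" accept
\trule family="ipv4" source address="172.16.123.0/24" icmp-type name="echo-reply" accept
\trule family="ipv4" source address="172.16.123.0/24" icmp-type name="echo-request" accept
"""

# "key: a b c" lines that become list fields on Zone.
LIST_FIELDS = {"interfaces": "interfaces", "sources": "sources",
               "services": "services", "ports": "ports", "icmp-blocks": "icmp_blocks"}
ICMP_ACCEPT = re.compile(r'icmp-type name="([^"]+)".*\baccept\b')


@dataclass
class Zone:
    name: str = ""
    active: bool = False
    target: str = ""
    icmp_block_inversion: bool = False
    interfaces: list = field(default_factory=list)
    sources: list = field(default_factory=list)
    services: list = field(default_factory=list)
    ports: list = field(default_factory=list)
    icmp_blocks: list = field(default_factory=list)
    rich_rules: list = field(default_factory=list)


def parse_zone(text: str) -> Zone:
    """Turn one `--list-all` zone listing into a Zone."""
    zone = Zone()
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():
            # Header line: "<name>" or "<name> (active)".
            m = re.match(r"(\S+)(?:\s+\((\w+)\))?", raw)
            zone.name, zone.active = m.group(1), m.group(2) == "active"
        elif raw.startswith("\t") or raw.startswith("    "):
            # Rich rules follow "rich rules:" one per line, indented deeper.
            zone.rich_rules.append(raw.strip())
        else:
            key, _, value = raw.strip().partition(":")
            value = value.strip()
            if key == "target":
                zone.target = value
            elif key == "icmp-block-inversion":
                zone.icmp_block_inversion = value == "yes"
            elif key in LIST_FIELDS:
                setattr(zone, LIST_FIELDS[key], value.split())
    return zone


def shadowed_icmp_accepts(zone: Zone) -> list:
    """ICMP types a rich rule accepts while icmp-blocks also lists them.
    Only the non-inverted case is modelled; with inversion on, the listed
    types are the allowed ones and this check does not apply."""
    if zone.icmp_block_inversion:
        return []
    blocked = set(zone.icmp_blocks)
    return [m.group(1) for m in map(ICMP_ACCEPT.search, zone.rich_rules)
            if m and m.group(1) in blocked]


def unrestricted_openings(zone: Zone) -> list:
    """Ports and services opened zone-wide. Without a `sources:` binding the
    zone matches every address arriving on its interfaces."""
    if zone.sources:
        return []
    return [f"port {p}" for p in zone.ports] + [f"service {s}" for s in zone.services]


def audit(zone: Zone) -> list:
    """Human-readable findings from the two checks above."""
    findings = [f"rich-rule accept for icmp-type {t} is shadowed by icmp-blocks "
                f"(deny chain runs first); remove one of the two"
                for t in shadowed_icmp_accepts(zone)]
    where = ", ".join(zone.interfaces) or "no interface"
    findings += [f"{o} is open to every source on {where}" for o in unrestricted_openings(zone)]
    return findings


if __name__ == "__main__":
    for line in audit(parse_zone(SAMPLE_ZONE)):
        print(line)
```

Run against the full listing from the post, the script reports the echo-reply accept as dead and 22/tcp as reachable from any address on eth0; the latter is what a DROP target will not change, since ports listed under `ports:` are accepted before the target applies.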