Questions tagged [firewall]
A firewall is a program that controls the incoming and outgoing network traffic on a system. Use this tag for all questions related to firewall configuration and operation.
1,061 questions
0 votes, 0 answers, 47 views
Why doesn't my forward port work using firewall-cmd?
config forward port
firewall-cmd --permanent --add-masquerade
firewall-cmd --permanent --add-forward-port=port=81:proto=tcp:toaddr=127.0.0.1:toport=80
firewall-cmd --reload
Now, this is my firewall-...
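An added check, not part of the question above and not firewalld's own code: it parses what `firewall-cmd --list-forward-ports` prints and flags forward-ports whose target is a loopback address. A packet that arrives on a non-loopback interface and is DNATed to 127.0.0.0/8 is only routed by the kernel when `net.ipv4.conf.<ingress-iface>.route_localnet` is 1; with the default of 0 it is dropped as a martian, which is the usual reason a `toaddr=127.0.0.1` forward appears in the configuration but never delivers traffic. The sample output, the `live_forward_ports` helper and the zone argument are constructed for the example.

```python
"""Audit firewalld forward-ports that point at loopback (added example).

Parses the one-entry-per-line text printed by
`firewall-cmd --list-forward-ports`, e.g.
    port=81:proto=tcp:toport=80:toaddr=127.0.0.1
and reports entries whose target is a loopback address: those need
net.ipv4.conf.<ingress-iface>.route_localnet=1 or the DNATed packet is
dropped as a martian before it reaches the listener on 127.0.0.1.
"""
import ipaddress
import subprocess

# Constructed sample of `firewall-cmd --list-forward-ports` output.
SAMPLE_OUTPUT = """\
port=81:proto=tcp:toport=80:toaddr=127.0.0.1
port=2222:proto=tcp:toport=22:toaddr=10.0.0.5
port=5353:proto=udp:toport=53:toaddr=
"""


def parse_forward_ports(text):
    """Turn each 'k=v:k=v:...' line into a dict of its fields."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        entries.append(dict(field.split("=", 1) for field in line.split(":")))
    return entries


def needs_route_localnet(entry):
    """True when the forward target is a loopback address (IPv4 or IPv6)."""
    addr = entry.get("toaddr", "")
    if not addr:
        return False  # no toaddr: plain local port redirect, nothing routed to 127/8
    return ipaddress.ip_address(addr).is_loopback


def audit(text):
    """Return the forward-port entries that need route_localnet=1."""
    return [e for e in parse_forward_ports(text) if needs_route_localnet(e)]


def live_forward_ports(zone=None):
    """Fetch the real list from this host (assumes firewalld is installed)."""
    cmd = ["firewall-cmd", "--list-forward-ports"]
    if zone:
        cmd.append(f"--zone={zone}")
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    for e in audit(SAMPLE_OUTPUT):
        print(f"{e['proto']}/{e['port']} -> {e['toaddr']}:{e['toport']}: "
              "needs sysctl net.ipv4.conf.<ingress-iface>.route_localnet=1")
```

The sysctl is per ingress interface and is needed with both the iptables and the nftables backend of firewalld, because the check happens in the routing code after DNAT, not in the NAT rules themselves. Forwards to a non-loopback `toaddr` do not need it, but they do need the masquerade the question already enables so that replies return through the firewall.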
0 votes, 1 answer, 37 views
Block incoming GRE ERSPAN traffic on RHEL8
We have LinuxMachine (VoiceBiometrics) and the customer's VoiceBot.
LinuxMachine needs only SIP/SDP and RTP traffic from VoiceBot.
The customer's network engineers configured traffic mirroring on a Cisco device (GRE ...
0 votes, 0 answers, 44 views
Wireguard handshake, but no ping
I'm stuck at the most basic step, which is configuring PC2 (10.0.0.3) in order to allow connections from PC1 (10.0.0.1). Just a simple connection, no VPN or anything like that, for now.
I am using ...
0 votes, 1 answer, 34 views
Redirect all outgoing http and https requests to Burp using nftables
I'm working on a very limited client (based on Poky from the Yocto Project), on which I want to redirect all http/https requests to my other machine on the same network. I have nftables available on ...
0 votes, 1 answer, 92 views
Firewall to allow only web browsing and no other network access
I am working on Debian Stable and it is working very well.
I see apf-firewall, which simplifies iptables. I want my firewall to only allow web browsing (including forms) and block all other network access. ...
0 votes, 0 answers, 27 views
Help configuring firewall/routing for ocserv on Ubuntu
I can't set up internet access via OpenConnect.
From the router where the openconnect client is running, I see only the VPS with ocserv
root@OpenWrt:~# traceroute google.com
traceroute to google.com (74....
0 votes, 0 answers, 18 views
The issue with the order of rule execution in iptables
These are the iptables policies auto-generated by the firewalld.service. The iptables policies are matched in top-down order, but testing has found that the second rule " ACCEPT all -- 0.0....
0 votes, 1 answer, 63 views
Securing a linux machine with server running applications [closed]
I have Kubuntu 24.04 and, for development purposes, I want to install applications that open ports: specifically Docker, k8s, Cassandra, MySQL or Kafka.
What do I need to do to make sure my ...
0 votes, 0 answers, 40 views
Plesk Firewall blocking internet access for WireGuard clients
I'm currently facing an issue I can not fix myself. The initial idea was to set up WireGuard on my server running Plesk. I've searched the internet a bit and found this really nice tutorial. It really ...
0 votes, 1 answer, 109 views
Red Hat 8 - Decoding firewalld rejects
I have started testing the firewall on a Red Hat 8 system. My only question here is how to debug the cryptic data that means almost nothing. How do I trace a rejection back to the source of the ...
0 votes, 0 answers, 33 views
"Couldn't connect to server" outside of the server
I have a VPS instance running FreeBSD. I started a simple web server on port 80.
When I am ssh'd into the server, I can reach the server:
$ curl <server-ip-address>
hello
However, when I try to ...
1 vote, 1 answer, 104 views
Why does Debian ship a preconfigured firewall?
Recently I reinstalled Debian Testing (to become Trixie). After that, I couldn't use a network printer any more, which was resolved in this question.
This made me wonder:
Why is there a default ...
0 votes, 0 answers, 33 views
How To Add An Allow Rule To UFW's before*.rules
I've appended to my /etc/ufw/before6.rules file the following
-A ufw6-before-input -p tcp -s XX.XX.XXX.XX -j ACCEPT
-A ufw6-before-output -p tcp -d XX.XX.XXX.XX -j ACCEPT
but still am not able to ...
0 votes, 0 answers, 270 views
Running apt-get update in Debian Docker container hangs on installing bookworm
This is probably the strangest error I've run into.
So I'm running a Wikibase Docker setup on a Windows machine. The Docker containers are all Debian OS.
In order to install some packages upon setting ...
0 votes, 1 answer, 65 views
Forward Traffic From LAN To Tailscale Subnet with Firewalld
I have a Raspberry Pi with an ethernet connection on the end0 interface to the 10.15.16.0/20 network. It has a static IP address on this network at 10.20.30.15.
The Pi is also connected to my ...
0 votes, 1 answer, 107 views
Determining the performance Impact of firewalld rule count
I was working on tweaking the performance of fail2ban and I read that a too-long ban can result in a build-up of rules that will negatively impact performance, which made me wonder, "Is there any ...
0 votes, 0 answers, 66 views
pfSense routing issues
I've got a routing issue on my pfSense box that shows the response to a ping request being routed to an IP in a separate subnet/VLAN.
10:25:13.239238 IP 10.2.0.2 > 8.8.8.8: ICMP echo request, id 9374,...
0 votes, 0 answers, 106 views
Journalctl UFW Error
Jul 14 03:52:03 abysslocal kernel: [532579.389726] [UFW BLOCK] IN=enp9s0 OUT= MAC=08:62:66:26:28:c6:04:f4:d8:09:9e:88:08:00 SRC=192.168.4.37 DST=192.168.4.9 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=64656 ...
0 votes, 0 answers, 127 views
nftables creating a rule with a counter
To debug nftables and identify whether a rule is matched you can use a counter. If I set a counter and assign the ruleset, then the output of the counter list is empty. How do I list counters?
$ sudo nano /etc/...
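An added helper, not from the question and not part of nftables: the `counter` statement written inline in a rule is an anonymous counter, not a named counter object, so `nft list counters` (which lists only `counter <name> { ... }` objects declared in a table) stays empty for it. The per-rule packet and byte counts are printed on the rule line itself by `nft list ruleset`. The code below parses that text and reports which rules have never matched. The ruleset shown is constructed for the example.

```python
"""Read per-rule inline counters out of `nft list ruleset` (added example)."""
import re
import subprocess

# Constructed sample of `nft list ruleset` output: one named counter object,
# two rules with inline counters, one rule that references the named counter.
SAMPLE_RULESET = """\
table inet filter {
\tcounter ssh_hits {
\t\tpackets 3 bytes 180
\t}
\tchain input {
\t\ttype filter hook input priority filter; policy drop;
\t\tct state established,related accept
\t\ttcp dport 22 counter packets 17 bytes 1240 accept
\t\tip saddr 192.0.2.0/24 counter packets 0 bytes 0 log prefix "blocked: " drop
\t\ttcp dport 443 counter name "ssh_hits" accept
\t}
}
"""

INLINE_COUNTER_RE = re.compile(r"\bcounter packets (\d+) bytes (\d+)\b")


def rule_counters(text):
    """Return a list of {table, chain, rule, packets, bytes} for rules that
    carry an inline counter. Nesting is tracked with a stack of the block
    headers ('table inet filter', 'chain input', 'counter ssh_hits')."""
    stack, found = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("{"):
            stack.append(line[:-1].strip())
            continue
        if line == "}":
            stack.pop()
            continue
        m = INLINE_COUNTER_RE.search(line)
        if m and len(stack) == 2 and stack[1].startswith("chain "):
            found.append({
                "table": " ".join(stack[0].split()[1:]),  # e.g. 'inet filter'
                "chain": stack[1].split()[1],
                "rule": line,
                "packets": int(m.group(1)),
                "bytes": int(m.group(2)),
            })
    return found


def unmatched_rules(text):
    """Rules whose inline counter is still at zero: never hit so far."""
    return [r for r in rule_counters(text) if r["packets"] == 0]


def live_ruleset():
    """Fetch the real ruleset (needs root and the nft binary)."""
    return subprocess.run(["nft", "list", "ruleset"], capture_output=True,
                          text=True, check=True).stdout


if __name__ == "__main__":
    for r in rule_counters(SAMPLE_RULESET):
        print(f"{r['table']} {r['chain']}: {r['packets']:>6} pkts  {r['rule']}")
    for r in unmatched_rules(SAMPLE_RULESET):
        print("never matched:", r["rule"])
```

If you want a counter that `nft list counters` does show, declare it as an object in the table (`counter ssh_hits {}`) and reference it from the rule with `counter name "ssh_hits"`, as the last rule in the sample does; several rules can then share one counter.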
-1 votes, 2 answers, 121 views
Troubleshoot nftables configuration for ssh
I can connect via ssh to my cloud server. As a consequence of the rule-set below, the server refused the ssh connection.
I don't use custom ssh port. The server has an IPv6 address, in case that matters. And ...
0 votes, 0 answers, 182 views
No route to host (SSH) depending on the client
I am running sshd on port 22222 on a Fedora machine and tested ssh connection from a Mac within LAN and everything works. I also set up port forwarding from the router to my fedora machine and allowed ...
0 votes, 2 answers, 152 views
Wireguard and Ubuntu 22.04. Forcing traffic from port 25 over VPN
So I'm hosting a server in a docker container which is a client in a VPN network. I can't send any egress traffic out of port (say ummm 52) through the host. That box is a client to a wireguard server. ...
1 vote, 1 answer, 360 views
Prevent port scanning on OpenWRT
Imagine you need to have open ports on your Internet router but you don't want them to be easily discovered or enumerated.
How can you prevent hackers/companies from scanning your open ports?
0 votes, 1 answer, 401 views
How are source ports chosen for iptables SNAT targets?
By default the SNAT target keeps the source port of the original packet. If that port is already in use, it chooses one at random. Is there any way to influence the choice of this port or gauge the ...
1 vote, 1 answer, 192 views
How does linux report SNAT port exhaustion [closed]
I would like to monitor a router for potential SNAT port exhaustion. I'm fully aware of how unlikely this is to happen. I would still like to know how I could detect this on my running system. Does ...
2 votes, 0 answers, 47 views
Add user or process information in nftables logs
Hi,
Is it possible to customize nftables logs to add more information?
For example, it could be interesting to get user (uid, gid, ...) or process information for whatever tries to go out.
Example of ...
0 votes, 0 answers, 38 views
How to Allow all NATed traffic from iptables firewall via pfsense (gateway)
I have an iptables firewall (machine 1) and a CentOS 7 based gateway (machine 2), which has 2 interfaces: (machine-2:int-1) from WAN [/30] and (machine-2:int-2) is LAN [/28], one of the static IP ...
2 votes, 1 answer, 255 views
Tracing iptables Rules
I'm just beginning to dig into iptables for the first time today, so apologies for any naivete.
For reference, I'm using
Ubuntu 22.04.4 LTS (Jammy Jellyfish)
iptables v1.8.7 (nf_tables)
ufw 0.36.1
...
0 votes, 1 answer, 86 views
Why aren't my ipset counters incremented?
I'm trying to configure a firewall (using iptables on a Docker host) that allows inbound HTTP and HTTPS from everywhere, SSH from a certain set of IPs and no other incoming connections. I liked what I ...
3 votes, 1 answer, 85 views
Which is My Static IPv6 Interface Identifier?
I've been accustomed to IPv4 for so long and I'm really unfamiliar with IPv6.
I recently wanted to add a firewall rule to my OpenWRT router to allow inbound IPv6 connection to a certain port of my ...
0 votes, 0 answers, 189 views
nftables rules apparently blocking ssh traffic - could it be special characters?
I have a set of nftables rules of the following form:
chain INPUT {
type filter hook input priority filter; policy drop;
ip saddr 11.37.79.97/29 counter packets 0 bytes 0 log prefix ...
0 votes, 1 answer, 116 views
Install apache, php and mysql on Ubuntu 22.04 toolbox
I would like to install apache, php and mysql on Ubuntu 22.04 toolbox which is running in a Fedora 39 desktop VM.
I am following the step-by-step instructions provided in this link, but it seems to have some ...
0 votes, 1 answer, 182 views
What configuration is blocking local ssh connections to my server?
So I recently bought a Raspberry Pi to work on a small passion project with the RetroPie Debian-based image.
I am now at the stage where I want to completely shield the server only allowing specific ...
1 vote, 1 answer, 714 views
nftables - multicast packets not matched
I've set up a rule to match multicast packets as follows:
add rule filter_4 new_out_4 meta pkttype multicast goto multicast_out_4
filter_4 is the IPv4 table, new_out_4 is the output chain and multicast_out_4 ...
1 vote, 1 answer, 34 views
iptables rule not working as expected
I cannot get this one rule working right.
My interfaces:
#WAN
auto wan0
iface wan0 inet dhcp
#LAN
auto lan0.7
iface lan0.7 inet static
address 172.17.7.1
netmask 255.255.255.0
vlan-raw-...
0 votes, 0 answers, 338 views
Wireguard client incoming packets drop
I have a home server running Ubuntu Server. I'm running some services on docker which need a VPN client for anonymity. The wireguard client runs as a standalone application. I'm running traefik to ...
2 votes, 1 answer, 116 views
arptables not working with nmap
I'm trying to implement a way to prevent network scans from my notebook. One of the things I want is to allow ARP requests to specific hosts, like my gateway.
I added some rules using arptables and ...
0 votes, 0 answers, 110 views
Kafka with KRaft - what is listening on the random high port?
I'm in the process of writing some ansible to install Kafka on RHEL and I've got the service running and am about to configure the firewall to make the service accessible on the network.
When I look ...
0 votes, 0 answers, 39 views
Many UFW BLOCKs per minute from numerous ports and numerous IP addresses
My syslog is flooded with numerous attacks of some sort coming from multiple sources.
I looked at all the other references in the search feature but none addressed TCP and from numerous sources.
Feb 16 ...
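The kernel lines behind the `[UFW BLOCK]` entries in this question and in the "Journalctl UFW Error" question above, and the `LogDenied` lines in the "Red Hat 8 - Decoding firewalld rejects" question, all have the same netfilter LOG layout: a prefix, then `IN= OUT= MAC= SRC= DST= ... PROTO= SPT= DPT=` key=value fields plus bare TCP flags such as `SYN`. The parser below is an added example (not from any of the questions, not ufw's or firewalld's code) that turns those lines into records and summarises denied traffic per source address and destination port, which is the first thing to look at when a log is flooded: one source hitting many distinct ports is the shape of a scan, while SMB/NetBIOS (137-139, 445) and mDNS (5353) from LAN hosts is normally Windows or Bonjour discovery chatter rather than an attack. The log lines are constructed; the `FINAL_REJECT:` prefix is assumed to be what firewalld's `LogDenied` setting produces.

```python
"""Parse netfilter LOG lines from UFW / firewalld and summarise blocks (added example)."""
import re
from collections import Counter

# Constructed sample: four UFW blocks, one firewalld reject, one unrelated line.
SAMPLE_LOG = """\
Jul 14 03:52:03 abysslocal kernel: [532579.389726] [UFW BLOCK] IN=enp9s0 OUT= MAC=08:62:66:26:28:c6:04:f4:d8:09:9e:88:08:00 SRC=192.168.4.37 DST=192.168.4.9 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=64656 DF PROTO=TCP SPT=49732 DPT=445 WINDOW=64240 RES=0x00 SYN URGP=0
Jul 14 03:52:04 abysslocal kernel: [532580.101002] [UFW BLOCK] IN=enp9s0 OUT= MAC=08:62:66:26:28:c6:04:f4:d8:09:9e:88:08:00 SRC=192.168.4.37 DST=192.168.4.9 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=64657 DF PROTO=TCP SPT=49733 DPT=139 WINDOW=64240 RES=0x00 SYN URGP=0
Jul 14 03:52:05 abysslocal kernel: [532581.220011] [UFW BLOCK] IN=enp9s0 OUT= MAC=08:62:66:26:28:c6:04:f4:d8:09:9e:88:08:00 SRC=192.168.4.37 DST=224.0.0.251 LEN=60 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=40
Jul 14 03:52:06 abysslocal kernel: [532582.330022] [UFW BLOCK] IN=enp9s0 OUT= MAC=08:62:66:26:28:c6:04:f4:d8:09:9e:88:08:00 SRC=203.0.113.8 DST=192.168.4.9 LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=54321 PROTO=TCP SPT=40000 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jul 14 03:52:07 rhel8host kernel: FINAL_REJECT: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=203.0.113.8 DST=10.0.0.4 LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=54322 PROTO=TCP SPT=40001 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0
Jul 14 03:52:08 abysslocal sshd[1234]: Accepted publickey for admin from 192.168.4.20 port 51000 ssh2
"""

# UFW: "[UFW BLOCK] IN=..."; firewalld LogDenied: "FINAL_REJECT: IN=..." (assumed prefix).
LOG_RE = re.compile(r"(?:\[UFW (?P<ufw>[A-Z]+)\]|(?P<fw>[A-Z_]+):)\s+(?P<fields>IN=.*)$")
DENY_ACTIONS = {"BLOCK", "FINAL_REJECT"}


def parse_log_line(line):
    """Return {'action': ..., 'IN': ..., 'SRC': ..., 'SYN': True, ...} or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = {"action": m.group("ufw") or m.group("fw")}
    for tok in m.group("fields").split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            rec.setdefault(key, val)  # UDP lines carry LEN twice; keep the IP total length
        else:
            rec[tok] = True           # bare flags: DF, SYN, ACK, ...
    return rec


def summarize_blocks(lines, scan_threshold=2):
    """Count denied packets per source and list sources that probed several distinct ports."""
    per_source = Counter()
    ports_by_source = {}
    for line in lines:
        rec = parse_log_line(line)
        if rec is None or rec["action"] not in DENY_ACTIONS:
            continue
        src = rec.get("SRC", "?")
        per_source[src] += 1
        ports_by_source.setdefault(src, set()).add((rec.get("PROTO", ""), rec.get("DPT", "")))
    suspects = {s: sorted(p) for s, p in ports_by_source.items() if len(p) >= scan_threshold}
    return per_source, suspects


if __name__ == "__main__":
    counts, suspects = summarize_blocks(SAMPLE_LOG.splitlines())
    for src, n in counts.most_common():
        print(f"{src:>16} {n:>4} denied  ports: {suspects.get(src, '-')}")
```

Feed it `journalctl -k` or `/var/log/ufw.log` (UFW) and `journalctl -k` on the RHEL host; whatever `IN=` names is the interface the packet arrived on, so a blocked `DST=` that is your own address with a LAN `SRC=` is a neighbour probing or broadcasting, and a public `SRC=` hitting 22, 445 or 3389 is Internet background noise that the firewall is doing its job on.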
0 votes, 1 answer, 201 views
Matching DSCP portion of ToS or traffic class byte using ebtables
Is it possible to match only the DSCP portion of the IPv4 ToS or IPv6 traffic class byte using ebtables? I see that ebtables has the --ip-tos match option for IPv4 packets and the --ip6-class match ...
2 votes, 2 answers, 757 views
nftables how to temporarily allow a port(s) for an application
I am using Warpinator on my android phone to transfer files between my linux machines and my mobile phone.
The application uses port 42001 for the initial connection, and 42000 for data transfer. I ...
0 votes, 0 answers, 76 views
Gufw and firewall malfunctioning?
I keep adding IP addresses to the built-in Linux Mint "firewall" program (which is "Gufw" relabeled "firewall") and it worked for a while ... but now it doesn't look like ...
0 votes, 1 answer, 177 views
Iptables: order of redirect and input-filter
I will filter inbound traffic with iptables.
I have 2 goals.
a) Allow HTTPS inbound at port 443.
b) Redirect port 443 to process listening port on 9443.
Not sure about the processing of those 2 rules....
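A model of the netfilter hook order, added here as an example and not part of the question: nat PREROUTING (where REDIRECT lives) runs before the routing decision and before filter INPUT, so by the time INPUT sees a packet that was redirected from 443 its destination port is already 9443. An INPUT rule that accepts `--dport 443` therefore never matches that traffic. The model keeps the pre-NAT port as the connection's "original" destination, which is what `-m conntrack --ctorigdstport 443` tests, so it shows the difference between accepting 9443 outright (which also opens 9443 to direct connections) and accepting only the redirected flow. The rule matching is a simplified first-match evaluator written for this example, not iptables itself; the iptables commands in the comments are the ones each rule set stands for.

```python
"""Netfilter hook order for REDIRECT + INPUT (added example, simplified model)."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    proto: str
    dport: int
    ct_orig_dport: int   # conntrack's record of the destination port before NAT


def nat_prerouting(pkt, redirects):
    """-t nat PREROUTING ... -j REDIRECT --to-ports N: rewrites dport before filter INPUT."""
    new_port = redirects.get((pkt.proto, pkt.dport))
    return pkt if new_port is None else replace(pkt, dport=new_port)


def filter_input(pkt, rules, policy="DROP"):
    """filter INPUT: rules are (match, verdict) pairs, first match wins, else chain policy."""
    for match, verdict in rules:
        if match(pkt):
            return verdict
    return policy


def traverse(pkt, redirects, rules):
    """Inbound path for a locally delivered packet: nat PREROUTING, then filter INPUT."""
    return filter_input(nat_prerouting(pkt, redirects), rules)


# iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 9443
REDIRECTS = {("tcp", 443): 9443}

# iptables -A INPUT -p tcp --dport 443 -j ACCEPT   (never sees redirected packets)
RULES_PRE_NAT_PORT = [(lambda p: p.proto == "tcp" and p.dport == 443, "ACCEPT")]

# iptables -A INPUT -p tcp --dport 9443 -j ACCEPT  (works, but also admits direct 9443)
RULES_POST_NAT_PORT = [(lambda p: p.proto == "tcp" and p.dport == 9443, "ACCEPT")]

# iptables -A INPUT -p tcp -m conntrack --ctstate DNAT --ctorigdstport 443 -j ACCEPT
# (only the flows that were actually redirected from 443)
RULES_CTORIG = [(lambda p: p.proto == "tcp" and p.dport == 9443
                 and p.ct_orig_dport == 443, "ACCEPT")]


def evaluate(pkt):
    """Verdict of each INPUT rule set for one packet, keyed by rule-set name."""
    return {
        "pre_nat_port": traverse(pkt, REDIRECTS, RULES_PRE_NAT_PORT),
        "post_nat_port": traverse(pkt, REDIRECTS, RULES_POST_NAT_PORT),
        "ctorig": traverse(pkt, REDIRECTS, RULES_CTORIG),
    }


if __name__ == "__main__":
    https_client = Packet("tcp", 443, 443)    # client connected to :443, gets redirected
    direct_9443 = Packet("tcp", 9443, 9443)   # client connected straight to :9443
    print("to 443 :", evaluate(https_client))
    print("to 9443:", evaluate(direct_9443))
```

Of the three, the conntrack form is the least-privilege one: the service on 9443 is reachable only through the redirect, so 9443 itself is not exposed. If you prefer to keep the plain `--dport 9443` rule, add a `--dport 9443 ... -m conntrack ! --ctstate DNAT -j DROP` ahead of it, or bind the service to 127.0.0.1 and redirect there (which then needs `route_localnet`).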
0 votes, 0 answers, 26 views
How to access a Kubernetes pod from outside using Proxmox (virtualisation solution)
I have a Proxmox host (@ip=231.25.36.12); inside it I have installed a Kubernetes cluster. This cluster consists of 3 VMs (these VMs are not routable, I mean they are accessible just from the Proxmox node, they ...
0 votes, 1 answer, 142 views
Knockd not executing the knock command
I am trying to setup knock daemon, however it does not seem to execute the knock command. To debug the issue, I used this simple configuration, which is slightly edited example from the documentation:
...
1 vote, 0 answers, 135 views
Can't ping external sites in Linux guest that already has internet access
I have an Ubuntu 20.10 guest and an Ubuntu 20.04 host and other devices on my LOCAL network, but for some reason the guest can't ping websites (e.g. ping google.com). What's interesting is that I have ...
0 votes, 1 answer, 250 views
How to exclude dnsmasq used by libvirt from Mullvad VPN's "local network sharing" block
I don't use the local network except dnsmasq for libvirt. With the local network blocked, I have no DNS on my VM. For that reason I want to exclude dnsmasq from the local network sharing block with split ...
1 vote, 1 answer, 390 views
How to flush the nft flowtable hash of active connections?
I have flowtable offloading working just perfect on my router. Sometimes I want to block some ongoing traffic, being handled via the flowtable. If I add a new blocking rule to the regular routing ...
0 votes, 0 answers, 538 views
I am unable to access my HTTP NGINX server over LAN
I have allowed the port in ufw and have the following configuration:
server {
listen 0.0.0.0:8000 default_server;
server_name _;
index index.html;
access_log /var/log/nginx/html....
0 votes, 2 answers, 835 views
Load iptables or nftables rules as fast as possible during boot and before the network interfaces are brought online
I rely on my specific service to load iptables rules at startup in my Debian installation; this service calls
iptables-restore my_rules.v4
ip6tables-restore my_rules.v6
and runs some other scripts
...