1 (edited by artur5236 2019-01-24 15:54:57)

Topic: Firewall - problem with a rule blocking WAN

Hi,

I have a strange problem with the firewall.

I added a rule

config rule
        option src 'vlan7'
        option proto 'tcpudp'
        option name 'reject-vlan7-wan'
        option target 'REJECT'
        option dest 'wan'
config zone
        option name 'vlan7'
        option network 'vlan7'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

I wanted to block access to the WAN from the vlan7 zone, and despite the above entry in /etc/config/firewall I still have WAN access while in vlan7.
Can you suggest how to diagnose this problem?

2

Re: Firewall - problem with a rule blocking WAN

You have forward set to REJECT, so it shouldn't work anyway. Look at the firewall rules to see whether they were created, look at the counters to see whether they increase. If not, set up tcpdump and capture that traffic, see what actually goes out and where.

Got a router you don't need, broken or not - I'll gladly take it in.

3 (edited by artur5236 2019-01-24 19:09:39)

Re: Firewall - problem with a rule blocking WAN

Cezary, I also had this in /etc/config/firewall

config forwarding
        option src 'vlan7'
        option dest 'wan'

And when I removed the above, traffic to the WAN became unreachable.

In iptables it looks like the rules are being added

Chain zone_vlan7_dest_ACCEPT (4 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             /* !fw3 */

Chain zone_vlan7_forward (1 references)
target     prot opt source               destination
forwarding_vlan7_rule  all  --  anywhere             anywhere             /* !fw3: user chain for forwarding */
zone_wan_dest_REJECT  tcp  --  anywhere             anywhere             /* !fw3: reject-vlan7-wan */
zone_wan_dest_REJECT  udp  --  anywhere             anywhere             /* !fw3: reject-vlan7-wan */
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT /* !fw3: Accept port forwards */
zone_vlan7_dest_ACCEPT  all  --  anywhere             anywhere             /* !fw3 */

Chain zone_vlan7_input (1 references)
target     prot opt source               destination
input_vlan7_rule  all  --  anywhere             anywhere             /* !fw3: user chain for input */
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT /* !fw3: Accept port redirections */
zone_vlan7_src_ACCEPT  all  --  anywhere             anywhere             /* !fw3 */

Chain zone_vlan7_output (1 references)
target     prot opt source               destination
output_vlan7_rule  all  --  anywhere             anywhere             /* !fw3: user chain for output */
zone_vlan7_dest_ACCEPT  all  --  anywhere             anywhere             /* !fw3 */

Chain zone_vlan7_src_ACCEPT (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             ctstate NEW,UNTRACKED /* !fw3 */

Could I also ask where to check those counters?

4

Re: Firewall - problem with a rule blocking WAN

iptables -v -L

why do you allow vlan<>wan and then block it?

5

Re: Firewall - problem with a rule blocking WAN

Ultimately I'd like only one host from vlan7 to have WAN access, so I have to allow it and then block the remaining hosts.

I checked the counters and they are 0, so the traffic doesn't go through this rule at all.

6

Re: Firewall - problem with a rule blocking WAN

As a test I also made a rule blocking a single IP from the LAN, and it doesn't work either.

config rule
        option enabled '1'
        option src 'lan'
        option dest 'wan'
        option name 'reject-test-lan'
        option src_ip '192.168.5.108'
        option target 'REJECT'

Can anyone tell me what's going on?

7

Re: Firewall - problem with a rule blocking WAN

Silly question, but did you reboot?
In my case the FW didn't block anything until a restart (the first time after installing openwrt).

8

Re: Firewall - problem with a rule blocking WAN

Surely /etc/init.d/firewall restart is enough

9

Re: Firewall - problem with a rule blocking WAN

Yes, I did. Other changes get saved, the rule gets added to iptables, but it doesn't block traffic.

10

Re: Firewall - problem with a rule blocking WAN

So are you sure it goes out with the address 192.168.5.108? Set up tcpdump and see.

PS And do you even have a "wan"?

11 (edited by artur5236 2019-01-27 11:43:25)

Re: Firewall - problem with a rule blocking WAN

I installed tcpdump on the router.
On host 192.168.5.108 I ran a ping to 8.8.8.8, and as you can see tcpdump caught that traffic:
[screenshot of tcpdump output]

Yes, I do have 'wan' :)

config interface 'wan'
        option ifname 'eth0.2'
        option _orig_ifname 'eth0.2'
        option _orig_bridge 'false'
        option proto 'static'
        option ipaddr '192.168.0.9'
        option netmask '255.255.255.0'
        option gateway '192.168.0.1'
        option dns '62.179.1.62 62.179.1.63'

12

Re: Firewall - problem with a rule blocking WAN

Show the whole uci show network

13 (edited by artur5236 2019-01-27 11:48:15)

Re: Firewall - problem with a rule blocking WAN

Here you go:
Apart from the LAN (192.168.5.0/24) I also have an additional subnet 192.168.10.0/24 on vlan7

root@OpenWrt:~# uci show network
network.loopback=interface
network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fdef:c78e:e737::/48'
network.lan=interface
network.lan.type='bridge'
network.lan.ifname='eth0.1'
network.lan.proto='static'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.lan.ipaddr='192.168.5.1'
network.lan_dev=device
network.lan_dev.name='eth0.1'
network.lan_dev.macaddr='78:11:dc:42:b5:f8'
network.wan=interface
network.wan.ifname='eth0.2'
network.wan._orig_ifname='eth0.2'
network.wan._orig_bridge='false'
network.wan.proto='static'
network.wan.ipaddr='192.168.0.9'
network.wan.netmask='255.255.255.0'
network.wan.gateway='192.168.0.1'
network.wan.dns='62.179.1.62 62.179.1.63'
network.vlan7=interface
network.vlan7.proto='static'
network.vlan7.netmask='255.255.255.0'
network.vlan7.ifname='eth0.7'
network.vlan7.ipaddr='192.168.10.1'
network.wan6=interface
network.wan6.ifname='eth0.2'
network.wan6.proto='dhcpv6'
network.@switch[0]=switch
network.@switch[0].name='switch0'
network.@switch[0].reset='1'
network.@switch[0].enable_vlan='1'
network.@switch_vlan[0]=switch_vlan
network.@switch_vlan[0].device='switch0'
network.@switch_vlan[0].vlan='1'
network.@switch_vlan[0].ports='2 3 6t'
network.@switch_vlan[1]=switch_vlan
network.@switch_vlan[1].device='switch0'
network.@switch_vlan[1].vlan='2'
network.@switch_vlan[1].ports='1 6t'
network.@switch_vlan[2]=switch_vlan
network.@switch_vlan[2].device='switch0'
network.@switch_vlan[2].vlan='7'
network.@switch_vlan[2].ports='2t 6t'
network.vpn=interface
network.vpn.ifname='tun0'
network.vpn.proto='none'

14

Re: Firewall - problem with a rule blocking WAN

Now show the whole iptables -v -L

15

Re: Firewall - problem with a rule blocking WAN

root@OpenWrt:~# iptables -v -L
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   34  3954 ACCEPT     all  --  lo     any     anywhere             anywhere             /* !fw3 */
 1936  260K input_rule  all  --  any    any     anywhere             anywhere             /* !fw3: user chain for input */
 1192  200K ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED /* !fw3 */
   60  2656 syn_flood  tcp  --  any    any     anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/SYN /* !fw3 */
  502 35689 zone_lan_input  all  --  br-lan any     anywhere             anywhere             /* !fw3 */
   83  5072 zone_wan_input  all  --  eth0.2 any     anywhere             anywhere             /* !fw3 */
   27  1877 zone_vpn_input  all  --  tun0   any     anywhere             anywhere             /* !fw3 */
  132 17266 zone_vlan7_input  all  --  eth0.7 any     anywhere             anywhere             /* !fw3 */

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 240K  228M forwarding_rule  all  --  any    any     anywhere             anywhere             /* !fw3: user chain for forwarding */
 239K  228M ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED /* !fw3 */
  744 93954 zone_vpn_dest_ACCEPT  all  --  any    any     anywhere             anywhere             /* !fw3: forwarding * -> vpn */
  741 93639 zone_vlan7_dest_ACCEPT  all  --  any    any     anywhere             anywhere             /* !fw3: forwarding * -> vlan7 */
  724 90339 zone_lan_dest_ACCEPT  all  --  any    any     anywhere             anywhere             /* !fw3: forwarding * -> lan */
  537 80619 zone_vlan7_dest_ACCEPT  all  --  any    any     anywhere             anywhere             /* !fw3: forwarding * -> vlan7 */
  537 80619 zone_vpn_dest_ACCEPT  all  --  any    any     anywhere             anywhere             /* !fw3: forwarding * -> vpn */
  537 80619 zone_lan_forward  all  --  br-lan any     anywhere             anywhere             /* !fw3 */
    0     0 zone_wan_forward  all  --  eth0.2 any     anywhere             anywhere             /* !fw3 */
    0     0 zone_vpn_forward  all  --  tun0   any     anywhere             anywhere             /* !fw3 */
    0     0 zone_vlan7_forward  all  --  eth0.7 any     anywhere             anywhere             /* !fw3 */
    0     0 reject     all  --  any    any     anywhere             anywhere             /* !fw3 */

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   34  3954 ACCEPT     all  --  any    lo      anywhere             anywhere             /* !fw3 */
 1499  208K output_rule  all  --  any    any     anywhere             anywhere             /* !fw3: user chain for output */
  912  167K ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED /* !fw3 */
    0     0 zone_lan_output  all  --  any    br-lan  anywhere             anywhere             /* !fw3 */
  557 37573 zone_wan_output  all  --  any    eth0.2  anywhere             anywhere             /* !fw3 */
    0     0 zone_vpn_output  all  --  any    tun0    anywhere             anywhere             /* !fw3 */
   30  2850 zone_vlan7_output  all  --  any    eth0.7  anywhere             anywhere             /* !fw3 */

Chain forwarding_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain forwarding_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  ppp+   any     anywhere             anywhere
    0     0 ACCEPT     all  --  any    ppp+    anywhere             anywhere

Chain forwarding_vlan7_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain forwarding_vpn_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain forwarding_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain input_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain input_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain input_vlan7_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain input_vpn_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain input_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain output_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain output_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain output_vlan7_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain output_vpn_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain output_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain reject (3 references)
 pkts bytes target     prot opt in     out     source               destination
   62  2724 REJECT     tcp  --  any    any     anywhere             anywhere             /* !fw3 */ reject-with tcp-reset
   20  2306 REJECT     all  --  any    any     anywhere             anywhere             /* !fw3 */ reject-with icmp-port-unreachable

Chain syn_flood (1 references)
 pkts bytes target     prot opt in     out     source               destination
   60  2656 RETURN     tcp  --  any    any     anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 25/sec burst 50 /* !fw3 */
    0     0 DROP       all  --  any    any     anywhere             anywhere             /* !fw3 */

Chain zone_lan_dest_ACCEPT (8 references)
 pkts bytes target     prot opt in     out     source               destination
  187  9720 ACCEPT     all  --  any    br-lan  anywhere             anywhere             /* !fw3 */

Chain zone_lan_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
  537 80619 forwarding_lan_rule  all  --  any    any     anywhere             anywhere             /* !fw3: user chain for forwarding */
    0     0 zone_wan_dest_REJECT  tcp  --  any    any     WIN10-ELM001.lan     anywhere             /* !fw3: reject-test-lan */
    0     0 zone_wan_dest_REJECT  udp  --  any    any     WIN10-ELM001.lan     anywhere             /* !fw3: reject-test-lan */
  537 80619 zone_wan_dest_ACCEPT  all  --  any    any     anywhere             anywhere             /* !fw3: forwarding lan -> wan */
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate DNAT /* !fw3: Accept port forwards */
    0     0 zone_lan_dest_ACCEPT  all  --  any    any     anywhere             anywhere             /* !fw3 */

Chain zone_lan_input (1 references)
 pkts bytes target     prot opt in     out     source               destination
  502 35689 input_lan_rule  all  --  any    any     anywhere             anywhere             /* !fw3: user chain for input */
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate DNAT /* !fw3: Accept port redirections */
  502 35689 zone_lan_src_ACCEPT  all  --  any    any     anywhere             anywhere             /* !fw3 */

Chain zone_lan_output (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 output_lan_rule  all  --  any    any     anywhere             anywhere             /* !fw3: user chain for output */
    0     0 zone_lan_dest_ACCEPT  all  --  any    any     anywhere             anywhere             /* !fw3 */

Chain zone_lan_src_ACCEPT (1 references)
 pkts bytes target     prot opt in     out     source               destination
  502 35689 ACCEPT     all  --  br-lan any     anywhere             anywhere             ctstate NEW,UNTRACKED /* !fw3 */

Chain zone_vlan7_dest_ACCEPT (4 references)
 pkts bytes target     prot opt in     out     source               destination
   47  6150 ACCEPT     all  --  any    eth0.7  anywhere             anywhere             /* !fw3 */

Chain zone_vlan7_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 forwarding_vlan7_rule  all  --  any    any     anywhere             anywhere             /* !fw3: user chain for forwarding */
    0     0 zone_wan_dest_REJECT  tcp  --  any    any     anywhere             anywhere             /* !fw3: reject-vlan7-wan */
    0     0 zone_wan_dest_REJECT  udp  --  any    any     anywhere             anywhere             /* !fw3: reject-vlan7-wan */
    0     0 zone_wan_dest_ACCEPT  all  --  any    any     anywhere             anywhere             /* !fw3: forwarding vlan7 -> wan */
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate DNAT /* !fw3: Accept port forwards */
    0     0 zone_vlan7_dest_ACCEPT  all  --  any    any     anywhere             anywhere             /* !fw3 */

Chain zone_vlan7_input (1 references)
 pkts bytes target     prot opt in     out     source               destination
  132 17266 input_vlan7_rule  all  --  any    any     anywhere             anywhere             /* !fw3: user chain for input */
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate DNAT /* !fw3: Accept port redirections */
  132 17266 zone_vlan7_src_ACCEPT  all  --  any    any     anywhere             anywhere             /* !fw3 */

Chain zone_vlan7_output (1 references)
 pkts bytes target     prot opt in     out     source               destination
   30  2850 output_vlan7_rule  all  --  any    any     anywhere             anywhere             /* !fw3: user chain for output */
   30  2850 zone_vlan7_dest_ACCEPT  all  --  any    any     anywhere             anywhere             /* !fw3 */

Chain zone_vlan7_src_ACCEPT (1 references)
 pkts bytes target     prot opt in     out     source               destination
  132 17266 ACCEPT     all  --  eth0.7 any     anywhere             anywhere             ctstate NEW,UNTRACKED /* !fw3 */

Chain zone_vpn_dest_ACCEPT (4 references)
 pkts bytes target     prot opt in     out     source               destination
    3   315 ACCEPT     all  --  any    tun0    anywhere             anywhere             /* !fw3 */

Chain zone_vpn_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 forwarding_vpn_rule  all  --  any    any     anywhere             anywhere             /* !fw3: user chain for forwarding */
    0     0 zone_wan_dest_ACCEPT  all  --  any    any     anywhere             anywhere             /* !fw3: forwarding vpn -> wan */
    0     0 zone_lan_dest_ACCEPT  all  --  any    any     anywhere             anywhere             /* !fw3: forwarding vpn -> lan */
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate DNAT /* !fw3: Accept port forwards */
    0     0 zone_vpn_dest_ACCEPT  all  --  any    any     anywhere             anywhere             /* !fw3 */

Chain zone_vpn_input (1 references)
 pkts bytes target     prot opt in     out     source               destination
   27  1877 input_vpn_rule  all  --  any    any     anywhere             anywhere             /* !fw3: user chain for input */
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate DNAT /* !fw3: Accept port redirections */
   27  1877 zone_vpn_src_ACCEPT  all  --  any    any     anywhere             anywhere             /* !fw3 */

Chain zone_vpn_output (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 output_vpn_rule  all  --  any    any     anywhere             anywhere             /* !fw3: user chain for output */
    0     0 zone_vpn_dest_ACCEPT  all  --  any    any     anywhere             anywhere             /* !fw3 */

Chain zone_vpn_src_ACCEPT (1 references)
 pkts bytes target     prot opt in     out     source               destination
   27  1877 ACCEPT     all  --  tun0   any     anywhere             anywhere             ctstate NEW,UNTRACKED /* !fw3 */

Chain zone_wan_dest_ACCEPT (4 references)
 pkts bytes target     prot opt in     out     source               destination
   51  2148 DROP       all  --  any    eth0.2  anywhere             anywhere             ctstate INVALID /* !fw3: Prevent NAT leakage */
 1043  116K ACCEPT     all  --  any    eth0.2  anywhere             anywhere             /* !fw3 */

Chain zone_wan_dest_REJECT (5 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 reject     all  --  any    eth0.2  anywhere             anywhere             /* !fw3 */

Chain zone_wan_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 forwarding_wan_rule  all  --  any    any     anywhere             anywhere             /* !fw3: user chain for forwarding */
    0     0 zone_lan_dest_ACCEPT  esp  --  any    any     anywhere             anywhere             /* !fw3: Allow-IPSec-ESP */
    0     0 zone_lan_dest_ACCEPT  udp  --  any    any     anywhere             anywhere             udp dpt:isakmp /* !fw3: Allow-ISAKMP */
    0     0 zone_lan_dest_ACCEPT  tcp  --  any    any     anywhere             anywhere             tcp dpt:1723 /* !fw3: @rule[10] */
    0     0 zone_lan_dest_ACCEPT  udp  --  any    any     anywhere             anywhere             udp dpt:1723 /* !fw3: @rule[10] */
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate DNAT /* !fw3: Accept port forwards */
    0     0 zone_wan_dest_REJECT  all  --  any    any     anywhere             anywhere             /* !fw3 */

Chain zone_wan_input (1 references)
 pkts bytes target     prot opt in     out     source               destination
   83  5072 input_wan_rule  all  --  any    any     anywhere             anywhere             /* !fw3: user chain for input */
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere             udp dpt:bootpc /* !fw3: Allow-DHCP-Renew */
    0     0 ACCEPT     igmp --  any    any     anywhere             anywhere             /* !fw3: Allow-IGMP */
    1    42 ACCEPT     udp  --  any    any     anywhere             anywhere             udp dpt:5236 /* !fw3: OpenVPN */
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate DNAT /* !fw3: Accept port redirections */
   82  5030 zone_wan_src_REJECT  all  --  any    any     anywhere             anywhere             /* !fw3 */

Chain zone_wan_output (1 references)
 pkts bytes target     prot opt in     out     source               destination
  557 37573 output_wan_rule  all  --  any    any     anywhere             anywhere             /* !fw3: user chain for output */
  557 37573 zone_wan_dest_ACCEPT  all  --  any    any     anywhere             anywhere             /* !fw3 */

Chain zone_wan_src_REJECT (1 references)
 pkts bytes target     prot opt in     out     source               destination
   82  5030 reject     all  --  eth0.2 any     anywhere             anywhere             /* !fw3 */

16

Re: Firewall - problem with a rule blocking WAN

Yeah, except you're blocking tcp and udp and testing with icmp....

Add option proto all to your rule.
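A small diagnostic for the two checks raised in this thread (the zero counters in posts 4 and 5, and the protocol mismatch in post 16), added here as an example and not code from the thread or from OpenWrt: it parses `iptables -v -L` output, finds the fw3 rule by its comment name and reports whether the rule's protocols even cover the protocol used for the test. The sample input is the zone_vlan7_forward chain copied from post 15; the function names are my own.

```python
import re

# Sample input: the zone_vlan7_forward chain copied from the `iptables -v -L`
# output posted in this thread (post 15).
SAMPLE = """\
Chain zone_vlan7_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 forwarding_vlan7_rule  all  --  any    any     anywhere             anywhere             /* !fw3: user chain for forwarding */
    0     0 zone_wan_dest_REJECT  tcp  --  any    any     anywhere             anywhere             /* !fw3: reject-vlan7-wan */
    0     0 zone_wan_dest_REJECT  udp  --  any    any     anywhere             anywhere             /* !fw3: reject-vlan7-wan */
    0     0 zone_wan_dest_ACCEPT  all  --  any    any     anywhere             anywhere             /* !fw3: forwarding vlan7 -> wan */
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate DNAT /* !fw3: Accept port forwards */
    0     0 zone_vlan7_dest_ACCEPT  all  --  any    any     anywhere             anywhere             /* !fw3 */
"""

# pkts bytes target prot opt in out source destination [matches] [/* comment */]
RULE_RE = re.compile(
    r"^\s*(\d+[KMG]?)\s+(\d+[KMG]?)\s+(\S+)\s+(\S+)\s+\S+\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*)$"
)
COMMENT_RE = re.compile(r"/\* !fw3: (.*?) \*/")

def count(s):
    """Turn iptables' abbreviated counters ('240K', '228M') into integers."""
    mult = {"K": 10**3, "M": 10**6, "G": 10**9}
    return int(s[:-1]) * mult[s[-1]] if s[-1] in mult else int(s)

def parse_chains(text):
    """Return {chain_name: [rule dicts]} from `iptables -v -L` output."""
    chains, current = {}, None
    for line in text.splitlines():
        if line.startswith("Chain "):
            current = line.split()[1]
            chains[current] = []
            continue
        m = RULE_RE.match(line) if current else None
        if not m:
            continue  # column header, blank line or something unexpected
        pkts, _, target, proto, _in, _out, _src, _dst, rest = m.groups()
        c = COMMENT_RE.search(rest)
        chains[current].append({
            "chain": current, "pkts": count(pkts), "target": target,
            "proto": proto, "comment": c.group(1) if c else "",
        })
    return chains

def diagnose(text, rule_name, test_proto):
    """Explain why a named fw3 rule shows no effect for traffic of test_proto.

    Returns (status, detail); status is 'missing', 'proto_mismatch',
    'no_hits' or 'hits'.
    """
    rules = [r for rs in parse_chains(text).values() for r in rs
             if r["comment"] == rule_name]
    if not rules:
        return "missing", "no iptables rule carries the comment %r" % rule_name
    protos = sorted({r["proto"] for r in rules})
    if not any(p in ("all", test_proto) for p in protos):
        return "proto_mismatch", "rule matches only %s, so %s test traffic can never hit it" % (
            "/".join(protos), test_proto)
    if all(r["pkts"] == 0 for r in rules):
        return "no_hits", "rule covers %s but its counters are 0; traffic takes another path" % test_proto
    return "hits", "rule has matched %d packets" % sum(r["pkts"] for r in rules)

if __name__ == "__main__":
    # The situation in the thread: the rule blocks tcp/udp, the test was a ping.
    print(diagnose(SAMPLE, "reject-vlan7-wan", "icmp"))
    print(diagnose(SAMPLE, "reject-vlan7-wan", "tcp"))
```

Run it against `iptables -v -L` captured from the router; a `proto_mismatch` result means the test itself is wrong, while `no_hits` means the packets really are bypassing the rule.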

17

Re: Firewall - problem with a rule blocking WAN

What a blunder, you're right.

Thanks for the help, Cezary