Hi,
I’ve just finished configuring Nethserver as Gateway, DNS, DHCP, MultiWan etc… I’m literally in love with it, so simple that even one like me, without any special skills in linux, is able to get astonishing results: thank you all.
Anyway, today I was inspecting the server’s logs and I was frightened to discover that some internet IPs are brute forcing SSH and other services!
Frankly, I thought that out of the box there should have been some kind of firewall rules preventing any kind of traffic toward public IPs (red network).
So, I’ve tried to set up a simple rule:
Source: Any
Destination: Public IP
Action: Drop
Sadly, it was not effective: I was still able to ssh to the server from the internet.
As a quick workaround, I’ve changed sshd.conf.
Here comes the question: can I create a firewall rule to deny any kind of traffic (except OpenVPN) toward our public IPs? Could anyone please provide a quick explanation about how to do it?
In NS7 individual network services can be restricted by zone, from Security -> Network services (or from Gateway -> Firewall rules when the basic firewall module is installed).
Ping from the Red zone can be disabled from Gateway -> Firewall rules -> Configure (in the dropdown menu), but it will make future network troubleshooting difficult.
A rule to block all external traffic might look like this:
Source: Red, Destination: Firewall, Action: Drop
To allow only OpenVPN, create a rule above the other one:
Stacking order matters:
Be aware I’m not good at this so there could be better ways to do it. A good starting point is to follow @fasttech’s advice (sorry, didn’t notice your post while writing this), cherry-picking the access to network services.
The firewall zone represents the firewall itself (NethServer), therefore rules applied to it will affect its network traffic, like the access to the services it is providing (ssh, httpd, vpn, et cetera).
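To show why the stacking order of the two rules above matters (the Red -> Firewall drop, and the OpenVPN allow placed above it), here is a small first-match rule evaluator written for this thread. It is not NethServer or Shorewall code; the zone names, the "accept" default for services that were reachable before, and OpenVPN on udp/1194 are assumptions used only for the simulation.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Service = Tuple[str, int]  # (protocol, port)

@dataclass(frozen=True)
class Rule:
    source: str                      # zone name ("red", "green") or "any"
    dest: str                        # "firewall" = NethServer itself
    action: str                      # "accept" or "drop"
    service: Optional[Service] = None  # None = any service

@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    proto: str
    port: int

def matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches when zones agree and the service (if given) agrees."""
    if rule.source != "any" and rule.source != pkt.src_zone:
        return False
    if rule.dest != "any" and rule.dest != pkt.dst_zone:
        return False
    return rule.service is None or rule.service == (pkt.proto, pkt.port)

def evaluate(rules: List[Rule], pkt: Packet, default: str = "accept") -> str:
    """First matching rule wins, as in an ordered firewall rule list.
    The default models a service already open to the zone (assumption)."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return default

# Constructed services and rule sets mirroring the thread's advice.
OPENVPN: Service = ("udp", 1194)   # assumed OpenVPN port
SSH: Service = ("tcp", 22)

CORRECT_ORDER = [Rule("red", "firewall", "accept", OPENVPN),
                 Rule("red", "firewall", "drop")]
WRONG_ORDER = list(reversed(CORRECT_ORDER))   # drop placed above the allow

def verify(rules: List[Rule]) -> Dict[str, str]:
    """What a Red-side client and a Green-side client get for each service."""
    return {
        "openvpn_from_red": evaluate(rules, Packet("red", "firewall", *OPENVPN)),
        "ssh_from_red": evaluate(rules, Packet("red", "firewall", *SSH)),
        "ssh_from_green": evaluate(rules, Packet("green", "firewall", *SSH)),
    }

if __name__ == "__main__":
    print("correct order:", verify(CORRECT_ORDER))
    print("wrong order:  ", verify(WRONG_ORDER))
```

With the allow rule above the drop, only OpenVPN survives from Red and LAN (Green) access is untouched; with the order reversed the blanket drop matches first and OpenVPN is blocked too.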