Ping From Internet DISABLED

Hi,
I am discovering NethServer and running some tests before deciding whether to deploy it or not.
My server has two network ports - Lan and WAN using a public IP address.
In the Firewall app, I have unticked the option “Ping From Internet” …
But I am still able to ping the WAN socket from the outside world …

Any suggestion?

I hope only the WAN port has a public IP. The configuration should be like the following

  • Wan (public IP on a red interface)
  • LAN (private IP on a green interface)
  • Guests LAN (private IP on a blue interface)
  • DMZ (private IP on an orange interface)

A green interface you must have, a red one you should have if your NethServer should be reachable from the WAN side (this one is firewalled), and the others are optional.

Is NethServer connected to the internet through a modem or a router? If it is a router, perhaps the router responds to the ping.

I have indeed a LAN interface (private IP) and a WAN one with a public IP, using the modem (linked to a switch) as a gateway. I definitely ping the WAN IP, not the Modem one.

Indeed I can confirm this on my server, but I can see the line in /etc/shorewall/rules:

?SECTION NEW
#
# Drop Ping from the "bad" net zone.
#
Ping/DROP     net             $FW

Reading this, something has probably changed in the syntax of Shorewall.

we should have

#ACTION    SOURCE    DEST     PROTO    DPORT
Ping(DROP) net       $FW

But in fact it works as expected.

First verify that you have applied the configuration once saved (upper right corner).
Then, it works only for new connections: if you are already pinging, you must stop and ping again.
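As an added example (not code from the thread or from NethServer), here is a small parser for the /etc/shorewall/rules format quoted above. It accepts both the old `Ping/DROP` and the newer `Ping(DROP)` spelling of the action, records which `?SECTION` each rule falls under, and reports whether a rule dropping Ping from `net` to `$FW` exists and whether it can affect a ping that is already running. The sample rules file embedded in it is constructed for the example; the extra section headers and the ssh line are assumptions, not the real NethServer file.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample modelled on the /etc/shorewall/rules excerpt quoted in the thread.
# The section headers and the ACCEPT line are assumptions, not NethServer's real file.
SAMPLE_RULES = """\
?SECTION ALL
?SECTION ESTABLISHED
?SECTION RELATED
?SECTION INVALID
?SECTION UNTRACKED
?SECTION NEW
#
# Drop Ping from the "bad" net zone.
#
Ping/DROP     net             $FW
ACCEPT        loc             $FW      tcp   22
"""

# Matches a bare ACTION ("ACCEPT"), the old "Ping/DROP" form and the new "Ping(DROP)" form.
_ACTION_RE = re.compile(r"^(?P<name>[A-Za-z_]+)(?:/(?P<old>[A-Za-z]+)|\((?P<new>[A-Za-z]+)\))?$")


@dataclass
class Rule:
    section: str
    action: str
    param: Optional[str]
    source: str
    dest: str
    rest: tuple = field(default_factory=tuple)   # PROTO, DPORT, ... columns


def normalize_action(token):
    """Split the ACTION column into (action name, parameter), e.g. 'Ping/DROP' -> ('Ping', 'DROP')."""
    m = _ACTION_RE.match(token)
    if not m:
        raise ValueError(f"unrecognised ACTION token: {token!r}")
    return m.group("name"), m.group("old") or m.group("new")


def parse_rules(text):
    section = "NEW"   # assumption: rules before any ?SECTION header count as NEW
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        words = line.split()
        # Section header, written "?SECTION NEW" (or legacy "SECTION NEW")
        if words[0].lstrip("?").upper() == "SECTION" and len(words) > 1:
            section = words[1].upper()
            continue
        if len(words) < 3:
            raise ValueError(f"malformed rule line: {raw!r}")
        name, param = normalize_action(words[0])
        rules.append(Rule(section, name, param, words[1], words[2], tuple(words[3:])))
    return rules


def ping_block_section(rules, fw="$FW"):
    """Section of the first rule dropping/rejecting echo requests from net to the firewall, or None."""
    for r in rules:
        if not (r.source == "net" and r.dest == fw):
            continue
        if r.action == "Ping" and r.param in ("DROP", "REJECT"):
            return r.section
        if r.action in ("DROP", "REJECT") and r.rest[:1] == ("icmp",):
            return r.section
    return None


def affects_existing_flows(section):
    """Only the ALL and ESTABLISHED sections are evaluated for packets conntrack already tracks."""
    return section in ("ALL", "ESTABLISHED")


def explain(text):
    """One-line verdict a defender can read after editing the rules file."""
    section = ping_block_section(parse_rules(text))
    if section is None:
        return "no rule drops Ping from net to the firewall"
    if affects_existing_flows(section):
        return f"Ping from net is dropped in section {section}; running pings stop too"
    return f"Ping from net is dropped in section {section}; only new pings are affected, restart the ping to see it"


if __name__ == "__main__":
    print(explain(SAMPLE_RULES))
```

Run on the sample it reports that the drop rule sits in the NEW section, which is exactly why a ping session that was already running keeps answering until it is stopped and started again.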

OK, it works as expected indeed. I was monitoring the same ping session.


I cannot find it again, but I am frankly sure that we did something to apply this also to established connections, and not only to new connections.

cc @giacomo


OK, what I had in mind was the PR relating to blocking a host immediately.

Indeed we are in quite the same configuration, but it has not been implemented for the ping, probably because the ping echo is not really an attack.
