tofubl

joined 1 year ago
[–] [email protected] 1 points 9 months ago* (last edited 9 months ago)

I appreciate you taking a look. It does indeed have standard rules to drop private networks (192.168, 10.0 and so on), but I have them disabled.

The forward specifies range 8888-8888 and translates it to 8888.

[–] [email protected] 1 points 9 months ago

Do you mean these options under Interfaces > WAN? I have them disabled after they did show up as a block in the log.

[–] [email protected] 1 points 9 months ago

Further digging: The request reaches the docker container, which returns 200 OK.

my-apache-app | 2024-02-09T12:53:22.925676854Z 192.168.0.123 - - [09/Feb/2024:12:53:22 +0000] "GET / HTTP/1.1" 200 161

What is going on here? Do I need some rules in the other direction, on top of "Automatic outbound NAT rule generation"?

[–] [email protected] 1 points 9 months ago (2 children)

And here's what this request looks like in the firewall log:

[–] [email protected] 1 points 9 months ago (4 children)

Can you please elaborate? Who's restricting 192.168.0.x? It's not actually WAN, right? It's just a local network I connected the firewall to.

[–] [email protected] 1 points 9 months ago* (last edited 9 months ago) (3 children)

Like this?

~$ curl 192.168.0.136:8888
curl: (56) Recv failure: Connection reset by peer

[–] [email protected] 1 points 9 months ago (6 children)

Here's some more: From behind the firewall (i.e. from a 10.0.0.x IP) the port forward works (which would be a reflection, I suppose?).

From in front of the firewall, I get "connection reset", which I interpret as somewhat working but then breaking somewhere else. Does that make sense?

[–] [email protected] 2 points 9 months ago* (last edited 9 months ago) (1 children)

i times i is -1, though. Imagine that!

[–] [email protected] 3 points 9 months ago* (last edited 9 months ago)

My post title was going to be "firewall noob vs. double NAT", but I'm too much of a noob to tell if that's where the problem is. 😅

Edit: plus, is it actually a double NAT if I try to port forward into 10.0.0.x from 192.168.0.x? I'm only crossing one NAT, no?

[–] [email protected] 2 points 9 months ago (9 children)

The docker01 alias is a host alias with 10.0.0.22 and there's an apache test container running on port 8888.

I have created a pass any in rule on WAN (just until I figure out what's wrong).

In Firewall > Settings > Advanced, I have set "reflection for port forwards" and "automatic outbound NAT for reflection", although I'm not sure if that is needed.

Is there any other info I can provide?

[–] [email protected] 4 points 9 months ago (6 children)

I am trying to learn in a safe environment without breaking my existing network. It's not actually a WAN, except from the firewall's point of view.

[–] [email protected] 7 points 9 months ago (1 children)

Could you please elaborate how you do the honeypotting?
