First deployment of COS, so please forgive such an elementary question...but I'm coming from too many years of firewalls where you set address objects, then rules, etc. Anyway...am looking for input on limiting, for example, webconfig, to a specific external IP address. I think I get how to enter in Custom Firewall--but then do I do anything with the webconfig rule in the Incoming Firewall section for that port setting?
Share this post:
Accepted AnswerNick HowittOfflineIf you add a custom rule, you do not have to do anything else in the webconfig. The sort of rule you want is:
You should alwasd check the rule at the command line first but you have to use "iptables" there and not "$IPTABLES"
$IPTABLES -I INPUT -s your_permitted_IP_address -p tcp --dport 81-j ACCEPT
If you make bad mistake in the Custom rules you can put the firewall into a restart loop. At that point you need to edit /etc/clearos/firewall.d/custom and remove the errant rule.
My preferred option is not to open the firewall to anything like webconfig or SSH, but to use OpenVPN instead. With that you can then connect to ClearOS as if you are connected to the LAN and it is much more secure. If you go down this route, it is best to avoid the subnets 192.168.0.0/24 and 192.168.1.0/24 on your LAN.