firewalld rich rules, filter by IP and MAC

Issues related to configuring your network
The.Ex-pat
Posts: 37
Joined: 2019/06/21 00:07:29

firewalld rich rules, filter by IP and MAC

Post by The.Ex-pat » 2020/06/03 03:13:46

I have a simple proxy server running in the USA that I use from my vacation home in Mexico.

I normally set a rich rule allowing only my IP address to access the port. As of late the ISP in Mexico has been rotating my IP regularly.
I wanted to pass a rich rule that allowed IP 172.123.0.0/16 and the MAC from my router. Didn't work.

firewall-cmd --permanent --zone=home --add-rich-rule='rule family="ipv4" source mac="**:**:**:**:**:**" port port="1234" protocol="tcp" accept'
Using the MAC from my router and from my PC; tried both because I'm not sure which one would be seen by firewalld.
Didn't fly.

This is what I have working currently

firewall-cmd --permanent --zone=home --add-rich-rule='rule family="ipv4" source address="172.239.0.0/16" port port="1234" protocol="tcp" accept'
They don't rotate out of that subnet, so the service remains up without daily (sometimes hourly) disruption, but it opens up my port to everyone on my subnet.

I need some guidance. What is the savvy play here?

jlehtone
Posts: 4530
Joined: 2007/12/11 08:17:33
Location: Finland

Re: firewalld rich rules, filter by IP and MAC

Post by jlehtone » 2020/06/03 06:23:48

The FirewallD ideology is to use zones, not rich rules.
The 172.239.0.0/16 is one zone that allows (some) traffic. A source zone.
Everything else is the other zone (that does not allow). Zone of the interface.

MAC addresses are not carried with the packet. They are link-local.
The MAC of your machine is seen by your router.
The WAN-port MAC of your router is seen by the ISP router that it forwards traffic to.
You can try 'traceroute' to see "hops" (routers) between Mexico and USA.

The.Ex-pat
Posts: 37
Joined: 2019/06/21 00:07:29

Re: firewalld rich rules, filter by IP and MAC

Post by The.Ex-pat » 2020/06/03 20:20:49

Ok, I can remove the rich rule and add 172.239.0.0/16 as a source.
firewall-cmd --permanent --zone=public --add-source="177.239.0.0/16"
firewall-cmd --permanent --zone=public --add-port="3128"
... That still allows anyone in the 172.239.0.0/16 address range to access my proxy server.
What should I do to secure the proxy server yet still allow access after the ISP rotates my IP address?

jlehtone
Posts: 4530
Joined: 2007/12/11 08:17:33
Location: Finland

Re: firewalld rich rules, filter by IP and MAC

Post by jlehtone » 2020/06/04 11:22:03

Awkward solution is to have wider access to ssh and then via ssh update the config that allows access to proxy.

I'm not familiar with proxies. Could they be made to require authentication?


Btw, ssh can act as SOCKS5 proxy. (Option -D).
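An added example (not from either poster) of the zone-based approach described in this thread: a dedicated source zone that opens only the proxy port, plus a helper that swaps the single allowed source when the ISP hands out a new address, instead of admitting the whole /16. The zone name "proxy", port 3128/tcp and the sample addresses are assumptions; the script only prints the firewall-cmd invocations when firewall-cmd is not installed or DRY_RUN=1 is set.

```shell
#!/bin/sh
# Assumed zone name and proxy port; adjust to your setup.
ZONE="proxy"
PORT="3128/tcp"

# Run firewall-cmd, or print the invocation when DRY_RUN=1 or the tool
# is absent, so the logic can be reviewed on any machine.
fw() {
    if [ "${DRY_RUN:-0}" = "1" ] || ! command -v firewall-cmd >/dev/null 2>&1; then
        printf 'firewall-cmd %s\n' "$*"
    else
        firewall-cmd "$@"
    fi
}

# One-time setup: a zone whose only members are the sources added to it,
# opening only the proxy port. Packets from any other source keep hitting
# the interface's zone (e.g. public), which does not expose the port.
setup_proxy_zone() {
    src="$1"                       # e.g. 203.0.113.5/32 (constructed sample)
    fw --permanent --new-zone="$ZONE"
    fw --permanent --zone="$ZONE" --add-port="$PORT"
    fw --permanent --zone="$ZONE" --add-source="$src"
    fw --reload
}

# Run (e.g. over ssh) after the ISP rotates the address: replace the one
# allowed source rather than widening the rule to the whole subnet.
rotate_source() {
    old="$1"; new="$2"
    fw --permanent --zone="$ZONE" --remove-source="$old"
    fw --permanent --zone="$ZONE" --add-source="$new"
    fw --reload
}
```

Usage: `setup_proxy_zone 203.0.113.5/32` once, then `rotate_source 203.0.113.5/32 203.0.113.77/32` each time the address changes; `firewall-cmd --zone=proxy --list-all` shows the current source and port.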
