Re: [Shorewall-users] ARP

2018-02-23 Thread Tom Eastep
On 02/23/2018 02:18 PM, Vieri Di Paola via Shorewall-users wrote:
>
>
> From: Tom Eastep
>>>
>>> Can I avoid replying to ARP requests for 192.168.200.0/24 only?
>>>
>> Yes -- add a DROP entry in /etc/shorewall/arprules.
>
>
> Thanks.

Re: [Shorewall-users] ARP

2018-02-23 Thread Vieri Di Paola via Shorewall-users
From: Tom Eastep
>>
>> Can I avoid replying to ARP requests for 192.168.200.0/24 only?
>>
> Yes -- add a DROP entry in /etc/shorewall/arprules.

Thanks. However, I don't understand why the ARP replies were generated even if I set

Re: [Shorewall-users] Restricting intra-LAN traffic

2018-02-23 Thread Tim S
I have a hyper-paranoid least-privilege security design on my network. I use a layer-3 switch with each port as its own VLAN, and the 10GbE uplinks as VLAN trunks. Since the individual devices do not "see" the VLAN assignment (since it's done at the switch and above), all traffic runs through the

Re: [Shorewall-users] ARP

2018-02-23 Thread Tom Eastep
On 02/23/2018 06:42 AM, Vieri Di Paola via Shorewall-users wrote:
> Hi,
>
>
> In my LAN I have two networks on the same physical infrastructure (no VLAN):
> 10.215.0.0/16 and 192.168.200.0/24
>
> The LAN interface on the Shorewall firewall/gateway has proxy_arp enabled for
> some cases, but it

Re: [Shorewall-users] Shorewall 5.2.0 Beta 1

2018-02-23 Thread Tom Eastep
On 02/23/2018 05:01 AM, Alexander Stoll wrote:
> On 21.02.2018 at 01:38, Tom Eastep wrote:
>
>> 3) With the wide availability of ipset-based blacklisting, the need
>> for the 'refresh' command has been largely eliminated. As a result,
>> that command has been removed.
>
> Dear Tom,
>

Re: [Shorewall-users] Restricting intra-LAN traffic

2018-02-23 Thread Tom Eastep
On 02/23/2018 02:44 AM, Spyros Stathopoulos wrote: > On 23-Feb-18 02:17, Tom Eastep wrote: >> On 02/22/2018 06:08 PM, James Andrewartha wrote: >>> On 23/02/18 10:01, Tom Eastep wrote: On 02/22/2018 05:39 PM, Spyros Stathopoulos wrote: > As there is no access control > from the device

Re: [Shorewall-users] Restricting intra-LAN traffic

2018-02-23 Thread Bill Shirley
On 2/23/2018 5:44 AM, Spyros Stathopoulos wrote: So would it make sense to put the device in a different subnetwork (say 10.0.7.1/24), create a VLAN (e.g. eth1:0) and a new zone out of eth1:0 and do SNAT into the new subnetwork? I have done that to access my PPP modem on the WAN interface and

[Shorewall-users] ARP

2018-02-23 Thread Vieri Di Paola via Shorewall-users
Hi, In my LAN I have two networks on the same physical infrastructure (no VLAN): 10.215.0.0/16 and 192.168.200.0/24 The LAN interface on the Shorewall firewall/gateway has proxy_arp enabled for some cases, but it seems to be interfering with ARP requests. This is what I see on the Shorewall box
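The symptom described in this post (two subnets on one segment, the gateway's proxy_arp answering for addresses it does not own) is easiest to confirm from a capture taken on the Shorewall box. The following is an added example, not code from the thread or from the Shorewall project: it parses `tcpdump -e -n arp` style output and reports (a) which addresses inside a given subnet the firewall's MAC answered for without owning them, and (b) addresses for which two different MACs claimed ownership, which is what happens when proxy ARP competes with the real host. The capture, MAC addresses and host IPs are constructed for the example; only the two subnets come from the post.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in "tcpdump -e -n arp" format. The MACs and host IPs are
# made up; 52:54:00:ff:00:01 plays the Shorewall gateway, which owns
# 10.215.0.1 and 192.168.200.1 but (via proxy_arp) also answers for
# 192.168.200.20, a host that is really at 52:54:00:bb:00:20.
SAMPLE_CAPTURE = """\
14:01:02.100000 52:54:00:aa:00:05 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.200.20 tell 192.168.200.5, length 28
14:01:02.100400 52:54:00:ff:00:01 > 52:54:00:aa:00:05, ethertype ARP (0x0806), length 42: Reply 192.168.200.20 is-at 52:54:00:ff:00:01, length 28
14:01:02.100900 52:54:00:bb:00:20 > 52:54:00:aa:00:05, ethertype ARP (0x0806), length 42: Reply 192.168.200.20 is-at 52:54:00:bb:00:20, length 28
14:01:03.200000 52:54:00:cc:01:07 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 10.215.0.1 tell 10.215.1.7, length 28
14:01:03.200300 52:54:00:ff:00:01 > 52:54:00:cc:01:07, ethertype ARP (0x0806), length 42: Reply 10.215.0.1 is-at 52:54:00:ff:00:01, length 28
14:01:04.300000 52:54:00:cc:01:07 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 10.215.3.9 tell 10.215.1.7, length 28
14:01:04.300300 52:54:00:dd:03:09 > 52:54:00:cc:01:07, ethertype ARP (0x0806), length 42: Reply 10.215.3.9 is-at 52:54:00:dd:03:09, length 28
"""

# Matches the ARP reply lines tcpdump prints with -e (link-level header) and -n.
ARP_REPLY = re.compile(
    r"^\S+ (?P<src_mac>[0-9a-f:]{17}) > (?P<dst_mac>[0-9a-f:]{17}), "
    r"ethertype ARP \(0x0806\), length \d+: "
    r"Reply (?P<ip>[\d.]+) is-at (?P<mac>[0-9a-f:]{17})"
)


def parse_replies(capture):
    """Yield (ip, claimed_mac, frame_source_mac) for each ARP reply in the capture."""
    for line in capture.splitlines():
        m = ARP_REPLY.match(line)
        if m:
            yield (
                ipaddress.ip_address(m["ip"]),
                m["mac"].lower(),
                m["src_mac"].lower(),
            )


def proxy_replies(capture, fw_mac, fw_addrs, subnet):
    """Addresses in `subnet`, not owned by the firewall, that the firewall's MAC answered for.

    After a DROP entry for the subnet in /etc/shorewall/arprules (as suggested
    in the thread) a fresh capture should yield an empty list here.
    """
    net = ipaddress.ip_network(subnet)
    own = {ipaddress.ip_address(a) for a in fw_addrs}
    hits = set()
    for ip, mac, _src in parse_replies(capture):
        if mac == fw_mac.lower() and ip in net and ip not in own:
            hits.add(ip)
    return sorted(str(ip) for ip in hits)


def conflicting_answers(capture):
    """Addresses for which more than one distinct MAC claimed ownership."""
    seen = defaultdict(set)
    for ip, mac, _src in parse_replies(capture):
        seen[ip].add(mac)
    return {str(ip): sorted(macs) for ip, macs in seen.items() if len(macs) > 1}


if __name__ == "__main__":
    fw = "52:54:00:ff:00:01"
    print("proxy replies in 192.168.200.0/24:",
          proxy_replies(SAMPLE_CAPTURE, fw, ["10.215.0.1", "192.168.200.1"], "192.168.200.0/24"))
    print("conflicting answers:", conflicting_answers(SAMPLE_CAPTURE))
```

Run it against a real capture by replacing `SAMPLE_CAPTURE` with the output of `tcpdump -e -n -l arp` on the LAN interface and `fw` with that interface's MAC; any address in the list is one the gateway is claiming on behalf of another host.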

Re: [Shorewall-users] Shorewall 5.2.0 Beta 1

2018-02-23 Thread Alexander Stoll
On 21.02.2018 at 01:38, Tom Eastep wrote: 3) With the wide availability of ipset-based blacklisting, the need for the 'refresh' command has been largely eliminated. As a result, that command has been removed. Dear Tom, I use traffic shaping on multiple hosts, all connected via

Re: [Shorewall-users] Restricting intra-LAN traffic

2018-02-23 Thread Spyros Stathopoulos
On 23-Feb-18 02:17, Tom Eastep wrote: > On 02/22/2018 06:08 PM, James Andrewartha wrote: >> On 23/02/18 10:01, Tom Eastep wrote: >>> On 02/22/2018 05:39 PM, Spyros Stathopoulos wrote: As there is no access control from the device itself I can only limit the connection from shorewall. >>>