On 3/26/11 9:09 AM, Tom Eastep wrote:
> On 3/25/11 3:33 AM, Vieri Di Paola wrote:
>> I have a bridge setup with lan and wan bp-zones.
>>
>> I'm pinging successfully from a host in the lan bp-zone with IP addr 
>> 10.215.146.70 to a host in the wan bp-zone with IP addr 10.215.146.89 and 
>> this is reflected in the Conntrack Table (see dump).
>>
>> According to the documentation I should be able to set policies and rules 
>> between 2 bp-zones (e.g. lan -> wan; wan -> lan).
>> I must have set them wrong because I'm expecting to REJECT all traffic 
>> between lan and wan.
>> However, pings between hosts in wan and lan are working both ways...
>>
>> Please take a look at my shorewall dump at:
>> http://213.96.91.201/temp/dump.gz
>>
>> Why are pings wan2lan and lan2wan working?
> 
> Because your configuration is allowing all br0->br0 traffic.
> 
>> How can I block them?
> 
> Configure your firewall correctly. If you will send me a tarball of
> /etc/shorewall, I'll take a look.

Okay -- this is very subtle and I will try to make it less so, but the
problem has to do with your hosts.FHM entries.

I assume that you know which bridge port the IPSEC tunnels come in
through (eth0 or eth1). So specify that interface rather than br0 and
you should be okay.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
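As an added illustration of Tom's point, not the poster's actual files (which are not on the list), this is what the bridge-port zones look like when each one is tied to its bridge port instead of to br0; the zone names lan and wan and the ports eth0/eth1 are assumed from the thread, and the same bridge:port form applies to the hosts entries for the IPSEC tunnel endpoints:

```conf
# /etc/shorewall/zones
#ZONE   TYPE
fw      firewall
lan     bport
wan     bport

# /etc/shorewall/interfaces
# The bridge device itself carries no zone; it is only marked as a bridge.
#ZONE   INTERFACE   BROADCAST   OPTIONS
-       br0         detect      bridge

# /etc/shorewall/hosts
# A bp-zone is identified by bridge:port (optionally bridge:port:address).
# Entries that name br0 without a port cannot tell the two ports apart,
# so traffic between them is seen as br0->br0 and the lan/wan policies
# below are never consulted. eth0/eth1 are assumed here.
#ZONE   HOST(S)
lan     br0:eth0
wan     br0:eth1

# /etc/shorewall/policy
# With the zones keyed to ports, these policies now apply to the
# 10.215.146.70 <-> 10.215.146.89 pings from the thread.
#SOURCE DEST    POLICY  LOG
lan     wan     REJECT  info
wan     lan     REJECT  info
```

After changing the hosts file, `shorewall check` followed by `shorewall restart` will show whether the lan->wan and wan->lan chains are now generated.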

_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users