I am facing what I initially thought to be a simple matter however it is
now troubling me more than it should.

I have set up shorewall to a pretty much standard Two-Interface
configuration [0]. My LAN is As per the guide I have
defined three zones, net, loc and fw and as it is packets flow freely
within the LAN. Now, I have a specific device within my network (for
instance to which I would like to restrict access. The idea
is to limit access to only from a specific computer within my
LAN ideally identified by MAC address. As there is no access control
from the device itself I can only limit the connection from shorewall.
Initially I intuitively added a simple DROP loc loc: rule to
/etc/shorewall/rules to gauge whether the connection to is
actually dropped. Perhaps slightly to my surprise I found out that this
is not working as I thought and is accessible from all hosts
from within the LAN.

Then I tried to follow this guide [1] to define a "subzone" (the
specific requirements bit) including only So I added (eth1
is the LAN-facing interface)

"dev  eth1:  broadcast" to /etc/shorewall/hosts,

"dev:loc ipv4" to /etc/shorewall/zones and

dev  loc  NONE
loc  dev  NONE

to /etc/shorewall/policy.

Then I added the same DROP rule to /etc/shorewall/rules, yet once again
remains accessible from all hosts from within the LAN. The results were
the same when defaulting the dev<->loc policy to DROP.

At this point I'm out of ideas so I turned to the mailing list for help.
It is indeed entirely possible that my question is trivial and I'm
missing something fundamental so in that case I apologise in advance.

I am using shorewall{,6,-core} v5.1.8 on Alpine Linux (kernel 4.9.65).
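For reference, here is an added, self-contained configuration example (not the poster's files, and not from the Shorewall project) showing how the four files fit together for a "subzone on the same interface" setup. The addresses 192.0.2.0/24 and 192.0.2.50, the MAC 00-11-22-33-44-55 and the ssh port are placeholders; the `routeback` option on eth1 is an assumption about how traffic between two zones on one interface is forwarded. Shorewall uses the first matching entry in the policy file, so the loc/dev policies are listed before the general loc policies.

```text
# /etc/shorewall/zones
#ZONE      TYPE
fw         firewall
net        ipv4
loc        ipv4
dev:loc    ipv4          # subzone of loc (placeholder name)

# /etc/shorewall/interfaces  (assumption: routeback so eth1->eth1 traffic is handled)
#ZONE      INTERFACE     OPTIONS
net        eth0          tcpflags,nosmurfs,routefilter,logmartians
loc        eth1          tcpflags,nosmurfs,routefilter,logmartians,routeback

# /etc/shorewall/hosts   (placeholder device address)
#ZONE      HOSTS                 OPTIONS
dev        eth1:192.0.2.50       broadcast

# /etc/shorewall/policy  (first match wins: keep these above the general loc entries)
#SOURCE    DEST     POLICY    LOGLEVEL
loc        dev      DROP      info
dev        loc      DROP      info
loc        net      ACCEPT
loc        fw       ACCEPT
net        all      DROP      info
all        all      REJECT    info

# /etc/shorewall/rules  (placeholder MAC; Shorewall MAC syntax is ~xx-xx-xx-xx-xx-xx)
#ACTION    SOURCE                       DEST    PROTO   DPORT
ACCEPT     loc:~00-11-22-33-44-55       dev     tcp     22
```

Run `shorewall check` after editing to validate the files before `shorewall restart`. Two caveats apply regardless of the rules: the firewall only filters packets that are routed through the firewall host, so two hosts on the same subnet behind one switch talk to each other directly and never hit these chains, in which case the device has to sit on its own interface or VLAN for loc/dev filtering to take effect; and a MAC address is trivially changeable on the client side, so a MAC-based ACCEPT is a convenience filter, not an authentication control. The `info` log levels on the DROP policies give you kernel log lines to confirm which path a blocked packet actually took.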



Shorewall-users mailing list
