On 02/22/2018 05:39 PM, Spyros Stathopoulos wrote:
> Greetings,
>
> I am facing what I initially thought to be a simple matter; however, it is
> now troubling me more than it should.
>
> I have set up shorewall in a pretty much standard Two-Interface
> configuration [0]. My LAN is 10.0.1.0/24. As per the guide I have
> defined three zones, net, loc and fw, and as it is packets flow freely
> within the LAN. Now, I have a specific device within my network (for
> instance 10.0.1.99) to which I would like to restrict access. The idea
> is to limit access to 10.0.1.99 only from a specific computer within my
> LAN, ideally identified by MAC address. As there is no access control
> on the device itself I can only limit the connection from shorewall.
> Initially I intuitively added a simple DROP loc loc:10.0.1.99 rule to
> /etc/shorewall/rules to gauge whether the connection to 10.0.1.99 is
> actually dropped. Perhaps slightly to my surprise I found out that this
> is not working as I thought and 10.0.1.99 is accessible from all hosts
> within the LAN.
>
> Then I tried to follow this guide [1] to define a "subzone" (the
> "specific requirements" bit) including only 10.0.1.99/32. So I added (eth1
> is the LAN-facing interface)
>
> "dev eth1:10.0.1.99/32 broadcast" to /etc/shorewall/hosts,
>
> "dev:loc ipv4" to /etc/shorewall/zones and
>
> dev loc NONE
> loc dev NONE
>
> to /etc/shorewall/policy.
>
> Then I added the same DROP rule to /etc/shorewall/rules, yet once again
> 10.0.1.99 remains accessible from all hosts within the LAN. Same
> were the results when defaulting the dev<->loc policy to DROP.
>
> At this point I'm out of ideas, so I turned to the mailing list for help.
> It is indeed entirely possible that my question is trivial and I'm
> missing something fundamental, so in that case I apologise in advance.
>
> I am using shorewall{,6,-core} v5.1.8 on Alpine Linux (kernel 4.9.65).
>
> [0]: http://shorewall.org/two-interface.htm
> [1]: http://shorewall.org/Multiple_Zones.html
The value in defining multiple zones within a LAN is to define different rules/policies to/from the LAN. Because intra-LAN traffic within a subnet does not pass through the Shorewall system, rules and policies on that system are ineffective in controlling intra-LAN traffic. If different disjoint subnets are defined, traffic between the subnets does go through the Shorewall system, but such a setup is easily bypassed by LAN users who have administrative privileges on their systems. The best way to accomplish what you want is via firewall rules on 10.0.1.99 itself.

-Tom
--
Tom Eastep            \ Q: What do you get when you cross a mobster with
Shoreline,             \    an international standard?
Washington, USA        \ A: Someone who makes you an offer you can't
http://shorewall.org   \    understand
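Host-side rules of the kind Tom suggests, written here as an added example that is not part of the thread or of Shorewall itself. It assumes 10.0.1.99 is a Linux host that can run iptables, that eth0 is its LAN interface, and it uses placeholder values for the one admitted client (10.0.1.10 with MAC 00:11:22:33:44:55); the rule set is generated by a function and only applied when the script is invoked with the `apply` argument, so it can be inspected first.

```shell
#!/bin/sh
# Constructed example: allowlist one LAN client on the device 10.0.1.99 itself.
# Assumed values (placeholders): LAN interface eth0, admin host 10.0.1.10 with
# MAC 00:11:22:33:44:55. Override via environment variables.
DEV_IFACE="${DEV_IFACE:-eth0}"
LAN_NET="${LAN_NET:-10.0.1.0/24}"
ADMIN_IP="${ADMIN_IP:-10.0.1.10}"
ADMIN_MAC="${ADMIN_MAC:-00:11:22:33:44:55}"

# Emit the iptables commands, one per line, without executing them.
# Order matters: established traffic, then the single allow, then log, then drop.
build_rules() {
    # Keep already-established sessions (e.g. the admin's SSH) working.
    echo "iptables -A INPUT -i $DEV_IFACE -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Admit new connections only when both the source IP and the MAC match.
    # MAC matching only sees frames on the same L2 segment and is not proof of
    # identity, so it narrows exposure rather than authenticating the client.
    echo "iptables -A INPUT -i $DEV_IFACE -s $ADMIN_IP -m mac --mac-source $ADMIN_MAC -m conntrack --ctstate NEW -j ACCEPT"
    # Log (rate-limited) and then drop everything else arriving from the LAN,
    # so unexpected access attempts show up in the kernel log.
    echo "iptables -A INPUT -i $DEV_IFACE -s $LAN_NET -m limit --limit 5/min -j LOG --log-prefix \"dev-drop: \""
    echo "iptables -A INPUT -i $DEV_IFACE -s $LAN_NET -j DROP"
}

# Number of generated rules; handy for a sanity check before applying.
rule_count() {
    build_rules | wc -l | tr -d ' '
}

# Run the generated commands (requires root). Only called on explicit request.
apply_rules() {
    build_rules | while IFS= read -r cmd; do
        eval "$cmd"
    done
}

if [ "${1:-}" = "apply" ]; then
    apply_rules
fi
```

Run the script without arguments (or call `build_rules`) to review the rules, then `sh script.sh apply` as root to install them; the final DROP is scoped to the LAN prefix so traffic from other interfaces is unaffected.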
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users