On 02/22/2018 06:08 PM, James Andrewartha wrote:
> On 23/02/18 10:01, Tom Eastep wrote:
>> On 02/22/2018 05:39 PM, Spyros Stathopoulos wrote:
>>> As there is no access control
>>> from the device itself I can only limit the connection from shorewall.
>> The value in defining multiple zones within a LAN is to define different
>> rules/policies to/from the LAN. Because intra-LAN traffic within a
>> subnet does not pass through the Shorewall system, rules and policies on
>> that system are ineffective in controlling intra-LAN traffic. If
>> different disjoint subnets are defined, traffic between the subnets does
>> go through the Shorewall system, but such a setup is easily bypassed by
>> LAN users who have administrative privileges on their systems. The best
>> way to accomplish what you want is via firewall rules on itself.
> What about putting the device on a separate interface and using
> shorewall's bridge firewall feature?
> http://shorewall.net/bridge-Shorewall-perl.html

That will work, but netfilter doesn't allow you to control traffic from
other interfaces to individual ports on the bridge. That capability was
removed in the 2.6.20 kernel.

Tom Eastep        \   Q: What do you get when you cross a mobster with
Shoreline,         \     an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
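As an added illustration (not configuration from this thread or from the Shorewall project), the point Tom makes above can be put into Shorewall's own files: when the device hangs off its own interface in its own subnet, every packet between a LAN host and the device is routed through the Shorewall box, so zone policies and rules actually apply, and a LAN user with root on their workstation cannot put themselves onto the device's segment by changing an address or a route. This is the routed variant, which sidesteps the physdev limitation Tom describes for per-port control of a bridge from a non-bridge interface. Interface names (eth0/eth1/eth2), the 192.168.1.10 management host and the allowed ports are assumptions for the example.

```text
# /etc/shorewall/zones  (assumed layout: net on eth0, LAN on eth1, device alone on eth2)
#ZONE   TYPE
fw      firewall
net     ipv4
lan     ipv4
dev     ipv4

# /etc/shorewall/interfaces
?FORMAT 2
#ZONE   INTERFACE   OPTIONS
net     eth0        tcpflags,nosmurfs
lan     eth1        tcpflags,nosmurfs
dev     eth2        tcpflags,nosmurfs

# /etc/shorewall/policy
# Deny-by-default toward the device; only explicit rules open anything.
#SOURCE DEST    POLICY  LOGLEVEL
lan     dev     REJECT  info
dev     all     REJECT  info
lan     net     ACCEPT
fw      all     ACCEPT
net     all     DROP    info
all     all     REJECT  info

# /etc/shorewall/rules
# Only the assumed management host may reach the device, and only on SSH and HTTPS.
#ACTION SOURCE              DEST    PROTO   DPORT
ACCEPT  lan:192.168.1.10    dev     tcp     22,443
```

Run `shorewall check` before `shorewall restart` to have the compiler validate the files; the `dev dev` case never appears because the device is the only host on eth2, which is exactly what makes intra-subnet traffic a non-issue here. If the device must stay in the same broadcast domain as the LAN, this routed layout does not apply and the bridge/bport approach, with the per-port restriction Tom notes, is what remains.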

Shorewall-users mailing list