On 02/22/2018 06:08 PM, James Andrewartha wrote:
> On 23/02/18 10:01, Tom Eastep wrote:
>> On 02/22/2018 05:39 PM, Spyros Stathopoulos wrote:
>>> As there is no access control from the device itself I can only limit
>>> the connection from shorewall.
>>
>> The value in defining multiple zones within a LAN is to define different
>> rules/policies to/from the LAN. Because intra-LAN traffic within a
>> subnet does not pass through the Shorewall system, rules and policies on
>> that system are ineffective in controlling intra-LAN traffic. If
>> different disjoint subnets are defined, traffic between the subnets does
>> go through the Shorewall system, but such a setup is easily bypassed by
>> LAN users who have administrative privileges on their systems. The best
>> way to accomplish what you want is via firewall rules on 10.0.1.99 itself.
>
> What about putting the device on a separate interface and using
> shorewall's bridge firewall feature?
> http://shorewall.net/bridge-Shorewall-perl.html
That will work, but netfilter doesn't allow you to control traffic from
other interfaces to individual ports on the bridge. That capability was
removed in the 2.6.20 kernel.

-Tom
--
Tom Eastep        \ Q: What do you get when you cross a mobster with
Shoreline,         \    an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't
http://shorewall.org \    understand
                      \_______________________________________________
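Added example (not from this thread and not part of the Shorewall project's own documentation): a minimal Shorewall configuration that implements the "disjoint subnets" layout Tom describes, so that traffic between the general LAN and the device has to cross the Shorewall box and can be filtered there. It assumes a router with eth0 to the Internet, eth1 for the LAN (10.0.1.0/24), eth2 for a separate device segment (10.0.2.0/24), and that the device has been moved from 10.0.1.99 to 10.0.2.99 on that segment; 10.0.1.10 is an assumed management host. Interface names, addresses and the use of the `?FORMAT 2` interfaces syntax (Shorewall 4.6/5) are assumptions for the example.

```text
# /etc/shorewall/zones
#ZONE   TYPE
fw      firewall
net     ipv4
lan     ipv4      # general LAN, 10.0.1.0/24 on eth1 (assumed)
dev     ipv4      # segment holding only the device, 10.0.2.0/24 on eth2 (assumed)

# /etc/shorewall/interfaces
?FORMAT 2
#ZONE   INTERFACE   OPTIONS
net     eth0        dhcp,tcpflags,nosmurfs,routefilter
lan     eth1        tcpflags,nosmurfs,routefilter
dev     eth2        tcpflags,nosmurfs,routefilter

# /etc/shorewall/policy
# Default-deny between the two LAN zones; everything that is allowed
# is listed explicitly in rules.  LOGLEVEL info records the drops.
#SOURCE DEST    POLICY  LOGLEVEL
fw      all     ACCEPT
lan     net     ACCEPT
lan     dev     DROP    info
dev     lan     DROP    info
dev     net     DROP    info
net     all     DROP    info
all     all     REJECT  info

# /etc/shorewall/rules
# Only the assumed management host may reach the device, and only on
# the one port it needs; replies are allowed by connection tracking.
#ACTION SOURCE          DEST            PROTO   DPORT
ACCEPT  lan:10.0.1.10   dev:10.0.2.99   tcp     22
# Let the device resolve names via the firewall (assumed dnsmasq/unbound on fw)
ACCEPT  dev             fw              udp     53
ACCEPT  dev             fw              tcp     53
```

Validate with `shorewall check` before `shorewall restart`. The `routefilter` option enables reverse-path filtering so a packet claiming a 10.0.2.x source cannot arrive on eth1. That does not remove the bypass Tom points out: anyone with administrative rights on a LAN host who can get an Ethernet path to eth2 (a second NIC, a misplaced patch cable, a flat switch that carries both segments) can simply configure a 10.0.2.x address and talk to the device without ever touching the firewall. Subnet separation on the router is therefore only useful when the segments are physically (or VLAN-) separate, and the device's own host firewall remains the control that actually holds.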
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users