On 02/22/2018 06:08 PM, James Andrewartha wrote:
> On 23/02/18 10:01, Tom Eastep wrote:
>> On 02/22/2018 05:39 PM, Spyros Stathopoulos wrote:
>>> As there is no access control
>>> from the device itself I can only limit the connection from shorewall.
>>
>> The value in defining multiple zones within a LAN is to define different
>> rules/policies to/from the LAN. Because intra-LAN traffic within a
>> subnet does not pass through the Shorewall system, rules and policies on
>> that system are ineffective in controlling intra-LAN traffic. If
>> different disjoint subnets are defined, traffic between the subnets does
>> go through the Shorewall system, but such a setup is easily bypassed by
>> LAN users who have administrative privileges on their systems. The best
>> way to accomplish what you want is via firewall rules on 10.0.1.99 itself.
> 
> What about putting the device on a separate interface and using
> shorewall's bridge firewall feature?
> http://shorewall.net/bridge-Shorewall-perl.html
> 

That will work, but netfilter doesn't allow you to control traffic from
other interfaces to individual ports on the bridge. That capability was
removed in the 2.6.20 kernel.

-Tom
-- 
Tom Eastep        \   Q: What do you get when you cross a mobster with
Shoreline,         \     an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
                      \_______________________________________________
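As an added illustration of the "disjoint subnets" approach Tom describes (this is not configuration from the thread or from the Shorewall project, and the interface names and the 10.0.0.10 management host are assumptions), the device at 10.0.1.99 is moved onto its own interface and subnet so that all traffic to it crosses the Shorewall host, where an explicit rule set can restrict it:

```text
# /etc/shorewall/zones
#ZONE   TYPE
fw      firewall
net     ipv4
loc     ipv4      # the general LAN, 10.0.0.0/24 (assumed)
dev     ipv4      # the unmanaged device alone, 10.0.1.0/24 (assumed)

# /etc/shorewall/interfaces
?FORMAT 2
#ZONE   INTERFACE   OPTIONS
net     eth0        dhcp,tcpflags,nosmurfs,routefilter,logmartians
loc     eth1        tcpflags,nosmurfs
dev     eth2        tcpflags,nosmurfs      # assumed: device hangs off eth2

# /etc/shorewall/policy
#SOURCE DEST    POLICY  LOGLEVEL
loc     net     ACCEPT
loc     dev     REJECT  info     # LAN may not reach the device by default
dev     all     REJECT  info     # the device may not initiate anything
net     all     DROP    info
all     all     REJECT  info

# /etc/shorewall/rules
?SECTION NEW
#ACTION     SOURCE          DEST            PROTO   DPORT
# Only the assumed management host may reach the device, and only on 443.
ACCEPT      loc:10.0.0.10   dev:10.0.1.99   tcp     443
```

Validate with `shorewall check` before `shorewall restart`; rejected attempts from other LAN hosts are logged by the `info` level on the `loc dev` policy, which is the easiest way to confirm the traffic is actually traversing the firewall. The limitation Tom raises still applies: a LAN user with administrative rights on their own machine can re-address it as 10.0.0.10, so this controls which addresses may talk to the device, not which people.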


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
