On 23-Feb-18 02:17, Tom Eastep wrote:
> On 02/22/2018 06:08 PM, James Andrewartha wrote:
>> On 23/02/18 10:01, Tom Eastep wrote:
>>> On 02/22/2018 05:39 PM, Spyros Stathopoulos wrote:
>>>> As there is no access control
>>>> from the device itself I can only limit the connection from shorewall.
>>> The value in defining multiple zones within a LAN is to define different
>>> rules/policies to/from the LAN. Because intra-LAN traffic within a
>>> subnet does not pass through the Shorewall system, rules and policies on
>>> that system are ineffective in controlling intra-LAN traffic. If
>>> different disjoint subnets are defined, traffic between the subnets does
>>> go through the Shorewall system, but such a setup is easily bypassed by
>>> LAN users who have administrative privileges on their systems. The best
>>> way to accomplish what you want is via firewall rules on itself.
>> What about putting the device on a separate interface and using
>> shorewall's bridge firewall feature?
>> http://shorewall.net/bridge-Shorewall-perl.html

So would it make sense to put the device in a different subnetwork (say, create a VLAN (e.g. eth1:0) and a new zone out of eth1:0) and do SNAT into the new subnetwork? I have done that to access my PPP modem on the WAN interface and it works, but it is connected to a physical interface (eth0). Would a similar approach work with VLANs?


Shorewall-users mailing list
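A worked Shorewall configuration for the separate-zone approach discussed in this thread, added here as an example and not taken from the thread or from the Shorewall project's own files. It assumes the device sits on a tagged VLAN subinterface eth1.10 (the managed switch puts the device's port in VLAN 10, which is created outside Shorewall), the LAN is 192.168.1.0/24, the device subnet is 192.168.10.0/24, and one admin host 192.168.1.10 is allowed through; all addresses and the zone name `dev` are constructed.

```text
# /etc/shorewall/zones  (constructed example; 'dev' is the new zone for the device)
#ZONE   TYPE
fw      firewall
net     ipv4
loc     ipv4
dev     ipv4

# /etc/shorewall/interfaces
# eth1.10 is an assumed 802.1Q subinterface of eth1 (VLAN id 10); the LAN stays on eth1
?FORMAT 2
#ZONE   INTERFACE   OPTIONS
net     eth0        dhcp,tcpflags,nosmurfs
loc     eth1        tcpflags,nosmurfs
dev     eth1.10     tcpflags,nosmurfs

# /etc/shorewall/policy  (first matching row wins; the dev rows must precede all/all)
#SOURCE  DEST  POLICY  LOGLEVEL
dev      all   DROP    info
loc      dev   DROP    info
loc      net   ACCEPT
fw       all   ACCEPT
net      all   DROP    info
all      all   REJECT  info

# /etc/shorewall/rules  (exceptions to the policies above)
# only the assumed admin workstation may open the device's HTTPS interface;
# return traffic is matched by connection tracking, so no reverse rule is needed
#ACTION  SOURCE              DEST   PROTO  DPORT
ACCEPT   loc:192.168.1.10    dev    tcp    443

# /etc/shorewall/snat  (Shorewall 5.x; older releases carry the same idea in /etc/shorewall/masq)
# rewrite LAN sources to the firewall's eth1.10 address so the device sees a peer on
# its own subnet, the same trick the poster used for the PPP modem on eth0
#ACTION      SOURCE            DEST
MASQUERADE   192.168.1.0/24    eth1.10
```

Because the device hangs off its own VLAN at the switch, a LAN host cannot join the device's subnet simply by changing its own address, which narrows the bypass described earlier in the thread; the switch-side VLAN assignment is assumed and lies outside Shorewall.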
