On 02/23/2018 02:44 AM, Spyros Stathopoulos wrote:
> On 23-Feb-18 02:17, Tom Eastep wrote:
>> On 02/22/2018 06:08 PM, James Andrewartha wrote:
>>> On 23/02/18 10:01, Tom Eastep wrote:
>>>> On 02/22/2018 05:39 PM, Spyros Stathopoulos wrote:
>>>>> As there is no access control from the device itself I can only
>>>>> limit the connection from shorewall.
>>>>
>>>> The value in defining multiple zones within a LAN is to define
>>>> different rules/policies to/from the LAN. Because intra-LAN traffic
>>>> within a subnet does not pass through the Shorewall system, rules and
>>>> policies on that system are ineffective in controlling intra-LAN
>>>> traffic. If different disjoint subnets are defined, traffic between
>>>> the subnets does go through the Shorewall system, but such a setup is
>>>> easily bypassed by LAN users who have administrative privileges on
>>>> their systems. The best way to accomplish what you want is via
>>>> firewall rules on 10.0.1.99 itself.
>>>
>>> What about putting the device on a separate interface and using
>>> shorewall's bridge firewall feature?
>>> http://shorewall.net/bridge-Shorewall-perl.html
>>>
>>
>
> So would it make sense to put the device in a different subnetwork (say
> 10.0.7.1/24), create a VLAN (e.g. eth1:0) and a new zone out of eth1:0
> and do SNAT into the new subnetwork? I have done that to access my PPP
> modem on the WAN interface and it works, but it is connected to a
> physical interface (eth0). Would a similar approach work with VLANs?
>

Yes. And you don't need SNAT in that case.

-Tom

--
Tom Eastep              \   Q: What do you get when you cross a mobster with
Shoreline,               \     an international standard?
Washington, USA           \ A: Someone who makes you an offer you can't
http://shorewall.org       \   understand
                            \_______________________________________________
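One way to realise the VLAN-plus-zone setup Tom confirms above, as an added example that is not from the thread: the device is moved to the 10.0.7.0/24 subnet on a tagged 802.1Q subinterface eth1.7 of the LAN NIC, which is a real subinterface that Shorewall can bind a zone to (an IP alias such as eth1:0 is not), so device traffic actually crosses the firewall and no SNAT is needed. The VLAN id 7, the zone name dev, the device address 10.0.7.10 and the single permitted management host 10.0.1.50 are all assumptions.

```conf
# Create the tagged subinterface on the Shorewall host (iproute2; run once,
# or put the equivalent in the distribution's network configuration):
#   ip link add link eth1 name eth1.7 type vlan id 7
#   ip addr add 10.0.7.1/24 dev eth1.7
#   ip link set eth1.7 up

# /etc/shorewall/zones
#ZONE   TYPE
fw      firewall
net     ipv4
loc     ipv4
dev     ipv4        # isolated device VLAN (zone name assumed)

# /etc/shorewall/interfaces
?FORMAT 2
#ZONE   INTERFACE   OPTIONS
net     eth0        tcpflags,nosmurfs
loc     eth1        tcpflags,nosmurfs
dev     eth1.7      tcpflags,nosmurfs

# /etc/shorewall/policy   (first match wins, so device lines come first)
#SOURCE DEST    POLICY  LOGLEVEL
loc     dev     DROP    info    # LAN hosts may not reach the device by default
dev     all     DROP    info    # the device may not initiate anything
loc     net     ACCEPT
$FW     all     ACCEPT
net     all     DROP    info
all     all     REJECT  info

# /etc/shorewall/rules    (explicit exceptions to the policies above)
#ACTION  SOURCE          DEST            PROTO  DPORT
ACCEPT   loc:10.0.1.50   dev:10.0.7.10   tcp    443   # one admin host, HTTPS only
```

Run `shorewall check` to validate the files before `shorewall restart`; the dropped LAN-to-device attempts then show up in the log at the `info` level, which is the detection signal for hosts probing the device.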
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users