On Thu, Nov 8, 2018 at 5:49 PM Tom Eastep <teas...@shorewall.net> wrote:
>
> > I was also trying to configure a bridge,
>
> There is *nothing* unique about VLAN interfaces, as far as Shorewall is
> concerned. Treat them just as you would non-VLAN ethernet devices.
OK, so I went for a bridge config. It seems to be working as I expect it to. However, there's one case where things don't seem to add up.

The switch the Shorewall firewall is connecting to has:

ports 1-10,13-44   Untagged VLAN 1
ports 45-48        Tagged VLAN 1 + Tagged VLAN 11 + Tagged VLAN 12
port 11            Untagged VLAN 1
port 12            Untagged VLAN 12

When I connect the Shorewall firewall to any one of the ports 45-48, it seems that my Shorewall rules/policy are as I expect them to be. However, if I connect my Shorewall interface to any one of the ports 1-10,13-44, I am expecting to REJECT packets according to my policy here below (last line):

dmz11   lan   ACCEPT   info
dmz11   $FW   ACCEPT   info
dmz1    lan   ACCEPT   info
dmz1    $FW   ACCEPT   info
dmz0    lan   REJECT   info
dmz0    $FW   REJECT   info

Here's the shorewall dump when I try to ping $FW (192.168.215.1) from a host in "dmz0" with IP address 192.168.215.200:

https://drive.google.com/open?id=1ldm7DZvTEgaMqtt7Rt_PydWGd-XcSwWd

The dmz0 host gets ICMP replies from the Firewall. Why? How can I properly reject this traffic?
On the Shorewall system I can see the following:

# tcpdump -n -i enp8s5 host 192.168.215.200
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp8s5, link-type EN10MB (Ethernet), capture size 262144 bytes
11:25:44.376991 IP 192.168.215.200 > 192.168.215.1: ICMP echo request, id 1, seq 7163, length 40
11:25:44.377038 IP 192.168.215.1 > 192.168.215.200: ICMP echo reply, id 1, seq 7163, length 40
11:25:45.394745 IP 192.168.215.200 > 192.168.215.1: ICMP echo request, id 1, seq 7164, length 40
11:25:45.394805 IP 192.168.215.1 > 192.168.215.200: ICMP echo reply, id 1, seq 7164, length 40
11:25:46.410132 IP 192.168.215.200 > 192.168.215.1: ICMP echo request, id 1, seq 7165, length 40
11:25:46.410172 IP 192.168.215.1 > 192.168.215.200: ICMP echo reply, id 1, seq 7165, length 40
^C
6 packets captured
6 packets received by filter
0 packets dropped by kernel

# tcpdump -n -i enp8s5_1 host 192.168.215.200
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp8s5_1, link-type EN10MB (Ethernet), capture size 262144 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel

# tcpdump -n -i enp8s5_11 host 192.168.215.200
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp8s5_11, link-type EN10MB (Ethernet), capture size 262144 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel

Any ideas?

Vieri

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
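The following is an added example, not code from the post above or from Shorewall. It models the one mechanism that differs between the two switch ports described in the message: on ports 45-48 VLAN 1 leaves the switch tagged, so on the firewall it is delivered to the 802.1Q device enp8s5_1, while on ports 1-10,13-44 VLAN 1 leaves untagged, so the same traffic is delivered to the parent enp8s5. The switch port table, the firewall interface names and the policy rows are transcribed from the post; which interface belongs to which zone is NOT stated in the post, so the `ASSUMED_ZONE_OF_INTERFACE` mapping is a placeholder assumption, and the real answer for this system comes from the shorewall dump. A tagged frame whose VID has no VLAN device on the firewall is treated as not reaching the IP stack.

```python
"""Added example (not from the post or from Shorewall): how 802.1Q tagging on
the switch port selects the Linux ingress interface, and which Shorewall policy
row that zone pair then hits."""

from typing import Optional

# Switch port VLAN membership, transcribed from the post.
# "untagged": the VLAN the port strips the tag for (None if every member VLAN
# is sent tagged); "tagged": VLANs the port sends with an 802.1Q tag.
SWITCH_PORTS: dict[int, dict] = {}
for port in (*range(1, 12), *range(13, 45)):
    SWITCH_PORTS[port] = {"untagged": 1, "tagged": frozenset()}
for port in range(45, 49):
    SWITCH_PORTS[port] = {"untagged": None, "tagged": frozenset({1, 11, 12})}
SWITCH_PORTS[12] = {"untagged": 12, "tagged": frozenset()}

# Firewall interfaces as they appear in the tcpdump output: the parent and the
# 802.1Q sub-interfaces named <parent>_<vid>.
FIREWALL_PARENT = "enp8s5"
FIREWALL_VLAN_DEVICES = {1: "enp8s5_1", 11: "enp8s5_11"}

# ASSUMPTION: the post does not say which interface is in which zone; this
# mapping is a placeholder for illustration only.
ASSUMED_ZONE_OF_INTERFACE = {
    "enp8s5": "dmz0",
    "enp8s5_1": "dmz1",
    "enp8s5_11": "dmz11",
}

# Policy rows (SOURCE, DEST, POLICY) transcribed from the post. Shorewall applies
# the first matching row.
POLICY = [
    ("dmz11", "lan", "ACCEPT"),
    ("dmz11", "$FW", "ACCEPT"),
    ("dmz1", "lan", "ACCEPT"),
    ("dmz1", "$FW", "ACCEPT"),
    ("dmz0", "lan", "REJECT"),
    ("dmz0", "$FW", "REJECT"),
]


def egress_tag(port: int, vid: int) -> Optional[int]:
    """Tag the switch puts on a VLAN `vid` frame leaving `port`.
    None means the frame leaves untagged; a non-member VLAN is not forwarded."""
    member = SWITCH_PORTS[port]
    if member["untagged"] == vid:
        return None
    if vid in member["tagged"]:
        return vid
    raise ValueError(f"port {port} is not a member of VLAN {vid}; frame not forwarded")


def ingress_interface(tag: Optional[int]) -> Optional[str]:
    """Linux interface that hands the frame to the IP stack.
    Untagged frames land on the parent; tagged frames land on the VLAN device
    for that VID; a tag with no VLAN device configured is not delivered to IP."""
    if tag is None:
        return FIREWALL_PARENT
    return FIREWALL_VLAN_DEVICES.get(tag)


def policy_for(src_zone: str, dst_zone: str) -> Optional[str]:
    """First-match lookup over the policy rows; None if no row matches."""
    for src, dst, action in POLICY:
        if src == src_zone and dst == dst_zone:
            return action
    return None


def trace(firewall_port: int, vid: int, dst_zone: str = "$FW") -> dict:
    """Follow one frame from VLAN `vid`, out of the switch port the firewall is
    plugged into, to the firewall interface, the (assumed) zone and the policy."""
    tag = egress_tag(firewall_port, vid)
    iface = ingress_interface(tag)
    zone = ASSUMED_ZONE_OF_INTERFACE.get(iface) if iface else None
    return {
        "tag": tag,
        "interface": iface,
        "zone": zone,
        "policy": policy_for(zone, dst_zone) if zone else None,
    }


if __name__ == "__main__":
    # Same VLAN 1 traffic, firewall on a tagged port (46) vs an untagged port (5).
    for p in (46, 5):
        print(p, trace(p, 1))
```

Running it shows VLAN 1 traffic arriving on enp8s5_1 when the firewall hangs off port 46 and on enp8s5 when it hangs off port 5; whatever zone enp8s5 is really in on this system (check the dump) is the zone whose policy row decides the ping.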