On 11/19/18 at 18:13, Tom Eastep wrote:
> On 11/16/18 1:31 PM, Boris wrote:
>> On 11/14/18 at 19:01, Tom Eastep wrote:
>>>
>>> You can assign a zone (call it 'hack') to eth0 then add these policies:
>>>
>>> hack all ACCEPT
>>> all hack REJECT <log level>
>>>
>>
>> Hej Tom,
>>
>> thank you VERY much for this!
>> I will try this in the next few days and report back.
>>
> I have thought a bit more about this, and I think that a better idea is
> to just add an entry in /etc/shorewall/interfaces that associates eth0
> with the same zone as the ppp interface (probably 'net' or 'wan'). You
> don't have to worry about output traffic on eth0 because it has no IP
> address; hence, there can be no routes out of the interface and no IP
> traffic will be sent there.
Hej Tom,

thanks again for spending time and brain on my trouble!

I was just working on the idea with the dedicated inbound zone that you suggested naming 'hack'. I had not yet had much success when your new idea reached me. So I stepped back from plan one and followed the new plan, which is obviously much easier.

I added

net eth0

to /etc/shorewall/interfaces and changed

all all ACCEPT

back to

all all REJECT NFLOG(4)

in /etc/shorewall/policy.

In short: it works!!

Most of the time, the best solutions are simple. This is a perfect proof of that.

I will now spend some time checking the behaviour, because I still find all of this extremely strange. But at this point it's time to give you many thanks!!

I will open a beer and drink to you!

Boris

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
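The two files the thread ends up with, written out as an added example (constructed for this page, not Boris's or Tom's actual configuration). It assumes a Shorewall 5 layout with `?FORMAT 2` interfaces, that the ppp link is `ppp0` and the LAN is `eth1`, and that the `net` and `loc` zones already exist in /etc/shorewall/zones; only the `net eth0` line and the `all all REJECT NFLOG(4)` policy come from the thread, the other entries are placeholders for whatever the real policy table contained.

```text
# /etc/shorewall/interfaces  (constructed example)
?FORMAT 2
#ZONE   INTERFACE   OPTIONS
net     ppp0                    # the PPPoE session; this is where the routes point
net     eth0                    # carrier for ppp0, no IP address: only inbound frames can ever arrive here,
                                # so putting it in the same zone as ppp0 covers them without a new zone
loc     eth1                    # assumed LAN interface

# /etc/shorewall/policy  (constructed example; first match wins, so order matters)
#SOURCE DEST    POLICY  LOG LEVEL
loc     net     ACCEPT
$FW     net     ACCEPT
net     all     DROP    info
#all    all     ACCEPT          # the earlier catch-all from the thread: silently allows anything not matched above
all     all     REJECT  NFLOG(4)  # catch-all restored; unmatched traffic is rejected and logged to nflog group 4
```

Two things worth checking after applying this: `shorewall check` before `shorewall restart`, so a column or ordering error is caught before the ruleset is replaced, and `ip addr show eth0` to confirm the interface really has no address, because Tom's argument that nothing will ever be sent out of eth0 holds only as long as that stays true. Tom's first suggestion (a dedicated `hack` zone with `hack all ACCEPT` and `all hack REJECT <log level>`) would additionally need a zone entry in /etc/shorewall/zones and an `hack eth0` line here instead of `net eth0`.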