Hi again, so, lately I started looking at the less crucial or obvious parts of my shorewall configuration, which was originally based on the three-interface example configuration. I haven't touched my stoppedrules for a while and came to question whether they are still any good for my current setup.
What struck me in particular were the rules that accepted traffic from any source to the local interfaces (which are used for the local zone and dmz zone in the example):

    ACCEPT eth1 -      ->
    ACCEPT - eth1      <-
    ACCEPT eth2 -      ->
    ACCEPT - eth2      <-

In the stopped state of my firewall, I would certainly not want to forward any traffic from my external interface to my local ones. Now, in the case of IPv4, where most people will use masquerading, that won't be an issue because there are no NAT rules. But with IPv6 and global addressing, that would mean any traffic could reach the internal networks if there are valid routes for these addresses.

I actually tested that and hooked up a computer to an interface not listed in the stoppedrules and stopped the firewall. I could reach other clients connected to the local interfaces mentioned in stoppedrules.

Is that behavior really intended? If I'm not completely missing something here, I think there should be a warning about this in the stoppedrules examples for people with a dual-stack configuration.

Best regards,
Timo

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
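As an added example (not part of Timo's post or of the Shorewall project), here is a small lint over a stoppedrules file that flags the pattern described above: ACCEPT lines where one side is an interface and the other side is the "-" wildcard, with no protocol or port restriction. It assumes the usual Shorewall layout of whitespace-separated columns (ACTION SOURCE DEST ...) with "#" comments; the sample file is constructed here and mirrors the rules quoted in the post.

```python
# Added example: lint a Shorewall stoppedrules file for one-sided ACCEPT rules
# (interface on one side, '-' on the other, nothing else restricting them).
# Assumptions: columns are ACTION SOURCE DEST [PROTO DPORT SPORT], '#' starts a
# comment, and '-' is the wildcard. The sample below is constructed, not real.

SAMPLE_STOPPEDRULES = """\
# constructed sample, modelled on the three-interface example
#ACTION  SOURCE  DEST    PROTO  DPORT
ACCEPT   eth1    -
ACCEPT   -       eth1
ACCEPT   eth2    -
ACCEPT   -       eth2
ACCEPT   eth1    eth2
ACCEPT   eth0    -       tcp    22
"""


def parse_stoppedrules(text):
    """Yield (lineno, action, source, dest, extra_cols), skipping comments/blanks."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop trailing/whole-line comments
        if not line:
            continue
        cols = line.split()
        action = cols[0].upper()
        source = cols[1] if len(cols) > 1 else "-"
        dest = cols[2] if len(cols) > 2 else "-"
        extra = [c for c in cols[3:] if c != "-"]  # PROTO/DPORT/SPORT if set
        rules.append((lineno, action, source, dest, extra))
    return rules


def open_sided_accepts(text):
    """Return (lineno, interface, direction) for every ACCEPT that admits all
    traffic arriving on or leaving an interface with no restriction on the
    other side, i.e. the rules the post worries about for IPv6."""
    findings = []
    for lineno, action, source, dest, extra in parse_stoppedrules(text):
        if action != "ACCEPT" or extra:
            continue
        if (source == "-") != (dest == "-"):     # exactly one side is wildcard
            iface = dest if source == "-" else source
            direction = "leaving" if source == "-" else "arriving on"
            findings.append((lineno, iface, direction))
    return findings


if __name__ == "__main__":
    for lineno, iface, direction in open_sided_accepts(SAMPLE_STOPPEDRULES):
        print(f"line {lineno}: ACCEPT for all traffic {direction} {iface}, no peer restriction")
```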