On 02/08/2018 11:33 AM, Bernard Drozd wrote:
>>10.10.10.1 is in the fw ($FW) zone, not the loc zone and your road->fw policy
>>is REJECT. This is abundantly clear just looking at the log:
>
> Thank you.
> So how could I safely 'open' services behind fw (in the fw zone) for
> OpenVPN roadwarriors?
> Will the insertion of this row:
> road $FW ACCEPT
> to the /etc/shorewall/policy be sufficient and safe?
>

It is certainly sufficient and is consistent with your other lax policies.
Ideally, you would use REJECT policies between the firewall and your own
networks, then use rules to allow only what is necessary. But that is more
difficult to set up.

-Tom
--
Tom Eastep        \ Q: What do you get when you cross a mobster with
Shoreline,         \    an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
                      \_______________________________________________
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
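
The stricter setup described in the reply above, shown beside the one-line policy from the question, as an added example that is not part of the original thread. The `info` log level and the services allowed in the rules file (SSH, DNS, and a TCP port 8080 entry) are assumptions chosen for illustration; the thread does not say which firewall services the road warriors need.

```conf
# ---- /etc/shorewall/policy ----
# SOURCE   DEST   POLICY   LOGLEVEL
#
# Lax form from the question: every service on the firewall itself
# becomes reachable from the OpenVPN clients.
#road      $FW    ACCEPT
#
# Stricter form: anything not explicitly allowed in the rules file is
# rejected and logged (log level "info" is an assumption).
road       $FW    REJECT   info

# ---- /etc/shorewall/rules ----
# ACTION        SOURCE   DEST   PROTO   DPORT
?SECTION NEW
# Assumed services; replace with the ones actually needed.
SSH(ACCEPT)     road     $FW
DNS(ACCEPT)     road     $FW
# Constructed placeholder for a service without a Shorewall macro.
ACCEPT          road     $FW    tcp     8080
```

Running `shorewall check` before `shorewall restart` validates the files, and connections that still hit the REJECT policy show up in the log with the road-to-fw chain name, which identifies any service that was missed.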