On 23/02/18 10:01, Tom Eastep wrote:
> On 02/22/2018 05:39 PM, Spyros Stathopoulos wrote:
>> As there is no access control
>> from the device itself I can only limit the connection from shorewall.
>
> The value in defining multiple zones within a LAN is to define different
> rules/policies to/from the LAN. Because intra-LAN traffic within a
> subnet does not pass through the Shorewall system, rules and policies on
> that system are ineffective in controlling intra-LAN traffic. If
> different disjoint subnets are defined, traffic between the subnets does
> go through the Shorewall system, but such a setup is easily bypassed by
> LAN users who have administrative privileges on their systems. The best
> way to accomplish what you want is via firewall rules on 10.0.1.99 itself.
What about putting the device on a separate interface and using Shorewall's bridge firewall feature?
http://shorewall.net/bridge-Shorewall-perl.html

--
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757 Mob. 0424 160 877
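As an added illustration of the bridge-port approach suggested above (not part of the original thread or of the Shorewall documentation), here is a set of Shorewall configuration fragments that put 10.0.1.99 alone on its own bridge port and allow only one management host to reach it. The bridge name br0, the port names eth1/eth2, the management host 10.0.1.50 and the permitted service (tcp/22) are assumptions; a kernel and iptables with bridge netfilter (physdev match) support are also assumed, as the linked page requires.

```conf
# /etc/shorewall/zones  (assumed layout: parent zone "world" on the bridge,
# two sub-zones defined by physical bridge port)
#ZONE       TYPE
fw          firewall
world       ipv4
lan:world   ipv4     # the rest of the LAN, behind port eth1 (assumed)
dev:world   ipv4     # the device 10.0.1.99, alone behind port eth2 (assumed)

# /etc/shorewall/interfaces
#ZONE       INTERFACE   OPTIONS
world       br0         bridge

# /etc/shorewall/hosts  (zone membership follows the bridge port, not the IP
# address, so a LAN user changing their own address does not change zone)
#ZONE       HOST(S)     OPTIONS
lan         br0:eth1
dev         br0:eth2

# /etc/shorewall/policy  (sub-zone policies listed first; everything the
# device may not do is rejected and logged at "info" for later review)
#SOURCE     DEST        POLICY      LOGLEVEL
lan         dev         REJECT      info
dev         all         REJECT      info
lan         world       ACCEPT
fw          all         ACCEPT
all         all         REJECT      info

# /etc/shorewall/rules  (the single exception to the lan->dev REJECT policy)
#ACTION     SOURCE          DEST            PROTO   DPORT
ACCEPT      lan:10.0.1.50   dev:10.0.1.99   tcp     22
```

Because the two ports are distinct physical segments, all lan<->dev traffic now crosses the bridge and is inspected, which addresses the intra-LAN bypass described earlier in the thread; the logged REJECTs also give a record of any other host attempting to reach the device.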