On 23-Feb-18 02:17, Tom Eastep wrote:
> On 02/22/2018 06:08 PM, James Andrewartha wrote:
>> On 23/02/18 10:01, Tom Eastep wrote:
>>> On 02/22/2018 05:39 PM, Spyros Stathopoulos wrote:
>>>> As there is no access control from the device itself I can only limit
>>>> the connection from shorewall.
>>>
>>> The value in defining multiple zones within a LAN is to define different
>>> rules/policies to/from the LAN. Because intra-LAN traffic within a subnet
>>> does not pass through the Shorewall system, rules and policies on that
>>> system are ineffective in controlling intra-LAN traffic. If different
>>> disjoint subnets are defined, traffic between the subnets does go through
>>> the Shorewall system, but such a setup is easily bypassed by LAN users who
>>> have administrative privileges on their systems. The best way to
>>> accomplish what you want is via firewall rules on 10.0.1.99 itself.
>>
>> What about putting the device on a separate interface and using
>> shorewall's bridge firewall feature?
>> http://shorewall.net/bridge-Shorewall-perl.html
>>
>
So would it make sense to put the device in a different subnetwork (say 10.0.7.1/24), create a VLAN (e.g. eth1:0) and a new zone out of eth1:0, and do SNAT into the new subnetwork? I have done that to access my PPP modem on the WAN interface and it works, but it is connected to a physical interface (eth0). Would a similar approach work with VLANs?

Spyros
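Added example, not part of the thread and not Shorewall project code: a Shorewall 5 configuration fragment for the layout Spyros describes, with the device moved into its own subnet and zone behind a VLAN sub-interface. Every name below is an assumption for illustration: the LAN is 10.0.1.0/24 on eth1 in zone loc, the device gets 10.0.7.2 on 802.1Q VLAN 7 (eth1.7, firewall address 10.0.7.1) in a new zone iot, and only one LAN host may reach it. Two caveats a practitioner would want first. eth1:0 is an IP alias, not a VLAN: it puts a second address on the same broadcast domain, so the bypass Tom describes (a LAN user with admin rights simply adds a 10.0.7.x address to their own NIC) still works, and Shorewall 5 does not want aliases in its interfaces file anyway. A tagged VLAN created with ip link add link eth1 name eth1.7 type vlan id 7, with VLAN 7 carried only to the switch port the device sits on, is what makes the separation hold. The SNAT line is only needed if the device lacks a route back to 10.0.1.0/24; if its default gateway is 10.0.7.1 it can be omitted.

```text
# /etc/shorewall/zones
#ZONE   TYPE
fw      firewall
net     ipv4
loc     ipv4
iot     ipv4            # assumed: new zone for the unmanaged device

# /etc/shorewall/interfaces
?FORMAT 2
#ZONE   INTERFACE   OPTIONS
net     eth0        tcpflags,nosmurfs,routefilter
loc     eth1        tcpflags,nosmurfs,routefilter
iot     eth1.7      tcpflags,nosmurfs,routefilter   # 802.1Q sub-interface, not an alias

# /etc/shorewall/policy
#SOURCE DEST    POLICY  LOGLEVEL
loc     net     ACCEPT
iot     all     DROP    info    # device may not initiate anything
net     all     DROP    info
all     all     REJECT  info    # loc->iot is only what the rules file allows

# /etc/shorewall/rules
#ACTION         SOURCE          DEST            PROTO   DPORT
# assumed: one admin host may manage the device over HTTPS
ACCEPT          loc:10.0.1.20   iot:10.0.7.2    tcp     443

# /etc/shorewall/snat
#ACTION         SOURCE          DEST
# only if the device has no route back to 10.0.1.0/24
MASQUERADE      10.0.1.0/24     eth1.7
```

Check with shorewall check before shorewall restart, then confirm the zone mapping with shorewall show zones and the sub-interface with ip -d link show eth1.7 (it should report vlan id 7). The test that matters for Tom's point is from a LAN host: with VLAN 7 not trunked to its switch port, adding a 10.0.7.x address to that host should not reach 10.0.7.2 at all.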