Hi, I'm reaching out because I'm having the following issue.
My configuration:
- a firewall/router, running Shorewall
- the firewall has an interface for the "net" zone
- the "net" interface's IP is the next hop for a network, for some routers in the "net" zone
- the network is configured on the router to be unreachable (not yet configured/available)

I want to filter (firewall), with "rules" and "blrules", accesses attempted to that network. I read the documentation, but I don't find any information for this case. This case exists on IPv4 and IPv6.

As an example:
- the "net" IP for the router/firewall: 2001:db8:1::1/64
- the routed unreachable network: 2001:db8:2::/64
- as an attachment, a shorewall6 configuration sample for the case

To test:
- configure the firewall with the configuration sample, and create the "blacklist6" ipset
- add route 2001:db8:2::/64 via 2001:db8:1::1 on a machine
- ping an address in 2001:db8:2::/64, like 2001:db8:2::1
- the machine receives ICMP destination unreachable
- add the machine's address to the "blacklist6" ipset
- retry the ping
- the machine continues to receive ICMP destination unreachable; the DROP rule is not matched

In "ip6tables -nvL", the "FORWARD" chain contains nothing other than the default policy.

I'm not looking for a workaround. I have some ideas to do this:
- using "inline" in "rules"
- adding iptables rules manually
- configuring routes to be "blackhole" instead of "unreachable"
- …

What is the best way to do this in "shorewall" syntax? I have tried to make a "fake zone" to represent the routes (with the "hosts" file), without success.

Thanks for your help,
Regards,
Attachment: shorewall6.tar.xz (application/xz)
_______________________________________________ Shorewall-users mailing list Shorewall-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/shorewall-users
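The poster's observation (the DROP rule never matches, and FORWARD shows only its policy) is what one would expect from the netfilter traversal order: a packet whose destination hits an `unreachable` route is rejected at the routing decision, after the PREROUTING hooks but before the filter table's FORWARD chain, so a blacklist rule placed in FORWARD can never see it. The first thing to check on such a box is therefore the chain counters. The script below is an added diagnostic, not code from the original mail or from Shorewall: it parses `ip6tables -nvL` output, tallies per-chain packet counts, and reports whether FORWARD saw any traffic at all and how often a given target (DROP here) fired. The `SAMPLE_OUTPUT` is constructed to mirror the situation described above; in practice you would feed it the real output.

```python
"""Diagnose whether traffic ever reached the FORWARD chain.

Added example; not from the original mail or from Shorewall.
SAMPLE_OUTPUT is constructed: a Shorewall-like ip6tables -nvL listing in
which a blacklist DROP rule in FORWARD has never matched.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Built-in chain header: "Chain FORWARD (policy DROP 0 packets, 0 bytes)"
_BUILTIN_RE = re.compile(
    r"^Chain (\S+) \(policy (\S+) (\d+[KMG]?) packets, (\d+[KMG]?) bytes\)$")
# User-defined chain header (Shorewall creates many): "Chain net-fw (1 references)"
_USER_RE = re.compile(r"^Chain (\S+) \((\d+) references\)$")
# Without -x, iptables abbreviates large counters with K/M/G suffixes.
_SUFFIX = {"K": 1000, "M": 1000 ** 2, "G": 1000 ** 3}


def parse_count(token: str) -> int:
    """Turn a counter such as '318' or '28K' into an integer."""
    if token[-1] in _SUFFIX:
        return int(token[:-1]) * _SUFFIX[token[-1]]
    return int(token)


@dataclass
class Rule:
    pkts: int
    byte_count: int
    target: str


@dataclass
class Chain:
    name: str
    policy: Optional[str]          # None for user-defined chains
    policy_pkts: int = 0           # packets that fell through to the policy
    rules: List[Rule] = field(default_factory=list)

    def total_pkts(self) -> int:
        """Packets that traversed this chain: rule hits plus policy hits."""
        return self.policy_pkts + sum(r.pkts for r in self.rules)


def parse_ip6tables(text: str) -> Dict[str, Chain]:
    """Parse the filter-table listing produced by `ip6tables -nvL`."""
    chains: Dict[str, Chain] = {}
    current: Optional[Chain] = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:                       # blank line separates chains
            current = None
            continue
        m = _BUILTIN_RE.match(line)
        if m:
            current = Chain(m.group(1), m.group(2), parse_count(m.group(3)))
            chains[current.name] = current
            continue
        m = _USER_RE.match(line)
        if m:
            current = Chain(m.group(1), None)
            chains[current.name] = current
            continue
        if current is None or line.lstrip().startswith("pkts"):
            continue                       # column header row
        fields = line.split()
        if len(fields) < 3:
            continue
        # Columns: pkts bytes target prot opt in out source destination [match...]
        current.rules.append(
            Rule(parse_count(fields[0]), parse_count(fields[1]), fields[2]))
    return chains


def forward_saw_traffic(text: str) -> bool:
    """True if any packet at all traversed FORWARD (rules or policy)."""
    fwd = parse_ip6tables(text).get("FORWARD")
    return fwd is not None and fwd.total_pkts() > 0


def target_hits(text: str, chain: str, target: str) -> int:
    """Packets matched by rules with the given target in the given chain."""
    ch = parse_ip6tables(text).get(chain)
    if ch is None:
        return 0
    return sum(r.pkts for r in ch.rules if r.target == target)


# Constructed sample: FORWARD holds one blacklist DROP rule that never matched,
# while INPUT and OUTPUT show the firewall itself is passing traffic.
SAMPLE_OUTPUT = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  318   28K net-fw     all      eth0   *       ::/0                 ::/0
    4   256 ACCEPT     all      lo     *       ::/0                 ::/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all      eth0   *       ::/0                 ::/0                 match-set blacklist6 src

Chain OUTPUT (policy ACCEPT 12 packets, 1152 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain net-fw (1 references)
 pkts bytes target     prot opt in     out     source               destination
  318   28K ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 128
"""

if __name__ == "__main__":
    print("FORWARD saw traffic:", forward_saw_traffic(SAMPLE_OUTPUT))
    print("DROP hits in FORWARD:", target_hits(SAMPLE_OUTPUT, "FORWARD", "DROP"))
```

If `forward_saw_traffic` is false while INPUT/OUTPUT counters keep climbing, the blocked destinations are being answered by the routing layer rather than the filter, which is exactly the case described above; the rule has to live in a hook that runs before the routing decision (raw or mangle PREROUTING) to have any effect on that traffic.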