Greetings,

I am facing what I initially thought to be a simple matter; however, it is now troubling me more than it should.

I have set up Shorewall in a pretty much standard Two-Interface configuration [0]. My LAN is 10.0.1.0/24. As per the guide I have defined three zones, net, loc and fw, and as it is, packets flow freely within the LAN.

Now, I have a specific device within my network (for instance 10.0.1.99) to which I would like to restrict access. The idea is to limit access to 10.0.1.99 only from a specific computer within my LAN, ideally identified by MAC address. As there is no access control on the device itself, I can only limit the connection from Shorewall.

Initially I intuitively added a simple "DROP loc loc:10.0.1.99" rule to /etc/shorewall/rules to gauge whether the connection to 10.0.1.99 is actually dropped. Perhaps slightly to my surprise, I found out that this is not working as I thought, and 10.0.1.99 is accessible from all hosts within the LAN.

Then I tried to follow this guide [1] to define a "subzone" (the "specific requirements" bit) including only 10.0.1.99/32. So I added (eth1 is the LAN-facing interface) "dev eth1:10.0.1.99/32 broadcast" to /etc/shorewall/hosts, "dev:loc ipv4" to /etc/shorewall/zones, and "dev loc NONE" / "loc dev NONE" to /etc/shorewall/policy. Then I added the same DROP rule to /etc/shorewall/rules, yet once again 10.0.1.99 remains accessible from all hosts within the LAN. The results were the same when defaulting the dev<->loc policy to DROP.

At this point I'm out of ideas, so I have turned to the mailing list for help. It is indeed entirely possible that my question is trivial and I'm missing something fundamental, so in that case I apologise in advance.

I am using shorewall{,6,-core} v5.1.8 on Alpine Linux (kernel 4.9.65).

[0]: http://shorewall.org/two-interface.htm
[1]: http://shorewall.org/Multiple_Zones.html

Thanks,
Spyros
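For reference, the restriction described above, as an added example that is not from the original post or from the Shorewall project (the MAC address is a placeholder, and the interface options are assumed to match the two-interface guide). Note that hosts on the same 10.0.1.0/24 segment as 10.0.1.99 reach it directly at layer 2 without ever passing through the firewall, so no rule on the router can affect that traffic; only packets actually forwarded through eth1 (from another subnet, or when the firewall bridges the segments) are filtered.

```text
# /etc/shorewall/interfaces
# 'routeback' lets the firewall forward loc->loc traffic back out of eth1;
# without it, traffic arriving on eth1 for another loc host is refused.
?FORMAT 2
#ZONE   INTERFACE   OPTIONS
net     eth0        dhcp,tcpflags,nosmurfs,routefilter,logmartians
loc     eth1        tcpflags,nosmurfs,routefilter,logmartians,routeback

# /etc/shorewall/rules
# Rules are evaluated top to bottom: the ACCEPT for the permitted client
# (matched by MAC, '~' prefix, '-' separators) must precede the catch-all DROP.
# 00-11-22-33-44-55 is a placeholder, not a real address.
#ACTION   SOURCE                    DEST             PROTO
ACCEPT    loc:~00-11-22-33-44-55    loc:10.0.1.99    -
DROP      loc                       loc:10.0.1.99    -
```

Before debugging the rule set, confirm on the firewall with "tcpdump -ni eth1 host 10.0.1.99" that traffic from the other LAN hosts reaches eth1 at all; if it never appears there, the packets are being switched within the LAN and no Shorewall rule will see them.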