On Wed, 11 Dec 2024 15:03:35 +0000 simonseys via Shorewall-users <shorewall-users@lists.sourceforge.net> wrote:

> Hi Tuomo,
>
> > You can change this behaviour by changing vpn-vpn policy in policy
> > file. Default policy in shorewall is ACCEPT for inter-zone traffic.
>
> I assume you are referring to the policy file. If so, mine contains:
>
> $FW net ACCEPT
> net all DROP #$LOG_LEVEL
> vpn all REJECT $LOG_LEVEL
> all all REJECT $LOG_LEVEL
>
> The second last line to drop VPN traffic was added to test if the
> firewall was having any effect. What I found was that with routeback
> and even with that policy to reject VPN traffic it is still allowed.
>
> I am familiar with this configuration, I had it working before on an
> older system that was lost due to a hard drive crash. I also have lots
> of experience with Shorewall. The only difference is this time I am
> using Debian instead of Ubuntu and it seems like routeback is not
> behaving as it did in the past.

There are no changes to that. And you didn't add a vpn vpn policy in this case, because all doesn't match the same zone. You really need "vpn vpn REJECT $LOG_LEVEL" to block traffic between vpn clients. After that, only traffic allowed by your rules is allowed.

-- 
Tuomo Soini <t...@foobar.fi>
Foobar Linux services
+358 40 5240030
Foobar Oy <https://foobar.fi/>
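As an added illustration (not code from the thread or from Shorewall itself), here is a small Python model of the policy lookup Tuomo describes: entries are tried in order, the first match wins, and "all" does not match a zone talking to itself, so intra-zone traffic without an explicit entry stays ACCEPTed. The policy file contents are the ones quoted in the thread; the matching semantics are assumptions drawn from the reply, not Shorewall's own implementation.

```python
# Added example: a simplified model of Shorewall policy lookup, showing why
# "vpn all REJECT" and "all all REJECT" leave vpn->vpn traffic open and why
# an explicit "vpn vpn REJECT" entry is needed.
# Assumptions (from the thread, not Shorewall's code): first matching entry
# wins; "all" does not match traffic from a zone to itself; intra-zone traffic
# with no matching entry is ACCEPTed.

# Policy file as quoted in the thread (constructed here as a string)
ORIGINAL_POLICY = """
$FW net ACCEPT
net all DROP #$LOG_LEVEL
vpn all REJECT $LOG_LEVEL
all all REJECT $LOG_LEVEL
"""

# Same file with the entry Tuomo recommends, placed before the "all" entries
FIXED_POLICY = """
$FW net ACCEPT
net all DROP #$LOG_LEVEL
vpn vpn REJECT $LOG_LEVEL
vpn all REJECT $LOG_LEVEL
all all REJECT $LOG_LEVEL
"""


def parse_policy(text):
    """Return (source, dest, action) triples, skipping blanks and comments."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        src, dst, action = line.split()[:3]     # ignore LOG_LEVEL and beyond
        entries.append((src, dst, action))
    return entries


def _zone_matches(pattern, zone, intra_zone):
    # "all" is a wildcard only for traffic between different zones
    if pattern == "all":
        return not intra_zone
    return pattern == zone


def lookup(policy_text, src, dst):
    """First matching entry decides; unmatched intra-zone traffic is ACCEPTed."""
    intra = src == dst
    for p_src, p_dst, action in parse_policy(policy_text):
        if _zone_matches(p_src, src, intra) and _zone_matches(p_dst, dst, intra):
            return action
    return "ACCEPT" if intra else None   # None: no policy found for this pair
```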
> Hi Tuomo, > > > You can change this behaviour by changing vpn-vpn policy in policy > > file. Default policy in shorewall is ACCEPT for inter-zone traffic. > > > > I assume you are referring to the policy file. If so, mine contains: > > $FW net ACCEPT > net all DROP #$LOG_LEVEL > vpn all REJECT $LOG_LEVEL > all all REJECT $LOG_LEVEL > > The second last line to drop VPN traffic was added to test if the > firewall was having any affect. What I found was that with routeback > and even with that policy to reject VPN traffic it is still allowed. > > I am familiar with this configuration, I had it working before on an > older system that that was lost due to a hard rive crash. I also ots > of experience with Shorewall. The only difference is this time I am > using Debian instead of Ubuntu and it seems like routeback is not > behaving as it did in the past. There is no changes to that. And you didn't add vpn vpn policy in this case because all doesn't match same zone. You really need "vpn vpn REJECT $LOG_LEVEL" to block traffic between vpn clients. After that only traffic allowed by your rules are allowed. -- Tuomo Soini <t...@foobar.fi> Foobar Linux services +358 40 5240030 Foobar Oy <https://foobar.fi/> _______________________________________________ Shorewall-users mailing list Shorewall-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/shorewall-users