Could you not add each "spoke" as its own zone (using /etc/shorewall/hosts)?
Then firewall away....
- Bob
On 12/12/2024 4:56:59 PM, Justin Pryzby wrote:

openvpn's document for client-to-client says:

"When this option is used, each client will "see" the other clients which are currently connected. Otherwise, each client will only see the server. Don't use this option if you want to firewall tunnel traffic using custom, per-client rules."

You seem to be thinking that "routeback" will cause shorewall to enforce policies on the vpn interface (which the openvpn docs indicate won't work). But what routeback actually does is to (conditionally) *allow* something that's not allowed by default.

On Thu, Nov 28, 2024 at 06:47:47AM +0000, simonseys via Shorewall-users wrote:

Hi. I am using Shorewall 5.2.8 on Debian Bookworm. I'm building a system to act as a VPN server in a hub and spoke topology where the clients connect to the server and Shorewall is used to selectively allow traffic between clients. Therefore I am using routeback for my vpn tun interface. At first glance it seems to work and the clients can ping each other. But I found that Shorewall rules have no impact on traffic when routeback is added. I tested this by adding a rule to reject traffic from a specific system to another specific system. But it cannot reject/drop the traffic. Without routeback I of course get sfilter drop messages in the logs. So basically routeback is behaving like client-to-client would, allowing inter-client communication unfettered by Shorewall. Why is routeback not having the desired effect of allowing me to firewall traffic that is arriving and leaving on my vpn zone interface?
-- Robert K Coffman Jr. Info From Data Corp. 3307249000 supp...@infofromdata.com
_______________________________________________ Shorewall-users mailing list Shorewall-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/shorewall-users
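The per-spoke zone layout Bob suggests, written out as an added example (it is not configuration from this thread or from the Shorewall project). It assumes the OpenVPN server runs with client-to-client turned off, as Justin's quoted documentation requires, so that spoke-to-spoke packets are routed through the hub's kernel and reach netfilter; that the tunnel interface is tun0 on 10.8.0.0/24; that each spoke has a fixed address (10.8.0.10 and 10.8.0.20 here, which you would pin with OpenVPN's client-config-dir and ifconfig-push); and that the zone names vpna and vpnb are free. routeback goes on the tun0 entry in interfaces, because without it Shorewall's sfilter drops anything that would leave on the interface it arrived on; with it, the packets are merely allowed to reach the policy and rules, where the per-zone entries below decide.

```conf
# /etc/shorewall/zones : one zone per spoke, plus the firewall itself
#ZONE     TYPE
fw        firewall
vpna      ipv4
vpnb      ipv4

# /etc/shorewall/interfaces : tun0 belongs to no single zone ("-"), the
# zones are assigned per host in the hosts file below. routeback permits
# traffic that arrived on tun0 to be forwarded back out tun0, so that the
# spoke-to-spoke packets are evaluated by policy/rules instead of being
# dropped by sfilter.
?FORMAT 2
#ZONE     INTERFACE   OPTIONS
-         tun0        routeback

# /etc/shorewall/hosts : map each spoke's fixed VPN address to its zone
# (addresses are assumed for this example; they must be stable, e.g. via
# OpenVPN client-config-dir + ifconfig-push, or the mapping is meaningless)
#ZONE     HOST(S)              OPTIONS
vpna      tun0:10.8.0.10
vpnb      tun0:10.8.0.20

# /etc/shorewall/policy : spokes cannot talk to each other by default, and
# every dropped attempt is logged so a misrouted spoke shows up in the log
#SOURCE   DEST      POLICY    LOGLEVEL
fw        all       ACCEPT
vpna      vpnb      DROP      info
vpnb      vpna      DROP      info
all       all       REJECT    info

# /etc/shorewall/rules : the one inter-spoke flow that is allowed, SSH from
# spoke A to spoke B; everything else between them falls to the DROP policy
#ACTION   SOURCE    DEST      PROTO   DPORT
ACCEPT    vpna      vpnb      tcp     22
```

After editing, run `shorewall check` before `shorewall reload`, then `shorewall show zones` to confirm tun0:10.8.0.10 and tun0:10.8.0.20 are listed under vpna and vpnb. A spoke whose address is not in hosts belongs to no zone and is not matched by these rules, so every spoke needs an entry; and if OpenVPN's client-to-client is left on, none of this is consulted because the traffic never enters netfilter.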