Okay, that's great news.
I have been using default-drop on net->vpn and vpn->net in the policy file, and have the following rules dynamically commented in/out in the rules file:
# mark johnson - client1
ACCEPT net vpn:84.234.16.143 all
ACCEPT vpn:84.234.16.143 net all
#/
...which allowed me (when I was using NAT - the vpn:address was their
internal IP) to turn on and off their access at will.
If I add the proposed smtp DROP rules before these dynamically generated rules, it'll still block smtp correctly? The rules up at the top of the rules file are added to the beginning of the chain, I presume?
I'm running a default-accept policy for activated users, and just want to filter out any 'nasties' that may cause trouble.
Thanks,
Jan
On 08/04/06, Tom Eastep <teastep@shorewall.net> wrote:
>
> On Friday 07 April 2006 15:46, Jan Mulders wrote:
> > Hello,
> >
> > I'm running a medium size network, and need to filter certain protocols
> > (SMTP, in particular) between the Internet (eth0) and the clients (tun0) on
> > my network.
> >
> > Is this possible with ProxyARP? Do I simply put in an entry into rules
> > stating:
> >
> > #ACTION SOURCE DEST PROTO DEST    SOURCE  ORIGINAL RATE  USER/
> > #                    PORT    PORT(S) DEST     LIMIT GROUP
> > # drop smtp connections - prevents spamming
> > DROP net vpn tcp smtp
> > DROP vpn net tcp smtp
> >
> > Will this work?
>
> Sure. Proxy ARP just tricks layer 2 into sending packets to the firewall so
> that the firewall can route them on according to its routing table(s) and
> rules. From the point of view of the packet filter, it's all just forwarded
> traffic.
>
> That having been said, I would have thought that the net->vpn policy would
> have been DROP or REJECT already so your first proposed DROP rule looks
> redundant.
>
> -Tom
> --
> Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
> Shoreline, \ http://shorewall.net
> Washington USA \ teastep@shorewall.net
> PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
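Jan's question above is about rule order. As an added illustration that is not part of this thread or of Shorewall's own code, the script below is a small first-match simulator for a Shorewall-style rules file: rules are tried in file order, and a connection that matches none falls through to the policy, taken here as the default DROP Jan describes for net->vpn and vpn->net. The client address is the one from Jan's rules; the other addresses, the rule sets and the `decide`/`match_endpoint` helpers are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread, not Shorewall code): first-match
# simulator for a rules file with columns ACTION SOURCE DEST PROTO PORT.
# No matching rule falls through to the policy, assumed DROP as Jan states.

# Constructed rules file: smtp DROPs first, then the per-client ACCEPTs.
RULES_GOOD='DROP net vpn tcp smtp
DROP vpn net tcp smtp
# mark johnson - client1
ACCEPT net vpn:84.234.16.143 all
ACCEPT vpn:84.234.16.143 net all'

# Same rules with the per-client ACCEPTs placed above the smtp DROPs.
RULES_BAD='ACCEPT net vpn:84.234.16.143 all
ACCEPT vpn:84.234.16.143 net all
DROP net vpn tcp smtp
DROP vpn net tcp smtp'

# match_endpoint SPEC ZONE IP: SPEC is "zone" or "zone:address"
match_endpoint() {
  [ "${1%%:*}" = "$2" ] || return 1
  case $1 in
    *:*) [ "${1#*:}" = "$3" ] ;;
    *)   return 0 ;;
  esac
}

# decide RULES SRC_ZONE SRC_IP DST_ZONE DST_IP PROTO PORT
# Prints the ACTION of the first matching rule, else the policy (DROP).
decide() {
  rules=$1 sz=$2 sip=$3 dz=$4 dip=$5 proto=$6 port=$7
  while read -r action src dst rproto rport; do
    case $action in ''|\#*) continue ;; esac      # blank or comment line
    match_endpoint "$src" "$sz" "$sip" || continue
    match_endpoint "$dst" "$dz" "$dip" || continue
    if [ "$rproto" != all ]; then
      [ "$rproto" = "$proto" ] || continue
      [ -z "$rport" ] || [ "$rport" = "$port" ] || continue
    fi
    echo "$action"; return 0
  done <<EOF
$rules
EOF
  echo DROP
}

# Same smtp connection from a constructed Internet host; only rule order differs.
echo "DROP rules first:   $(decide "$RULES_GOOD" net 203.0.113.5 vpn 84.234.16.143 tcp smtp)"  # DROP
echo "ACCEPT rules first: $(decide "$RULES_BAD" net 203.0.113.5 vpn 84.234.16.143 tcp smtp)"   # ACCEPT
```

With the smtp DROP rules above the per-client rules the connection is dropped, while with the order reversed `ACCEPT net vpn:84.234.16.143 all` matches first and smtp gets through.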