| author | Micah <micah@leap.se> | 2016-08-04 14:57:03 -0400 | 
|---|---|---|
| committer | Micah <micah@leap.se> | 2016-08-08 11:08:46 -0400 | 
| commit | 9c2025cd0dbd8b8e19a838c3be2669a288f8a6b9 (patch) | |
| tree | ac287e5866ef0a31ad39826b27221cda947b49ee | |
| parent | 5d6a4c389b93486ab1aa0012284b5bdcfbbc8a20 (diff) | |
Disallow intra-client connectivity (#8272).
If you connect to the VPN with a client, you can make direct network
connections to the other connected clients.
This allows communication to the eip gateways, but disallows any other
eip-to-eip (client-to-client) connections.
Change-Id: I73e5bb5715e4d91256cbf95eda8c0ec70aa75f93
| -rw-r--r-- | puppet/modules/site_shorewall/manifests/eip.pp | 7 | 
1 files changed, 3 insertions, 4 deletions
| diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp
index b31f5c6f..9da0ae3a 100644
--- a/puppet/modules/site_shorewall/manifests/eip.pp
+++ b/puppet/modules/site_shorewall/manifests/eip.pp
@@ -105,20 +105,19 @@ class site_shorewall::eip {
       source          => 'eip',
       destination     => 'eip:10.43.0.1',
       proto           => 'all',
-      order           => 302;
+      order           => 304;
     'accept_all_eip_to_eip_gateway_tcp_limited':
       action          => 'ACCEPT',
       source          => 'eip',
       destination     => 'eip:10.44.0.1',
-      proto           => 'all',
-      order           => 303;
+      order           => 305;
     'reject_all_other_eip_to_eip':
       action          => 'REJECT',
       source          => 'eip',
       destination     => 'eip',
-      order           => 304;
+      order           => 306;
   }
   # create dnat rule for each port |
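Review bot: The new `reject_all_other_eip_to_eip` rule only isolates clients whose packets are forwarded through the host's netfilter, so it is bypassed if the OpenVPN server for the eip zone runs with `client-to-client` — in that mode OpenVPN switches packets between connected clients internally and they never reach shorewall; confirm that option is absent from the gateway config, which is not part of this hunk. Dropping `proto => 'all'` from `accept_all_eip_to_eip_gateway_tcp_limited` leaves the matched protocol to the shorewall::rule default, so if the rule is meant to match only TCP (as its title suggests) state that with `proto => 'tcp',`, and if it is meant to match everything keep `proto => 'all',` for parity with the 10.43.0.1 rule above it. The renumbering to 304–306 implies rules now occupy 302–303 outside this hunk; any ACCEPT there with an `eip`-wide destination would be evaluated ahead of the REJECT and re-open the client-to-client path, so those rules should be checked together with this one. A REJECT answers the probing client with an ICMP/TCP reset, which confirms a peer exists; `action => 'DROP'` would be the quieter choice if hiding connected peers from each other is part of the goal. The enclosing shorewall::rule declaration begins before this hunk.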
