authorMicah <micah@leap.se>2016-08-04 14:57:03 -0400
committerMicah <micah@leap.se>2016-08-25 15:50:39 -0400
commitabd56fccf75cd4132b62cb53d90b07529b4f4290 (patch)
tree57627544d9cf76315e392ebe8e0254cb0d14a32c
parent6e7c970afb44aab6c8a293e088bac5d205660e74 (diff)
Disallow intra-client connectivity (#8272).
If you connect to the VPN with a client, you can make direct network connections to the other connected clients. This change allows communication to the eip gateways, but disallows any other connections. Change-Id: I73e5bb5715e4d91256cbf95eda8c0ec70aa75f93
-rw-r--r--puppet/modules/site_shorewall/manifests/eip.pp7
1 files changed, 3 insertions, 4 deletions
diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp
index d608d08c..2ab000a7 100644
--- a/puppet/modules/site_shorewall/manifests/eip.pp
+++ b/puppet/modules/site_shorewall/manifests/eip.pp
@@ -104,20 +104,19 @@ class site_shorewall::eip {
source => 'eip',
destination => 'eip:10.43.0.1',
proto => 'all',
- order => 302;
+ order => 304;
'accept_all_eip_to_eip_gateway_tcp_limited':
action => 'ACCEPT',
source => 'eip',
destination => 'eip:10.44.0.1',
- proto => 'all',
- order => 303;
+ order => 305;
'reject_all_other_eip_to_eip':
action => 'REJECT',
source => 'eip',
destination => 'eip',
- order => 304;
+ order => 306;
}
# create dnat rule for each port