author | Micah <micah@leap.se> | 2016-08-04 14:57:03 -0400 |
committer | Micah <micah@leap.se> | 2016-08-25 15:50:02 -0400 |
commit | 6e7c970afb44aab6c8a293e088bac5d205660e74 (patch) | |
tree | b40ecc8cc6b90121895d628abeb20b85a7394073 /puppet/modules/site_shorewall | |
parent | dbeaa91f10441bb44d328f5abe255f5b93c6ef63 (diff) |
Disallow intra-client connectivity (#8272).
If you connect to the VPN with a client, you can make direct network
connections to the other connected clients.
This allows communication to the eip gateways, but disallows any other
connections.
Change-Id: I73e5bb5715e4d91256cbf95eda8c0ec70aa75f93
Diffstat (limited to 'puppet/modules/site_shorewall')
-rw-r--r-- | puppet/modules/site_shorewall/manifests/eip.pp | 34 |
1 files changed, 34 insertions, 0 deletions
diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp
index 8fbba658..d608d08c 100644
--- a/puppet/modules/site_shorewall/manifests/eip.pp
+++ b/puppet/modules/site_shorewall/manifests/eip.pp
@@ -84,6 +84,40 @@ class site_shorewall::eip {
 proto => 'tcp',
 destinationport => 'domain',
 order => 301;
+
+ 'accept_all_eip_to_eip_gateway_udp_unlimited':
+ action => 'ACCEPT',
+ source => 'eip',
+ destination => 'eip:10.41.0.1',
+ proto => 'all',
+ order => 302;
+
+ 'accept_all_eip_to_eip_gateway_tcp_unlimited':
+ action => 'ACCEPT',
+ source => 'eip',
+ destination => 'eip:10.42.0.1',
+ proto => 'all',
+ order => 303;
+
+ 'accept_all_eip_to_eip_gateway_udp_limited':
+ action => 'ACCEPT',
+ source => 'eip',
+ destination => 'eip:10.43.0.1',
+ proto => 'all',
+ order => 302;
+
+ 'accept_all_eip_to_eip_gateway_tcp_limited':
+ action => 'ACCEPT',
+ source => 'eip',
+ destination => 'eip:10.44.0.1',
+ proto => 'all',
+ order => 303;
+
+ 'reject_all_other_eip_to_eip':
+ action => 'REJECT',
+ source => 'eip',
+ destination => 'eip',
+ order => 304;
 }
 # create dnat rule for each port |
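Review bot: The `reject_all_other_eip_to_eip` rule added at the end of the hunk only sees packets that traverse the gateway's kernel forwarding path; if the OpenVPN instances are configured with `client-to-client`, peer traffic is switched inside the openvpn process and never reaches shorewall, so the isolation this commit promises silently depends on that option being absent from the openvpn configuration, which is not visible here and deserves a comment such as `# relies on openvpn running without client-to-client; with it set, peer traffic bypasses these rules`. The four gateway addresses 10.41.0.1–10.44.0.1 are hard-coded while the rule names bind them to the udp/tcp limited/unlimited instances; if those addresses are already declared elsewhere in the module or in hiera, referencing that data keeps the firewall and the openvpn definitions from drifting apart. The two `_udp_` rules share order 302 and the two `_tcp_` rules share order 303, which is harmless for fragment ordering but obscures the intended sequence compared with 302–305. The enclosing shorewall rule resource collection begins before this hunk.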