From abd56fccf75cd4132b62cb53d90b07529b4f4290 Mon Sep 17 00:00:00 2001
From: Micah
Date: Thu, 4 Aug 2016 14:57:03 -0400
Subject: Disallow intra-client connectivity (#8272).
If you connect to the VPN with a client, you can make direct network connections to the other connected clients. This allows communication to the eip gateways, but disallows any other connections.
Change-Id: I73e5bb5715e4d91256cbf95eda8c0ec70aa75f93
---
puppet/modules/site_shorewall/manifests/eip.pp | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp
index d608d08c..2ab000a7 100644
--- a/puppet/modules/site_shorewall/manifests/eip.pp
+++ b/puppet/modules/site_shorewall/manifests/eip.pp
@@ -104,20 +104,19 @@ class site_shorewall::eip {
 source => 'eip',
 destination => 'eip:10.43.0.1',
 proto => 'all',
- order => 302;
+ order => 304;
 'accept_all_eip_to_eip_gateway_tcp_limited':
 action => 'ACCEPT',
 source => 'eip',
 destination => 'eip:10.44.0.1',
- proto => 'all',
- order => 303;
+ order => 305;
 'reject_all_other_eip_to_eip':
 action => 'REJECT',
 source => 'eip',
 destination => 'eip',
- order => 304;
+ order => 306;
 }
 # create dnat rule for each port
-- cgit v1.2.3
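Review bot: Dropping `proto => 'all'` from `accept_all_eip_to_eip_gateway_tcp_limited` leaves that rule on whatever default the enclosing rule define applies, while the sibling accept for 10.43.0.1 still states `proto => 'all'` explicitly; the two accept rules should agree, and if the `_tcp_limited` name is accurate, `proto => 'tcp'` would make the intended restriction visible rather than implied. The renumbering to 304/305/306 keeps both accepts ahead of the catch-all REJECT for eip-to-eip, but the rules that now occupy 302 and 303 are not in this hunk, so it cannot be confirmed here that every rule meant to precede the REJECT actually does. A comment stating the ordering contract would protect future edits, e.g. `# eip clients may only reach the gateways (10.43.0.1, 10.44.0.1); the trailing REJECT must keep the highest order so it is evaluated last`. The enclosing class site_shorewall::eip begins and ends outside the hunk.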