diff --git a/shorewall/etc/interfaces b/shorewall/etc/interfaces
index b9994bf..c491b56 100644
--- a/shorewall/etc/interfaces
+++ b/shorewall/etc/interfaces
@@ -11,5 +11,5 @@
###############################################################################
#ZONE INTERFACE OPTIONS
- lo ignore
-dock docker0
-net all dhcp,physical=+,routeback
+dock docker0 bridge
+net all dhcp,physical=+
diff --git a/shorewall/etc/masq b/shorewall/etc/masq
index dc73582..aaafc88 100644
--- a/shorewall/etc/masq
+++ b/shorewall/etc/masq
@@ -9,5 +9,4 @@
################################################################################################################
#INTERFACE:DEST SOURCE ADDRESS PROTO PORT(S) IPSEC MARK USER/ SWITCH ORIGINAL
# GROUP DEST
-#eth0 172.17.0.0/16
-#wlan0 172.17.42.1/24
+#net 172.17.0.0/16
diff --git a/shorewall/etc/policy b/shorewall/etc/policy
index 861cb97..9d08354 100644
--- a/shorewall/etc/policy
+++ b/shorewall/etc/policy
@@ -7,11 +7,13 @@
# http://www.shorewall.net/manpages/shorewall-policy.html
#
###############################################################################
-#SOURCE DEST POLICY LOG LIMIT: CONNLIMIT:
+#SOURCE DEST POLICY LOG LIMIT: CONNLIMIT:
# LEVEL BURST MASK
-dock all ACCEPT
-# on a server you would obviously want to accept
+dock net ACCEPT
+dock fw ACCEPT
+
net dock DROP
net all DROP
+
fw net ACCEPT
fw dock ACCEPT
diff --git a/shorewall/etc/rules b/shorewall/etc/rules
index e304808..9b7ca12 100644
--- a/shorewall/etc/rules
+++ b/shorewall/etc/rules
@@ -16,7 +16,8 @@
?SECTION UNTRACKED
?SECTION NEW
Invalid(DROP) net $FW tcp
-# on a server you would obiously want to accept here
-SSH(DROP) net $FW
+Invalid(DROP) net dock tcp
+Invalid(DROP) net dock udp
+#SSH(ACCEPT) net $FW # on a server you would obviously want to accept here
-Ping(DROP) net $FW
+#Ping(ACCEPT) net $FW
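Review bot: `net all dhcp,physical=+` on the new side is a catch-all: every interface not matched by an earlier entry, not just the uplink, lands in the net zone, and the policy file in this same commit applies `net dock DROP` and `net all DROP` to that zone. That presumably includes any extra bridge Docker creates for user-defined networks (br-… names) and VPN tun/tap devices, which would then be treated as untrusted internet rather than as containers or trusted links. If that is intended, document it on the line; otherwise list those interfaces explicitly above the wildcard so they get the right zone. Suggested comment for the new entry: `# physical=+ is a catch-all: any interface not listed above (e.g. Docker user-defined br-* bridges, VPN tun*) falls into the net zone and gets the net->all DROP policy`. Dropping `routeback` here looks fine if `bridge` on docker0 covers intra-bridge traffic, which is worth confirming against shorewall-interfaces(5).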
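Review bot: The first column of the new `#net 172.17.0.0/16` example is INTERFACE (per the header line kept in this hunk), but `net` is a zone name — the logical interface carrying that zone is `all` in the interfaces file — so the example would not work as written if someone uncomments it. With this commit the masq file has no active entries, so egress NAT for containers presumably relies on Docker's own MASQUERADE rules, which Shorewall may clear at start unless it is configured to preserve them (a Docker-support setting in shorewall.conf, not visible here) — worth confirming on a host that actually needs container egress. Replace the dead example with a comment stating the intent, e.g. `# intentionally empty: 172.17.0.0/16 egress NAT is left to Docker's own iptables rules (requires Shorewall's Docker support to be enabled in shorewall.conf)`.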
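Review bot: `dock fw ACCEPT` grants every container unrestricted access to the host itself — anything listening on 0.0.0.0 or on the docker0 address (SSH, databases, a TCP-exposed Docker API, metrics endpoints) — so a single compromised container gets a direct path to the host. Containers rarely need more than DNS from the host, so the safer default is to deny here and carve out what is needed in the rules file: change the line to `dock fw DROP info` and add e.g. `DNS(ACCEPT) dock $FW` in rules if the host runs a resolver. Note also that there is no `dock dock` policy, so container-to-container traffic crossing docker0 falls to whatever catch-all policy follows this hunk (not visible here); if that is a REJECT or DROP, the `bridge` option added on docker0 in this commit will not by itself allow it.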
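Review bot: The two new `Invalid(DROP) net dock tcp` / `udp` lines are no-ops as far as filtering goes: the policy file in this same commit already applies `net dock DROP`, which drops every net→dock packet regardless of conntrack state, and with no log level they add no visibility either. Either remove them or, if the aim is to see invalid packets in the log, give them a level — `Invalid(DROP):info net dock tcp` — and consider placing state-based matches under `?SECTION INVALID` (presumably present earlier in the file) rather than `?SECTION NEW`. The commented-out `#SSH(ACCEPT)`/`#Ping(ACCEPT)` examples now let SSH and ping from net fall through to `net all DROP`, which is the same effective outcome as the removed explicit DROPs, but a short comment saying that is deliberate (`# SSH/ping from net are dropped by the net->all policy; uncomment to allow`) would save the next reader checking.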