Ok, mine is actually even edgier than that; no transit at all, to
paraphrase Steely Dan.

But does anyone have a pointer to a good set of ports to block in each
direction through my Shorewall DNAT setup, preferably annotated?

On reflection, that's actually only outbound; the necessity to set up
inbound DNAT manually makes it a default-deny environment, which is one
of the reasons that some people like NAT as a component of an edge
firewall.

Cheers,
-- jra
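[Editor's note: the fragment below is an added example, not part of jra's post or of Shorewall's shipped configs. It shows the two halves of the setup described above, a default-deny outbound policy with an annotated allow list, and the inbound side that DNAT already makes default-deny. The zone names "loc" and "net", the host 192.168.1.10 and the port choices are assumptions.]

```conf
# /etc/shorewall/policy  (added example; "loc" = LAN, "net" = Internet,
# "$FW" = the firewall box itself are the stock zone names, assumed here)
#
# Policies match top-down. Both directions end in deny, so only what
# /etc/shorewall/rules names explicitly ever passes.
#SOURCE   DEST   POLICY   LOG_LEVEL
$FW       net    ACCEPT
loc       net    REJECT   info      # outbound default-deny (the question above)
net       all    DROP     info      # inbound default-deny (what DNAT already gives)
all       all    REJECT   info

# /etc/shorewall/rules
#
# Outbound: an allow list beats a "ports to block" list, because the
# policy above already rejects everything not named here. The macros
# expand to the well-known ports (DNS: 53 udp/tcp, NTP: 123/udp,
# Web: 80 and 443).
#ACTION        SOURCE   DEST                 PROTO   DPORT
DNS(ACCEPT)    loc      net
NTP(ACCEPT)    loc      net
Web(ACCEPT)    loc      net
ACCEPT         loc      net                  tcp     587   # mail submission only
# Explicit REJECT lines are still useful for ports you want logged by
# name rather than lumped into the policy's catch-all log entry: direct
# SMTP from the LAN (misconfigured clients, spam egress) and SMB/NetBIOS
# leaving the site.
REJECT:info    loc      net                  tcp     25
REJECT:info    loc      net                  tcp     135,139,445
REJECT:info    loc      net                  udp     137,138

# Inbound: nothing reaches the LAN unless a DNAT line forwards it, which
# is why this side was already default-deny. 192.168.1.10 is an assumed
# internal host; only the one forwarded port is reachable from outside.
DNAT           net      loc:192.168.1.10     tcp     443
```

Each rejected outbound connection shows up in syslog with the Shorewall chain name, which is the annotated block list in practice: the log tells you which LAN host tried which port.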