not sure of shorewall setup

[nordic bro]

I think my basic network setup is pretty straightforward but aren't sure I have shorewall set up properly. it may be but I'm not sure (spent a couple weeks poring over shorewall docs/examples, searching gentoo forums, etc.).

it's a desktop machine with a single nic device plugged into my own router which is connected to fios. my computer can use internet just fine.

I have two vpns, one not regularly used, the main one starts at bootup via openvpn. afaik all my internet traffic passes through the latter (which I want) but aren't 100% sure.

my concerns:

#1 for some reason I do not know, I had to add a shorewall rule for eth0 to allow my desktop to access router admin account at 192.168.1.1 (via web browser). otherwise I get 'not reachable' or something like that in web browser.

and because eth0 is connected to the router which in turn is hooked to internet, I'm wondering if ANY outgoing/incoming internet traffic could now bypass the vpn and go directly through router/eth0?

#2 or even if everything does go in/out through main vpn I'm not sure I've properly set up shorewall to protect from malicious outside connections coming in via the vpn or router/eth0.

#3 or maybe eth0 should be my only shorewall interface and making the vpn tun(0) was a mistake? I changed 'net eth0' to 'net tun0' because (a) tun0 is my 'real' internet connection afaik and (b) ~all the basic shorewall docs use examples with at least two interfaces but I only had one (eth0); then thought since internet is supposed to go through tun0 perhaps that's my second shorewall interface?

thanks!

/etc/conf.d/net:

[digifuzzy]

I have a different setup (two NICs -> one LAN; other WAN) but one thing jumps out at me from my setup and may be of use for you is the need for SNAT.

From my configuration...

[digifuzzy]

FYI, there is also the /etc/shorewall/tunnels file.

[NeddySeagoon]

nordic bro,

Lets look at what you actually have at the end of all this.