Hugues Belanger wrote:
> Hi, I don't understand why I'm getting so much flak about posting on this
> list. The fact that I use Bering as a distro does matter; I could have
> done the same with Gentoo or RedHat. The problem I'm having is with
> Shorewall configuration, not Bering.

Hugues -- you are asking for free support for free products. Is it too much to ask of you in return that you follow the procedure that we have established for supporting Shorewall under Leaf?

> Anyhow, here's my routing table.
>
> 1.1.1.1 is the external interface
>
> Routing Table
> -------------
> 192.168.96.0/24 dev br0 proto kernel scope link src 192.168.96.100
> 1.1.1.0/24 dev eth0 proto kernel scope link src 1.1.1.1
> default via 1.1.1.2 dev eth0
>
> Interface configuration
> -----------------------
> 1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
> 2: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop
>     link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
> 3: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
>     link/ether 00:01:03:2b:bf:f4 brd ff:ff:ff:ff:ff:ff
>     inet 1.1.1.1/24 brd 1.1.1.255 scope global eth0
> 4: eth1: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast qlen 100
>     link/ether 00:01:03:2b:c7:44 brd ff:ff:ff:ff:ff:ff
> 5: tap0: <BROADCAST,NOARP,PROMISC,UP> mtu 1450 qdisc noqueue
>     link/ether fe:fd:00:00:00:00 brd ff:ff:ff:ff:ff:ff
> 6: br0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue
>     link/ether 00:01:03:2b:c7:44 brd ff:ff:ff:ff:ff:ff
>     inet 192.168.96.100/24 brd 192.168.96.100 scope global br0
>
> Bridge configuration after VTUN is established
> ---------------------------------------------
> brctl show
> bridge name     bridge id               STP enabled     interfaces
> br0             8000.0001032bc744       yes             eth1
>                                                         tap0

Here is my guess, and I must stress that it is only a guess:
a) I would define the local zone to be associated with eth1 and tap0 and I would have a loc->loc ACCEPT policy.
b) I would associate the 'net' zone with eth0.
c) I would define an OpenVPN tunnel in /etc/shorewall/tunnels.
openvpn net <IP of other tunnel endpoint>
The default for OpenVPN is to use UDP port 5000 for both ends, so it sounds like it's compatible with what you have.
d) The remainder of your rules can be adjusted to suit your needs.
Let _us_ know how that works...
-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://www.shorewall.net
Washington USA \ [EMAIL PROTECTED]
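The four points above, written out as the corresponding Shorewall configuration files. This is an added example, not something from the original thread or from the Shorewall project; it follows Tom's guess (loc = eth1 + tap0, net = eth0, an openvpn tunnel entry) using the classic whitespace-separated file formats, and the remote endpoint address 203.0.113.10 and the masq entry are placeholders/assumptions, since the post does not say whether the LAN is NATed behind 1.1.1.1.

```text
# /etc/shorewall/zones        (ZONE   DISPLAY   COMMENTS)
net     Net     Internet on eth0
loc     Local   LAN on eth1 plus the VPN tap0 (both members of br0)

# /etc/shorewall/interfaces   (ZONE   INTERFACE   BROADCAST   OPTIONS)
# eth1 and tap0 carry no IP address themselves (br0 does), so the
# broadcast address is given explicitly rather than with "detect".
net     eth0    1.1.1.255           routefilter
loc     eth1    192.168.96.255
loc     tap0    192.168.96.255

# /etc/shorewall/policy       (SOURCE   DEST   POLICY   LOG LEVEL)
loc     loc     ACCEPT                  # point (a): LAN <-> tunnel side
loc     net     ACCEPT
loc     fw      ACCEPT
fw      net     ACCEPT
net     all     DROP    info
all     all     REJECT  info

# /etc/shorewall/tunnels      (TYPE   ZONE   GATEWAY   GATEWAY ZONE)
# point (c): lets UDP 5000 (the OpenVPN default of the time) pass between
# the firewall and the remote endpoint.  203.0.113.10 is a placeholder.
openvpn net     203.0.113.10

# /etc/shorewall/masq         (INTERFACE   SUBNET)  -- assumption: LAN is NATed
eth0    192.168.96.0/24
```

Two things to verify after `shorewall check` and `shorewall start`. First, the posted `ip addr` output shows br0 with `brd 192.168.96.100`, which is the interface's own address rather than the /24 broadcast 192.168.96.255; that is worth fixing in the Bering interface settings before blaming Shorewall. Second, frames switched between eth1 and tap0 inside br0 are bridged, not routed; unless the kernel has the bridge-netfilter patch they never reach the iptables FORWARD chain, so the loc->loc policy only governs traffic that actually leaves br0 through the IP stack. If `shorewall show` reveals that iptables sees packets arriving on br0 rather than on eth1/tap0, the loc zone has to be assigned to br0 instead.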
------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
