Dear list: I am having a weird problem with shorewall rejecting openvpn packets unless I include some redundant rules, that shorewall complains about (but that make things work). Below are the shorewall files and the resulting logs. Unless I uncomment the last 8 ACCEPTS in the rules file, I get Rejects of openvpn traffic from shorewall. Uncommenting those lines makes shorewall complain during bootup as it is working through the rules file before prompting for login.
Any ideas?? TIA, Rick

The shorewall zones file is

net    NET           Internet
loc    Local         Local Networks
vpn1   VPN-ipsec     RoadWarrior
bpn3   WLAN-openvpn  openvpn

The interfaces file is

net    eth0    detect    norfc1918
loc    eth1    detect    dhcp
vpn1   ipsec0
vpn3   tun0

The tunnels file is

ipsec               net    0.0.0.0/0         vpn1
generic:udp:5000    loc    192.168.1.0/24    vpn3

firewall: -root- # more policy
#
# Shorewall 1.4 -- Sample Policy File For Two Interfaces
###
#SOURCE   DEST    POLICY    LOG LEVEL    LIMIT:BURST
loc       net     ACCEPT
# If you want open access to the Internet from your Firewall
# remove the comment from the following line.
#fw       net     ACCEPT
loc       vpn1    ACCEPT
#loc      vpn2    ACCEPT
loc       vpn3    ACCEPT
fw        vpn3    ACCEPT
net       vpn3    ACCEPT
vpn1      loc     ACCEPT
#vpn2     loc     ACCEPT
vpn3      loc     ACCEPT
vpn3      fw      ACCEPT
vpn3      net     ACCEPT
fw        loc     ACCEPT
net       all     DROP      ULOG
all       all     REJECT    ULOG
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

firewall: -root- # more rules
#
# Shorewall version 1.4 - Sample Rules File For Two Interfaces
#                                          PORT    PORT(S)    DEST
#
# Accept DNS connections from the firewall to the network
#
ACCEPT    fw                   net    tcp     53
ACCEPT    fw                   net    udp     53
#
# Accept SSH connections from the local network for administration
#
ACCEPT    loc                  fw     tcp     22
ACCEPT    net:137.45.192.73    fw     tcp     22
ACCEPT    net:137.45.34.77     fw     tcp     22
ACCEPT    net:137.45.192.86    fw     tcp     22
#
# Allow Ping To And From Firewall
#
ACCEPT    loc    fw     icmp    8
ACCEPT    net    fw     icmp    8
ACCEPT    fw     loc    icmp    8
ACCEPT    fw     net    icmp    8
# Rules for openvpn (despite policies being set)
#ACCEPT   loc     fw      all
#ACCEPT   fw      loc     all
#ACCEPT   loc     net     all
#ACCEPT   net     loc     all
#ACCEPT   vpn3    fw      all
#ACCEPT   fw      vpn3    all
#ACCEPT   vpn3    net     all
#ACCEPT   net     vpn3    all
#
# Bering specific rules:
# allow loc to fw udp/53 for dnscache to work
# allow loc to fw tcp/80 for weblet to work
# .... deleted for brevity....
firewall: -root- #

The logs that result from the 8 ACCEPT lines being commented out are:

f3:08:00 SRC=192.168.1.3 DST=192.168.1.254 LEN=88 TOS=00 PREC=0x00 TTL=128 ID=21018 PROTO=UDP SPT=5000 DPT=5000 LEN=68
Dec 9 11:18:48 firewall Shorewall:all2all:REJECT: IN=eth1 OUT= MAC=00:02:e3:12:7d:94:00:0e:35:15:24:f3:08:00 SRC=192.168.1.3 DST=192.168.1.254 LEN=88 TOS=00 PREC=0x00 TTL=128 ID=21079 PROTO=UDP SPT=5000 DPT=5000 LEN=68
Dec 9 11:18:58 firewall Shorewall:all2all:REJECT: IN=eth1 OUT= MAC=00:02:e3:12:7d:94:00:0e:35:15:24:f3:08:00 SRC=192.168.1.3 DST=192.168.1.254 LEN=88 TOS=00 PREC=0x00 TTL=128 ID=21154 PROTO=UDP SPT=5000 DPT=5000 LEN=68
Dec 9 11:19:09 firewall Shorewall:all2all:REJECT: IN=eth1 OUT= MAC=00:02:e3:12:7d:94:00:0e:35:15:24:f3:08:00 SRC=192.168.1.3 DST=192.168.1.254 LEN=88 TOS=00 PREC=0x00 TTL=128 ID=21207 PROTO=UDP SPT=5000 DPT=5000 LEN=68
Dec 9 11:19:18 firewall Shorewall:all2all:REJECT: IN=eth1 OUT= MAC=00:02:e3:12:7d:94:00:0e:35:15:24:f3:08:00 SRC=192.168.1.3 DST=192.168.1.254 LEN=88 TOS=00 PREC=0x00 TTL=128 ID=21256 PROTO=UDP SPT=5000 DPT=5000 LEN=68
Dec 9 11:19:30 firewall Shorewall:all2all:REJECT: IN=eth1 OUT= MAC=00:02:e3:12:7d:94:00:0e:35:15:24:f3:08:00 SRC=192.168.1.3 DST=192.168.1.254 LEN=88 TOS=00 PREC=0x00 TTL=128 ID=21329 PROTO=UDP SPT=5000 DPT=5000 LEN=68
Dec 9 11:19:40 firewall Shorewall:all2all:REJECT: IN=eth1 OUT= MAC=00:02:e3:12:7d:94:00:0e:35:15:24:f3:08:00 SRC=192.168.1.3 DST=192.168.1.254 LEN=88 TOS=00 PREC=0x00 TTL=128 ID=21381 PROTO=UDP SPT=5000 DPT=5000 LEN=68
Dec 9 11:19:50 firewall Shorewall:all2all:REJECT: IN=eth1 OUT= MAC=00:02:e3:12:7d:94:00:0e:35:15:24:f3:08:00 SRC=192.168.1.3 DST=192.168.1.254 LEN=88 TOS=00 PREC=0x00 TTL=128 ID=21433 PROTO=UDP SPT=5000 DPT=5000 LEN=68
------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
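As an added example (not part of Rick's post or of Shorewall itself), a small Python parser for Shorewall 1.4 log lines of the kind shown above: it reads the chain and disposition out of the "Shorewall:<chain>:<disposition>:" prefix and the netfilter key=value fields, then tallies hits per chain, interface, protocol and destination port, so the chain name tells you which policy a rejected packet fell through to. The sample log text is constructed in the same format (the net2all DROP line is made up), and the zone-splitting helper assumes zone names that contain no "2".

```python
import re
from collections import Counter

# Constructed sample in the netfilter/ULOG format Shorewall 1.4 logs with; the third
# line is a made-up net2all DROP so the summary shows more than one chain.
SAMPLE_LOG = """\
Dec 9 11:18:48 firewall Shorewall:all2all:REJECT: IN=eth1 OUT= MAC=00:02:e3:12:7d:94:00:0e:35:15:24:f3:08:00 SRC=192.168.1.3 DST=192.168.1.254 LEN=88 TOS=00 PREC=0x00 TTL=128 ID=21079 PROTO=UDP SPT=5000 DPT=5000 LEN=68
Dec 9 11:18:58 firewall Shorewall:all2all:REJECT: IN=eth1 OUT= MAC=00:02:e3:12:7d:94:00:0e:35:15:24:f3:08:00 SRC=192.168.1.3 DST=192.168.1.254 LEN=88 TOS=00 PREC=0x00 TTL=128 ID=21154 PROTO=UDP SPT=5000 DPT=5000 LEN=68
Dec 9 11:20:01 firewall Shorewall:net2all:DROP: IN=eth0 OUT= MAC=00:02:e3:12:7d:93:00:00:5e:00:01:01:08:00 SRC=203.0.113.9 DST=198.51.100.2 LEN=60 TOS=00 PREC=0x00 TTL=51 ID=1 PROTO=TCP SPT=44321 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
"""

# Log prefix is "Shorewall:<chain>:<disposition>:". The chain is named "<src zone>2<dst zone>",
# so "all2all" means no zone-specific policy or rule matched and the packet hit the
# catch-all "all all" policy; "loc2fw" would mean the loc->fw policy chain was used.
PREFIX_RE = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<disp>[A-Z]+):")
KV_RE = re.compile(r"(\w+)=(\S*)")   # netfilter key=value tokens; "OUT=" has an empty value

def parse_shorewall_line(line):
    """Return chain, disposition and the interesting netfilter fields, or None if not a Shorewall line."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    # LEN appears twice (IP total length, then UDP/TCP length); dict() keeps the last one.
    f = dict(KV_RE.findall(line[m.end():]))
    return {"chain": m.group("chain"), "disposition": m.group("disp"),
            "in": f.get("IN", ""), "out": f.get("OUT", ""),
            "src": f.get("SRC"), "dst": f.get("DST"), "proto": f.get("PROTO"),
            "sport": f.get("SPT"), "dport": f.get("DPT")}

def summarize(log_text):
    """Count hits per (chain, disposition, in-interface, proto, dport)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_shorewall_line(line)
        if rec:
            counts[(rec["chain"], rec["disposition"], rec["in"], rec["proto"], rec["dport"])] += 1
    return counts

def zones_of(chain):
    """Split a chain name such as 'loc2fw' into (source zone, dest zone); assumes no '2' in zone names."""
    src, _, dst = chain.partition("2")
    return src, dst

if __name__ == "__main__":
    for (chain, disp, iface, proto, dport), n in sorted(summarize(SAMPLE_LOG).items()):
        src, dst = zones_of(chain)
        print(f"{n:3d} x {disp:6s} in={iface} {proto}/{dport} via {chain} ({src} -> {dst})")
```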