Hi,
I'm trying to get a Shorewall installation to work with net-host configuration.
The shorewall box is running Debian Sarge (Kernel 2.4.27-3-386)
OpenSwan 2.2.0-8
Shorewall 3.2.6-2 (From Testing) as you won't answer questions on v2.
I'm trying to replace an IPCop box with a Debian/Shorewall solution.
Once I get it working I plan on migrating to OpenVPN :-)
At work I currently use an IPCop box to allow remote users in from both
net-net and net-host configurations. I have replaced my home IPCop box
with a net-net Debian/Shorewall solution and this works fine. However,
I cannot get the net-host solution working. I have setup an isolated
test area at work to use.
The VPN tunnel works fine if the firewall isn't brought up.
Once I activate shorewall and try to connect from a host over the vpn
to an internal host I get the message in kern.log:
Shorewall:rfc1918:DROP:IN=eth2 OUT=eth0 SRC=2.2.2.1 DST=192.168.20.1 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=802 DP PROTO=TCP SPT=1052 DPT=23
...
If I take the norfc1918 out of the interfaces file I get a similar
message but this time caught in the net2loc rule.
My question is why the net-net configuration works but the net-host does not.
My configuration files are:
interfaces:vpn ipsec0
interfaces:net eth2 detect tcpflags,dhcp,routefilter,norfc1918,nosmurfs,logmartians
interfaces:loc eth0 detect tcpflags,detectnets,nosmurfs
interfaces:dmz eth1 detect
masq:eth2 eth0
masq:eth2 eth1
policy:loc vpn ACCEPT
policy:vpn loc ACCEPT
policy:loc net ACCEPT
policy:loc dmz REJECT info
policy:loc $FW REJECT info
policy:loc all REJECT info
policy:$FW net REJECT info
policy:$FW dmz REJECT info
policy:$FW loc REJECT info
policy:$FW all REJECT info
policy:dmz net REJECT info
policy:dmz $FW REJECT info
policy:dmz loc REJECT info
policy:dmz all REJECT info
policy:net dmz DROP info
policy:net $FW DROP info
policy:net loc DROP info
policy:net all DROP info
policy:all all REJECT info
routestopped:eth0 -
rules:SECTION NEW
rules:DNS/ACCEPT $FW net
rules:SSH/ACCEPT loc $FW
rules:SSH/ACCEPT loc dmz
rules:DNS/ACCEPT dmz net
rules:Ping/REJECT net $FW
rules:Ping/ACCEPT loc $FW
rules:Ping/ACCEPT dmz $FW
rules:Ping/ACCEPT loc dmz
rules:Ping/ACCEPT dmz loc
rules:Ping/ACCEPT dmz net
rules:ACCEPT $FW net icmp
rules:ACCEPT $FW loc icmp
rules:ACCEPT $FW dmz icmp
tunnels:ipsec net 2.2.2.1 vpn
zones:vpn ipv4
zones:fw firewall
zones:net ipv4
zones:loc ipv4
zones:dmz ipv4
Many thanks in advance for your time and suggestions.
Regards,
Simon
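As an added illustration (not part of Simon's post or of Shorewall itself), a small Python triage script for the log format quoted above: it parses the `Shorewall:<chain>:<disposition>:` prefix and the netfilter key=value fields, flags whether SRC and DST fall inside RFC 1918 space, and tallies drops per chain and interface pair. The sample lines are constructed, modelled on the one in the post.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample kern.log lines in the format Shorewall writes (the first is
# modelled on the line quoted in the post; the others are invented for illustration).
SAMPLE_LOG = """\
Jan 1 00:00:01 fw kernel: Shorewall:rfc1918:DROP:IN=eth2 OUT=eth0 SRC=2.2.2.1 DST=192.168.20.1 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=802 DF PROTO=TCP SPT=1052 DPT=23
Jan 1 00:00:02 fw kernel: Shorewall:net2loc:DROP:IN=eth2 OUT=eth0 SRC=2.2.2.1 DST=192.168.20.1 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=803 DF PROTO=TCP SPT=1052 DPT=23
Jan 1 00:00:03 fw kernel: Shorewall:net2fw:DROP:IN=eth2 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=198.51.100.1 LEN=40 TOS=0x00 PREC=0x00 TTL=55 ID=1 DF PROTO=TCP SPT=4444 DPT=22
"""

LOG_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disp>[^:]+):(?P<rest>.*)")

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    """True if addr lies in one of the three RFC 1918 private ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def parse_shorewall_line(line):
    """Return a dict of chain, disposition and netfilter fields, or None if not a Shorewall line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = {"chain": m.group("chain"), "disposition": m.group("disp")}
    for tok in m.group("rest").split():
        if "=" in tok:
            key, val = tok.split("=", 1)   # 'OUT=' yields an empty value
            rec[key] = val
        else:
            rec.setdefault("flags", []).append(tok)   # bare tokens such as DF
    return rec


def triage(log_text):
    """Parse all Shorewall lines; annotate RFC 1918 membership of SRC/DST and count by chain/interfaces."""
    records = []
    for line in log_text.splitlines():
        rec = parse_shorewall_line(line)
        if rec is None:
            continue
        rec["src_rfc1918"] = is_rfc1918(rec["SRC"])
        rec["dst_rfc1918"] = is_rfc1918(rec["DST"])
        records.append(rec)
    summary = Counter((r["chain"], r["disposition"], r.get("IN", ""), r.get("OUT", "")) for r in records)
    return records, summary


if __name__ == "__main__":
    recs, summary = triage(SAMPLE_LOG)
    for key, n in summary.items():
        print(key, n)
    for r in recs:
        print(r["chain"], r["SRC"], r["src_rfc1918"], r["DST"], r["dst_rfc1918"])
```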
_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users