[EMAIL PROTECTED] wrote:
> I have a dedicated openvpn FC4 box with a public IP. I connect to it
> fine and all that, everything works, etc, etc. Have not been hacked,
> which surprises me, so I must have done something right.

Or you've been lucky.

> Basically most everything works, except for some reason, some ports are
> blocked when on the VPN. For instance I can not connect to IRC servers,
> 6888, while connected on the VPN.

It does not follow that because you cannot connect that the "ports are
blocked". Not all connection problems are caused by faulty rulesets. Do
you redirect the VPN clients' default gateway through the Shorewall
firewall while they are connected (OpenVPN 'redirect-gateway')? If not,
the inability to connect to IRC has nothing to do with your Firewall at
all.

> /etc/shorewall/policy
> $FW     net     ACCEPT
> road    $FW     ACCEPT
> road    net     ACCEPT
> $FW     road    ACCEPT
> net     $FW     DROP    info
> net     all     DROP    info
>
> /etc/shorewall/rules
> Web/ACCEPT      net     $FW
> DROP            $FW     net     icmp

Please remove that last rule. There is no valid reason to have it and it
breaks TCP path MTU discovery. ICMP is an essential part of IPv4 and
blocking it unconditionally is just plain wrong.

> /usr/share/shorewall/macro.Web
> PARAM   -       -       TCP     1593    # TCP Webmin (plaintext)
> PARAM   -       -       TCP     22      #
> PARAM   -       -       TCP     9999    #
> PARAM   -       -       TCP     421     #
> PARAM   -       -       TCP     422     #
> PARAM   -       -       TCP     446     #
> PARAM   -       -       TCP     443     #
> PARAM   -       -       TCP     65001   #
> PARAM   -       -       TCP     65002   #
> PARAM   -       -       TCP     65003   #
> PARAM   -       -       TCP     65004   #
> PARAM   -       -       TCP     65005   #
> PARAM   -       -       TCP     65006   #
> (I need to change most of the above to accessible via VPN clients
> ONLY, but not sure how)

First, why did you choose to call this "Swiss Army Knife" macro 'Web'?
'Web' is the name of one of the standard Shorewall macros. Given the wide
range of applications that it controls, it seems like an odd name.

Second, you are invoking the macro in your rules file exactly once:

        Web/ACCEPT      net     $FW

So it can *only* control traffic from the 'net' zone that is addressed to
the firewall itself. If you intended it to control connections from the
VPN clients to the firewall, you probably wanted something like:

        Web/ACCEPT      road    $FW

> I want the VPN users to be able to use any port they want to use,

What does that mean? That they should be able to connect to any
application on any host? Including the Shorewall system?

> this may be the wrong list to ask it on, but I was thinking since
> shorewall is my firewall, y'all would know. I only need a few ports
> open that I make the VPN use (80, 443 TCP) and then the rest I will
> close, but I want the VPN users to be able to use any port they want to.

I don't understand what you are trying to say.

If you have further questions, it would be a good idea to include the
output of "shorewall dump" collected as described at
http://www.shorewall.net/support.htm#Guidelines.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ [EMAIL PROTECTED]
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
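The following is an added illustration of the configuration change discussed in the thread; it is not Tom's reply, the original poster's files, or Shorewall's own distribution files. The zone names 'net' and 'road' and the port list come from the thread. The macro name 'Admin', its location under /etc/shorewall, and the assumption that a web service on the firewall should stay reachable from the Internet while the administrative ports are reachable from VPN clients only are choices made for this example.

```conf
#### /etc/shorewall/macro.Admin
# Renamed from macro.Web so the standard Web macro (TCP 80 and 443) is no
# longer shadowed. User macros belong under /etc/shorewall, which Shorewall
# searches before /usr/share/shorewall, so the copied-over file in
# /usr/share/shorewall/macro.Web should be restored to the distribution one.
#ACTION  SOURCE  DEST    PROTO   DEST PORT(S)
PARAM    -       -       tcp     1593            # Webmin (plaintext)
PARAM    -       -       tcp     22              # ssh
PARAM    -       -       tcp     9999
PARAM    -       -       tcp     421,422,446
PARAM    -       -       tcp     65001:65006     # port range, same as 65001..65006

#### /etc/shorewall/rules
# Before (as posted): every port in the macro was open to the Internet, and
# the outbound ICMP drop broke path MTU discovery.
#   Web/ACCEPT      net     $FW
#   DROP            $FW     net     icmp
#
# After: the Internet reaches only the standard web ports on the firewall;
# the administrative ports are opened from the VPN client zone only, and the
# ICMP drop is gone. Everything else from 'net' still falls through to the
# posted policy "net $FW DROP info".
#ACTION         SOURCE  DEST    PROTO   DEST PORT(S)
Web/ACCEPT      net     $FW                     # standard macro: TCP 80,443
Admin/ACCEPT    road    $FW                     # assumed: admin services for VPN clients

#### /etc/shorewall/policy (unchanged from the thread, with one observation)
# The posted policy "road $FW ACCEPT" already lets VPN clients reach every
# port on the firewall, so the Admin/ACCEPT line above is redundant until
# that policy is tightened. If road-to-firewall is later changed to
# "road $FW DROP info", the Admin macro line is what keeps the admin
# ports reachable from the VPN.
```

After editing, `shorewall check` compiles the ruleset without loading it and reports syntax or macro errors, and `shorewall restart` applies it; `shorewall dump`, as Tom asked for, shows the resulting iptables chains and counters for confirming which zone pair a packet actually matched.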
_______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
