Thanks for the info, however I could use some clarification (the
nitty-gritty details) on my 3rd question.
(normal, no vpn)
incoming: phys(eth0) -> $FW
outgoing: $FW -> lan(br0)
1) outgoing $FW -> lan(br0) will in actuality always be $FW -> phys(eth0) (?)
The shorewall docs also mention that all vpn traffic will pass through netfilter twice.
I see this happening on outgoing vpn traffic:
(vpn)
outgoing: phys(eth0) -> vpn(tap0)
---then---
$FW -> lan(br0)
This first entry completes the chain from eth0 -> lan(br0) -> vpn(tap0) -> server.
Then the second follows from server($FW) -> lan(br0), which will output phys(eth0).
Blocking either of these chains will make it impossible for a vpn packet to leave the server.
3) Is this [the above] correct (?)
2) similarly, the $FW -> lan(br0) will in actuality always be $FW -> phys(eth0) ?
i.e. the outgoing bridge port will never be tap0.
However, incoming vpn traffic seems to travel over only one of two possible routes:
(vpn)
incoming: vpn(tap0) -> phys(eth0)
---or-----
lan(br0) -> $FW
The first route is solely for (vpn client -> lan) communication;
the second route is only for (vpn client -> vpn server) communications
(see what I recorded in the syslog).
Blocking either of these routes only blocks the respective communication chain.
4) why doesn't incoming traffic travel through netfilter twice?
Similarly, why doesn't all incoming traffic have to cross the $FW zone just like outgoing vpn traffic has to?
I'd expect some symmetry between the incoming/outgoing vpn connections.
5) In a similar vein, ping(vpn client->server) travels from lan(br0) -> $FW despite the PHYSIN=tap0.
Doesn't this contradict what you said in your previous response?
Shouldn't ping(vpn client->server) be vpn(tap0) -> $FW because of PHYSIN?
Take your time; have your coffee ; )
thanks,
orbisvicis
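The post distinguishes the two incoming vpn routes by what the syslog shows. The following is an added example, not code from the poster or from the Shorewall project: it parses kernel netfilter log lines of the kind the post refers to and reports, per packet, the bridge interface (IN=/OUT=) next to the physical bridge port (PHYSIN=/PHYSOUT=), which is exactly the pair needed to tell "lan(br0) -> $FW despite PHYSIN=tap0" from "vpn(tap0) -> phys(eth0)" when auditing a rule set. The sample log lines, the addresses and the "Shorewall:chain:disposition:" log prefix are constructed assumptions for the example.

```python
import re
from typing import Optional

# Constructed sample syslog lines in the kernel netfilter log format.
# IN=/OUT= name the bridge the packet was seen on, PHYSIN=/PHYSOUT= the
# bridge port it actually arrived on / left by.  The "Shorewall:..." prefix
# and all addresses are assumptions made up for this example.
SAMPLE_LOG = """\
kernel: Shorewall:loc2fw:ACCEPT:IN=br0 OUT= PHYSIN=tap0 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.8.0.6 DST=192.168.1.1 LEN=84 PROTO=ICMP TYPE=8
kernel: Shorewall:FORWARD:ACCEPT:IN=br0 OUT=br0 PHYSIN=tap0 PHYSOUT=eth0 SRC=10.8.0.6 DST=192.168.1.20 LEN=60 PROTO=TCP DPT=22
kernel: Shorewall:fw2loc:ACCEPT:IN= OUT=br0 PHYSOUT=eth0 SRC=192.168.1.1 DST=192.168.1.20 LEN=84 PROTO=ICMP TYPE=0
kernel: Shorewall:loc2fw:ACCEPT:IN=br0 OUT= PHYSIN=eth0 SRC=192.168.1.20 DST=192.168.1.1 LEN=60 PROTO=TCP DPT=22
"""

# Only the KEY=value fields we care about; \b keeps "IN=" from matching
# inside "PHYSIN=".  An empty value (e.g. "OUT=") is captured as "".
FIELD_RE = re.compile(r"\b(IN|OUT|PHYSIN|PHYSOUT|SRC|DST|PROTO)=(\S*)")


def parse_netfilter_line(line: str) -> Optional[dict]:
    """Return the KEY=value fields of one netfilter log line, or None if the
    line does not carry the IN=/OUT= pair every netfilter log entry has."""
    fields = dict(FIELD_RE.findall(line))
    if "IN" not in fields or "OUT" not in fields:
        return None
    return fields


def classify_route(f: dict) -> str:
    """Describe the path a logged packet took in the post's notation,
    using the physical bridge port where the kernel logged one."""
    phys_in, phys_out = f.get("PHYSIN", ""), f.get("PHYSOUT", "")
    if f["OUT"] == "":                      # delivered to the firewall itself
        return f"{phys_in or f['IN']} -> $FW"
    if f["IN"] == "":                       # originated by the firewall
        return f"$FW -> {f['OUT']} out {phys_out}"
    # bridged between two ports of the same bridge (the vpn client -> lan case)
    return f"bridged {phys_in} -> {phys_out} via {f['IN']}"


def summarize(log: str) -> list:
    """One route description per parseable log line, in log order."""
    routes = []
    for line in log.splitlines():
        fields = parse_netfilter_line(line)
        if fields:
            routes.append(classify_route(fields))
    return routes


if __name__ == "__main__":
    for route in summarize(SAMPLE_LOG):
        print(route)
```

Run against a real syslog, the output makes the difference visible that the post asks about: packets for the firewall itself log with IN=br0 whatever port they entered on, while PHYSIN= still records tap0 or eth0, so filtering or alerting on the bridge port has to key on PHYSIN/PHYSOUT, not on IN/OUT.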
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users