Hi Tom, I'm trying to split rules for roadwarrior and site2site vpn tunnels but want to keep the rules/policy minimal.
I want to create rules/policy for vsite separate from vroad, i.e. in /etc/shorewall/policy:

    vsite   loc     accept
    loc     vsite   accept
    vroad   loc     accept
    loc     vroad   reject

In /etc/shorewall/interfaces, I got:

    vsite   tun+
    vroad   tun9

Now, the way I interpret this: any traffic on any tun interface falls into the vsite zone, and any traffic on tun9 falls into the vroad zone. And here's the problem: vroad is a subset of vsite. I need to make vroad not a subset of vsite, but I am keen to use "tun+" in interfaces (for ease of maintenance).

I know one way in my rules is to do:

    ACCEPT  loc  vsite:!192.168.99.0/24  tcp  22

(for example, but you see, I have to put !192.168.99.0/24 on all vsite rules; by the way, 192.168.99.0 is the subnet for roadwarriors). It would be nice if I could still do:

    ACCEPT  loc  vsite  tcp  22

but still have loc -> vroad on ssh rejected.

Another way I can think of is to split each tunnel for the sites, but this is messy because it increases the permutation of policy and rules I have to create for each site, i.e. /etc/shorewall/interfaces:

    vsite0  tun0
    vsite1  tun1
    vsite2  tun2
    vroad   tun9

I hope I described it a bit better. I'm using Shorewall-perl.

--- On Thu, 6/25/09, Tom Eastep <[email protected]> wrote:

> From: Tom Eastep <[email protected]>
> Subject: Re: [Shorewall-users] zones and interfaces for OpenVPN roadwarrior and Site2Site on the same box
> To: "Shorewall Users" <[email protected]>
> Date: Thursday, June 25, 2009, 3:03 AM
>
> Lito Kusnadi wrote:
> > I am building an openvpn gateway/firewall.
> > I have 2 zones: vsite and vmobile (for vpn site2site and vpn roadwarrior respectively). And in /etc/shorewall/interfaces, I define:
> > vsite tun+
> > vmobile tun9
> >
> > In Openvpn, I have an instance running to serve roadwarrior on tun9. While the other tun interfaces (tun0 - tun8) are for sites, would rules/policy defined for vsite be valid for vmobile?
> >
> > If that's the case, is there a way so that vsite zone (a group of tunnels) and vmobile zone are separate? I like the idea of being able to do:
> > vsite tun+,!tun9 (something like this), don't know if it is possible.
>
> Can you elaborate? I'm very unclear about what you are trying to accomplish.
>
> > Shorewall version: shorewall-4.2.9-1
>
> Shorewall-shell or Shorewall-perl?
>
> -Tom
> --
> Tom Eastep           \ When I die, I want to go like my Grandfather who
> Shoreline,            \ died peacefully in his sleep. Not screaming like
> Washington, USA        \ all of the passengers in his car
> http://shorewall.net    \________________________________________________
>
> _______________________________________________
> Shorewall-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
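The overlap the poster is describing, worked through as an added example (not code from the thread, from Shorewall or from its compiler). It only models two facts stated above: an iptables-style "tun+" pattern matches every interface whose name starts with "tun", so tun9 lands in both zones, and a "zone:!net" qualifier on a rule keeps that rule off the excluded net. The interfaces table and both rule variants are constructed copies of the poster's; the site address 10.8.0.5 is a made-up example address. How Shorewall actually orders the chains for overlapping zones is not modelled here.

```python
"""Model of the zone overlap in the poster's /etc/shorewall/interfaces.

Added example, not Shorewall's own code and not its rule compiler. It applies
only two facts from the thread: a trailing '+' in an interface name is an
iptables prefix wildcard (so 'tun+' matches tun9 too), and a 'zone:!net'
qualifier on a rule excludes that net from the rule.
"""
import ipaddress

# Constructed copy of the poster's interfaces table: (zone, interface pattern)
INTERFACES = [("vsite", "tun+"), ("vroad", "tun9")]

# Constructed copies of the two rule variants the poster compares:
# (ACTION, SOURCE, DEST, PROTO, DEST PORT)
RULE_WITH_EXCLUSION = ("ACCEPT", "loc", "vsite:!192.168.99.0/24", "tcp", "22")
RULE_PLAIN = ("ACCEPT", "loc", "vsite", "tcp", "22")


def iface_matches(pattern, name):
    """iptables interface wildcard: a trailing '+' matches any suffix."""
    if pattern.endswith("+"):
        return name.startswith(pattern[:-1])
    return pattern == name


def zones_for(iface, interfaces=INTERFACES):
    """Every zone whose interfaces entry matches this interface, in file order."""
    return [zone for zone, pat in interfaces if iface_matches(pat, iface)]


def overlapping_interfaces(candidates, interfaces=INTERFACES):
    """Interface names that land in more than one zone (the 'subset' problem)."""
    return [i for i in candidates if len(zones_for(i, interfaces)) > 1]


def parse_zone_spec(spec):
    """'vsite:!192.168.99.0/24' -> ('vsite', [IPv4Network('192.168.99.0/24')])."""
    zone, _, qual = spec.partition(":")
    excluded = []
    if qual.startswith("!"):
        excluded = [ipaddress.ip_network(n) for n in qual[1:].split(",")]
    return zone, excluded


def rule_applies(rule, src_zone, dst_iface, dst_ip, proto, port):
    """True if the rule's zones, exclusion list, protocol and port all match."""
    _action, src, dst_spec, r_proto, r_port = rule
    dst_zone, excluded = parse_zone_spec(dst_spec)
    if src != src_zone or dst_zone not in zones_for(dst_iface):
        return False
    if r_proto != proto or str(r_port) != str(port):
        return False
    ip = ipaddress.ip_address(dst_ip)
    return not any(ip in net for net in excluded)


if __name__ == "__main__":
    for iface in ("tun0", "tun8", "tun9"):
        print(iface, "->", zones_for(iface))
    # ssh from loc to a roadwarrior on tun9: the plain vsite rule still
    # covers it, the exclusion variant does not.
    for rule in (RULE_PLAIN, RULE_WITH_EXCLUSION):
        hit = rule_applies(rule, "loc", "tun9", "192.168.99.10", "tcp", 22)
        print(rule[2], "applies to tun9 roadwarrior:", hit)
```

Running it shows tun9 listed under both vsite and vroad while tun0 and tun8 are vsite only, and that the plain "ACCEPT loc vsite tcp 22" rule reaches a 192.168.99.x roadwarrior whereas the "vsite:!192.168.99.0/24" form does not, which is exactly the per-rule exclusion the poster wants to avoid repeating.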
