Lito Kusnadi wrote:
> Hi Tom,
>
> I'm trying to split rules for roadwarrior and site2site vpn tunnels but want
> to keep the rules/policy minimal.
>
> I want to create rules/policy for vsite separate to vroad (i.e.
> /etc/shorewall/policy:
> vsite loc accept
> loc vsite accept
> vroad loc accept
> loc vroad reject
>
> in /etc/shorewall/interfaces, i got:
> vsite tun+
> vroad tun9
> now, the way I interpret this:
> any traffic on any tun interface falls into vsite zone
> any traffic on tun9 falls into vroad zone
> and here's the problem: vroad is a subset of vsite
>
> I need to make vroad not a subset of vsite, but keen to use "tun+" in
> interfaces (for ease of maintenance).
>
> I know one way in my rules is to do:
> ACCEPT loc vsite:!192.168.99.0/24 tcp 22 (for example, but you see, I have
> to put !192.168.99.0/24 on all vsite - by the way 192.168.99.0 is the subnet for
> roadwarrior)
> nice if I can still do:
> ACCEPT loc vsite tcp 22
> but still loc -> vroad on ssh is rejected
>
> Another way I can think of is to split each tunnel for the sites, but this is
> messy because it increases the permutation of policy and rules I have to
> create for each site.
>
> i.e. /etc/shorewall/interfaces:
> vsite0 tun0
> vsite1 tun1
> vsite2 tun2
> vroad tun9
>
> I hope I described it a bit better. I'm using shorewall perl.
a) In /etc/shorewall/zones, be sure that vroad is defined *before* vsite
*or* that you make their nested relationship explicit:
fw firewall
vsite ipv4
vroad:vsite ipv4
...
b) In /etc/shorewall/shorewall.conf, set IMPLICIT_CONTINUE=No.
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
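An added example, not Shorewall's own code: a small lint that reads constructed copies of the poster's zones and interfaces files and flags the ordering problem Tom points out, a zone whose interfaces are all covered by another zone's wildcard (tun9 inside tun+) but which is listed after that broader zone without an explicit child:parent entry. It assumes the first two columns of those files are ZONE and INTERFACE and that a trailing "+" matches any suffix.

```python
"""Lint for nested Shorewall zones (added example, not part of Shorewall)."""

# Constructed copies of the files from the thread (extra columns and
# comments are ignored by the parser below).
ZONES_BAD = "fw firewall\nvsite ipv4\nvroad ipv4\n"          # vroad hidden behind vsite
ZONES_NESTED = "fw firewall\nvsite ipv4\nvroad:vsite ipv4\n"  # Tom's explicit nesting
ZONES_REORDERED = "fw firewall\nvroad ipv4\nvsite ipv4\n"     # Tom's "define vroad first"
INTERFACES = "vsite tun+\nvroad tun9\n"


def _fields(text):
    """Yield whitespace-split columns of non-blank, non-comment lines."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line.split()


def parse_zones(text):
    """Ordered list of (zone, parent); parent is None unless written child:parent."""
    out = []
    for cols in _fields(text):
        zone, _, parent = cols[0].partition(":")
        out.append((zone, parent or None))
    return out


def parse_interfaces(text):
    """Map zone -> list of interface names/patterns from the INTERFACE column."""
    ifaces = {}
    for cols in _fields(text):
        ifaces.setdefault(cols[0], []).append(cols[1])
    return ifaces


def iface_matches(pattern, iface):
    """A trailing '+' means 'any suffix' (assumption), so tun+ covers tun9."""
    return iface.startswith(pattern[:-1]) if pattern.endswith("+") else pattern == iface


def nesting_problems(zones_text, interfaces_text):
    """Messages for narrower zones defined after a broader zone without nesting."""
    zones = parse_zones(zones_text)
    order = {zone: i for i, (zone, _) in enumerate(zones)}
    parent = dict(zones)
    ifaces = parse_interfaces(interfaces_text)
    problems = []
    for narrow, nifs in ifaces.items():
        for broad, bifs in ifaces.items():
            covered = narrow != broad and all(
                any(iface_matches(b, n) for b in bifs) for n in nifs)
            if covered and parent.get(narrow) != broad and order[narrow] > order[broad]:
                problems.append(f"{narrow} ({', '.join(nifs)}) is a subset of {broad} "
                                f"({', '.join(bifs)}) but is defined after it; move it "
                                f"first or declare {narrow}:{broad}")
    return problems
```

The check covers only the zones-file ordering; the IMPLICIT_CONTINUE=No setting in shorewall.conf still has to be verified separately.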
