On 1/1/2015 6:03 PM, Marcelo Bello wrote:
> Hi,
>
> Happy 2015 to all!
>
> I am setting up tinc VPN on a firewall (shorewall setup) that is
> also the network gateway.
>
> The standard tinc setup has the tincd daemon create and remove the
> necessary VPN interface (tun0 in my case). The problem is that when
> tincd is not running, the tun0 interface is not just down, it actually
> is removed from the system (the command ifconfig tun0 returns "device
> not found").
>
> The first test I did was to check if the "optional" interface
> option would work with an interface that could not be found (I initially
> assumed it would work only on an interface that is down) but shorewall
> did start just fine. I also ran iptables -L and saw rules associated with
> the zone linked to the tun0 interface.
>
> However I am worried that such firewall rules may for some
> reason not work reliably. I do not have a deep understanding of how iptables
> works, but can I assume that once the tun0 interface is brought up
> the firewall will be working just like I configured shorewall to treat
> it (without restarting shorewall)? Is shorewall able to add all
> necessary firewall rules even when the interface does not exist in the
> system? Any reason for concern?
For such interfaces, it is best to omit the 'optional' option if you can. If the firewall starts successfully when the interface doesn't exist, then it will work correctly when the interface is created and configured. If the firewall doesn't start and you need to add 'optional', then you will also need to arrange for 'shorewall enable tun0' to be executed when the VPN starts.

-Tom

--
Tom Eastep           \ When I die, I want to go like my Grandfather who
Shoreline,            \ died peacefully in his sleep. Not screaming like
Washington, USA        \ all of the passengers in his car
http://shorewall.net    \________________________________________________
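An added example (not from the thread or from Shorewall itself) of how the second case in Tom's answer can be wired up: a single hook script that tinc can run as both tinc-up and tinc-down, so an interface listed with 'optional' in /etc/shorewall/interfaces is enabled in the running firewall once tincd has created it and disabled again when it is torn down. It assumes tincd exports INTERFACE to the hook (as tinc does), that the installed Shorewall provides the `enable`/`disable` commands, and that the SHOREWALL and NET_SYSFS variables may be overridden for testing, which is this example's own convention.

```shell
#!/bin/sh
# Hook for tinc: symlink or copy this file to both tinc-up and tinc-down
# in the tinc network directory. tincd sets INTERFACE before calling it.
# SHOREWALL and NET_SYSFS are overridable only so the script can be
# exercised without a real firewall (an assumption of this example).

SHOREWALL="${SHOREWALL:-/sbin/shorewall}"
NET_SYSFS="${NET_SYSFS:-/sys/class/net}"

# iface_present NAME: 0 if the kernel currently has the interface, 1 otherwise.
# This is the state the thread is about: tun0 is absent, not merely down,
# while tincd is not running.
iface_present() {
    [ -d "$NET_SYSFS/$1" ]
}

# toggle_iface ACTION NAME: ACTION is "up" or "down".
# Returns 2 for a bad action, 3 if asked to enable an interface that does
# not exist yet, otherwise the exit status of the shorewall command.
toggle_iface() {
    action="$1"; name="$2"
    case "$action" in
        up)
            iface_present "$name" || {
                echo "$name is not present; not enabling it" >&2
                return 3
            }
            "$SHOREWALL" enable "$name"
            ;;
        down)
            "$SHOREWALL" disable "$name"
            ;;
        *)
            echo "usage: $0 up|down IFACE" >&2
            return 2
            ;;
    esac
}

# When invoked by tincd, INTERFACE is set; the script name selects the direction.
if [ -n "$INTERFACE" ]; then
    case "$0" in
        *tinc-down) toggle_iface down "$INTERFACE" ;;
        *)          toggle_iface up   "$INTERFACE" ;;
    esac
fi
```

If you keep 'optional' off the interface, as Tom recommends first, none of this is needed: the rules Shorewall installs at start already apply once the interface appears.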
