Here's what I use:
/etc/shorewall/params:
lan4_net=192.168.4.0/24
wifi_net=192.168.6.0/24
local_net=$lan4_net,$wifi_net
RFC1918=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
zones:
# all RFC 1918 that we're not using
r1918 ipv4
hosts:
r1918 $LAN4_IF:$RFC1918!$local_net,$ipsec_net,$ovpn_net
r1918 $WIFI_IF:$RFC1918!$local_net,$ipsec_net,$ovpn_net
inet $INET1_IF:!$RFC1918
inet $INET2_IF:!$RFC1918
policy:
r1918 fw REJECT notice
lan4 r1918 REJECT info
r1918 lan4 REJECT notice
wifi r1918 REJECT notice
r1918 wifi REJECT notice
r1918 inet DROP warning
Bill
On 10/13/2017 4:53 AM, Dorian Kind wrote:
Hi all,
I'm a happy shorewall user since 2009 and never had an issue that I couldn't solve using the excellent documentation. There's
just one thing that always bugged me. We have a couple of tunnels to branch offices, for which shorewall inserts the
appropriate iptables rules (webr being the local zone, while the *pn zones are connected over IPsec tunnels):
Chain webr_frwd (1 references)
pkts bytes target prot opt in out source destination
[...]
759K 121M webr2gvapn all -- * eth-ext1 0.0.0.0/0 <http://0.0.0.0/0> 10.50.0.0/16 <http://10.50.0.0/16>
policy match dir out pol ipsec
6660K 4097M webr2swlpn all -- * eth-ext1 0.0.0.0/0 <http://0.0.0.0/0> 10.60.0.0/16 <http://10.60.0.0/16>
policy match dir out pol ipsec
18M 66G webr2fnopn all -- * eth-ext1 0.0.0.0/0 <http://0.0.0.0/0> 10.70.0.0/16 <http://10.70.0.0/16>
policy match dir out pol ipsec
4961K 6804M webr2hyppn all -- * eth-ext1 0.0.0.0/0 <http://0.0.0.0/0> 10.80.0.0/16 <http://10.80.0.0/16>
policy match dir out pol ipsec
99227 134M webr2rwvpn all -- * eth-ext1 0.0.0.0/0 <http://0.0.0.0/0> 10.100.0.0/16 <http://10.100.0.0/16>
policy match dir out pol ipsec
However, in order to prevent local traffic from leaking out when the IPsec SA can't be established for some reason, I use a
script to insert the following two rules after shorewall has generated its ruleset--because per policy, local (webr) traffic
to the internet is allowed:
iptables -I OUTPUT -d 10.0.0.0/8 <http://10.0.0.0/8> --out-interface eth-ext1 -m policy --pol none --dir out -j REJECT
--reject-with icmp-admin-prohibited
iptables -I FORWARD -d 10.0.0.0/8 <http://10.0.0.0/8> --out-interface eth-ext1 -m policy --pol none --dir out -j REJECT
--reject-with icmp-admin-prohibited
I would really like to integrate these rules into the shorewall configuration, but can't figure out any way to do it. From
what I can tell, shorewall-rules does not have policy match options.
Is there a canonical way to prevent RFC1918-addressed, non IPsec encrypted
packets from leaving the FW on an external interface?
Thanks and best regards,
Dorian
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
