On 11/24/18 7:59 AM, Alex wrote:
> Hi,
> I have a shorewall-5.2.0.4 system on fedora28 connecting to a similar
> shorewall system as a net-to-net VPN and having some difficulties with
> rules for the VPNs involved with the firewall.
> 
> The local side is 68.194.193.42 (orion) with private subnet
> 192.168.1.0/24 behind it and the remote side is 65.45.72.6 (cyclops)
> with 64.1.15.0/27 (DMZ) behind it.
> 
> The problem I'm having is that hosts in the DMZ can't reach hosts on
> the private subnet 192.168.1.0/24. Should the local private network be
> listed in hosts among the VPN networks?
> 
> I have all these networks listed in the hosts file as part of the VPN on 
> orion:
> vpn               br0:192.168.1.0/24,65.45.72.6,64.1.15.0/27 ipsec
> 
> How do I indicate to the firewall that the 64.1.15.0/27 network is the
> DMZ on the remote firewall and should be accessed through the VPN by the
> local private network 192.168.1.0/24?
> 
> I've included below my current configuration, but I don't believe the
> "ext" network is defined properly.
> 
> interfaces:
> ext     br0             detect          tcpflags,nosmurfs,routefilter,logmartians
> int     eth1            detect          tcpflags,nosmurfs,routefilter,logmartians,routeback
> 
> zones:
> vpn     ipsec   mode=tunnel     mss=1400
> ext     ipv4
> int     ipv4
> 
> Should I create a "dmz" zone to contain the 64.1.15.0/27 remote network?
> 
> policy:
> int     int     ACCEPT
> int     ext     ACCEPT
> $FW     int     ACCEPT
> int     vpn     ACCEPT
> int     $FW     ACCEPT
> vpn     int     ACCEPT  info
> $FW     vpn     ACCEPT
> vpn     $FW     ACCEPT
> $FW     ext     ACCEPT
> all     all     REJECT  $LOG
> 

I can't begin to help you without knowing what your IPSEC config looks
like. The output of 'shorewall dump' would be very helpful.

-Tom
-- 
Tom Eastep        \   Q: What do you get when you cross a mobster with
Shoreline,         \     an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
                      \_______________________________________________


_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
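The question above turns on how Shorewall decides which zone a packet belongs to (interface, then the networks listed for that interface in the hosts file, with `ipsec` entries only matching traffic that actually went through an IPsec SA) and which policy line then applies (first match in the policy file, `all` as wildcard). The script below is an added example written for this page, not Shorewall's code; it is a deliberately simplified model of that lookup, fed with the interfaces/hosts/zones/policy fragments Alex posted (constructed inline). The `ipsec_protected` flag stands in for the kernel's xfrm policy match that a real `ipsec` zone requires; everything else that Shorewall does (nested zones, rules files, connection tracking) is left out.

```python
"""Simplified model of Shorewall zone and policy resolution (added example).

Not Shorewall's own code.  It mimics the order a practitioner reasons
through when reading interfaces/hosts/zones/policy: find the source and
destination zones from interface + hosts entries, then take the first
matching policy line.  The IPsec policy match is modelled only as a flag.
"""
import ipaddress

FW = "$FW"

# Constructed from the fragments posted in the thread.
INTERFACES = {"br0": "ext", "eth1": "int"}          # interface -> zone
ZONES = ["vpn", "ext", "int"]                       # zones-file order
HOSTS = [                                           # zone, iface, net, opts
    ("vpn", "br0", "192.168.1.0/24", {"ipsec"}),
    ("vpn", "br0", "65.45.72.6", {"ipsec"}),
    ("vpn", "br0", "64.1.15.0/27", {"ipsec"}),
]
POLICY = [                                          # src, dst, action, log
    ("int", "int", "ACCEPT", None),
    ("int", "ext", "ACCEPT", None),
    (FW, "int", "ACCEPT", None),
    ("int", "vpn", "ACCEPT", None),
    ("int", FW, "ACCEPT", None),
    ("vpn", "int", "ACCEPT", "info"),
    (FW, "vpn", "ACCEPT", None),
    ("vpn", FW, "ACCEPT", None),
    (FW, "ext", "ACCEPT", None),
    ("all", "all", "REJECT", "$LOG"),
]


def zone_for(ip, iface, ipsec_protected=False):
    """Zone of an address seen on iface.

    hosts entries are tried in file order; an entry with the 'ipsec' option
    only matches when the packet is covered by an IPsec policy (modelled by
    the flag).  Otherwise the interface's own zone applies.  iface=None
    means the firewall itself ($FW).
    """
    if iface is None:
        return FW
    addr = ipaddress.ip_address(ip)
    for zone, host_iface, net, opts in HOSTS:
        if host_iface != iface:
            continue
        if "ipsec" in opts and not ipsec_protected:
            continue
        if addr in ipaddress.ip_network(net, strict=False):
            return zone
    return INTERFACES[iface]


def policy_for(src_zone, dst_zone):
    """First matching policy line; 'all' is a wildcard on either side."""
    for psrc, pdst, action, log in POLICY:
        if psrc in (src_zone, "all") and pdst in (dst_zone, "all"):
            return action, log
    raise LookupError("no policy matches %s -> %s" % (src_zone, dst_zone))


def decide(src_ip, in_iface, dst_ip, out_iface, ipsec_protected=False):
    """(src_zone, dst_zone, action, log) for one flow through the box."""
    src_zone = zone_for(src_ip, in_iface, ipsec_protected)
    dst_zone = zone_for(dst_ip, out_iface, ipsec_protected)
    action, log = policy_for(src_zone, dst_zone)
    return src_zone, dst_zone, action, log


def undefined_zone_refs():
    """Zones named in hosts/policy that the zones file does not define."""
    known = set(ZONES) | {FW, "all"}
    refs = {z for z, _, _, _ in HOSTS} | {z for s, d, _, _ in POLICY for z in (s, d)}
    return sorted(refs - known)


if __name__ == "__main__":
    # DMZ host reaching a private host, decrypted on br0, leaving on eth1
    print(decide("64.1.15.10", "br0", "192.168.1.20", "eth1", True))
    # Same addresses arriving in clear on br0: falls back to the ext zone
    print(decide("64.1.15.10", "br0", "192.168.1.20", "eth1", False))
    print(undefined_zone_refs())
```

The two `decide` calls in the `__main__` block make the practical point: with the posted policy, DMZ traffic that really comes in over the tunnel is classified `vpn -> int` and accepted, while the same addresses arriving in cleartext on br0 land in `ext` and hit the final `all all REJECT`. Whether the real packets take the first or the second path is exactly what the IPsec configuration (and hence `shorewall dump`) would show, which is why Tom asks for it.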
