Hi,
I'm using a complex shorewall configuration: I've two sites (site A and site B). In both sites I have a shorewall box. Both sites have independent Internet connections. The sites have an ipsec tunnel (=). The policy is to drop everything by default and to accept everything directed to Lan A coming from Lan B and vice versa.
Now to FW B there are some road warriors that connect with openvpn. The routing tells these road warriors to send to FW B everything destined to Lan A. The routing on FW B tells it to send everything directed to Lan A through the ipsec tunnel.
But on FW there is no policy and no rule that accepts traffic coming from 10.17.7.0/24. I can't understand why the road warriors can access everything in Lan A. The problem is surely in the FW A configuration, but I cannot understand where. Perhaps the policy can't filter the traffic because of the fact that it is encrypted (ipsec)? Both FW A and FW B are VPN (ipsec) gateways.
Any hints? Any ideas?

FW B has shorewall 1.3.14a
FW A has shorewall 2.2.3

This is a scheme of my configuration:

                        RoadWarriors (10.17.7.0/24)
                                  |
                                  |
       FW A  ====================  FW B
     (site A)                    (site B)
        |                            |
      Lan A                        Lan B
   (10.2.0.0/16)                (10.7.0.0/16)

Bye and Thanks

-------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
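What a practitioner needs from FW A here is the chain and rule that actually accepts the road-warrior flow, which is what the iptables listing in a Shorewall status dump gives you, and reading it by hand for a multi-chain ruleset is error-prone. The following is an added example, not code from this thread or from the Shorewall project: a small first-match tracer over an iptables-style chain model, run against a constructed and deliberately simplified imitation of the chains Shorewall 2.x would build on FW A. The chain names, the interface assignment (eth0 towards the Internet and the tunnel, eth1 towards Lan A) and the "lanb" network are all assumptions; in particular the over-broad 10.0.0.0/8 case is a hypothetical misconfiguration chosen to show how a source nobody wrote a rule for can still land in an accepting zone chain, not a diagnosis of the poster's setup.

```python
"""Trace a flow through a simplified iptables-style rule set (first match wins).

Added example, not code from the Shorewall project or from this thread.
The chains in build_chains() are a constructed, simplified imitation of what
Shorewall 2.x generates; the over-broad 'lanb' network is a hypothetical
misconfiguration used for illustration only.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field

TERMINAL = {"ACCEPT", "DROP", "REJECT"}


@dataclass
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    in_if: str
    out_if: str


@dataclass
class Rule:
    # target is ACCEPT/DROP/REJECT/RETURN or the name of a user chain to jump to
    target: str
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    in_if: str | None = None
    out_if: str | None = None

    def matches(self, pkt: Packet) -> bool:
        return (
            pkt.src in ipaddress.ip_network(self.src, strict=False)
            and pkt.dst in ipaddress.ip_network(self.dst, strict=False)
            and (self.in_if is None or self.in_if == pkt.in_if)
            and (self.out_if is None or self.out_if == pkt.out_if)
        )


@dataclass
class Chain:
    rules: list[Rule] = field(default_factory=list)
    policy: str | None = None  # only built-in chains (FORWARD) carry a policy


def trace(chains: dict[str, Chain], start: str, pkt: Packet) -> tuple[str, list[str]]:
    """Return (verdict, path); path lists 'chain:index' for every rule that matched."""
    path: list[str] = []

    def walk(name: str) -> str | None:
        chain = chains[name]
        for i, rule in enumerate(chain.rules):
            if not rule.matches(pkt):
                continue
            path.append(f"{name}:{i}")
            if rule.target in TERMINAL:
                return rule.target
            if rule.target == "RETURN":
                return None
            verdict = walk(rule.target)  # user chain; None means it fell through
            if verdict is not None:
                return verdict
        return chain.policy  # None for user chains, so the caller keeps scanning

    verdict = walk(start)
    return (verdict or "DROP"), path  # no terminal match and no policy: treat as DROP


def build_chains(lanb_net: str) -> dict[str, Chain]:
    """Constructed FW A rule set. eth0 = Internet/IPsec side, eth1 = Lan A.

    lanb_net is the network the 'lanb' zone covers on eth0. The intended value
    is 10.7.0.0/16; passing something broader shows how traffic from
    10.17.7.0/24 can reach the lanb2lana chain without any rule naming it.
    """
    return {
        "FORWARD": Chain(policy="DROP", rules=[
            Rule("eth0_fwd", in_if="eth0"),
            Rule("eth1_fwd", in_if="eth1"),
        ]),
        # classify by source network into zone-pair chains, first match wins
        "eth0_fwd": Chain(rules=[
            Rule("lanb2lana", src=lanb_net, dst="10.2.0.0/16", out_if="eth1"),
            Rule("net2lana", dst="10.2.0.0/16", out_if="eth1"),
        ]),
        "eth1_fwd": Chain(rules=[
            Rule("lana2lanb", src="10.2.0.0/16", dst="10.7.0.0/16", out_if="eth0"),
            Rule("lana2net", src="10.2.0.0/16", out_if="eth0"),
        ]),
        "lanb2lana": Chain(rules=[Rule("ACCEPT")]),  # Lan B -> Lan A: accept all
        "lana2lanb": Chain(rules=[Rule("ACCEPT")]),
        "lana2net": Chain(rules=[Rule("ACCEPT")]),
        "net2lana": Chain(rules=[Rule("DROP")]),     # default policy: drop
    }


def trace_flow(lanb_net: str, src: str, dst: str) -> tuple[str, list[str]]:
    """Trace a Lan-A-bound flow arriving on eth0 through the constructed rule set."""
    pkt = Packet(ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst), "eth0", "eth1")
    return trace(build_chains(lanb_net), "FORWARD", pkt)


if __name__ == "__main__":
    for net in ("10.0.0.0/8", "10.7.0.0/16"):
        for src in ("10.17.7.5", "10.7.0.5"):
            verdict, path = trace_flow(net, src, "10.2.0.10")
            print(f"lanb={net:12} {src:>10} -> 10.2.0.10: {verdict:6} via {' > '.join(path)}")
```

With the hypothetical 10.0.0.0/8 zone the road-warrior flow is accepted through lanb2lana even though no rule mentions 10.17.7.0/24; with the intended 10.7.0.0/16 it falls into net2lana and is dropped, while genuine Lan B traffic is still accepted in both cases. On a real box the same question is answered by reading the per-rule packet counters in the status output and looking for the chain whose counters move when a road warrior sends traffic.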
Mauro G. Todeschini wrote:
> Hi,
> I'm using a complex shorewall configuration:
> I've two sites (site A and site B). In both sites I have a shorewall
> box. Both sites have independent Internet connections. The sites have an
> ipsec tunnel (=). The policy is to drop everything by default and to accept
> everything directed to Lan A coming from Lan B and vice versa.
> Now to FW B there are some road warriors that connect with openvpn.
> The routing tells these road warriors to send to FW B everything
> destined to Lan A. The routing on FW B tells it to send everything
> directed to Lan A through the ipsec tunnel.
> But on FW there is no policy and no rule that accepts traffic coming
> from 10.17.7.0/24.

ehm... I mean on FW A

Bye
Mauro G. Todeschini wrote:
> Mauro G. Todeschini wrote:
>> Hi,
>> I'm using a complex shorewall configuration:
>> I've two sites (site A and site B). In both sites I have a shorewall
>> box. Both sites have independent Internet connections. The sites have an
>> ipsec tunnel (=). The policy is to drop everything by default and to accept
>> everything directed to Lan A coming from Lan B and vice versa.
>> Now to FW B there are some road warriors that connect with openvpn.
>> The routing tells these road warriors to send to FW B everything
>> destined to Lan A. The routing on FW B tells it to send everything
>> directed to Lan A through the ipsec tunnel.
>> But on FW there is no policy and no rule that accepts traffic coming
>> from 10.17.7.0/24.
> ehm... I mean on FW A
>

We won't be able to give you any help unless you give us details (output of "shorewall dump" on FW B as an attachment would be good).

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> Mauro G. Todeschini wrote:
>> Mauro G. Todeschini wrote:
>>> Hi,
>>> I'm using a complex shorewall configuration:
>>> I've two sites (site A and site B). In both sites I have a shorewall
>>> box. Both sites have independent Internet connections. The sites have an
>>> ipsec tunnel (=). The policy is to drop everything by default and to accept
>>> everything directed to Lan A coming from Lan B and vice versa.
>>> Now to FW B there are some road warriors that connect with openvpn.
>>> The routing tells these road warriors to send to FW B everything
>>> destined to Lan A. The routing on FW B tells it to send everything
>>> directed to Lan A through the ipsec tunnel.
>>> But on FW there is no policy and no rule that accepts traffic coming
>>> from 10.17.7.0/24.
>> ehm... I mean on FW A
>>
>
> We won't be able to give you any help unless you give us details (output
> of "shorewall dump" on FW B as an attachment would be good).

Thanks for answering, but as I said in my first message my firewalls use shorewall versions which are a bit old:

FW B has shorewall 1.3.14a
FW A has shorewall 2.2.3

I read in the FAQs that these versions are old and unsupported, but I think that the problem is in FW A (well, I want to be able to decide on FW A what it should ACCEPT or DROP), and FW A has the debian stable version of shorewall. If I can, I'd like to continue using this version: I prefer not to install on my boxes software not coming directly from debian stable (to continue using their good quality security updates).

So, I can't use "shorewall dump" because this command appeared in shorewall 3.
Any other hints or data I can send to help me with my problem?

Bye and Thanks (especially to Tom, who created one of the best Open Source applications I've ever seen and who has supported it in a marvellous way).
Mauro G. Todeschini wrote:
> Tom Eastep wrote:
>
>> Mauro G. Todeschini wrote:
>>
>>> Mauro G. Todeschini wrote:
>>>
>>>> Hi,
>>>> I'm using a complex shorewall configuration:
>>>> I've two sites (site A and site B). In both sites I have a shorewall
>>>> box. Both sites have independent Internet connections. The sites have an
>>>> ipsec tunnel (=). The policy is to drop everything by default and to accept
>>>> everything directed to Lan A coming from Lan B and vice versa.
>>>> Now to FW B there are some road warriors that connect with openvpn.
>>>> The routing tells these road warriors to send to FW B everything
>>>> destined to Lan A. The routing on FW B tells it to send everything
>>>> directed to Lan A through the ipsec tunnel.
>>>> But on FW there is no policy and no rule that accepts traffic coming
>>>> from 10.17.7.0/24.
>>>
>>> ehm... I mean on FW A
>>>
>>
>> We won't be able to give you any help unless you give us details (output
>> of "shorewall dump" on FW B as an attachment would be good).
>
> I read in the FAQs that these versions are old and unsupported, but I think
> that the problem is in FW A (well, I want to be able to decide on FW A
> what it should ACCEPT or DROP), and FW A has the debian stable version of
> shorewall. If I can, I'd like to continue using this version: I prefer
> not to install on my boxes software not coming directly from debian
> stable (to continue using their good quality security updates).
>
> So, I can't use "shorewall dump" because this command appeared in
> shorewall 3.
> Any other hints or data I can send to help me with my problem?

As stated at http://www.shorewall.net/2.0/support.htm, on Shorewall 2.x systems we need the output of "shorewall status".

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key