OK, started a new thread with an appropriate topic; also reconfigured this mail client to be more friendly to the list. I think I have my bridge part good. This is /etc/init.d/bridge start:

#!/bin/bash

# Define Bridge Interface
br="br0"

# Define list of TAP interfaces to be bridged
tap="tap0"

# Define a list of physical ethernet interfaces to be bridged
# with TAP interface(s) above.
#
eth="eth1"
eth_ip="10.194.79.191"
eth_netmask="255.255.255.0"
eth_broadcast="10.194.79.255"
default_gw=10.194.79.191

# Path to the system networking script
# For Debian
#NETWORK="/etc/init.d/networking"
# For SuSE
NETWORK="/etc/init.d/network"

# Path to the openvpn start/stop script
OPENVPN_INIT="/etc/init.d/openvpn"

# Path to the openvpn binary
OPENVPN="/usr/sbin/openvpn"

# Path to the brctl binary
BRCTL="/sbin/brctl"

# Path to the ifconfig binary
IFCONFIG="/sbin/ifconfig"

# Path to the route binary
ROUTE="/sbin/route"

do_start(){

    for i in $tap; do
        $OPENVPN --mktun --dev $i
    done

    $BRCTL addbr $br

    for i in $eth; do
        $BRCTL addif $br $i
    done

    for i in $tap; do
        $BRCTL addif $br $i
    done

    for i in $eth; do
        $IFCONFIG $i 0.0.0.0 promisc up
    done

    for i in $tap; do
        $IFCONFIG $i 0.0.0.0 promisc up
    done

    $IFCONFIG $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast

    $ROUTE add default gw $default_gw

    $OPENVPN_INIT start

}

do_stop(){

    $IFCONFIG $br down
    $BRCTL delbr $br

    for i in $tap; do
        $OPENVPN --rmtun --dev $i
        $IFCONFIG $i down
        $NETWORK force-reload
    done

    $OPENVPN_INIT stop

}

case "$1" in

    start)
        do_start
        ;;
    stop)
        do_stop
        ;;
    restart)
        do_stop
        sleep 1
        do_start
        ;;
    *)
        echo "usage: $0 start|stop|restart" >&2
        exit 3
        ;;
esac
exit 0

Thu Jun 11 17:21:22 2009 us=403996 Current Parameter Settings:
Thu Jun 11 17:21:22 2009 us=404125 config = '/etc/openvpn/honda.conf'
Thu Jun 11 17:21:22 2009 us=404149 mode = 1
Thu Jun 11 17:21:22 2009 us=404170 persist_config = DISABLED
Thu Jun 11 17:21:22 2009 us=404189 persist_mode = 1
Thu Jun 11 17:21:22 2009 us=404210 show_ciphers = DISABLED
Thu Jun 11 17:21:22 2009 us=404229 show_digests = DISABLED
Thu Jun 11 17:21:22 2009 us=404248 show_engines = DISABLED
Thu Jun 11 17:21:22 2009 us=404268 genkey = DISABLED
Thu Jun 11 17:21:22 2009 us=404288 key_pass_file = '[UNDEF]'
Thu Jun 11 17:21:22 2009 us=404308 show_tls_ciphers = DISABLED
Thu Jun 11 17:21:22 2009 us=404329 proto = 0
Thu Jun 11 17:21:22 2009 us=404348 local = '10.194.79.191'
Thu Jun 11 17:21:22 2009 us=404368 remote_list = NULL
Thu Jun 11 17:21:22 2009 us=404390 remote_random = DISABLED
Thu Jun 11 17:21:22 2009 us=404410 local_port = 1194
Thu Jun 11 17:21:22 2009 us=404430 remote_port = 1194
Thu Jun 11 17:21:22 2009 us=404450 remote_float = DISABLED
Thu Jun 11 17:21:22 2009 us=404469 ipchange = '[UNDEF]'
Thu Jun 11 17:21:22 2009 us=404489 bind_local = ENABLED
Thu Jun 11 17:21:22 2009 us=404518 dev = 'tap0'
Thu Jun 11 17:21:22 2009 us=404538 dev_type = '[UNDEF]'
Thu Jun 11 17:21:22 2009 us=404558 dev_node = '[UNDEF]'
Thu Jun 11 17:21:22 2009 us=404578 tun_ipv6 = DISABLED
Thu Jun 11 17:21:22 2009 us=404597 ifconfig_local = '[UNDEF]'
Thu Jun 11 17:21:22 2009 us=404620 ifconfig_remote_netmask = '[UNDEF]'
Thu Jun 11 17:21:22 2009 us=404640 ifconfig_noexec = DISABLED
Thu Jun 11 17:21:22 2009 us=404659 ifconfig_nowarn = DISABLED
Thu Jun 11 17:21:22 2009 us=404678 shaper = 0
Thu Jun 11 17:21:22 2009 us=404698 tun_mtu = 1500
Thu Jun 11 17:21:22 2009 us=404718 tun_mtu_defined = ENABLED
Thu Jun 11 17:21:22 2009 us=404738 link_mtu = 1500
Thu Jun 11 17:21:22 2009 us=404757 link_mtu_defined = DISABLED
Thu Jun 11 17:21:22 2009 us=404777 tun_mtu_extra = 32
Thu Jun 11 17:21:22 2009 us=404797 tun_mtu_extra_defined = ENABLED
Thu Jun 11 17:21:22 2009 us=404816 fragment = 0
Thu Jun 11 17:21:22 2009 us=404836 mtu_discover_type = -1
Thu Jun 11 17:21:22 2009 us=404856 mtu_test = 0
Thu Jun 11 17:21:22 2009 us=404875 mlock = DISABLED
Thu Jun 11 17:21:22 2009 us=404934 keepalive_ping = 10
Thu Jun 11 17:21:22 2009 us=404955 keepalive_timeout = 120
Thu Jun 11 17:21:22 2009 us=404974 inactivity_timeout = 0
Thu Jun 11 17:21:22 2009 us=404994 ping_send_timeout = 10
Thu Jun 11 17:21:22 2009 us=405013 ping_rec_timeout = 240
Thu Jun 11 17:21:22 2009 us=405033 ping_rec_timeout_action = 2
Thu Jun 11 17:21:22 2009 us=405053 ping_timer_remote = DISABLED
Thu Jun 11 17:21:22 2009 us=405073 remap_sigusr1 = 0
Thu Jun 11 17:21:22 2009 us=405093 explicit_exit_notification = 0
Thu Jun 11 17:21:22 2009 us=405113 persist_tun = ENABLED
Thu Jun 11 17:21:22 2009 us=405132 persist_local_ip = DISABLED
Thu Jun 11 17:21:22 2009 us=405152 persist_remote_ip = DISABLED
Thu Jun 11 17:21:22 2009 us=405172 persist_key = ENABLED
Thu Jun 11 17:21:22 2009 us=405191 mssfix = 1450
Thu Jun 11 17:21:22 2009 us=405210 passtos = DISABLED
Thu Jun 11 17:21:22 2009 us=405230 resolve_retry_seconds = 1000000000
Thu Jun 11 17:21:22 2009 us=405250 connect_retry_seconds = 5
Thu Jun 11 17:21:22 2009 us=405270 username = 'nobody'
Thu Jun 11 17:21:22 2009 us=405290 groupname = 'nogroup'
Thu Jun 11 17:21:22 2009 us=405309 chroot_dir = '[UNDEF]'
Thu Jun 11 17:21:22 2009 us=405328 cd_dir = '/etc/openvpn'
Thu Jun 11 17:21:22 2009 us=405348 writepid = '/var/run/openvpn/honda.pid'
Thu Jun 11 17:21:22 2009 us=405368 up_script = '[UNDEF]'
Thu Jun 11 17:21:22 2009 us=405387 down_script = '[UNDEF]'
Thu Jun 11 17:21:22 2009 us=405407 down_pre = DISABLED
Thu Jun 11 17:21:22 2009 us=405427 up_restart = DISABLED
Thu Jun 11 17:21:22 2009 us=405445 up_delay = DISABLED
Thu Jun 11 17:21:22 2009 us=405465 daemon = ENABLED
Thu Jun 11 17:21:22 2009 us=405485 inetd = 0
Thu Jun 11 17:21:22 2009 us=405504 log = ENABLED
Thu Jun 11 17:21:22 2009 us=405524 suppress_timestamps = DISABLED
Thu Jun 11 17:21:22 2009 us=405544 nice = 0
Thu Jun 11 17:21:22 2009 us=405563 verbosity = 5
Thu Jun 11 17:21:22 2009 us=405583 mute = 0
Thu Jun 11 17:21:22 2009 us=405602 gremlin = 0
Thu Jun 11 17:21:22 2009 us=405622 status_file = '/etc/openvpn/servers/honda/logs/openvpn-status.log'
Thu Jun 11 17:21:22 2009 us=405642 status_file_version = 1
Thu Jun 11 17:21:22 2009 us=405661 status_file_update_freq = 60
Thu Jun 11 17:21:22 2009 us=405681 occ = ENABLED
Thu Jun 11 17:21:22 2009 us=405701 rcvbuf = 65536
Thu Jun 11 17:21:22 2009 us=405720 sndbuf = 65536
Thu Jun 11 17:21:22 2009 us=405740 socks_proxy_server = '[UNDEF]'
Thu Jun 11 17:21:22 2009 us=405761 socks_proxy_port = 0
Thu Jun 11 17:21:22 2009 us=405780 socks_proxy_retry = DISABLED
Thu Jun 11 17:21:22 2009 us=405799 fast_io = DISABLED
Thu Jun 11 17:21:22 2009 us=405819 comp_lzo = ENABLED
Thu Jun 11 17:21:22 2009 us=405838 comp_lzo_adaptive = ENABLED
Thu Jun 11 17:21:22 2009 us=405858 route_script = '[UNDEF]'
Thu Jun 11 17:21:22 2009 us=405878 route_default_gateway = '[UNDEF]'
Thu Jun 11 17:21:22 2009 us=405898 route_noexec = DISABLED
Thu Jun 11 17:21:22 2009 us=405917 route_delay = 0
Thu Jun 11 17:21:22 2009 us=405937 route_delay_window = 30
Thu Jun 11 17:21:22 2009 us=405957 route_delay_defined = DISABLED
Thu Jun 11 17:21:22 2009 us=405976 management_addr = '[UNDEF]'
Thu Jun 11 17:21:22 2009 us=405997 management_port = 0
Thu Jun 11 17:21:22 2009 us=406016 management_user_pass = '[UNDEF]'
Thu Jun 11 17:21:22 2009 us=406036 management_log_history_cache = 250
Thu Jun 11 17:21:22 2009 us=406056 management_echo_buffer_size = 100
Thu Jun 11 17:21:22 2009 us=406076 management_query_passwords = DISABLED
Thu Jun 11 17:21:22 2009 us=406096 management_hold = DISABLED
Thu Jun 11 17:21:22 2009 us=406115 shared_secret_file = '[UNDEF]'
Thu Jun 11 17:21:22 2009 us=406136 key_direction = 0
Thu Jun 11 17:21:22 2009 us=406156 ciphername_defined = ENABLED
Thu Jun 11 17:21:22 2009 us=406177 ciphername = 'BF-CBC'
Thu Jun 11 17:21:22 2009 us=406197 authname_defined = ENABLED
Thu Jun 11 17:21:22 2009 us=406217 authname = 'SHA1'
Thu Jun 11 17:21:22 2009 us=406237 keysize = 0
Thu Jun 11 17:21:22 2009 us=406257 engine = DISABLED
Thu Jun 11 17:21:22 2009 us=406295 replay = ENABLED
Thu Jun 11 17:21:22 2009 us=406316 mute_replay_warnings = DISABLED
Thu Jun 11 17:21:22 2009 us=406337 replay_window = 64
Thu Jun 11 17:21:22 2009 us=406357 replay_time = 15
Thu Jun 11 17:21:22 2009 us=406377 packet_id_file = '[UNDEF]'
Thu Jun 11 17:21:22 2009 us=406397 use_iv = ENABLED
Thu Jun 11 17:21:22 2009 us=406416 test_crypto = DISABLED
Thu Jun 11 17:21:22 2009 us=406435 tls_server = ENABLED
Thu Jun 11 17:21:22 2009 us=406455 tls_client = DISABLED
Thu Jun 11 17:21:22 2009 us=406475 key_method = 2
Thu Jun 11 17:21:22 2009 us=406495 ca_file = '/etc/openvpn/keys/honda/ca.crt'
Thu Jun 11 17:21:22 2009 us=406515 dh_file = '/etc/openvpn/keys/honda/dh2048.pem'
Thu Jun 11 17:21:22 2009 us=406535 cert_file = '/etc/openvpn/keys/honda/ca.crt'
Thu Jun 11 17:21:22 2009 us=406555 priv_key_file = '/etc/openvpn/keys/honda/ca.key'
Thu Jun 11 17:21:22 2009 us=406576 pkcs12_file = '[UNDEF]'
Thu Jun 11 17:21:22 2009 us=406595 cipher_list = '[UNDEF]'
Thu Jun 11 17:21:22 2009 us=406614 tls_verify = '[UNDEF]'
Thu Jun 11 17:21:22 2009 us=406634 tls_remote = '[UNDEF]'
Thu Jun 11 17:21:22 2009 us=406653 crl_file = '[UNDEF]'
Thu Jun 11 17:21:22 2009 us=406674 ns_cert_type = 0
Thu Jun 11 17:21:22 2009 us=406694 tls_timeout = 2
Thu Jun 11 17:21:22 2009 us=406714 renegotiate_bytes = 0
Thu Jun 11 17:21:22 2009 us=406734 renegotiate_packets = 0
Thu Jun 11 17:21:22 2009 us=406755 renegotiate_seconds = 3600
Thu Jun 11 17:21:22 2009 us=406775 handshake_window = 60
Thu Jun 11 17:21:22 2009 us=406795 transition_window = 3600
Thu Jun 11 17:21:22 2009 us=406815 single_session = DISABLED
Thu Jun 11 17:21:22 2009 us=406835 tls_exit = DISABLED
Thu Jun 11 17:21:22 2009 us=406855 tls_auth_file = '[UNDEF]'
Thu Jun 11 17:21:22 2009 us=406877 server_network = 0.0.0.0
Thu Jun 11 17:21:22 2009 us=406899 server_netmask = 0.0.0.0
Thu Jun 11 17:21:22 2009 us=406927 server_bridge_ip = 10.194.79.191
Thu Jun 11 17:21:22 2009 us=406951 server_bridge_netmask = 255.255.255.0
Thu Jun 11 17:21:22 2009 us=406974 server_bridge_pool_start = 10.194.79.200
Thu Jun 11 17:21:22 2009 us=406996 server_bridge_pool_end = 10.194.79.202
Thu Jun 11 17:21:22 2009 us=407016 push_list = 'route 10.194.79.0 255.255.255.0,route-gateway 10.194.79.191,ping 10,ping-restart 120'
Thu Jun 11 17:21:22 2009 us=407037 ifconfig_pool_defined = ENABLED
Thu Jun 11 17:21:22 2009 us=407060 ifconfig_pool_start = 10.194.79.200
Thu Jun 11 17:21:22 2009 us=407081 ifconfig_pool_end = 10.194.79.202
Thu Jun 11 17:21:22 2009 us=407103 ifconfig_pool_netmask = 255.255.255.0
Thu Jun 11 17:21:22 2009 us=407124 ifconfig_pool_persist_filename = '[UNDEF]'
Thu Jun 11 17:21:22 2009 us=407145 ifconfig_pool_persist_refresh_freq = 600
Thu Jun 11 17:21:22 2009 us=407165 ifconfig_pool_linear = DISABLED
Thu Jun 11 17:21:22 2009 us=407186 n_bcast_buf = 256
Thu Jun 11 17:21:22 2009 us=407207 tcp_queue_limit = 64
Thu Jun 11 17:21:22 2009 us=407226 real_hash_size = 256
Thu Jun 11 17:21:22 2009 us=407247 virtual_hash_size = 256
Thu Jun 11 17:21:22 2009 us=407267 client_connect_script = '[UNDEF]'
Thu Jun 11 17:21:22 2009 us=407287 learn_address_script = '[UNDEF]'
Thu Jun 11 17:21:22 2009 us=407308 client_disconnect_script = '[UNDEF]'
Thu Jun 11 17:21:22 2009 us=407328 client_config_dir = '[UNDEF]'
Thu Jun 11 17:21:22 2009 us=407349 ccd_exclusive = DISABLED
Thu Jun 11 17:21:22 2009 us=407369 tmp_dir = '[UNDEF]'
Thu Jun 11 17:21:22 2009 us=407389 push_ifconfig_defined = DISABLED
Thu Jun 11 17:21:22 2009 us=407411 push_ifconfig_local = 0.0.0.0
Thu Jun 11 17:21:22 2009 us=407433 push_ifconfig_remote_netmask = 0.0.0.0
Thu Jun 11 17:21:22 2009 us=407453 enable_c2c = ENABLED
Thu Jun 11 17:21:22 2009 us=407473 duplicate_cn = DISABLED
Thu Jun 11 17:21:22 2009 us=407493 cf_max = 0
Thu Jun 11 17:21:22 2009 us=407513 cf_per = 0
Thu Jun 11 17:21:22 2009 us=407534 max_clients = 1024
Thu Jun 11 17:21:22 2009 us=407554 max_routes_per_client = 256
Thu Jun 11 17:21:22 2009 us=407591 client_cert_not_required = DISABLED
Thu Jun 11 17:21:22 2009 us=407612 username_as_common_name = DISABLED
Thu Jun 11 17:21:22 2009 us=407633 auth_user_pass_verify_script = '[UNDEF]'
Thu Jun 11 17:21:22 2009 us=407654 auth_user_pass_verify_script_via_file = DISABLED
Thu Jun 11 17:21:22 2009 us=407674 client = DISABLED
Thu Jun 11 17:21:22 2009 us=407694 pull = DISABLED
Thu Jun 11 17:21:22 2009 us=407715 auth_user_pass_file = '[UNDEF]'
Thu Jun 11 17:21:22 2009 us=407736 OpenVPN 2.0.9 i586-suse-linux [SSL] [LZO] [EPOLL] built on Dec 3 2008
Thu Jun 11 17:21:22 2009 us=459576 Diffie-Hellman initialized with 2048 bit key
Thu Jun 11 17:21:22 2009 us=460423 TLS-Auth MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
Thu Jun 11 17:21:22 2009 us=460530 TUN/TAP device tap0 opened
Thu Jun 11 17:21:22 2009 us=460562 TUN/TAP TX queue length set to 100
Thu Jun 11 17:21:22 2009 us=460622 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Thu Jun 11 17:21:22 2009 us=461498 GID set to nogroup
Thu Jun 11 17:21:22 2009 us=461608 UID set to nobody
Thu Jun 11 17:21:22 2009 us=461673 Socket Buffers: R=[112640->131072] S=[112640->131072]
Thu Jun 11 17:21:22 2009 us=461729 UDPv4 link local (bound): 10.194.79.191:1194
Thu Jun 11 17:21:22 2009 us=461757 UDPv4 link remote: [undef]
Thu Jun 11 17:21:22 2009 us=461809 MULTI: multi_init called, r=256 v=256
Thu Jun 11 17:21:22 2009 us=461924 IFCONFIG POOL: base=10.194.79.200 size=3
Thu Jun 11 17:21:22 2009 us=461993 Initialization Sequence Completed

and my ifconfig:

linux-rwu0:~ # ifconfig
br0       Link encap:Ethernet  HWaddr 00:16:17:7E:FE:D1
          inet addr:10.194.79.191  Bcast:10.194.79.255  Mask:255.255.255.0
          inet6 addr: fe80::216:17ff:fe7e:fed1/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:317 errors:0 dropped:0 overruns:0 frame:0
          TX packets:241 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:43215 (42.2 Kb)  TX bytes:133486 (130.3 Kb)

eth0      Link encap:Ethernet  HWaddr 00:14:D1:13:43:11
          inet addr:75.149.172.88  Bcast:75.149.172.95  Mask:255.255.255.240
          inet6 addr: fe80::214:d1ff:fe13:4311/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1865 errors:0 dropped:0 overruns:0 frame:0
          TX packets:966 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:165265 (161.3 Kb)  TX bytes:146769 (143.3 Kb)
          Interrupt:20 Base address:0xa000

eth1      Link encap:Ethernet  HWaddr 00:16:17:7E:FE:D1
          inet6 addr: fe80::216:17ff:fe7e:fed1/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:4218 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2006 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:507287 (495.3 Kb)  TX bytes:1009394 (985.7 Kb)
          Interrupt:23 Base address:0x4000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:43 errors:0 dropped:0 overruns:0 frame:0
          TX packets:43 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:5508 (5.3 Kb)  TX bytes:5508 (5.3 Kb)

tap0      Link encap:Ethernet  HWaddr AA:84:53:75:10:7D
          inet6 addr: fe80::a884:53ff:fe75:107d/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:622 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 b)  TX bytes:35184 (34.3 Kb)

Not sure how to config shorewall or if I have this bridge right, but there seem to be several ways to config shorewall here. Which shorewall docs should I look at with SuSE 11.1 and shorewall 4.2.9?

------------------------------------------------------------------------------
Crystal Reports - New Free Runtime and 30 Day Trial
Check out the new simplified licensing option that enables unlimited
royalty-free distribution of the report engine for externally facing
server and web deployment.
http://p.sf.net/sfu/businessobjects
-------- Original Message --------
> From: "Mike Lander" <landers@lanlinecomputers.com>
> Sent: Thursday, June 11, 2009 10:38 PM
> To: shorewall-users@lists.sourceforge.net
> Subject: [Shorewall-users] Openvpn Bridge
>
> not sure how to config shorewall or if I have this bridge right but
> now there seems to be several ways to config shorewall here
> which shorewall docs should I look at with suse 11.1 and shorewall 4.2.9?

Forgot this, sorry :<) My openvpn config is in /etc/openvpn, not in servers or client. Is that correct? My config is below; note the LAN is temporary, I have no client up yet.

server-bridge 10.194.79.191 255.255.255.0 10.194.79.200 10.194.79.202
client-to-client
local 10.194.79.191
port 1194
#remote 66.224.100.194 1194 dont need this anymore
#except on client I believe
verb 5
mute 0
ca /etc/openvpn/keys/honda/ca.crt
cert /etc/openvpn/keys/honda/ca.crt
key /etc/openvpn/keys/honda/ca.key
dh /etc/openvpn/keys/honda/dh2048.pem
proto udp
dev tap0
user nobody
group nogroup
keepalive 10 120
status /etc/openvpn/servers/honda/logs/openvpn-status.log
log-append /etc/openvpn/servers/honda/logs/openvpn.log
comp-lzo
persist-key
persist-tun
push "route 10.194.79.0 255.255.255.0"
#
#These opt will work on the server install
#OFF for now
#push "dhcp-option DNS 10.3.85.15"
#push "dhcp-option WINS 10.3.85.15"
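As an added example (not from the thread, OpenVPN or Shorewall), a small Python audit of the server config posted above: it parses the directives and flags what a reviewer would check first, namely the cert and key directives pointing at the CA's own ca.crt and ca.key, the server-bridge pool against the bridge netmask, and the absence of tls-auth and an explicit cipher. POSTED_CONF is reconstructed from the post; the file names in the corrected FIXED_CONF variant are placeholders.

```python
# Added example for this thread (not OpenVPN or Shorewall code): audit the
# server-bridge config posted above. POSTED_CONF is reconstructed from the post.
import ipaddress
import posixpath
import shlex

POSTED_CONF = """\
server-bridge 10.194.79.191 255.255.255.0 10.194.79.200 10.194.79.202
client-to-client
local 10.194.79.191
port 1194
verb 5
mute 0
ca /etc/openvpn/keys/honda/ca.crt
cert /etc/openvpn/keys/honda/ca.crt
key /etc/openvpn/keys/honda/ca.key
dh /etc/openvpn/keys/honda/dh2048.pem
proto udp
dev tap0
user nobody
group nogroup
keepalive 10 120
status /etc/openvpn/servers/honda/logs/openvpn-status.log
log-append /etc/openvpn/servers/honda/logs/openvpn.log
comp-lzo
persist-key
persist-tun
push "route 10.194.79.0 255.255.255.0"
"""

# Constructed variant with the flagged points addressed; server.crt,
# server.key and ta.key are placeholder names, not files from the post.
FIXED_CONF = (
    POSTED_CONF
    .replace("cert /etc/openvpn/keys/honda/ca.crt", "cert /etc/openvpn/keys/honda/server.crt")
    .replace("key /etc/openvpn/keys/honda/ca.key", "key /etc/openvpn/keys/honda/server.key")
    + "tls-auth /etc/openvpn/keys/honda/ta.key 0\ncipher AES-256-CBC\n"
)


def parse_conf(text):
    """Map each directive to a list of argument lists (push may repeat)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        tokens = shlex.split(line)  # honours the quotes around push options
        conf.setdefault(tokens[0], []).append(tokens[1:])
    return conf


def _stem(path):
    """'/etc/openvpn/keys/honda/ca.crt' -> 'ca'."""
    return posixpath.splitext(posixpath.basename(path))[0]


def audit(conf):
    """Return (code, message) findings for a parsed server-bridge config."""
    findings = []
    ca, cert, key = (conf.get(d, [[None]])[0][0] for d in ("ca", "cert", "key"))

    # The server must present a certificate issued by the CA, not the CA cert itself.
    if ca and cert and posixpath.normpath(ca) == posixpath.normpath(cert):
        findings.append(("CERT_IS_CA", "cert points at the CA certificate: " + cert))
    # Filename heuristic: ca.crt beside ca.key means the CA private key lives on
    # the VPN server, where a server compromise also compromises the CA.
    if ca and key and _stem(ca) == _stem(key):
        findings.append(("KEY_IS_CA_KEY", "key looks like the CA private key: " + key))

    sb = conf.get("server-bridge")
    if sb and len(sb[0]) >= 4:
        gw, mask, start, end = sb[0][:4]
        net = ipaddress.IPv4Network((gw, mask), strict=False)
        gw_ip = ipaddress.IPv4Address(gw)
        lo, hi = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
        if lo > hi:
            findings.append(("POOL_REVERSED", "pool start %s is above pool end %s" % (lo, hi)))
        if lo not in net or hi not in net:
            findings.append(("POOL_OUTSIDE_NET", "pool %s-%s is not inside %s" % (lo, hi, net)))
        if lo <= gw_ip <= hi:
            findings.append(("GW_IN_POOL", "bridge address %s lies inside the client pool" % gw_ip))

    if "tls-auth" not in conf:
        findings.append(("NO_TLS_AUTH", "no tls-auth: control-channel packets are not HMAC-checked before TLS"))
    if "cipher" not in conf:
        findings.append(("NO_CIPHER", "no cipher directive; the posted log shows the 2.0.9 default BF-CBC (64-bit blocks)"))
    # Dropping to nobody/nogroup only survives a restart when both persist options are set.
    if ("user" in conf or "group" in conf) and not ("persist-key" in conf and "persist-tun" in conf):
        findings.append(("PERSIST_MISSING", "user/group set without both persist-key and persist-tun"))
    return findings


def finding_codes(text):
    """Just the codes, in the order audit() reports them."""
    return [code for code, _ in audit(parse_conf(text))]
```

Running audit(parse_conf(POSTED_CONF)) on the posted config reports CERT_IS_CA, KEY_IS_CA_KEY, NO_TLS_AUTH and NO_CIPHER; the pool 10.194.79.200-202 sits inside 10.194.79.0/24 and clear of the bridge address, so no pool finding fires.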
> not sure how to config shorewall or if I have this bridge right but
> now there seems to be several ways to config shorewall here
> which shorewall docs should I look at with suse 11.1 and shorewall 4.2.9?

I used the Shorewall simple bridge since this seems to fit when no traffic control is needed. Can I still shape traffic?

interfaces
#ZONE   INTERFACE       BROADCAST       OPTIONS
net     eth0            detect          tcpflags,nosmurfs
loc     br0             detect          routeback,bridge

Seemed too simple that all I needed was to edit interfaces; there is nothing in tunnels or zones, and I got this error:

Checking /etc/shorewall/masq...
   ERROR: Unknown Interface (eth1) : /etc/shorewall/masq (line 18)

so changed that to

#INTERFACE      SOURCE  ADDRESS         PROTO   PORT(S) IPSEC   MARK
eth0            br0

Is this all there is to this? Also, why is it not mentioned to change SNAT for internet access from br0 to the WAN eth0?

On the simple bridge page it states: "This example illustrates the bridging of two ethernet devices but the types of the devices really isn't important"

Not trying to be smart here, but I don't feel like I have got this right with so little Shorewall config here?

Thank you
Mike
Mike Lander wrote:
> not sure how to config shorewall or if I have this bridge right but
> now there seems to be several ways to config shorewall here
> which shorewall docs should I look at with suse 11.1 and shorewall 4.2.9?

Hi Mike,

'brctl show br0' will show you the bridge configuration.

Do you need to firewall traffic through the bridge? If not, simply set
'routeback' on 'br0' and you are finished. That's
http://www.shorewall.net/SimpleBridge.html. If you need to firewall
traffic through the bridge, then you need to follow
http://www.shorewall.net/bridge-Shorewall-perl.html.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
Mike Lander wrote:
> push "route 10.194.79.0 255.255.255.0"

You don't need to push a route to the local LAN with a bridged setup.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
Mike Lander wrote:
>
>> not sure how to config shorewall or if I have this bridge right but
>> now there seems to be several ways to config shorewall here
>> which shorewall docs should I look at with suse 11.1 and shorewall 4.2.9?
>>
> I used the shorewall simple bridge since this seem to fit when no traffic
> control is needed, Can I still shape traffic?
> interfaces
> #ZONE INTERFACE BROADCAST OPTIONS
> net eth0 detect tcpflags,nosmurfs
> loc br0 detect routeback,bridge

You don't need 'bridge'.

>
> Seemed to simple that all I needed is to edit interfaces
> there is nothing in tunnels or zones and I got this error
>
> Checking /etc/shorewall/masq...
> ERROR: Unknown Interface (eth1) : /etc/shorewall/masq (line 18)
> so changed that to
>
> #INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC MARK
> eth0 br0
>
> Is this all there is to this?

Yes.

> Also why is it not mentioned to change snat for internet
> access? from br0 to wan eth0?

The two-interface quickstart guide tells you to change
/etc/shorewall/masq to match your setup.

> On the simple bridge it states
> "This example illustrates the bridging of two ethernet devices but the types of the devices really isn't important"
> Not trying to be smart here but I dont feel like have got this right with so little shorewall config here?

That's because it is really very very simple. It is a two-interface
basic setup with the local interface being 'br0' rather than an
ethernet device.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
>
> Mike Lander wrote:
>
> > not sure how to config shorewall or if I have this bridge right but
> > now there seems to be several ways to config shorewall here
> > which shorewall docs should I look at with suse 11.1 and shorewall 4.2.9?
>
> Hi Mike,
>
> 'brctl show br0' will show you the bridge configuration.

Tom

linux-rwu0:~ # brctl show br0
bridge name     bridge id               STP enabled     interfaces
br0             8000.0016177efed1       no              eth1
                                                        tap0

>
> Do you need to firewall traffic through the bridge? If not, simply set
> 'routeback' on 'br0' and you are finished. That's
> http://www.shorewall.net/SimpleBridge.html. If you need to firewall
> traffic through the bridge, then you need to follow
> http://www.shorewall.net/bridge-Shorewall-perl.html.

I do need to firewall traffic to the internet eth0; however, for traffic between the bridge I just need traffic shaping. I removed the push route and bridge option.

Items I changed in Shorewall from the stock two-interface setup are in interfaces, masq, and routestopped, which is correct according to simple bridge I believe. I changed these as follows:

net     eth0    detect  tcpflags,nosmurfs
loc     br0     detect  routeback

masq
eth0    br0

routestopped
br0     -

However, when starting the bridge with /etc/init.d/bridge, I lose connectivity with the internet from the firewall and LAN. I believe routing in the /etc/init.d/bridge is incorrect. I followed examples and I believe the gateway is incorrect. Here is /etc/init.d/bridge, ip route ls and ifconfig.

#!/bin/bash

########openvpn bridge-script#################
# Set up Ethernet bridge on Linux
# Requires: bridge-utils
#################################

# Define Bridge Interface
br="br0"

# Define list of TAP interfaces to be bridged
tap="tap0"

# Define a list of physical ethernet interfaces to be bridged
# with TAP interface(s) above.
#
eth="eth1"
eth_ip="10.194.79.191"
eth_netmask="255.255.255.0"
eth_broadcast="10.194.79.255"
default_gw=10.194.79.191

# Path to the system networking script
# For Debian
#NETWORK="/etc/init.d/networking"
# For SuSE
NETWORK="/etc/init.d/network"

# Path to the openvpn start/stop script
OPENVPN_INIT="/etc/init.d/openvpn"

# Path to the openvpn binary
OPENVPN="/usr/sbin/openvpn"

# Path to the brctl binary
BRCTL="/sbin/brctl"

# Path to the ifconfig binary
IFCONFIG="/sbin/ifconfig"

# Path to the route binary
ROUTE="/sbin/route"

do_start(){

    for i in $tap; do
        $OPENVPN --mktun --dev $i
    done

    $BRCTL addbr $br

    for i in $eth; do
        $BRCTL addif $br $i
    done

    for i in $tap; do
        $BRCTL addif $br $i
    done

    for i in $eth; do
        $IFCONFIG $i 0.0.0.0 promisc up
    done

    for i in $tap; do
        $IFCONFIG $i 0.0.0.0 promisc up
    done

    $IFCONFIG $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast

    $ROUTE add default gw $default_gw

    $OPENVPN_INIT start

}

do_stop(){

    $IFCONFIG $br down
    $BRCTL delbr $br

    for i in $tap; do
        $OPENVPN --rmtun --dev $i
        $IFCONFIG $i down
        $NETWORK force-reload
    done

    $OPENVPN_INIT stop

}

case "$1" in

    start)
        do_start
        ;;
    stop)
        do_stop
        ;;
    restart)
        do_stop
        sleep 1
        do_start
        ;;
    *)
        echo "usage: $0 start|stop|restart" >&2
        exit 3
        ;;
esac
exit 0

linux-rwu0:~ # ip route ls
75.149.172.80/28 dev eth0  proto kernel  scope link  src 75.149.172.88
10.194.79.0/24 dev br0  proto kernel  scope link  src 10.194.79.191
169.254.0.0/16 dev eth0  scope link
127.0.0.0/8 dev lo  scope link
default via 10.194.79.191 dev br0  scope link
default via 75.149.172.94 dev eth0

The gateway to br0 is the problem, I think. Since the firewall already has a gateway, do I enter 75.149.172.94 as the gateway in /etc/init.d/bridge?

ifconfig

linux-rwu0:~ # ifconfig
br0       Link encap:Ethernet  HWaddr 00:16:17:7E:FE:D1
          inet addr:10.194.79.191  Bcast:10.194.79.255  Mask:255.255.255.0
          inet6 addr: fe80::216:17ff:fe7e:fed1/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1742 errors:0 dropped:0 overruns:0 frame:0
          TX packets:881 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:145423 (142.0 Kb)  TX bytes:257627 (251.5 Kb)

eth0      Link encap:Ethernet  HWaddr 00:14:D1:13:43:11
          inet addr:75.149.172.88  Bcast:75.149.172.95  Mask:255.255.255.240
          inet6 addr: fe80::214:d1ff:fe13:4311/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:739 errors:0 dropped:0 overruns:0 frame:0
          TX packets:309 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:69916 (68.2 Kb)  TX bytes:36146 (35.2 Kb)
          Interrupt:20 Base address:0x4000

eth1      Link encap:Ethernet  HWaddr 00:16:17:7E:FE:D1
          inet6 addr: fe80::216:17ff:fe7e:fed1/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:2987 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1538 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:317952 (310.5 Kb)  TX bytes:528815 (516.4 Kb)
          Interrupt:23 Base address:0xc000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:25 errors:0 dropped:0 overruns:0 frame:0
          TX packets:25 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:2788 (2.7 Kb)  TX bytes:2788 (2.7 Kb)

tap0      Link encap:Ethernet  HWaddr 8E:F2:06:E9:82:70
          inet6 addr: fe80::8cf2:6ff:fee9:8270/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1067 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 b)  TX bytes:85438 (83.4 Kb)

Mike
> >
> > Mike Lander wrote:
> >
> > > not sure how to config shorewall or if I have this bridge right but
> > > now there seems to be several ways to config shorewall here
> > > which shorewall docs should I look at with suse 11.1 and shorewall 4.2.9?
> >
> > Hi Mike,
> >
> > 'brctl show br0' will show you the bridge configuration.
> Tom
>
> linux-rwu0:~ # brctl show br0
> bridge name     bridge id               STP enabled     interfaces
> br0             8000.0016177efed1       no              eth1
>                                                         tap0
>
> >
> > Do you need to firewall traffic through the bridge? If not, simply set
> > 'routeback' on 'br0' and you are finished. That's
> > http://www.shorewall.net/SimpleBridge.html. If you need to firewall
> > traffic through the bridge, then you need to follow
> > http://www.shorewall.net/bridge-Shorewall-perl.html.
>
> I do need to firewall traffic to the internet eth0, however traffic
> between the bridge I just need traffic shaping. I remove the push
> route and bridge option.
>
> Items I changed in shorewall from stock two interface is in interfaces,masq, and routestopped
> which is correct according to simple bridge I believe. I changed these as follows
>
> net eth0 detect tcpflags,nosmurfs
> loc br0 detect routeback
>
> masq
> eth0 br0
>
> routestopped
> br0 -
>
> However when starting the bridge with /etc/init.d/bridge, I lose connectivity with
> the internet from the firewall and lan. I believe routing in the /etc/init.d/bridge
> is incorrect. I followed examples and I believe the gateway is incorrect.
> Here is /etc/init.d/bridge, ip route ls and ifconfig.

Ok, changing the gateway to my eth0 gateway fixed that, with the complaint "SIOCADDRT: File exists", but now the box and LAN have internet access. If I leave the gateway blank it complains as well; maybe remove the gateway from /etc/sysconfig/routes to make it pretty. However, things are working now. Or maybe modify the script to remove the gateway entry?

linux-rwu0:~ # /etc/init.d/bridge start
Fri Jun 12 03:42:43 2009 TUN/TAP device tap0 opened
Fri Jun 12 03:42:43 2009 Persist state set to: ON
SIOCADDRT: File exists
Starting OpenVPN

Mike
On Fri, 2009-06-12 at 08:36 -0700, Mike Lander wrote:
> >
> > Mike Lander wrote:
> >
> > > not sure how to config shorewall or if I have this bridge right but
> > > now there seems to be several ways to config shorewall here
> > > which shorewall docs should I look at with suse 11.1 and shorewall 4.2.9?
> >
> > Hi Mike,
> >
> > 'brctl show br0' will show you the bridge configuration.
> Tom
>
> linux-rwu0:~ # brctl show br0
> bridge name     bridge id               STP enabled     interfaces
> br0             8000.0016177efed1       no              eth1
>                                                         tap0
>
> >
> > Do you need to firewall traffic through the bridge? If not, simply set
> > 'routeback' on 'br0' and you are finished. That's
> > http://www.shorewall.net/SimpleBridge.html. If you need to firewall
> > traffic through the bridge, then you need to follow
> > http://www.shorewall.net/bridge-Shorewall-perl.html.
>
> I do need to firewall traffic to the internet eth0, however traffic
> between the bridge I just need traffic shaping. I remove the push
> route and bridge option.
>
> Items I changed in shorewall from stock two interface is in interfaces,masq, and routestopped
> which is correct according to simple bridge I believe. I changed these as follows
>
> net eth0 detect tcpflags,nosmurfs
> loc br0 detect routeback
>
> masq
> eth0 br0
>
> routestopped
> br0 -
>
> However when starting the bridge with /etc/init.d/bridge, I lose connectivity with
> the internet from the firewall and lan. I believe routing in the /etc/init.d/bridge
> is incorrect. I followed examples and I believe the gateway is incorrect.
> Here is /etc/init.d/bridge, ip route ls and ifconfig.
>
> #!/bin/bash
>
> ########openvpn bridge-script#################
> # Set up Ethernet bridge on Linux
> # Requires: bridge-utils
> #################################
>
> # Define Bridge Interface
> br="br0"
>
> # Define list of TAP interfaces to be bridged
> tap="tap0"
>
> # Define a list of physical ethernet interfaces to be bridged
> # with TAP interface(s) above.
> #
> eth="eth1"
> eth_ip="10.194.79.191"
> eth_netmask="255.255.255.0"
> eth_broadcast="10.194.79.255"
> default_gw=10.194.79.191
>

Don't add default_gw here; the firewall would be the gateway for that LAN.

> # Path to the system networking script
> # For Debian
> #NETWORK="/etc/init.d/networking"
> # For SuSE
> NETWORK="/etc/init.d/network"
>
> # Path to the openvpn start/stop script
> OPENVPN_INIT="/etc/init.d/openvpn"
>
> # Path to the openvpn binary
> OPENVPN="/usr/sbin/openvpn"
>
> # Path to the brctl binary
> BRCTL="/sbin/brctl"
>
> # Path to the ifconfig binary
> IFCONFIG="/sbin/ifconfig"
>
> # Path to the route binary
> ROUTE="/sbin/route"
>
> do_start(){
>
>     for i in $tap; do
>         $OPENVPN --mktun --dev $i
>     done
>
>     $BRCTL addbr $br
>
>     for i in $eth; do
>         $BRCTL addif $br $i
>     done
>
>     for i in $tap; do
>         $BRCTL addif $br $i
>     done
>
>     for i in $eth; do
>         $IFCONFIG $i 0.0.0.0 promisc up
>     done
>
>     for i in $tap; do
>         $IFCONFIG $i 0.0.0.0 promisc up
>     done
>
>     $IFCONFIG $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast
>
>     $ROUTE add default gw $default_gw
>
>     $OPENVPN_INIT start
>
> }
>
> do_stop(){
>
>     $IFCONFIG $br down
>     $BRCTL delbr $br
>
>     for i in $tap; do
>         $OPENVPN --rmtun --dev $i
>         $IFCONFIG $i down
>         $NETWORK force-reload
>     done
>
>     $OPENVPN_INIT stop
>
> }
>
> case "$1" in
>
>     start)
>         do_start
>         ;;
>     stop)
>         do_stop
>         ;;
>     restart)
>         do_stop
>         sleep 1
>         do_start
>         ;;
>     *)
>         echo "usage: $0 start|stop|restart" >&2
>         exit 3
>         ;;
> esac
> exit 0
>
> linux-rwu0:~ # ip route ls
> 75.149.172.80/28 dev eth0  proto kernel  scope link  src 75.149.172.88
> 10.194.79.0/24 dev br0  proto kernel  scope link  src 10.194.79.191
> 169.254.0.0/16 dev eth0  scope link
> 127.0.0.0/8 dev lo  scope link
> default via 10.194.79.191 dev br0  scope link
> default via 75.149.172.94 dev eth0
>
> The gateway to br0 is the problem I think. Since the firewall already has
> a gateway do enter 75.149.172.94 as the gateway in /etc/init.d/bridge?
>

No, don't add anything to the bridge script as a gateway.

> ifconfig
>
> linux-rwu0:~ # ifconfig
> br0       Link encap:Ethernet  HWaddr 00:16:17:7E:FE:D1
>           inet addr:10.194.79.191  Bcast:10.194.79.255  Mask:255.255.255.0
>           inet6 addr: fe80::216:17ff:fe7e:fed1/64 Scope:Link
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:1742 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:881 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:0
>           RX bytes:145423 (142.0 Kb)  TX bytes:257627 (251.5 Kb)
>
> eth0      Link encap:Ethernet  HWaddr 00:14:D1:13:43:11
>           inet addr:75.149.172.88  Bcast:75.149.172.95  Mask:255.255.255.240
>           inet6 addr: fe80::214:d1ff:fe13:4311/64 Scope:Link
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:739 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:309 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:69916 (68.2 Kb)  TX bytes:36146 (35.2 Kb)
>           Interrupt:20 Base address:0x4000
>
> eth1      Link encap:Ethernet  HWaddr 00:16:17:7E:FE:D1
>           inet6 addr: fe80::216:17ff:fe7e:fed1/64 Scope:Link
>           UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
>           RX packets:2987 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:1538 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:317952 (310.5 Kb)  TX bytes:528815 (516.4 Kb)
>           Interrupt:23 Base address:0xc000
>
> lo        Link encap:Local Loopback
>           inet addr:127.0.0.1  Mask:255.0.0.0
>           inet6 addr: ::1/128 Scope:Host
>           UP LOOPBACK RUNNING  MTU:16436  Metric:1
>           RX packets:25 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:25 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:0
>           RX bytes:2788 (2.7 Kb)  TX bytes:2788 (2.7 Kb)
>
> tap0      Link encap:Ethernet  HWaddr 8E:F2:06:E9:82:70
>           inet6 addr: fe80::8cf2:6ff:fee9:8270/64 Scope:Link
>           UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
>           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:1067 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:100
>           RX bytes:0 (0.0 b)  TX bytes:85438 (83.4 Kb)
>
>
> Mike
>

Jerry
Mike Lander wrote:
>
>> Mike Lander wrote:
>>
>>> not sure how to config shorewall or if I have this bridge right but
>>> now there seems to be several ways to config shorewall here
>>> which shorewall docs should I look at with suse 11.1 and shorewall 4.2.9?
>> Hi Mike,
>>
>> 'brctl show br0' will show you the bridge configuration.
> Tom
>
> linux-rwu0:~ # brctl show br0
> bridge name     bridge id               STP enabled     interfaces
> br0             8000.0016177efed1       no              eth1
>                                                         tap0
>
>> Do you need to firewall traffic through the bridge? If not, simply set
>> 'routeback' on 'br0' and you are finished. That's
>> http://www.shorewall.net/SimpleBridge.html. If you need to firewall
>> traffic through the bridge, then you need to follow
>> http://www.shorewall.net/bridge-Shorewall-perl.html.
>
> I do need to firewall traffic to the internet eth0, however traffic
> between the bridge I just need traffic shaping. I remove the push
> route and bridge option.
>
> Items I changed in shorewall from stock two interface is in interfaces,masq, and routestopped
> which is correct according to simple bridge I believe. I changed these as follows
>
> net eth0 detect tcpflags,nosmurfs
> loc br0 detect routeback
>
> masq
> eth0 br0
>
> routestopped
> br0 -
>
> However when starting the bridge with /etc/init.d/bridge, I lose connectivity with
> the internet from the firewall and lan. I believe routing in the /etc/init.d/bridge
> is incorrect. I followed examples and I believe the gateway is incorrect.
> Here is /etc/init.d/bridge, ip route ls and ifconfig.
>
> #!/bin/bash
>
> ########openvpn bridge-script#################
> # Set up Ethernet bridge on Linux
> # Requires: bridge-utils
> #################################
>
> # Define Bridge Interface
> br="br0"
>
> # Define list of TAP interfaces to be bridged
> tap="tap0"
>
> # Define a list of physical ethernet interfaces to be bridged
> # with TAP interface(s) above.
> #
> eth="eth1"
> eth_ip="10.194.79.191"
> eth_netmask="255.255.255.0"
> eth_broadcast="10.194.79.255"
> default_gw=10.194.79.191
>
> # Path to the system networking script
> # For Debian
> #NETWORK="/etc/init.d/networking"
> # For SuSE
> NETWORK="/etc/init.d/network"
>
> # Path to the openvpn start/stop script
> OPENVPN_INIT="/etc/init.d/openvpn"
>
> # Path to the openvpn binary
> OPENVPN="/usr/sbin/openvpn"
>
> # Path to the brctl binary
> BRCTL="/sbin/brctl"
>
> # Path to the ifconfig binary
> IFCONFIG="/sbin/ifconfig"
>
> # Path to the route binary
> ROUTE="/sbin/route"
>
> do_start(){
>
>     for i in $tap; do
>         $OPENVPN --mktun --dev $i
>     done
>
>     $BRCTL addbr $br
>
>     for i in $eth; do
>         $BRCTL addif $br $i
>     done
>
>     for i in $tap; do
>         $BRCTL addif $br $i
>     done
>
>     for i in $eth; do
>         $IFCONFIG $i 0.0.0.0 promisc up
>     done
>
>     for i in $tap; do
>         $IFCONFIG $i 0.0.0.0 promisc up
>     done
>
>     $IFCONFIG $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast
>
>     $ROUTE add default gw $default_gw
>
>     $OPENVPN_INIT start
>
> }
>
> do_stop(){
>
>     $IFCONFIG $br down
>     $BRCTL delbr $br
>
>     for i in $tap; do
>         $OPENVPN --rmtun --dev $i
>         $IFCONFIG $i down
>         $NETWORK force-reload
>     done
>
>     $OPENVPN_INIT stop
>
> }
>
> case "$1" in
>
>     start)
>         do_start
>         ;;
>     stop)
>         do_stop
>         ;;
>     restart)
>         do_stop
>         sleep 1
>         do_start
>         ;;
>     *)
>         echo "usage: $0 start|stop|restart" >&2
>         exit 3
>         ;;
> esac
> exit 0
>
> linux-rwu0:~ # ip route ls
> 75.149.172.80/28 dev eth0  proto kernel  scope link  src 75.149.172.88
> 10.194.79.0/24 dev br0  proto kernel  scope link  src 10.194.79.191
> 169.254.0.0/16 dev eth0  scope link
> 127.0.0.0/8 dev lo  scope link
> default via 10.194.79.191 dev br0  scope link
> default via 75.149.172.94 dev eth0
>
> The gateway to br0 is the problem I think. Since the firewall already has
> a gateway do enter 75.149.172.94 as the gateway in /etc/init.d/bridge?

Mike -- You seem to be one of the folks who mistakenly believes that
every interface needs a default gateway. That is simply not true. You
only need multiple default routes when you have multiple links to the
internet.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
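Tom's point above, as an added check that is not part of the thread: a small POSIX shell audit that reads an "ip route ls" listing and flags a host carrying more than one default route, and in particular any default route whose gateway is one of the host's own addresses, which is exactly what the bridge script's "route add default gw 10.194.79.191" installed on br0. The routing tables embedded below are constructed copies of Mike's table, before and after removing that route; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread: audit a routing table for extra
# default routes, especially one that points the host at itself.

# Constructed sample: the table Mike posted, with its two default routes.
SAMPLE_ROUTES='75.149.172.80/28 dev eth0 proto kernel scope link src 75.149.172.88
10.194.79.0/24 dev br0 proto kernel scope link src 10.194.79.191
169.254.0.0/16 dev eth0 scope link
127.0.0.0/8 dev lo scope link
default via 10.194.79.191 dev br0 scope link
default via 75.149.172.94 dev eth0'

# Constructed sample: the same table once the br0 default route is gone.
FIXED_ROUTES='75.149.172.80/28 dev eth0 proto kernel scope link src 75.149.172.88
10.194.79.0/24 dev br0 proto kernel scope link src 10.194.79.191
169.254.0.0/16 dev eth0 scope link
127.0.0.0/8 dev lo scope link
default via 75.149.172.94 dev eth0'

# Number of default routes in the table read from stdin.
# grep -c exits 1 when the count is 0, so mask that for set -e callers.
count_default_routes() {
    grep -c '^default ' || true
}

# Print every default route whose gateway is one of the host's own
# addresses, taken from the "src" field of the kernel's connected routes.
# Such a route sends traffic to the host itself and can only break things.
self_pointing_defaults() {
    awk '
        /proto kernel/ {
            for (i = 1; i <= NF; i++) if ($i == "src") own[$(i + 1)] = 1
        }
        $1 == "default" && $2 == "via" { n++; line[n] = $0; gw[n] = $3 }
        END { for (i = 1; i <= n; i++) if (gw[i] in own) print line[i] }'
}

# Full audit of the table on stdin: prints findings and returns 1 when
# there are any, 0 when the table has exactly one sane default route.
# A host with several uplinks may legitimately carry several default
# routes; the count is reported so that case gets reviewed, not hidden.
audit_routes() {
    table=$(cat)
    rc=0
    n=$(printf '%s\n' "$table" | count_default_routes)
    if [ "$n" -ne 1 ]; then
        printf 'found %s default routes (expected 1 on a single-uplink host)\n' "$n"
        rc=1
    fi
    bad=$(printf '%s\n' "$table" | self_pointing_defaults)
    if [ -n "$bad" ]; then
        printf 'default route via the host itself: %s\n' "$bad"
        rc=1
    fi
    return $rc
}

# On a live box:  ip route ls | audit_routes
```

Run against the constructed table, audit_routes reports two default routes and names the br0 one as pointing at the host itself; against the fixed table it is silent and returns 0, so it can sit in a boot-time sanity check after a script like /etc/init.d/bridge has run.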
Mike -- You seem to be one of the folks who mistakenly believes that every interface needs a default gateway. That is simply not true. You only need multiple default routes when you have multiple links to the internet.

Tom

No, I was not thinking I needed two routes. It's just that this script kept complaining that there was no gateway. So I went to the example script I used, and I think that guy was using RFC 1918 gateways, now that I think about it. I was very tired last night, desperate to get joy. Then first thing this morning that was the only mistake left in this config, other than the Shorewall entries you advised to correct. I came straight from bed, first cup of coffee. My brain needs a sec, you know. Behold, joy this morning.

Now I am configuring the client. Any tips I need there? I am hoping I can do this with two firewalls in my shop to test:

one with eth0 75.149.172.88 server br0 10.194.79.191
one with eth0 75.149.172.89 client br0 not sure yet.
both with isp gateway 75.149.172.94

Then I am taking them to their intended location.

Thank you Tom and Jerry. Good to hear from both of you, been awhile. I hope all is well :<)
Mike Lander wrote:
> Mike -- You seem to be one of the folks who mistakenly believes that
> every interface needs a default gateway. That is simply not true. You
> only need multiple default routes when you have multiple links to the
> internet.
>
> Tom
>
>
>
>
> No I was not thinking I needed two routes. Its just that this script
> kept complaining that there was no gateway. So I went to the example
> script I used and I think that guy was using rfc 1918 gateways now that
> I think about it. I was very tired last night desperate to get joy.
> Then first thing this morning that was the only mistake left in this
> config left. Other than the shorewall entries you advised to correct.
> I came straight from bed first cup coffee. My brain needs a sec you know.
> Behold joy this morning.
> Now I am configing the client. Any tips I need there?
> I am hoping I can do this with two firewalls in my shop to test
> one with eth0 75.149.172.88 server br0 10.194.79.191
> one with eth0 75.149.172.89 client br0 not sure yet.
> both with isp gateway 75.149.172.94
> Then I am taking them to their intended location.

Mike,

I realized earlier this morning that I've not tried to bridge an OpenVPN
client to a LAN -- only a server. So I would have to research that and
experiment myself if I needed to do it.

Sorry,
-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
Tom Eastep wrote:
> Mike Lander wrote:
>> Mike -- You seem to be one of the folks who mistakenly believes that
>> every interface needs a default gateway. That is simply not true. You
>> only need multiple default routes when you have multiple links to the
>> internet.
>>
>> Tom
>>
>>
>>
>>
>> No I was not thinking I needed two routes. Its just that this script
>> kept complaining that there was no gateway. So I went to the example
>> script I used and I think that guy was using rfc 1918 gateways now that
>> I think about it. I was very tired last night desperate to get joy.
>> Then first thing this morning that was the only mistake left in this
>> config left. Other than the shorewall entries you advised to correct.
>> I came straight from bed first cup coffee. My brain needs a sec you know.
>> Behold joy this morning.
>> Now I am configing the client. Any tips I need there?
>> I am hoping I can do this with two firewalls in my shop to test
>> one with eth0 75.149.172.88 server br0 10.194.79.191
>> one with eth0 75.149.172.89 client br0 not sure yet.
>> both with isp gateway 75.149.172.94
>> Then I am taking them to their intended location.
>
> Mike,
>
> I realized earlier this morning that I've not tried to bridge an OpenVPN
> client to a LAN -- only a server. So I would have to research that and
> experiment myself if I needed to do it.

Mike,

Looks like you want a simple p2p OpenVPN configuration rather than a
client-server configuration.

I tested this using a simple shared-key setup.

I set up the bridge between two systems:

172.20.1.102 - ursa
172.20.1.254 - gateway

Both systems, I configured a bridge with a single tun0 port.

ursa br0 is 10.0.0.1/24
gateway br0 is 10.0.0.2/24

On ursa, I executed this command:

openvpn --genkey --secret bridgekey

I used scp to copy the 'bridgekey' file to the other system.

On ursa, I then executed this command:

openvpn --remote 172.20.1.254 --dev tap0 --key bridgekey

and on gateway, I executed this command:

openvpn --remote 172.20.1.102 --dev tap0 --key bridgekey

Voila!!

root@ursa:~# ping 10.0.0.2
PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data.
64 bytes from 10.0.0.2: icmp_seq=1 ttl=64 time=2.24 ms
64 bytes from 10.0.0.2: icmp_seq=2 ttl=64 time=2.08 ms
64 bytes from 10.0.0.2: icmp_seq=3 ttl=64 time=2.43 ms
64 bytes from 10.0.0.2: icmp_seq=4 ttl=64 time=1.84 ms
64 bytes from 10.0.0.2: icmp_seq=5 ttl=64 time=2.10 ms
64 bytes from 10.0.0.2: icmp_seq=6 ttl=64 time=3.32 ms
^C
--- 10.0.0.2 ping statistics ---
6 packets transmitted, 6 received, 0% packet loss, time 5006ms
rtt min/avg/max/mdev = 1.846/2.340/3.326/0.476 ms
root@ursa:~#

Hope that helps,
-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
> > Looks like you want a simple p2p OpenVPN configuration rather than a > client-server configuration. > > I tested this using a simple shared-key setup. > > I set up the bridge between two systems: > > 172.20.1.102 - ursa > 172.20.1.254 - gateway > > Both systems, I configured a bridge with a single tun0 port. > > ursa br0 is 10.0.0.1/24 > gateway br0 is 10.0.0.2/24 > > On ursa, I executed this command: > > openvpn --genkey --secret bridgekey > > I used scp to copy the ''bridgekey'' file to the other system. > > On ursa, I then executed this command: > > openvpn --remote 172.20.1.254 --dev tap0 --key bridgekey > > and on gateway, I executed this command: > > openvpn --remote 172.20.1.102 --dev tap0 --key bridgekey > > Voila!! > > root@ursa:~# ping 10.0.0.2 > PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data. > 64 bytes from 10.0.0.2: icmp_seq=1 ttl=64 time=2.24 ms > 64 bytes from 10.0.0.2: icmp_seq=2 ttl=64 time=2.08 ms > 64 bytes from 10.0.0.2: icmp_seq=3 ttl=64 time=2.43 ms > 64 bytes from 10.0.0.2: icmp_seq=4 ttl=64 time=1.84 ms > 64 bytes from 10.0.0.2: icmp_seq=5 ttl=64 time=2.10 ms > 64 bytes from 10.0.0.2: icmp_seq=6 ttl=64 time=3.32 ms > ^C > --- 10.0.0.2 ping statistics --- > 6 packets transmitted, 6 received, 0% packet loss, time 5006ms > rtt min/avg/max/mdev = 1.846/2.340/3.326/0.476 ms > root@ursa:~# > > Hope that helps, > TomOk I configed both of these boxes this way. this is the fist box as you can see br0 is 10.194.79.191/24 the other box the same with exception br0 10.194.79.177/24 Then at the command line linux-rwu0:/etc/openvpn/easy-rsa/2.0 # openvpn --remote 75.149.172.89 --dev tap0 --key bridgekey Options error: Parameter priv_key_file can only be specified in TLS-mode, i.e. where --tls-server or --tls-client is also specified. Use --help for more information. How is this tls mode? My interfaces below Also you state: "Both systems, I configured a bridge with a single tun0 port" Also is this supposed to mean single tap0 port ? 
linux-rwu0:/etc/openvpn/easy-rsa/2.0 # ifconfig
br0       Link encap:Ethernet  HWaddr 00:16:17:7E:FE:D1
          inet addr:10.194.79.191  Bcast:10.194.79.255  Mask:255.255.255.0
          inet6 addr: fe80::216:17ff:fe7e:fed1/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:27 errors:0 dropped:0 overruns:0 frame:0
          TX packets:17 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1446 (1.4 Kb)  TX bytes:1050 (1.0 Kb)

eth0      Link encap:Ethernet  HWaddr 00:14:D1:13:43:11
          inet addr:75.149.172.88  Bcast:75.149.172.95  Mask:255.255.255.240
          inet6 addr: fe80::214:d1ff:fe13:4311/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:8756 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4071 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:3122265 (2.9 Mb)  TX bytes:724879 (707.8 Kb)
          Interrupt:20 Base address:0x4000

eth1      Link encap:Ethernet  HWaddr 00:16:17:7E:FE:D1
          inet6 addr: fe80::216:17ff:fe7e:fed1/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:19183 errors:0 dropped:0 overruns:0 frame:0
          TX packets:12750 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2066359 (1.9 Mb)  TX bytes:5779702 (5.5 Mb)
          Interrupt:23 Base address:0xc000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:69 errors:0 dropped:0 overruns:0 frame:0
          TX packets:69 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:9892 (9.6 Kb)  TX bytes:9892 (9.6 Kb)

tap0      Link encap:Ethernet  HWaddr 96:44:E4:EA:4A:E3
          inet6 addr: fe80::9444:e4ff:feea:4ae3/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:20 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

Mike
Mike Lander wrote:
>
> Ok, I configured both of these boxes this way. This is the first box; as you can see, br0 is 10.194.79.191/24.
> The other box is the same, with the exception that br0 is 10.194.79.177/24.
> Then at the command line:
>
> linux-rwu0:/etc/openvpn/easy-rsa/2.0 # openvpn --remote 75.149.172.89 --dev tap0 --key bridgekey

Should be --secret bridgekey rather than --key bridgekey -- my bad.

>
> Also you state:
> "Both systems, I configured a bridge with a single tun0 port"
>
> Is this supposed to mean a single tap0 port?

Yes.

-Tom
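Tom's correction (a shared static key goes in --secret; --key is the TLS private key and is only accepted alongside --tls-server or --tls-client) is an option-consistency rule that is easy to reproduce before a tunnel is brought up. The linter below is an added example, not code from the thread or from OpenVPN; it assumes command lines in the form used above, and the key_mode argument is a hypothetical hook so the file-permission check can be exercised without a real key file.

```python
"""Added example (not from the thread): lint an OpenVPN point-to-point
command line for the static-key mistakes discussed in this thread."""
import os
import shlex
import stat

# Options that put OpenVPN in TLS mode, as named in the Options error above.
TLS_MODE_OPTIONS = {"tls-server", "tls-client"}


def parse_options(cmdline):
    """'openvpn --remote 1.2.3.4 --dev tap0 --secret k' ->
    {'remote': ['1.2.3.4'], 'dev': ['tap0'], 'secret': ['k']}.
    Options without a value map to an empty list."""
    opts = {}
    current = None
    for tok in shlex.split(cmdline)[1:]:  # skip the 'openvpn' binary itself
        if tok.startswith("--"):
            current = tok[2:]
            opts.setdefault(current, [])
        elif current is not None:
            opts[current].append(tok)
    return opts


def lint_p2p_static_key(cmdline, key_mode=None):
    """Return a list of problems (empty list means the line looks sane).
    key_mode: st_mode of the key file, supplied by the caller (hypothetical
    test hook); when None the file is stat()ed if it exists."""
    opts = parse_options(cmdline)
    problems = []
    tls_mode = bool(TLS_MODE_OPTIONS.intersection(opts))
    # The rule behind the Options error in the thread: --key is a TLS
    # private key, so without --tls-server/--tls-client it is rejected.
    if "key" in opts and not tls_mode:
        problems.append("--key needs --tls-server/--tls-client; "
                        "for a shared static key use --secret")
    if "secret" in opts and tls_mode:
        problems.append("--secret is static-key mode; drop it or drop the TLS options")
    if "secret" not in opts and not tls_mode:
        problems.append("no --secret and no TLS options: encryption and "
                        "authentication would be disabled")
    if "remote" not in opts:
        problems.append("no --remote: the peer address is not pinned")
    # The static key is a long-term symmetric secret: whoever reads it can
    # decrypt and inject tunnel traffic, so it must be owner-only (0600).
    if "secret" in opts:
        mode = key_mode
        if mode is None and os.path.exists(opts["secret"][0]):
            mode = os.stat(opts["secret"][0]).st_mode
        if mode is not None and mode & (stat.S_IRWXG | stat.S_IRWXO):
            problems.append("static key file is group/world accessible; chmod 600 it")
    return problems
```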
> Mike Lander wrote:
> >
> > Ok, I configured both of these boxes this way. This is the first box; as you can see, br0 is 10.194.79.191/24.
> > The other box is the same, with the exception that br0 is 10.194.79.177/24.
> > Then at the command line:
> >
> > linux-rwu0:/etc/openvpn/easy-rsa/2.0 # openvpn --remote 75.149.172.89 --dev tap0 --key bridgekey
>
> Should be --secret bridgekey rather than --key bridgekey -- my bad.
>
> >
> > Also you state:
> > "Both systems, I configured a bridge with a single tun0 port"
> >
> > Is this supposed to mean a single tap0 port?
>
> Yes.
>
> Tom

JoY!

Ping from my Vista workstation to firewall 2, which has no LAN except its internal interface. There is no way to ping without it working.

Pinging 10.194.79.177 with 32 bytes of data:
Reply from 10.194.79.177: bytes=32 time<1ms TTL=64
Reply from 10.194.79.177: bytes=32 time<1ms TTL=64
Reply from 10.194.79.177: bytes=32 time<1ms TTL=64
Reply from 10.194.79.177: bytes=32 time<1ms TTL=64

Thanks Tom. I think I was close with the server/client thing; it still had a few complaints, but this way is simple. I have not had to join two LANs like this. Fun!!
Mike Lander wrote:
> JoY!

Cool.

>
> Ping from my Vista workstation to firewall 2, which has no LAN except its internal interface. There is no way to ping without it working.
>
> Pinging 10.194.79.177 with 32 bytes of data:
> Reply from 10.194.79.177: bytes=32 time<1ms TTL=64
> Reply from 10.194.79.177: bytes=32 time<1ms TTL=64
> Reply from 10.194.79.177: bytes=32 time<1ms TTL=64
> Reply from 10.194.79.177: bytes=32 time<1ms TTL=64
>
> Thanks Tom. I think I was close with the server/client thing; it still had a few complaints, but this way is simple. I have not had to join two LANs like this. Fun!!

OpenVPN is a really nice thing to keep in your toolbox...

-Tom
> Mike Lander wrote:
> > JoY!
>
> Cool.
>
> >
> > Ping from my Vista workstation to firewall 2, which has no LAN except its internal interface. There is no way to ping without it working.
> >
> > Pinging 10.194.79.177 with 32 bytes of data:
> > Reply from 10.194.79.177: bytes=32 time<1ms TTL=64
> > Reply from 10.194.79.177: bytes=32 time<1ms TTL=64
> > Reply from 10.194.79.177: bytes=32 time<1ms TTL=64
> > Reply from 10.194.79.177: bytes=32 time<1ms TTL=64
> >
> > Thanks Tom. I think I was close with the server/client thing; it still had a few complaints, but this way is simple. I have not had to join two LANs like this. Fun!!
>
> OpenVPN is a really nice thing to keep in your toolbox...
>
> Tom

Just thought I would let you know: I installed the boxes without a hitch. It was kind of strange having a guy's app that telnets to a Unix box across the tunnel instantly up, doing his work so quickly. I was worried a little, as VoIP did not work for a few minutes, presumably the switch and VoIP board ARP cache. Now I can work on the wireless bridges. Have not done shaping yet.

Thanks,
Mike