Artur Uszyński
2014-Feb-26 11:40 UTC
IPSec subzone and netmap - traffic rules are not working.
Hello.

Shorewall version 4.5.7.1, the configuration example follows:

zones:
  loc         ipv4
  net         ipv4
  sitea:net   ipsec

interfaces:
  loc   eth0
  -     eth1

hosts:
  sitea   eth1:192.168.111.0/24
  net     eth1:0.0.0.0/0

policy:
  loc   net     ACCEPT
  loc   sitea   REJECT
  all   all     REJECT

netmap:
  SNAT   192.168.1.0/24   eth1   10.1.0.0/24   192.168.111.0/24

rules:
  Web(ACCEPT)   loc   sitea

ALL traffic from loc to sitea will be accepted, because the resulting rule in the loc_frwd chain is never matched (in particular, the ipsec policy is not matched):

Chain eth0_fwd (1 references)
  168 23503 loc_frwd   all  --  *  *     192.168.1.0/24  0.0.0.0/0         policy match dir in pol none
   46  7456 loc_frwd   all  --  *  *     10.1.0.0/24     0.0.0.0/0         policy match dir in pol none

Chain loc_frwd (2 references)
    0     0 loc2sitea  all  --  *  eth1  0.0.0.0/0       192.168.111.0/24  policy match dir out pol ipsec

Traffic from loc to sitea eventually hits the loc2net policy (ACCEPT).

Without netmap all works as expected. When the zone is defined as an ordinary ipv4 zone, all works as expected too.

Is there any way to keep the zone as an ipsec zone, use netmap and have working loc2sitea rules?

Do I lose anything by defining the zone as ipv4 instead of ipsec (is it significantly less secure)?

Regards.
--
Artur
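When debugging a case like the one above, the fastest check is to read the packet counters: a zone-to-zone rule that should be carrying traffic but shows 0 packets is the rule that is being bypassed. The following is an added example, not code from the post or from Shorewall, that parses `iptables -nvL`-style counter output (the same layout quoted above, with or without the column header line) and lists rules that have never matched, optionally filtered by match text such as "pol ipsec". The sample input is a constructed copy of the two chains from the post; the K/M/G counter-suffix handling assumes the abbreviated counters iptables prints when run without -x.

```python
"""Flag firewall rules that never match, from iptables -nvL counter output.

Rule columns follow the iptables -nvL layout:
  pkts bytes target prot opt in out source destination [match text]
Sample input below is constructed from the chains quoted in the post.
"""
from dataclasses import dataclass
from typing import List

# Constructed sample: the two chains quoted in the post (no header line).
SAMPLE_OUTPUT = """\
Chain eth0_fwd (1 references)
168 23503 loc_frwd all -- * * 192.168.1.0/24 0.0.0.0/0 policy match dir in pol none
46 7456 loc_frwd all -- * * 10.1.0.0/24 0.0.0.0/0 policy match dir in pol none
Chain loc_frwd (2 references)
0 0 loc2sitea all -- * eth1 0.0.0.0/0 192.168.111.0/24 policy match dir out pol ipsec
"""

# iptables abbreviates large counters (e.g. "12K") unless -x is given;
# the multipliers are assumed to be decimal, as iptables prints them.
_SUFFIX = {"K": 1_000, "M": 1_000_000, "G": 1_000_000_000}


def _count(field: str) -> int:
    """Turn a counter field such as '168' or '12K' into an integer."""
    if field and field[-1] in _SUFFIX:
        return int(field[:-1]) * _SUFFIX[field[-1]]
    return int(field)


@dataclass
class Rule:
    chain: str
    pkts: int
    bytes: int
    target: str
    proto: str
    in_if: str
    out_if: str
    source: str
    destination: str
    matches: str  # trailing match text, e.g. "policy match dir out pol ipsec"


def parse_counters(text: str) -> List[Rule]:
    """Parse every rule line under its 'Chain ...' heading into Rule objects."""
    rules: List[Rule] = []
    chain = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Chain "):
            chain = line.split()[1]          # "Chain loc_frwd (2 references)"
            continue
        if line.startswith("pkts "):         # optional column header line
            continue
        fields = line.split(None, 9)         # keep the match text as one field
        if chain is None or len(fields) < 9:
            continue                         # not a rule line
        try:
            pkts, byts = _count(fields[0]), _count(fields[1])
        except ValueError:
            continue
        target, proto, _opt, in_if, out_if, src, dst = fields[2:9]
        extra = fields[9] if len(fields) > 9 else ""
        rules.append(Rule(chain, pkts, byts, target, proto, in_if, out_if, src, dst, extra))
    return rules


def never_matched(rules: List[Rule], match_substring: str = "") -> List[Rule]:
    """Rules with a zero packet counter whose match text contains match_substring."""
    return [r for r in rules if r.pkts == 0 and match_substring in r.matches]


def chain_packets(rules: List[Rule], chain: str) -> int:
    """Total packets counted across all rules of one chain."""
    return sum(r.pkts for r in rules if r.chain == chain)


if __name__ == "__main__":
    parsed = parse_counters(SAMPLE_OUTPUT)
    for r in never_matched(parsed, "pol ipsec"):
        print(f"{r.chain}: {r.target} ({r.source} -> {r.destination} out {r.out_if}) "
              f"never matched [{r.matches}]")
```

Running it on the sample reports the loc2sitea rule in loc_frwd as the one with zero hits; on a live box, pipe the output of `iptables -nvL` (or `iptables -nvxL` to avoid abbreviated counters) into `parse_counters` and compare the zone-to-zone chains against the policy chains the traffic actually lands in.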