Ok. I'm knocking down one problem at a time.

I've managed to figure out how to bridge my tap0 and my eth1 with br0. This is good stuff. But if I have shorewall running, I can't ping the local network at all. If I have shorewall not running, I can ping the local network.

Here is my setup.

Firewall/NAT box:
  eth0 - DHCP from cable provider
  eth1 - 192.168.2.0/255.255.255.0 local network
  tap0 - OpenVPN endpoint
  tap1 - OpenVPN endpoint

Laptop:
  Work client - coming from the internet via the cable box
  Home wireless client - coming through the wireless router internally.

Zones: fw loc net

I also have a wireless lan 192.168.1.0/255.255.255.0 that has a NAT at 192.168.2.198 - secured w/ WPA-PSK.

I want to be able to connect to the tap0 from outside the firewall. I want to be able to connect to the tap1 from the wireless lan. I would prefer to use security regardless, so that if I decide to use VPN from the wireless router, I can shut off WPA-PSK and maybe only open the VPN port for forwarding.

I want the laptop, when connected via OpenVPN, to act like it sits on 192.168.2.0/255.255.255.0. So obviously, to me, this means bridging tap0, tap1 and eth1. That's as far as I understand it so far.

As far as the firewalling goes: firstly, I need to understand what interfaces/rules/policies I have to set in shorewall to make this happen. I can try to do this by hand, but it defeats the purpose of having shorewall at all, and I like the logical separation of concerns. I just don't always see how to do the complicated stuff, especially when I'm not quite understanding the flow that has to occur.

I attempted to follow the details for the bridged ethernet networks that were masqueraded, but couldn't understand how it would fit my architecture, seeing as I had a single laptop, not a second network at the other end. I was getting confused. So I need to understand how to set up the necessary configuration for the setup I'm trying to get to.

With shorewall running now, after I bridge, I can't ping the local network even from the firewall. With shorewall off, I can ping the local network.

Any help would be greatly appreciated. Or even a pointer to someone else's message thread that solves the same problem.

Thanks.

--
Shamim Islam
BA BS
Shamim,

By default Shorewall has pinging disabled, so you need to add it into rules:

ACCEPT fw loc icmp

Hopefully this will knock down another problem.

Graham

----- Original message -----
From: shorewall-users-bounces@lists.shorewall.net [mailto:shorewall-users-bounces@lists.shorewall.net] On behalf of Files
Sent: Thursday, 23 September 2004 16:39
To: shorewall-users@lists.shorewall.net
Subject: [Shorewall-users] Shorewall and OpenVPN woes
Thanks for pointing that out, Graham. I found that out the hard way when I first started using Shorewall - I could have really used this list then. I didn't know it existed. Ugh. The things you wish you had known.

Anyway - to clarify - w/o bridging, shorewall works like a champ for me.

Personally, I went one step further and created a signalling system from the apache error trapping pages (/error) to log all attempts to hack my webserver (nimda et al) by detecting regexes - when they're detected, a file is dropped into /tmp/shorewall/drop and a corresponding file is dropped into /tmp/shorewall/lock. The lock file identifies the drop file to process. fam watches /tmp/shorewall/lock for drop requests. Drop requests get logged to gdbm and a "shorewall drop" is executed for each IP address - quarantined, as it were. Every hour via cron, the dropped IPs are reinstated unless they have made too many attempts to hack, in which case they get permanently put into the blacklist. So every hour the blacklist is autogenerated.

Also, I have it set up so that I have an admin interface to allow me to identify IPs to always ignore, IPs to always block, and to also create the patterns to look for. All in PHP - works like a champ. I love it. That's why I want to stick w/ it w/ my VPN setup. A cron job makes sure that "drop" is always running (checks like every minute).

I wish there was an easier way to do something like this, but I haven't had time to explore shorewall, nor do I see any real database capabilities that can be triggered. So I'm relegated to using apache to do that part.

So - hopefully I will have a working VPN w/ shorewall as my firewall when this whole process is done.

Thanks again Graham.

P.S. Do I need to post my config files or anything?

--
Shamim Islam
BA BS

_______________________________________________
Shorewall-users mailing list
Post: Shorewall-users@lists.shorewall.net
Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
Support: http://www.shorewall.net/support.htm
FAQ: http://www.shorewall.net/FAQ.htm
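A cut-down version of the quarantine loop described in the post above, as an added example rather than the poster's own PHP/fam code: one IPv4 address per file in /tmp/shorewall/drop, validated strictly before it ever reaches "shorewall drop", counted in a flat file instead of gdbm, and an hourly pass that either lifts the drop with "shorewall allow" or moves the address into /etc/shorewall/blacklist. The paths, the threshold, the ignore-list file and the SHOREWALL variable are assumptions. The part worth copying is the validation step: the address is extracted from web-server input and ends up as an argument to a command run as root, so nothing but a well-formed dotted quad may get through.

```shell
#!/bin/sh
# Added example, not the poster's code. Quarantine loop driven by drop-request
# files: validate the address, count attempts, 'shorewall drop' it, and once an
# hour either 'shorewall allow' it again or make it permanent in the blacklist.
# All paths, the threshold and the SHOREWALL variable are assumptions.
set -eu

SPOOL=${SPOOL:-/tmp/shorewall}
COUNTS=${COUNTS:-$SPOOL/counts}          # "ip count" lines, stands in for gdbm
IGNORE=${IGNORE:-$SPOOL/ignore}          # "always ignore" list, one IP per line
BLACKLIST=${BLACKLIST:-/etc/shorewall/blacklist}
MAX_ATTEMPTS=${MAX_ATTEMPTS:-3}
SHOREWALL=${SHOREWALL:-shorewall}        # set to ':' for a dry run

# Accept only a dotted quad with each octet in 0..255. Shell metacharacters,
# hostnames, IPv6 and CIDR are all rejected: the value becomes an argument to
# a root-run command, so the check is an allowlist, not a blocklist.
is_ipv4() {
    case $1 in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ -n "$o" ] && [ "$o" -le 255 ] || return 1
    done
    return 0
}

ignored() { [ -f "$IGNORE" ] && grep -qxF "$1" "$IGNORE"; }

# Number of recorded attempts for an IP (0 if none).
attempts() {
    [ -f "$COUNTS" ] && awk -v ip="$1" '$1 == ip { print $2; found=1 } END { if (!found) print 0 }' "$COUNTS" || echo 0
}

# Increment the counter for an IP, rewriting the counts file atomically.
record_attempt() {
    n=$(( $(attempts "$1") + 1 ))
    mkdir -p "$SPOOL"
    {
        [ -f "$COUNTS" ] && awk -v ip="$1" '$1 != ip' "$COUNTS" || true
        echo "$1 $n"
    } > "$COUNTS.tmp"
    mv "$COUNTS.tmp" "$COUNTS"
    echo "$n"
}

# Handle one drop request: validate, honour the ignore list, count, drop.
# Prints the action taken so callers can check it.
process_request() {
    ip=$1
    if ! is_ipv4 "$ip"; then echo "invalid"; return 0; fi
    if ignored "$ip"; then echo "ignored"; return 0; fi
    n=$(record_attempt "$ip")
    $SHOREWALL drop "$ip"
    echo "dropped:$n"
}

# Process every queued request file (one address per file), then remove it.
# Run this from the minute cron job instead of watching the directory with fam.
process_spool() {
    for f in "$SPOOL"/drop/*; do
        [ -f "$f" ] || continue
        read -r ip < "$f" || ip=
        process_request "$ip"
        rm -f "$f"
    done
}

# Hourly pass: lift the temporary drop, or make it permanent via the blacklist
# file, then reset the counters.
hourly_review() {
    [ -f "$COUNTS" ] || return 0
    while read -r ip n; do
        if [ "$n" -ge "$MAX_ATTEMPTS" ]; then
            grep -qxF "$ip" "$BLACKLIST" 2>/dev/null || echo "$ip" >> "$BLACKLIST"
            echo "blacklisted:$ip"
        else
            $SHOREWALL allow "$ip"
            echo "reinstated:$ip"
        fi
    done < "$COUNTS"
    : > "$COUNTS"
    $SHOREWALL refresh                   # reload the blacklist file
}
```

Call process_spool from the minute cron job and hourly_review from the hourly one. "shorewall drop", "shorewall allow", "shorewall refresh" and the blacklist file all exist in Shorewall 2.x; entries made with "shorewall drop" live only in the running ruleset, while the blacklist file is part of the configuration Shorewall loads every time it starts, which is why the permanent entries go there. Keep the ignore list short and reviewed: an address on it never gets dropped no matter what it does.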
On Thursday 23 September 2004 09:41, Files wrote:
> P.S. Do I need to post my config files or anything?

At http://shorewall.net/support.htm you will find very explicit instructions for submitting a problem report.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
This poster sent me a bunch of useless information in a private email (sent me information about a configuration that *works*, not the one that *doesn't work*). Here's my response...

On Thursday 23 September 2004 10:03, Files wrote:
> I want to set up ethernet bridging and use OpenVPN.
>
> I then set up a bridge between eth1 and tap0 and tap1 and set the IP of the bridge br0 to 192.168.2.9.
>
> eth0 remains connected to the outside world.
>
> For the network 192.168.2.0/255.255.255.0, if shorewall is running, I am not able to reach any node on the network. If shorewall is stopped, I can reach any node on the network.
>
> I want to configure shorewall to treat my bridged interface the way it treated my original eth1.
>
> I do not want to use shorewall as a bridging firewall.
>
> That's my first step.

I believe that FAQ 35 gives you all of the hints you need to make this work (make 'br0' your 'loc' interface and set 'routeback' on that interface).

-Tom
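What Tom's hint comes to in practice, as an added example rather than anything posted in the thread or shipped with Shorewall: a script that builds the br0 = eth1 + tap0 + tap1 bridge from the opening message and writes the Shorewall 2.x files that make br0 the "loc" interface with "routeback". The interface names and the bridge address 192.168.2.9 come from the thread; the OpenVPN port (1194), the explicit "loc loc ACCEPT" policy, the ping rules and the exact file contents are assumptions for illustration, so review them before running it as root with "sh bridge-shorewall.sh apply".

```shell
#!/bin/sh
# Added example, not code from the thread or from Shorewall itself.
# Builds the br0 = eth1 + tap0 + tap1 bridge from the opening post and writes
# a Shorewall 2.x configuration that treats br0 as the 'loc' interface with
# 'routeback', as Tom suggests. Interface names and 192.168.2.9 come from the
# thread; everything else below is an assumption to adjust before running
#   sh bridge-shorewall.sh apply        (as root)
set -eu

BRIDGE=br0
LAN_IF=eth1
TAPS="tap0 tap1"
BR_ADDR=192.168.2.9/24                   # bridge address given in the thread
LAN_NET=192.168.2.0/24
WAN_IF=eth0
VPN_PORT=1194                            # assumption: OpenVPN's default UDP port
SHOREWALL_DIR=${SHOREWALL_DIR:-/etc/shorewall}

# Create persistent tap devices, enslave them and eth1 to br0, and move the
# LAN address from eth1 to br0 (bridge ports must not carry addresses).
setup_bridge() {
    for t in $TAPS; do
        openvpn --mktun --dev "$t"       # openvpn.conf then uses 'dev tapN'
        ip link set "$t" up
    done
    brctl addbr "$BRIDGE"
    brctl addif "$BRIDGE" "$LAN_IF"
    for t in $TAPS; do brctl addif "$BRIDGE" "$t"; done
    ip addr flush dev "$LAN_IF"
    ip link set "$LAN_IF" up
    ip addr add "$BR_ADDR" dev "$BRIDGE"
    ip link set "$BRIDGE" up
}

# interfaces: br0 simply takes eth1's place as the 'loc' interface.
# 'routeback' is the key: frames bridged between tap0 and eth1 that netfilter
# sees arrive and leave on the same interface (br0), and Shorewall only
# generates rules for that case when the option is set.
gen_interfaces() {
    cat <<EOF
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     $WAN_IF     detect      dhcp,tcpflags,routefilter
loc     $BRIDGE     detect      routeback
EOF
}

gen_zones() {
    cat <<EOF
#ZONE   DISPLAY     COMMENTS
net     Net         Internet
loc     Local       LAN plus bridged OpenVPN clients
EOF
}

# loc->loc is listed explicitly so bridged traffic crossing the FORWARD chain
# is accepted instead of falling through to the final REJECT.
gen_policy() {
    cat <<EOF
#SOURCE DEST    POLICY      LOG LEVEL
loc     loc     ACCEPT
loc     net     ACCEPT
fw      net     ACCEPT
net     all     DROP        info
all     all     REJECT      info
EOF
}

# Only the OpenVPN port is reachable from outside; tap1's instance is reached
# from the wireless LAN, which sits in loc. Echo requests cover Graham's point.
gen_rules() {
    cat <<EOF
#ACTION SOURCE  DEST    PROTO   DEST PORT(S)
ACCEPT  net     fw      udp     $VPN_PORT
ACCEPT  loc     fw      udp     $VPN_PORT
ACCEPT  fw      loc     icmp    8
ACCEPT  loc     fw      icmp    8
EOF
}

gen_masq() {
    cat <<EOF
#INTERFACE  SUBNET
$WAN_IF     $LAN_NET
EOF
}

write_config() {
    gen_interfaces > "$SHOREWALL_DIR/interfaces"
    gen_zones      > "$SHOREWALL_DIR/zones"
    gen_policy     > "$SHOREWALL_DIR/policy"
    gen_rules      > "$SHOREWALL_DIR/rules"
    gen_masq       > "$SHOREWALL_DIR/masq"
}

if [ "${1:-}" = "apply" ]; then
    setup_bridge
    write_config
    shorewall restart
fi
```

Two checks after "shorewall restart": "cat /proc/sys/net/bridge/bridge-nf-call-iptables" tells you whether bridged frames are handed to iptables at all (1) or just switched without filtering (0), and "shorewall status" should show br0, not eth1, as the loc interface. Once tap0 and tap1 are bridged into loc, any client that authenticates to either OpenVPN instance is on the LAN with nothing between it and the other LAN hosts; that is the intent here, but it makes the OpenVPN certificate setup the real perimeter. If both OpenVPN instances use the same port they must be bound to different addresses with OpenVPN's "local" option.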
Tom,

What do you think about creating a new command line option to create a 'support' file with all the information needed to support users' posts?

For example:
shorewall supportfile "/root/shorewall-support.txt"

This file (for example: /root/shorewall-support.txt) will contain the information asked for in http://shorewall.net/support.htm and some others like vlan, bridge, etc. configurations that could be identified by shorewall confs or not. I.e., the common/usual confs which affect the "shorewall network environment".

-Guilson
By the way, this information will be very useful for me too, for documentation/snapshot purposes.

-Guilsson
Confused - you're referring to the ip commands as the configuration?

If so, I apologize for not sending them after getting the bridge up. I misunderstood. I read the details of the commands that had to be executed, but kept thinking the configuration was the /etc/shorewall files.

Also, didn't realize I replied directly to you. Again, I apologize.

I will look at FAQ # 35.

--
Shamim Islam
BA BS
Files wrote:
| I will look at FAQ # 35.

Check out http://shorewall.net/SimpleBridge.html

-Tom
On Thursday 23 September 2004 11:05, Guilsson wrote:
> What do you think about creating a new command line option to create a 'support' file with all the information needed to support users' posts?

Basically, "shorewall status" already does this in Shorewall 2.0.7 and later.

-Tom
But it didn't include some other interesting things like Shorewall confs (policy, interfaces, etc.), although some of them can be extracted from it.

The idea is, with just one command, you have all the info about the environment.

-Guilsson
On Thursday 23 September 2004 15:57, Guilsson wrote:
> The idea is, with just one command, you have all the info about the environment.

If you know how Shorewall works, then you can easily reconstruct the configuration files from the output of "shorewall status" :-)

Although, come to think of it, some of the options in the config files that only affect /proc are not currently reflected in the "shorewall status" output.

-Tom
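The one-command "support file" Guilsson proposes, assembled from what already exists, as an added example rather than a Shorewall feature: it captures "shorewall status" (which Tom says covers most of it in 2.0.7 and later), the /proc settings Tom notes are not reflected in that output, the interface, route and bridge state, and the active (non-comment) lines of the Shorewall configuration files. The output path, the list of files and the choice of /proc settings are assumptions.

```shell
#!/bin/sh
# Added example, not part of Shorewall. Writes a single support/snapshot file
# from 'shorewall status', the /proc settings that status does not show, the
# interface/route/bridge state and the active lines of the Shorewall config.
# The file list, /proc list and output path are assumptions.
set -u

SHOREWALL_DIR=${SHOREWALL_DIR:-/etc/shorewall}
CONF_FILES="shorewall.conf zones interfaces hosts policy rules masq blacklist"
PROC_SETTINGS="/proc/sys/net/ipv4/ip_forward /proc/sys/net/ipv4/conf/all/rp_filter /proc/sys/net/bridge/bridge-nf-call-iptables"

# Run a command if it exists, otherwise record that it is absent, so the
# report never silently skips a section.
section() {
    printf '\n===== %s =====\n' "$*"
    if command -v "$1" >/dev/null 2>&1; then
        "$@" 2>&1 || printf '(exit status %s)\n' "$?"
    else
        printf '(%s: command not found)\n' "$1"
    fi
}

# Write the report to the path given as $1 and print that path.
snapshot() {
    out=$1
    {
        printf '===== generated =====\n%s on %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(uname -n)"
        section shorewall version
        section shorewall status
        printf '\n===== /proc settings =====\n'
        for p in $PROC_SETTINGS; do
            [ -r "$p" ] && printf '%s = %s\n' "$p" "$(cat "$p")" || printf '%s = (absent)\n' "$p"
        done
        section ip addr show
        section ip route show
        section brctl show
        for f in $CONF_FILES; do
            printf '\n===== %s/%s =====\n' "$SHOREWALL_DIR" "$f"
            # Drop comments and blank lines so the active configuration stands out.
            [ -r "$SHOREWALL_DIR/$f" ] && awk '!/^[[:space:]]*(#|$)/' "$SHOREWALL_DIR/$f" || printf '(absent)\n'
        done
    } > "$out"
    echo "$out"
}

if [ $# -gt 0 ]; then
    snapshot "$1"
fi
```

Run it as root, for example "sh shorewall-snapshot.sh /root/shorewall-support.txt", and read the file before posting it to the list: it contains your addresses, rules and blacklist.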