Hi All,

I'm fairly new to shorewall and have a unique environment to set up: currently I have two buildings connected via Orinoco AP. Both buildings are part of the same subnet and must stay that way.

I want to increase security of the wireless segment and have decided to use Bering, VTunnel and Shorewall to accomplish this. Both systems currently create a VPN tunnel using VTUN (/dev/tap0) and automatically add this interface to the bridge interface br0.

So to recap: eth1 is the internal device, eth0 external. tap0 is the VTUN interface; after the connection, br0 has tap0 and eth1 bridged.

What do I have to do to allow VTUN to establish the connection on the external interface? It uses UDP port 5000.

What do I have to do to allow traffic from both segments to flow?

Please send me a direct e-mail if you have the answer.

Thanks in advance,
Hugues
hbelanger@lanux.com
Hugues Belanger wrote:
> Hi All,
>
> I'm fairly new to shorewall and have a unique environment to set up:
> currently I have two buildings connected via Orinoco AP.
> Both buildings are part of the same subnet and must stay that way.
>
> I want to increase security of the wireless segment and have decided to
> use Bering, VTunnel and Shorewall to accomplish this.
> Both systems currently create a VPN tunnel using VTUN (/dev/tap0) and
> automatically add this interface to the bridge interface br0.
>
> So to recap: eth1 is the internal device, eth0 external. tap0 is the
> VTUN interface; after the connection, br0 has tap0 and eth1 bridged.
>
> What do I have to do to allow VTUN to establish the connection on the
> external interface? It uses UDP port 5000.
>
> What do I have to do to allow traffic from both segments to flow?
>
> Please send me a direct e-mail if you have the answer.

Since no one else has responded, I'll ask a question: What does the routing table look like on one of these Bering boxes?

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://www.shorewall.net
Washington USA \ teastep@shorewall.net
Hugues,

The appropriate place to request Bering support is on the leaf-user list. Please submit your question there. Thanks.

LEAF - Bering Support
http://leaf-project.org/mod.php?mod=userpage&menu=11&page_id=4

On Mon, 2003-02-10 at 08:59, Hugues Belanger wrote:
> I'm fairly new to shorewall and have a unique environment to set up:
> currently I have two buildings connected via Orinoco AP.
> Both buildings are part of the same subnet and must stay that way.
>
> I want to increase security of the wireless segment and have decided to
> use Bering, VTunnel and Shorewall to accomplish this.
> Both systems currently create a VPN tunnel using VTUN (/dev/tap0) and
> automatically add this interface to the bridge interface br0.
>
> So to recap: eth1 is the internal device, eth0 external. tap0 is the
> VTUN interface; after the connection, br0 has tap0 and eth1 bridged.
>
> What do I have to do to allow VTUN to establish the connection on the
> external interface? It uses UDP port 5000.
>
> What do I have to do to allow traffic from both segments to flow?

--
Mike Noyes <mhnoyes @ users.sourceforge.net>
http://sourceforge.net/users/mhnoyes/
http://leaf-project.org/
http://sitedocs.sf.net/
http://ffl.sf.net/
Hugues Belanger wrote:
> Hi
>
> Don't understand why I'm getting so much flak about posting on this
> list? The fact that I use Bering as a distro does matter; I could have
> done the same with gentoo or RedHat. The problem I'm having is with
> shorewall configuration not Bering.

Hugues -- you are asking for free support for free products. Is it too much to ask of you in return that you follow the procedure that we have established for supporting Shorewall under Leaf?

> Anyhow here's my routing table
>
> 1.1.1.1 is the external interface
>
> Routing Table
> ----------------
> 192.168.96.0/24 dev br0 proto kernel scope link src 192.168.96.100
> 1.1.1.0/24 dev eth0 proto kernel scope link src 1.1.1.1
> default via 1.1.1.2 dev eth0
>
> Interface configuration
> -----------------------
>
> 1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
> 2: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop
>     link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
> 3: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
>     link/ether 00:01:03:2b:bf:f4 brd ff:ff:ff:ff:ff:ff
>     inet 1.1.1.1/24 brd 1.1.1.255 scope global eth0
> 4: eth1: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast qlen 100
>     link/ether 00:01:03:2b:c7:44 brd ff:ff:ff:ff:ff:ff
> 5: tap0: <BROADCAST,NOARP,PROMISC,UP> mtu 1450 qdisc noqueue
>     link/ether fe:fd:00:00:00:00 brd ff:ff:ff:ff:ff:ff
> 6: br0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue
>     link/ether 00:01:03:2b:c7:44 brd ff:ff:ff:ff:ff:ff
>     inet 192.168.96.100/24 brd 192.168.96.100 scope global br0
>
> Bridge configuration after VTUN is established
> ---------------------------------------------
> brctl show
> bridge name     bridge id               STP enabled     interfaces
> br0             8000.0001032bc744       yes             eth1
>                                                         tap0

Here is my guess and I must stress that it is only a guess:

a) I would define the local zone to be associated with eth1 and tap0 and I would have a loc->loc ACCEPT policy.

b) I would associate the 'net' zone with eth0.

c) I would define an OpenVPN tunnel in /etc/shorewall/tunnels:

   openvpn net <IP of other tunnel endpoint>

   The default for OpenVPN is to use UDP port 5000 for both ends so it sounds like it's compatible with what you have.

d) The remainder of your rules can be adjusted to suit your needs.

Let _us_ know how that works...

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://www.shorewall.net
Washington USA \ teastep@shorewall.net
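The configuration below is an added worked example of the layout Tom sketches; it is not from the thread or from the Shorewall project. It assumes the four-column file layout of the Shorewall 1.3-era files, that the openvpn tunnel type is available, that the far end's external address is 1.1.1.20 (a placeholder, not given anywhere in the thread), and that the loc zone is attached to br0, the interface that actually holds 192.168.96.100/24 and the one the kernel presents to iptables, rather than to the address-less bridge ports eth1 and tap0. The commented rules entries are the explicit equivalent of the tunnels entry, for a box whose Shorewall does not know the openvpn type.

```text
# /etc/shorewall/zones  (ZONE  DISPLAY  COMMENTS)
net     Net     Wireless link between the buildings / Internet
loc     Local   Bridged LAN (eth1 + tap0 via br0)

# /etc/shorewall/interfaces  (ZONE  INTERFACE  BROADCAST  OPTIONS)
# loc goes on br0: eth1 and tap0 are bridge ports with no IP address.
net     eth0    detect
loc     br0     detect

# /etc/shorewall/policy  (SOURCE  DEST  POLICY  LOG LEVEL)
loc     loc     ACCEPT
loc     net     ACCEPT
net     all     DROP        info
all     all     REJECT      info

# /etc/shorewall/tunnels  (TYPE  ZONE  GATEWAY  GATEWAY ZONE)
# 1.1.1.20 is a placeholder for the other building's external address.
# The openvpn type admits UDP 5000 to and from that single host only, which
# is what VTun on UDP 5000 needs; nothing else on eth0 is opened by it.
openvpn net     1.1.1.20

# /etc/shorewall/rules  (ACTION  SOURCE  DEST  PROTO  DEST PORT(S))
# Explicit equivalent of the tunnels entry above. Use one or the other,
# not both.
#ACCEPT net:1.1.1.20   fw              udp     5000
#ACCEPT fw             net:1.1.1.20    udp     5000
```

Two caveats when trying this. First, run `shorewall check` before `shorewall restart`, because a typo in the tunnels gateway column silently drops the VTun handshake and the bridge never comes up. Second, frames that cross from eth1 to tap0 are switched by the bridge at layer 2; on a 2.4 kernel they only pass through the FORWARD chain (and so through the loc->loc policy) if the kernel carries the bridge-nf patch, otherwise the loc loc ACCEPT line is harmless but also not what is letting the two segments talk.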