Hi!

I am running shorewall with the following options on my public interface:

    net eth1 detect dhcp,routefilter,norfc1918

When I start FreeS/Wan I get the following message:

    ipsec_setup: WARNING: eth1 has route filtering turned on, KLIPS may not work
    ipsec_setup: (/proc/sys/net/ipv4/conf/eth1/rp_filter = `1', should be 0)

I tried to figure out what the implications are but am not sure.

Can I make an exception to the routefilter for the local network(s) that I want to use through the VPN tunnel, or should I disable the routefilter on the public interface completely?

Also, I assume the routefilter must be disabled on both sides of the tunnel?

Disabling routefilter seems like a dangerous thing? With routefilter disabled there is hardly any need to restrict some services to certain IP addresses, because the originating IP can't be trusted anyway, is it?

Thanks!

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
--On Wednesday, November 13, 2002 03:36:40 PM +0100 Remco Barendse <shorewall@barendse.to> wrote:

> Hi!
> I am running shorewall with the following options on my public interface:
> net eth1 detect dhcp,routefilter,norfc1918
>
> When I start FreeS/Wan I get the following message:
> ipsec_setup: WARNING: eth1 has route filtering turned on, KLIPS may not
> work
> ipsec_setup: (/proc/sys/net/ipv4/conf/eth1/rp_filter = `1', should be 0)
>
> I tried to figure out what the implications are but am not sure.
>
> Can I make an exception to the routefilter for the local network(s) that
> I want to use through the vpn tunnel or should I disable the routefilter
> on the public interface completely?
>
> Also I assume the routefilter must be disabled on both sides of the
> tunnel?
>
> Disabling routefilter seems like a dangerous thing? With routefilter
> disabled there is hardly any need to restrict some services to certain ip
> addresses because the originating ip can't be trusted anyway, is it?
>

Unless you are using a host-to-host tunnel, you can usually ignore that warning from FreeS/Wan. I ran an IPSEC subnet-to-subnet tunnel for over a year with 'routefilter' enabled and had no problems.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
AIM: tmeastep   \ http://shorewall.sf.net
ICQ: #60745924  \ teastep@shorewall.net
Oops, sorry for giving incomplete information.

I want to use a net2net config to connect two subnets where each node on the subnet can see every other node on the subnet on the other side of the tunnel (not a road warrior setup).

Is this the same setup that worked without problems on your end?

Remco

On Wed, 13 Nov 2002, Tom Eastep wrote:

> --On Wednesday, November 13, 2002 03:36:40 PM +0100 Remco Barendse
> <shorewall@barendse.to> wrote:
>
> > Hi!
> > I am running shorewall with the following options on my public interface:
> > net eth1 detect dhcp,routefilter,norfc1918
> >
> > When I start FreeS/Wan I get the following message:
> > ipsec_setup: WARNING: eth1 has route filtering turned on, KLIPS may not
> > work
> > ipsec_setup: (/proc/sys/net/ipv4/conf/eth1/rp_filter = `1', should be 0)
> >
> > I tried to figure out what the implications are but am not sure.
> >
> > Can I make an exception to the routefilter for the local network(s) that
> > I want to use through the vpn tunnel or should I disable the routefilter
> > on the public interface completely?
> >
> > Also I assume the routefilter must be disabled on both sides of the
> > tunnel?
> >
> > Disabling routefilter seems like a dangerous thing? With routefilter
> > disabled there is hardly any need to restrict some services to certain ip
> > addresses because the originating ip can't be trusted anyway, is it?
> >
>
> Unless you are using a host-to-host tunnel, you can usually ignore that
> warning from FreeS/Wan. I ran an IPSEC subnet-to-subnet tunnel for over a
> year with 'routefilter' enabled and had no problems.
>
> -Tom
> --
> Tom Eastep      \ Shorewall - iptables made easy
> AIM: tmeastep   \ http://shorewall.sf.net
> ICQ: #60745924  \ teastep@shorewall.net
--On Wednesday, November 13, 2002 04:03:52 PM +0100 Remco Barendse <shorewall@barendse.to> wrote:

> Oops, sorry for giving incomplete information.
>
> I want to use a net2net config to connect two subnets where each node on
> the subnet can see every other node on the subnet on the other side of
> the tunnel (not a road warrior setup).
>
> Is this the same setup that worked without problems on your end?
>

Yes.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
AIM: tmeastep   \ http://shorewall.sf.net
ICQ: #60745924  \ teastep@shorewall.net
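The warning quoted in this thread is ipsec_setup reading /proc/sys/net/ipv4/conf/eth1/rp_filter and objecting to anything other than 0. The script below is an added example for this page; it is not code from the thread, from Shorewall or from FreeS/WAN, and the function names are my own. It reproduces that check, reports the raw and effective rp_filter value of every interface, and shows how to switch the filter off for a single interface (the per-interface alternative to the "disable it on the public interface completely" option asked about above) without touching the others. Two assumptions: the effective value is taken to be the larger of conf/all/rp_filter and conf/<iface>/rp_filter, which is how current kernels document it, and CONF_ROOT can be pointed at a constructed copy of the /proc tree so the script can be exercised on a box where you are not root.

```shell
#!/bin/sh
# Added example (not from the thread, Shorewall or FreeS/WAN): inspect the
# sysctl that ipsec_setup complains about. CONF_ROOT defaults to the live
# /proc tree; point it at a constructed copy to test without root.
CONF_ROOT="${CONF_ROOT:-/proc/sys/net/ipv4/conf}"

# Raw value of conf/<iface>/rp_filter, or "?" if that interface has no entry.
rp_filter_value() {
    f="$CONF_ROOT/$1/rp_filter"
    if [ -r "$f" ]; then
        cat "$f"
    else
        echo "?"
    fi
}

# Effective value for one interface. Assumption (current kernels): the larger
# of conf/all/rp_filter and conf/<iface>/rp_filter is what the kernel applies,
# so conf/all=1 filters every interface even when the per-interface file is 0.
rp_filter_effective() {
    a=$(rp_filter_value all)
    i=$(rp_filter_value "$1")
    if [ "$a" = "?" ]; then a=0; fi
    if [ "$i" = "?" ]; then i=0; fi
    if [ "$a" -gt "$i" ]; then echo "$a"; else echo "$i"; fi
}

# The same test ipsec_setup makes: 0 is fine, anything else warns.
# Returns 0 when route filtering is off for the interface, 1 when it is on.
rp_filter_check() {
    v=$(rp_filter_effective "$1")
    if [ "$v" = "0" ]; then
        echo "ok: $1 rp_filter = 0"
        return 0
    fi
    echo "WARNING: $1 has route filtering turned on (rp_filter = $v, should be 0)"
    return 1
}

# One line per interface directory with raw and effective values;
# "all" and "default" are knobs, not interfaces, so they are skipped.
rp_filter_report() {
    for d in "$CONF_ROOT"/*/; do
        n=$(basename "$d")
        case "$n" in
            all|default) continue ;;
        esac
        printf '%-10s raw=%s effective=%s\n' "$n" \
            "$(rp_filter_value "$n")" "$(rp_filter_effective "$n")"
    done
}

# Turn the filter off for one interface only (needs root on a live system).
# Equivalent to: sysctl -w net.ipv4.conf.<iface>.rp_filter=0
rp_filter_disable() {
    echo 0 > "$CONF_ROOT/$1/rp_filter"
}

# Command-line use: `sh rp_filter.sh report` or `sh rp_filter.sh check eth1`.
case "${1:-}" in
    report) rp_filter_report ;;
    check)  rp_filter_check "${2:?interface name required}" ;;
esac
```

Note that rp_filter_check reports the effective value, so if conf/all/rp_filter is 1 a per-interface 0 will still warn; and since Shorewall's routefilter option is what writes the 1 for eth1 at startup, a manual rp_filter_disable only lasts until the next shorewall restart unless the option is removed from the interface entry.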
I run a multi-ended WAN with freeswan where each node has 4 tunnels to all other nodes, including host to host. I have been doing this for over a year now with no trouble. I get these freeswan messages too and just assumed that the holes that shorewall punches through the firewall for ipsec defined tunnels were sufficient to avert any problems.

Steve

----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "Remco Barendse" <shorewall@barendse.to>; <shorewall-users@shorewall.net>
Sent: Wednesday, November 13, 2002 9:53 AM
Subject: Re: [Shorewall-users] FreeS/Wan IPSEC and routefilter

> --On Wednesday, November 13, 2002 03:36:40 PM +0100 Remco Barendse
> <shorewall@barendse.to> wrote:
>
> > Hi!
> > I am running shorewall with the following options on my public interface:
> > net eth1 detect dhcp,routefilter,norfc1918
> >
> > When I start FreeS/Wan I get the following message:
> > ipsec_setup: WARNING: eth1 has route filtering turned on, KLIPS may not
> > work
> > ipsec_setup: (/proc/sys/net/ipv4/conf/eth1/rp_filter = `1', should be 0)
> >
> > I tried to figure out what the implications are but am not sure.
> >
> > Can I make an exception to the routefilter for the local network(s) that
> > I want to use through the vpn tunnel or should I disable the routefilter
> > on the public interface completely?
> >
> > Also I assume the routefilter must be disabled on both sides of the
> > tunnel?
> >
> > Disabling routefilter seems like a dangerous thing? With routefilter
> > disabled there is hardly any need to restrict some services to certain ip
> > addresses because the originating ip can't be trusted anyway, is it?
> >
>
> Unless you are using a host-to-host tunnel, you can usually ignore that
> warning from FreeS/Wan. I ran an IPSEC subnet-to-subnet tunnel for over a
> year with 'routefilter' enabled and had no problems.
>
> -Tom
> --
> Tom Eastep      \ Shorewall - iptables made easy
> AIM: tmeastep   \ http://shorewall.sf.net
> ICQ: #60745924  \ teastep@shorewall.net
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@shorewall.net
> http://www.shorewall.net/mailman/listinfo/shorewall-users