Tom Eastep
2002-Sep-29 22:33 UTC
[Fwd: [Shorewall-devel] Building custom _updown script for freeswan to make it talk with shorewall]
Tuomo Soini wrote:

> You don't happen to read shorewall-devel mailinglist ?

I read it -- I just didn't know what to make of your post and it arrived
while I was on vacation.

What exactly are you trying to accomplish that Shorewall isn't doing for
you now?

e.g.

/etc/shorewall/zones

rw Roadwarriors Road Warriors

/etc/shorewall/interfaces

rw ipsec+

/etc/shorewall/policy (only if you want Road Warriors to be able to
access each other's hosts).

rw rw ACCEPT
rw loc ACCEPT
loc rw ACCEPT

/etc/shorewall/tunnels

ipsec net 0.0.0.0/0 rw

Am I missing something?

-Tom

> ------------------------------------------------------------------------
>
> Subject:
> [Shorewall-devel] Building custom _updown script for freeswan to make it
> talk with shorewall
> From:
> Tuomo Soini <tis@foobar.fi>
> Date:
> Sat, 21 Sep 2002 22:23:07 +0300
> To:
> Shorewall Devel <shorewall-devel@shorewall.net>
>
> I have a plan to make freeswan and shorewall talk to each other.
>
> Shorewall doesn't currently have proper handles to make ipsec and
> firewall work properly together and I'm planning on building a custom
> _updown script for freeswan to make it communicate with shorewall.
>
> How can I make shorewall work properly with different road warriors with
> different dynamic ip-addresses and different accesses?
>
> I have following plan:
>
> have zone for every road warrior
> not to have zone in hosts or interfaces
> make updown script to jump to correct rules. In freeswan
> connection-descriptions give as parameter to updown script knowledge to
> which zone this connection is part of.
>
> Have I missed anything important or is this plan possible?

--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
Tuomo Soini
2002-Sep-30 15:03 UTC
[Fwd: [Shorewall-devel] Building custom _updown script for freeswan to make it talk with shorewall]
Tom Eastep wrote:

> Tuomo Soini wrote:
>
>> You don't happen to read shorewall-devel mailinglist ?
>
> I read it -- I just didn't know what to make of your post and it arrived
> while I was on vacation.
>
> What exactly are you trying to accomplish that Shorewall isn't doing for
> you now?
>
> e.g.
>
> /etc/shorewall/zones
>
> rw Roadwarriors Road Warriors
>
> /etc/shorewall/interfaces
>
> rw ipsec+
>
> /etc/shorewall/policy (only if you want Road Warriors to be able to
> access each other's hosts).
>
> rw rw ACCEPT
> rw loc ACCEPT
> loc rw ACCEPT
>
> /etc/shorewall/tunnels
>
> ipsec net 0.0.0.0/0 rw
>
> Am I missing something?
>
> -Tom
>
>> ------------------------------------------------------------------------
>>
>> Subject:
>> [Shorewall-devel] Building custom _updown script for freeswan to make
>> it talk with shorewall
>> From:
>> Tuomo Soini <tis@foobar.fi>
>> Date:
>> Sat, 21 Sep 2002 22:23:07 +0300
>> To:
>> Shorewall Devel <shorewall-devel@shorewall.net>
>>
>> I have a plan to make freeswan and shorewall talk to each other.
>>
>> Shorewall doesn't currently have proper handles to make ipsec and
>> firewall work properly together and I'm planning on building a custom
>> _updown script for freeswan to make it communicate with shorewall.
>>
>> How can I make shorewall work properly with different road warriors
>> with different dynamic ip-addresses and different accesses?
>>
>> I have following plan:
>>
>> have zone for every road warrior
>> not to have zone in hosts or interfaces
>> make updown script to jump to correct rules. In freeswan
>> connection-descriptions give as parameter to updown script knowledge
>> to which zone this connection is part of.
>>
>> Have I missed anything important or is this plan possible?

Yes. There is no possibility to define _different_ rules for each road
warrior. I have one case where there is need to give access to only part
of local network. In fact, there are more than 12 local nets which don't
have very much in common and I want to get road warriors communicating
only with their own net, not all nets secured from internet and each
other with shorewall.

So I need possibility to combine freeswan and shorewall more tightly. So
that I can get one ipsec tunnel to zone regardless of its ip.

So I have different connection-descriptions to different road-warriors.
Each road-warrior has its own connection-description and I could handle
them to correct zone with freeswan updown script. There is this
leftupdown and rightupdown thing in freeswan configuration which is very
usable here.

Now there is only one class for all road warriors and that's not
acceptable for any larger organization.

I only need hint how to do it because shorewall is quite complex and I
think it's very easy to add capability to make something like:

tunnels:
ipsec 0.0.0.0/0 gw

jump for road warrior from external script. I just need a handle to
start doing it.

So that I can have updown script like:

rightupdown="/var/lib/shorewall/updown gw"

To make same thing as with tunnels. It's acceptable to have to add all
"gw" zones to tunnels too.

--
Tuomo Soini <tis@foobar.fi>
http://tis.foobar.fi/
Tom Eastep
2002-Oct-01 00:13 UTC
[Fwd: [Shorewall-devel] Building custom _updown script for freeswan to make it talk with shorewall]
Tuomo Soini wrote:

> Yes. There is no possibility to define _different_ rules for each road
> warrior. I have one case where there is need to give access to only part
> of local network. In fact, there are more than 12 local nets which
> don't have very much in common and I want to get road warriors
> communicating only with their own net, not all nets secured from
> internet and each other with shorewall.
>
> So I need possibility to combine freeswan and shorewall more tightly. So
> that I can get one ipsec tunnel to zone regardless of its ip.
>
> So I have different connection-descriptions to different road-warriors.
> Each road-warrior has its own connection-description and I could handle
> them to correct zone with freeswan updown script. There is this
> leftupdown and rightupdown thing in freeswan configuration which is very
> usable here.
>
> Now there is only one class for all road warriors and that's not
> acceptable for any larger organization.
>
> I only need hint how to do it because shorewall is quite complex and I
> think it's very easy to add capability to make something like:
>
> tunnels:
> ipsec 0.0.0.0/0 gw
>
> jump for road warrior from external script. I just need a handle to
> start doing it.
>
> So that I can have updown script like:
>
> rightupdown="/var/lib/shorewall/updown gw"
>
> To make same thing as with tunnels. It's acceptable to have to add all
> "gw" zones to tunnels too.

Ok -- I propose the following externals:

a) In /etc/shorewall/zones you can have one zone per roadwarrior. In
this example, I will call them rw1, rw2, rw3, ...

b) In /etc/shorewall/interfaces:

- ipsec0
- ipsec1
...

c) In /etc/shorewall/hosts

rw1 dynamic
rw2 dynamic
rw3 dynamic
...

d) In /etc/shorewall/tunnels

ipsec net dynamic

e) When road warrior 2 connects, the updown script issues a "shorewall
bind ipsec0:<remote ip> rw2" command.

f) When road warrior 2 disconnects, the updown script issues "shorewall
unbind ipsec0:<remote ip>".

Comments anyone?

-Tom

--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
Tom Eastep
2002-Oct-01 00:23 UTC
[Fwd: [Shorewall-devel] Building custom _updown script for freeswan to make it talk with shorewall]
Tom Eastep wrote:

> Ok -- I propose the following externals:

Just to clarify -- I'm proposing that I add this capability to Shorewall.

-Tom

--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
Tom Eastep
2002-Oct-01 00:25 UTC
[Fwd: [Shorewall-devel] Building custom _updown script for freeswan to make it talk with shorewall]
Tom Eastep wrote:

> Tom Eastep wrote:
>
>> Ok -- I propose the following externals:
>
> Just to clarify -- I'm proposing that I add this capability to Shorewall.

Unless someone else wants to give it a try....

-Tom

--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
Tuomo Soini
2002-Oct-01 07:23 UTC
[Fwd: [Shorewall-devel] Building custom _updown script for freeswan to make it talk with shorewall]
Tom Eastep wrote:

> Tuomo Soini wrote:
>
>> Yes. There is no possibility to define _different_ rules for each road
>> warrior. I have one case where there is need to give access to only
>> part of local network. In fact, there are more than 12 local nets
>> which don't have very much in common and I want to get road warriors
>> communicating only with their own net, not all nets secured from
>> internet and each other with shorewall.
>>
>> So I need possibility to combine freeswan and shorewall more tightly.
>> So that I can get one ipsec tunnel to zone regardless of its ip.
>>
>> So I have different connection-descriptions to different
>> road-warriors. Each road-warrior has its own connection-description
>> and I could handle them to correct zone with freeswan updown script.
>> There is this leftupdown and rightupdown thing in freeswan
>> configuration which is very usable here.
>>
>> Now there is only one class for all road warriors and that's not
>> acceptable for any larger organization.
>>
>> I only need hint how to do it because shorewall is quite complex and I
>> think it's very easy to add capability to make something like:
>>
>> tunnels:
>> ipsec 0.0.0.0/0 gw
>>
>> jump for road warrior from external script. I just need a handle to
>> start doing it.
>>
>> So that I can have updown script like:
>>
>> rightupdown="/var/lib/shorewall/updown gw"
>>
>> To make same thing as with tunnels. It's acceptable to have to add
>> all "gw" zones to tunnels too.
>
> Ok -- I propose the following externals:
>
> a) In /etc/shorewall/zones you can have one zone per roadwarrior. In
> this example, I will call them rw1, rw2, rw3, ...
>
> b) In /etc/shorewall/interfaces:
>
> - ipsec0
> - ipsec1
> ...
>
> c) In /etc/shorewall/hosts
>
> rw1 dynamic
> rw2 dynamic
> rw3 dynamic
> ...
>
> d) In /etc/shorewall/tu
>
> ipsec net dynamic
>
> e) When road warrior 2 connects, the updown script issues a "shorewall
> bind ipsec0:<remote ip> rw2" command.
>
> f) When road warrior 2 disconnects, the updown script issues "shorewall
> unbind ipsec0:<remote ip>".
>
> Comments anyone?
> -Tom

Yes. Quite complicated to configure but sounds technically ok. Well.
Easier for me if you have time to do this.

What will shorewall bind ipsec0:192.168.10.125 rw3 do if there is no
such zone configured?

Two possible solutions, I think.

a) Do nothing, this is not road warrior connection
b) Complain.

a is better for use because every connection is not road-warrior and
_updown script will run this command for every ipsec tunnel.

--
Tuomo Soini <tis@foobar.fi>
http://tis.foobar.fi/
Tom Eastep
2002-Oct-01 14:06 UTC
[Fwd: [Shorewall-devel] Building custom _updown script for freeswan to make it talk with shorewall]
Tuomo Soini wrote:

> What will shorewall bind ipsec0:192.168.10.125 rw3 do if there is no
> such zone configured?
>
> Two possible solutions, I think.
>
> a) Do nothing, this is not road warrior connection
> b) Complain.
>
> a is better for use because every connection is not road-warrior and
> _updown script will run this command for every ipsec tunnel.

Why should your _updown script run this command for a non Road-warrior?
For those, why don't you use an _updown script that doesn't invoke
Shorewall?

I think Shorewall has to complain when asked to do something that it
can't - it is too misleading otherwise.

-Tom

--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
Tom Eastep
2002-Oct-01 18:00 UTC
[Fwd: [Shorewall-devel] Building custom _updown script for freeswan to make it talk with shorewall]
Tuomo Soini wrote:

> Tom Eastep wrote:
>
>> Tuomo Soini wrote:
>>
>>> Yes. There is no possibility to define _different_ rules for each
>>> road warrior. I have one case where there is need to give access to
>>> only part of local network. In fact, there are more than 12 local
>>> nets which don't have very much in common and I want to get road
>>> warriors communicating only with their own net, not all nets secured
>>> from internet and each other with shorewall.
>>>
>>> So I need possibility to combine freeswan and shorewall more tightly.
>>> So that I can get one ipsec tunnel to zone regardless of its ip.
>>>
>>> So I have different connection-descriptions to different
>>> road-warriors. Each road-warrior has its own connection-description
>>> and I could handle them to correct zone with freeswan updown script.
>>> There is this leftupdown and rightupdown thing in freeswan
>>> configuration which is very usable here.
>>>
>>> Now there is only one class for all road warriors and that's not
>>> acceptable for any larger organization.
>>>
>>> I only need hint how to do it because shorewall is quite complex and
>>> I think it's very easy to add capability to make something like:
>>>
>>> tunnels:
>>> ipsec 0.0.0.0/0 gw
>>>
>>> jump for road warrior from external script. I just need a handle to
>>> start doing it.
>>>
>>> So that I can have updown script like:
>>>
>>> rightupdown="/var/lib/shorewall/updown gw"
>>>
>>> To make same thing as with tunnels. It's acceptable to have to add
>>> all "gw" zones to tunnels too.
>>
>> Ok -- I propose the following externals:
>>
>> a) In /etc/shorewall/zones you can have one zone per roadwarrior. In
>> this example, I will call them rw1, rw2, rw3, ...
>>
>> b) In /etc/shorewall/interfaces:
>>
>> - ipsec0
>> - ipsec1
>> ...
>>
>> c) In /etc/shorewall/hosts
>>
>> rw1 dynamic
>> rw2 dynamic
>> rw3 dynamic
>> ...
>>
>> d) In /etc/shorewall/tu
>>
>> ipsec net dynamic
>>
>> e) When road warrior 2 connects, the updown script issues a "shorewall
>> bind ipsec0:<remote ip> rw2" command.
>>
>> f) When road warrior 2 disconnects, the updown script issues
>> "shorewall unbind ipsec0:<remote ip>".
>>
>> Comments anyone?
>> -Tom
>
> Yes. Quite complicated to configure but sounds technically ok.

I have this ready to begin debugging and I've made it quite a bit
simpler.

You can create empty zones - one for each class of Road Warrior.
Shorewall will issue a warning during startup about the empty zones but
those can be ignored.

/etc/shorewall/zones

rw1 RW1 Road Warrior Class 1
rw2 RW2 Road Warrior Class 2
...
rwn RWn Road Warrior Class n

/etc/shorewall/interfaces

- ipsec0 -
- ipsec1 -
...

When a RW associated with zone rw2 connects, your _updown script:

shorewall add ipsec0:<ip address> rw2

When the RW disconnects,

shorewall delete ipsec0:<ipaddress> rw2

-Tom

--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
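As an added example (not code from this thread, from Shorewall or from FreeS/WAN), a hypothetical _updown wrapper in the shape Tom's last message describes: FreeS/WAN invokes it with the zone name as its argument, the way Tuomo's rightupdown= line does, and it turns the connect/disconnect verbs into "shorewall add"/"shorewall delete". It assumes FreeS/WAN's PLUTO_VERB, PLUTO_INTERFACE and PLUTO_PEER environment variables and the paths /sbin/shorewall and /usr/lib/ipsec/_updown.

```shell
#!/bin/sh
# Hypothetical _updown wrapper for the scheme in Tom's last message (added
# example; not part of the thread, Shorewall or FreeS/WAN).
# ipsec.conf:  rightupdown="/var/lib/shorewall/updown rw2"
# FreeS/WAN exports PLUTO_VERB (up-host, down-host, ...), PLUTO_INTERFACE
# (e.g. ipsec0) and PLUTO_PEER (the road warrior's current address).
SHOREWALL=${SHOREWALL:-/sbin/shorewall}               # assumed path
STOCK_UPDOWN=${STOCK_UPDOWN:-/usr/lib/ipsec/_updown}  # assumed path

# shorewall_cmd ZONE VERB INTERFACE PEER
# Prints the Shorewall arguments for this verb ("add ipsec0:1.2.3.4 rw2"
# or "delete ..."), prints nothing for verbs that need no firewall change,
# and fails on malformed input so nothing unexpected reaches the shell.
shorewall_cmd() {
    zone=$1 verb=$2 iface=$3 peer=$4
    case "$zone" in
        ''|*[!a-z0-9]*) echo "updown: bad zone '$zone'" >&2; return 1 ;;
    esac
    case "$iface" in
        ''|*[!a-z0-9]*) echo "updown: bad interface '$iface'" >&2; return 1 ;;
    esac
    case "$peer" in
        ''|*[!0-9.]*) echo "updown: bad peer '$peer'" >&2; return 1 ;;
    esac
    case "$verb" in
        up-host|up-client)     echo "add $iface:$peer $zone" ;;
        down-host|down-client) echo "delete $iface:$peer $zone" ;;
        *) ;;   # prepare-*, route-*, unroute-*: routing only, no zone change
    esac
}

updown_main() {
    # Run the stock script first, with no arguments (it keys on
    # "$PLUTO_VERB:$1"), so routes are still installed and removed as usual.
    [ -x "$STOCK_UPDOWN" ] && "$STOCK_UPDOWN"
    args=$(shorewall_cmd "$1" "$PLUTO_VERB" "$PLUTO_INTERFACE" "$PLUTO_PEER") || return 1
    # Shorewall is told the zone explicitly; an unknown zone makes it
    # complain (the behaviour Tom argued for) and the error goes back to pluto.
    [ -n "$args" ] && "$SHOREWALL" $args
}

# Only act when invoked by pluto; sourcing the file for tests does nothing.
if [ -n "$PLUTO_VERB" ]; then
    updown_main "$@"
fi
```

Connections that are not road warriors simply keep the stock _updown in ipsec.conf, so Shorewall is never asked about them.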