Hello, I'm a former Seawall user and I'm getting ready to implement a 3 interface firewall with shorewall to support our new internet/vpn connection. This part seems easy enough, but there is a twist and I want to make sure shorewall will work for me. I've thoroughly read the documentation, and I think it will work, but wanted to run this by the list for verification and/or suggestions before I take down my remote office to try and implement this.

My ISP (Qwest) is doing our VPN for us. This means that traffic from our remote office will come in on our net interface from addresses in the 10.0.1.0/24 range and will need to talk to our local net of 10.0.0.0/24.

If I do this, will it work?

zones -
    tuc    Tucson    Tucson
    net    Net       Internet
    loc    Local     Local networks
    dmz    DMZ       Demilitarized zone

interfaces -
    -      eth0    x.x.x.215       blacklist,norfc1918,logunclean
    loc    eth1    10.0.0.255      routestopped
    dmz    eth2    10.0.100.255    routestopped

hosts -
    tuc    eth0:10.0.1.0/24
    net    eth0:0.0.0.0/0

policy -
    tuc    loc    ACCEPT
    tuc    dmz    ACCEPT
    loc    net    ACCEPT
    net    all    DROP      info
    all    all    REJECT    info

rfc1918 - (1st line)
    10.0.1.0/24    RETURN

Will this work? If so, would it be better to add a 4th interface strictly for our Tucson office?

If that's all good, how do I NOT masq outgoing connections to the 10.0.1.0/24 subnet from our local subnet of 10.0.0.0/24?

Thanks in advance,
Greg
On Wed, 19 Jun 2002, Greg M wrote:

> My ISP (Qwest) is doing our VPN for us. This means that traffic from our
> remote office will come in on our net interface from addresses in the
> 10.0.1.0/24 range and will need to talk to our local net of 10.0.0.0/24.
>
> If I do this, will it work?
>
> zones -
>     tuc    Tucson    Tucson
>     net    Net       Internet
>     loc    Local     Local networks
>     dmz    DMZ       Demilitarized zone
>
> interfaces -
>     -      eth0    x.x.x.215       blacklist,norfc1918,logunclean
>     loc    eth1    10.0.0.255      routestopped
>     dmz    eth2    10.0.100.255    routestopped
>
> hosts -
>     tuc    eth0:10.0.1.0/24
>     net    eth0:0.0.0.0/0
>
> policy -
>     tuc    loc    ACCEPT
>     tuc    dmz    ACCEPT

Do you also want:

    loc    tuc    CONTINUE

or

    loc    tuc    ACCEPT

so that your local systems will have access to Tucson?

>     loc    net    ACCEPT
>     net    all    DROP      info
>     all    all    REJECT    info
>
> rfc1918 - (1st line)
>     10.0.1.0/24    RETURN

Good.

> Will this work? If so, would it be better to add a 4th interface strictly
> for our Tucson office?

No -- that should be alright.

> If that's all good, how do I NOT masq outgoing connections to the
> 10.0.1.0/24 subnet from our local subnet of 10.0.0.0/24?

masq -
    eth0:!10.0.1.0/24    10.0.0.0/24    [ <SNAT Address> ]

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
AIM: tmeastep   \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
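The masq entry Tom gives above is easier to reason about once you see the packet match it turns into. The script below is an added example written for this page, not Shorewall's own compiler and not something posted in this thread: it renders Shorewall 1.x style masq lines (INTERFACE[:[!]DEST]  SUBNET  [ADDRESS]) into the equivalent iptables nat/POSTROUTING commands so the exclusion can be inspected before it is loaded. The SNAT address 192.0.2.210 is a placeholder for the poster's x.x.x.210, and the 10.0.100.0/24 dmz entry is assumed from the eth2 broadcast address in the interfaces file. Shorewall may lay its generated rules out differently, but they match the same packets.

```sh
#!/bin/sh
# Added example: render Shorewall-1.x style /etc/shorewall/masq lines into the
# equivalent iptables nat/POSTROUTING commands. Illustrative code, not
# Shorewall's own rule compiler. 192.0.2.210 is a placeholder SNAT address.

# masq_rule IFACE_SPEC SUBNET [ADDRESS]
#   IFACE_SPEC is "eth0", "eth0:DEST" (only traffic to DEST) or
#   "eth0:!DEST" (everything except traffic to DEST). With ADDRESS the
#   rule is SNAT, otherwise MASQUERADE. Prints one iptables command.
masq_rule() {
    spec=$1 subnet=$2 addr=${3:-}
    iface=${spec%%:*}
    qual=${spec#"$iface"}
    qual=${qual#:}
    dest=""
    case $qual in
        '')    ;;                          # no destination qualifier
        '!'*)  dest="! -d ${qual#!}" ;;    # exclude this destination
        *)     dest="-d $qual" ;;          # restrict to this destination
    esac
    if [ -n "$addr" ]; then
        target="SNAT --to-source $addr"
    else
        target="MASQUERADE"
    fi
    # For SNAT the box will only answer ARP for $addr if that address is
    # actually configured on $iface (Shorewall's ADD_SNAT_ALIASES=Yes does
    # that for you); without it, return traffic for $addr never arrives.
    printf 'iptables -t nat -A POSTROUTING -o %s -s %s %s-j %s\n' \
        "$iface" "$subnet" "${dest:+$dest }" "$target"
}

# render_masq_file < masq-file
#   Reads a masq file on stdin, skips comments and blank lines, and emits
#   one command per entry. Pipe the output into sh to load it.
render_masq_file() {
    while read -r iface_spec subnet addr _; do
        case $iface_spec in ''|'#'*) continue ;; esac
        masq_rule "$iface_spec" "$subnet" "$addr"
    done
}

# Constructed sample masq file mirroring the thread's entry: local LAN is
# SNATed to the placeholder address for everything except the Tucson
# subnet, and the (assumed) dmz subnet is plainly masqueraded.
SAMPLE_MASQ='#INTERFACE            SUBNET          ADDRESS
eth0:!10.0.1.0/24     10.0.0.0/24     192.0.2.210
eth0                  10.0.100.0/24'

printf '%s\n' "$SAMPLE_MASQ" | render_masq_file
```

Running it prints two commands; the first is the one that matters here: `iptables -t nat -A POSTROUTING -o eth0 -s 10.0.0.0/24 ! -d 10.0.1.0/24 -j SNAT --to-source 192.0.2.210`. Traffic from 10.0.0.0/24 to 10.0.1.0/24 falls through POSTROUTING untranslated and reaches Tucson with its real source address, which is what the VPN on the other side expects. Note that nothing in this file, or in the hosts entry `tuc eth0:10.0.1.0/24`, checks that a 10.0.1.x source really came through the ISP's tunnel: the tuc zone is identified purely by source address on eth0, so the rfc1918 RETURN exception should only be trusted as far as the ISP filters what it delivers on that link.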
> On Wed, 19 Jun 2002, Greg M wrote:
>
> > My ISP (Qwest) is doing our VPN
>
> > rfc1918 - (1st line)
> >     10.0.1.0/24    RETURN
>
> Good.

I also needed this for outgoing traffic through eth0 that was destined for 10.0.1.0/24 and therefore not masq'd.

    10.0.0.0/24    RETURN

> > If that's all good, how do I NOT masq outgoing connections to the
> > 10.0.1.0/24 subnet from our local subnet of 10.0.0.0/24?
>
> masq -
>     eth0:!10.0.1.0/24    10.0.0.0/24    [ <SNAT Address> ]

My external IP address is x.x.x.209 and I have

    eth0:!10.0.1.0/24    10.0.0.0/24    x.x.x.210

but this doesn't seem to be working. If I enable ADD_SNAT_ALIASES=Yes my ipsec0 gets set to x.x.x.210 but I want it to be x.x.x.209.

Lastly, our VPN has been erratic since install. In order to get anything to work, my routers and the ISP's routers have been set to an MTU of 1380. I even had to set the MTU on eth0 to 1380.

I read in shorewall.conf about 'brain dead' ISPs blocking ICMP fragmentation needed packets, and the symptoms mentioned are the exact issues we've been having (except MTU 1380 seems to be working).

How can I tell if my ISP is in fact blocking those packets?

Thanks again,
Greg
On Fri, 21 Jun 2002, Greg M wrote:

> > On Wed, 19 Jun 2002, Greg M wrote:
>
> I also needed this for outgoing traffic through eth0 that was destined for
> 10.0.1.0/24 and therefore not masq'd.
>
>     10.0.0.0/24    RETURN

I have no idea what you are talking about but if it will help, 'norfc1918' only applies to inbound traffic.

> > > 10.0.1.0/24 subnet from our local subnet of 10.0.0.0/24?
> >
> > masq -
> >     eth0:!10.0.1.0/24    10.0.0.0/24    [ <SNAT Address> ]
>
> My external IP address is x.x.x.209 and I have
>
>     eth0:!10.0.1.0/24    10.0.0.0/24    x.x.x.210
>
> but this doesn't seem to be working.

"It doesn't work" reports are useless. Had you added x.x.x.210 as an address on eth0 when "it didn't work"?

> If I enable ADD_SNAT_ALIASES=Yes my ipsec0 gets set to x.x.x.210 but I
> want it to be x.x.x.209.

You'll have to figure that out for yourself. I no longer run FreeS/WAN (I experienced too many flaky surprises) and you can read the IPSEC docs as easily as I can. I would think though that if you set 'left' or 'right' (whichever applies) to x.x.x.209 in your ipsec.conf file that FreeS/WAN will do the correct thing.

> Lastly, our VPN has been erratic since install. In order to get anything to
> work, my routers and the ISP's routers have been set to an MTU of 1380. I
> even had to set the MTU on eth0 to 1380.
>
> I read in shorewall.conf about 'brain dead' ISPs blocking ICMP
> fragmentation needed packets, and the symptoms mentioned are the exact
> issues we've been having (except MTU 1380 seems to be working).
>
> How can I tell if my ISP is in fact blocking those packets?

I think you've already answered the question.

-Tom
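The "is my ISP eating ICMP fragmentation-needed?" question from Greg's message can be answered with a direct probe rather than by inference from the symptoms. The script below is an added example for this page, not code from the thread or from Shorewall. It assumes Linux iputils ping (where -M do sets the DF bit and -s gives the ICMP payload size) and the message formats that ping prints, which are quoted in classify_ping; the "From 192.0.2.1 ..." sample output is constructed, not captured from the poster's link.

```sh
#!/bin/sh
# Added example: probe a path for a PMTU "black hole", i.e. a hop that drops
# oversized DF packets without sending back ICMP "fragmentation needed".
# Illustrative script, not from Shorewall. Assumes Linux iputils ping.

# icmp_payload MTU -> ICMP payload size that makes an IPv4 echo request
# exactly MTU bytes on the wire (20-byte IP header + 8-byte ICMP header).
icmp_payload() {
    echo $(( $1 - 28 ))
}

# classify_ping PING_OUTPUT -> one word describing what the probe met:
#   frag-needed  a router answered with ICMP fragmentation-needed (the ICMP
#                is getting through, PMTU discovery can work)
#   local-mtu    the packet never left: your own interface MTU is too small
#   blackhole    no reply and no ICMP error: something drops one of them
#   ok           the probe got through at that size
# The matched strings are iputils ping's messages (assumed format).
classify_ping() {
    out=$1
    case $out in
        *"Frag needed"*|*"frag needed"*)            echo frag-needed ;;
        *"message too long"*|*"Message too long"*)  echo local-mtu ;;
        *" 0 received"*|*"100% packet loss"*)       echo blackhole ;;
        *)                                          echo ok ;;
    esac
}

# probe HOST MTU -> classification of a DF-set probe sized to MTU bytes.
probe() {
    host=$1 mtu=$2
    out=$(ping -M do -c 3 -W 2 -s "$(icmp_payload "$mtu")" "$host" 2>&1)
    classify_ping "$out"
}

# pmtu_check HOST: first confirm the host answers a small ping at all, then
# send a full 1500-byte DF probe. A black hole is only diagnosed when the
# small probe works and the large one vanishes without an ICMP error.
pmtu_check() {
    host=$1
    small=$(probe "$host" 100)
    if [ "$small" != ok ]; then
        echo "host unreachable even at 100 bytes ($small)"; return 2
    fi
    big=$(probe "$host" 1500)
    case $big in
        ok)          echo "1500-byte DF packets pass: no PMTU problem on this path" ;;
        frag-needed) echo "a router reports a smaller MTU: ICMP gets through, PMTU discovery works" ;;
        local-mtu)   echo "your own interface MTU is below 1500; run this from a host with a 1500-byte MTU" ;;
        blackhole)   echo "large DF packets are dropped silently: PMTU black hole"; return 1 ;;
    esac
}

# Constructed iputils output for a router that does return the ICMP error;
# a live pmtu_check run feeds real ping output through the same classifier.
SAMPLE_FRAG_NEEDED='From 192.0.2.1 icmp_seq=1 Frag needed and DF set (mtu = 1380)
--- 192.0.2.99 ping statistics ---
3 packets transmitted, 0 received, +3 errors, 100% packet loss, time 2003ms'
classify_ping "$SAMPLE_FRAG_NEEDED"    # prints: frag-needed

# Only touch the network when a target host is given on the command line.
if [ $# -gt 0 ]; then
    pmtu_check "$1"
fi
```

Run it as `sh pmtu_check.sh <host in Tucson>` from a machine whose own interface still has a 1500-byte MTU; with eth0 already forced to 1380 the large probe dies locally and the script reports local-mtu, which says nothing about the ISP. If you run it from a host behind the firewall, the firewall's 1380-byte eth0 will itself send the fragmentation-needed, so look at the "From" address in the ping output to see which hop answered. A blackhole verdict with a working small ping is the signature of a hop discarding oversized DF packets without the ICMP error, and is the case the CLAMPMSS setting in shorewall.conf exists to work around.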
On Fri, 21 Jun 2002, Tom Eastep wrote:

> On Fri, 21 Jun 2002, Greg M wrote:
>
> > If I enable ADD_SNAT_ALIASES=Yes my ipsec0 gets set to x.x.x.210 but I
> > want it to be x.x.x.209.
>
> You'll have to figure that out for yourself. I no longer run FreeS/WAN (I
> experienced too many flaky surprises) and you can read the IPSEC docs as
> easily as I can. I would think though that if you set 'left' or 'right'
> (whichever applies) to x.x.x.209 in your ipsec.conf file that FreeS/WAN
> will do the correct thing.

From your post it was hard to understand exactly what you are seeing, but if you are seeing the IP of ipsec0 change from x.x.x.209 to x.x.x.210 when you start Shorewall, configuring x.x.x.210 statically (and resetting ADD_SNAT_ALIASES) might help.

I've seen other cases where an operation on the external ethernet interface mistakenly gets applied to ipsec0. This happens if you try to add an ARP cache entry, for example. It is this sort of problem that led me to stop using IPSEC.

-Tom