Bret Hughes
2003-Jan-25 21:07 UTC
[Shorewall-users] multiple ssh tunnels needing different rules
I have a firewall running Shorewall 1.3.13-1 from rpm on a redhat 7.3 box. The box has three nics assigned to zones loc, net and dmz. We also have multiple vpn links accomplished via ssh tunnels. These links all come from dynamic IP addresses with known private subnets behind them.

There are basically two types of networks these vpns connect, one with access to almost everything and one with very limited ssh and mail only access to the loc zone.

The issue that I have is that while I know the internal ip and subnets of the hosts on the far end of the tunnels, I have no control over the interface ppp? that these connections get assigned to.

How can I build rules to not open up everything to all ppp interfaces? Everything I have read implies the knowledge of the interface.

Do I have to restart shorewall every time an interface comes up and do some scripting magic to determine what ppp interface is assigned to which subnet? Is this even possible?

Right now I have separate zones setup for each subnet and they are assigned arbitrarily to ppp[0-4] and all rules allow access to everything needed by the least locked down subnet.

Any pointers to docs that may explain this are appreciated.

Bret
Tom Eastep
2003-Jan-26 06:29 UTC
[Shorewall-users] multiple ssh tunnels needing different rules
--On Saturday, January 25, 2003 11:08 PM -0600 Bret Hughes <bhughes@elevating.com> wrote:

> I have a firewall running Shorewall 1.3.13-1 from rpm on a redhat 7.3
> box. The box has three nics assigned to zones loc, net and dmz. We also
> have multiple vpn links accomplished via ssh tunnels. These links all
> come from dynamic IP addresses with known private subnets behind them.
>
> There are basically two types of networks these vpns connect, one with
> access to almost everything and one with very limited ssh and mail only
> access to the loc zone.
>
> The issue that I have is that while I know the internal ip and subnets
> of the hosts on the far end of the tunnels, I have no control over the
> interface ppp? that these connections get assigned to.
>
> How can I build rules to not open up everything to all ppp interfaces?
> Everything I have read implies the knowledge of the interface.

In /etc/shorewall/zones:

z1
z2
z3
z4

In /etc/shorewall/interfaces:

-       ppp+

In /etc/shorewall/hosts:

z1      ppp+:<remote subnet 1a>[,<remote subnet 1b>, ...]
z2      ppp+:<remote subnet 2a>[,<remote subnet 2b>, ...]
...

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://www.shorewall.net
Washington USA    \ teastep@shorewall.net
Bret Hughes
2003-Jan-26 21:32 UTC
[Shorewall-users] multiple ssh tunnels needing different rules
On Sun, 2003-01-26 at 08:29, Tom Eastep wrote:
>
> --On Saturday, January 25, 2003 11:08 PM -0600 Bret Hughes
> <bhughes@elevating.com> wrote:
>
> > I have a firewall running Shorewall 1.3.13-1 from rpm on a redhat 7.3
> > box. The box has three nics assigned to zones loc, net and dmz. We also
> > have multiple vpn links accomplished via ssh tunnels. These links all
> > come from dynamic IP addresses with known private subnets behind them.
> >
> > There are basically two types of networks these vpns connect, one with
> > access to almost everything and one with very limited ssh and mail only
> > access to the loc zone.
> >
> > The issue that I have is that while I know the internal ip and subnets
> > of the hosts on the far end of the tunnels, I have no control over the
> > interface ppp? that these connections get assigned to.
> >
> > How can I build rules to not open up everything to all ppp interfaces?
> > Everything I have read implies the knowledge of the interface.
>
> In /etc/shorewall/zones:
>
> z1
> z2
> z3
> z4
>
> In /etc/shorewall/interfaces:
>
> -       ppp+
>
> In /etc/shorewall/hosts:
>
> z1      ppp+:<remote subnet 1a>[,<remote subnet 1b>, ...]
> z2      ppp+:<remote subnet 2a>[,<remote subnet 2b>, ...]
> ...

Worked absolutely perfectly the first time through. Thank you very much. This is an outstanding piece of software.

Bret
Tom Eastep
2003-Oct-11 08:42 UTC
[Shorewall-users] multiple ssh tunnels needing different rules
On Sat, 2003-01-25 at 21:08, Bret Hughes wrote:
>
> Do I have to restart shorewall every time an interface comes up and do
> some scripting magic to determine what ppp interface is assigned to
> which subnet? Is this even possible?

Not necessary (may be possible).

> Right now I have separate zones setup for each subnet and they are
> assigned arbitrarily to ppp[0-4] and all rules allow access to
> everything needed by the least locked down subnet.
>
> Any pointers to docs that may explain this are appreciated.

/etc/shorewall/zones

vpn1    Hither  First VPN Remote Network
vpn2    Dither  Second VPN Remote Network
vpn3    Yon     Third VPN Remote Network

/etc/shorewall/interfaces:

-       ppp+    -

/etc/shorewall/hosts:

vpn1    ppp+:<subnet 1>
vpn2    ppp+:<subnet 2>
vpn3    ppp+:<subnet 3>

Now set up access rules based strictly on zones.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
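An added illustration (not code from this thread or from Shorewall itself) of the lookup that Tom's hosts file expresses: the zone is decided by the remote subnet, and the ppp+ wildcard matches any ppp interface, so the ppp number a tunnel happens to receive no longer matters. The sample subnets, the simplified parser and the overlap check are assumptions made for this example.

```python
import ipaddress

# Constructed sample in the /etc/shorewall/hosts layout shown in the thread
# (zone, then interface:subnet[,subnet...]); the subnets are made up.
HOSTS_FILE = """\
#ZONE   HOSTS
vpn1    ppp+:10.1.0.0/24,10.1.1.0/24
vpn2    ppp+:10.2.0.0/24
vpn3    ppp+:10.3.0.0/24
"""

def parse_hosts(text):
    """Return a list of (zone, interface_pattern, [networks]) entries."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        zone, spec = line.split(None, 1)
        iface, subnets = spec.split(":", 1)
        nets = [ipaddress.ip_network(s.strip()) for s in subnets.split(",")]
        entries.append((zone, iface, nets))
    return entries

def iface_matches(pattern, name):
    """iptables-style wildcard: a trailing '+' matches any suffix (ppp+ -> ppp0, ppp3, ...)."""
    if pattern.endswith("+"):
        return name.startswith(pattern[:-1])
    return name == pattern

def zone_for(entries, iface, src_ip):
    """Zone of a packet arriving on `iface` from `src_ip`; None if no entry covers it."""
    addr = ipaddress.ip_address(src_ip)
    for zone, pattern, nets in entries:
        if iface_matches(pattern, iface) and any(addr in n for n in nets):
            return zone
    return None

def overlapping_zones(entries):
    """Pairs of zones whose subnets overlap: a packet could then fit two zones,
    which is the kind of ambiguity to catch before trusting zone-based rules."""
    clashes = set()
    for i, (z1, _, n1s) in enumerate(entries):
        for z2, _, n2s in entries[i + 1:]:
            if z1 != z2 and any(a.overlaps(b) for a in n1s for b in n2s):
                clashes.add((z1, z2))
    return sorted(clashes)

ENTRIES = parse_hosts(HOSTS_FILE)
```

The same source address lands in the same zone whether the tunnel came up as ppp0 or ppp3, while an address outside every declared subnet, or one arriving on a non-ppp interface, matches no VPN zone at all.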
Tom Eastep
2003-Oct-11 16:09 UTC
[Shorewall-users] multiple ssh tunnels needing different rules
On Sat, 11 Oct 2003, Tom Eastep wrote:
>
> > Any pointers to docs that may explain this are appreciated.
>
> /etc/shorewall/zones
>
> vpn1    Hither  First VPN Remote Network
> vpn2    Dither  Second VPN Remote Network
> vpn3    Yon     Third VPN Remote Network
>
> /etc/shorewall/interfaces:
>
> -       ppp+    -
>
> /etc/shorewall/hosts:
>
> vpn1    ppp+:<subnet 1>
> vpn2    ppp+:<subnet 2>
> vpn3    ppp+:<subnet 3>
>
> Now set up access rules based strictly on zones.

I've also updated http://shorewall.net/PPTP.htm#ServerFW to include this information.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net