I have tried to add OpenVPN support to shorewall. OpenVPN works fine and the changes to shorewall seem to work fine too. There is only one thing I don't understand: While testing, I changed the port for OpenVPN in the tunnels file to 7777 instead of 5000 and expected my OpenVPN to stop running after restarting shorewall. Although the iptables chains got modified, the current connection on port 5000 kept working and so did OpenVPN. I tried shorewall stop, clear, reset, restart but it didn't help, only restarting the box did help. What do I miss here?

Attached patches are against shorewall-1.3.13.

TIA
Simon

-------------- next part --------------
A non-text attachment was scrubbed...
Name: tunnel.diff
Type: application/octet-stream
Size: 2189 bytes
Desc: not available
Url : http://lists.shorewall.net/pipermail/shorewall-users/attachments/20030131/912afa01/tunnel.obj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: firewall.diff
Type: application/octet-stream
Size: 1443 bytes
Desc: not available
Url : http://lists.shorewall.net/pipermail/shorewall-users/attachments/20030131/912afa01/firewall.obj
OoO On this radiant late morning of Friday 31 January 2003, at about 11:27, Simon Matter <simon.matter@ch.sauter-bc.com> said:

> While testing, I changed the port for OpenVPN in the tunnels file to
> 7777 instead of 5000 and expected my OpenVPN to stop running after
> restarting shorewall. Although the iptables chains got modified, the
> current connection on port 5000 kept working and so did OpenVPN. I
> tried shorewall stop, clear, reset, restart but it didn't help, only
> restarting the box did help. What do I miss here?

There is no way to empty the conntrack table. So, until the conntrack entry times out, it will be possible to continue to use the port 5000.

--
Make sure comments and code agree.
- The Elements of Programming Style (Kernighan & Plauger)
--On Friday, January 31, 2003 11:27:22 AM +0100 Simon Matter <simon.matter@ch.sauter-bc.com> wrote:

>
> Attached patches are against shorewall-1.3.13.
>

I would like to propose the additional changes implemented by my attached patches. They avoid having to add an additional 'tunnels' column that is unique to openvpn tunnels.

They should apply cleanly although the firewall patch will be offset.

-Tom

PS -- I will also be patching my copy to remove the stutter ("setup_setup_openvpn...") :-)

--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net

-------------- next part --------------
A non-text attachment was scrubbed...
Name: firewall.diff1
Type: application/octet-stream
Size: 1200 bytes
Desc: not available
Url : http://lists.shorewall.net/pipermail/shorewall-users/attachments/20030131/5eaecb74/firewall.obj
--On Friday, January 31, 2003 12:25 PM +0100 Vincent Bernat <bernat@free.fr> wrote:

>
> There is no way to empty the conntrack table. So, until the conntrack
> entry times out, it will be possible to continue to use the port 5000.
>

And of course as long as you are using the tunnel, the conntrack entry won't time out...

-Tom

--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
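The two replies above (the conntrack entry outlives the rule change, and it never times out while the tunnel keeps sending) describe a general property of stateful filtering. The following toy model, added here as an illustration and not code from Shorewall, netfilter or anyone in the thread, separates the two tables a stateful firewall keeps: the rule set, which is consulted only for the first packet of a flow, and the connection-tracking table, which passes later packets of a known flow until its entry expires. Reloading the rules touches only the first table. The addresses, the 180 s timeout (the Linux default for UDP entries that have seen traffic in both directions) and the packet timeline are constructed for the example.

```python
from dataclasses import dataclass

# Constructed model values; the thread does not state any timeout.
# 180 s matches the Linux default for UDP conntrack entries in "stream" state.
UDP_STREAM_TIMEOUT = 180


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    dst: str
    sport: int
    dport: int

    def reverse(self) -> "Flow":
        """Reply direction; a conntrack entry matches packets both ways."""
        return Flow(self.proto, self.dst, self.src, self.dport, self.sport)


@dataclass
class Entry:
    last_seen: float
    packets: int = 0


class StatefulFirewall:
    """A rule table (NEW flows only) plus a connection-tracking table."""

    def __init__(self, allowed_dports, timeout=UDP_STREAM_TIMEOUT):
        self.allowed_dports = set(allowed_dports)
        self.timeout = timeout
        self.conntrack = {}  # Flow in its original direction -> Entry

    def reload_rules(self, allowed_dports):
        """Models 'shorewall restart': chains are rebuilt, conntrack is untouched."""
        self.allowed_dports = set(allowed_dports)

    def flush(self):
        """Models a reboot: the tracking table starts empty."""
        self.conntrack.clear()

    def _expire(self, now):
        for flow, entry in list(self.conntrack.items()):
            if now - entry.last_seen > self.timeout:
                del self.conntrack[flow]

    def _lookup(self, flow):
        return self.conntrack.get(flow) or self.conntrack.get(flow.reverse())

    def packet(self, flow, now):
        """Decide one packet at time `now` (seconds) and return the verdict."""
        self._expire(now)
        entry = self._lookup(flow)
        if entry is not None:
            entry.last_seen = now  # any traffic on the flow refreshes its timer
            entry.packets += 1
            return "ACCEPT (ESTABLISHED)"
        if flow.dport in self.allowed_dports:
            self.conntrack[flow] = Entry(last_seen=now, packets=1)
            return "ACCEPT (NEW)"
        return "DROP"


def demo():
    """Replays the scenario from the thread; returns the verdict at each step."""
    fw = StatefulFirewall(allowed_dports={5000})
    # Constructed documentation-range addresses for the OpenVPN peers.
    client = Flow("udp", "192.0.2.10", "198.51.100.5", 5000, 5000)
    result = {}
    result["first_packet"] = fw.packet(client, now=0)            # rule table: allowed
    result["reply"] = fw.packet(client.reverse(), now=1)         # matches the entry
    fw.reload_rules({7777})       # port changed in the tunnels file, shorewall restarted
    result["after_restart"] = fw.packet(client, now=10)          # entry still there
    for t in range(20, 200, 10):  # tunnel keepalives keep refreshing the timer
        fw.packet(client, now=t)
    result["still_working"] = fw.packet(client, now=200)
    # Tunnel goes quiet for longer than the timeout: the entry is gone,
    # and a fresh flow to 5000 is now judged by the new rules.
    result["after_idle"] = fw.packet(client, now=200 + UDP_STREAM_TIMEOUT + 1)
    new_port = Flow("udp", "192.0.2.10", "198.51.100.5", 7777, 7777)
    result["new_on_7777"] = fw.packet(new_port, now=400)
    return result


if __name__ == "__main__":
    for step, verdict in demo().items():
        print(f"{step:14s} {verdict}")
```

The model makes the point from both replies visible: the verdict on port 5000 stays ACCEPT after the rule change for as long as packets keep arriving, and flips to DROP only once the flow has been idle past the timeout. On current kernels the same table can be emptied with the conntrack-tools utility (`conntrack -F`), which is what `flush()` stands for here; in 2003 a reboot was the practical equivalent.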
Tom Eastep wrote:

>
> --On Friday, January 31, 2003 11:27:22 AM +0100 Simon Matter
> <simon.matter@ch.sauter-bc.com> wrote:
>
> >
> > Attached patches are against shorewall-1.3.13.
> >
>
> I would like to propose the additional changes implemented by my attached
> patches. They avoid having to add an additional 'tunnels' column that is
> unique to openvpn tunnels.

Good idea, makes perfect sense.
In fact, I have first tried to do it like you do it with IPSEC to allow using OPENVPN with nat too. Unfortunately I got so confused about the conntrack thing that I completely removed those changes again. Would it make sense to do OPENVPN similar to IPSEC?

Simon

>
> They should apply cleanly although the firewall patch will be offset.
>
> -Tom
>
> PS -- I will also be patching my copy to remove the stutter
> ("setup_setup_openvpn...") :-)

cut_n_p_p_p_paste :)

> --
> Tom Eastep    \ Shorewall - iptables made easy
> Shoreline,     \ http://www.shorewall.net
> Washington USA  \ teastep@shorewall.net
>
> ------------------------------------------------------------------------
>                  Name: firewall.diff1
>    firewall.diff1 Type: Not specified (application/octet-stream)
>                  Encoding: base64
>
>                  Name: tunnels.diff
>    tunnels.diff   Type: Not specified (application/octet-stream)
>                  Encoding: base64
>
> ------------------------------------------------------------------------
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.shorewall.net
> http://lists.shorewall.net/mailman/listinfo/shorewall-users
--On Friday, January 31, 2003 4:34 PM +0100 Simon Matter <simon.matter@ch.sauter-bc.com> wrote:

>
> Good idea, makes perfect sense.
> In fact, I have first tried to do it like you do it with IPSEC to allow
> using OPENVPN with nat too. Unfortunately I got so confused about the
> conntrack thing that I completely removed those changes again. Would it
> make sense to do OPENVPN similar to IPSEC?
>

The version now in CVS has that change.

Thanks again,
-Tom

--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net