On Friday, January 31, 2003 3:30 PM +0100 Ad Koster <lidad@zeelandnet.nl> wrote:
> Currently we are using Shorewall on our VPN-server. Besides some static
> connections we also have several roadwarriors connecting to our network.
>
> Is it possible to configure Shorewall in such a way that each roadwarrior can
> only access a selected port range (rw1 -> port 3389 ; rw2 -> port 3389,
> 21, 23 etc.)?
>
Yes -- that is the purpose of dynamic zones. See
http://www.shorewall.net/IPSEC.htm.
Dynamic zones depend on your VPN software being able to identify the
individual RW, then execute a "shorewall add" command to add the RW's client
IP address to the dynamic zone corresponding to that RW's access rights.
When the RW disconnects, your VPN software must be able to issue a
"shorewall delete" command to delete the client IP address from the
zone.
In FreeS/WAN, the above is accomplished using the 'updown' script to
execute the 'shorewall' commands.
-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://www.shorewall.net
Washington USA \ teastep@shorewall.net
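The following is an added example of the kind of updown hook Tom describes; it is not code from the original post or from the Shorewall or FreeS/WAN projects. It assumes FreeS/WAN's standard environment variables (PLUTO_VERB, PLUTO_CONNECTION, PLUTO_PEER_CLIENT), that the IPsec traffic arrives on ipsec0, that the stock script lives at /usr/lib/ipsec/_updown, and that each roadwarrior has its own connection name (rw1, rw2) mapped to a dynamic zone of the same name; all of those names are assumptions, and the exact "shorewall add" syntax for your version is documented at the IPSEC.htm page cited above.

```shell
#!/bin/sh
# Hypothetical FreeS/WAN "updown" wrapper (added example, not from the
# original post or the Shorewall project). Point leftupdown= in ipsec.conf at
# this script. pluto runs it with PLUTO_VERB (up-client, down-client, ...),
# PLUTO_CONNECTION (the conn name) and PLUTO_PEER_CLIENT (the roadwarrior's
# client address as addr/mask) in the environment.

IPSEC_IFACE="ipsec0"                   # assumed interface the SAs terminate on
REAL_UPDOWN="/usr/lib/ipsec/_updown"   # assumed path of the stock updown script

# Map a FreeS/WAN connection name to the Shorewall dynamic zone holding that
# roadwarrior's access rights. Assumed names: conn rw1 -> zone rw1, etc.
zone_for_conn() {
    case "$1" in
        rw1) echo "rw1" ;;
        rw2) echo "rw2" ;;
        *)   return 1 ;;   # unknown connection: no zone, so no shorewall action
    esac
}

# Build the shorewall subcommand for a verb / peer client / connection.
# Prints e.g. "add ipsec0:192.0.2.10 rw1"; prints nothing for verbs that
# need no zone change (up-host, down-host, ...); fails for unknown conns.
shorewall_args() {
    verb="$1"; client="$2"; conn="$3"
    zone=$(zone_for_conn "$conn") || return 1
    # A single roadwarrior host arrives as addr/32; "shorewall add" wants
    # interface:address, so strip the /32 (assumption: host addresses only).
    host="${client%/32}"
    case "$verb" in
        up-client)   echo "add $IPSEC_IFACE:$host $zone" ;;
        down-client) echo "delete $IPSEC_IFACE:$host $zone" ;;
        *)           return 0 ;;
    esac
}

# Entry point when pluto runs us: adjust the dynamic zone, then hand over to
# the stock _updown so routes are still installed and removed as usual.
if [ -n "${PLUTO_VERB:-}" ]; then
    args=$(shorewall_args "$PLUTO_VERB" "${PLUTO_PEER_CLIENT:-}" "${PLUTO_CONNECTION:-}") \
        && [ -n "$args" ] && shorewall $args   # word-splitting of $args intended
    exec "$REAL_UPDOWN" "$@"
fi
```

With the client added to zone rw1 while its tunnel is up, the per-roadwarrior port restriction from the question becomes an ordinary zone rule (for example, a rules entry that ACCEPTs rw1 to loc on tcp 3389 only), and the delete on down-client removes the access again as soon as the SA goes away.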