Hello... I am trying to set up a new box with LEAF and Shorewall to act primarily as an IPSEC server for access to our LAN. I am going to have users use certificates and would like them to be able to connect from any IP. The problem with that is that the computers on the LAN then cannot tell who is who. I have found a wonderful solution to this, but have a problem getting it to work with Shorewall. Here is the link to the original solution: http://lists.freeswan.org/archives/users/2002-December/016859.html I have modified it slightly by using the /etc/hosts file instead of DNS, but the core of the solution is still the same. I would like to be able to filter the packets with Shorewall after their source address has been re-written, to allow only certain types of packets through. Any suggestions are appreciated. Thank you, Leonid Entov.
Leonid Entov wrote:
> I would like to be able to filter the packets with shorewall after their
> source address has been re-written to allow only certain types of packets
> through.

The Shorewall solution is to use Dynamic Zones -- see the Shorewall IPSEC documentation.

-Tom
--
Tom Eastep       \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
Thank you for the response. I have looked at the described way of doing this, but I have a couple of problems with it. From the firewall's standpoint the roadwarriors would actually be the same - just some basic filtering and traffic restrictions. The actual per-user "discrimination" would happen at the server behind the firewall, and I would like to identify the user by IP there. Also - I am going to have at least a dozen of these roadwarriors and I do not want to deal with an individual zone for each of them. Thank you, Leonid.
entov@entov.myip.org wrote:
> The actual per user "discrimination" would
> happen at the server behind the firewall and
> I would like to identify user by IP there.
>
> Also - I am going to have at least a dozen
> of these roadwarriors and I do not want to
> deal with individual zone for each of them.

And they each have different firewalling requirements??? At any rate, if you don't like that solution you are pretty much on your own. "shorewall show nat" will show you how Shorewall has configured the nat table. You can create separate chains as described in the documentation linked from your earlier post -- just be sure you put the jumps to those chains in the correct order with the jumps that Shorewall generates. You can place your commands in /etc/shorewall/start. Placing your NAT rules in separate chains won't stop you from losing them during a "shorewall restart". If that is a problem, you'll need to keep track of which users are connected so that you can restore the rules in /etc/shorewall/start.

-Tom
--
Tom Eastep       \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
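A sketch of what Tom's suggestion could look like in practice, as an added example that is not code from this thread, from Shorewall or from the freeswan post: the per-roadwarrior source rewriting lives in its own nat chain, and /etc/shorewall/start rebuilds that chain from a tracking file so the rules come back after "shorewall restart". The tracking file format ("<user> <tunnel-ip> <lan-alias-ip>", one connected user per line, maintained by the IPsec updown script), the chain name ipsec_rw and the LAN interface eth1 are all assumptions.

```shell
#!/bin/sh
# Added example (not the thread's, Shorewall's or freeswan's code): commands an
# /etc/shorewall/start script could run to keep the roadwarrior SNAT rules in a
# separate nat chain and restore them from a tracking file after a restart.
# Assumed (hypothetical) tracking file, one connected user per line:
#   <user> <tunnel-ip> <lan-alias-ip>

RW_CHAIN=${RW_CHAIN:-ipsec_rw}   # our own chain, kept apart from Shorewall's
LAN_IF=${LAN_IF:-eth1}           # interface facing the LAN (assumption)

# True if $1 looks like a dotted-quad IPv4 address (syntax check only).
rw_is_ip() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Print the iptables commands that rebuild the chain from tracking file $1.
# Malformed entries are skipped and reported; the function then returns 1.
rw_commands() {
    rc=0
    echo "iptables -t nat -N $RW_CHAIN"
    # Insert at position 1 so our SNAT is evaluated before any MASQUERADE
    # rule Shorewall generated ("shorewall show nat" shows the order).
    echo "iptables -t nat -I POSTROUTING 1 -o $LAN_IF -j $RW_CHAIN"
    while read -r user tun_ip lan_ip extra; do
        case $user in ''|'#'*) continue ;; esac
        if [ -n "$extra" ] || ! rw_is_ip "$tun_ip" || ! rw_is_ip "$lan_ip"; then
            echo "rw: skipping malformed entry for '$user'" >&2
            rc=1
            continue
        fi
        # One rule per connected user: tunnel address -> that user's LAN alias,
        # so hosts on the LAN can tell the roadwarriors apart by source IP.
        echo "iptables -t nat -A $RW_CHAIN -s $tun_ip -j SNAT --to-source $lan_ip"
    done < "$1"
    return $rc
}

# Apply the rules for real: remove any stale copy of the chain first so the
# script is safe to run repeatedly, then execute the generated commands.
rw_apply() {
    iptables -t nat -D POSTROUTING -o "$LAN_IF" -j "$RW_CHAIN" 2>/dev/null
    iptables -t nat -F "$RW_CHAIN" 2>/dev/null
    iptables -t nat -X "$RW_CHAIN" 2>/dev/null
    rw_commands "$1" | sh
}
```

Running rw_commands alone (without rw_apply) prints the rules so they can be reviewed before they are applied.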