Hello,

I have a problem and I do not know yet what the best solution is to solve it.

I now have two tunnels with OpenVPN to the Linux server with shorewall installed.

I do not want that those tunnels can reach each other. A possibility would be to add per VPN connection a physical ethernet device and place the VPN connection in this LAN, but this is physically not possible :-)

Can I somehow add virtual network cards to accomplish this?

I hope it is clear what I mean. Thanks

--
Regards, Peter
DFA - Dalnet Flood Association
- Do you have a Dreambox 7000S? Have a look at http://www.dreamvcr.com
- Also see http://www.lindeman.org - ICQ 22383596
- Uptime lindeman.org - 4 days, 20 hours and 58 minutes, 0 users logged in.
Peter wrote on 20/07/2004 15:28:38:

> I now have two tunnels with OpenVPN to the Linux server with shorewall
> installed.
>
> I do not want that those tunnels can reach each other.

You could put each tunnel in a zone defined by their tunnels and create a policy line to drop any traffic from one zone to the other.

In your zones file:

    vpn1    FirstVPN
    vpn2    SecondVPN
    ...

In your interfaces file (the zone comes first, then the interface):

    vpn1    tun0
    vpn2    tun1
    ...

In your policy file:

    vpn1    vpn2    DROP
    vpn2    vpn1    DROP

Hope it helps...

________________________
Eduardo Ferreira
Icatu Holding S.A.
IT Supervisor
(5521) 3804-8606
On Tue, 2004-07-20 at 20:28 +0200, Peter Lindeman wrote:
> Hello,
>
> I have a problem and I do not know yet what the best solution is to
> solve it.
>
> I now have two tunnels with OpenVPN to the Linux server with shorewall
> installed.
>
> I do not want that those tunnels can reach each other. A possibility
> would be to add per VPN connection a physical ethernet device and place
> the VPN connection in this LAN but this is physically not possible :-)
>
> Can I somehow add virtual network cards to accomplish this?
>
> I hope it is clear what I mean. Thanks

If one tunnel is on tun0 and the other is tun1, have both of those in different zones and make the policy between them DROP or REJECT (or just take the default 'deny all' policy). No separate Ethernet device is necessary.

--
David T Hollis <dhollis@davehollis.com>
Eduardo Ferreira wrote:
>> I now have two tunnels with OpenVPN to the Linux server with shorewall
>> installed.
>>
>> I do not want that those tunnels can reach each other.
>
> you could put each tunnel in a zone defined by their tunnels and create a
> policy line to drop any traffic from one zone to the other.
>
> in your zone file:
> vpn1 FirstVPN
> vpn2 SecondVPN
> ....
> in your interfaces file:
> tun0 vpn1
> tun1 vpn2
> ....
> in your policy file:
> vpn1 vpn2 DROP
> vpn2 vpn1 DROP
>
> hope it helps...

Thanks, I'm using the tap devices but I guess for tap the same rule applies? I only then have to force somehow that first the tap devices are being created and after that shorewall starts, otherwise I expect shorewall not to start.

I am going to try this tomorrow when I'm at the system!

--
Regards, Peter
Peter Lindeman wrote:
> Thanks, I'm using the tap devices but I guess for tap the same rule
> applies? I only then have to force somehow that first the tap devices
> are being created and after that shorewall starts otherwise I expect
> shorewall not to start.

Shorewall will start fine if you don't use features that require the device to be started first (like "detect" in the BROADCAST column).

-Tom
--
Tom Eastep       \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
On Tue, 2004-07-20 at 20:59 +0200, Peter Lindeman wrote:
> Thanks, I'm using the tap devices but I guess for tap the same rule
> applies? I only then have to force somehow that first the tap devices
> are being created and after that shorewall starts otherwise I expect
> shorewall not to start.
>
> I am going to try this tomorrow when I'm at the system!

You could "prime the pump" using the --mktun option of openvpn. A quick script could create the tap0, tap1 devices prior to Shorewall startup.

--
David T Hollis
Tom Eastep wrote:
>> Thanks, I'm using the tap devices but I guess for tap the same rule
>> applies? I only then have to force somehow that first the tap devices
>> are being created and after that shorewall starts otherwise I expect
>> shorewall not to start.
>
> Shorewall will start fine if you don't use features that require the
> device to be started first (like "detect" in the BROADCAST column).

Ok, I'm going to try it tomorrow. From what I understand I should specify the broadcast address then so it can start up if the interface is not there yet.

--
Regards, Peter
Peter Lindeman wrote:
> Tom Eastep wrote:
>> Shorewall will start fine if you don't use features that require the
>> device to be started first (like "detect" in the BROADCAST column).
>
> Ok, I'm going to try it tomorrow. From what I understand I should
> specify the broadcast address then so it can start up if the interface is
> not there yet.

Yes, that's correct. You also don't want to specify 'detectnets' as an option.

-Tom
Tom Eastep wrote:
>> Ok, I'm going to try it tomorrow. From what I understand I should
>> specify the broadcast address then so it can start up if the interface
>> is not there yet.
>
> Yes, that's correct. You also don't want to specify 'detectnets' as an
> option.

OK ;-) Is there a limit on the max number of zones etc. I can specify, or is it 'unlimited' as long as there are enough machine resources?

--
Regards, Peter
Peter Lindeman wrote:
> Tom Eastep wrote:
>> Yes, that's correct. You also don't want to specify 'detectnets' as an
>> option.
>
> OK ;-) Is there a limit on the max number of zones etc. I can specify, or is it
> 'unlimited' as long as there are enough machine resources?

The actual limit is probably determined by how long you are willing to wait for "shorewall start" to complete :-)

The time for several phases of [re]start is the proportional to the square of the number of networks you have defined, where a network is a <zone>:<interface>:[<bridge port>:]:<cidr> tuple. Note that each non-empty zone comprises at least one network.

-Tom
Tom Eastep wrote:
> The actual limit is probably determined by how long you are willing to
> wait for "shorewall start" to complete :-)
>
> The time for several phases of [re]start is the proportional to the
> square of the number of networks you have defined where a network is a
> <zone>:<interface>:[<bridge port>:]:<cidr> tuple. Note that each
> non-empty zone comprises at least one network.

Let me try that last paragraph again:

The time for several phases of [re]start is proportional to the square of the number of networks you have defined, where a network is a <zone>:<interface>:[<bridge port>:]:<cidr> tuple. Note that each non-empty zone comprises at least one network.

-Tom
Peter Lindeman wrote:
>> Shorewall will start fine if you don't use features that require the
>> device to be started first (like "detect" in the BROADCAST column).
>
> Ok, I'm going to try it tomorrow. From what I understand I should
> specify the broadcast address then so it can start up if the interface is
> not there yet.

This is working great now on the machine! For the VPNs I defined small LANs with a 255.255.255.252 mask and now I can do exactly what I needed.

--
Regards, Peter
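Putting the thread's advice together, as an added example that is not from any of the posters: Shorewall 2.x-style zones, interfaces and policy fragments for two OpenVPN tap tunnels, each on its own /30 as Peter ended up doing, with the broadcast address written explicitly (no "detect") and no detectnets option so "shorewall start" succeeds before the tap devices exist. The zone names, eth0/tap0/tap1, the fw zone name and the 10.8.0.0/30 and 10.8.0.4/30 addresses are constructed assumptions.

```text
# /etc/shorewall/zones        (ZONE   DISPLAY    COMMENTS)
net     Net        Internet via eth0
vpn1    FirstVPN   OpenVPN tunnel 1 on tap0
vpn2    SecondVPN  OpenVPN tunnel 2 on tap1

# /etc/shorewall/interfaces   (ZONE   INTERFACE  BROADCAST   OPTIONS)
# eth0 exists at boot, so "detect" is safe there.
# tap0/tap1 may not exist yet when Shorewall starts: give the broadcast
# address of each /30 explicitly and do not use the detectnets option.
net     eth0       detect
vpn1    tap0       10.8.0.3
vpn2    tap1       10.8.0.7

# /etc/shorewall/policy       (SOURCE  DEST  POLICY  LOG LEVEL)
# The two tunnels may talk to the firewall itself but never to each other.
vpn1    fw         ACCEPT
vpn2    fw         ACCEPT
vpn1    vpn2       DROP     info
vpn2    vpn1       DROP     info
net     all        DROP     info
all     all        REJECT   info

# Optional "prime the pump" step from the thread, run from a boot script
# before "shorewall start" if any feature does need the devices present:
#   openvpn --mktun --dev tap0
#   openvpn --mktun --dev tap1
```

With the two DROP policies logged at "info", any packet one tunnel sends toward the other shows up in the kernel log, which is the easiest way to confirm the isolation actually holds after "shorewall restart".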