hi,
we use openvpn for our vpn endpoints and we've got about 70-80 vpn
connections, which means we have tun0 - tun80 interfaces. i'd like to
define one zone for all of our vpn connections. how can I do that?
actually our local zone is 192.168.0.0/17 (not /16) and all of the vpns
are in 192.168.128.0/17. or should i define somehow the local zone as
192.168.0.0/16? but in this case i can't use the eth interface as our
local zone definition.
so what is the solution in case of shorewall? is it possible to define
the vpn zone without listing all the 80 tun interfaces as part of the
vpn zone?
thank you for your help in advance.
yours.

--
 Levente "Si vis pacem para bellum!"
> hi,
> we use openvpn for our vpn endpoints and we've got about 70-80 vpn
> connections, which means we have tun0 - tun80 interfaces. i'd like to
> define one zone for all of our vpn connections. how can I do that?
> actually our local zone is 192.168.0.0/17 (not /16) and all of the vpns
> are in 192.168.128.0/17. or should i define somehow the local zone as
> 192.168.0.0/16? but in this case i can't use the eth interface as our
> local zone definition.
> so what is the solution in case of shorewall? is it possible to define
> the vpn zone without listing all the 80 tun interfaces as part of the
> vpn zone?
> thank you for your help in advance.
> yours.
>
> --
>  Levente "Si vis pacem para bellum!"
>

put all the interfaces into one zone.

--
Jack At Monkeynoodle.Org: It's A Scientific Venture...
"Believe what you're told; there'd be chaos if everyone thought for
themselves." -- Top Dog hotdog stand, Berkeley, CA
Hi again! I have one fw with four nics: 2 DMZ, 1 lan and 1 wan. In the wan I have 2 different subnets. How do I set up, in the simple form, the second subnet in shorewall for dmz use? Thanks
Jack Coates wrote:
>> hi,
>> we use openvpn for our vpn endpoints and we've got about 70-80 vpn
>> connections, which means we have tun0 - tun80 interfaces. i'd like to
>> define one zone for all of our vpn connections. how can I do that?
>> actually our local zone is 192.168.0.0/17 (not /16) and all of the vpns
>> are in 192.168.128.0/17. or should i define somehow the local zone as
>> 192.168.0.0/16? but in this case i can't use the eth interface as our
>> local zone definition.
>> so what is the solution in case of shorewall? is it possible to define
>> the vpn zone without listing all the 80 tun interfaces as part of the
>> vpn zone?
>> thank you for your help in advance.
>> yours.
>>
>> --
>>  Levente "Si vis pacem para bellum!"
>>
>
>
> put all the interfaces into one zone.

that's what i don't really like...

--
 Levente "Si vis pacem para bellum!"
What is the reason you do not like that approach?

----- Original Message -----
From: "Farkas Levente" <lfarkas@bppiac.hu>
To: "Mailing List for Shorewall Users" <shorewall-users@lists.shorewall.net>
Sent: Friday, August 06, 2004 4:04 PM
Subject: Re: [Shorewall-users] how to define a dozens of interface as one zone

> Jack Coates wrote:
> >> hi,
> >> we use openvpn for our vpn endpoints and we've got about 70-80 vpn
> >> connections, which means we have tun0 - tun80 interfaces. i'd like to
> >> define one zone for all of our vpn connections. how can I do that?
> >> actually our local zone is 192.168.0.0/17 (not /16) and all of the vpns
> >> are in 192.168.128.0/17. or should i define somehow the local zone as
> >> 192.168.0.0/16? but in this case i can't use the eth interface as our
> >> local zone definition.
> >> so what is the solution in case of shorewall? is it possible to define
> >> the vpn zone without listing all the 80 tun interfaces as part of the
> >> vpn zone?
> >> thank you for your help in advance.
> >> yours.
> >>
> >> --
> >>  Levente "Si vis pacem para bellum!"
> >>
> >
> >
> > put all the interfaces into one zone.
>
> that's what i don't really like...
>
>
>
> --
> Levente "Si vis pacem para bellum!"
>
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
>
Eduardo Ferreira
2004-Aug-06  21:01 UTC
Re: how to define a dozens of interface as one zone
Farkas wrote on 06/08/2004 17:04:12:
> Jack Coates wrote:
> >> hi,
> >> so what is the solution in case of shorewall? is it possible to define
> >> the vpn zone without listing all the 80 tun interfaces as part of the
> >> vpn zone?
> >> thank you for your help in advance.
> >> yours.
> >>
> >> --
> >>  Levente "Si vis pacem para bellum!"
> >>
> >
> >
> > put all the interfaces into one zone.
>
> that's what i don't really like...
>

You should note that if you define 80 zones, one for each vpn tunnel, you
will end with a HUGE set of rules - I don't know if it would affect
performance any way, but...

cheers,
________________________
Eduardo Ferreira
Icatu Holding S.A.
Supervisor de TI
(5521) 3804-8606
Farkas Levente wrote:
> we use openvpn for our vpn endpoints and we've got about 70-80 vpn
> connections, which means we have tun0 - tun80 interfaces. i'd like to
> define one zone for all of our vpn connections. how can I do that?
> actually our local zone is 192.168.0.0/17 (not /16) and all of the vpns
> are in 192.168.128.0/17. or should i define somehow the local zone as
> 192.168.0.0/16? but in this case i can't use the eth interface as our
> local zone definition.
> so what is the solution in case of shorewall? is it possible to define
> the vpn zone without listing all the 80 tun interfaces as part of the
> vpn zone?

I would suggest using bridging. Please read the full story on
http://fedoranews.org/contributors/florin_andrei/openvpn/
This document describes very well how to do it.

--
Groeten,
Peter
NO! Not that button!
- - Heb je een Dreambox 7000S ? - Kijk eens op http://www.dreamvcr.com
- Kijk ook op http://www.lindeman.org - ICQ 22383596
- Uptime lindeman.org - 21 days, 23 hours and 40 minutes, 1 user logged in.
Eduardo Ferreira wrote:
> Farkas wrote on 06/08/2004 17:04:12:
>
>> Jack Coates wrote:
>>
>>>> hi,
>>>> so what is the solution in case of shorewall? is it possible to define
>>>> the vpn zone without listing all the 80 tun interfaces as part of the
>>>> vpn zone?
>>>> thank you for your help in advance.
>>>> yours.
>>>>
>>>> --
>>>>  Levente "Si vis pacem para bellum!"
>>>>
>>>
>>>
>>> put all the interfaces into one zone.
>>
>> that's what i don't really like...
>>
>
> You should note that if you define 80 zones, one for each vpn tunnel, you
> will end with a HUGE set of rules - I don't know if it would affect
> performance any way, but...

maybe i was not clear. i do not want to define 80 zones, rather i would
like to define one vpn zone, but i assume if i add 80 interfaces to one
zone then that creates a huge set of rules also, doesn't it?

--
 Levente "Si vis pacem para bellum!"
Eduardo Ferreira
2004-Aug-06  21:36 UTC
Re: how to define a dozens of interface as one zone
Farkas wrote on 06/08/2004 18:09:38:
> Eduardo Ferreira wrote:
> > Farkas wrote on 06/08/2004 17:04:12:
> >
> >> Jack Coates wrote:
> >>
> >>>> hi,
> >>>> so what is the solution in case of shorewall? is it possible to define
> >>>> the vpn zone without listing all the 80 tun interfaces as part of the
> >>>> vpn zone?
> >>>> thank you for your help in advance.
> >>>> yours.
> >>>>
> >>>> --
> >>>>  Levente "Si vis pacem para bellum!"
> >>>>
> >>>
> >>>
> >>> put all the interfaces into one zone.
> >>
> >> that's what i don't really like...
> >>
> >
> > You should note that if you define 80 zones, one for each vpn tunnel, you
> > will end with a HUGE set of rules - I don't know if it would affect
> > performance any way, but...
>
> maybe i was not clear. i do not want to define 80 zones, rather i would
> like to define one vpn zone, but i assume if i add 80 interfaces to one
> zone then that creates a huge set of rules also, doesn't it?
>
> --

You can define a zone as tun+ in your interfaces file (see doc in the
file). Shorewall will create a single rule for INPUT (ppp_in chain for -i
ppp+), FORWARD (ppp_fwd chain for -i ppp+) and OUTPUT chains. Seems good
to me.

hope it helps,
________________________
Eduardo Ferreira
Icatu Holding S.A.
Supervisor de TI
(5521) 3804-8606
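As an added example (not code from this thread or from the Shorewall project), here is what the `tun+` suggestion above looks like written out as a minimal Shorewall configuration, generated by a small POSIX sh script, together with a function that emulates the interface wildcard so you can see exactly which names a `tun+` entry covers. The zone names, interface names and the two /17 networks come from the thread; the three-column zones file layout Shorewall used at the time and the policy entries are assumptions made for illustration. The point for the original question is that a single interfaces line puts tun0 through tun80 into one zone, while eth1 or a tap device does not match; the caveat is that any tun interface created later on the same host will also be treated as `vpn`, so the wildcard is only as safe as your control over who can create tun devices.

```shell
#!/bin/sh
# Added example (not from the thread): one Shorewall "vpn" zone covering every
# tun interface via the "tun+" wildcard, plus a check of what "+" matches.
# Zone/interface names and the /17 networks are from the thread; the policy
# entries and the zones file layout are assumptions for illustration.

# Write a minimal Shorewall configuration (zones, interfaces, policy) into $1.
write_shorewall_config() {
    dir="$1"
    mkdir -p "$dir"

    cat > "$dir/zones" <<'EOF'
#ZONE   DISPLAY   COMMENTS
net     Net       Internet
loc     Local     192.168.0.0/17 behind eth1
vpn     VPN       OpenVPN clients, 192.168.128.0/17
EOF

    # One wildcard line instead of 80 tunN lines. "tun+" also matches any tun
    # interface created later (tun81, tun100, ...), so an unrelated tun device
    # on this host would silently join the vpn zone.
    cat > "$dir/interfaces" <<'EOF'
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect
loc     eth1        detect
vpn     tun+        -
EOF

    # Assumed policy: local net and VPN clients may reach each other; nothing
    # arriving from the VPN is forwarded to the Internet; everything else is
    # dropped or rejected and logged.
    cat > "$dir/policy" <<'EOF'
#SOURCE DEST    POLICY  LOG
loc     vpn     ACCEPT
vpn     loc     ACCEPT
vpn     net     DROP    info
net     all     DROP    info
all     all     REJECT  info
EOF
}

# Emulate Shorewall's interface wildcard: a trailing "+" means "any interface
# whose name starts with the prefix"; without "+" the match is exact.
# Returns 0 (true) when interface $2 matches pattern $1.
iface_matches() {
    pattern="$1"; iface="$2"
    case "$pattern" in
        *+) prefix="${pattern%+}"
            case "$iface" in
                "$prefix"*) return 0 ;;
                *)          return 1 ;;
            esac ;;
        *)  [ "$iface" = "$pattern" ] ;;
    esac
}

# Print how many of the interfaces given after the pattern fall into its zone,
# e.g. count_zone_members tun+ tun0 tun1 tap0  ->  2
count_zone_members() {
    pattern="$1"; shift
    n=0
    for i in "$@"; do
        iface_matches "$pattern" "$i" && n=$((n + 1))
    done
    echo "$n"
}

# Print the number of non-comment lines in file $1 that assign an interface to
# zone $2 (the "how many lines does the vpn zone need" question from the thread).
zone_lines() {
    grep -v '^#' "$1" | awk -v z="$2" '$1 == z' | wc -l | tr -d ' '
}

# Demo: generate the files in a scratch directory and show the vpn zone line,
# then count how many of tun0..tun80 the single wildcard entry covers.
tmp="$(mktemp -d)"
write_shorewall_config "$tmp"
grep '^vpn' "$tmp/interfaces"            # prints: vpn     tun+        -
echo "tun interfaces matched by tun+: $(count_zone_members tun+ $(seq 0 80 | sed 's/^/tun/'))"   # 81
rm -rf "$tmp"
```

The generated `interfaces` file has exactly one `vpn` line, which is the whole answer to the rule-count worry: Shorewall emits its chains per interface entry, not per kernel interface, so 80 tunnels behind `tun+` cost the same as one. If the VPN address range should be enforced as well as the interface, that is what the `hosts` file is for (restricting the zone to 192.168.128.0/17), but that is outside what this example writes.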
> Eduardo Ferreira wrote:
>> Farkas wrote on 06/08/2004 17:04:12:
>>
>>> Jack Coates wrote:
>>>
>>>>> hi,
>>>>> so what is the solution in case of shorewall? is it possible to define
>>>>> the vpn zone without listing all the 80 tun interfaces as part of the
>>>>> vpn zone?
>>>>> thank you for your help in advance.
>>>>> yours.
>>>>>
>>>>> --
>>>>>  Levente "Si vis pacem para bellum!"
>>>>>
>>>>
>>>>
>>>> put all the interfaces into one zone.
>>>
>>> that's what i don't really like...
>>>
>>
>> You should note that if you define 80 zones, one for each vpn tunnel,
>> you
>> will end with a HUGE set of rules - I don't know if it would affect
>> performance any way, but...
>
> maybe i was not clear. i do not want to define 80 zones, rather i would
> like to define one vpn zone, but i assume if i add 80 interfaces to one
> zone then that creates a huge set of rules also, doesn't it?
>

no.

--
Jack At Monkeynoodle.Org: It's A Scientific Venture...
"Believe what you're told; there'd be chaos if everyone thought for
themselves." -- Top Dog hotdog stand, Berkeley, CA