On Mon, 2004-12-13 at 11:03 -0800, Tom Eastep wrote:
> On Mon, 2004-12-13 at 10:45 -0800, Tom Eastep wrote:
> > On Mon, 2004-12-13 at 13:43 -0500, M Lu wrote:
> > > Tom, can he specify openvpn twice in the tunnel file, e.g.
> > >
> > > openvpn:udp:5000
> > > openvpn:udp:5001
> > >
> > > I think I had the problems with that so I use generic instead.
> >
> > You should be able to specify multiple openvpn tunnels using different
> > ports.
>
> Note though that the syntax is:
>
> openvpn:5000
> openvpn:5001
>
> Shorewall doesn't know anything about openvpn TCP tunnels; you must use
> generic tunnels for TCP.
>
> Also, both ends must use the same port for both source and destination.
> The 2.2 version of Shorewall relaxes that so that the following are
> equivalent:
>
> openvpn:5001
> generic:udp:5001
>

I should also note that I consider the presence of the tunnels file to be the worst design error in Shorewall. There is nothing done by entries in that file that can't be done using entries in the rules file, and if people had to add rules to accommodate tunnel traffic, maybe they would have a better notion of how to troubleshoot non-working tunnels. I thought seriously about removing the file in Shorewall 2.2 but kept it only because I didn't have the time and energy to rewrite all of the tunnel documentation. I'll again consider making that change in 2.3/2.4.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key

------------------------------------------------------------------------
leaf-user mailing list: leaf-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
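The equivalence Tom describes above, written out as an added example that is not part of the original thread or of Shorewall's own documentation: one tunnels-file entry for a UDP OpenVPN tunnel, and the rules-file entries that would admit the same traffic explicitly, plus the TCP case that the tunnels file of this version cannot express. The gateway address 192.0.2.10 and the zone names net and fw are constructed placeholders (fw assumes the default firewall zone name); the column layouts are those of the Shorewall 2.x tunnels and rules files; and the two-direction, same-source-and-destination-port form follows Tom's note that both ends must use the same port for source and destination, which is an assumption about how closely to mirror the tunnels-file match rather than a statement of what Shorewall generates internally.

```text
# /etc/shorewall/tunnels  (constructed example; 192.0.2.10 is a placeholder)
# One UDP OpenVPN tunnel to a single remote gateway in the "net" zone.
#TYPE           ZONE    GATEWAY         GATEWAY ZONE
openvpn:5000    net     192.0.2.10

# /etc/shorewall/rules  (the same traffic, admitted explicitly)
# One rule per direction, because either end of an OpenVPN tunnel may send
# first.  Restricting SOURCE/DEST to the gateway address keeps the hole to
# the one peer the tunnel actually talks to, exactly as the tunnels entry does.
#ACTION  SOURCE          DEST            PROTO   DEST     SOURCE
#                                                PORT(S)  PORT(S)
ACCEPT   net:192.0.2.10  fw              udp     5000     5000
ACCEPT   fw              net:192.0.2.10  udp     5000     5000

# A TCP OpenVPN instance has no "openvpn:" tunnel type in this Shorewall
# version (Tom's point above).  In the rules file it is simply another
# accept for the connecting side; the reply packets are handled by the
# connection tracking that Shorewall already sets up for every zone pair.
# The local end listens (server) on 5001:
ACCEPT   net:192.0.2.10  fw              tcp     5001
# ... or the local end connects out (client) to 5001 on the gateway:
ACCEPT   fw              net:192.0.2.10  tcp     5001
```

Written this way the allowed traffic is visible in the same file as every other accept, restricted to one peer and one port, and a tunnel that does not come up can be traced like any other rejected connection: the packet either matches one of these lines or it is logged by the zone's policy, with no separate tunnel machinery in between.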
Andrew Niemantsverdriet
2004-Dec-13 23:37 UTC
Re: Re: [leaf-user] Can Multiple openvpn processes run on LEAF?
Hi,

On Mon, 2004-12-13 at 12:15, Tom Eastep wrote:
> I should also note that I consider the presence of the tunnels file to
> be the worst design error in Shorewall. There is nothing done by entries
> in that file that can't be done using entries in the rules file and if
> people had to add rules to accommodate tunnel traffic, maybe they would
> have a better notion of how to troubleshoot non-working tunnels. I
> thought seriously about removing the file in Shorewall 2.2 but kept it
> only because I didn't have the time and energy to rewrite all of the
> tunnel documentation. I'll again consider making that change in 2.3/2.4.
>
> -Tom

Not that I don't love Shorewall as it is, but I agree with you Tom. When I first started using tunnels I thought the tunnel file was some sort of black magic. I could not figure out why I would not just use rules. Troubleshooting would indeed be easier if it was just included in the rules. So in short I think it would be a good idea for future versions of Shorewall.

--
 _
/-\ ndrew
Paul
2004-Dec-13 23:53 UTC
Re: Re: [leaf-user] Can Multiple openvpn processes run on LEAF?
>> I should also note that I consider the presence of the tunnels file to
>> be the worst design error in Shorewall. There is nothing done by entries
>> in that file that can't be done using entries in the rules file and if
>> people had to add rules to accommodate tunnel traffic, maybe they would
>> have a better notion of how to troubleshoot non-working tunnels. I
>> thought seriously about removing the file in Shorewall 2.2 but kept it
>> only because I didn't have the time and energy to rewrite all of the
>> tunnel documentation. I'll again consider making that change in 2.3/2.4.
>>
>> -Tom

I use the tunnels file now .. and it is magic to me, although I'm pretty good at reading docs and would love to know how to implement this in the rules file.

Have you started any docs on doing this in rules?
Tom Eastep
2004-Dec-14 00:50 UTC
Re: Re: [leaf-user] Can Multiple openvpn processes run on LEAF?
On Tue, 2004-12-14 at 12:53 +1300, Paul wrote:
> I use the tunnels file now .. and it is magic to me, although I'm pretty
> good at reading docs and would love to know how to implement this in
> the rules file.
>
> Have you started any docs on doing this in rules?

No.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
Robert K Coffman Jr - Info From Data Corporation
2004-Dec-14 22:07 UTC
RE: Re: [leaf-user] Can Multiple openvpn processes run on LEAF?
I would think this would be as simple as removing the tunnel declarations from the tunnels file, and start watching logs.... If I have time this week I'll give it a shot.

- Bob Coffman

-----Original Message-----
From: shorewall-users-bounces@lists.shorewall.net [mailto:shorewall-users-bounces@lists.shorewall.net] On Behalf Of Tom Eastep
Sent: Monday, December 13, 2004 7:50 PM
To: Shorewall Users
Subject: Re: [Shorewall-users] Re: [leaf-user] Can Multiple openvpn processes run on LEAF?

On Tue, 2004-12-14 at 12:53 +1300, Paul wrote:
> I use the tunnels file now .. and it is magic to me, although I'm pretty
> good at reading docs and would love to know how to implement this in
> the rules file.
>
> Have you started any docs on doing this in rules?

No.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key

_______________________________________________
Shorewall-users mailing list
Post: Shorewall-users@lists.shorewall.net
Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
Support: http://www.shorewall.net/support.htm
FAQ: http://www.shorewall.net/FAQ.htm