On Sun, 2005-01-02 at 19:31 -0500, Brian J. Murrell wrote:
> I am not subscribed to the list, so if you could CC me on replies, it
> would be appreciated.
>
> Hi there. I am running 2.0.8 on a linux 2.6 kernel with ipsec (i.e. no
> ipsec<n> interfaces).
>
> Since ipsec traffic comes in on the same interface as "net" traffic, I
> have been looking at the rules for "eth0_in" on my ipsec
> gateway/firewall. I see that "norfc1918" is before "vpn2fw". Since it
> is common to route rfc1918 addresses over vpn tunnels, would it not make
> more sense to reverse the order of those two rules? That would
> eliminate the need to alter the rfc1918 rules file.
>
> Thots?
Do 2.6 IPSEC right (http://shorewall.net/IPSEC-2.6.html) -- that way,
the problem you are describing goes away because only non-IPSEC traffic
is passed to norfc1918.
-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
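The ordering problem in the question and the effect of classifying decrypted IPsec traffic first, as an added simulation that is not part of this thread or of Shorewall itself. It models the eth0_in chain as a list of rule functions; the "native" variant stands in for a kernel xfrm policy match (iptables `-m policy --dir in --pol ipsec`) deciding the zone before any RFC 1918 check runs. Packet values are constructed.

```python
import ipaddress
from dataclasses import dataclass

# The three RFC 1918 private ranges that a norfc1918-style rule drops.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Packet:
    src: str
    ipsec_decrypted: bool  # True when the kernel decrypted this packet from an IPsec SA


def norfc1918(pkt: Packet):
    """Drop anything with a private source address, regardless of origin."""
    if any(ipaddress.ip_address(pkt.src) in net for net in RFC1918):
        return "DROP(norfc1918)"
    return None


def vpn2fw(pkt: Packet):
    """Hand packets that arrived through the tunnel to the vpn zone chain."""
    return "ACCEPT(vpn2fw)" if pkt.ipsec_decrypted else None


def eth0_in_as_asked(pkt: Packet) -> str:
    """Rule order from the question: norfc1918 is consulted before vpn2fw,
    so a legitimate private address coming out of the tunnel is dropped."""
    for rule in (norfc1918, vpn2fw):
        verdict = rule(pkt)
        if verdict:
            return verdict
    return "net2fw"


def eth0_in_native_ipsec(pkt: Packet) -> str:
    """Native 2.6 IPsec handling: the policy match splits off decrypted
    traffic first, so only non-IPsec packets ever reach norfc1918."""
    if pkt.ipsec_decrypted:
        return vpn2fw(pkt)
    return norfc1918(pkt) or "net2fw"


if __name__ == "__main__":
    # Constructed sample: a remote LAN host over the tunnel, a spoofed private
    # address in the clear, and an ordinary public source.
    for pkt in (Packet("192.168.1.5", True), Packet("10.1.1.1", False), Packet("203.0.113.7", False)):
        print(pkt.src, eth0_in_as_asked(pkt), eth0_in_native_ipsec(pkt))
```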