hi all, I have a classic net topology with two local zones and a firewall/router with a DSL connection:

    loc1 (192.168.11.0/24)
                            ----- fw ----- net
    loc2 (192.168.12.0/24)

Now on local zone 1 (on a WinXP machine) I have installed OpenVPN 2.x to make a test connection with a company. OpenVPN is configured as a client to use tun on UDP port 10000 with IP 10.0.0.2; on the other side (the server located at the company) the IP is 10.0.0.1. The connection works very well.

The problem is that I'm not able to filter, or in any way log, traffic passing through the VPN. For testing purposes I made rules on fw to stop all traffic from local to all zones, but the VPN still works, and it also works with shorewall stopped. So this VPN creates a direct connection from one of my internal machines to an external server, completely bypassing my firewall; it seems I can do nothing to control the traffic. From the VPN point of view this is the correct result, but I believed I was able to control packets passing through the firewall.

Before sending my entire shorewall configuration or whatever else, I would like to know if my conclusion is correct or if it's possible to control such traffic. In any case I will remove OpenVPN from the local machine and put it on the firewall/router, but I would like to have some other opinions.

Thanks, and excuse my English, Paolo.
Paolo,

Your diagram doesn't map to your description of what is happening. In order to be completely clear about your problem, it would be helpful if you would send the required information indicated on the Shorewall page.

On Tue, 15 Mar 2005 01:04:41 +0100, Paolo <paolo@paologalati.it> wrote:
> hi all,
>
> I have a classic net topology with two local zones and a firewall/router
> with a DSL connection
>
> loc1 (192.168.11.0/24)
>                         ----- fw ----- net
> loc2 (192.168.12.0/24)
>
> Now on local zone 1 (on a WinXP machine) I have installed
> OpenVPN 2.x to make a test connection with a company.
> OpenVPN is configured as a client to use tun on UDP
> port 10000 with IP 10.0.0.2; on the other side (the server
> located at the company) the IP is 10.0.0.1. The connection
> works very well.
>
> The problem is that I'm not able to filter, or in any way log, traffic
> passing through the VPN. For testing purposes I made rules on fw to stop all
> traffic from local to all zones, but the VPN still works, and it also works
> with shorewall stopped.
> So this VPN creates a direct connection from one of my internal machines
> to an external server, completely bypassing my firewall; it seems I can do nothing
> to control the traffic.
> From the VPN point of view this is the correct result, but I believed
> I was able to control packets passing through the firewall.
>
> Before sending my entire shorewall configuration or whatever else, I would
> like to know if my conclusion is correct or if it's possible to control
> such traffic.
> In any case I will remove OpenVPN from the local machine and put it on the
> firewall/router, but I would like to have some other opinions.
>
> Thanks, and excuse my English, Paolo.
>
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
Paolo wrote:
> hi all,
>
> I have a classic net topology with two local zones and a firewall/router
> with a DSL connection
>
> loc1 (192.168.11.0/24)
>                         ----- fw ----- net
> loc2 (192.168.12.0/24)
>
> Now on local zone 1 (on a WinXP machine) I have installed
> OpenVPN 2.x to make a test connection with a company.
> OpenVPN is configured as a client to use tun on UDP
> port 10000 with IP 10.0.0.2; on the other side (the server
> located at the company) the IP is 10.0.0.1. The connection
> works very well.
>
> The problem is that I'm not able to filter, or in any way log, traffic
> passing through the VPN

Stop and THINK -- if you could do that on your router, ANY ROUTER BETWEEN ANY TWO VPN ENDPOINTS COULD DO THE SAME THING! Maybe that is your definition of "private" -- it's not mine!

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Paolo wrote:
> So this VPN creates a direct connection from one of my internal machines
> to an external server, completely bypassing my firewall; it seems I can do nothing
> to control the traffic.

With ADMINISABSENTMINDED=Yes, once you have allowed the VPN connection to be established, the only things that you can do to stop traffic through that VPN are:

a) Use the 'cutter' utility to sever the VPN connection (or unload the ip_conntrack kernel module).
b) Set BLACKLISTNEWONLY=No in shorewall.conf and blacklist the remote gateway.

With ADMINISABSENTMINDED=No, stopping Shorewall will probably stop VPN traffic, since you normally don't have your external interfaces enabled in your /etc/shorewall/routestopped file.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
First, thanks for the replies. Now I'll try to complete the info; attached there is an image with a clearer net topology. This is my configuration:

shorewall/zones
    net     Net     Internet
    loc     Local   Local Network
    wlan    wlan    Wireless LAN

shorewall/interfaces
    net     ppp0    -       routefilter,norfc1918,tcpflags,nosmurfs
    loc     eth1    detect  dhcp
    wlan    eth2    detect  dhcp

shorewall/policy
    fw      net     ACCEPT
    loc     net     ACCEPT
    wlan    net     ACCEPT
    fw      loc     ACCEPT
    fw      wlan    ACCEPT
    net     all     DROP    info
    all     all     REJECT  info

shorewall/routestopped
    eth1    -

Now to reply to Tom: yes, stopping the firewall with ADMINISABSENTMINDED=No stops the VPN by blocking incoming packets (absolutely no external interface in routestopped), but with the firewall started I'm not able to log or filter the traffic. I put this entry at the top of the rules file:

    #ACTION   SOURCE  DEST  PROTO
    LOG:info  all     all   udp

but when using the VPN nothing appears in the log. Is the rule correct to log traffic on this VPN? Maybe not!!

Thanks for the fast reply, Paolo.

Tom Eastep ha scritto:
> Paolo wrote:
>
>> So this VPN creates a direct connection from one of my internal machines
>> to an external server, completely bypassing my firewall; it seems I can do nothing
>> to control the traffic.
>
> With ADMINISABSENTMINDED=Yes, once you have allowed the VPN connection
> to be established, the only things that you can do to stop traffic
> through that VPN are:
>
> a) Use the 'cutter' utility to sever the VPN connection (or unload the
> ip_conntrack kernel module).
> b) Set BLACKLISTNEWONLY=No in shorewall.conf and blacklist the remote
> gateway.
>
> With ADMINISABSENTMINDED=No, stopping Shorewall will probably stop VPN
> traffic, since you normally don't have your external interfaces enabled
> in your /etc/shorewall/routestopped file.
>
> -Tom

--
Paolo mailto:paolo@paologalati.it
Paolo wrote:
> Now to reply to Tom: yes, stopping the firewall with ADMINISABSENTMINDED=No
> stops the VPN by blocking incoming packets (absolutely no external interface in
> routestopped), but with the firewall started I'm not able to log or filter the
> traffic. I put this entry at the top of the rules file:
>
> #ACTION   SOURCE  DEST  PROTO
> LOG:info  all     all   udp
>
> but when using the VPN nothing appears in the log. Is the rule correct to log traffic
> on this VPN? Maybe not!!

And I'm going to tell you for the last time -- YOU CAN'T LOG TRAFFIC GOING THROUGH THE VPN!

Please read http://shorewall.net/shorewall_logging.html. There you will learn that:

"The disposition of packets entering a Shorewall firewall is determined by one of a number of Shorewall facilities. Only some of these facilities permit logging.

1. The packet is part of an established connection. The packet is accepted and cannot be logged."

So once the VPN connection is established, all VPN traffic is part of that original connection and you can't log it.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
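The disposition order Tom quotes is easier to see in a toy model of the netfilter/Shorewall packet path. This is an added example, not Shorewall's code or anything from the thread; the client and server addresses are constructed, and the model keeps only three steps: established-connection acceptance, the rules chain with Paolo's LOG rule, then the loc->net ACCEPT policy from his policy file. It also models what changes when the tunnel is terminated on the firewall and the decrypted inner flows arrive on a tun0 interface as separate connections.

```python
"""Toy model of Shorewall packet disposition (constructed example, not Shorewall's code).
Established conntrack entries are accepted before the rules chain is consulted, so a
LOG rule at the top of /etc/shorewall/rules only ever sees the first packet of the
OpenVPN UDP flow; every later packet in either direction is ACCEPT(established)."""
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    in_if: str  # interface the packet arrived on

def flow_key(p: Packet) -> tuple:
    # conntrack tracks both directions of a flow under one entry, so normalise the tuple
    return (p.proto,) + tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))

@dataclass
class Firewall:
    conntrack: set = field(default_factory=set)
    log: list = field(default_factory=list)

    def handle(self, p: Packet) -> str:
        key = flow_key(p)
        # 1. Part of an established connection: accepted, never reaches the rules (no log)
        if key in self.conntrack:
            return "ACCEPT(established)"
        # 2. NEW packet: the rules chain runs; Paolo's rule is "LOG:info all all udp"
        if p.proto == "udp":
            self.log.append(f"Shorewall:rules:LOG IN={p.in_if} SRC={p.src} DST={p.dst} DPT={p.dport}")
        # 3. Policy loc->net ACCEPT (from the poster's policy file); a conntrack entry is created
        self.conntrack.add(key)
        return "ACCEPT(policy)"

def vpn_from_lan_host() -> tuple:
    """OpenVPN client on the LAN: only the outer UDP/10000 flow is visible to the firewall."""
    fw = Firewall()
    client, server = "192.168.11.10", "203.0.113.1"  # constructed addresses
    out = Packet(client, server, "udp", 10000, 10000, "eth1")
    back = Packet(server, client, "udp", 10000, 10000, "ppp0")
    return [fw.handle(out), fw.handle(back), fw.handle(out)], fw.log

def vpn_terminated_on_firewall() -> tuple:
    """OpenVPN on the firewall: decrypted inner flows appear on tun0 as distinct connections,
    so each new inner flow traverses the rules chain (and a udp one is logged by Paolo's rule)."""
    fw = Firewall()
    inner_dns = Packet("192.168.11.10", "10.0.0.1", "udp", 40000, 53, "tun0")   # constructed
    inner_web = Packet("192.168.11.10", "10.0.0.1", "tcp", 40001, 80, "tun0")   # constructed
    return [fw.handle(inner_dns), fw.handle(inner_web), fw.handle(inner_dns)], fw.log
```

The second function is the reason for Paolo's plan to move OpenVPN onto the firewall/router: only there can the tun interface be assigned its own zone and its traffic be filtered and logged.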