Hello, I am looking for some example configurations of an openvpn bridge running with shorewall. Thus far I am able to create an openvpn connection using the tap0 on client to the server on br0 (eth1=lan + tap0=vpn) but I am unable to ping through. I feel that openvpn is configured properly at this point and feel that the issue is with my shorewall config possibly. Though my shorewall logs are not showing drops, the ifconfig for tap0 shows TX drops after my failed ping attempts.

The openvpn bridged howto specifies the following iptables rules be present:

    iptables -A INPUT -i tap0 -j ACCEPT
    iptables -A INPUT -i br0 -j ACCEPT
    iptables -A FORWARD -i br0 -j ACCEPT

but in shorewall/interfaces br0's zone is labeled as such:

    #ZONE   INTERFACE   BROADCAST   OPTIONS
    -       br0         detect      dhcp
    net     eth0        detect      routefilter,norfc1918,tcpflags

and appropriately shorewall/host is:

    vpn     br0:tap0
    loc     br0:eth1

This being so, how do I tell shorewall to create the above iptables rules?

thanks,
brent
On Sunday 25 September 2005 10:56, Brent Schwartz wrote:

> Hello, I am looking for some example configurations of an openvpn
> bridge running with shorewall. Thus far I am able to create an
> openvpn connection using the tap0 on client to the server on br0
> (eth1=lan + tap0=vpn) but I am unable to ping through. I feel that
> openvpn is configured properly at this point and feel that the issue
> is with my shorewall config possibly. Though my shorewall logs are
> not showing drops the ifconfig for tap0 shows TX drops after my
> failed ping attempts.

TX drops in ifconfig have nothing to do with Shorewall. Also, if Shorewall is not logging any drops or rejects then it is highly unlikely that Shorewall has anything to do with your problem.

> The openvpn bridged howto specifies the following iptables rules be
> present:
>
>     iptables -A INPUT -i tap0 -j ACCEPT
>     iptables -A INPUT -i br0 -j ACCEPT
>     iptables -A FORWARD -i br0 -j ACCEPT
>
> but in shorewall/interfaces br0's zone is labeled as such:
>
>     #ZONE   INTERFACE   BROADCAST   OPTIONS
>     -       br0         detect      dhcp
>     net     eth0        detect      routefilter,norfc1918,tcpflags
>
> and appropriately shorewall/host is:
>
>     vpn     br0:tap0
>     loc     br0:eth1
>
> this being so how do I tell shorewall to create the above iptables
> rules?

First of all, the above iptables rules were suggested by someone who doesn't understand how iptables and netfilter interact. The first rule is completely unnecessary (tap0 doesn't have an IP address and hence will never match using "-i"). With your setup (separate zones for the individual bridge ports), you could achieve the effect of the other two rules with the following policies:

    vpn     fw      ACCEPT
    loc     fw      ACCEPT
    vpn     loc     ACCEPT
    loc     vpn     ACCEPT

-Tom
--
Tom Eastep              \ Nothing is foolproof to a sufficiently talented fool
Shoreline,              \ http://shorewall.net
Washington USA          \ teastep@shorewall.net
PGP Public Key          \ https://lists.shorewall.net/teastep.pgp.key
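To make Tom's point about "-i tap0" concrete, here is an added illustration (not Shorewall's own compiler output, and not from the thread) that takes the hosts and policy entries above and expresses them as the netfilter rules that would actually match bridge-port traffic: the incoming interface is always the bridge, and the port is only selectable through the physdev match. The firewall zone name "fw" is assumed.

```python
# Added illustration, not Shorewall's own compiler output: how the thread's
# hosts and policy entries map onto netfilter rules.  A bridge port such as
# tap0 never matches "-i tap0"; the frame arrives on br0, so use physdev.
FW = "fw"  # assumed name of the firewall zone

# Constructed copies of the hosts and policy entries quoted in the thread.
HOSTS = "vpn br0:tap0\nloc br0:eth1\n"
POLICIES = "vpn fw ACCEPT\nloc fw ACCEPT\nvpn loc ACCEPT\nloc vpn ACCEPT\n"

def _fields(text):
    """Whitespace-split fields of each non-comment, non-blank line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line.split()

def parse_hosts(text):
    """Map zone -> (bridge, port) from 'ZONE BRIDGE:PORT' entries."""
    zones = {}
    for zone, host in _fields(text):
        bridge, port = host.split(":", 1)
        zones[zone] = (bridge, port)
    return zones

def parse_policies(text):
    """Return (source, dest, action) triples from the policy entries."""
    return [tuple(f[:3]) for f in _fields(text)]

def netfilter_rules(zones, policies):
    """Express each policy as the iptables rule that actually matches the port."""
    rules = []
    for src, dst, action in policies:
        if src == FW:
            raise ValueError("fw-as-source policies are outside this example")
        bridge, port = zones[src]
        if dst == FW:
            # To the firewall itself: INPUT on the bridge, port via physdev.
            rules.append(f"iptables -A INPUT -i {bridge} -m physdev "
                         f"--physdev-in {port} -j {action}")
        else:
            # Between two ports: FORWARD, both ports via physdev, not -i/-o.
            obridge, oport = zones[dst]
            rules.append(f"iptables -A FORWARD -i {bridge} -o {obridge} -m physdev "
                         f"--physdev-in {port} --physdev-out {oport} -j {action}")
    return rules

def generate():
    """Rules for the thread's own hosts and policy entries."""
    return netfilter_rules(parse_hosts(HOSTS), parse_policies(POLICIES))
```

Bridged frames only reach these chains at all when the kernel hands bridge traffic to iptables (net.bridge.bridge-nf-call-iptables=1), which is worth checking before blaming either the rules or the VPN.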
On Sunday 25 September 2005 13:09, Tom Eastep wrote:

> On Sunday 25 September 2005 10:56, Brent Schwartz wrote:
>
> > Hello, I am looking for some example configurations of an openvpn
> > bridge running with shorewall. Thus far I am able to create an
> > openvpn connection using the tap0 on client to the server on br0
> > (eth1=lan + tap0=vpn) but I am unable to ping through. I feel that
> > openvpn is configured properly at this point and feel that the issue
> > is with my shorewall config possibly. Though my shorewall logs are
> > not showing drops the ifconfig for tap0 shows TX drops after my
> > failed ping attempts.
>
> TX drops in ifconfig have nothing to do with Shorewall. Also, if Shorewall
> is not logging any drops or rejects then it is highly unlikely that
> Shorewall has anything to do with your problem.

And "shorewall clear" will confirm -- if after "shorewall clear" you still can't pass traffic through the bridge then Shorewall is definitely not the problem.

-Tom
Thanks Tom,

The accept per bridge port rules you described are pretty much how I understood them. I just wanted to make sure I wasn't making the wrong assumption about them. You mention with certainty that the TX drops have nothing to do with shorewall. Would you mind giving me a hint as to what I am possibly doing wrong here? I know it's a little off subject, but thanks for your time anyways.

,Brent

On Sep 25, 2005, at 3:09 PM, Tom Eastep wrote:

> On Sunday 25 September 2005 10:56, Brent Schwartz wrote:
>
>> Hello, I am looking for some example configurations of an openvpn
>> bridge running with shorewall. Thus far I am able to create an
>> openvpn connection using the tap0 on client to the server on br0
>> (eth1=lan + tap0=vpn) but I am unable to ping through. I feel that
>> openvpn is configured properly at this point and feel that the issue
>> is with my shorewall config possibly. Though my shorewall logs are
>> not showing drops the ifconfig for tap0 shows TX drops after my
>> failed ping attempts.
>
> TX drops in ifconfig have nothing to do with Shorewall. Also, if
> Shorewall is not logging any drops or rejects then it is highly
> unlikely that Shorewall has anything to do with your problem.
>
>> The openvpn bridged howto specifies the following iptables rules be
>> present:
>>
>>     iptables -A INPUT -i tap0 -j ACCEPT
>>     iptables -A INPUT -i br0 -j ACCEPT
>>     iptables -A FORWARD -i br0 -j ACCEPT
>>
>> but in shorewall/interfaces br0's zone is labeled as such:
>>
>>     #ZONE   INTERFACE   BROADCAST   OPTIONS
>>     -       br0         detect      dhcp
>>     net     eth0        detect      routefilter,norfc1918,tcpflags
>>
>> and appropriately shorewall/host is:
>>
>>     vpn     br0:tap0
>>     loc     br0:eth1
>>
>> this being so how do I tell shorewall to create the above iptables
>> rules?
>
> First of all, the above iptables rules were suggested by someone
> who doesn't understand how iptables and netfilter interact. The
> first rule is completely unnecessary (tap0 doesn't have an IP
> address and hence will never match using "-i"). With your setup
> (separate zones for the individual bridge ports), you could achieve
> the effect of the other two rules with the following policies:
>
>     vpn     fw      ACCEPT
>     loc     fw      ACCEPT
>     vpn     loc     ACCEPT
>     loc     vpn     ACCEPT
>
> -Tom
On Sunday 25 September 2005 13:27, Brent Schwartz wrote:

> Thanks Tom, The accept per bridge port rules you described are pretty
> much how I understood them. I just wanted to make sure I wasn't
> making the wrong assumption about them. You mention with certainty
> that the TX drops have nothing to do with shorewall. Would you mind
> giving me a hint as to what I am possibly doing wrong here? I know
> it's a little off subject, but thanks for your time anyways. ,Brent

I'm afraid that I have no experience with OpenVPN in bridge mode -- I only use tunnel mode. Hopefully someone else has a clue.

-Tom