I have been reviewing the threads discussing VPN (specifically OpenVPN w/routing) and have read the on-line docs. Although I believe I have the VPN working, and working with Shorewall, I am certain I do not understand everything which I configured.

I am running Shorewall 2.4.3.

Adding zone and new interface (tun+) is self-explanatory and makes sense.

To the tunnels file I added:

openvpn:1194 inet

Does this allow the UDP connection from VPN client to VPN server? If so could you just do this in a rule? What is special about the tunnels file?

I also added a rule for:

from vpn zone to defined-zone using TCP on desired port. In my case allowing SSH access from the VPN connection.

If VPN connection is made and rule is in place, what is the purpose of the tunnels file?

Functionally everything appears to work. I am just wondering if I am missing something and I have left behind a security gap.
Scott Ruckh
2005-Nov-18 01:35 UTC
OpenVPN (revisited) -- Help understanding tunnels (Post 2)
As my subject line was deleted, and most likely ignored, I thought I would post this message one more time...

Sorry for the wasted bandwidth and repetition.

> I have been reviewing the threads discussing VPN (specifically OpenVPN
> w/routing) and have read the on-line docs. Although I believe I have the
> VPN working, and working with Shorewall, I am certain I do not understand
> everything which I configured.
>
> I am running Shorewall 2.4.3.
>
> Adding zone and new interface (tun+) is self-explanatory and makes sense.
>
> To the tunnels file I added:
>
> openvpn:1194 inet
>
> Does this allow the UDP connection from VPN client to VPN server? If so
> could you just do this in a rule? What is special about the tunnels file?
>
> I also added a rule for:
>
> from vpn zone to defined-zone using TCP on desired port. In my case
> allowing SSH access from the VPN connection.
>
> If VPN connection is made and rule is in place, what is the purpose of
> the tunnels file?
>
> Functionally everything appears to work. I am just wondering if I am
> missing something and I have left behind a security gap.
Tom Eastep
2005-Nov-18 01:40 UTC
Re: OpenVPN (revisited) -- Help understanding tunnels (Post 2)
On Thursday 17 November 2005 17:35, Scott Ruckh wrote:

> As my subject line was deleted, and most likely ignored, I thought I would
> post this message one more time...
>
> Sorry for the wasted bandwidth and repetition.
>
> > I have been reviewing the threads discussing VPN (specifically OpenVPN
> > w/routing) and have read the on-line docs. Although I believe I have the
> > VPN working, and working with Shorewall, I am certain I do not understand
> > everything which I configured.
> >
> > I am running Shorewall 2.4.3.
> >
> > Adding zone and new interface (tun+) is self-explanatory and makes sense.
> >
> > To the tunnels file I added:
> >
> > openvpn:1194 inet
> >
> > Does this allow the UDP connection from VPN client to VPN server? If so
> > could you just do this in a rule? What is special about the tunnels
> > file?

Please read http://www.shorewall.net/2.0/VPNBasics.html.

> > I also added a rule for:
> >
> > from vpn zone to defined-zone using TCP on desired port. In my case
> > allowing SSH access from the VPN connection.
> >
> > If VPN connection is made and rule is in place, what is the purpose of
> > the tunnels file?

Again, please read the documentation. FYI, you get to the above-referenced article from the Documentation index by looking under VPN.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep
2005-Nov-18 01:49 UTC
Re: OpenVPN (revisited) -- Help understanding tunnels (Post 2)
> > > To the tunnels file I added:
> > >
> > > openvpn:1194 inet
> > >
> > > Does this allow the UDP connection from VPN client to VPN server? If
> > > so could you just do this in a rule? What is special about the tunnels
> > > file?
>
> Please read http://www.shorewall.net/2.0/VPNBasics.html.
>

Another source of information on this subject is my LinuxFest NW presentation from last year:

http://www.shorewall.net/LinuxFest.pdf - slides 43 - 49.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Scott Ruckh
2005-Nov-18 02:31 UTC
Re: OpenVPN (revisited) -- Help understanding tunnels (Post 2)
Thanks. I guess I am thick in the head. I had read the documentation and the comments in the tunnels file. I am confusing myself.

I don't understand remote gateway. Is this the remote addresses/networks where clients would come from (source address network)? If clients could come from "any" then it should be set to 0.0.0.0/0?

Ok, at least I know this can all be done in rules, but now that I see that one entry in a tunnel file could potentially be replaced by many lines in a rules file, why is the goal (long-term) to remove the tunnels file?

I will also take a look at the pdf file.

Thank You.

--
This is what you said Tom Eastep

>> > > To the tunnels file I added:
>> > >
>> > > openvpn:1194 inet
>> > >
>> > > Does this allow the UDP connection from VPN client to VPN server? If
>> > > so could you just do this in a rule? What is special about the tunnels
>> > > file?
>>
>> Please read http://www.shorewall.net/2.0/VPNBasics.html.
>>
>
> Another source of information on this subject is my LinuxFest NW
> presentation from last year:
>
> http://www.shorewall.net/LinuxFest.pdf - slides 43 - 49.
>
> -Tom
> --
> Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
> Shoreline,     \ http://shorewall.net
> Washington USA  \ teastep@shorewall.net
> PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
>
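Added example, not part of the thread and not Shorewall's own code: a small translator that expands a tunnels-file entry such as the poster's `openvpn:1194 inet` into the rules-file lines it is equivalent to, which is the point the VPNBasics document makes. It models Shorewall's documented behaviour for an `openvpn` tunnel (accept the tunnel port in both directions between the firewall and the gateway hosts in the named zone, default UDP 1194, default gateway 0.0.0.0/0 meaning "any host in the zone"). The one-directional `openvpnserver` / `openvpnclient` types and the `zone:address` qualification of the peer are included on the assumption that the Shorewall release in use supports them; check the comments in your own tunnels file. The helper names, the `is_open_to_world` check and the sample entries are all constructed for illustration.

```python
"""Expand a Shorewall tunnels entry into equivalent rules-file lines.

Illustration only (not Shorewall code). Models the documented expansion:
  openvpn        -> ACCEPT zone[:gw] $FW proto port  and  ACCEPT $FW zone[:gw] proto port
  openvpnserver  -> inbound rule only   (assumed available in your release)
  openvpnclient  -> outbound rule only  (assumed available in your release)
"""
from dataclasses import dataclass
from typing import List

DEFAULT_GATEWAY = "0.0.0.0/0"  # Shorewall's default when the GATEWAY column is omitted
DEFAULT_PROTO, DEFAULT_PORT = "udp", 1194


@dataclass(frozen=True)
class TunnelEntry:
    kind: str      # openvpn | openvpnserver | openvpnclient
    proto: str     # udp | tcp
    port: int
    zone: str      # zone the remote gateway lives in (e.g. inet, net)
    gateway: str   # remote gateway address/network, or DEFAULT_GATEWAY


def parse_tunnel(line: str) -> TunnelEntry:
    """Parse 'TYPE[:{tcp|udp}][:port]  ZONE  [GATEWAY]' (comments after '#' ignored)."""
    fields = line.split("#", 1)[0].split()
    if len(fields) < 2:
        raise ValueError(f"need at least TYPE and ZONE: {line!r}")
    type_field, zone = fields[0], fields[1]
    gateway = fields[2] if len(fields) > 2 and fields[2] != "-" else DEFAULT_GATEWAY

    parts = type_field.split(":")
    kind = parts[0].lower()
    if kind not in ("openvpn", "openvpnserver", "openvpnclient"):
        raise ValueError(f"unsupported tunnel type {kind!r}")

    proto, port = DEFAULT_PROTO, DEFAULT_PORT
    for qualifier in parts[1:]:
        if qualifier.lower() in ("tcp", "udp"):
            proto = qualifier.lower()
        elif qualifier.isdigit():
            port = int(qualifier)
        else:
            raise ValueError(f"bad qualifier {qualifier!r} in {type_field!r}")
    return TunnelEntry(kind, proto, port, zone, gateway)


def equivalent_rules(entry: TunnelEntry) -> List[str]:
    """Rules-file lines (ACTION SOURCE DEST PROTO DEST_PORT) giving the same ACCEPTs."""
    # A specific gateway narrows the peer from the whole zone to zone:address.
    peer = entry.zone if entry.gateway == DEFAULT_GATEWAY else f"{entry.zone}:{entry.gateway}"
    inbound = f"ACCEPT\t{peer}\t$FW\t{entry.proto}\t{entry.port}"    # VPN peer -> firewall
    outbound = f"ACCEPT\t$FW\t{peer}\t{entry.proto}\t{entry.port}"   # firewall -> VPN peer
    if entry.kind == "openvpnserver":
        return [inbound]
    if entry.kind == "openvpnclient":
        return [outbound]
    return [inbound, outbound]


def is_open_to_world(entry: TunnelEntry) -> bool:
    """True when any host in the zone may hit the tunnel port (gateway left at 0.0.0.0/0)."""
    return entry.gateway == DEFAULT_GATEWAY and entry.kind != "openvpnclient"


if __name__ == "__main__":
    # Constructed sample entries: the poster's line, and a locked-down server variant.
    for line in ("openvpn:1194 inet", "openvpnserver:tcp:443 net 203.0.113.5"):
        entry = parse_tunnel(line)
        print(f"# {line}  (exposed to whole zone: {is_open_to_world(entry)})")
        print("\n".join(equivalent_rules(entry)))
```

Run as-is to see that `openvpn:1194 inet` is the same as two ACCEPT rules for UDP 1194 (inet to $FW and $FW to inet), which is why the same thing can be written in the rules file. The gateway column is what keeps the listening port from being reachable from the whole zone: with 0.0.0.0/0 any internet host can send UDP to 1194 and only OpenVPN's own TLS authentication stands between them and the tunnel, so for a server with roaming clients that is the expected state, and `is_open_to_world` simply makes the choice visible.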
Tom Eastep
2005-Nov-18 02:55 UTC
Re: OpenVPN (revisited) -- Help understanding tunnels (Post 2)
On Thursday 17 November 2005 18:31, Scott Ruckh wrote:

> I will also take a look at the pdf file.
>

Please do -- then if you still have questions, I'll try to answer them.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key