My dear sirs,
I have the following setup:
1 masquerading gateway server with the following interfaces,
1. connected to internet via ppp0,
2. Local network eth0 (192.168.1.1)
3. Local wireless network ra0 (192.168.0.1)
The following are my files,
1. shorewall/zones
net Net Internet
loc Local local network
2. shorewall/interfaces
net ppp0 detect
loc eth0 detect
loc ra0 detect
3. shorewall/policy
loc net ACCEPT
fw net ACCEPT
net all DROP info
all all REJECT info
With the above basic setup masquerading works fine. Now I set up ipsec using
racoon between the server (192.168.0.1) and a client called 192.168.0.3,
and it works OK.
My question is that I want to request shorewall to only accept ipsec
traffic from interface ra0, thus any host who wishes to access my network
via the wireless connection must be able to authenticate via ipsec; all
non-ipsec traffic from ra0 should be dropped.
I would like to have your kind opinion on how to set about doing this.
Here are my shorewall capabilities:
Shorewall has detected the following iptables/netfilter capabilities:
NAT: Available
Packet Mangling: Available
Multi-port Match: Available
Extended Multi-port Match: Available
Connection Tracking Match: Available
Packet Type Match: Available
Policy Match: Not available
Physdev Match: Available
IP range Match: Available
Recent Match: Available
Owner Match: Available
Ipset Match: Not available
CONNMARK Target: Available
Connmark Match: Available
Raw Table: Available
CLASSIFY Target: Available
Grendel
On Saturday 31 December 2005 19:18, Grendel wrote:
> My dear sirs,
>
> I have the following setup:
> 1 masquerading gateway server with the following interfaces,
> 1. connected to internet via ppp0,
> 2. Local network eth0 (192.168.1.1)
> 3. Local wireless network ra0 (192.168.0.1)
>
> My question is that I want to request shorewall to only accept ipsec
> traffic from interface ra0, thus any host who wishes to access my network
> via the wireless connection must be able to authenticate via ipsec; all
> non-ipsec traffic from ra0 should be dropped.

You have not given us either your Shorewall version or your kernel version -- we are helpless to give you advice without that information.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
On Sat, 31 Dec 2005, Tom Eastep wrote:
> You have not given us either your Shorewall version or your kernel version --
> we are helpless to give you advice without that information.

In addition to thanking you for your speedy reply, please do accept my profuse apologies regarding this elementary omission. I am running Gentoo Linux with

Linux version 2.6.14.4 (gcc version 3.4.4 (Gentoo 3.4.4-r1, ssp-3.4.4-1.0, pie-8.7.8)) #1 PREEMPT Wed Dec 21 06:07:30 LKT 2005

shorewall version
3.0.2

I forgot to display my shorewall/masq file:
ppp0 eth0
ppp0 ra0

Grendel
On Saturday 31 December 2005 20:15, Grendel wrote:
> On Sat, 31 Dec 2005, Tom Eastep wrote:
> > You have not given us either your Shorewall version or your kernel
> > version -- we are helpless to give you advice without that information.
>
> In addition to thanking you for your speedy reply, please do accept my
> profuse apologies regarding this elementary omission. I am running Gentoo
> Linux with
>
> Linux version 2.6.14.4 (gcc version 3.4.4
> (Gentoo 3.4.4-r1, ssp-3.4.4-1.0, pie-8.7.8)) #1 PREEMPT Wed Dec 21
> 06:07:30 LKT 2005
>
> shorewall version
> 3.0.2
>
> I forgot to display my shorewall/masq file:
> ppp0 eth0
> ppp0 ra0
>
> Grendel

Ok -- there's an example at http://www.shorewall.net/2.0/myfiles.htm. Access from the Wifi zone (eth0) is restricted to either IPSEC (using the 'sec' zone) or to OpenVPN (using the 'vpn' zone).

-Tom
On Sunday 01 January 2006 07:56, Tom Eastep wrote:
>
> Ok -- there's an example at http://www.shorewall.net/2.0/myfiles.htm.
> Access from the Wifi zone (eth0) is restricted to either IPSEC (using the
> 'sec' zone) or to OpenVPN (using the 'vpn' zone).
>

I should point out that the example uses the /etc/shorewall/ipsec file to define the 'sec' zone. Since you are using 3.0.2, you will probably be defining the zone using /etc/shorewall/zones; syntax is similar.

-Tom
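Below is an added illustration of what the 3.0-style layout Tom describes could look like for this thread's interfaces; it is not Tom's myfiles example and not part of the list archive. The zone names "wifi" and "sec", the 192.168.0.0/24 host range and the choice to leave the ipsec zone's mode unset are assumptions; if racoon is negotiating host-to-host transport mode, add "mode=transport" in the OPTIONS column of the sec zone. One caveat the posted capabilities make visible: Shorewall distinguishes decrypted IPsec packets from cleartext on the same interface with the netfilter policy match, so "Policy Match: Not available" has to become "Available" (ipt_policy in both kernel and iptables) before an ipsec-type zone can do anything.

```conf
# Assumed Shorewall 3.0.x layout (illustration, not the list's example).
# ra0 gets its own 'wifi' zone; 'sec' is an ipsec-type zone layered on the
# same interface. Only 'sec' traffic gets anywhere; plain 'wifi' is dropped.

# /etc/shorewall/zones
# 'sec' is listed before the 'wifi' zone it overlaps. Put mode=transport in
# OPTIONS if the racoon SA between 192.168.0.1 and 192.168.0.3 is transport mode.
#ZONE   TYPE        OPTIONS         IN_OPTIONS      OUT_OPTIONS
fw      firewall
net     ipv4
loc     ipv4
sec     ipsec
wifi    ipv4

# /etc/shorewall/interfaces
#ZONE   INTERFACE   BROADCAST       OPTIONS
net     ppp0        detect
loc     eth0        detect
wifi    ra0         detect

# /etc/shorewall/hosts
# Packets on ra0 that the kernel IPsec stack decrypted (policy match) belong
# to 'sec'; everything else arriving on ra0 stays in 'wifi'.
#ZONE   HOST(S)                 OPTIONS
sec     ra0:192.168.0.0/24

# /etc/shorewall/policy
# Authenticated wireless peers get the access the thread's 'loc' zone had;
# unauthenticated wireless hosts are dropped and logged.
#SOURCE DEST    POLICY          LOG LEVEL
sec     loc     ACCEPT
sec     net     ACCEPT
sec     fw      ACCEPT
loc     net     ACCEPT
fw      net     ACCEPT
wifi    all     DROP            info
net     all     DROP            info
all     all     REJECT          info

# /etc/shorewall/rules
# The only cleartext the wireless side may send to the gateway is what it
# needs to bring the SA up: IKE on UDP 500 plus the ESP and AH protocols.
#ACTION SOURCE  DEST    PROTO   DEST PORT(S)
ACCEPT  wifi    fw      udp     500
ACCEPT  wifi    fw      esp
ACCEPT  wifi    fw      ah

# /etc/shorewall/masq (unchanged from the thread; decrypted ra0 traffic is
# still masqueraded out ppp0)
#INTERFACE      SUBNET
ppp0            eth0
ppp0            ra0
```

After "shorewall check" passes, the effect to confirm is that a wireless host without an SA can reach the gateway only on UDP 500/ESP/AH (everything else shows up as a "wifi" DROP in the log), while the same host becomes a "sec" source the moment racoon has a phase-2 SA in place.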