dassey@gmail.com wrote:
> I have a dedicated openvpn FC4 box with a public IP. I connect to it
> fine and all that, everything works, etc, etc. Have not been hacked
> which surprises me, so I must have done something right.
Or you've been lucky.
> Basically most
> everything works, except for some reason, some ports are blocked when
> on the VPN. For instance I can not connect to IRC servers, 6888, while
> connected on the VPN.
>
It does not follow that because you cannot connect that the "ports are
blocked". Not all connection problems are caused by faulty rulesets.
Do you redirect the VPN clients' default gateway through the Shorewall
firewall while they are connected (OpenVPN 'redirect-gateway')? If not, the
inability to connect to IRC has nothing to do with your firewall at all.
> /etc/shorewall/policy
> $FW net ACCEPT
> road $FW ACCEPT
> road net ACCEPT
> $FW road ACCEPT
> net $FW DROP info
> net all DROP info
>
> /etc/shorewall/rules
> Web/ACCEPT net $FW
> DROP $FW net icmp
Please remove that last rule. There is no valid reason to have it and it
breaks TCP path MTU discovery. ICMP is an essential part of IPv4 and
blocking it unconditionally is just plain wrong.
>
> /usr/share/shorewall/macro.Web
> PARAM - - TCP 1593 # TCP Webmin (plaintext)
> PARAM - - TCP 22 #
> PARAM - - TCP 9999 #
> PARAM - - TCP 421 #
> PARAM - - TCP 422 #
> PARAM - - TCP 446 #
> PARAM - - TCP 443 #
> PARAM - - TCP 65001 #
> PARAM - - TCP 65002 #
> PARAM - - TCP 65003 #
> PARAM - - TCP 65004 #
> PARAM - - TCP 65005 #
> PARAM - - TCP 65006 #
> (I need to change most of the above to accessible via VPN clients
> ONLY, but not sure how)
First, why did you choose to call this "Swiss Army Knife" macro 'Web'? 'Web'
is the name of one of the standard Shorewall macros. Given the wide range of
applications that it controls, it seems like an odd name.
Second, you are invoking the macro in your rules file exactly once:
Web/ACCEPT net $FW
So it can *only* control traffic from the 'net' zone that is addressed to
the firewall itself. If you intended it to control connections from the VPN
clients to the firewall, you probably wanted something like:
Web/ACCEPT road $FW
>
> I want the VPN users to be able to use any port they want to use,
What does that mean? That they should be able to connect to any application
on any host? Including the Shorewall system?
> this may be wrong list to ask it on, but I was thinking since shorewall is
> my firewall, y'all would know. I only need a few ports open that I make
> the VPN use (80, 443 TCP) and then the rest I will close, but I want
> the VPN users to be able to use any port they want to.
I don't understand what you are trying to say.
If you have further questions, it would be a good idea to include the output
of "shorewall dump" collected as described at
http://www.shorewall.net/support.htm#Guidelines.
-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
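A macro and rules layout that follows Tom's two points (rename the catch-all macro, and invoke it from the 'road' zone rather than 'net'), added here as an example and not part of the thread. The macro name 'Admin' and the file placement under /etc/shorewall are assumptions; the port numbers are the ones from the original macro.Web.

```shorewall
# /etc/shorewall/macro.Admin
# Assumed replacement for the poster's macro.Web. The name 'Admin' is an
# assumption: it avoids shadowing the standard Shorewall 'Web' macro, and a
# site-local macro in /etc/shorewall takes precedence over /usr/share/shorewall.
#ACTION  SOURCE  DEST  PROTO  DEST_PORT(S)
PARAM    -       -     tcp    1593          # Webmin (plaintext)
PARAM    -       -     tcp    22            # ssh
PARAM    -       -     tcp    9999
PARAM    -       -     tcp    421,422,446
PARAM    -       -     tcp    65001:65006   # port range 65001-65006

# /etc/shorewall/rules
#ACTION       SOURCE  DEST  PROTO  DEST_PORT(S)
# The public Internet reaches only the standard Web macro (TCP 80 and 443).
Web/ACCEPT    net     $FW
# The administrative ports are reachable from the VPN ('road') zone only.
# With 'road $FW ACCEPT' in policy this rule is redundant, since the policy
# already accepts everything; it becomes necessary if that policy is
# tightened to DROP, and it documents the intent either way.
Admin/ACCEPT  road    $FW
# The former 'DROP $FW net icmp' line is gone: outbound ICMP stays open so
# TCP path MTU discovery keeps working.
```

After editing, 'shorewall check' validates the files and 'shorewall restart' loads them.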