Hi,

I need some help... I'm a beginner with Shorewall. I have two Shorewall firewalls, each with a link.

FW (a) - w/ OpenVPN

    eth0   = 192.168.150.5/24
    eth1   = 192.168.200.5/24
    eth2   = public IP
    eth3   = 192.168.120.5/24
    tun240 = 10.240.255.1

/etc/shorewall/zones: all zones declared as ipv4

/etc/shorewall/interfaces

    #ZONE  INTERFACE  BROADCAST  OPTIONS
    tlm    eth0       detect     routefilter,tcpflags,dhcp
    adm    eth1       detect     routefilter,tcpflags,dhcp
    net    eth2       detect     norfc1918,tcpflags,routefilter
    sis    eth3       detect     routefilter,tcpflags
    l240   tun240     -

/etc/shorewall/tunnels

    #TYPE         ZONE  GATEWAY      GATEWAY ZONE
    openvpn:3865  net   122.x.y.120
    openvpn:3845  net   222.x.y.93

/etc/shorewall/hosts

    #ZONE     HOST(S)                  OPTIONS
    layer240  tun240:192.168.240.0/24

FW (b) - w/ OpenVPN

    eth0   = 192.168.100.5/24
    eth1   = 192.168.200.6/24   # It's running on the same network as FW(a)
    eth2   = public IP
    tun190 = 10.190.255.1

/etc/shorewall/zones: all zones declared as ipv4

/etc/shorewall/interfaces

    #ZONE  INTERFACE  BROADCAST  OPTIONS
    gar    eth0       detect     routefilter,tcpflags,dhcp
    tlm    eth1       detect     routefilter,tcpflags,dhcp
    net    eth2       detect     norfc1918,tcpflags,routefilter
    nfp    tun190     -

/etc/shorewall/tunnels

    #TYPE         ZONE  GATEWAY      GATEWAY ZONE
    openvpn:3875  net   202.x.y.115

/etc/shorewall/hosts

    #ZONE  HOST(S)                                 OPTIONS
    nfp    tun190:192.168.1.0/24,192.168.168.0/24  # Is this correct? How can I list two networks?

My questions are:

1) In FW(b), /etc/shorewall/hosts, is my configuration correct?

2) How can I make a rule to allow a remote VPN to connect to both firewalls?

3) For all internal networks ('adm', 'sis', 'tlm' and 'gar'), the proxy service is running at FW(a) and the access to the 'nfp' zone/network is running at FW(b).

3a) I need, from FW(a), 'adm' zone, to make a rule to redirect (use), by FW(b), the route and VPN to the 'nfp' zone.

3b) I need, from FW(b), 'tlm' zone, to make a rule to redirect (use), at FW(a), the proxy service.

I'm sorry, but I need your help.
Best Regards,

Anderson Watanabe

------------------------------------------------------------------------------
Open Source Business Conference (OSBC), March 24-25, 2009, San Francisco, CA
-OSBC tackles the biggest issue in open source: Open Sourcing the Enterprise
-Strategies to boost innovation and cut costs with open source participation
-Receive a $600 discount off the registration fee with the source code: SFAD
http://p.sf.net/sfu/XcvMzF8H
On Mon, Mar 09, 2009 at 11:20:56AM +0900, Anderson Watanabe wrote:
> Hi,
>
> I need some help... I'm a beginner with Shorewall.
>
> I have two Shorewall firewalls, each with a link.
>

Did you read this first? http://www.shorewall.net/OPENVPN.html

Then did you read this? http://www.shorewall.net/support.htm

Regards,

-Roberto

--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Mr Sanchez,

Yes! I read those documents and others too. But I still have some doubts, therefore I wrote to the list.

My questions were about knowing whether they are correct or wrong. Is it that, after so long, I don't understand the new concept of Shorewall?

I used Shorewall 8 years ago (version 1.x??), and since that time never used it again. I was in a "spiritual retirium" (in a state of coma), and have just come back to life again, now.

Sorry if my original e-mail offended you or the community, but if I don't ask a question on this list, who will answer me? Who can help me?

Best Regards,

Watanabe
Anderson Watanabe wrote:
> Mr Sanchez,
>
> Yes! I read those documents and others too. But I still have some
> doubts, therefore I wrote to the list.
>
> My questions were about knowing whether they are correct or wrong. Is it that,
> after so long, I don't understand the new concept of Shorewall?

"Correct or wrong" is never easy to determine by simply looking at part of your config files.

> I used Shorewall 8 years ago (version 1.x??), and since that
> time never used it again. I was in a "spiritual retirium" (in a state of
> coma), and have just come back to life again, now. Sorry if my original e-mail
> offended you or the community, but if I don't ask a question on this
> list, who will answer me? Who can help me?

We can help you but we have to have full and correct information. Here are your questions:

> 1) In FW(b), /etc/shorewall/hosts, is my configuration correct?

See above.

> 2) How can I make a rule to allow a remote VPN to connect to both
> firewalls?

The OpenVPN document that Roberto refers you to gives that information. Without knowing what you've configured, we can't answer that other than by saying "Read the manual".

> 3) For all internal networks ('adm', 'sis', 'tlm' and 'gar'), the
> proxy service is running at FW(a) and the access to the 'nfp'
> zone/network is running at FW(b).
>
> 3a) I need, from FW(a), 'adm' zone, to make a rule to redirect (use), by
> FW(b), the route and VPN to the 'nfp' zone.
>
> 3b) I need, from FW(b), 'tlm' zone, to make a rule to redirect (use), at
> FW(a), the proxy service.

Without knowing what you have already put in place, 3a is not answerable. And what is "proxy service"? Squid? SOCKS? Internet Proxy Server for anonymous access? ??? And is traffic to be transparently redirected to this service? If so, what traffic? You use the word 'redirect' so I can *guess* that you simply want to forward some traffic -- if so, that is a simple DNAT rule; see Shorewall FAQ 1.
If you post again, we need a description such as "host 192.168.4.5 in FW a's n

The second URL that Roberto gave you describes what we need from you to solve your problem. Note that it explicitly asks that you *not* send us your configuration files unless specifically asked to do so. It also asks for the output of "shorewall dump" collected in a specific way and with accompanying details.

Again, we are here to help but we are not mind readers -- we can't answer questions when we don't have enough information to even understand those questions.

-Tom

--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
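As an added illustration of the DNAT rule form Tom points to (Shorewall FAQ 1), not part of the thread or of Shorewall's own documentation: a /etc/shorewall/rules fragment for FW(b) that uses the zone names from Anderson's interfaces file. The web host 192.168.100.10 in 'gar' and the proxy port 3128 are assumed values; the proxy address 192.168.200.5 is FW(a)'s eth1 from the thread.

```text
# /etc/shorewall/rules on FW(b)  -- added example, assumed values marked below
#ACTION   SOURCE   DEST                        PROTO   DEST PORT(S)
# FAQ 1 pattern: forward TCP/80 arriving from the 'net' zone to an
# internal web server in 'gar' (192.168.100.10 is an assumed address)
DNAT      net      gar:192.168.100.10          tcp     80
# Forward web traffic from 'tlm' clients to the proxy on FW(a)
# (192.168.200.5 from the thread; port 3128 is an assumed Squid port)
DNAT      tlm      tlm:192.168.200.5:3128      tcp     80
```

Only traffic that actually transits FW(b) is affected by the second rule; because the proxy and the 'tlm' clients share 192.168.200.0/24, replies from the proxy would go straight back to the client rather than through FW(b), which is the same-subnet case the Shorewall FAQ covers separately and which needs SNAT in addition to DNAT.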