Lito Kusnadi
2009-Jun-25 00:18 UTC
zones and interfaces for OpenVPN roadwarrior and Site2Site on the same box
I am building an openvpn gateway/firewall.

I have 2 zones: vsite and vmobile (for vpn site2site and vpn roadwarrior respectively). And in /etc/shorewall/interfaces, I define:

vsite    tun+
vmobile  tun9

In Openvpn, I have an instance running to serve roadwarrior on tun9. While the other tun interfaces (tun0 - tun8) are for sites, would rules/policy defined for vsite be valid for vmobile?

If that's the case, is there a way to keep the vsite zone (a group of tunnels) and the vmobile zone separate? I like the idea of being able to do:

vsite    tun+,!tun9

(something like this), don't know if it is possible.

Shorewall version: shorewall-4.2.9-1

Regards,
Lito
Tom Eastep
2009-Jun-25 02:03 UTC
Re: zones and interfaces for OpenVPN roadwarrior and Site2Site on the same box
Lito Kusnadi wrote:
> I am building an openvpn gateway/firewall.
> I have 2 zones: vsite and vmobile (for vpn site2site and vpn roadwarrior respectively). And in /etc/shorewall/interfaces, I define:
> vsite    tun+
> vmobile  tun9
>
> In Openvpn, I have an instance running to serve roadwarrior on tun9. While the other tun interfaces (tun0 - tun8) are for sites, would rules/policy defined for vsite be valid for vmobile?
>
> If that's the case, is there a way to keep the vsite zone (a group of tunnels) and the vmobile zone separate? I like the idea of being able to do:
> vsite    tun+,!tun9 (something like this), don't know if it is possible.

Can you elaborate? I'm very unclear about what you are trying to accomplish.

> Shorewall version: shorewall-4.2.9-1

Shorewall-shell or Shorewall-perl?

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
Lito Kusnadi
2009-Jun-25 03:01 UTC
Re: zones and interfaces for OpenVPN roadwarrior and Site2Site on the same box
Hi Tom,

I'm trying to split rules for roadwarrior and site2site vpn tunnels but want to keep the rules/policy minimal.

I want to create rules/policy for vsite separate from vroad (i.e. /etc/shorewall/policy):

vsite   loc     accept
loc     vsite   accept
vroad   loc     accept
loc     vroad   reject

In /etc/shorewall/interfaces, I've got:

vsite   tun+
vroad   tun9

Now, the way I interpret this:
any traffic on any tun interface falls into the vsite zone
any traffic on tun9 falls into the vroad zone
and here's the problem: vroad is a subset of vsite.

I need to make vroad not a subset of vsite, but am keen to use "tun+" in interfaces (for ease of maintenance).

I know one way in my rules is to do:

ACCEPT  loc  vsite:!192.168.99.0/24  tcp  22

(for example, but you see, I have to put !192.168.99.0/24 on all vsite rules - by the way, 192.168.99.0 is the subnet for roadwarrior). It would be nice if I could still do:

ACCEPT  loc  vsite  tcp  22

but still have loc -> vroad on ssh rejected.

Another way I can think of is to split each tunnel for the sites, but this is messy because it increases the permutation of policy and rules I have to create for each site, i.e. /etc/shorewall/interfaces:

vsite0  tun0
vsite1  tun1
vsite2  tun2
vroad   tun9

I hope I described it a bit better. I'm using shorewall-perl.

--- On Thu, 6/25/09, Tom Eastep <teastep@shorewall.net> wrote:
> From: Tom Eastep <teastep@shorewall.net>
> Subject: Re: [Shorewall-users] zones and interfaces for OpenVPN roadwarrior and Site2Site on the same box
> To: "Shorewall Users" <shorewall-users@lists.sourceforge.net>
> Date: Thursday, June 25, 2009, 3:03 AM
> Lito Kusnadi wrote:
> > I am building an openvpn gateway/firewall.
> > I have 2 zones: vsite and vmobile (for vpn site2site and vpn roadwarrior respectively). And in /etc/shorewall/interfaces, I define:
> > vsite    tun+
> > vmobile  tun9
> >
> > In Openvpn, I have an instance running to serve roadwarrior on tun9. While the other tun interfaces (tun0 - tun8) are for sites, would rules/policy defined for vsite be valid for vmobile?
> >
> > If that's the case, is there a way to keep the vsite zone (a group of tunnels) and the vmobile zone separate? I like the idea of being able to do:
> > vsite    tun+,!tun9 (something like this), don't know if it is possible.
>
> Can you elaborate? I'm very unclear about what you are trying to accomplish.
>
> > Shorewall version: shorewall-4.2.9-1
>
> Shorewall-shell or Shorewall-perl?
>
> -Tom
Tom Eastep
2009-Jun-25 13:44 UTC
Re: zones and interfaces for OpenVPN roadwarrior and Site2Site on the same box
Lito Kusnadi wrote:
> Hi Tom,
>
> I'm trying to split rules for roadwarrior and site2site vpn tunnels but want to keep the rules/policy minimal.
>
> I want to create rules/policy for vsite separate from vroad (i.e. /etc/shorewall/policy):
> vsite   loc     accept
> loc     vsite   accept
> vroad   loc     accept
> loc     vroad   reject
>
> In /etc/shorewall/interfaces, I've got:
> vsite   tun+
> vroad   tun9
> Now, the way I interpret this:
> any traffic on any tun interface falls into the vsite zone
> any traffic on tun9 falls into the vroad zone
> and here's the problem: vroad is a subset of vsite.
>
> I need to make vroad not a subset of vsite, but am keen to use "tun+" in interfaces (for ease of maintenance).
>
> I know one way in my rules is to do:
> ACCEPT  loc  vsite:!192.168.99.0/24  tcp  22
> (for example, but you see, I have to put !192.168.99.0/24 on all vsite rules - by the way, 192.168.99.0 is the subnet for roadwarrior). It would be nice if I could still do:
> ACCEPT  loc  vsite  tcp  22
> but still have loc -> vroad on ssh rejected.
>
> Another way I can think of is to split each tunnel for the sites, but this is messy because it increases the permutation of policy and rules I have to create for each site, i.e. /etc/shorewall/interfaces:
> vsite0  tun0
> vsite1  tun1
> vsite2  tun2
> vroad   tun9
>
> I hope I described it a bit better. I'm using shorewall-perl.

a) In /etc/shorewall/zones, be sure that vroad is defined *before* vsite *or* that you make their nested relationship explicit:

fw           firewall
vsite        ipv4
vroad:vsite  ipv4
...

b) In /etc/shorewall/shorewall.conf, set IMPLICIT_CONTINUE=No.

-Tom
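The following is an added worked example, not part of the thread above, that puts Tom's two steps together with the zones, interfaces and policy Lito posted. The loc zone, its interface eth0 and the ssh rule are assumptions for illustration (Lito named loc but not its interface); the rest is taken from the messages above. With vroad declared as a sub-zone of vsite and IMPLICIT_CONTINUE=No, the loc->vroad REJECT policy applies to tun9 traffic instead of falling through to the loc->vsite policy, so the wildcard tun+ can stay in the interfaces file.

```text
# /etc/shorewall/zones
# vsite (the parent) is listed first; vroad is declared as a sub-zone of it.
#ZONE         TYPE
fw            firewall
loc           ipv4            # assumed zone for the LAN
vsite         ipv4
vroad:vsite   ipv4

# /etc/shorewall/interfaces
# tun9 is claimed by the more specific vroad zone; the wildcard tun+ still
# covers tun0 - tun8 for vsite.
#ZONE   INTERFACE   BROADCAST   OPTIONS
loc     eth0        detect      # assumed LAN interface
vroad   tun9        -
vsite   tun+        -

# /etc/shorewall/policy
#SOURCE   DEST    POLICY
vsite     loc     ACCEPT
loc       vsite   ACCEPT
vroad     loc     ACCEPT
loc       vroad   REJECT

# /etc/shorewall/rules
# Applies only to the site tunnels: with IMPLICIT_CONTINUE=No, loc -> tun9
# is decided by the loc -> vroad policy (REJECT) rather than by this rule.
#ACTION   SOURCE   DEST    PROTO   DEST PORT(S)
ACCEPT    loc      vsite   tcp     22    # assumed ssh rule from the thread

# /etc/shorewall/shorewall.conf
IMPLICIT_CONTINUE=No
```

After editing, `shorewall check` reports any ordering error in the zones file before `shorewall restart` applies the change.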