Michael Weickel - iQom Business Services GmbH
2009-Nov-29 02:20 UTC
WG: WG: Policy make troubles once multiple zones are applied
copy/paste malfunction, sorry. Of course there is NO ipsec option at the end of the hosts row.

-----Original Message-----
From: Michael Weickel - iQom Business Services GmbH [mailto:mw@iqom.de]
Sent: Sunday, 29 November 2009 03:15
To: 'Shorewall Users'
Subject: Re: [Shorewall-users] WG: Policy make troubles once multiple zones are applied

Yes, you are right with this. Thanks for the answer.

I have another question about your http://www.shorewall.net/VPNBasics.html

There you wrote that, at some point, you want to get rid of the tunnel file since rules can cover all of our needs. I tried it and figured out that I was not able to manage it.

As I understood it, the following row in the tunnel file

ipsec net 10.20.30.40

means that remote host 10.20.30.40 is allowed to access fw by udp 500 as well as esp 50 and ah 51 without specifying any additional rule.

I tried it as follows in the tunnel file:

ipsec v3005 0.0.0.0/0

and in hosts:

v3005 vlan3005:0.0.0.0/0 ipsec

but this message appears in the log:

Nov 29 03:05:25 ffmfw01 kernel: [ 3449.115968] Shorewall:INPUT:DROP:IN=vlan3005 OUT= MAC=00:1c:f0:f9:8b:31:00:12:01:c5:14:1a:08:00 SRC=80.186.95.14 DST=217.112.144.33 LEN=372 TOS=0x00 PREC=0x00 TTL=114 ID=107 PROTO=UDP SPT=4076 DPT=500 LEN=352

My interface:

- vlan3005 217.112.144.39 $WAN_OPTS

And my params:

WAN_OPTS=tcpflags,norfc1918,routefilter,nosmurfs,logmartians

If I additionally specify in rules

ACCEPT lv3005 fw udp 500 - 217.112.144.33

everything is fine.

BTW, the link to http://ipsec.math.ucla.edu/services/ipsec-windows.html in http://www.shorewall.net/IPSEC-2.6.html does not work anymore.

-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: Saturday, 21 November 2009 16:59
To: Shorewall Users
Subject: Re: [Shorewall-users] WG: Policy make troubles once multiple zones are applied

Michael Weickel - iQom Business Services GmbH wrote:
> OK - I figured out what it is but maybe someone can give an explanation
> here.
>
> If I use the multiple zones configuration I have to do in addition
>
> Hosts
>
> v3005 vlan3005:0.0.0.0/0
>
> And of course this seems to be very logical since this means all IPs on the
> internet.
>
> But I am still confused a lot why this is the first time I have to do it
> after using Shorewall over years without being forced to say 0.0.0.0/0.
>
> If I use a non-multiple configuration it works perfectly as well without the
> need to configure 0.0.0.0/0 but the broadcast of the subnet, linked to the
> next-hop pointing Shorewall to the public internet.
>
> So from my side there stays nothing against configuring 0.0.0.0/0 in
> multiple zones but I am still interested why the need occurs in my special
> environment.
>
> Any help would be appreciated.

I suspect that in the past you have been specifying a zone name rather than '-' in the ZONE column of /etc/shorewall/interfaces in addition to an entry in /etc/shorewall/hosts. That has the same effect as putting 0.0.0.0/0 in the /etc/shorewall/hosts file.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
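The thread turns on reading a single Shorewall DROP line from the kernel log and recognising that the dropped packet is the IKE negotiation (udp/500) that the tunnel entry was supposed to admit. The following is an added example, not code from the thread or from the Shorewall project: a small parser for the netfilter/Shorewall log format shown above that flags dropped IPsec control or data traffic (IKE on udp/500, NAT-T on udp/4500, ESP, AH) so the operator can spot a missing tunnel/rules entry quickly. The first sample line is the one posted in the thread; the other two are constructed variants, and the field layout (Shorewall:CHAIN:ACTION: followed by KEY=VALUE pairs) is assumed from that posted line.

```python
import re
from typing import Optional

# Sample log lines. The first is the DROP posted in the thread; the ESP and
# TCP lines are constructed here to exercise the other branches.
SAMPLE_LOGS = [
    "Nov 29 03:05:25 ffmfw01 kernel: [ 3449.115968] Shorewall:INPUT:DROP:IN=vlan3005 OUT= "
    "MAC=00:1c:f0:f9:8b:31:00:12:01:c5:14:1a:08:00 SRC=80.186.95.14 DST=217.112.144.33 "
    "LEN=372 TOS=0x00 PREC=0x00 TTL=114 ID=107 PROTO=UDP SPT=4076 DPT=500 LEN=352",
    "Nov 29 03:06:01 ffmfw01 kernel: [ 3485.000001] Shorewall:INPUT:DROP:IN=vlan3005 OUT= "
    "MAC=00:1c:f0:f9:8b:31:00:12:01:c5:14:1a:08:00 SRC=80.186.95.14 DST=217.112.144.33 "
    "LEN=120 TOS=0x00 PREC=0x00 TTL=114 ID=108 PROTO=ESP SPI=0x12345678",
    "Nov 29 03:07:10 ffmfw01 kernel: [ 3554.000002] Shorewall:net2fw:DROP:IN=vlan3005 OUT= "
    "MAC=00:1c:f0:f9:8b:31:00:12:01:c5:14:1a:08:00 SRC=80.186.95.14 DST=217.112.144.33 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=114 ID=109 PROTO=TCP SPT=51000 DPT=22 WINDOW=8192",
]

# "Shorewall:<chain>:<action>:" prefix, then the netfilter KEY=VALUE fields.
_HEADER = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<action>[^:\s]+):(?P<rest>.*)$")
_FIELD = re.compile(r"(\w+)=(\S*)")

# Which protocol/port combinations belong to an IPsec tunnel (assumed mapping).
IPSEC_UDP_PORTS = {
    "500": "IKE (isakmp, udp/500)",
    "4500": "IKE/NAT-T (udp/4500)",
}


def parse_shorewall_log(line: str) -> Optional[dict]:
    """Return chain, action and all KEY=VALUE fields of one log line, or None."""
    m = _HEADER.search(line)
    if not m:
        return None
    rec = {"chain": m.group("chain"), "action": m.group("action")}
    for key, value in _FIELD.findall(m.group("rest")):
        # LEN occurs twice (IP total length, then transport length); keep the first.
        rec.setdefault(key, value)
    return rec


def classify_ipsec(rec: dict) -> Optional[str]:
    """Name the IPsec component a packet belongs to, or None if unrelated."""
    proto = rec.get("PROTO", "").upper()
    if proto in ("ESP", "50"):
        return "ESP (ip proto 50)"
    if proto in ("AH", "51"):
        return "AH (ip proto 51)"
    if proto in ("UDP", "17"):
        return IPSEC_UDP_PORTS.get(rec.get("DPT", ""))
    return None


def find_ipsec_drops(lines):
    """List (interface, src, dst, kind) for every dropped IPsec-related packet."""
    hits = []
    for line in lines:
        rec = parse_shorewall_log(line)
        if rec is None or rec["action"] != "DROP":
            continue
        kind = classify_ipsec(rec)
        if kind:
            hits.append((rec.get("IN", ""), rec.get("SRC", ""), rec.get("DST", ""), kind))
    return hits


if __name__ == "__main__":
    for iface, src, dst, kind in find_ipsec_drops(SAMPLE_LOGS):
        print(f"dropped {kind} on {iface}: {src} -> {dst}")
```

Run against a live log (for example, piping the output of `grep Shorewall: /var/log/messages` into `find_ipsec_drops`), a hit on udp/500 or udp/4500 from a known peer is the signature of the situation in the thread: the tunnel entry or the hosts entry does not cover the peer, so the IKE exchange never reaches the firewall.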