Hi all, at the office my colleague and I have configured an Ubuntu Server 10.04 with OpenVPN (2.1~rc19-1ubuntu2) in bridged mode and shorewall 4.2.10-1. Here is a schematic representation: http://img155.imageshack.us/img155/8264/netb.jpg

The Ubuntu host is in the LAN; it has several interfaces but only one is working (eth0), and it is not connected directly to the router/modem. The eth0 interface is bridged with the tap0 (virtual) interface in the br0 interface. br0 has the private IP 192.168.100.3. On the router/modem there is a 1-to-1 NAT of a static public IP to the Ubuntu server machine (89.x.y.z -> 192.168.100.3). Currently several road warriors connect to the office LAN and its shares (this is why bridged mode is needed).

I've read the documents on the shorewall web site and now I'm confused about several questions. Some questions:

- From the OpenVPN docs I know that in bridged mode the br0 interface must not be firewalled. So in my case is a firewall useless?

- Anyway, using shorewall, is it correct to put in the interfaces file, for zone/interface/broadcast/options, the only line "lan br0 192.168.100.255 routeback" with no net zone?

My doubt is: if I don't have to firewall the br0 interface, I have to put in the policy file the ACCEPT policy for lan->net and net->lan, and consequently no control at all.

Any advice to clarify these doubts?

Thanks,
Marco
Tom Eastep
2010-Dec-13 14:39 UTC
Re: Private host with public IP, 1 Interface, OpenVPN Bridged
On 12/13/10 3:48 AM, sond wrote:

> - From the OpenVPN docs I know that in bridged mode the br0 interface
> must not be firewalled. So in my case is a firewall useless?

In the scenarios covered by that article, firewalling is not required. If you need to firewall traffic to/from the remote hosts, then see http://www.shorewall.net/bridge-Shorewall-perl.html.

> - Anyway, using shorewall, is it correct to put in the interfaces file for
> zone/interface/broadcast/options the only line "lan br0
> 192.168.100.255 routeback" with no net zone?

That's fine.

> My doubt is: if I don't have to firewall the br0 interface I have to put
> in the policy file the ACCEPT policy for lan->net and net->lan and
> consequently no control at all.

Again, see the URL above.

-Tom
--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
2010/12/13 Tom Eastep <teastep@shorewall.net>:
> On 12/13/10 3:48 AM, sond wrote:
>
> In the scenarios covered by that article, firewalling is not required.
> If you need to firewall traffic to/from the remote hosts, then see
> http://www.shorewall.net/bridge-Shorewall-perl.html.

Thanks Tom for the tip, I've read the link you suggested. Some questions arise from the reading:

1- In my scenario there is no "net:world" (in zones) and "net" (in interfaces) zone because I have only eth0 and no eth1 physical interface. Consequently I don't have

net:world bport
net all DROP
net bport:eth1

in the zones, policy and interfaces configuration files. Right? Is it an error to write net/bport:eth0 even though I have loc/bport:eth0 in the interfaces file?

2- How about PAT? If I want to reach a shared folder inside a LAN host with no VPN connection, is it possible with this firewall configuration to use the DNAT rules in the relative file?

Thanks again,
Marco
Tom Eastep
2010-Dec-13 19:40 UTC
Re: Private host with public IP, 1 Interface, OpenVPN Bridged
On 12/13/10 9:36 AM, sond wrote:
> 2010/12/13 Tom Eastep <teastep@shorewall.net>:
>> On 12/13/10 3:48 AM, sond wrote:
>>
>> In the scenarios covered by that article, firewalling is not required.
>> If you need to firewall traffic to/from the remote hosts, then see
>> http://www.shorewall.net/bridge-Shorewall-perl.html.
>
> Thanks Tom for the tip, I've read the link you suggested.
> Some questions arise from the reading:
>
> 1- In my scenario there is no "net:world" (in zones) and "net" (in
> interfaces) zone because I have only eth0 and no eth1 physical
> interface. Consequently I don't have
>
> net:world bport
> net all DROP
> net bport:eth1
>
> in the zones, policy and interfaces configuration files. Right?
> Is it an error to write net/bport:eth0 even though I have
> loc/bport:eth0 in the interfaces file?

FORGET THE NAMES. You have a two-port bridge; that's exactly what the article has.

> 2- How about PAT? If I want to reach a shared folder inside a LAN host
> with no VPN connection, is it possible with this firewall configuration
> to use the DNAT rules in the relative file?

I'm lost. You have a bridge so everything should be in one IP network and one broadcast domain. Why do you need any form of NAT?

-Tom
2010/12/13 Tom Eastep <teastep@shorewall.net>:
> On 12/13/10 9:36 AM, sond wrote:
>
> FORGET THE NAMES. You have a two-port bridge; that's exactly what the
> article has.

Ok, I'm sorry. My fault, my thoughts were confused. I have portA (link layer interface eth0) and portB (link layer interface tap0). I hope I'm ok with this basic configuration. Can you check it out?

world br0 192.168.100.255 bridge,routeback
net br0:eth0
loc br0:tap0

fw firewall
world ipv4
net:world bport
vpn:world bport

vpn net ACCEPT
net vpn ACCEPT
net world ACCEPT
world net ACCEPT
net all DROP info
all all REJECT info

> I'm lost. You have a bridge so everything should be in one IP network
> and one broadcast domain. Why do you need any form of NAT?

The question about NAT regards a real practical problem. I want to remind you that the office router/modem has a one-to-one NAT from a public static IP (89.x.y.z) to the br0 Ubuntu host IP. (I know that's a potential security hole, but it has to be this way.) Let's suppose I want to reach a shared folder (or a web server, or an FTP server and so on) using 89.x.y.z. How can I permit that? I know I have to forward the right port to the right host and this is why I thought of the DNAT rules. Something like "DNAT net loc:192.168.100.10 tcp www" for a web server. Where am I wrong?

Thanks again and sorry for my past and present (possible) mistakes,
Marco
Tom Eastep
2010-Dec-14 16:32 UTC
Re: Private host with public IP, 1 Interface, OpenVPN Bridged
On 12/13/2010 03:12 PM, sond wrote:
> 2010/12/13 Tom Eastep <teastep@shorewall.net>:
>> On 12/13/10 9:36 AM, sond wrote:
>>
>> FORGET THE NAMES. You have a two-port bridge; that's exactly what the
>> article has.
>
> Ok, I'm sorry. My fault, my thoughts were confused.
> I have portA (link layer interface eth0) and portB (link layer
> interface tap0).
> I hope I'm ok with this basic configuration. Can you check it out?
>
> world br0 192.168.100.255 bridge,routeback
> net br0:eth0
> loc br0:tap0
>
> fw firewall
> world ipv4
> net:world bport
> vpn:world bport
>
> vpn net ACCEPT
> net vpn ACCEPT
> net world ACCEPT
> world net ACCEPT
> net all DROP info
> all all REJECT info

I can't possibly comment about the policies without knowing what type of security you want to enforce.

-Tom
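The bport configuration Marco posted is easy to get structurally wrong before any policy question arises, so here is an added example (written for this page, not code from the thread or from Shorewall) that lints the three files for the consistency rules the bridge article relies on: each bridge port must belong to a bport zone that is a child of the bridge's own zone, the bridge interface needs the "bridge" option, and policy entries match first-wins, so a later entry can be shadowed by an earlier one. It assumes the classic whitespace-separated column layout and uses Marco's posted configuration as its constructed sample.

```python
"""Sanity checks for a Shorewall bridge-port (bport) configuration.

Added example, not part of the thread or of Shorewall itself: it parses the
zones, interfaces and policy files from strings and reports mistakes that are
easy to make when a bridge is split into bport zones, as in the thread."""

# Constructed sample: the configuration Marco posted, split into three files.
ZONES = "fw firewall\nworld ipv4\nnet:world bport\nvpn:world bport\n"
INTERFACES = ("world br0 192.168.100.255 bridge,routeback\n"
              "net br0:eth0\nloc br0:tap0\n")
POLICY = ("vpn net ACCEPT\nnet vpn ACCEPT\nnet world ACCEPT\n"
          "world net ACCEPT\nnet all DROP info\nall all REJECT info\n")

def rows(text):
    """Whitespace-separated columns of every non-empty, non-comment line."""
    return [ln.split() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]

def lint(zones, interfaces, policy):
    """Return a list of human-readable problems; an empty list means clean."""
    problems, parent, ztype = [], {}, {}
    for name, kind, *_ in rows(zones):            # ZONE[:PARENT] TYPE
        zone, _, par = name.partition(":")
        parent[zone], ztype[zone] = (par or None), kind
    iface_rows = rows(interfaces)                 # ZONE IFACE [BROADCAST] [OPTIONS]
    bridge_zone, bridges = {}, set()
    for zone, iface, *rest in iface_rows:         # pass 1: the bridges themselves
        if ":" not in iface:
            bridge_zone[iface] = zone
            if len(rest) > 1 and "bridge" in rest[1].split(","):
                bridges.add(iface)
    for zone, iface, *_ in iface_rows:            # pass 2: bridge ports (br0:eth0)
        if ":" not in iface:
            continue
        bridge, port = iface.split(":", 1)
        if zone not in ztype:
            problems.append(f"zone {zone} on {iface} is not defined in zones")
        elif ztype[zone] != "bport":
            problems.append(f"zone {zone} on port {iface} must be of type bport")
        elif bridge not in bridges:
            problems.append(f"{bridge} carries port {port} but lacks the bridge option")
        elif parent[zone] != bridge_zone[bridge]:
            problems.append(f"bport zone {zone} must be a child of {bridge_zone[bridge]}")
    seen = []                                     # SOURCE DEST POLICY: first match wins
    for src, dst, act, *_ in rows(policy):
        if any(s in (src, "all") and d in (dst, "all") for s, d in seen):
            problems.append(f"policy '{src} {dst} {act}' is shadowed by an earlier entry")
        seen.append((src, dst))
    return problems
```

Run against the posted sample it reports only that the zone "loc" used on br0:tap0 is never declared in zones; the check does not judge whether the policies are what the site actually wants, which is the question Tom leaves open.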