Shorewall users - Feb 2011 - VPN and its affect on policy

Hi,

I have shorewall 4.4.11.1 running successfully on an fc14 box with two
interfaces. Each interface also has a virtual interface (the external
for a web server, and the internal for a mail server on the local
lan). The virtual interfaces came about as part of a consolidation
effort of an old web server on the outside and an old email server on
the inside.

I have a few questions pertaining to how shorewall manages VPNs, and
also how it manages virtual interfaces.

For the VPN (using openswan), for some reason the firewall thinks they
are external packets and are not passed through the VPN tunnel. I''ve
specified the VPN network in the hosts file, and "vpn" is defined as a
zone. Perhaps I''m not somehow binding the vpn interface to the
firewall as a trusted zone? How do I accomplish that?

Regarding virtual interfaces, I''ve used /sbin/ip in the way described
by the FAQ, but how do I convince shorewall it''s a trusted internal
interface on the firewall? Do I always need to reference it as
$FW:192.168.1.2 or is there a way to treat it with the same policy as
the internal $FW interface (192.168.1.1)?

This is the relevant output from "shorewall show ip"

2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
state UP qlen 1000
    inet XX.YYY.193.42/29 brd XX.YYY.193.47 scope global eth0
    inet XX.YYY.193.42/32 scope global eth0:0
    inet XX.YYY.193.44/29 brd XX.YYY.193.47 scope global secondary eth0:0
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
state UP qlen 1000
    inet 192.168.1.1/24 brd 192.168.1.255 scope global eth1
    inet 192.168.1.2/32 scope global eth1:0
    inet 192.168.1.2/24 brd 192.168.1.255 scope global secondary eth1:0

Thanks,
Alex

------------------------------------------------------------------------------
Special Offer-- Download ArcSight Logger for FREE (a $49 USD value)!
Finally, a world-class log management solution at an even better price-free!
Download using promo code Free_Logger_4_Dev2Dev. Offer expires 
February 28th, so secure your free ArcSight Logger TODAY! 
http://p.sf.net/sfu/arcsight-sfd2d

On 2/1/11 8:48 PM, Alex wrote:
> 
> I have a few questions pertaining to how shorewall manages VPNs, and
> also how it manages virtual interfaces.
> 
> For the VPN (using openswan), for some reason the firewall thinks they
> are external packets and are not passed through the VPN tunnel.
I''ve
> specified the VPN network in the hosts file, and "vpn" is defined
as a
> zone. Perhaps I''m not somehow binding the vpn interface to the
> firewall as a trusted zone? How do I accomplish that?
You follow the instructions at http://www.shorewall.net/IPSEC-2.6.html.
If you have connection problems, then please submit a Shorewall dump as
described at
http://www.shorewall.net/support.htm#Guidelines
> 
> Regarding virtual interfaces, I''ve used /sbin/ip in the way
described
> by the FAQ, but how do I convince shorewall it''s a trusted
internal
> interface on the firewall? Do I always need to reference it as
> $FW:192.168.1.2 or is there a way to treat it with the same policy as
> the internal $FW interface (192.168.1.1)?
> 
All IP addresses defined on the firewall are part of the $FW zone and
are governed by that zone''s policies. You can create
''vserver'' sub-zones
of $FW -- see
http://ipv6.shorewall.net/Shorewall_and_Aliased_Interfaces.html#id36135728.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
Special Offer-- Download ArcSight Logger for FREE (a $49 USD value)!
Finally, a world-class log management solution at an even better price-free!
Download using promo code Free_Logger_4_Dev2Dev. Offer expires 
February 28th, so secure your free ArcSight Logger TODAY! 
http://p.sf.net/sfu/arcsight-sfd2d