tony.blue.mailinglist@gmx.de
2012-Dec-29 23:40 UTC
How could I open Port 1701 for VPN l2tp/ipsec
Hello mailing list,

please excuse my bad English, I am not a native speaker.

My network looks like this:

Internet --- dyn. IP --- Firewall (shorewall) --- LAN (192.168.X.X)

Now I try to connect my iPhone (from mobile Internet 3G) over VPN (l2tp/ipsec) with the firewall. But I can't open the necessary port 1701.

/var/log/syslog
...
Dec 30 00:24:29 router kernel: [226128.293757] Shorewall:INPUT:REJECT:IN=ppp0 OUT= MAC=45:00:00:88:ae:d0:00:00:2d:11:bd:e5:50:bb:60:4f:54:39:1b:64:0a:98 SRC=80.187.96.79 DST=84.57.27.100 LEN=95 TOS=0x00 PREC=0x00 TTL=45 ID=44752 PROTO=UDP SPT=62933 DPT=1701 LEN=75
Dec 30 00:24:30 router kernel: [226129.093450] Shorewall:INPUT:REJECT:IN=ppp0 OUT= MAC=45:00:00:88:92:d2:00:00:2d:11:d9:e3:50:bb:60:4f:54:39:1b:64:0a:98 SRC=80.187.96.79 DST=84.57.27.100 LEN=95 TOS=0x00 PREC=0x00 TTL=45 ID=37586 PROTO=UDP SPT=62933 DPT=1701 LEN=75
...

How could I open port 1701 for VPN l2tp/ipsec? Thank you!

Like the description in http://www.shorewall.net/IPSEC-2.6.html I tried to configure:

/etc/shorewall/zones
fw      firewall
net     ipv4
loc     ipv4
vmn     ipv4        <--- subnet for virtual machines
dmz     ipv4
ovpn    ipv4        <--- subnet for open-vpn (but iPhone doesn't run with open-vpn)
wlan    ipv4
vpn1    ipv4        <--- old VPN over pptp - but unsure -> in future should be l2tp/ipsec
vpn2    ipsec       <--- new entry
l2tp    ipv4        <--- new entry
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

/etc/shorewall/interfaces
net     ppp0    detect    tcpflags,dhcp,routefilter,norfc1918,nosmurfs,logmartians
loc     eth0    detect    tcpflags,detectnets,nosmurfs
dmz     eth2    detect    tcpflags,detectnets,nosmurfs
ovpn    tun0    detect    tcpflags,detectnets,nosmurfs
wlan    eth3    detect    tcpflags,dhcp,detectnets,nosmurfs
vpn1    ppp1    detect    tcpflags,detectnets,nosmurfs
vmn     eth4    detect    tcpflags,detectnets,nosmurfs
l2tp    ppp2    -

/etc/shorewall/policy
...
# Policies for l2tp
#
l2tp    net     ACCEPT    info
l2tp    loc     ACCEPT    info
l2tp    vmn     ACCEPT    info
l2tp    wlan    ACCEPT    info
l2tp    dmz     REJECT    info
l2tp    $FW     REJECT    info
l2tp    all     REJECT    info
loc     l2tp    ACCEPT    info

/etc/shorewall/rules
...
# Prevent IPSEC bypass by hosts behind a NAT gateway
L2TP(REJECT)    net     $FW
#REJECT         $FW     net     udp     -       1701
# l2tp over the IPsec VPN
ACCEPT          vpn2    $FW     udp     1701
# webserver that can only be accessed internally
HTTP(ACCEPT)    loc     $FW
HTTP(ACCEPT)    l2tp    $FW
HTTPS(ACCEPT)   loc     $FW
HTTPS(ACCEPT)   l2tp    $FW
ACCEPT          net     l2tp    udp     1701
ACCEPT          l2tp    net     udp     1701
ACCEPT          l2tp    $FW     udp     1701
ACCEPT          $FW     l2tp    udp     1701
ACCEPT          net     vpn2    udp     1701
ACCEPT          vpn2    net     udp     1701
ACCEPT          vpn2    $FW     udp     1701
ACCEPT          $FW     vpn2    udp     1701

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
Roberto C. Sánchez
2012-Dec-30 00:48 UTC
Re: How could I open Port 1701 for VPN l2tp/ipsec
On Sun, Dec 30, 2012 at 12:40:52AM +0100, tony.blue.mailinglist@gmx.de wrote:
>
> Hello mailing list,
>
> please excuse my bad English, I am not a native speaker.
>
> My network looks like this:
>
> Internet --- dyn. IP --- Firewall (shorewall) --- LAN (192.168.X.X)
>
> Now I try to connect my iPhone (from mobile Internet 3G) over VPN
> (l2tp/ipsec) with the firewall.
>
> But I can't open the necessary port 1701.
>
What do you have in your /etc/shorewall/tunnels file?

Regards,

-Roberto

--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
tony.blue.mailinglist@gmx.de
2012-Dec-30 09:56 UTC
Re: How could I open Port 1701 for VPN l2tp/ipsec
On 30.12.2012 01:48, Roberto C. Sánchez wrote:
> What do you have in your /etc/shorewall/tunnels file?
>
> Regards,
>
> -Roberto

Hello Roberto,

thank you for your message. You are right, at first I forgot an entry in the tunnels file. Now I have added an entry. Unfortunately, I now get rejections again.

/etc/shorewall/tunnels
#                                                 ZONE
openvpnserver:1194    net     0.0.0.0/0
pptpserver            vpn1    0.0.0.0/0
pptpserver            net     0.0.0.0/0
ipsec                 net     0.0.0.0/0         vpn2     <--- added line
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

/var/log/syslog
Dec 30 10:50:44 router kernel: [263702.821796] Shorewall:INPUT:REJECT:IN=ppp0 OUT= MAC=45:00:00:88:9e:19:00:00:2d:11:c7:a3:50:bb:67:48:54:39:1b:64:5c:a4 SRC=80.187.103.72 DST=84.57.27.100 LEN=95 TOS=0x00 PREC=0x00 TTL=45 ID=40473 PROTO=UDP SPT=61751 DPT=1701 LEN=75
Dec 30 10:50:46 router kernel: [263704.830262] Shorewall:INPUT:REJECT:IN=ppp0 OUT= MAC=45:00:00:88:b9:60:00:00:2d:11:ac:5c:50:bb:67:48:54:39:1b:64:5c:a4 SRC=80.187.103.72 DST=84.57.27.100 LEN=95 TOS=0x00 PREC=0x00 TTL=45 ID=47456 PROTO=UDP SPT=61751 DPT=1701 LEN=75
Dec 30 10:50:50 router kernel: [263708.851385] Shorewall:INPUT:REJECT:IN=ppp0 OUT= MAC=45:00:00:88:18:5c:00:00:2d:11:4d:61:50:bb:67:48:54:39:1b:64:5c:a4 SRC=80.187.103.72 DST=84.57.27.100 LEN=95 TOS=0x00 PREC=0x00 TTL=45 ID=6236 PROTO=UDP SPT=61751 DPT=1701 LEN=75
Dec 30 10:50:54 router kernel: [263712.870372] Shorewall:INPUT:REJECT:IN=ppp0 OUT= MAC=45:00:00:88:bf:77:00:00:2d:11:a6:45:50:bb:67:48:54:39:1b:64:5c:a4 SRC=80.187.103.72 DST=84.57.27.100 LEN=95 TOS=0x00 PREC=0x00 TTL=45 ID=49015 PROTO=UDP SPT=61751 DPT=1701 LEN=75
Dec 30 10:50:58 router kernel: [263716.892744] Shorewall:INPUT:REJECT:IN=ppp0 OUT= MAC=45:00:00:88:19:48:00:00:2d:11:4c:75:50:bb:67:48:54:39:1b:64:5c:a4 SRC=80.187.103.72 DST=84.57.27.100 LEN=95 TOS=0x00 PREC=0x00 TTL=45 ID=6472 PROTO=UDP SPT=61751 DPT=1701 LEN=75
Dec 30 10:51:02 router kernel: [263720.881264] Shorewall:INPUT:REJECT:IN=ppp0 OUT= MAC=45:00:00:88:d1:ae:00:00:2d:11:94:0e:50:bb:67:48:54:39:1b:64:5c:a4 SRC=80.187.103.72 DST=84.57.27.100 LEN=95 TOS=0x00 PREC=0x00 TTL=45 ID=53678 PROTO=UDP SPT=61751 DPT=1701 LEN=75
tony.blue.mailinglist@gmx.de
2012-Dec-31 18:37 UTC
Re: How could I open Port 1701 for VPN l2tp/ipsec
Hello mailing list,

I'm stumped. For three days I have tried unsuccessfully to get started with L2TP/IPSEC with shorewall.

I configured shorewall like the instructions in http://www.shorewall.net/IPSEC-2.6.html but it does not run.

I always get in /var/log/syslog:
...
Dec 31 19:08:31 router kernel: [81080.616087] Shorewall:INPUT:REJECT:IN=ppp0 OUT= MAC=45:00:00:88:3e:3e:00:00:2d:11:20:cd:50:bb:67:59:54:39:22:05:1b:2e SRC=80.187.103.89 DST=84.57.34.5 LEN=95 TOS=0x00 PREC=0x00 TTL=45 ID=15934 PROTO=UDP SPT=62781 DPT=1701 LEN=75
...

Only if I change the last line of /etc/shorewall/policy for a short time to:
...
all all ACCEPT info
...
does the L2TP/IPSEC tunnel run.

I would be very happy if someone had an idea how I could get it running.

Thank you!

Tony

I made an easier configuration:

----> /etc/shorewall/tunnels
###############################################################################
#TYPE                  ZONE    GATEWAY        GATEWAY
#                                             ZONE
openvpnserver:1194     net     0.0.0.0/0
ipsec                  net     0.0.0.0/0      vpn1
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

----> /etc/shorewall/zones
###############################################################################
#ZONE   TYPE        OPTIONS         IN                      OUT
#                                   OPTIONS                 OPTIONS
fw      firewall
net     ipv4
loc     ipv4
vmn     ipv4        <--- subnet for virtual machines
dmz     ipv4
ovpn    ipv4        <--- openvpn for win-clients - but iPhone doesn't run with openvpn
wlan    ipv4
vpn1    ipsec       <--- ipsec
l2tp    ipv4
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

----> /etc/shorewall/hosts
#ZONE   HOSTS               OPTIONS
vpn1    eth0:0.0.0.0/0
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

----> /etc/shorewall/masq
##############################################################################
#INTERFACE   SUBNET   ADDRESS   PROTO   PORT(S)   IPSEC
ppp0         eth0
ppp0         eth2
ppp0         eth3
ppp0         eth4
ppp0         tun0
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

----> /etc/shorewall/interfaces
###############################################################################
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     ppp0        detect      tcpflags,dhcp,routefilter,norfc1918,nosmurfs,logmartians
loc     eth0        detect      tcpflags,detectnets,nosmurfs
dmz     eth2        detect      tcpflags,detectnets,nosmurfs
ovpn    tun0        detect      tcpflags,detectnets,nosmurfs
wlan    eth3        detect      tcpflags,detectnets,nosmurfs
l2tp    ppp1        detect      tcpflags,detectnets,nosmurfs
vmn     eth4        detect      tcpflags,detectnets,nosmurfs
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

----> /etc/shorewall/policy
###############################################################################
#SOURCE   DEST    POLICY    LOG      LIMIT:BURST
#                           LEVEL
#
# Policies for traffic originating from the local LAN (loc)
loc       net     ACCEPT    info
loc       vmn     ACCEPT    info
loc       ovpn    ACCEPT    info
loc       dmz     REJECT    info
loc       $FW     REJECT    info
loc       wlan    ACCEPT    info
loc       l2tp    ACCEPT    info
loc       all     REJECT    info
#
# Policies for traffic originating from the virtual network of the virtual machines LAN (vmn)
vmn       net     ACCEPT    info
vmn       loc     ACCEPT    info
vmn       ovpn    ACCEPT    info
vmn       dmz     REJECT    info
vmn       $FW     REJECT    info
vmn       wlan    ACCEPT    info
vmn       all     REJECT    info
#
# Policies for traffic originating from the firewall ($FW)
$FW       net     ACCEPT    info
$FW       dmz     ACCEPT    info
$FW       loc     ACCEPT    info
$FW       vmn     ACCEPT    info
$FW       wlan    ACCEPT    info
$FW       all     ACCEPT    info
#
# Policies for traffic originating from the De-Militarized Zone (dmz)
dmz       net     ACCEPT    info
dmz       $FW     REJECT    info
dmz       loc     REJECT    info
dmz       vmn     REJECT    info
dmz       wlan    REJECT    info
dmz       all     REJECT    info
#
# Policies for traffic originating from the Internet zone (net)
net       dmz     DROP      info
net       $FW     ACCEPT    info
net       loc     DROP      info
net       vmn     DROP      info
net       wlan    DROP      info
net       all     DROP      info
#
# Policies for OpenVPN
ovpn      net     ACCEPT    info
ovpn      loc     ACCEPT    info
ovpn      vmn     ACCEPT    info
ovpn      wlan    ACCEPT    info
ovpn      dmz     REJECT    info
ovpn      $FW     REJECT    info
ovpn      all     REJECT    info
#
# Policies for wlan
wlan      net     ACCEPT    info
wlan      loc     REJECT    info
wlan      vmn     REJECT    info
wlan      dmz     REJECT    info
wlan      $FW     ACCEPT    info
wlan      ovpn    REJECT    info
wlan      all     REJECT    info
#
# Policies for l2tp
l2tp      loc     ACCEPT    info
l2tp      net     ACCEPT    info
#
# THE FOLLOWING POLICY MUST BE LAST
all       all     ACCEPT    info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

----> /etc/shorewall/rules
#############################################################################################################
#ACTION         SOURCE  DEST    PROTO   DEST    SOURCE  ORIGINAL  RATE    USER/
#                                       PORT    PORT(S) DEST      LIMIT   GROUP
#
...
# Prevent IPSEC bypass by hosts behind a NAT gateway
L2TP(REJECT)    net     $FW
REJECT          $FW     net     udp     -       1701
# l2tp over the IPsec VPN
ACCEPT          vpn1    $FW     udp     1701
# webserver that can only be accessed internally
HTTP(ACCEPT)    loc     $FW
HTTP(ACCEPT)    l2tp    $FW
HTTPS(ACCEPT)   loc     $FW
HTTPS(ACCEPT)   l2tp    $FW
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
On 12/31/12 10:37 AM, tony.blue.mailinglist@gmx.de wrote:
> I configured shorewall like the instructions in
> http://www.shorewall.net/IPSEC-2.6.html but it does not run.
>
> I always get in /var/log/syslog:
> ...
> Dec 31 19:08:31 router kernel: [81080.616087]
> Shorewall:INPUT:REJECT:IN=ppp0 OUT=
> MAC=45:00:00:88:3e:3e:00:00:2d:11:20:cd:50:bb:67:59:54:39:22:05:1b:2e
> SRC=80.187.103.89 DST=84.57.34.5 LEN=95 TOS=0x00 PREC=0x00 TTL=45
> ID=15934 PROTO=UDP SPT=62781 DPT=1701 LEN=75
> ...
>
> Only if I change the last line of /etc/shorewall/policy for a short
> time to:
> ...
> all all ACCEPT info
> ...
>
>
> I made an easier configuration:
>
> ----> /etc/shorewall/hosts
> #ZONE   HOSTS               OPTIONS
> vpn1    eth0:0.0.0.0/0

That can't be right -- don't you want ppp0:0.0.0.0/0?

> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
>
> ----> /etc/shorewall/policy
> # Policies for traffic originating from the Internet zone (net)
> net       dmz     DROP      info
> net       $FW     ACCEPT    info

That's a horrible idea....

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
tony.blue.mailinglist@gmx.de
2013-Jan-01 02:18 UTC
Re: How could I open Port 1701 for VPN l2tp/ipsec
On 31.12.2012 20:39, Tom Eastep wrote:
> ----> /etc/shorewall/hosts
> #ZONE   HOSTS               OPTIONS
> vpn1    eth0:0.0.0.0/0
>
> That can't be right -- don't you want ppp0:0.0.0.0/0?
>

Thank you for this great tip. Now l2tp/ipsec gets a connection.

>> ----> /etc/shorewall/policy
>> # Policies for traffic originating from the Internet zone (net)
>> net       dmz     DROP      info
>> net       $FW     ACCEPT    info
> That's a horrible idea....
>
>

That's right. Now I changed the policy to:

net       $FW     DROP      info

But now I get a new problem:
...
Jan  1 02:56:45 router kernel: [  455.395574] Shorewall:net2fw:DROP:IN=ppp0 OUT= MAC= SRC=80.187.106.196 DST=84.57.4.128 LEN=140 TOS=0x00 PREC=0x00 TTL=45 ID=43653 PROTO=UDP SPT=7827 DPT=4500 LEN=120
...

Do you think it is safe to solve that with a rule like:

ACCEPT    net     $FW     udp     4500

Thank you!

Tony
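The syslog excerpts in this thread all have the same shape: a "Shorewall:<chain>:<disposition>:" prefix followed by netfilter KEY=VALUE fields, and the question each time is which part of the L2TP/IPsec exchange the firewall is blocking (IKE on UDP 500, NAT-Traversal on UDP 4500, ESP as IP protocol 50, and L2TP itself on UDP 1701). The following parser is an added example, not code from the thread or from the Shorewall project; it runs over constructed sample lines (the UDP/1701 REJECT and UDP/4500 DROP mirror the thread's logs, the UDP/500 and ESP lines are made up to show the other components) and counts blocked packets per chain, disposition and component. The component mapping is the standard L2TP/IPsec port allocation and is assumed here, not something the thread states. One caveat the example cannot remove: a decrypted L2TP packet is logged with IN=ppp0 exactly like a plaintext one, so the log alone does not show whether a UDP/1701 packet arrived inside ESP.

```python
"""Summarise Shorewall kernel log lines by chain, disposition and L2TP/IPsec component."""
import re
from collections import Counter

# Constructed sample, same shape as the syslog excerpts in this thread. The
# first two lines mirror the thread's UDP/1701 REJECT and UDP/4500 DROP; the
# UDP/500 and ESP lines are made up here to show the other IPsec components.
SAMPLE_LOG = """\
Dec 30 10:50:44 router kernel: [263702.821796] Shorewall:INPUT:REJECT:IN=ppp0 OUT= MAC=45:00:00:88:9e:19:00:00:2d:11:c7:a3:50:bb:67:48:54:39:1b:64:5c:a4 SRC=80.187.103.72 DST=84.57.27.100 LEN=95 TOS=0x00 PREC=0x00 TTL=45 ID=40473 PROTO=UDP SPT=61751 DPT=1701 LEN=75
Jan  1 02:56:45 router kernel: [  455.395574] Shorewall:net2fw:DROP:IN=ppp0 OUT= MAC= SRC=80.187.106.196 DST=84.57.4.128 LEN=140 TOS=0x00 PREC=0x00 TTL=45 ID=43653 PROTO=UDP SPT=7827 DPT=4500 LEN=120
Jan  1 02:56:40 router kernel: [  450.100000] Shorewall:net2fw:DROP:IN=ppp0 OUT= MAC= SRC=80.187.106.196 DST=84.57.4.128 LEN=364 TOS=0x00 PREC=0x00 TTL=45 ID=43600 PROTO=UDP SPT=500 DPT=500 LEN=344
Jan  1 02:57:01 router kernel: [  471.200000] Shorewall:net2fw:DROP:IN=ppp0 OUT= MAC= SRC=80.187.106.196 DST=84.57.4.128 LEN=152 TOS=0x00 PREC=0x00 TTL=45 ID=43701 PROTO=ESP SPI=0x0c1d2e3f
"""

# Shorewall logs as "Shorewall:<chain>:<disposition>:" followed by the usual
# netfilter KEY=VALUE fields (OUT= and MAC= may be empty).
LINE_RE = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<action>[^:\s]+):(?P<fields>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_shorewall_line(line):
    """Return {'chain', 'action', 'IN', 'SRC', 'PROTO', 'DPT', ...} or None for non-Shorewall lines."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    event = {"chain": m.group("chain"), "action": m.group("action")}
    for key, value in FIELD_RE.findall(m.group("fields")):
        event[key] = value  # LEN occurs twice (IP, then UDP); the UDP value wins
    return event


def classify(event):
    """Name the L2TP/IPsec component a logged packet belongs to (assumed standard port mapping)."""
    proto, dpt = event.get("PROTO", ""), event.get("DPT", "")
    if proto == "ESP":
        return "ESP (IP proto 50)"
    if proto == "UDP" and dpt == "500":
        return "IKE (UDP 500)"
    if proto == "UDP" and dpt == "4500":
        return "IKE/ESP NAT-T (UDP 4500)"
    if proto == "UDP" and dpt == "1701":
        # The log cannot show whether this L2TP packet was delivered inside
        # ESP; both decrypted and plaintext L2TP are logged with IN=ppp0.
        return "L2TP (UDP 1701)"
    return "other (%s/%s)" % (proto or "?", dpt or "-")


def summarize(log_text):
    """Count logged packets per (chain, disposition, component)."""
    counts = Counter()
    for line in log_text.splitlines():
        event = parse_shorewall_line(line)
        if event is not None:
            counts[(event["chain"], event["action"], classify(event))] += 1
    return counts


def blocked_components(log_text):
    """Sorted list of VPN components that the firewall rejected or dropped."""
    return sorted({c for (_, action, c) in summarize(log_text) if action in ("DROP", "REJECT")})


if __name__ == "__main__":
    for (chain, action, component), n in sorted(summarize(SAMPLE_LOG).items()):
        print("%-8s %-7s %-26s %d" % (chain, action, component, n))
    print("blocked:", ", ".join(blocked_components(SAMPLE_LOG)))
```

Run it against the real file with `summarize(open("/var/log/syslog").read())`; the chain name tells you whether a policy (net2fw) or an explicit rule in INPUT did the blocking, and the component list tells you which of IKE, NAT-T, ESP and L2TP still needs a tunnels entry or a rule before the iPhone can complete the handshake.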
tony.blue.mailinglist@gmx.de
2013-Jan-01 02:49 UTC
Re: How could I open Port 1701 for VPN l2tp/ipsec
On 01.01.2013 03:18, tony.blue.mailinglist@gmx.de wrote:
> On 31.12.2012 20:39, Tom Eastep wrote:
>

With the above configuration I can reach everything in the local network (for example, pick up mail, surf the DMZ) but I cannot surf the Internet. The requests are sent, and in the syslog there is also "ACCEPT". Unfortunately there is obviously no return.

Currently I have no idea where I could find a mistake here. How can I find out what happened to the packets?

Thank you!

Tony
On 12/31/2012 06:49 PM, tony.blue.mailinglist@gmx.de wrote:
> On 01.01.2013 03:18, tony.blue.mailinglist@gmx.de wrote:
>> On 31.12.2012 20:39, Tom Eastep wrote:
>>
>
> With the above configuration I can reach everything in the local network
> (for example, pick up mail, surf the DMZ) but I cannot surf the
> Internet. The requests are sent, and in the syslog there is also "ACCEPT".
> Unfortunately there is obviously no return.
>
> Currently I have no idea where I could find a mistake here. How can I
> find out what happened to the packets?
>

I would get rid of that mess you have in /etc/shorewall/masq and replace it with one entry:

ppp0    0.0.0.0/0

One reason that we ask for the output of 'shorewall dump' when you report a connection problem is so that we can see your IP configuration. You have not provided that information. So if you have a public subnet routed via ppp0, then the above entry needs to be replaced by:

ppp0    !<public subnet>

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
tony.blue.mailinglist@gmx.de
2013-Jan-04 21:04 UTC
Re: How could I open Port 1701 for VPN l2tp/ipsec
On 01.01.2013 16:52, Tom Eastep wrote:
> On 12/31/2012 06:49 PM, tony.blue.mailinglist@gmx.de wrote:
>> On 01.01.2013 03:18, tony.blue.mailinglist@gmx.de wrote:
>>> On 31.12.2012 20:39, Tom Eastep wrote:
>>>
> I would get rid of that mess you have in /etc/shorewall/masq and replace
> it with one entry:
>
> ppp0    0.0.0.0/0
>

Hi Tom,

your tips are great. I spent four days on the road and therefore can only answer today.

Now I added

ppp0    ppp1

to /etc/shorewall/masq, and now it works. I am happy!

A new problem has emerged: after the entry in /etc/shorewall/masq, shorewall does not work when the device ppp1 is not created. If I want to start shorewall I have to make a VPN connection.

Is there a way to start shorewall with no VPN connection (no ppp1 ipsec tunnel)?

Thank you!

Tony
On 1/4/13 1:04 PM, tony.blue.mailinglist@gmx.de wrote:
> On 01.01.2013 16:52, Tom Eastep wrote:
>> On 12/31/2012 06:49 PM, tony.blue.mailinglist@gmx.de wrote:
>>> On 01.01.2013 03:18, tony.blue.mailinglist@gmx.de wrote:
>>>> On 31.12.2012 20:39, Tom Eastep wrote:
>>>>
>> I would get rid of that mess you have in /etc/shorewall/masq and replace
>> it with one entry:
>>
>> ppp0    0.0.0.0/0
>>
> Hi Tom,
>
> your tips are great. I spent four days on the road and therefore can
> only answer today.
>
> Now I added
>
> ppp0    ppp1
>
> to /etc/shorewall/masq, and now it works. I am happy!
>
> A new problem has emerged: after the entry in /etc/shorewall/masq,
> shorewall does not work when the device ppp1 is not created. If I want to
> start shorewall I have to make a VPN connection.
>
> Is there a way to start shorewall with no VPN connection (no ppp1 ipsec
> tunnel)?

Why don't you just do what I showed you above?

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
On 01/05/2013 01:46 AM, tony.blue.mailinglist@gmx.de wrote:
> On 04.01.2013 22:14, Tom Eastep wrote:
>> A new problem has emerged: after the entry in /etc/shorewall/masq,
>> shorewall does not work when the device ppp1 is not created. If I want to
>> start shorewall I have to make a VPN connection.
>>
>> Is there a way to start shorewall with no VPN connection (no ppp1 ipsec
>> tunnel)?
>> Why don't you just do what I showed you above?
>>
>> -Tom
>>
>
> Hi Tom,
>
> please excuse me. I was not sure whether I could post the data in the
> shorewall dump on the public list without making my firewall insecure.
>
> Therefore, I send you the shorewall dump personally via email. I hope
> this is okay.
>
> The structure is like this:
>
>                              +-------- eth2 (dmz webserver)
>                              |
> Internet --- (dynamic IP) --- ppp0 ---- eth0 (local network)
>                              |
>                              +-------- eth3 (wlan)
>                              |
>                              +-------- tun0 (open-vpn)
>                              |
>                              +-------- ppp1 (vpn ipsec/l2tp)
>

This single entry will work:

ppp0    192.168.0.0/16

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________