João Miguel Neves wrote:

The default firewall scripts have hooks to call custom code if you need to do something not possible with just the /etc/network.conf variables.

Solution

I checked the rules and, after a lot of tweaking, I discovered that I needed to add rules to ipchains to allow forwarding between the subnets behind the firewalls. In my specific case the networks were: 192.168.0.0/16 and 192.168.31.0/24. So I created the file /etc/ipchains.forward with the following content:

ipchains -I forward 2 -s 192.168.0.0/16 -d 192.168.31.0/24 -j ACCEPT
ipchains -I forward 3 -s 192.168.31.0/24 -d 192.168.0.0/16 -j ACCEPT

Well, this is just in case it can be useful for anyone else. I have no idea how to do it, but should this be integrated on the image configuration?
With a default Dachstein system, you could simply put the rules above into /etc/ipchains.forward, and your custom rules will be added automatically when reloading the firewall rules.
Note you can also use the -b switch (bidirectional) to ipchains to reduce the above to a single rule, and in the /etc/ipchains.forward file, you should probably use the predefined IPCH environment variable, resulting in:
$IPCH -I forward -j ACCEPT -s 192.168.0.0/16 -d 192.168.31.0/24 -b
This is how I add the required forwarding rules to my firewall, but if the rule is simply for your VPN connection, you can specify the [left|right]firewall=yes setting in your ipsec connection definition, and the ipsec scripts will automatically add the required forwarding rules when the connection is brought up. This might be required if (for example) you had public IPs on both sides of the VPN link, and didn't want traffic going across the 'net unencrypted until the VPN tunnel comes up. With private IPs, this isn't as much of an issue (the default Dachstein firewall will prevent any private IP traffic from leaving the firewall unless it's tunneled through something like ipsec).
Also, if you use the [left|right]firewall setting in ipsec.conf, you have to stop ipsec if you want to modify your firewall rules, i.e.:
svi ipsec stop
net ipfilter reload
svi ipsec start
That is one nice thing about using ipchains.forward to implement the forwarding rules: you can simply "net ipfilter reload" to change firewall rules, and your IPSec link will continue to work.
--
Charles Steinkuehler
[EMAIL PROTECTED]
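An added example, not part of the reply above or of the Dachstein scripts: a POSIX sh fragment in the style of /etc/ipchains.forward that checks the subnet notation before handing the bidirectional rule to $IPCH. IPCH defaulting to "echo" is an assumption for a dry run that only prints the rule; on a real Dachstein box the firewall scripts already define IPCH as the ipchains binary.

```shell
#!/bin/sh
# Added example: emit one bidirectional forward ACCEPT rule per VPN subnet
# pair, refusing malformed CIDR strings instead of loading a broken rule.
# IPCH is the variable the Dachstein scripts predefine; defaulting it to
# "echo" here is an assumption so the fragment can be dry-run anywhere.
IPCH="${IPCH:-echo}"

# valid_cidr A.B.C.D/N: returns 0 when there are exactly four octets in
# 0-255 and a prefix length in 0-32, non-zero otherwise.
valid_cidr() {
    case "$1" in
        */*) ;;
        *) return 1 ;;
    esac
    net="${1%/*}"; bits="${1#*/}"
    case "$bits" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$bits" -le 32 ] || return 1
    n=0
    oldifs="$IFS"; IFS=.
    for o in $net; do
        case "$o" in ''|*[!0-9]*) IFS="$oldifs"; return 1 ;; esac
        [ "$o" -le 255 ] || { IFS="$oldifs"; return 1; }
        n=$((n + 1))
    done
    IFS="$oldifs"
    [ "$n" -eq 4 ]
}

# forward_rule SRC DST: one -b (bidirectional) ACCEPT rule in the forward
# chain, limited to exactly these two subnets rather than a blanket ACCEPT.
forward_rule() {
    valid_cidr "$1" && valid_cidr "$2" || {
        echo "forward_rule: bad subnet in '$1' '$2'" >&2
        return 1
    }
    $IPCH -I forward -j ACCEPT -s "$1" -d "$2" -b
}

# The two networks from the post; with IPCH=echo this only prints the rule.
forward_rule 192.168.0.0/16 192.168.31.0/24
```

Run it with IPCH unset to review the generated rule, then let the firewall scripts supply IPCH and reload with "net ipfilter reload".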
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
