I had the port labels reversed in the first version.

-Tom

Yclept Nemo wrote:
Hi,

I have a few questions about the inner workings of netfilter
(a graphical layout of my network setup @ https://aequorin.homeunix.net:62389/local/media/network-graph.png)


Rather than answer each of your first three individual questions, I'm
going to try to explain to you how it works.

Here is a diagram of what is going on:

       _____________                        ____________
      |             |                      |            |
      | VPN Clients |                      | LAN Hosts  |
      |_____________|                      |____________|
             |                                    |
             |                                    |
       ----------------                   -----------------
      |     tap0       |                 |      eth0       |
      |----------------------------------------------------|
      |                        br0                         |
      |----------------------------------------------------|
      |                                                    |
      |                        $FW                         |
      |____________________________________________________|

So:

1) Any packet from a VPN client will have PHYSIN=eth0.
2) Any packet from a LAN host will have PHYSIN=tap0.
3) Any packet to the firewall will have PHYSOUT= because the connection
does not go out either of the 'physical' (layer 2) interfaces (bridge
ports).
4) All traffic must pass through the bridge; traffic never passes
directly from one bridge port to another. The bridge is always the IN=
interface for traffic from the VPN clients and LAN hosts and it is
always the OUT= interface for traffic to those clients and hosts.

4) The shorewall docs mention that the lan(br0) zone exists b/c it is not possible to do $FW->vpn(tap0) or $FW->phys(eth0)

Is this because netfilter in kernels >=2.6.20 cannot recognize $FW->vpn(tap0) or $FW->phys(eth0)? ... because I haven't seen any traffic that would match $FW->vpn(tap0) or $FW->phys(eth0).

That is correct -- In order to be associated with an output physical
device (PHYSOUT=), a packet must have entered the bridge through a
physical device (port). It cannot have been routed from another IPv4
interface (one with an IPV4 address) and it cannot have originated on
the firewall itself.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
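As an added illustration of the rules above (not part of the thread), the following classifier maps constructed netfilter log lines from a bridged firewall to Shorewall zone pairs. It assumes, as in the diagram and the questioner's zone names, that tap0 carries the VPN clients and eth0 the LAN hosts; the chain names in the log prefixes are made up for the sample.

```python
"""Map netfilter log lines on a bridged Shorewall firewall to zone pairs."""
import re

# Bridge port -> zone. Assumption: tap0 = VPN clients, eth0 = LAN hosts.
PORT_ZONE = {"tap0": "vpn", "eth0": "phys"}
BRIDGE = "br0"

# Kernel log fields we care about; an empty value (e.g. "OUT=") is kept as "".
FIELD_RE = re.compile(r"\b(IN|OUT|PHYSIN|PHYSOUT|SRC|DST)=(\S*)")


def parse_fields(line):
    """Return the interface/address fields of a kernel netfilter log line."""
    return dict(FIELD_RE.findall(line))


def zone_pair(line):
    """Return (source_zone, dest_zone) for one log line.

    Rules from the explanation above: the bridge (br0) is always the IN=/OUT=
    interface; the physical port is only visible via PHYSIN=/PHYSOUT=; traffic
    originating on the firewall carries no PHYSOUT=, so it can only be
    matched against the bridge zone as a whole (lan), never vpn or phys.
    """
    f = parse_fields(line)
    if f.get("IN") == "" and f.get("OUT") == BRIDGE:
        return ("fw", "lan")            # locally generated, no PHYSOUT=
    if f.get("IN") != BRIDGE:
        raise ValueError("not bridged traffic: " + line)
    src = PORT_ZONE.get(f.get("PHYSIN", ""), "unknown")
    if f.get("OUT", "") == "":
        return (src, "fw")              # delivered to the firewall itself
    dst = PORT_ZONE.get(f.get("PHYSOUT", ""), "unknown")
    return (src, dst)                   # bridged from one port to the other


# Constructed sample lines (not real captures) covering the three cases.
SAMPLE_LOGS = [
    "Shorewall:vpn2fw:ACCEPT:IN=br0 OUT= PHYSIN=tap0 "
    "SRC=10.8.0.5 DST=192.168.1.1 PROTO=TCP DPT=22",
    "Shorewall:vpn2phys:DROP:IN=br0 OUT=br0 PHYSIN=tap0 PHYSOUT=eth0 "
    "SRC=10.8.0.5 DST=192.168.1.20 PROTO=TCP DPT=445",
    "Shorewall:fw2lan:ACCEPT:IN= OUT=br0 "
    "SRC=192.168.1.1 DST=192.168.1.20 PROTO=ICMP",
]

if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(zone_pair(line), "<-", line.split(":", 2)[1])
```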

