Hi Shorewall Geek !!

This really flashed in my mind after reading your post!

I couldn't believe the simplicity of it.

Thanks a million!

and I think it's about time to say ....

Merry Christmas
to you,
to Tom
and to all shorewall users.
Harry.
>
>   
>> In short the setup that it suggests is this
>> ---------------------------------------------------
>> Shorewall.conf
>>
>> BRIDGING=Yes
>>     
>
> That won't work with your 2.6.25 kernel -- this is pointed out in large
> bold font on the Shorewall home page:
> http://www.shorewall.net/shorewall_index.htm#Notice1
>
>   
>> -------------------------------------
>> Zones
>> vpn     ipv4
>> --------------------------------------
>> Interfaces
>> #ZONE      INTERFACE        BROADCAST     OPTIONS
>> -        br0
>>     
>
> I personally would just use a simple bridge
> (http://www.shorewall.net/SimpleBridge.html) and make your VPN clients
> part of the 'loc' zone.
>
> #ZONE        INTERFACE         BROADCAST     OPTIONS
> loc        br0               ...
>
> And remove whatever entry you currently have for loc.
>
>   
>> -------------------------------------
>> hosts
>> #ZONE           HOST(S)                         OPTIONS
>> loc     br0:eth3
>> vpn     br0:tap0
>>     
>
> You don't need anything in the hosts file.
>
>   
>> -----------------------------------------
>> tunnels
>> # TYPE                  ZONE    GATEWAY         GATEWAY
>> #                                               ZONE
>> openvpn        net     0.0.0.0/0       vpn
>>     
>
> I would make that 'openvpnserver' and get rid of the 'vpn' at the end
> (GATEWAY ZONE only applies to IPSEC tunnels).
>
>   
>> -----------------------------------------------------------
>> and finally policy
>>
>> #SOURCE        DEST          POLICY          LOG LEVEL
>> loc            vpn           ACCEPT
>> vpn            loc           ACCEPT
>>     
>
> And you don't need any policies since the VPN clients are already in the
> loc zone.
>
>   
>> ------------------------------------------------------------------------------
>> So far so good this seemed clear
>>
>> In my case though with 2 ISPs
>>
>> I miss how to fill the providers file, the copy field
>>     
>
> Replace your current local interface with 'br0'.
>
> ------------------------------------------------------------------------------
> SF.Net email is Sponsored by MIX09, March 18-20, 2009 in Las Vegas, Nevada.
> The future of the web can't happen without you.  Join us at MIX09 to help
> pave the way to the Next Web now. Learn more and register at
> http://ad.doubleclick.net/clk;208669438;13503038;i?http://2009.visitmix.com/
> _______________________________________________
> Shorewall-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>
>   

