Hi,

This is what I've been trying to explain: with just the interfaces, policy
and zones I can make this work on any distro; I don't need rules to connect
to OpenVPN or stay online with it...

It seems to me that for OpenVPN, as long as you have an interface, vpn
running on tun0, defined in the policy to allow this connection, with the
zone vpn ipv4, you can connect to an OpenVPN server as a client and then
make the changes in the Policy as I explained before once you've connected,
restart Shorewall and have the connection routed over the tunnel...


THANKS



On Thu, Jul 28, 2011 at 12:21 AM, Joerg Gollnick <[email protected]> wrote:

> Hello,
> you need a rule to allow communication from your firewall to your
> openvpnserver.
>
> /etc/shorewall/rules
> #
> # openvpnclient to any openvpnserver
> #
> OpenVPN/ACCEPT  $FW             net
> or
>
> /etc/shorewall/rules
> #
> # openvpnclient to one openvpnserver (e.g. 203.0.113.1)
> #
> OpenVPN/ACCEPT  $FW             net:203.0.113.1
>
> Best regards Joerg
>
> On Wednesday 27 July 2011 21:51:50 Das wrote:
> > Hi Tom,
> >
> > Sorry, getting lost now; I've been at this with other Slackware users, so I've
> > gotten quite spun around with this for the past few weeks.
> >
> > Let me ask this over, or another way, if I did before, and sorry if I'm
> > repeating myself. I only use OpenVPN as a client connecting to a VPN
> > service, so will the 3 files below, as you see them, work after I've connected
> > to OpenVPN? Because when I showed this to another Slackware user that seemed
> > quite experienced with iptables and I showed him the output of
> > iptables-save, he could not see anything wrong with the 3 files below not
> > working for me.
> >
> > So the 3 files below work for me when I'm connected to OpenVPN; of course,
> > when I need to connect to the VPN, I have to comment the first line in the
> > Policy and uncomment the second line, so how you see it now, this is after
> > I've connected and I've restarted shorewall...
> >
> > So for me I do not need a host, tunnels or rules to make the connection
> > work....
> >
> > Stopping and starting for 10 mins. doesn't do anything; everything works
> > just fine for me the way you see it below, once I'm on the VPN...
> >
> >
> > THANKS
> >
> >
> >
> > INTERFACES
> > ###############################################################################
> > #ZONE    INTERFACE    BROADCAST    OPTIONS
> > net     eth0            detect          dhcp,tcpflags,logmartians,nosmurfs
> > net     wlan0           detect          dhcp,tcpflags,logmartians,nosmurfs
> >
> > # OpenVPN Interface
> > vpn     tun0            detect
> > vpn     tap0            detect
> >
> > POLICY
> > ###############################################################################
> > #SOURCE    DEST    POLICY        LOG    LIMIT:        CONNLIMIT:
> > #                LEVEL    BURST        MASK
> > #
> > # Block this machine from accessing NET ZONE except for exceptions in
> > # /etc/shorewall/rules
> > $FW             net             DROP          info
> >
> > # Allow NET Zone when not on VPN - (Allow all connection requests from the
> > # firewall to the Internet)
> > #$FW             net             ACCEPT
> >
> > # Allow this machine to access the VPN ZONE for everything
> > $FW             vpn             ACCEPT
> >
> > # Block anything from the NET ZONE to all other zones - (Drop (ignore) all
> > # connection requests from the Internet to your firewall)
> > net             all             DROP            info
> >
> > # Block from using another connection
> > net             net             NONE
> >
> > #
> > # The FOLLOWING POLICY MUST BE LAST
> > #
> >
> > # Block everything else - (Reject all other connection requests (Shorewall
> > # requires this catchall policy)
> > all             all             REJECT          info
> >
> >
> > ZONE
> > ###############################################################################
> > #ZONE    TYPE        OPTIONS        IN            OUT
> > #                    OPTIONS            OPTIONS
> > fw    firewall
> > net     ipv4
> > #vpn     ipsec
> > vpn     ipv4
> >
> > On Wed, Jul 27, 2011 at 1:50 PM, Tom Eastep <[email protected]> wrote:
> > > On Jul 27, 2011, at 4:18 PM, Tom Eastep wrote:
> > >
> > >
> > > I didn't say Netfilter messed up -- I'm betting on my solution a)
> > >
> > >
> > > And to prove it:
> > >
> > > a) Stop OpenVPN
> > > b) Wait 10 Minutes
> > > c) Try to start OpenVPN
> > >
> > > -Tom
> > >
> > > Tom Eastep        \ When I die, I want to go like my Grandfather who
> > > Shoreline,         \ died peacefully in his sleep. Not screaming like
> > > Washington, USA     \ all of the passengers in his car
> > > http://shorewall.net \________________________________________________
> > >
> > >
> > >
> > >
> > >
> ------------------------------------------------------------------------
> > > ------ Got Input?   Slashdot Needs You.
> > > Take our quick survey online.  Come on, we don't ask for help often.
> > > Plus, you'll get a chance to win $100 to spend on ThinkGeek.
> > > http://p.sf.net/sfu/slashdot-survey
> > > _______________________________________________
> > > Shorewall-users mailing list
> > > [email protected]
> > > https://lists.sourceforge.net/lists/listinfo/shorewall-users
>
>
>

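The thread above argues one point: with the `$FW net DROP` policy in place (the kill-switch setting), does the firewall box itself still get to reach the OpenVPN server, or must the policy be flipped to ACCEPT and Shorewall restarted first, as Das does? Joerg's answer is that an exception rule in /etc/shorewall/rules is what makes the DROP policy workable. The checker below is an added example, not code from the thread or from the Shorewall project; it models a deliberately simplified Shorewall (first matching policy wins, `all` is a wildcard zone, rules are consulted before policies, only the ACTION/SOURCE/DEST/PROTO/DPORT rule columns are read) and assumes the OpenVPN macro expands to udp/1194. The sample policy and rules files are constructed from the configs quoted in the thread.

```python
# Added example (not from the thread or from Shorewall): does an explicit rule
# let the firewall reach the OpenVPN server while the $FW->net policy is DROP?
# Simplified Shorewall model; the OpenVPN macro is ASSUMED to be udp/1194.

# --- constructed sample inputs, taken from the configs quoted in the thread ---
POLICY_KILLSWITCH = """\
#SOURCE   DEST   POLICY   LOG
$FW       net    DROP     info
$FW       vpn    ACCEPT
net       all    DROP     info
net       net    NONE
all       all    REJECT   info
"""

# Das's "not on VPN" variant: DROP line commented out, ACCEPT line active.
POLICY_OPEN = """\
#$FW      net    DROP     info
$FW       net    ACCEPT
$FW       vpn    ACCEPT
net       all    DROP     info
all       all    REJECT   info
"""

# Catch-all placed first: everything after it is shadowed (Shorewall wants it last).
POLICY_BAD_ORDER = """\
all       all    REJECT   info
$FW       vpn    ACCEPT
"""

RULES_EMPTY = ""
RULES_ANY_SERVER = "OpenVPN/ACCEPT  $FW  net\n"               # Joerg's first form
RULES_ONE_SERVER = "OpenVPN/ACCEPT  $FW  net:203.0.113.1\n"   # Joerg's second form

OPENVPN_MACRO = ("udp", "1194")   # assumed expansion of Shorewall's OpenVPN macro


def parse_table(text):
    """Split a Shorewall table into rows of whitespace-separated columns,
    dropping '#' comments and blank lines."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rows.append(line.split())
    return rows


def find_policy(policies, src, dst):
    """First matching policy wins; 'all' matches any zone."""
    for row in policies:
        if row[0] in (src, "all") and row[1] in (dst, "all"):
            return row[2]
    return None


def catchall_is_last(policies):
    """'all all REJECT' must be the final policy; placed earlier it hides
    every policy written after it."""
    return bool(policies) and policies[-1][:3] == ["all", "all", "REJECT"]


def rule_allows(rules, src, dst_zone, dst_host, proto, port):
    """Is there an explicit rule letting src reach dst_host in dst_zone on
    proto/port?  Understands the OpenVPN macro and plain ACCEPT rules."""
    for row in rules:
        action, rsrc, rdst = row[0], row[1], row[2]
        rzone, _, rhost = rdst.partition(":")      # 'net:203.0.113.1' -> zone, host
        if rsrc != src or rzone != dst_zone:
            continue
        if rhost and rhost != dst_host:            # rule limited to one server
            continue
        if action == "OpenVPN/ACCEPT" and (proto, port) == OPENVPN_MACRO:
            return True
        if action == "ACCEPT" and len(row) >= 5 and (row[3], row[4]) == (proto, port):
            return True
    return False


def fw_can_reach_vpn_server(policy_text, rules_text, server_ip):
    """Rules are consulted before policies, so an exception rule lets the
    client connect even while the $FW->net policy is DROP."""
    policies = parse_table(policy_text)
    rules = parse_table(rules_text)
    if rule_allows(rules, "$FW", "net", server_ip, *OPENVPN_MACRO):
        return True
    return find_policy(policies, "$FW", "net") == "ACCEPT"


if __name__ == "__main__":
    cases = [("DROP policy, no rule", POLICY_KILLSWITCH, RULES_EMPTY),
             ("DROP policy + exception rule", POLICY_KILLSWITCH, RULES_ONE_SERVER),
             ("ACCEPT policy, no rule", POLICY_OPEN, RULES_EMPTY)]
    for name, pol, rul in cases:
        print(f"{name}: reachable={fw_can_reach_vpn_server(pol, rul, '203.0.113.1')}")
    print("catch-all last in bad-order policy:",
          catchall_is_last(parse_table(POLICY_BAD_ORDER)))
```

With the exception rule present the DROP policy never needs flipping: the OpenVPN client can reach its server, while anything else the box sends towards the net zone is still dropped and, with `info` set, logged. That log is also the quickest way to confirm the rule is missing on a live box: a client that cannot come up while the DROP policy is active leaves its handshake attempts in the Shorewall DROP log.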