Hi,

After making the OpenVPN connection you should have your connection only allowed
through the VPN tunnel, for various reasons, most security related...

If I make a rule it seems to complicate this process, whereas if I just use
the interfaces, policy and zones it's just a simple matter of commenting and
uncommenting 2 lines in the policy...


*This is a regular internet connection, no VPN, you need the policy like
this to first establish the VPN, or to just have regular internet
connectivity;*

# Block this machine from accessing NET ZONE except for exceptions in /etc/shorewall/rules
#$FW            net             DROP          ULOG

# Allow NET Zone when not on VPN - (Allow all connection requests from the firewall to the Internet)
$FW             net             ACCEPT

# Allow this machine to access the VPN ZONE for everything
$FW             vpn             ACCEPT


*This is now the change in the policy once the VPN connection has been
established and all traffic is routed on the VPN, we drop the net and only
accept on the vpn;*

# Block this machine from accessing NET ZONE except for exceptions in /etc/shorewall/rules
$FW            net             DROP          ULOG

# Allow NET Zone when not on VPN - (Allow all connection requests from the firewall to the Internet)
#$FW             net             ACCEPT

# Allow this machine to access the VPN ZONE for everything
$FW             vpn             ACCEPT


So for me, changing the policy like this doesn't seem complicated; it actually
seems the simplest method I can see here. Because no matter what you do
there is going to be a leak to the Net unless you drop it somewhere once
connected to the VPN, so this is why I do it this way, because I don't
understand how it can be done any simpler...

So if anyone can show me a simpler way, if there is, that would be great! :)

THANKS
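Added example, not from the thread or from Shorewall: a POSIX shell helper that performs the same two-line comment/uncomment swap as a script and reports which $FW->net line is live, so the switch can be checked before shorewall is restarted. It assumes the policy file is laid out as posted above; shorewall itself is never invoked.

```shell
#!/bin/sh
# Added example (not from the thread): script the two-line policy swap the
# post describes instead of editing /etc/shorewall/policy by hand.
# Assumes the policy file has the "$FW net DROP" / "$FW net ACCEPT" lines
# laid out as posted above; shorewall itself is never invoked here.

# Write a constructed copy of the "not on VPN" policy from the post to FILE.
make_sample_policy() {
    cat > "$1" <<'EOF'
# Block this machine from accessing NET ZONE except for exceptions in /etc/shorewall/rules
#$FW            net             DROP          ULOG
# Allow NET Zone when not on VPN
$FW             net             ACCEPT
# Allow this machine to access the VPN ZONE for everything
$FW             vpn             ACCEPT
EOF
}

# Print FILE with the $FW->net policy set for MODE:
#   vpn -> DROP line live, ACCEPT line commented (tunnel up, no leak to net)
#   net -> ACCEPT line live, DROP line commented (needed to reach the VPN server)
# Every other line passes through unchanged.
render_policy() {
    awk -v mode="$1" '
        /^#?[[:space:]]*[$]FW[[:space:]]+net[[:space:]]+(DROP|ACCEPT)/ {
            sub(/^#[[:space:]]*/, "")            # make the line live first
            want = (mode == "vpn") ? "DROP" : "ACCEPT"
            if ($3 != want) $0 = "#" $0          # then comment out the other one
        }
        { print }
    ' "$2"
}

# Report the action of the live (uncommented) $FW->net line in FILE, or
# "none", so a check before "shorewall restart" can refuse an ambiguous file.
fw_net_action() {
    awk '/^[[:space:]]*[$]FW[[:space:]]+net[[:space:]]/ { print $3; found = 1; exit }
         END { if (!found) print "none" }' "$1"
}

# Typical use once the tunnel is up (run as root):
#   render_policy vpn /etc/shorewall/policy > /tmp/policy.new
#   [ "$(fw_net_action /tmp/policy.new)" = DROP ] && cp /tmp/policy.new /etc/shorewall/policy
#   shorewall check && shorewall restart
```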

On Thu, Jul 28, 2011 at 2:51 AM, Tom Eastep <[email protected]> wrote:

> On Wed, 2011-07-27 at 21:51 -1000, Das wrote:
>
> > Sorry getting lost now, been at this with other Slackware users, so
> > Hi Tom,
> >
> >  I've gotten quite spun around with this for the past few weeks.
> >
> > Let me ask this over, or another way, if I did before and sorry if I'm
> > repeating myself. I only use OpenVPN as a client connecting to a VPN
> > service, so will the 3 files below as you see them work after I've
> > connected to OpenVPN? Because when I showed this to another Slackware
> > user that seemed quite experienced with iptables and I showed him the
> > output of iptables-save, he could not see anything wrong with the 3
> > files below not working for me.
> >
> > So the 3 files below work for me when I'm connected to OpenVPN, of
> > course when I need to connect to the VPN, I have to comment the first
> > line in the Policy and uncomment the second line, so how you see it
> > now, this is after I've connected and I've restarted shorewall...
> >
> > So for me I do not need a host, tunnels or rules to make the
> > connection work....
>
> Of course you don't - you  could even:
>
> - shorewall clear
> - /etc/init.d/openvpn start
> - shorewall start
>
> But why?
>
> Why not set up the Shorewall configuration so that you don't have to
> fiddle with the policies if your current init scripts happen to start
> OpenVPN after they start Shorewall, or if you need to restart OpenVPN?
>
> -Tom
> --
> Tom Eastep        \ When I die, I want to go like my Grandfather who
> Shoreline,         \ died peacefully in his sleep. Not screaming like
> Washington, USA     \ all of the passengers in his car
> http://shorewall.net \________________________________________________
>
>
>
> _______________________________________________
> Shorewall-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/shorewall-users