Let me show this over and say what I'm doing.

The 3 files below are how I connect to the internet and go online
via eth0 or wlan0; they are also the files I need so I can connect to
OpenVPN.


INTERFACES

###############################################################################
#ZONE   INTERFACE       BROADCAST       OPTIONS

net     eth0            detect          dhcp,tcpflags,logmartians,nosmurfs
net     wlan0           detect          dhcp,tcpflags,logmartians,nosmurfs

# OpenVPN Interface
vpn     tun0            detect
vpn     tap0            detect

POLICY

###############################################################################
#SOURCE         DEST            POLICY          LOG     LIMIT:          CONNLIMIT:
#                                               LEVEL   BURST           MASK
#
# Block this machine from accessing NET ZONE except for exceptions in /etc/shorewall/rules
#$FW            net             DROP            info

# Allow NET Zone when not on VPN - (Allow all connection requests from the firewall to the Internet)
$FW             net             ACCEPT

# Allow this machine to access the VPN ZONE for everything
$FW             vpn             ACCEPT

# Block anything from the NET ZONE to all other zones - (Drop (ignore) all connection requests from the Internet to your firewall)
net             all             DROP            info

# Block from using another connection
net             net             NONE

#
# The FOLLOWING POLICY MUST BE LAST
#

# Block everything else - (Reject all other connection requests (Shorewall requires this catchall policy)
all             all             REJECT          info


ZONE

###############################################################################
#ZONE   TYPE            OPTIONS         IN              OUT
#                                       OPTIONS         OPTIONS
fw      firewall
net     ipv4
#vpn    ipsec
vpn     ipv4


Now once I'm connected to OpenVPN I comment line 2 in the policy and
uncomment line 1 like below (and restart shorewall)

# Block this machine from accessing NET ZONE except for exceptions in /etc/shorewall/rules
$FW             net             DROP            info

# Allow NET Zone when not on VPN - (Allow all connection requests from the firewall to the Internet)
#$FW            net             ACCEPT


Now if the VPN connection drops I'm not able to get online which is what I
want because I use OpenVPN for security. So for me this is working just
fine. Now to connect back to the VPN I have to comment line 1 and uncomment
line 2 and restart shorewall.

That is all. I want to know if it's ok to do things this way for OpenVPN,
because it works for me without any hosts rules and tunnels...

THANKS
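As an added example (not from the original thread or from Shorewall itself), here is a small first-match simulator of the policy and tunnels files in the shape Tom suggests in the quoted thread below: $FW->net stays DROP, $FW->vpn is ACCEPT, and only the OpenVPN control channel to the server is let out via a tunnels entry, so no comment/uncomment toggling is needed and a dropped VPN leaves the host offline. The VPN server address 203.0.113.10 is a hypothetical stand-in for Tom's <remote endpoints>, and the model is simplified (it does not model return traffic or the rules file).

```python
import ipaddress

# Constructed sample policy in the shape of Tom's suggestion (not the poster's file).
POLICY_TEXT = """
$FW    net    DROP     info
$FW    vpn    ACCEPT
net    all    DROP     info
all    all    REJECT   info
"""
# Hypothetical VPN server address standing in for <remote endpoints>.
TUNNELS_TEXT = "openvpnclient    net    203.0.113.10"

def parse_policy(text):
    """Return (source, dest, action) tuples; $FW is Shorewall's own firewall zone."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            src, dst, action = line.split()[:3]
            rules.append((src.replace("$FW", "fw"), dst, action))
    return rules

def parse_tunnels(text):
    """openvpnclient[:proto[:port]] in Shorewall defaults to UDP port 1194."""
    tunnels = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            kind, zone, gateway = line.split()[:3]
            opts = kind.split(":")
            proto = opts[1] if len(opts) > 1 else "udp"
            port = int(opts[2]) if len(opts) > 2 else 1194
            tunnels.append((zone, ipaddress.ip_network(gateway, strict=False), proto, port))
    return tunnels

def verdict(src_zone, dst_zone, dst_ip, proto, port, policy, tunnels):
    """First match wins; tunnel ACCEPTs are evaluated before the zone policies."""
    for zone, net, tproto, tport in tunnels:
        if (src_zone == "fw" and dst_zone == zone and (proto, port) == (tproto, tport)
                and ipaddress.ip_address(dst_ip) in net):
            return "ACCEPT"
    for src, dst, action in policy:
        if src in (src_zone, "all") and dst in (dst_zone, "all"):
            return action
    return "REJECT"  # unreachable with the mandatory all/all catch-all, kept for safety

POLICY = parse_policy(POLICY_TEXT)
TUNNELS = parse_tunnels(TUNNELS_TEXT)

def check(src_zone, dst_zone, dst_ip="0.0.0.0", proto="tcp", port=443):
    return verdict(src_zone, dst_zone, dst_ip, proto, port, POLICY, TUNNELS)
```

With this shape, a browser request from the firewall to any net address is dropped whether or not the tunnel is up, while the OpenVPN handshake to the server is still allowed.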







On Thu, Jul 28, 2011 at 5:53 PM, Ryan Joiner <[email protected]> wrote:

>
> Tom. You are the man.  I just joined this list a couple of weeks ago and have
> been following everything.  Thanks for your help to the world.
>
> Das, you are the man. Don't give up.  I think you are right, you keep just
> those policies with the tunnel config.  You take away the access to the net
> via the policy, but, correct me if I'm wrong (someone who isn't Tom so he
> can chill,) you do the tunnel config because that opens up access to going
> out and connecting to the VPN server.
>
> What does your routing table say?  Do we want the default route to be that
> of the OpenVPN server so accessing the net goes through it? Or will that
> blow stuff up?
>
> Rj
>
>
> On 7/28/2011 6:38 PM, Das wrote:
>
> Hi,
>
> Ok so this?
>
> openvpnclient net <actual IP I connect to?>
>
> So if I make the tunnels like above, to the actual IP and then I make the
> policy like below:
>
> # Block this machine from accessing NET ZONE except for exceptions in /etc/shorewall/rules
> $FW             net             DROP            ULOG
>
> # Allow this machine to access the VPN ZONE for everything
> $FW             vpn             ACCEPT
>
> This isn't doing anything...
>
> Am I understanding this correctly that those two lines with the tunnels are
> all I need now in the policy? If so, then how is someone supposed to connect
> to the internet over eth0 or wlan0 net if it's not being accepted first?
>
> I'm using a computer that I want to have normal internet connectivity and I
> do not see how that is possible with only those 2 lines above. Also, like
> that you can't connect to the VPN; you have to accept the net first, then
> drop it later once connected to the vpn, so I still do not see what the
> tunnels are doing...
>
>
> 1. I use a broadband internet connection for a desktop/laptop.
> 2. Besides normal internet activities I also use OpenVPN.
> 3. When using OpenVPN I want to protect the computer from being able to get
> back online if the VPN connection drops, this is the objective here and that
> is why I have the policy like that, because as you can see, once I am
> connected to the vpn I then drop the net and no longer accept it and like
> that, if the vpn connection goes down, I can't get back online and that is
> what I want, the VPN is for protection, so of course I don't want to be
> online without it...
>
> Because of 1-3 this is why I make the policy like this, I see no other way
> around this, or I'm very lost here, or I'm not explaining this very well for
> others to understand what I'm trying to do...
>
>
> THANKS
>
>
> On Thu, Jul 28, 2011 at 2:59 PM, Tom Eastep <[email protected]> wrote:
>
>>
>>  On Jul 28, 2011, at 5:05 PM, Das wrote:
>>
>>
>> Can you please show me how I should write the tunnels?
>>
>>
>>
>> Keep this line
>>
>> # Block this machine from accessing NET ZONE except for exceptions in /etc/shorewall/rules
>> $FW             net             DROP            info
>>
>> # Allow this machine to access the VPN ZONE for everything
>> $FW             vpn             ACCEPT
>>
>>
>> And add this line to /etc/shorewall/tunnels
>>
>> openvpnclient net <remote endpoints>
>>
>> The <remote endpoints> can be a network or list of servers that you
>> connect to.
>>
>> -Tom
>>
>> Tom Eastep        \ When I die, I want to go like my Grandfather who
>> Shoreline,         \ died peacefully in his sleep. Not screaming like
>> Washington, USA     \ all of the passengers in his car
>> http://shorewall.net \________________________________________________
>>
>>
>>
>>
>> ------------------------------------------------------------------------------
>> Got Input?   Slashdot Needs You.
>> Take our quick survey online.  Come on, we don't ask for help often.
>> Plus, you'll get a chance to win $100 to spend on ThinkGeek.
>> http://p.sf.net/sfu/slashdot-survey
>> _______________________________________________
>> Shorewall-users mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/shorewall-users