On 09/04/2012 05:56 AM, Alexander 'Leo' Bergolth wrote:
> Hi!
>
> I have a shorewall firewall that connects two private subnets via ipsec
> and also has a dmz.
>
>      private net                                private remote net
>      Zone: int                                  Zone: vpn
>      10.0.1.0/24 --- shorewall --- Internet --- 10.0.2.0/24
>                     /   \ - - - - ipsec - - - - /
>                    /
>                  DMZ
>               1.2.3.0/24
>
> Connecting the two subnets works fine. There are ipsec policies that
> match my two private subnets.
>
> However, I'd like to make a single exception and allow one host in the
> DMZ to make dns requests to one host in the remote net (via ipsec). I'd
> like to use SNAT to map its address to an address in the internal net.
>
> There is no ipsec policy for the DMZ net, so I have to use "IPSEC=no" in
> masq in order to make the SNAT filter work:
> -------------------- 8< --------------------
> outgoing INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC MARK
> eth0:10.0.2.0/24 1.2.3.4 10.0.1.9 - - no
> -------------------- 8< --------------------
>
> (This includes a "policy match dir out pol none" filter, which matches
> the packets from my DMZ host when they first pass the POSTROUTING chain,
> before they are rewritten using SNAT.)
>
> Unfortunately the other shorewall policies and rules still won't work
> because the calls to the dmz2vpn chains also include "policy match dir
> out pol ipsec", which won't match because there is no security policy
> for the DMZ.
>
> Do you have any hints how to solve this?
Try adding this to /etc/shorewall/hosts:

dmz ethX:10.0.1.9 ipsec

-Tom
--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
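The complete set of Shorewall files the thread is talking about, written out as an added example rather than taken from the thread or from the Shorewall documentation. The masq line is Leo's and the hosts line is Tom's (his ethX placeholder is kept as he wrote it); the zone and interface layout follows the diagram in the question, while the interface names eth1 (int) and eth2 (dmz), the remote resolver address 10.0.2.53 and the decision to declare vpn as a zone of type ipsec are assumptions made here:

```text
# /etc/shorewall/zones
#ZONE   TYPE      OPTIONS
fw      firewall
int     ipv4
dmz     ipv4
vpn     ipsec                        # remote private net, only reachable through the tunnel

# /etc/shorewall/interfaces  (eth0 is from the question; eth1/eth2 are assumed names)
#ZONE   INTERFACE   BROADCAST   OPTIONS
-       eth0        detect      # Internet; also carries the IPsec traffic to 10.0.2.0/24
int     eth1        detect
dmz     eth2        detect

# /etc/shorewall/hosts
#ZONE   HOST(S)               OPTIONS
vpn     eth0:10.0.2.0/24               # members of the ipsec zone behind eth0
dmz     ethX:10.0.1.9         ipsec    # Tom's suggested line; ethX is his placeholder

# /etc/shorewall/masq  (Leo's line; the header carries the column names he used)
#INTERFACE          SOURCE    ADDRESS    PROTO   PORT(S)   IPSEC   MARK
eth0:10.0.2.0/24    1.2.3.4   10.0.1.9   -       -         no
# IPSEC=no makes Shorewall add "-m policy --dir out --pol none", so the rule
# matches the DMZ host's packets in POSTROUTING before SNAT rewrites them.

# /etc/shorewall/rules  (assumed: DMZ host 1.2.3.4, remote resolver 10.0.2.53)
#ACTION  SOURCE         DEST            PROTO   DEST PORT(S)
ACCEPT   dmz:1.2.3.4    vpn:10.0.2.53   udp     53
ACCEPT   dmz:1.2.3.4    vpn:10.0.2.53   tcp     53

# Checks after "shorewall restart":
#   ip xfrm policy                     # the SP selectors should still be 10.0.1.0/24 <-> 10.0.2.0/24 only
#   shorewall show dmz2vpn             # the policy-match rules generated for the dmz->vpn chain
#   iptables -t nat -vnL POSTROUTING   # the SNAT rule and its "policy match dir out pol none" counter
```

Two caveats worth keeping in mind with this layout. The masq entry is not what bounds the exception: it rewrites every packet from 1.2.3.4 towards 10.0.2.0/24 regardless of protocol, so the two rules lines are the only thing limiting the DMZ host to DNS against one resolver. And because the packets enter the tunnel with source 10.0.1.9, the remote side sees an internal-net address rather than a DMZ one, so any filtering on the 10.0.2.0/24 end cannot distinguish this DMZ host from a real host at 10.0.1.9.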
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
