On 09/05/2012 04:45 PM, Tom Eastep wrote: > On 09/05/2012 05:22 AM, Alexander 'Leo' Bergolth wrote: >> On 09/04/2012 05:54 PM, Tom Eastep wrote: >>> On 09/04/2012 05:56 AM, Alexander 'Leo' Bergolth wrote: >>>> I have a shorewall firewall that connects two private subnets via ipsec >>>> and also has a dmz. >>>> >>>> private net private remote net >>>> Zone: int Zone: vpn >>>> 10.0.1.0/24 --- shorewall --- Internet --- 10.0.2.0/24 >>>> / \ - - ipsec - - / >>>> / >>>> DMZ >>>> 1.2.3.0/24 >>>> >>>> Connecting the two subnets works fine. There are ipsec policies that >>>> match my two private subnets. >>>> >>>> However, I'd like to make a single exception and allow one host in the >>>> DMZ to make dns requests to one host in the remote net (via ipsec). I'd >>>> like to use SNAT to map its address to an address in the internal net. >>>> >>>> There is no ipsec policy for the DMZ net, so I have to use "IPSEC=no" in >>>> masq in order to make the SNAT filter work: >>>> -------------------- 8< -------------------- >>>> outgoing INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC MARK >>>> eth0:10.0.2.0/24 1.2.3.4 10.0.1.9 - - no >>>> -------------------- 8< -------------------- >>>> >>>> (This includes a "policy match dir out pol none" filter, which matches >>>> the packets from my DMZ host when they fist pass the POSTROUTING chain, >>>> before they are rewritten using SNAT.) >>>> >>>> Unfortunately the other shorewall policies and rules still won't work >>>> because the calls to the dmz2vpn chains also include "policy match dir >>>> out pol ipsec", which won't match because there is no security policy >>>> for the DMZ. >>>> >>>> Do you have any hints how to solve this? >>> >>> Try adding this to /etc/shorewall/hosts: >>> >>> dmz ethX:10.0.1.9 ipsec >> >> I think this does the opposite of what I want. >> >> It adds entries like: >> -------------------- 8< -------------------- >> 21 1617 net2dmz 0 -- * vlan2 0.0.0.0/0 >> 0.0.0.0/0 policy match dir out pol none 0 0 net2dmz 0 >> -- * vlan2 0.0.0.0/0 10.0.1.9 policy match >> dir out pol ipsec >> -------------------- 8< -------------------- >> ... i.e. it adds "policy match dir out pol ipsec" matches to all xxx2dmz >> calls >> for that host. This won't work because there is no ipsec policy for the dmz >> zone. >> (Only for zone int to zone vpn and back.) >> >> I think I'd need some way to change the "policy match dir out pol ipsec" >> matches >> that are currently attached to all calls to dmz2vpn to "policy match dir out >> pol none". > > The original DNS request from 1.2.3.4 isn't a dmz->vpn request; it's > probably a dns->net request. So you may need something like: > > DNS(ACCEPT) dmz:1.2.3.4 net:<DNS Server IP> > > if you don't currently allow dmz->net DNS requests.
Yes, it's a dmz2net request and that's the problem. The dmz2net policy is too permissive (it allows everything) and shouldn't be applied to that request. I can, of course, explicitly deny everything but DNS requests for that host to the vpn per separate rule but that looks quite dangerous and error-prone. I think the problem is that when the "policy match dir out pol ipsec" rules are generated, only the destination zone is checked for an IPSEC mark. And when the "policy match dir in pol ipsec" rules are generated, only the source zone is checked for IPSEC. But in reality the ipsec security policies are applied to src-dst-pairs and there is currently no way configure those src-dst-pairs in shorewall. So the dmz2vpn (and of course the net2vpn) policies can never match. Cheers, --leo -- e-mail ::: Leo.Bergolth (at) wu.ac.at fax ::: +43-1-31336-906050 location ::: IT-Services | Vienna University of Economics | Austria ------------------------------------------------------------------------------ Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ _______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
