On 9/5/12 12:31 PM, Alexander 'Leo' Bergolth wrote: >> >> The original DNS request from 1.2.3.4 isn't a dmz->vpn request; it's >> probably a dns->net request. So you may need something like: >> >> DNS(ACCEPT) dmz:1.2.3.4 net:<DNS Server IP> >> >> if you don't currently allow dmz->net DNS requests. > > Yes, it's a dmz2net request and that's the problem. > > The dmz2net policy is too permissive (it allows everything) and > shouldn't be applied to that request. > > I can, of course, explicitly deny everything but DNS requests for that > host to the vpn per separate rule but that looks quite dangerous and > error-prone. > > I think the problem is that when the "policy match dir out pol ipsec" > rules are generated, only the destination zone is checked for an IPSEC > mark. And when the "policy match dir in pol ipsec" rules are generated, > only the source zone is checked for IPSEC. > But in reality the ipsec security policies are applied to src-dst-pairs > and there is currently no way configure those src-dst-pairs in > shorewall. So the dmz2vpn (and of course the net2vpn) policies can never > match.
I'm not going to require people to duplicate their IPSEC configuration in the Shorewall configuration. If those policies can never match, then you can specify NONE in /etc/shorewall/policy. And if you really want 1.2.3.4 to use the tunnel, then you can make that happen by adding two additional IPSEC policies. -Tom -- Tom Eastep \ When I die, I want to go like my Grandfather who Shoreline, \ died peacefully in his sleep. Not screaming like Washington, USA \ all of the passengers in his car http://shorewall.net \________________________________________________
signature.asc
Description: OpenPGP digital signature
------------------------------------------------------------------------------ Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
