On 09/05/2012 11:44 PM, Tom Eastep wrote:
> On 9/5/12 12:31 PM, Alexander 'Leo' Bergolth wrote:
>>> The original DNS request from 1.2.3.4 isn't a dmz->vpn request; it's
>>> probably a dns->net request. So you may need something like:
>>>
>>>     DNS(ACCEPT)     dmz:1.2.3.4     net:<DNS Server IP>
>>>
>>> if you don't currently allow dmz->net DNS requests.
>>
>> Yes, it's a dmz2net request and that's the problem.
>>
>> The dmz2net policy is too permissive (it allows everything) and
>> shouldn't be applied to that request.
>>
>> I can, of course, explicitly deny everything but DNS requests for that
>> host to the vpn per separate rule but that looks quite dangerous and
>> error-prone.
>>
>> I think the problem is that when the "policy match dir out pol ipsec"
>> rules are generated, only the destination zone is checked for an IPSEC
>> mark. And when the "policy match dir in pol ipsec" rules are generated,
>> only the source zone is checked for IPSEC.
>> But in reality the ipsec security policies are applied to src-dst-pairs
>> and there is currently no way to configure those src-dst pairs in
>> shorewall. So the dmz2vpn (and of course the net2vpn) policies can never
>> match.
> 
> I'm not going to require people to duplicate their IPSEC configuration
> in the Shorewall configuration.

Hmm. Maybe only an option to omit the ipsec matches would be sufficient?
But I'll simply use a custom action as a workaround, put my
exceptions in there, and call it like this:

DMZ2VPN         dmz     net:$VPN_NETS

> If those policies can never match, then
> you can specify NONE in /etc/shorewall/policy.

OK. Thanks.

> And if you really want 1.2.3.4 to use the tunnel, then you can make that
> happen by adding two additional IPSEC policies.

Of course.
But in my setup it will actually use the tunnel.
First 1.2.3.4 traverses the chains using the vpn2net shorewall policies
and rules. Then it will be SNAT'ed to 10.0.1.9 and after that, the
"normal" ipsec security policies for int to vpn will be applied and the
chains will be traversed a second time. (I guess this time the int2vpn
policies and rules will be applied.)

Cheers,
--oeo
-- 
e-mail   ::: Leo.Bergolth (at) wu.ac.at
fax      ::: +43-1-31336-906050
location ::: IT-Services | Vienna University of Economics | Austria
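For readers working through the same setup, the following files show one way to lay out the NONE policies Tom mentions together with the DMZ2VPN action workaround Leo describes. This is an added example, not configuration from the thread or from the Shorewall project: the zone names dmz, net, vpn and int are taken from the discussion, the networks in VPN_NETS are constructed placeholders, and the files assume a Shorewall 4.x layout under /etc/shorewall with the vpn zone already defined as an ipsec zone.

```text
# /etc/shorewall/params
# Remote networks reachable through the IPSEC tunnel (constructed values)
VPN_NETS=10.0.2.0/24,10.0.3.0/24

# /etc/shorewall/policy
#SOURCE   DEST   POLICY   LOG LEVEL
# dmz->vpn and net->vpn can never match (the ipsec policy match only ever
# sees that traffic as dmz->net / net->net), so do not build chains for them.
dmz       vpn    NONE
net       vpn    NONE
dmz       net    ACCEPT
int       vpn    ACCEPT
net       all    DROP     info
all       all    REJECT   info

# /etc/shorewall/actions
# Declare the custom action so the rules file can invoke it.
DMZ2VPN

# /etc/shorewall/action.DMZ2VPN
# Rules that would otherwise have lived under a dmz->vpn policy. The action is
# only entered for dmz -> $VPN_NETS traffic (see rules), so SOURCE/DEST stay '-'.
#ACTION   SOURCE   DEST   PROTO   DEST PORT(S)
ACCEPT    -        -      udp     53
ACCEPT    -        -      tcp     53
# Terminate explicitly: anything not listed above must not fall through to
# the permissive dmz->net ACCEPT policy.
DROP      -        -

# /etc/shorewall/rules
#ACTION   SOURCE   DEST
# Rules are evaluated before policies, so tunnel-bound traffic is handled
# here before the dmz->net ACCEPT policy is reached.
DMZ2VPN   dmz      net:$VPN_NETS
```

The final DROP inside the action is the part that makes this safer than the "explicitly deny everything but DNS" approach: without it, any dmz host or port not listed in the action falls through to the dmz->net ACCEPT policy exactly as before. To restrict the allowed traffic to a single host such as 1.2.3.4, put that address in the SOURCE column of the ACCEPT lines inside the action rather than narrowing the invocation in the rules file, so the terminating DROP still covers the rest of the dmz.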


_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
