Thanks! This sets up traffic like I want it. The only thing left - tunnels
complain about zone net:
# shorewall check -r /etc/shorewall.testing
Checking...
Processing /etc/shorewall.testing/params ...
Processing /etc/shorewall.testing/shorewall.conf...
Loading Modules...
Checking /etc/shorewall.testing/zones...
Checking /etc/shorewall.testing/interfaces...
Checking /etc/shorewall.testing/hosts...
Determining Hosts in Zones...
Locating Action Files...
Checking /usr/share/shorewall/action.Drop for chain Drop...
Checking /usr/share/shorewall/action.Broadcast for chain Broadcast...
Checking /usr/share/shorewall/action.Invalid for chain Invalid...
Checking /usr/share/shorewall/action.NotSyn for chain NotSyn...
Checking /usr/share/shorewall/action.Reject for chain Reject...
Checking /etc/shorewall.testing/policy...
Adding Anti-smurf Rules
Adding rules for DHCP
Checking TCP Flags filtering...
Checking Kernel Route Filtering...
Checking Martian Logging...
Checking /etc/shorewall.testing/providers...
Checking /etc/shorewall.testing/tcrules...
Checking /etc/shorewall.testing/masq...
Checking MAC Filtration -- Phase 1...
Checking /etc/shorewall.testing/rules...
Checking /etc/shorewall.testing/tunnels...
ERROR: Invalid tunnel ZONE (net) : /etc/shorewall.testing/tunnels (line 16)
If I replace it with world, it works fine, but tunnel rules (placed in
world2fw) will never be processed:
-A lan_in -m conntrack --ctstate NEW,INVALID -j dynamic
-A lan_in -m conntrack --ctstate NEW,INVALID -j smurfs
-A lan_in -p udp --dport 67:68 -j ACCEPT
-A lan_in -p tcp -j tcpflags
-A lan_in -m physdev --physdev-in eth0 -j eth0_in
-A lan_in -m physdev --physdev-in vf-ssw-vpn -j vpn2fw
-A lan_in -j world2fw
-A eth0_in -m conntrack --ctstate NEW,INVALID -j dynamic
-A eth0_in -s 192.168.0.0/24 -j lan2fw
-A eth0_in -j net2fw
-A net2fw -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A net2fw -p 6 --dport 22 -j ACCEPT -m comment --comment "SSH"
-A net2fw -p 6 --dport 636 -j ACCEPT -m comment --comment "LDAPS"
-A net2fw -p 17 --dport 1194 -j ACCEPT -m comment --comment "OpenVPN"
-A net2fw -j Reject
-A net2fw -j LOG --log-level 6 --log-prefix "Shorewall:net2fw:REJECT:"
-A net2fw -g reject
-A world2fw -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A world2fw -p udp --dport 2001 -s 85.214.209.171 -j ACCEPT
-A world2fw -p udp --dport 2002 -s 85.214.204.137 -j ACCEPT
-A world2fw -p udp --dport 1194 -j ACCEPT
-A world2fw -j Reject
I guess unless I specify policy net -> fw CONTINUE, right?
Thanks!
You have helped me a lot!
--
Radoslaw Kamil Ejsmont, Ph.D.
http://radoslaw.ejsmont.net
On 20 Dec 2012, at 17:30, Tom Eastep <[email protected]> wrote:
> On 12/20/2012 08:22 AM, Radoslaw Kamil Ejsmont wrote:
>> Tried that - eth0 is a bridge port. If I do, then policies between
>> lan/net and vpn don't work - shorewall complains about vpn and lan/net
>> not being on the same bridge device.
>
> zones:
>
> fw firewall
> world ipv4
> net:world bport
> lan:net bport
> vpn:world bport
>
> interfaces:
>
> FORMAT 2
> world br0 bridge
> net br0:eth0
> vpn br0:tap0
>
> hosts:
>
> lan eth0:192.168.0.0/24
>
>
> -Tom
> --
> Tom Eastep \ When I die, I want to go like my Grandfather who
> Shoreline, \ died peacefully in his sleep. Not screaming like
> Washington, USA \ all of the passengers in his car
> http://shorewall.net \________________________________________________
>
> _______________________________________________
> Shorewall-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
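The chain walk the post describes (lan_in -> eth0_in -> net2fw rejecting before lan_in ever reaches world2fw), as an added example that is not part of the original thread or of Shorewall itself. It parses the iptables lines quoted in the message and follows them for one constructed packet; the packet, the treatment of chains absent from the dump (assumed to RETURN), and the modelling of a CONTINUE policy as "the chain's trailing Reject/LOG rules are absent" are assumptions, not something the post or Shorewall's documentation states.

```python
"""Walk the iptables chains quoted above for one packet (added example, not Shorewall code)."""
import ipaddress
import shlex

# Rules copied from the post: the lan_in / eth0_in / net2fw / world2fw chains.
RULES_TEXT = """
-A lan_in -m conntrack --ctstate NEW,INVALID -j dynamic
-A lan_in -m conntrack --ctstate NEW,INVALID -j smurfs
-A lan_in -p udp --dport 67:68 -j ACCEPT
-A lan_in -p tcp -j tcpflags
-A lan_in -m physdev --physdev-in eth0 -j eth0_in
-A lan_in -m physdev --physdev-in vf-ssw-vpn -j vpn2fw
-A lan_in -j world2fw
-A eth0_in -m conntrack --ctstate NEW,INVALID -j dynamic
-A eth0_in -s 192.168.0.0/24 -j lan2fw
-A eth0_in -j net2fw
-A net2fw -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A net2fw -p 6 --dport 22 -j ACCEPT -m comment --comment "SSH"
-A net2fw -p 6 --dport 636 -j ACCEPT -m comment --comment "LDAPS"
-A net2fw -p 17 --dport 1194 -j ACCEPT -m comment --comment "OpenVPN"
-A net2fw -j Reject
-A net2fw -j LOG --log-level 6 --log-prefix "Shorewall:net2fw:REJECT:"
-A net2fw -g reject
-A world2fw -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A world2fw -p udp --dport 2001 -s 85.214.209.171 -j ACCEPT
-A world2fw -p udp --dport 2002 -s 85.214.204.137 -j ACCEPT
-A world2fw -p udp --dport 1194 -j ACCEPT
-A world2fw -j Reject
"""

TERMINAL = {"ACCEPT", "DROP", "reject"}  # Shorewall's 'reject' chain ends in REJECT
PROTO_NUM = {"tcp": 6, "udp": 17, "6": 6, "17": 17}


def parse_rule(line):
    """Parse one '-A CHAIN ... -j TARGET' line; every option here takes one argument."""
    tok = shlex.split(line)
    rule = {"chain": None, "target": None, "goto": False, "m": {}}
    for i in range(0, len(tok), 2):
        t, arg = tok[i], tok[i + 1]
        if t == "-A":
            rule["chain"] = arg
        elif t in ("-j", "-g"):
            rule["target"], rule["goto"] = arg, (t == "-g")
        elif t == "--ctstate":
            rule["m"]["ctstate"] = set(arg.split(","))
        elif t == "-p":
            rule["m"]["proto"] = PROTO_NUM[arg]
        elif t == "--dport":
            lo, _, hi = arg.partition(":")
            rule["m"]["dport"] = (int(lo), int(hi or lo))
        elif t == "--physdev-in":
            rule["m"]["physdev_in"] = arg
        elif t == "-s":
            rule["m"]["src"] = ipaddress.ip_network(arg)
        elif t not in ("-m", "--comment", "--log-level", "--log-prefix"):
            raise ValueError(f"unsupported token {t!r} in: {line}")
    return rule


def load_chains(text):
    chains = {}
    for line in text.strip().splitlines():
        r = parse_rule(line)
        chains.setdefault(r["chain"], []).append(r)
    return chains


def rule_matches(rule, pkt):
    m = rule["m"]
    return (("ctstate" not in m or pkt["ctstate"] in m["ctstate"])
            and ("proto" not in m or pkt["proto"] == m["proto"])
            and ("dport" not in m or m["dport"][0] <= pkt["dport"] <= m["dport"][1])
            and ("physdev_in" not in m or pkt["physdev_in"] == m["physdev_in"])
            and ("src" not in m or ipaddress.ip_address(pkt["src"]) in m["src"]))


def walk(chains, chain, pkt, path):
    """Return the terminal verdict reached from `chain`, or None if the chain returns.
    Assumption: chains not in the dump (dynamic, smurfs, tcpflags, lan2fw, vpn2fw,
    the Reject action) RETURN without a verdict for this packet; LOG falls through."""
    path.append(chain)
    for rule in chains.get(chain, []):
        if not rule_matches(rule, pkt):
            continue
        tgt = rule["target"]
        if tgt in TERMINAL:
            return "REJECT" if tgt == "reject" else tgt
        if tgt in chains:
            verdict = walk(chains, tgt, pkt, path)
            if verdict is not None or rule["goto"]:
                return verdict  # -g never comes back to the calling chain
    return None


def verdict_for(chains, pkt, start="lan_in"):
    path = []
    return walk(chains, start, pkt, path), path


def with_continue_policy(chains, chain):
    """Assumed model of a CONTINUE policy: no trailing Reject/LOG/reject rules,
    so the chain returns to its caller instead of deciding the packet."""
    kept = [r for r in chains[chain] if r["target"] not in ("Reject", "LOG", "reject")]
    return {**chains, chain: kept}


# Constructed packet: the first tunnel peer from world2fw arriving on eth0, UDP 2001.
TUNNEL_PKT = {"physdev_in": "eth0", "src": "85.214.209.171",
              "proto": 17, "dport": 2001, "ctstate": "NEW"}

if __name__ == "__main__":
    chains = load_chains(RULES_TEXT)
    for label, c in (("as dumped", chains), ("net->fw CONTINUE", with_continue_policy(chains, "net2fw"))):
        verdict, path = verdict_for(c, TUNNEL_PKT)
        print(f"{label}: {verdict} via {' -> '.join(path)}")
```

Run as is, the first line shows the packet rejected inside net2fw with world2fw never on the path, which is exactly why tunnel rules placed in world2fw are dead for traffic entering through eth0; the second line shows that once net2fw returns instead of rejecting, lan_in continues to world2fw and the tunnel rule accepts. Whether a CONTINUE policy in Shorewall produces precisely that chain layout is an assumption of this model and should be confirmed against `shorewall show` output on the real box.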