Hello.
Shorewall version 4.5.7.1; the configuration example follows:

zones:
  loc        ipv4
  net        ipv4
  sitea:net  ipsec

interfaces:
  loc  eth0
  -    eth1

hosts:
  sitea  eth1:192.168.111.0/24
  net    eth1:0.0.0.0/0

policy:
  loc  net    ACCEPT
  loc  sitea  REJECT
  all  all    REJECT

netmap:
  SNAT  192.168.1.0/24  eth1  10.1.0.0/24  192.168.111.0/24

rules:
  Web(ACCEPT)  loc  sitea
All traffic from loc to sitea will be accepted, because the resulting rule in
the loc_frwd chain is never matched (in particular, the ipsec policy is not matched):
Chain eth0_fwd (1 references)
  168 23503 loc_frwd  all  --  *  *     192.168.1.0/24  0.0.0.0/0         policy match dir in pol none
   46  7456 loc_frwd  all  --  *  *     10.1.0.0/24     0.0.0.0/0         policy match dir in pol none

Chain loc_frwd (2 references)
    0     0 loc2sitea all  --  *  eth1  0.0.0.0/0       192.168.111.0/24  policy match dir out pol ipsec
Traffic from loc to sitea eventually hits the loc2net policy (ACCEPT).
Without netmap, everything works as expected.
When the zone is defined as an ordinary ipv4 zone, everything works as expected too.
Is there any way to keep a zone as an ipsec zone, use netmap and have working
loc2sitea rules? Do I lose anything by defining the zone as ipv4 instead of ipsec
(is it significantly less secure)?
Regards.
--
Artur
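The check Artur did by hand above (reading the counters to see that the loc2sitea rule with the ipsec policy match never fires) can be scripted. This is an added example, not code from the post or from Shorewall; it assumes the standard `iptables -nvL` column order, and the sample dump below is constructed from the counters quoted above.

```python
"""Find rules in an `iptables -nvL` dump that require an IPsec policy match
but have never matched a packet (0 pkts), the symptom described in the post."""
import re

# Constructed sample: the two chains quoted in the post, one rule per line.
SAMPLE_DUMP = """\
Chain eth0_fwd (1 references)
  168 23503 loc_frwd all -- * * 192.168.1.0/24 0.0.0.0/0 policy match dir in pol none
   46  7456 loc_frwd all -- * * 10.1.0.0/24 0.0.0.0/0 policy match dir in pol none
Chain loc_frwd (2 references)
    0     0 loc2sitea all -- * eth1 0.0.0.0/0 192.168.111.0/24 policy match dir out pol ipsec
"""

CHAIN_RE = re.compile(r"^Chain (\S+)")
# pkts bytes target prot opt in out source destination [match options...]
RULE_RE = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*)$"
)
POLICY_RE = re.compile(r"policy match dir (\w+) pol (\w+)")


def parse_dump(text):
    """Return one dict per rule, tagged with the chain it belongs to."""
    rules, chain = [], None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            chain = m.group(1)
            continue
        m = RULE_RE.match(line)
        if not m or chain is None:
            continue  # column header or blank line
        pkts, nbytes, target, _proto, _opt, inif, outif, src, dst, extra = m.groups()
        pol = POLICY_RE.search(extra)
        rules.append({
            "chain": chain, "pkts": int(pkts), "bytes": int(nbytes),
            "target": target, "in": inif, "out": outif, "src": src, "dst": dst,
            "policy": (pol.group(1), pol.group(2)) if pol else None,
        })
    return rules


def unmatched_ipsec_rules(rules):
    """Rules that demand `pol ipsec` yet have counted no packets at all."""
    return [r for r in rules
            if r["policy"] and r["policy"][1] == "ipsec" and r["pkts"] == 0]


if __name__ == "__main__":
    for r in unmatched_ipsec_rules(parse_dump(SAMPLE_DUMP)):
        print(f"{r['chain']}: {r['target']} {r['src']} -> {r['dst']} never matched")
```

Feed it the live output of `iptables -nvL` instead of SAMPLE_DUMP to run the same check on a real box.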
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users