On 2/26/2014 3:40 AM, Artur Uszyński wrote:
> Hello.
>
> Shorewall version 4.5.7.1, the configuration example follows:
>
> zones:
> loc ipv4
> net ipv4
> sitea:net ipsec
>
> interfaces:
> loc eth0
> - eth1
>
> hosts:
> sitea eth1:192.168.111.0/24
> net eth1:0.0.0.0/0
>
> policy:
> loc net ACCEPT
> loc sitea REJECT
> all all REJECT
>
> netmap:
> SNAT 192.168.1.0/24 eth1 10.1.0.0/24 192.168.111.0/24
>
> rules:
> Web(ACCEPT) loc sitea
>
>
> ALL traffic from loc to sitea will be accepted, because the resulting rule in
> the loc_frwd chain is never matched (in particular, the ipsec policy is not matched):
>
> Chain eth0_fwd (1 references)
>   168 23503 loc_frwd   all  --  *      *       192.168.1.0/24       0.0.0.0/0            policy match dir in pol none
>    46  7456 loc_frwd   all  --  *      *       10.1.0.0/24          0.0.0.0/0            policy match dir in pol none
>
> Chain loc_frwd (2 references)
>     0     0 loc2sitea  all  --  *      eth1    0.0.0.0/0            192.168.111.0/24     policy match dir out pol ipsec
>
> Traffic from loc to sitea eventually hits the loc2net policy (ACCEPT).
>
> Without netmap all works as expected.
> When the zone is defined as an ordinary ipv4 zone, all works as expected too.
>
> Is there any way to keep a zone as an ipsec zone, use netmap and have working
> loc2sitea rules? Do I lose anything by defining the zone as ipv4 instead of
> ipsec (is it significantly less secure)?
Artur,

Please refer to http://www.shorewall.net/support.htm#Guidelines for the information that we need to help you with these sorts of connection problems.

Thanks,
-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
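The deduction in Artur's post (the loc_frwd rule was never hit although loc_frwd itself was entered 168 + 46 times, so everything fell through to the loc2net policy) can be checked mechanically from the counters. The following is an added example, not code from the post or from Shorewall: a small parser for `iptables -nvL` output that flags zero-hit rules sitting in chains that traffic demonstrably entered, run over the two chains quoted above (the header line of the listing is omitted, as in the post).

```python
import re
from collections import defaultdict

# Chain listing as quoted in the post (iptables -nvL output, header line omitted).
LISTING = """\
Chain eth0_fwd (1 references)
  168 23503 loc_frwd   all  --  *      *       192.168.1.0/24       0.0.0.0/0            policy match dir in pol none
   46  7456 loc_frwd   all  --  *      *       10.1.0.0/24          0.0.0.0/0            policy match dir in pol none

Chain loc_frwd (2 references)
    0     0 loc2sitea  all  --  *      eth1    0.0.0.0/0            192.168.111.0/24     policy match dir out pol ipsec
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \((\d+) references\)")


def parse_listing(text):
    """Return {chain: [rule, ...]} from `iptables -nvL` output.

    Rule columns are: pkts bytes target prot opt in out source destination
    followed by free-form match text (e.g. the xt_policy match)."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = []
            continue
        parts = line.split(None, 9)
        if current is None or len(parts) < 9 or not parts[0].isdigit():
            continue  # blank line or column header
        chains[current].append({
            "pkts": int(parts[0]), "target": parts[2], "out": parts[6],
            "src": parts[7], "dst": parts[8],
            "match": parts[9].strip() if len(parts) > 9 else "",
        })
    return chains


def dead_rules(chains):
    """Zero-hit rules in chains that traffic has entered.

    A chain's entry count is the sum of the counters of the rules that jump
    to it; a zero-hit rule in such a chain means every packet fell past it
    (here: past the loc2sitea jump, down to the loc2net policy)."""
    entered = defaultdict(int)
    for rules in chains.values():
        for r in rules:
            entered[r["target"]] += r["pkts"]
    return [(chain, r["target"], r["match"], entered[chain])
            for chain, rules in chains.items()
            for r in rules if r["pkts"] == 0 and entered[chain] > 0]
```

Running `dead_rules(parse_listing(LISTING))` reports the single `loc2sitea` jump with its `policy match dir out pol ipsec` text and the 214 packets that entered loc_frwd without hitting it.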
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
