On 2/27/2014 7:23 AM, Artur Uszyński wrote:
>>>
>>> Traffic from loc to sitea eventually hits loc2net policy (ACCEPT).
>>>
>>> Without netmap all works as expected.
>>> When the zone is defined as an ordinary ipv4 zone, all works as expected too.
>>>
>>> Is there any way to keep a zone as an ipsec zone, use netmap and have
>>> working loc2sitea rules? Do I lose anything by defining the zone as ipv4
>>> instead of ipsec (is it significantly less secure)?
>>>
>> Arthur,
>>
>> Please refer to http://www.shorewall.net/support.htm#Guidelines for the
>> information that we need to help you with these sorts of connection
>> problems.
>>
>
> Hello Tom.
>
> My apologies, I was hoping that somebody already knew this effect
> and could answer quickly. According to the chart it will be case #3 or
> #4. I don't want to send information about my production systems, so I
> made a small lab using 3 virtual machines:
> - one is acting as a remote gateway (REMOTE)
> - one is acting as the firewall, which is the subject of this topic
> (FIREWALL)
> - one is just a workstation which generates traffic (WORKSTATION).
>
> The traffic flow from WORKSTATION to the inside IP of REMOTE looks like this:
>
> WORKSTATION (siteb, 172.17.17.5) -> (172.17.17.87) FIREWALL -> netmap
> (SNAT 172.17.17.0/24 -> 10.1.0.0/24) -> IPSec tunnel (10.1.0.0/24 ==
> 172.16.16.0/24) -> REMOTE (172.16.16.86, sitea)
>
> Before making "shorewall dump" I generated some traffic from 172.17.17.5
> to 172.16.16.86 (ping, ssh - according to the rules ssh should not be
> possible, but it works).
Arthur,

In order to make sitea work as an ipsec zone, you would need to change
the IPSEC security policies to use 172.17.17.0/24 as the local network
rather than 10.1.0.0/24. When a connection request traverses the FORWARD
chain, there is no security policy that matches the request. Therefore,
the connection request does not match 'policy ipsec' and is treated as a
loc->net request.

If you make sitea an ipv4 sub-zone of net, then it will work as
expected. There is no difference in the security that such a setup
provides.

HTH,
-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
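As an added worked example (not configuration posted in this thread and not the Shorewall project's own sample files), the following shows what Tom's second suggestion looks like in Shorewall's configuration files, using the addresses from Artur's lab. The interface names eth0/eth1, the REJECT policy for loc->sitea and the single ping rule are assumptions chosen to reproduce the behaviour Artur expects (ping allowed, ssh blocked):

```text
# /etc/shorewall/zones
#ZONE        TYPE       OPTIONS
fw           firewall
net          ipv4
loc          ipv4
# sitea is now an ordinary ipv4 zone nested inside net (a sub-zone),
# not an ipsec zone, so Shorewall no longer relies on a matching
# IPsec security policy (-m policy) in FORWARD to classify the traffic.
sitea:net    ipv4

# /etc/shorewall/interfaces
#ZONE   INTERFACE   OPTIONS
net     eth0        -            # assumed: eth0 faces REMOTE
loc     eth1        -            # assumed: eth1 faces the 172.17.17.0/24 LAN

# /etc/shorewall/hosts
#ZONE   HOST(S)                 OPTIONS
sitea   eth0:172.16.16.0/24     # REMOTE's inside network, reached through the tunnel

# /etc/shorewall/netmap
#TYPE   NET1             INTERFACE   NET2
SNAT    172.17.17.0/24   eth0        10.1.0.0/24   # unchanged from Artur's lab

# /etc/shorewall/policy
#SOURCE   DEST    POLICY   LOGLEVEL
loc       sitea   REJECT   info   # sitea is more specific than net, so this is hit first
loc       net     ACCEPT
net       all     DROP     info
all       all     REJECT   info

# /etc/shorewall/rules
#ACTION   SOURCE   DEST    PROTO   DPORT
ACCEPT    loc      sitea   icmp    echo-request
# No ssh rule from loc to sitea: ssh now falls through to the loc->sitea
# REJECT policy instead of the loc->net ACCEPT policy.
```

After `shorewall restart`, `shorewall show zones` lists sitea with 172.16.16.0/24 on eth0, and a new connection from 172.17.17.5 to 172.16.16.86 traverses the loc2sitea chain before NAT and encryption happen, which is why the zone classification no longer depends on the pre-NAT source address matching an IPsec policy.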
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
