Tom Eastep writes:
On 2/27/2014 7:23 AM, Artur Uszyński wrote:
Traffic from loc to sitea eventually hits loc2net policy (ACCEPT).
Without netmap all works like expected.
When zone is defined as an ordinary ipv4 zone, all works like expected too.
Is there any way to keep a zone as an ipsec zone, use netmap and have working
loc2sitea rules? Do I lose anything by defining the zone as ipv4 instead of ipsec
(is it significantly less secure)?
Arthur,
Please refer to http://www.shorewall.net/support.htm#Guidelines for the
information that we need to help you with these sorts of connection
problems.
Hello Tom.
My apologies, I was hoping that somebody already knew this effect
and could answer quickly. According to the chart it will be case #3 or
#4. I don't want to send information about my production systems, so I
made a small lab using 3 virtual machines:
- one is acting as a remote gateway (REMOTE)
- one is acting as the firewall, which is the subject of this topic
(FIREWALL)
- one is just a workstation which generates traffic (WORKSTATION).
The traffic flow from WORKSTATION to inside IP of REMOTE looks like this:
WORKSTATION (siteb, 172.17.17.5) -> (172.17.17.87) FIREWALL -> netmap
(SNAT 172.17.17.0/24 -> 10.1.0.0/24) -> IPSec tunnel (10.1.0.0/24 ==
172.16.16.0/24) -> REMOTE (172.16.16.86, sitea)
Before making "shorewall dump" I generated some traffic from 172.17.17.5
to 172.16.16.86 (ping, ssh - according to the rules ssh should not be
possible, but it works).
Arthur,
In order to make sitea work as an ipsec zone, you would need to change
the IPSEC security policies to use 172.17.17.0/24 as the local network
rather than 10.1.0.0/24. When a connection request traverses the FORWARD
chain, there is no security policy that matches the request. Therefore,
the connection request does not match 'policy ipsec' and is treated as a
loc->net request. If you make sitea an ipv4 sub-zone of net, then it
will work as expected. There is no difference in the security that such
a setup provides.
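As an added illustration (not code from this thread or from Shorewall), a small Python model of the ordering Tom describes: the FORWARD chain classifies the packet before POSTROUTING rewrites its source, so an xfrm policy selector written for the netmapped 10.1.0.0/24 network never matches there. The addresses and zone names are the lab values from the thread; the policy-matching logic is a simplification of what the kernel does.

```python
from ipaddress import ip_address, ip_network

# Constructed lab addresses taken from the thread above.
PRE_NAT_LAN = ip_network("172.17.17.0/24")   # WORKSTATION side before NETMAP
NETMAP_LAN = ip_network("10.1.0.0/24")       # what POSTROUTING rewrites it to
REMOTE_LAN = ip_network("172.16.16.0/24")    # REMOTE's inside network


def netmap(src, from_net, to_net):
    """1:1 NETMAP: keep the host bits, swap the network prefix."""
    offset = int(src) - int(from_net.network_address)
    return ip_address(int(to_net.network_address) + offset)


def dest_zone(src, dst, policy_src, policy_dst):
    """Zone a forwarded packet is attributed to, as seen from FORWARD.
    FORWARD runs before POSTROUTING, so `src` is still the pre-NAT
    address; 'policy ipsec' only matches when an xfrm policy selector
    covers that original src/dst pair."""
    if src in policy_src and dst in policy_dst:
        return "sitea"   # matches the IPsec policy -> ipsec zone rules apply
    return "net"         # no matching policy -> treated as loc->net


def dest_zone_for(workstation, remote, policy_local_net):
    """Convenience wrapper: classify one packet against a policy whose
    local selector is `policy_local_net` and remote selector REMOTE_LAN."""
    return dest_zone(ip_address(workstation), ip_address(remote),
                     ip_network(policy_local_net), REMOTE_LAN)


if __name__ == "__main__":
    pkt = ("172.17.17.5", "172.16.16.86")
    # xfrm policy written for the netmapped network: FORWARD still sees 172.17.17.5
    print(dest_zone_for(*pkt, "10.1.0.0/24"))     # net -> loc2net policy (ACCEPT) fires
    # xfrm policy written for the real local network, as Tom suggests
    print(dest_zone_for(*pkt, "172.17.17.0/24"))  # sitea -> loc2sitea rules apply
    # NETMAP only rewrites the source afterwards, in POSTROUTING
    print(netmap(ip_address(pkt[0]), PRE_NAT_LAN, NETMAP_LAN))  # 10.1.0.5
```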
Thanks for the explanations.
Cheers.
--
Artur
_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users