On 26/10/15 10:51, Tom Eastep wrote:
> On 10/25/2015 10:19 AM, Tom Robinson wrote:
>>
>> I'm still confused by the documentation, though. Do any of these rules
>> go in ESTABLISHED? (From http://www.shorewall.net/IPSEC-2.6.html#RW-L2TP):
>>
>> /etc/shorewall/rules:
>>
>> #ACTION         SOURCE  DEST    PROTO   DEST    SOURCE
>> #                                       PORT(S) PORT(S)
>> SECTION ESTABLISHED
>> # Prevent IPsec bypass by hosts behind a NAT gateway
>> L2TP(REJECT)    net     $FW
>> REJECT          $FW     net     udp     -       1701
>> # l2tp over the IPsec VPN
>> ACCEPT          vpn     $FW     udp     1701
>> # webserver that can only be accessed internally
>> HTTP(ACCEPT)    loc     $FW
>> HTTP(ACCEPT)    l2tp    $FW
>> HTTPS(ACCEPT)   loc     $FW
>> HTTPS(ACCEPT)   l2tp    $FW
>> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
>>
>
> Only the first two should be in the ESTABLISHED section. I've corrected
> the article.
>
Thanks Tom, I did wonder about the placement of the rules. After I put the third rule in NEW and adjusted for the mode=transport policy option in the zones file, it started working. I'm not allowing access to the $FW for HTTP(S) so I've left the remaining rules out for now.
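As an added example (not from the thread, the article, or the Shorewall project itself), here is the rules file laid out the way the correction above implies: only the two REJECT entries that refuse cleartext L2TP stay in the ESTABLISHED section, and the ACCEPT for L2TP over IPsec moves to the NEW section, as the reply describes. The reason the REJECTs belong in ESTABLISHED is that Shorewall accepts ESTABLISHED packets before any NEW rule is consulted, and a second host behind the same NAT gateway as a legitimate roadwarrior shares that roadwarrior's source address, so its unencrypted udp/1701 packets can match an existing conntrack entry; the ESTABLISHED section is the only place where such packets can still be refused. The zones entries are an assumption about the surrounding configuration: the article's zone names are kept and `mode=transport` is given as an option on the `vpn` ipsec zone, since the reply only says it was adjusted there; adapt them to your own zones file. The HTTP(S) rules are shown commented out, matching the reply's choice not to expose the firewall's web ports.

```text
# /etc/shorewall/zones  (assumed layout; the vpn line is the one that matters)
#ZONE   TYPE      OPTIONS          IN OPTIONS    OUT OPTIONS
fw      firewall
net     ipv4
loc     ipv4
vpn     ipsec     mode=transport
l2tp    ipv4

# /etc/shorewall/rules
#ACTION         SOURCE  DEST    PROTO   DEST    SOURCE
#                                       PORT(S) PORT(S)
SECTION ESTABLISHED
# Cleartext L2TP must be refused even when conntrack already has an entry
# for the flow; otherwise a host behind the same NAT gateway as a tunnel
# peer could bypass IPsec by reusing the peer's address and udp/1701.
L2TP(REJECT)    net     $FW
REJECT          $FW     net     udp     -       1701

SECTION NEW
# L2TP is reachable only inside the IPsec transport-mode SA (zone vpn);
# cleartext udp/1701 from net falls through to the net->fw policy.
ACCEPT          vpn     $FW     udp     1701
# Internal-only web server on the firewall; left disabled here because the
# firewall serves no HTTP(S). Uncomment if it does.
#HTTP(ACCEPT)   loc     $FW
#HTTP(ACCEPT)   l2tp    $FW
#HTTPS(ACCEPT)  loc     $FW
#HTTPS(ACCEPT)  l2tp    $FW
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
```

Run `shorewall check` before `shorewall restart` so a mis-sectioned rule is reported before the ruleset is loaded; with the vpn zone declared as type ipsec, packets that arrive on udp/1701 without a matching IPsec policy are classified as net rather than vpn, which is what makes the two REJECT entries effective.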
_______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
