Hi all,

I've been a happy shorewall user since 2009 and never had an issue that I
couldn't solve using the excellent documentation. There's just one thing
that always bugged me. We have a couple of tunnels to branch offices, for
which shorewall inserts the appropriate iptables rules (webr being the
local zone, while the *pn zones are connected over IPsec tunnels):

Chain webr_frwd (1 references)
 pkts bytes target     prot opt in     out       source               destination
[...]
 759K  121M webr2gvapn  all  --  *      eth-ext1  0.0.0.0/0            10.50.0.0/16         policy match dir out pol ipsec
6660K 4097M webr2swlpn  all  --  *      eth-ext1  0.0.0.0/0            10.60.0.0/16         policy match dir out pol ipsec
  18M   66G webr2fnopn  all  --  *      eth-ext1  0.0.0.0/0            10.70.0.0/16         policy match dir out pol ipsec
4961K 6804M webr2hyppn  all  --  *      eth-ext1  0.0.0.0/0            10.80.0.0/16         policy match dir out pol ipsec
99227  134M webr2rwvpn  all  --  *      eth-ext1  0.0.0.0/0            10.100.0.0/16        policy match dir out pol ipsec

However, in order to prevent local traffic from leaking out when the IPsec
SA can't be established for some reason, I use a script to insert the
following two rules after shorewall has generated its ruleset, because per
policy, local (webr) traffic to the internet is allowed:

iptables -I OUTPUT -d 10.0.0.0/8 --out-interface eth-ext1 -m policy --pol none --dir out -j REJECT --reject-with icmp-admin-prohibited
iptables -I FORWARD -d 10.0.0.0/8 --out-interface eth-ext1 -m policy --pol none --dir out -j REJECT --reject-with icmp-admin-prohibited

I would really like to integrate these rules into the shorewall
configuration, but can't figure out any way to do it. From what I can tell,
shorewall-rules does not have policy match options.

Is there a canonical way to prevent RFC1918-addressed, non-IPsec-encrypted
packets from leaving the FW on an external interface?

Thanks and best regards,
Dorian
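An added example, not from the original post and not a Shorewall mechanism: a POSIX sh script that installs the guard rules from the post idempotently (using iptables -C before iptables -I), so it can be re-run after every Shorewall restart, e.g. from a Shorewall extension script, without stacking duplicates. It assumes the interface name eth-ext1 and the extension-script path /etc/shorewall/started, and it generalises the post's single 10.0.0.0/8 rule to all three RFC1918 ranges.

```shell
#!/bin/sh
# Added example, not from the original post. Idempotently insert the
# "no plaintext RFC1918 egress" guards into OUTPUT and FORWARD so the
# script can be re-run after every Shorewall restart (e.g. from the
# Shorewall `started` extension script; the path /etc/shorewall/started
# is assumed) without stacking duplicate rules.
IPTABLES="${IPTABLES:-iptables}"          # overridable for testing
EXT_IF="${EXT_IF:-eth-ext1}"              # external interface from the post
# The post guards 10.0.0.0/8 only; all three RFC1918 ranges are used here.
PRIVATE_NETS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

# Match + target for one destination network: packets to NET leaving via
# EXT_IF that are NOT covered by an outbound IPsec policy are rejected
# with ICMP admin-prohibited instead of going out in the clear.
guard_rule() {
    printf '%s %s' "-d $1 -o $EXT_IF -m policy --pol none --dir out" \
        "-j REJECT --reject-with icmp-admin-prohibited"
}

# Insert the guard at position 1 of CHAIN unless an identical rule is
# already present (iptables -C exits 0 when the rule exists).
ensure_guard() {
    chain=$1
    net=$2
    # Word splitting of $(guard_rule ...) into separate arguments is intended.
    if "$IPTABLES" -C "$chain" $(guard_rule "$net") 2>/dev/null; then
        return 0
    fi
    "$IPTABLES" -I "$chain" 1 $(guard_rule "$net")
}

# Install every guard in both chains; fails on the first iptables error.
install_guards() {
    for chain in OUTPUT FORWARD; do
        for net in $PRIVATE_NETS; do
            ensure_guard "$chain" "$net" || return 1
        done
    done
}

# Only act when invoked with --install, so sourcing the file is harmless.
if [ "${1:-}" = "--install" ]; then
    install_guards
fi
```

Run it as `sh guards.sh --install` from the started script; a second run is a no-op because every -C check succeeds.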
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users