On 10/13/2017 01:53 AM, Dorian Kind wrote:
> Hi all,
>
> I've been a happy shorewall user since 2009 and never had an issue that I
> couldn't solve using the excellent documentation. There's just one thing
> that always bugged me. We have a couple of tunnels to branch offices,
> for which shorewall inserts the appropriate iptables rules (webr being
> the local zone, while the *pn zones are connected over IPsec tunnels):
>
> Chain webr_frwd (1 references)
>  pkts bytes target     prot opt in     out      source               destination
> [...]
>  759K  121M webr2gvapn all  --  *      eth-ext1 0.0.0.0/0            10.50.0.0/16         policy match dir out pol ipsec
> 6660K 4097M webr2swlpn all  --  *      eth-ext1 0.0.0.0/0            10.60.0.0/16         policy match dir out pol ipsec
>   18M   66G webr2fnopn all  --  *      eth-ext1 0.0.0.0/0            10.70.0.0/16         policy match dir out pol ipsec
> 4961K 6804M webr2hyppn all  --  *      eth-ext1 0.0.0.0/0            10.80.0.0/16         policy match dir out pol ipsec
> 99227  134M webr2rwvpn all  --  *      eth-ext1 0.0.0.0/0            10.100.0.0/16        policy match dir out pol ipsec
>
> However, in order to prevent local traffic from leaking out when the
> IPsec SA can't be established for some reason, I use a script to insert
> the following two rules after shorewall has generated its
> ruleset--because per policy, local (webr) traffic to the internet is
> allowed:
>
> iptables -I OUTPUT -d 10.0.0.0/8 --out-interface eth-ext1 -m policy --pol none --dir out -j REJECT --reject-with icmp-admin-prohibited
> iptables -I FORWARD -d 10.0.0.0/8 --out-interface eth-ext1 -m policy --pol none --dir out -j REJECT --reject-with icmp-admin-prohibited
>
> I would really like to integrate these rules into the shorewall
> configuration, but can't figure out any way to do it. From what I can
> tell, shorewall-rules does not have policy match options.
>
> Is there a canonical way to prevent RFC1918-addressed, non-IPsec-encrypted
> packets from leaving the FW on an external interface?
>
You can simply put the rules in your rules file as:

?SECTION ALL
REJECT(icmp-admin-prohibited) webr net:10.0.0.0/8

(assumes that 'webr' is your local LAN and 'net' is the Internet zone)

The jumps to the *webr2net chains specify "-m policy --pol none --dir out" and the rules will be in those chains.

-Tom
--
Tom Eastep        \   Q: What do you get when you cross a mobster with
Shoreline,         \     an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
                      \_______________________________________________
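An audit helper added here (not from the thread and not Shorewall's own code): it reads a ruleset in iptables-save form and checks that the "no IPsec policy, then REJECT" guard Dorian describes is present in both OUTPUT and FORWARD, and that it comes before any jump that would pass the same traffic in clear (the difference between inserting with -I and appending with -A). The function names and the two sample rulesets are constructed; the chain, interface and prefix names are the ones from the thread.

```shell
#!/bin/sh
# Audit helper added here (not from the thread or from Shorewall): checks that a
# saved ruleset holds the "no IPsec policy -> REJECT" guard described above and
# that it sits before any jump that could pass the same traffic in clear.
# leak_guard_present CHAIN IFACE PREFIX   (iptables-save text on stdin)
leak_guard_present() {
    awk -v chain="$1" -v iface="$2" -v prefix="$3" '
        $1 == "-A" && $2 == chain {
            oif = 0; dst = 0; pol_none = 0; pol_ipsec = 0; dir_out = 0; target = ""
            for (i = 3; i <= NF; i++) {
                if (($i == "-o" || $i == "--out-interface") && $(i+1) == iface) oif = 1
                if ($i == "-d" && $(i+1) == prefix) dst = 1
                if ($i == "--pol" && $(i+1) == "none") pol_none = 1
                if ($i == "--pol" && $(i+1) == "ipsec") pol_ipsec = 1
                if ($i == "--dir" && $(i+1) == "out") dir_out = 1
                if ($i == "-j") target = $(i+1)
            }
            if (oif && dst && pol_none && dir_out && target == "REJECT") { found = 1; exit }
            # a jump for this interface that is not limited to IPsec-protected
            # packets runs before the guard: clear traffic is already let through
            if (oif && !pol_ipsec && target != "" && target != "REJECT" && target != "DROP") exit
        }
        END { exit found ? 0 : 1 }'
}

# check_ruleset PREFIX IFACE   (iptables-save text on stdin); 0 only if both chains are guarded
check_ruleset() {
    rules=$(cat)
    for chain in OUTPUT FORWARD; do
        printf '%s\n' "$rules" | leak_guard_present "$chain" "$2" "$1" \
            || { echo "missing or misplaced guard in $chain"; return 1; }
    done
    echo "guard present in OUTPUT and FORWARD"
}

# Constructed iptables-save excerpts (not captured from the poster's firewall).
# Guard inserted with -I, so it precedes Shorewall's own jumps:
RULES_OK='-A OUTPUT -d 10.0.0.0/8 -o eth-ext1 -m policy --dir out --pol none -j REJECT --reject-with icmp-admin-prohibited
-A FORWARD -d 10.0.0.0/8 -o eth-ext1 -m policy --dir out --pol none -j REJECT --reject-with icmp-admin-prohibited
-A FORWARD -o eth-ext1 -m policy --dir out --pol ipsec -d 10.50.0.0/16 -j webr2gvapn
-A FORWARD -o eth-ext1 -j webr2net'
# Guard appended with -A instead: in FORWARD it lands after the webr2net jump.
RULES_LATE='-A OUTPUT -d 10.0.0.0/8 -o eth-ext1 -m policy --dir out --pol none -j REJECT --reject-with icmp-admin-prohibited
-A FORWARD -o eth-ext1 -m policy --dir out --pol ipsec -d 10.50.0.0/16 -j webr2gvapn
-A FORWARD -o eth-ext1 -j webr2net
-A FORWARD -d 10.0.0.0/8 -o eth-ext1 -m policy --dir out --pol none -j REJECT --reject-with icmp-admin-prohibited'
for r in "$RULES_OK" "$RULES_LATE"; do
    printf '%s\n' "$r" | check_ruleset 10.0.0.0/8 eth-ext1 || :
done
```

On a live box, feed it `iptables-save | check_ruleset 10.0.0.0/8 eth-ext1` after `shorewall restart` to confirm the guard survived the regenerated ruleset.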
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
