Hi, I have a shorewall-5.2.0.4 system on fedora28 connecting to a similar shorewall system as a net-to-net VPN and having some difficulties with rules for the VPNs involved with the firewall.
The local side is 68.194.193.42 (orion) with private subnet 192.168.1.0/24 behind it and the remote side is 65.45.72.6 (cyclops) with 64.1.15.0/27 (DMZ) behind it. The problem I'm having is that hosts in the DMZ can't reach hosts on the private subnet 192.168.1.0/24. Should the local private network be listed in hosts among the VPN networks? I have all these networks listed in the hosts file as part of the VPN on orion:

vpn br0:192.168.1.0/24,65.45.72.6,64.1.15.0/27 ipsec

How do I indicate to the firewall that the 64.1.15.0/27 network is the DMZ on the remote firewall and should be accessed through the VPN by the local private network 192.168.1.0/24? I've included below my current configuration, but I don't believe the "ext" network is defined properly.

interfaces:

ext br0 detect tcpflags,nosmurfs,routefilter,logmartians
int eth1 detect tcpflags,nosmurfs,routefilter,logmartians,routeback

zones:

vpn ipsec mode=tunnel mss=1400
ext ipv4
int ipv4

Should I create a "dmz" zone to contain the 64.1.15.0/27 remote network?

policy:

int int ACCEPT
int ext ACCEPT
$FW int ACCEPT
int vpn ACCEPT
int $FW ACCEPT
vpn int ACCEPT info
$FW vpn ACCEPT
vpn $FW ACCEPT
$FW ext ACCEPT
all all REJECT $LOG

Thanks,
Alex

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
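The policy table quoted in the message above is evaluated first-match by Shorewall, so the order of the lines decides which zone pairs get an explicit policy and which fall through to the catch-all "all all REJECT $LOG" line. The script below is an added example, not part of the original post and not Shorewall's own code: it parses a copy of that policy table (constructed here from the message), reports the effective policy for any zone pair, and lists the pairs that are only covered by the catch-all, which is a quick way to audit a policy file for traffic you expected to allow. It models only the SOURCE/DEST/POLICY/LOGLEVEL columns and the "all" wildcard; Shorewall's real evaluation also applies the rules file and zone nesting before policies, so treat this as an audit aid, not a reimplementation.

```python
from itertools import product

# Constructed copy of the policy table from the post: SOURCE DEST POLICY [LOGLEVEL].
POLICY_TEXT = """
int int ACCEPT
int ext ACCEPT
$FW int ACCEPT
int vpn ACCEPT
int $FW ACCEPT
vpn int ACCEPT info
$FW vpn ACCEPT
vpn $FW ACCEPT
$FW ext ACCEPT
all all REJECT $LOG
"""

# Zones defined in the post's zones file plus the firewall zone itself.
ZONES = ["$FW", "int", "ext", "vpn"]


def parse_policies(text):
    """Parse policy lines into (source, dest, action, loglevel) tuples in file order."""
    entries = []
    for raw in text.strip().splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"malformed policy line: {raw!r}")
        src, dst, action = fields[:3]
        loglevel = fields[3] if len(fields) > 3 else None
        entries.append((src, dst, action, loglevel))
    return entries


def effective_policy(entries, src, dst):
    """Return (action, loglevel, line_index) of the first policy matching src -> dst.

    A column matches when it names the zone exactly or is the wildcard 'all'.
    Returns (None, None, None) if no line matches, which Shorewall itself
    would reject at compile time, so it only signals an incomplete table.
    """
    for idx, (psrc, pdst, action, loglevel) in enumerate(entries):
        if psrc in (src, "all") and pdst in (dst, "all"):
            return action, loglevel, idx
    return None, None, None


def fallthrough_pairs(entries, zones):
    """Zone pairs whose effective policy comes only from an 'all all' wildcard line."""
    pairs = []
    for src, dst in product(zones, repeat=2):
        action, _, idx = effective_policy(entries, src, dst)
        if idx is not None and entries[idx][0] == "all" and entries[idx][1] == "all":
            pairs.append((src, dst, action))
    return pairs


ENTRIES = parse_policies(POLICY_TEXT)

if __name__ == "__main__":
    for src, dst in (("vpn", "int"), ("int", "vpn"), ("ext", "int")):
        action, loglevel, idx = effective_policy(ENTRIES, src, dst)
        print(f"{src:>4} -> {dst:<4} {action} (log={loglevel}, policy line {idx + 1})")
    print("pairs covered only by the catch-all line:")
    for src, dst, action in fallthrough_pairs(ENTRIES, ZONES):
        print(f"  {src:>4} -> {dst:<4} {action}")
```

Running it against the post's table shows vpn -> int resolving to ACCEPT with "info" logging, while every pair involving ext as a source, plus vpn -> vpn and vpn -> ext, is handled only by the final REJECT line. If a separate dmz zone were added to the zones file, rerunning the check after extending ZONES would immediately list every dmz pair as fall-through until an explicit policy for it is written.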