[Shorewall-newbies] shorewall as a 'hub/relay' for openvpn/ipsec ?

Tom Eastep teastep at shorewall.net
Fri Dec 19 12:53:57 PST 2003


On Friday 19 December 2003 12:26 pm, gary ng wrote:
> I may have complicated the matter. I have done some
> more reading about IPSEC and it seems that it is UDP
> 500, and protocol 50,51(ESP,AH) that needs to be
> DNATed to my machine of choice. Is this the equivalent
> of 'ipsec passthru' that people are talking about ?

No -- IPSEC passthru encapsulates the ESP/AH inside UDP 500 so that the only 
thing that needs to pass through the firewall is UDP.
 
>
> I was thinking about DMZ( that is every incoming
> packet to eth0:69.56.237.100 will be forwarded to
> 10.0.1.10) which is pretty standard like a 2 NIC
> setup(eth0,eth1). The only difference seems to be that
> it is (eth0,tap+) instead and tap+ still depends on
> eth0(running on top of it through UDP 5000+).
>
> So it becomes, how would I specify the rules which
> essentially means :
>
> For all packets coming from eth0, forward to tap0(this
> becomes the DMZ server)

I'm not going to give you any advice without understanding what problem you 
are trying to solve. And I've already told you that I don't understand that 
problem.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep at shorewall.net
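For readers arriving at this thread with the narrower question gary raised (passing IKE and ESP/AH from the public address through to one internal host), the following is an added example of the Shorewall rules that do that; it is not something posted in the thread or taken from the Shorewall documentation. It assumes the Shorewall rules-file syntax of that era, a `net` zone on eth0 and a `loc` zone covering the internal host (whether that host sits behind eth1 or behind a `tap+` interface is a matter of the interfaces file, not of these rules), and reuses the addresses gary gave, 69.56.237.100 as the public address and 10.0.1.10 as the internal endpoint.

```text
# /etc/shorewall/rules  (added example; assumes zones "net" and "loc")
#
#ACTION  SOURCE  DEST            PROTO  DEST    SOURCE  ORIGINAL
#                                       PORT(S) PORT(S) DEST
# IKE runs over UDP 500; ESP (protocol 50) and AH (protocol 51) carry
# no port numbers, so they are matched by protocol only.
DNAT     net     loc:10.0.1.10   udp    500     -       69.56.237.100
DNAT     net     loc:10.0.1.10   esp    -       -       69.56.237.100
DNAT     net     loc:10.0.1.10   ah     -       -       69.56.237.100
# If the peers negotiate NAT traversal (UDP-encapsulated ESP), that
# traffic arrives on UDP 4500 and needs the same treatment:
DNAT     net     loc:10.0.1.10   udp    4500    -       69.56.237.100
```

Two caveats a practitioner should keep in mind. Because ESP has no ports, every inbound ESP packet for 69.56.237.100 goes to the single host named in the rule, so this arrangement supports exactly one IPsec endpoint behind that public address. AH authenticates the outer IP header, destination address included, so rewriting that address with DNAT makes the AH integrity check fail at 10.0.1.10; the `ah` rule is shown for completeness but only ESP (or UDP-encapsulated ESP) will actually work through address translation.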