[Shorewall-newbies] shorewall as a 'hub/relay' for openvpn/ipsec ?
teastep at shorewall.net
Fri Dec 19 12:53:57 PST 2003
On Friday 19 December 2003 12:26 pm, gary ng wrote:
> I may have complicated the matter. I have done some
> more reading about IPSEC and it seems that it is UDP
> 500, and protocol 50,51(ESP,AH) that needs to be
> DNATed to my machine of choice. Is this the equivalent
> of 'ipsec passthru' that people are talking about ?
No -- IPSEC passthru encapsulates the ESP/AH inside UDP 500 so that the only
thing that needs to pass through the firewall is UDP.
> I was thinking about DMZ( that is every incoming
> packet to eth0:22.214.171.124 will be forwarded to
> 10.0.1.10) which is pretty standard like a 2 NIC
> setup(eth0,eth1). The only difference seems to be that
> it is (eth0,tap+) instead and tap+ still depends on
> eth0(running on top of it through UDP 5000+).
> So it becomes, how would I specify the rules which
> essentially means :
> For all packets coming from eth0, forward to tap0(this
> becomes the DMZ server)
I'm not going to give you any advice without understanding what problem you
are trying to solve. And I've already told you that I don't understand that
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep at shorewall.net
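For readers who want to see what the DNAT rules the question describes would look like in Shorewall's /etc/shorewall/rules syntax, here is an added example; it is not from the original thread or from the Shorewall project, and it assumes a zone named `net` on eth0 and a zone named `vpn` covering the tap+ interfaces, with 10.0.1.10 being the single inside host that should receive IPSEC traffic.

```conf
# /etc/shorewall/rules (added example, not from the thread)
# Assumed zones: net = eth0 (Internet), vpn = tap+ (OpenVPN side).
# Columns: ACTION  SOURCE  DEST            PROTO  DEST PORT(S)

# IKE negotiation arrives on UDP 500.
DNAT    net     vpn:10.0.1.10   udp    500

# ESP (IP protocol 50) and AH (IP protocol 51) carry no port numbers,
# so they can only be redirected to ONE inside host: these two rules
# send every inbound ESP/AH packet to 10.0.1.10, nothing else can share it.
DNAT    net     vpn:10.0.1.10   50
DNAT    net     vpn:10.0.1.10   51
```

Because protocols 50 and 51 are portless, a firewall can expose at most one internal IPSEC endpoint this way; anything beyond that needs a different design, which is the question Tom is asking the poster to pin down first.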