[Shorewall-newbies] Crypto API and Shorewall
teastep at shorewall.net
Thu Jan 15 07:58:54 PST 2004
A number of you are flailing around trying to get the subject combination to
You should all be aware that there are parts of this that don't currently work
and that won't work well until there are enhancements made to Shorewall (and
probably to Netfilter).
I. There is no clean way currently to support Road Warriors from a
Masquerading Netfilter firewall/gateway. As Dan Hollis pointed out in his
post last fall, there is a requirement to avoid masquerading traffic from the
local network(s) through the tunnel. This was no problem when all tunnel
traffic went through its own device because the output device could be
specified in the Netfilter SNAT/MASQUERADE rule. With Crypto API, all tunnel
traffic leaves via the system's external interface so exceptions to the
SNAT/MASQUERADE rule need to be inserted when a RoadWarrior connects and must
be deleted when the RoadWarrior disconnects.
The "updown" script can of course be used to do that. For those with this
problem, I would suggest starting with:
    # when the RoadWarrior connects (the "up" case of the updown script):
    iptables -t nat -I POSTROUTING -d <roadwarrior IP> -j ACCEPT
    # when the RoadWarrior disconnects (the "down" case):
    iptables -t nat -D POSTROUTING -d <roadwarrior IP> -j ACCEPT
Disclaimer: I have no idea if that will work or not.
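As an added illustration (not from the post, and not Shorewall's own code), here is a small hook that would be called from the updown script to insert the POSTROUTING exception above when a road warrior's SA comes up and delete it when the SA goes down. It assumes the FreeS/WAN-style updown environment (PLUTO_VERB, PLUTO_PEER_CLIENT, PLUTO_PEER) and lets IPTABLES be overridden so the commands can be dry-run.

```shell
#!/bin/sh
# Added example: insert/remove the nat-table exception for one road warrior.
# Assumed environment (FreeS/WAN-style updown script):
#   PLUTO_VERB         e.g. up-client / down-client
#   PLUTO_PEER_CLIENT  network behind the peer, e.g. 192.0.2.10/32 (assumed)
#   PLUTO_PEER         peer's own address, used if no client network is given
# IPTABLES may be overridden (IPTABLES=echo) to see the commands without
# touching the running firewall.
IPTABLES="${IPTABLES:-iptables}"

# Run the nat-table rule for one remote network.  $1 is -I (insert) or -D
# (delete); $2 is the destination network that must NOT be masqueraded.
nat_exception() {
    op="$1"; remote="$2"
    "$IPTABLES" -t nat "$op" POSTROUTING -d "$remote" -j ACCEPT
}

# Map the updown verb to an insert (connect) or delete (disconnect).
# Verbs such as prepare-*/route-* are ignored so the rule is only ever
# added once per SA and removed once per SA.
handle_verb() {
    verb="$1"; remote="$2"
    case "$verb" in
        up-client|up-host)     nat_exception -I "$remote" ;;
        down-client|down-host) nat_exception -D "$remote" ;;
        *) return 0 ;;
    esac
}

# When invoked by Pluto, act on the variables it exports; otherwise the
# functions above can be sourced and called directly.
if [ -n "${PLUTO_VERB:-}" ]; then
    handle_verb "$PLUTO_VERB" "${PLUTO_PEER_CLIENT:-${PLUTO_PEER:-}}"
fi
```

The same function can be called once per remote subnet from the hub case in item III, which is what the missing masq exclusion syntax would otherwise express.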
II. If 'norfc1918' is specified on your remote interface then you need to
modify /etc/shorewall/rfc1918 to pass traffic to/from remote RFC1918
III. The requirement to avoid masquerading traffic through tunnels means that
you can't cleanly define a VPN hub. You would want to be able to have an
entry in /etc/shorewall/masq as follows:
<ext if>:!<subnet1>,<subnet2>,... <local if>
Where <subnet<n>> are the remote networks that you are tying together.
Shorewall currently doesn't support such entries.
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep at shorewall.net