[Shorewall-newbies] Crypto API and Shorewall

Tom Eastep teastep at shorewall.net
Thu Jan 15 07:58:54 PST 2004

A number of you are flailing around trying to get the subject combination to 

You should all be aware that there are parts of this that don't currently work 
and that won't work well until there are enhancements made to Shorewall (and 
probably to Netfilter).

I. There is no clean way currently to support Road Warriors from a 
Masquerading Netfilter firewall/gateway. As Dan Hollis pointed out in his 
post last fall, there is a requirement to avoid masquerading traffic from the 
local network(s) through the tunnel. This was no problem when all tunnel 
traffic went through its own device because the output device could be 
specified in the Netfilter SNAT/MASQUERADE rule. With Crypto API, all tunnel 
traffic leaves via the system's external interface so exceptions to the 
SNAT/MASQUERADE rule need to be inserted when a RoadWarrior connects and must 
be deleted when the RoadWarrior disconnects.

The "updown" script can of course be used to do that. For those with this 
problem, I would suggest starting with:


		iptables -t nat -I POSTROUTING -d <roadwarrior IP> -j ACCEPT


		iptables -t nat -D POSTROUTING -d <roadwarrior IP> -j ACCEPT

Disclaimer: I have no idea if that will work or not.

II. If 'norfc1918' is specified on your remote interface then you need to 
modify /etc/shorewall/rfc1918 to pass traffic to/from remote RFC1918 

III. The requirement to avoid masquerading traffic through tunnels means that 
you can't cleanly define a VPN hub. You would want to be able to have an 
entry in /etc/shorewall/masq as follows:

<ext if>:!<subnet1>,<subnet2>,...	<local if>

Where <subnet<n>> are the remote networks that you are tying together.

Shorewall currently doesn't support such entries.

Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep at shorewall.net

More information about the Shorewall-newbies mailing list