[Shorewall-users] Design Problems for VPN/Transparent Firewall

Tom Eastep teastep@shorewall.net
Sun, 13 Jan 2002 13:01:23 -0800


On Sunday 13 January 2002 12:29 pm, dgilleece@optimumnetworks.com wrote:
> Quoting Tom Eastep <teastep@shorewall.net>:
> > Ok -- what function does your DSL router play?
>
> The DSL router currently passes all traffic to a network switch, through
> which all hosts currently access the internet directly --- using only local
> security measures (personal firewall, ipchains, etc.)
>
> > - From your ISP's point of view, does it act as the gateway to your /25
> > network?
>
> Yes.
>
> > - Does it physically interface to the phone line or is there a "dsl modem"
> > outbound of it?
>
> Not sure what you mean here.  It is a Cisco 678, connected to a dedicated
> (non-shared "dry pair") business circuit.  LAN-side, it is attached to a
> workgroup switch.

Ok -- It's unfortunate that you have a router rather than just a "DSL Modem"
since your Linux box is perfectly capable of acting as a router and the
router is just getting in the way.

>
> > > 2.  Allowing any given host on that protected subnet to access just
> > > about any given type of VPN system at a variety of client sites.  (ruling
> > > out NAT, necessarily)
> >
> > That's a routing requirement, not a firewall requirement.
>
> By "allowing" I mean not interfering with "aggressive" VPN connections --
> which NAT firewalls hose.
>
> > > 3.  Having the gateway/firewall act as the VPN gateway connecting three
> > > remote office subnets together seamlessly.
> >
> > Ditto.
>
> Given my intent to create a simple (relative term here) appliance that
> does both VPN management and filtering, I am concerned the two applications
> don't make life difficult for each other -- I wasn't sure if your comments
> in the doc would be show-stoppers...
>
> > Let's answer the questions about the DSL router first then I'll give you
> > my thoughts.
>
> I am looking forward to them :)
>

Ok. I'm assuming that eth0 is your interface to the DSL router -- if not,
reverse eth0 and eth1.

------------------------------------

/etc/shorewall/zones

net     Internet    The internet including your DSL router
loc     Local       Local including the subnetworks accessed via IPSEC VPN

/etc/shorewall/interfaces:

net     eth0        norfc1918,...
loc     eth1        routestopped
loc     ipsec+      multi

/etc/shorewall/policy

loc     loc         ACCEPT
loc     net         ACCEPT
net     all         DROP
all     all         REJECT:info

/etc/shorewall/proxyarp

<124 entries> with "Yes" in the HAVEROUTE column

------------------------------

The firewall will let traffic pass freely between all IPSEC interfaces and
your local network (the "multi" allows traffic between the IPSEC interfaces).
All hosts in the local zone have unlimited access to the internet. No access
from internet to anything.

You will have to code /etc/shorewall/rules to specify what connections to
allow to/from your firewall.

-Tom
-- 
Tom Eastep    \ A Firewall for Linux 2.4.*
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
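As an added example that is not part of Tom's message or of the Shorewall project: a small POSIX shell script that writes the /etc/shorewall/proxyarp file sketched above, one entry per host of the public /25 sitting behind eth1. The addressing is hypothetical: it assumes 192.0.2.0/25 (documentation space), with .1 as the Cisco 678 and .2 as the firewall's own address in that subnet. Those two, plus the network and broadcast addresses, are skipped, which is where the 124 entries come from. The four columns are the ones Shorewall's proxyarp file took at the time (ADDRESS INTERFACE EXTERNAL HAVEROUTE); HAVEROUTE is Yes because the /25 is already configured on eth1, so the firewall has a route to each host and Shorewall must not add a host route of its own. A second function checks an existing file for that column, since a No there on a subnet that is configured on the interface is the usual way to break this setup.

```shell
#!/bin/sh
# Added example, not code from the original post or from Shorewall.
# Generates /etc/shorewall/proxyarp for a public /25 behind the firewall:
# each host gets a proxy ARP entry answered on the DSL-router side (eth0)
# and reached via eth1, with HAVEROUTE=Yes.
#
# Hypothetical addressing (not from the page): 192.0.2.0/25, .1 = DSL router,
# .2 = firewall. Columns: ADDRESS INTERFACE EXTERNAL HAVEROUTE.

# gen_proxyarp PREFIX BASE ROUTER_HOST FW_HOST
#   PREFIX       first three octets, e.g. 192.0.2
#   BASE         0 for the lower /25, 128 for the upper one
#   ROUTER_HOST  host octet of the DSL router (skipped)
#   FW_HOST      host octet of the firewall itself (skipped)
gen_proxyarp() {
    prefix=$1; base=$2; router=$3; fw=$4
    case "$base" in
        0|128) ;;
        *) echo "BASE must be 0 or 128" >&2; return 1 ;;
    esac
    # usable host range: skip the network (BASE) and broadcast (BASE+127)
    first=$((base + 1)); last=$((base + 126))
    for who in "$router" "$fw"; do
        if [ "$who" -lt "$first" ] || [ "$who" -gt "$last" ]; then
            echo "host .$who is outside $prefix.$base/25" >&2
            return 1
        fi
    done
    echo "#ADDRESS        INTERFACE   EXTERNAL    HAVEROUTE"
    h=$first
    while [ "$h" -le "$last" ]; do
        if [ "$h" -ne "$router" ] && [ "$h" -ne "$fw" ]; then
            # host lives on eth1; firewall answers ARP for it on eth0;
            # the /25 is configured on eth1, so the route already exists
            printf '%-15s %-11s %-11s %s\n' "$prefix.$h" eth1 eth0 Yes
        fi
        h=$((h + 1))
    done
}

# count_entries FILE: number of non-comment, non-blank entries
count_entries() {
    grep -v '^#' "$1" | grep -c .
}

# haveroute_ok FILE: succeeds only if every entry has Yes in column 4,
# i.e. no entry would make Shorewall add a host route that duplicates
# the interface route already present on eth1
haveroute_ok() {
    grep -v '^#' "$1" | awk 'NF && $4 != "Yes" { exit 1 }'
}

# Usage: sh proxyarp.sh 192.0.2 0 1 2 > /etc/shorewall/proxyarp
if [ $# -eq 4 ]; then
    gen_proxyarp "$@"
fi
```

Run it with the real prefix, base and host octets of the subnet, inspect the output, then install it and restart Shorewall. The script deliberately refuses a router or firewall octet outside the usable range, since a silent off-by-one there would produce 125 or 126 entries and an ARP entry for the broadcast address.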