[Shorewall-users] Design Problems for VPN/Transparent Firewall

dgilleece@optimumnetworks.com dgilleece@optimumnetworks.com
Mon, 28 Jan 2002 18:51:41 -0600 (CST)


Regarding Shorewall for proxy arp subnet:


Tom,

Finally got the time to look into this more closely, and I'm having some 
difficulty. 

I have a basic install of Red Hat 7.2, configured using the "Firewall/Router" 
option in Red Hat setup.

Any help appreciated,

Dan

Quoting Tom Eastep <teastep@shorewall.net>:


> Ok. I'm assuming that eth0 is your interface to the DSL router -- if
> not, 
> reverse eth0 and eth1.

My setup matches this...

> 
> /etc/shorewall/zones
> 
> net	Internet	The internet including your DSL router
> loc	Local		Local including the subnetworks accessed via IPSEC VPN
Done

> /etc/shorewall/interfaces:
> 
> net	eth0		norfc1918,...
> loc	eth1		routestopped
> loc	ipsec+		multi

Done

> /etc/shorewall/policy
> 
> loc	loc		ACCEPT
> loc	net		ACCEPT
> net	all		DROP
> all	all		REJECT:info

Done
 
> /etc/shorewall/proxyarp
> 
> <124 entries> with "Yes" in the HAVEROUTE column

I have this done, but I get the following errors when starting Shorewall:

Copied from console:

)nvalid value for HAVEROUTE - (Yes
" ignored9.98.36.45 eth1 eth0 Yes
)nvalid value for HAVEROUTE - (Yes
" ignored9.98.36.46 eth1 eth0 Yes
)nvalid value for HAVEROUTE - (Yes
" ignored9.98.36.47 eth1 eth0 Yes  

for all 124 IP addresses...

..and in /var/log/messages

Jan 27 20:25:17 localhost shorewall: )
Jan 27 20:25:17 localhost shorewall: " ignored
Jan 27 20:25:17 localhost shorewall: ' not found
Jan 27 20:25:17 localhost shorewall: Try `iptables -h' or 'iptables --help' for 
more information.
Jan 27 20:25:17 localhost rc: Starting shorewall:  failed


Files:

Interfaces
##############################################################################
#ZONE	 INTERFACE	BROADCAST	OPTIONS
net	eth0				norfc1918
loc	eth1				routestopped
loc	ipsec+			multi
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Policy
###############################################################################
#CLIENT		SERVER		POLICY		LOG LEVEL
loc		loc		ACCEPT
loc		net		ACCEPT
net		all		DROP			info
all		all		REJECT		info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE


Proxyarp
#			#ADDRESS	INTERFACE	EXTERNAL   HAVEROUTE
#			155.186.235.6	eth1		eth0       No
##############################################################################
#ADDRESS		INTERFACE	EXTERNAL        HAVEROUTE
219.98.36.1		eth1		eth0			Yes
219.98.36.2		eth1		eth0			Yes
219.98.36.3		eth1		eth0			Yes
219.98.36.4		eth1		eth0			Yes
219.98.36.5		eth1		eth0			Yes
219.98.36.6		eth1		eth0			Yes
219.98.36.7		eth1		eth0			Yes

... to 219.98.36.124

Zones
#ZONE	DISPLAY		COMMENTS
net	Internet		Internet 
loc	Localnet		Local networks
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
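Added example, not from this thread and not Shorewall's own code: a small Python linter for a proxyarp table in the format shown above. The console output in the message shows `)` overwriting the first character of each error and `" ignored` overwriting the start of the echoed entry, which is the usual symptom of a carriage return inside the last field, so the script assumes CRLF line endings as one candidate cause and checks for that alongside the other column rules (four columns, a valid IPv4 ADDRESS, INTERFACE different from EXTERNAL, HAVEROUTE reading Yes or No). The file contents in `SAMPLE_PROXYARP` are constructed for the demonstration.

```python
"""Lint a Shorewall proxyarp table before starting the firewall.

Added example (hypothetical helper, not part of Shorewall). Lines are split on
'\n' only so that a stray '\r' stays attached to the HAVEROUTE field, exactly
as a shell-based parser reading the file would see it.
"""
import ipaddress
import sys

# Assumption: Shorewall accepts Yes/No; we compare case-insensitively.
VALID_HAVEROUTE = {"yes", "no"}


def lint_proxyarp(text):
    """Return a list of (line_number, message) problems found in the table."""
    problems = []
    seen = set()
    for lineno, raw in enumerate(text.split("\n"), start=1):
        line = raw.strip(" \t")  # strip spaces/tabs but keep a trailing \r
        if not line or line.startswith("#"):
            continue
        if "\r" in line:
            problems.append((lineno, "carriage return (CRLF line ending) in entry"))
            line = line.replace("\r", "")
        fields = line.split()
        if len(fields) != 4:
            problems.append((lineno, f"expected 4 columns, found {len(fields)}"))
            continue
        address, interface, external, haveroute = fields
        try:
            ipaddress.IPv4Address(address)
        except ValueError:
            problems.append((lineno, f"bad ADDRESS {address!r}"))
        if address in seen:
            problems.append((lineno, f"duplicate ADDRESS {address!r}"))
        seen.add(address)
        if interface == external:
            problems.append((lineno, "INTERFACE and EXTERNAL must differ"))
        if haveroute.lower() not in VALID_HAVEROUTE:
            problems.append((lineno, f"HAVEROUTE must be Yes or No, got {haveroute!r}"))
    return problems


# Constructed sample: one good entry followed by four different defects.
SAMPLE_PROXYARP = (
    "#ADDRESS\t\tINTERFACE\tEXTERNAL\tHAVEROUTE\n"
    "219.98.36.1\t\teth1\t\teth0\t\t\tYes\n"      # good
    "219.98.36.2\t\teth1\t\teth0\t\t\tYes\r\n"    # CRLF line ending
    "219.98.36.3\t\teth1\t\teth0\t\t\tMaybe\n"    # bad HAVEROUTE value
    "219.98.36.300\teth1\t\teth0\t\t\tNo\n"       # bad address
    "219.98.36.4\t\teth1\n"                       # too few columns
)


if __name__ == "__main__":
    # Usage: python lint_proxyarp.py /etc/shorewall/proxyarp (defaults to sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], newline="") as fh:  # newline="" keeps \r intact
            data = fh.read()
    else:
        data = SAMPLE_PROXYARP
    for lineno, msg in lint_proxyarp(data):
        print(f"line {lineno}: {msg}")
```

Run it against the real file before `shorewall start`; a clean file produces no output. Opening with `newline=""` matters, because Python's default text mode would silently translate CRLF and hide the very defect the check looks for.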