[Shorewall-users] Is there a way to allow vpn connections and block eth connections from a host or subnet? SOLVED

cmisip cmisip at insightbb.com
Sat Aug 30 02:26:29 PDT 2003


Seems to work well.  Both Windows xp and Redhat 9 on the laptop have vpn
connections to the rest of the wired lan and the internet.  I chronicled
everything here:
http://cmisip.home.insightbb.com/advanced.htm

It's disorganized and may even have a bunch of errors, and I will probably
need to update it with new information as I learn it.



On Sat, 2003-08-30 at 00:48, Joshua Banks wrote:
> --- cmisip <cmisip at insightbb.com> wrote:
> > I was coming from a configuration using a DI 614 wireless router.  Hence
> > both the laptop and all the other wired hosts belong to the same
> > 192.168.1.0/24 network.  I found out that you cannot create a "host to
> > subnet" ipsec tunnel between the laptop and the 192.168.1.0/24 network
> > because the laptop belongs to the same network.  So I had to create
> > "host to host" tunnels between the laptop and the other wired hosts.  To
> > allow the laptop to access the internet securely (wireless encryption),
> > I had to create a "host to subnet" tunnel where the subnet is 0.0.0.0/0.
> >       Now, I decided to increase security by putting the laptop and
> > wireless router in its own network (192.168.0.0/24) and isolating it
> > from the rest of the wired lan (192.168.1.0/24).  This allows me to
> > create a single "host (laptop) to subnet (192.168.1.0/24)" tunnel,
> > extremely simplifying the ipsec configuration. By using a subnet of
> > 0.0.0.0/0, I can extend the same connection to allow internet access.
> > This is what I missed.  Thank you for bringing me back on track.
> > 
> > I think I have achieved my goal in this setup.  With ipsec ON in the
> > laptop, the laptop is allowed access to the rest of the wired network
> > and the internet.  With ipsec OFF on the laptop, all communications
> > between it and the wired lan are via regular ethx connections and
> > shorewall is configured to reject these connections from the wireless
> > lan network. 
> > Now if an outsider tries to connect to my wireless router, they will not
> > be able to access the wired lan or the internet at all.
> > 
> > Thanks again. I am currently testing the setup.  So far it seems to be
> > working well.
> 
> 
> Nice job CMISIP,
> 
> Please let me know how this works out.
> 
> JBanks
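A Shorewall configuration that implements the zone split described in the thread (the wireless segment reaches the wired LAN and the internet only through the IPsec tunnel, while cleartext wireless traffic is rejected), added here as an example; it is not from this thread or from cmisip's write-up. It assumes the Shorewall 1.4-era column layout with a FreeS/WAN/KLIPS-style ipsec0 virtual interface, and the zone and interface names (wifi, vpn, eth0/eth1/eth2) are made up for the illustration.

```text
# /etc/shorewall/zones   (zone names are assumed for this example)
#ZONE   DISPLAY    COMMENTS
net     Net        Internet
loc     Local      wired LAN, 192.168.1.0/24
wifi    Wireless   wireless segment, 192.168.0.0/24, seen in cleartext
vpn     VPN        packets that arrived decrypted through the IPsec tunnel

# /etc/shorewall/interfaces   (interface names are assumed; ipsec0 is the
# KLIPS virtual interface, bound to eth2 in ipsec.conf)
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      routefilter,norfc1918
loc     eth1        detect
wifi    eth2        detect
vpn     ipsec0      -

# /etc/shorewall/tunnels
# Only IKE (UDP 500) and ESP/AH may pass between the firewall and the
# wireless segment; anything else from wifi falls through to policy.
#TYPE   ZONE    GATEWAY           GATEWAY ZONE
ipsec   wifi    192.168.0.0/24

# /etc/shorewall/policy
# Decrypted traffic (vpn zone) gets the access the laptop needs; the same
# hosts arriving in cleartext (wifi zone) are logged and refused, which is
# what an outsider who associates with the wireless router will hit.
#SOURCE DEST    POLICY   LOG LEVEL
vpn     loc     ACCEPT
vpn     net     ACCEPT
loc     vpn     ACCEPT
loc     net     ACCEPT
wifi    all     REJECT   info
net     all     DROP     info
all     all     REJECT   info

# /etc/shorewall/masq
# The 0.0.0.0/0 "host to subnet" tunnel delivers internet-bound packets from
# the laptop on ipsec0 with their 192.168.0.x source, so they need NAT too.
#INTERFACE   SUBNET
eth0         192.168.1.0/24
eth0         192.168.0.0/24
```

With the native IPsec stack of later kernels there is no ipsec0 device, so decrypted packets arrive on eth2 itself; later Shorewall releases handle that case by marking IPsec-protected traffic as its own zone type rather than by interface.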