[Shorewall-users] Is there a way to allow vpn connections and
block eth connections from a host or subnet? SOLVED
cmisip at insightbb.com
Sat Aug 30 02:26:29 PDT 2003
Seems to work well. Both Windows XP and Red Hat 9 on the laptop have VPN
connections to the rest of the wired LAN and the internet. I chronicled
It's disorganized and may even have a bunch of errors, and I will probably
need to update it with new information as I learn it.
On Sat, 2003-08-30 at 00:48, Joshua Banks wrote:
> --- cmisip <cmisip at insightbb.com> wrote:
> > I was coming from a configuration using a DI 614 wireless router. Hence
> > both the laptop and all the other wired hosts belong to the same
> > 192.168.1.0/24 network. I found out that you cannot create a "host to
> > subnet" ipsec tunnel between the laptop and the 192.168.1.0/24 network
> > because the laptop belongs to the same network. So I had to create
> > "host to host" tunnels between the laptop and the other wired hosts. To
> > allow the laptop to access the internet securely (wireless encryption),
> > I had to create a "host to subnet" tunnel where the subnet is 0.0.0.0/0.
> > Now, I decided to increase security by putting the laptop and
> > wireless router in its own network (192.168.0.0/24) and isolating it
> > from the rest of the wired lan (192.168.1.0/24). This allows me to
> > create a single "host (laptop) to subnet (192.168.1.0/24)" tunnel,
> > extremely simplifying the ipsec configuration. By using a subnet of
> > 0.0.0.0/0, I can extend the same connection to allow internet access.
> > This is what I missed. Thank you for bringing me back on track.
> > I think I have achieved my goal in this setup. With ipsec ON in the
> > laptop, the laptop is allowed access to the rest of the wired network
> > and the internet. With ipsec OFF on the laptop, all communications
> > between it and the wired lan are via regular ethx connections and
> > shorewall is configured to reject these connections from the wireless
> > lan network.
> > Now if an outsider tries to connect to my wireless router, they will not
> > be able to access the wired lan or the internet at all.
> > Thanks again. I am currently testing the setup. So far it seems to be
> > working well.
> Nice job CMISIP,
> Please let me know how this works out.
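The setup cmisip describes, written out as an added Shorewall configuration for illustration; it is not from this thread or from the Shorewall project. It assumes a Shorewall 1.4-era firewall running FreeS/WAN, where decrypted IPsec traffic arrives on the virtual ipsec0 interface, and it assumes interface names (eth0 to the internet, eth1 wired LAN, eth2 wireless), the zone names net/loc/wifi/vpn, and a laptop address of 192.168.0.10; the two subnets are the ones given in the thread. The idea is that the raw wireless segment is a zone of its own with a REJECT policy, so that only the IKE and ESP packets of the tunnel are let through, while the decrypted packets coming out of the tunnel land in a trusted zone.

```text
# /etc/shorewall/zones  (constructed example)
#ZONE   DISPLAY     COMMENTS
net     Net         Internet
loc     Local       Wired LAN, 192.168.1.0/24
wifi    Wireless    Raw wireless segment, 192.168.0.0/24 (untrusted)
vpn     VPN         Decrypted IPsec traffic from the laptop

# /etc/shorewall/interfaces  (interface names are assumptions)
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      routefilter
loc     eth1        detect
wifi    eth2        detect
vpn     ipsec0                  # FreeS/WAN virtual interface, decrypted packets

# /etc/shorewall/policy
#SOURCE DEST    POLICY  LOG LEVEL
loc     net     ACCEPT
vpn     loc     ACCEPT          # laptop reaches the wired LAN only through the tunnel
vpn     net     ACCEPT          # and the internet too (the 0.0.0.0/0 tunnel)
wifi    all     REJECT  info    # plain ethx traffic from the wireless side is refused and logged
net     all     DROP    info
all     all     REJECT  info

# /etc/shorewall/tunnels
# Opens only IKE (UDP 500) and ESP/AH between the firewall and the laptop.
# These rules are generated ahead of the wifi REJECT policy.
#TYPE   ZONE    GATEWAY         GATEWAY ZONE
ipsec   wifi    192.168.0.10    # laptop address is an assumption

# /etc/shorewall/masq
#INTERFACE  SUBNET
eth0        eth1
eth0        ipsec0              # decrypted laptop traffic is masqueraded on its way out
```

A practical check after `shorewall restart`: with IPsec disabled on the laptop, a ping to a wired host should fail and a `Shorewall:wifi2loc:REJECT` line should appear in the firewall log; with IPsec enabled, the same ping should succeed and show up in `shorewall show` counters for the vpn chains rather than the wifi ones. An outsider who associates with the wireless router but has no IPsec keys only ever sees the wifi REJECT policy. This layout relies on the ipsec0 interface; with native kernel IPsec (no ipsec0) later Shorewall releases handle IPsec differently, and the project's IPsec documentation should be followed instead.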