[Shorewall-users] OpenVPN and Ethernet Bridging

Tom Eastep teastep at shorewall.net
Sat Oct 18 10:43:09 PDT 2003


On Sat, 2003-10-18 at 09:08, Micha Silver wrote:
> Tom Eastep wrote:
> 
> >On Sat, 2003-10-18 at 08:10, Micha Silver wrote:
> >
> >>If anyone has other insight on allowing remote users to browse a windows 
> >>(i.e. "network neighborhood") LAN thru vpn, I'd appreciate hearing.
> >
> >Most people simply run a WINS server.
> 
> Hi Tom:
> 
> We're drifting away from Shorewall here, and if this gets too far off, 
> I'll go to the OpenVPN list.
> 
> I have a WINS server running in the Windows LAN, and I added its 
> address manually to the "tap" device on the remote road warrior which 
> connected using openvpn in a P to P (routed) mode, but that didn't help.
> I could ping the WINS server - and others - and use non browse-dependent 
> apps (i.e. VNC). But no Network Neighborhood, and no "shares". Is there 
> something else I missed?
> Do I need any special rules to allow the smb ports out thru the tunnels?
---------------------------------------------------------------------------
Shorewall 101:

a) Policies define the default behavior of traffic between zones.
b) Rules are exceptions to policies.

The above applies to ALL PROTOCOLS and ALL PORTS (for those protocols
that support the notion of ports).

So if your policies through the tunnels are ACCEPT then you don't need
rules. If your policies through the tunnels are other than ACCEPT then
you need rules.

The output of "shorewall [re]start" and "shorewall check" will show you
the policy between each pair of zones.
---------------------------------------------------------------------------
By default, SMB traffic that is being dropped or rejected by policy is
not logged by Shorewall (as a result of entries in
/etc/shorewall/common.def). This is because people normally run Windoze
systems and if Shorewall were to log this traffic, we would have 500
newbies a day frantically posting on the list about the "attack" that they
were seeing.

The page http://shorewall.net/samba.htm shows the rules that are
required -- you just need to adjust the zones in the rules to fit your
situation.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep at shorewall.net
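As an added illustration of the policy-versus-rules point in the reply above (constructed example configuration, not taken from the original message or from the Shorewall project's own files): assume a zone named `vpn` for the OpenVPN road warriors and `loc` for the Windows LAN that holds the WINS server. The zone names and the REJECT default are assumptions; the port set is the standard Microsoft networking set covered by the Samba page referenced in the reply.

```text
# /etc/shorewall/policy (excerpt) -- assumed zone names "vpn" and "loc".
# With ACCEPT here, no SMB rules are needed at all. With REJECT, every
# SMB port is refused, and because common.def suppresses the log entries
# for those ports, the "info" level below will not show them; the symptom
# is exactly "can ping, but no Network Neighborhood and no shares".
#SOURCE   DEST    POLICY   LOG LEVEL
vpn       loc     REJECT   info
loc       vpn     REJECT   info

# /etc/shorewall/rules (excerpt) -- the exceptions to the policy above.
# Port set for NetBIOS-over-TCP/IP and CIFS: udp 137-139 (name/datagram/
# session services), udp 135 and 445, tcp 135, 139 and 445. Rules are
# needed in both directions because WINS replies and browse-list traffic
# originate on the LAN side, not only on the road warrior.
#ACTION   SOURCE  DEST    PROTO   DEST PORT(S)   SOURCE PORT(S)
ACCEPT    vpn     loc     udp     135,445
ACCEPT    vpn     loc     udp     137:139
ACCEPT    vpn     loc     udp     1024:          137
ACCEPT    vpn     loc     tcp     135,139,445
ACCEPT    loc     vpn     udp     135,445
ACCEPT    loc     vpn     udp     137:139
ACCEPT    loc     vpn     udp     1024:          137
ACCEPT    loc     vpn     tcp     135,139,445
```

After editing, "shorewall check" prints the policy that applies between each pair of zones, which is the quickest way to confirm whether the tunnel zone actually has an ACCEPT policy or is falling through to REJECT. Note that opening these ports only carries unicast traffic; NetBIOS broadcasts do not cross a routed tunnel, which is why a WINS server (as mentioned earlier in the thread) is still needed for browsing to work.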