From: Tom E. <te...@sh...> - 2005-09-25 20:09:22

On Sunday 25 September 2005 10:56, Brent Schwartz wrote:

> Hello, I am looking for some example configurations of an openvpn
> bridge running with shorewall. Thus far I am able to create an
> openvpn connection using the tap0 on client to the server on br0
> (eth1=lan + tap0=vpn) but I am unable to ping through. I feel that
> openvpn is configured properly at this point and feel that the issue
> is with my shorewall config possibly. Though my shorewall logs are
> not showing drops the ifconfig for tap0 shows TX drops after my
> failed ping attempts.

TX drops in ifconfig have nothing to do with Shorewall. Also, if Shorewall is
not logging any drops or rejects then it is highly unlikely that Shorewall
has anything to do with your problem.

> The openvpn bridged howto specifies the following iptables rules be
> present:
>
> iptables -A INPUT -i tap0 -j ACCEPT
> iptables -A INPUT -i br0 -j ACCEPT
> iptables -A FORWARD -i br0 -j ACCEPT
>
> but in shorewall/interfaces br0's zone is labeled as such:
>
> #ZONE INTERFACE BROADCAST OPTIONS
> - br0 detect dhcp
> net eth0 detect routefilter,norfc1918,tcpflags
>
> and appropriately shorewall/host is:
>
> vpn br0:tap0
> loc br0:eth1
>
> this being so how do I tell shorewall to create the above iptables
> rules?

First of all, the above iptables rules were suggested by someone who doesn't
understand how iptables and netfilter interact. The first rule is completely
unnecessary (tap0 doesn't have an IP address and hence will never match using
"-i"). With your setup (separate zones for the individual bridge ports), you
could achieve the effect of the other two rules with the following policies:

vpn fw ACCEPT
loc fw ACCEPT
vpn loc ACCEPT
loc vpn ACCEPT

-Tom
-- 
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ te...@sh...
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
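Pulled together as an added example (not part of Tom's reply or of the Shorewall project's documentation), this is how the fragments quoted in the thread fit into one set of Shorewall files for that bridge. The interfaces and hosts entries are as quoted and the first four policies are Tom's; the zones file, the BRIDGING line in shorewall.conf and the two catch-all policies are assumptions for the Shorewall 2.x/3.x releases current when this was written.

```text
# /etc/shorewall/shorewall.conf  (assumed: per-port bridge zones in 2.x/3.x needed this)
BRIDGING=Yes

# /etc/shorewall/zones  (assumed: declares every zone the files below refer to)
#ZONE   TYPE
fw      firewall
net     ipv4
loc     ipv4
vpn     ipv4

# /etc/shorewall/interfaces  (as quoted in the question; br0 itself has no zone)
#ZONE   INTERFACE   BROADCAST   OPTIONS
-       br0         detect      dhcp
net     eth0        detect      routefilter,norfc1918,tcpflags

# /etc/shorewall/hosts  (as quoted in the question: one zone per bridge port)
#ZONE   HOST(S)
vpn     br0:tap0
loc     br0:eth1

# /etc/shorewall/policy  (Tom's four policies, then the usual catch-alls)
#SOURCE   DEST   POLICY   LOG LEVEL
vpn       fw     ACCEPT
loc       fw     ACCEPT
vpn       loc    ACCEPT
loc       vpn    ACCEPT
net       all    DROP     info
all       all    REJECT   info
```

The vpn/loc ACCEPT pair lets everything pass between the two bridge ports, which is what the howto's iptables rules did; to restrict it, change those two policies to REJECT and list only the permitted services in the rules file.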