Re: [Shorewall-users] openvpn bridge with shorewall

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

On Sunday 25 September 2005 10:56, Brent Schwartz wrote:
> Hello, I am looking for some example configurations of an openvpn
> bridge running with shorewall.  Thus far I am able to create an
> openvpn connection using the tap0 on client to the server on br0=3D
> (eth1=3Dlan + tap0=3Dvpn) but I am unable to ping through.  I feel that
> openvpn is configured properly at this point and feel that the issue
> is with my shorewall config possibly. > Though my shorewall logs are=20
> not showing drops the ifconfig for tap0 shows TX drops after my
> failed ping attempts.

TX drops in ifconfig have nothing to do with Shorewall. Also, if Shorewall =
is=20
not logging any drops or rejects then it is highly unlikely that Shorewall=
=20
has anything to do with your problem.

>
> The openvpn bridged howto specifics the following iptables rules be
> present:
>
> iptables -A INPUT -i tap0 -j ACCEPT
> iptables -A INPUT -i br0 -j ACCEPT
> iptables -A FORWARD -i br0 -j ACCEPT
>
> but in shorewall/interfaces br0 's zone is labeled as such:
>
> #ZONE   INTERFACE       BROADCAST       OPTIONS
> -       br0             detect          dhcp
> net     eth0            detect          routefilter,norfc1918,tcpflags
>
> and appropriately shorewall/host is:
>
> vpn             br0:tap0
> loc             br0:eth1
>
> this being so how do I tell shorewall to create the above iptables
> rules?

=46irst of all, the above iptables rules were suggested by someone who does=
n't=20
understand how iptables and netfilter interact. The first rule is completel=
y=20
unnecessary (tap0 doesn't have an IP address and hence will never match usi=
ng =20
"-i").  With your setup (separate zones for the individual bridge ports), y=
ou=20
could achieve the effect of the other two rules with the following policies:

vpn	fw	ACCEPT
loc	fw	ACCEPT
vpn	loc	ACCEPT
loc	vpn	ACCEPT

=2DTom
=2D-=20
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ te...@sh...
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key