Thread: RE: [Fwbuilder-discussion] fwbuilder, freeswan & nat
From: Neil B. <nei...@pa...> - 2003-09-11 16:34:09
Hi,

Vadim Kurland wrote:
>
> this looks like a routing problem. Perhaps FreeSWAN installed a default
> route pointing into ipsec0 interface. You should check your routing table.
>
> On the other hand, I can argue that this is a "good thing". You do want
> your remote VPN clients to be effectively disconnected from the Internet
> when they connect to internal network via VPN, otherwise they become a
> backdoor gateway. But of course it is a matter of the security policy of
> your company.
>
> If their policy is indeed to have you send all the traffic through the
> VPN and then office firewall, even when you browse the web, then the
> problem may be in FreeSWAN config. You would then need to make "right
> network" to be 0.0.0.0/0 so FreeSWAN would encrypt all your packets
> going through ipsec0 regardless of their destination address.

I did in the end find details on this. It is a case of things changing
between freeswan 1.xx and 2.xx and defaulting on to the new behaviour. If
anyone is interested they can find the details here:

http://lists.freeswan.ca/pipermail/sfs-users/2003-June/004614.html

Our initial testing of the VPN was using freeswan 1.99.

On a slightly related note, one little niggle I've had with fwbuilder is that
by default its logging routine doesn't differentiate between 'RULE <n>' in
the global policy and 'RULE <n>' on an interface.

I noticed today the feature in the options for a rule that you can put a
custom prefix, which is helpful, but when enabled it doesn't display ACCEPT
or REJECT when it logs against a rule. Is this a bug?

I think a useful feature would be the ability to set a prefix string for
each interface, perhaps in the interface properties. Would this be
possible? This would be more useful than the individual rule prefix option
IMHO.

Thanks for your help,

Neil.
From: Vadim K. <va...@vk...> - 2003-09-11 16:49:23
On Thursday, September 11, 2003, at 09:32 AM, Neil Bingham wrote:
>
> I did in the end find details on this. It is a case of things changing
> between freeswan 1.xx and 2.xx and defaulting on to the new behaviour. If
> anyone is interested they can find the details here:
>
> http://lists.freeswan.ca/pipermail/sfs-users/2003-June/004614.html
>
> Our initial testing of the VPN was using freeswan 1.99.
>
> On a slightly related note one little niggle I've had with fwbuilder is that
> by default its logging routine doesn't differentiate between 'RULE <n>' in
> the global policy and 'RULE <n>' on an interface.
>

you could use macro '%I' in the definition of the custom prefix, it is
replaced with the name of the interface or word "Global" in the log record.
Basically, you make logging prefix look something like this:

RULE %N -- %A %I

Firewall Builder Users Guide has a list of all custom logging macros the
policy compilers understand.

--vk

> I noticed today the feature in the options for a rule that you can put a
> custom prefix which is helpful, but when enabled it doesn't display ACCEPT
> or REJECT when it logs against a rule. Is this a bug?
>
> I think a useful feature would be the ability to set a prefix string for
> each interface, perhaps in the interface properties. Would this be
> possible? This would be more useful than the individual rule prefix option
> IMHO.
>
> Thanks for your help,
>
> Neil.