[Shorewall-users] unable to filter or log vpn traffic

Paolo paolo at paologalati.it
Tue Mar 15 15:51:06 PST 2005


First, thanks for the replies. Now I'll try to complete the info;
attached is an image with a clearer net topology.

this is my configuration:

shorewall/zones
net     Net         Internet
loc     Local       Local Network
wlan    wlan        Wireless LAN

shorewall/interfaces
net      ppp0       -           routefilter,norfc1918,tcpflags,nosmurfs
loc      eth1       detect      dhcp
wlan     eth2       detect      dhcp

shorewall/policy
fw          net         ACCEPT
loc         net         ACCEPT
wlan        net         ACCEPT
fw          loc         ACCEPT
fw          wlan        ACCEPT
net         all         DROP        info
all         all         REJECT      info

shorewall/routestopped
eth1        -


Now, to reply to Tom: yes, stopping the firewall with ADMINISABSENTMINDED=No 
stops the VPN, blocking incoming packets (absolutely no external interface in 
routestopped), but with the firewall started I'm not able to log or filter 
traffic. I put this entry at the top of the rules file:

#ACTION         SOURCE                  DEST        PROTO
LOG:info        all                     all         udp

but when using the VPN nothing appears in the log. Is the rule correct for logging traffic
on this VPN? Maybe not!!

Thanks for the fast reply, Paolo.


Tom Eastep wrote:
> Paolo wrote:
> 
> 
>>So this VPN creates a direct connection from one of my internal machines
>>to an external server, completely bypassing my firewall; it seems I can do nothing
>>to control the traffic.
> 
> 
> With ADMINISABSENTMINDED=Yes, once you have allowed the VPN connection
> to be established then the only things that you can do to stop traffic
> through that VPN are:
> 
> a) Use the 'cutter' utility to sever the VPN connection (or unload the
> ip_conntrack kernel module).
> b) Set BLACKLISTNEWONLY=No in shorewall.conf and blacklist the remote
> gateway.
> 
> With ADMINISABSENTMINDED=No, stopping Shorewall will probably stop VPN
> traffic since you normally don't have your external interfaces enabled
> in your /etc/shorewall/routestopped file.
> 
> -Tom

-- 
Paolo
mailto:paolo at paologalati.it
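As an added example (not part of the mailing-list thread and not Shorewall's own code), the following small evaluator parses the zones, policy and rules fragments posted above and works out what a new connection between two zones would hit: the rules file first (a LOG entry is non-terminating, like the iptables LOG target, so evaluation continues past it), then the first matching policy entry. It models one Shorewall behaviour that matters for the question in the post: packets belonging to an already established connection are accepted by state matching before the rules chain is consulted, so a LOG rule added after the VPN is up does not see that flow. The sample files are constructed strings, `fw` is treated as the implicit firewall zone, and the `state` argument is this evaluator's own modelling of conntrack state, not a Shorewall column.

```python
"""Evaluator for the posted Shorewall config (added example, not project code)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed copies of the files quoted in the post.
ZONES = """\
net     Net         Internet
loc     Local       Local Network
wlan    wlan        Wireless LAN
"""
POLICY = """\
fw          net         ACCEPT
loc         net         ACCEPT
wlan        net         ACCEPT
fw          loc         ACCEPT
fw          wlan        ACCEPT
net         all         DROP        info
all         all         REJECT      info
"""
RULES = """\
#ACTION         SOURCE                  DEST        PROTO
LOG:info        all                     all         udp
"""

@dataclass
class Entry:
    action: str            # ACCEPT / DROP / REJECT / LOG
    loglevel: Optional[str]
    source: str            # zone name or "all"
    dest: str
    proto: str             # protocol name or "all"

def _columns(text: str):
    """Yield whitespace-separated columns, skipping blank and comment lines."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line.split()

def parse_zones(text: str) -> List[str]:
    # "fw" is the implicit firewall zone in Shorewall; it is not listed in zones.
    return ["fw"] + [cols[0] for cols in _columns(text)]

def parse_policy(text: str) -> List[Entry]:
    out = []
    for cols in _columns(text):
        src, dst, action = cols[:3]
        level = cols[3] if len(cols) > 3 else None   # optional log level column
        out.append(Entry(action, level, src, dst, "all"))
    return out

def parse_rules(text: str) -> List[Entry]:
    out = []
    for cols in _columns(text):
        action, src, dst = cols[:3]
        proto = cols[3] if len(cols) > 3 else "all"
        name, _, level = action.partition(":")       # "LOG:info" -> ("LOG", "info")
        out.append(Entry(name, level or None, src, dst, proto))
    return out

def _zone_match(pattern: str, zone: str) -> bool:
    return pattern == "all" or pattern == zone

def evaluate(src: str, dst: str, proto: str, zones: List[str],
             policy: List[Entry], rules: List[Entry],
             state: str = "NEW") -> Tuple[str, List[str]]:
    """Return (final action, list of log events) for one packet."""
    if src not in zones or dst not in zones:
        raise ValueError(f"unknown zone in {src}->{dst}")
    # Modelling assumption: Shorewall accepts ESTABLISHED/RELATED traffic by
    # conntrack state before the rules file is consulted.
    if state != "NEW":
        return "ACCEPT", []
    events: List[str] = []
    for r in rules:
        if (_zone_match(r.source, src) and _zone_match(r.dest, dst)
                and r.proto in ("all", proto)):
            if r.action == "LOG":
                events.append(f"LOG:{r.loglevel} {src}->{dst}/{proto}")
                continue                     # LOG does not terminate evaluation
            return r.action, events
    for p in policy:                         # first matching policy wins
        if _zone_match(p.source, src) and _zone_match(p.dest, dst):
            if p.loglevel:
                events.append(f"{p.action}:{p.loglevel} policy {src}->{dst}")
            return p.action, events
    raise ValueError("no policy matched")

def lookup(src: str, dst: str, proto: str, state: str = "NEW"):
    """Convenience wrapper bound to the constructed sample files above."""
    return evaluate(src, dst, proto, parse_zones(ZONES),
                    parse_policy(POLICY), parse_rules(RULES), state)

if __name__ == "__main__":
    for probe in [("net", "loc", "udp", "NEW"), ("net", "loc", "udp", "ESTABLISHED"),
                  ("loc", "net", "tcp", "NEW"), ("wlan", "loc", "tcp", "NEW")]:
        print(probe, "->", lookup(*probe))
```

Run as a script to see, for each probe, the final action and the log lines that would be generated; the second probe shows why an established VPN flow produces no log entries from a LOG rule placed in the rules file.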
-------------- next part --------------
A non-text attachment was scrubbed...
Name: net-topology.jpg
Type: image/jpeg
Size: 50185 bytes
Desc: not available
Url : http://lists.shorewall.net/pipermail/shorewall-users/attachments/20050316/ff6110fa/net-topology-0001.jpg