#
# Shorewall version 3.3 - Tunnels File
#
# /etc/shorewall/tunnels
#
# This file defines IPSEC, GRE, IPIP and OPENVPN tunnels.
#
# IPIP, GRE and OPENVPN tunnels must be configured on the
# firewall/gateway itself. IPSEC endpoints may be defined
# on the firewall/gateway or on an internal system.
#
# The columns are:
#
# TYPE -- must start in column 1 and be "ipsec", "ipsecnat",
#         "ipip", "gre", "6to4", "pptpclient", "pptpserver",
#         "openvpn", "openvpnclient", "openvpnserver" or
#         "generic"
#
#         If the type is "ipsec" or "ipsecnat", it may be
#         followed by ":noah" to indicate that the Authentication
#         Header protocol (51) is not used by the tunnel.
#
#         If type is "openvpn", "openvpnclient" or
#         "openvpnserver" it may optionally be followed by ":"
#         and "tcp" or "udp" to specify the protocol to be
#         used. If not specified, "udp" is assumed.
#
#         If type is "openvpn", "openvpnclient" or
#         "openvpnserver" it may optionally be followed
#         by ":" and the port number used by the tunnel. If no
#         ":" and port number are included, then the default port
#         of 1194 will be used. Where both the protocol and port
#         are specified, the protocol must be given first (e.g.,
#         openvpn:tcp:4444).
#
#         If type is "generic", it must be followed by ":" and
#         a protocol name (from /etc/protocols) or a protocol
#         number. If the protocol is "tcp" or "udp" (6 or 17),
#         then it may optionally be followed by ":" and a
#         port number.
#
# ZONE -- The zone of the physical interface through which
#         tunnel traffic passes. This is normally your internet
#         zone.
#
# GATEWAY -- The IP address of the remote tunnel gateway. If the
#         remote gateway has no fixed address (Road Warrior)
#         then specify the gateway as 0.0.0.0/0. May be
#         specified as a network address and if your kernel and
#         iptables include iprange match support then IP address
#         ranges are also allowed.
#
# GATEWAY
# ZONES -- Optional. If the gateway system specified in the third
#         column is a standalone host then this column should
#         contain a comma-separated list of the names of the
#         zones that the host might be in. This column only
#         applies to IPSEC tunnels where it enables ISAKMP
#         traffic to flow through the tunnel to the remote
#         gateway.
#
# Example 1:
#
#         IPSec tunnel. The remote gateway is 4.33.99.124 and
#         the remote subnet is 192.168.9.0/24. The tunnel does
#         not use the AH protocol.
#
#         ipsec:noah      net     4.33.99.124
#
# Example 2:
#
#         Road Warrior (LapTop that may connect from anywhere)
#         where the "gw" zone is used to represent the remote
#         LapTop.
#
#         ipsec           net     0.0.0.0/0       gw
#
# Example 3:
#
#         Host 4.33.99.124 is a standalone system connected
#         via an ipsec tunnel to the firewall system. The host
#         is in zone gw.
#
#         ipsec           net     4.33.99.124     gw
#
# Example 4:
#
#         Road Warriors that may belong to zones vpn1, vpn2 or
#         vpn3. The FreeS/Wan _updown script will add the
#         host to the appropriate zone using the "shorewall add"
#         command on connect and will remove the host from the
#         zone at disconnect time.
#
#         ipsec           net     0.0.0.0/0       vpn1,vpn2,vpn3
#
# Example 5:
#
#         You run the Linux PPTP client on your firewall and
#         connect to server 192.0.2.221.
#
#         pptpclient      net     192.0.2.221
#
# Example 6:
#
#         You run a PPTP server on your firewall.
#
#         pptpserver      net
#
# Example 7:
#
#         OPENVPN tunnel. The remote gateway is 4.33.99.124 and
#         openvpn uses port 7777.
#
#         openvpn:7777    net     4.33.99.124
#
# Example 8:
#
#         You have a tunnel that is not one of the supported
#         types. Your tunnel uses UDP port 4444. The other end
#         of the tunnel is 4.3.99.124.
#
#         generic:udp:4444 net    4.3.99.124
#
# See http://shorewall.net/Documentation.htm#Tunnels for additional
# information.
#
###############################################################################
#TYPE                   ZONE    GATEWAY         GATEWAY
#                                               ZONE
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
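Added example, not part of the Shorewall distribution: a small parser for the tunnels file format described above that lists, for each entry, the protocols and ports the firewall will have to admit between ZONE and GATEWAY. It is useful when auditing a ruleset, since a tunnel entry is an implicit accept rule. Assumptions are labelled in the comments: an omitted GATEWAY is treated as 0.0.0.0/0 (as in Example 6), and the IANA protocol numbers (ESP 50, AH 51, GRE 47, IPIP 4, 6to4 41) and well-known ports (ISAKMP 500, NAT-T 4500, PPTP 1723) are standard values, not taken from the page.

```python
# Added example (not Shorewall's own code): parse /etc/shorewall/tunnels
# entries and list the traffic each one admits. Protocol numbers/ports are
# the standard IANA assignments (assumed here, not documented on the page).
DEFAULT_OPENVPN_PORT = 1194
PROTO_NUM = {"ipip": "4", "gre": "47", "6to4": "41"}

def parse_tunnel_line(line):
    """Return {type, opts, zone, gateway, gw_zones}, or None for comments/blanks."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    fields = line.split()
    if len(fields) < 2:
        raise ValueError(f"need at least TYPE and ZONE: {line!r}")
    ttype, *opts = fields[0].split(":")          # e.g. openvpn:tcp:4444
    gateway = fields[2] if len(fields) > 2 else "0.0.0.0/0"   # assumed default
    gw_zones = fields[3].split(",") if len(fields) > 3 else []
    return {"type": ttype.lower(), "opts": opts, "zone": fields[1],
            "gateway": gateway, "gw_zones": gw_zones}

def admitted_traffic(entry):
    """(protocol, port-or-None) pairs the firewall must accept for this tunnel."""
    t, opts = entry["type"], entry["opts"]
    if t in ("ipsec", "ipsecnat"):
        rules = [("esp", None), ("udp", 500)]       # ESP plus ISAKMP
        if "noah" not in opts:
            rules.append(("ah", None))               # AH (51) unless :noah
        if t == "ipsecnat":
            rules.append(("udp", 4500))              # NAT traversal
        return rules
    if t in PROTO_NUM:
        return [(PROTO_NUM[t], None)]
    if t in ("pptpclient", "pptpserver"):
        return [("47", None), ("tcp", 1723)]         # GRE + PPTP control
    if t in ("openvpn", "openvpnclient", "openvpnserver"):
        proto, port = "udp", DEFAULT_OPENVPN_PORT
        for o in opts:                               # order: [proto][:port]
            if o in ("tcp", "udp"):
                proto = o
            else:
                port = int(o)                        # ValueError on junk
        return [(proto, port)]
    if t == "generic":
        if not opts:
            raise ValueError("generic requires :protocol")
        port = int(opts[1]) if len(opts) > 1 else None
        return [(opts[0], port)]
    raise ValueError(f"unknown tunnel type {t!r}")
```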