diff --git a/Shorewall-docs2/Documentation_Index.xml b/Shorewall-docs2/Documentation_Index.xml
index c51662133..1b132fc84 100644
--- a/Shorewall-docs2/Documentation_Index.xml
+++ b/Shorewall-docs2/Documentation_Index.xml
@@ -15,7 +15,7 @@
- 2004-11-18
+ 2004-12-18
2001-2004
@@ -623,6 +623,10 @@
VPN
+
+ Basics
+
+
IPSEC
diff --git a/Shorewall-docs2/VPNBasics.xml b/Shorewall-docs2/VPNBasics.xml
index 1203e41df..18856bf70 100644
--- a/Shorewall-docs2/VPNBasics.xml
+++ b/Shorewall-docs2/VPNBasics.xml
@@ -120,20 +120,24 @@
- Local-host-to-remote-host — same as Local-host-to-local-gateway
+ Local-host-to-remote-host —
+ same as Local-host-to-local-gateway
above.
- Local-gateway-to-remote-gateway.
+ Local-gateway-to-remote-gateway.
- Remote-gateway-to-local-gateway.
+ Remote-gateway-to-local-gateway.
- Remote-host-to-local-host — same as Local-gateway-to-local-host
+ Remote-host-to-local-host —
+ same as Local-gateway-to-local-host
above.
@@ -175,26 +179,97 @@
+
+ Defining Remote Zones
+
+ Most VPN types are implemented using a virtual network device such
+ as pppN (e.g., ppp0), tunN (e.g., tun0), etc. This means that in most
+ cases, remote zone definition is similar to zones that you have already
+ defined.
+
+ /etc/shorewall/zones:
+
+ #ZONE DISPLAY COMMENT
+net Internet The big bad net
+loc Local Local LAN
+rem Remote Remote LAN
+
+ /etc/shorewall/interfaces:
+
+ #ZONE INTERFACE BROADCAST OPTION
+net eth0 detect norft1918,routefilter
+loc eth1 detect
+rem tun0 192.168.10.0/24
+
+ The /etc/shorewall/hosts file comes into play when:
+
+
+
+ You have a number of remote networks.
+
+
+
+ The remote networks have different firewall requirements and you
+ want to divide them into multiple zones.
+
+
+
+ There is no fixed relationship between the remote networks and
+ virtual network devices (for example, the VPN uses PPTP and remote
+ gateways connect on demand).
+
+
+
+ In this case, your configuration takes the following
+ approach:
+
+ etc/shorewall/zones:
+
+ #ZONE DISPLAY COMMENT
+net Internet The big bad net
+loc Local Local LAN
+rem1 Remote1 Remote LAN 1
+rem2 Remote2 Remote LAN 2
+
+ /etc/shorewall/interfaces:
+
+ #ZONE INTERFACE BROADCAST OPTION
+net eth0 detect norft1918,routefilter
+loc eth1 detect
+- tun+ -
+
+ /etc/shorewall/hosts:
+
+ #ZONE HOST(S) OPTIONS
+rem1 tun+:10.0.0.0/24
+rem2 tun+:10.0.1.0/24
+
+ The /etc/shorewall/hosts file is also used with
+ kernel 2.6 native IPSEC.
+
+
Eliminating the /etc/shorewall/tunnels file
- The /etc/shorewall/tunnels file provides no functionality that could
- not be implemented using entries in /etc/shorewall/rules and I have
- elimination of the /etc/shorewall/tunnels file as a long-term goal. The
- following sections show how entries in /etc/shorewall/tunnels can be
- replaced by rules for some common tunnel types.
+ The /etc/shorewall/tunnels file provides no
+ functionality that could not be implemented using entries in
+ /etc/shorewall/rules and I have elimination of the
+ /etc/shorewall/tunnels file as a long-term goal. The
+ following sections show how entries in
+ /etc/shorewall/tunnels can be replaced by rules for
+ some common tunnel types.
IPSEC
- /etc/shorewall/tunnels:
+ /etc/shorewall/tunnels:
#TYPE ZONE GATEWAY GATEWAY ZONE
ipsec Z1 1.2.3.4 Z2
- /etc/shorewall/rules:
+ /etc/shorewall/rules:
#ACTION SOURCE DEST PROTO DEST SOURCE
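Review bot: `norft1918` in the OPTION column of both added /etc/shorewall/interfaces examples (the two `net eth0 detect norft1918,routefilter` lines) is a typo for `norfc1918`; Shorewall recognises `norfc1918`, not `norft1918`, so a reader who copies the example as written gets an invalid-option error at startup. Two smaller points in the same hunk: the second zones example is introduced as `etc/shorewall/zones:` without the leading slash that every other file reference in the section uses, and the line `rem tun0 192.168.10.0/24` puts a network in CIDR notation into the BROADCAST column, which expects a broadcast address, `detect` or `-`; for a point-to-point tun device `-` is presumably what was meant, with the remote network described in /etc/shorewall/hosts as the later rem1/rem2 example already does.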
@@ -218,14 +293,14 @@ ACCEPT Z2:1.2.3.4 $FW udp 500
PPTP
- /etc/shorewall/tunnels:
+ /etc/shorewall/tunnels:
#TYPE ZONE GATEWAY GATEWAY ZONE
pptpserver Z1 1.2.3.4
- /etc/shorewall/rules:
+ /etc/shorewall/rules:
#ACTION SOURCE DEST PROTO DEST SOURCE
@@ -243,14 +318,14 @@ ACCEPT Z1:1.2.3.4 $FW 47
OpenVPN
- /etc/shorewall/tunnels:
+ /etc/shorewall/tunnels:
#TYPE ZONE GATEWAY GATEWAY ZONE
openvpn:P Z1 1.2.3.4
- /etc/shorewall/rules:
+ /etc/shorewall/rules:
#ACTION SOURCE DEST PROTO DEST SOURCE
diff --git a/Shorewall-docs2/myfiles.xml b/Shorewall-docs2/myfiles.xml
index 02e43923b..7ae9e3e15 100644
--- a/Shorewall-docs2/myfiles.xml
+++ b/Shorewall-docs2/myfiles.xml
@@ -15,7 +15,7 @@
- 2004-12-16
+ 2004-12-18
2001-2004
@@ -127,6 +127,11 @@
The firewall system itself runs a DHCP server that serves the local
network.
+ I have one system (Roadwarrior, 206.124.146.179) outside the
+ firewall. This system, which runs Debian Sarge (testing) is used for
+ roadwarrior IPSEC testing and for checking my firewall "from the
+ outside".
+
All administration and publishing is done using ssh/scp. I have a
desktop environment installed on the firewall but I am not usually logged
in to it. X applications tunnel through SSH to Ursa. The server also has a
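Review bot: the added paragraph is missing the closing comma of its parenthetical clause; "This system, which runs Debian Sarge (testing) is used for" should read "This system, which runs Debian Sarge (testing), is used for". The rest of the addition reads fine and the date bump matches the one in Documentation_Index.xml.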