Add more config info for OpenVPN

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2859 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2005-10-12 15:25:01 +00:00
parent bca5b8a8ef
commit 5efcf21b43


@ -21,7 +21,7 @@
</author> </author>
</authorgroup> </authorgroup>
<pubdate>2005-09-30</pubdate> <pubdate>2005-10-12</pubdate>
<copyright> <copyright>
<year>2003</year> <year>2003</year>
@ -290,30 +290,30 @@ road loc ACCEPT</programlisting>
<programlisting>dev tun <programlisting>dev tun
server 192.168.2.0 255.255.255.0 server 192.168.2.0 255.255.255.0
dh dh1024.pem dh dh1024.pem
ca /etc/certs/cacert.pem ca /etc/certs/cacert.pem
crl-verify /etc/certs/crl.pem crl-verify /etc/certs/crl.pem
cert /etc/certs/SystemA.pem cert /etc/certs/SystemA.pem
key /etc/certs/SystemA_key.pem key /etc/certs/SystemA_key.pem
port 1194 port 1194
comp-lzo comp-lzo
user nobody user nobody
group nogroup group nogroup
ping 15 ping 15
ping-restart 45 ping-restart 45
ping-timer-rem ping-timer-rem
persist-tun persist-tun
persist-key persist-key
verb 3</programlisting> verb 3</programlisting>
</blockquote> </blockquote>
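Review bot: Neither this hunk nor the following one at -371 shows any textual difference between the two columns (every line from `dev tun` through `verb 3` and the closing `</blockquote>` is identical on both sides), so these appear to be whitespace or indentation-only changes. Consider keeping formatting-only re-indentation in a separate commit from the content change described in the commit message, so the review of the OpenVPN config examples is not padded with no-op hunks.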
@ -371,28 +371,28 @@ $FW home ACCEPT</programlisting>
<programlisting>dev tun <programlisting>dev tun
remote 206.162.148.9 remote 206.162.148.9
up /etc/openvpn/home.up up /etc/openvpn/home.up
tls-client tls-client
pull pull
ca /etc/certs/cacert.pem ca /etc/certs/cacert.pem
cert /etc/certs/SystemB.pem cert /etc/certs/SystemB.pem
key /etc/certs/SystemB_key.pem key /etc/certs/SystemB_key.pem
port 1194 port 1194
user nobody user nobody
group nogroup group nogroup
comp-lzo comp-lzo
ping 15 ping 15
ping-restart 45 ping-restart 45
ping-timer-rem ping-timer-rem
persist-tun persist-tun
persist-key persist-key
verb 3</programlisting> verb 3</programlisting>
</blockquote> </blockquote>
@ -564,28 +564,82 @@ verb 3</programlisting>
url="SimpleBridge.html">Simple Bridge documentation</ulink>.</para> url="SimpleBridge.html">Simple Bridge documentation</ulink>.</para>
<section> <section>
<title>/etc/shorewall/interfaces</title> <title>Firewall</title>
<para>Note that the bridge (br0) is defined as the interface to the <section>
local zone and has the <emphasis role="bold">routeback</emphasis> <title>/etc/shorewall/interfaces</title>
option.</para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS <para>Note that the bridge (br0) is defined as the interface to the
local zone and has the <emphasis role="bold">routeback</emphasis>
option.</para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
net eth2 206.124.146.255 dhcp,norfc1918,logmartians,blacklist,tcpflags,nosmurfs net eth2 206.124.146.255 dhcp,norfc1918,logmartians,blacklist,tcpflags,nosmurfs
loc br0 192.168.1.255 dhcp,<emphasis role="bold">routeback</emphasis> loc br0 192.168.1.255 dhcp,<emphasis role="bold">routeback</emphasis>
dmz eth1 - logmartians dmz eth1 - logmartians
Wifi eth0 192.168.3.255 dhcp,maclist Wifi eth0 192.168.3.255 dhcp,maclist
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
</section>
<section>
<title>/etc/shorewall/tunnels</title>
<programlisting>#TYPE ZONE GATEWAY GATEWAY
# ZONE
openvpnserver:1194 Wifi 192.168.3.0/24
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
</section>
</section> </section>
<section> <section>
<title>/etc/shorewall/tunnels</title> <title>Tipper</title>
<programlisting>#TYPE ZONE GATEWAY GATEWAY <section>
# ZONE <title>/etc/shorewall/zones</title>
openvpn-server:1194 Wifi 192.168.3.0/24
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting> <programlisting>#ZONE IPSEC OPTIONS IN OUT
# ONLY OPTIONS OPTIONS
<emphasis role="bold">home ipv4</emphasis> #Wired LAN at our home
net ipv4
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
</programlisting>
</section>
<section>
<title>/etc/shorewall/interfaces</title>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
#
net eth0 detect routefilter,dhcp,tcpflags
<emphasis role="bold">home tap0 192.168.1.255</emphasis>
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
</programlisting>
</section>
<section>
<title>/etc/shorewall/policy</title>
<para>Since we don't expect any traffic between the <emphasis
role="bold">net</emphasis> zone and the <emphasis
role="bold">home</emphasis> zone, we use NONE policies for that
traffic. If any such traffic should occur, it will be handled
according to the all-&gt;all policy.</para>
<programlisting>#SOURCE DEST POLICY LOG LIMIT:BURST
# LEVEL
fw net ACCEPT
<emphasis role="bold">fw home ACCEPT
home fw ACCEPT
net home NONE
home net NONE</emphasis>
net all DROP info
# The FOLLOWING POLICY MUST BE LAST
all all REJECT info
#LAST LINE -- DO NOT REMOVE
</programlisting>
</section>
</section> </section>
</section> </section>
</section> </section>
</article> </article>
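Review bot: The tunnel type is spelled differently in the moved block and the removed block: the new `/etc/shorewall/tunnels` section under "Firewall" has `openvpnserver:1194 Wifi 192.168.3.0/24`, while the line it replaces reads `openvpn-server:1194 Wifi 192.168.3.0/24`. Only one of these will be accepted by the tunnels file parser, so confirm the intended spelling and make sure the earlier examples in the document use the same one. Two smaller consistency points in the new "Tipper" section: the policy entries `fw net ACCEPT`, `fw home ACCEPT` and `home fw ACCEPT` name the firewall zone as `fw`, whereas the hunk header context at -371 shows the same document using `$FW home ACCEPT`; and the zones file header reads `#ZONE IPSEC OPTIONS IN OUT` / `# ONLY OPTIONS OPTIONS` while both entries (`home ipv4`, `net ipv4`) carry `ipv4` in the second column, which does not match an "IPSEC ONLY" column. Check that the header row reflects the zones file format this release actually expects.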