From 80dd73b9e5deffe93f65ef37858a62cd141887ed Mon Sep 17 00:00:00 2001
From: teastep
Date: Tue, 16 Aug 2005 21:57:43 +0000
Subject: [PATCH] Add openvpnclient and openvpnserver tunnel types

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2511 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 Shorewall/changelog.txt | 2 ++
 Shorewall/firewall | 50 ++++++++++++++++++++++++++++++++++++++
 Shorewall/releasenotes.txt | 4 +++
 Shorewall/tunnels | 8 +++---
 4 files changed, 61 insertions(+), 3 deletions(-)

diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt
index 54df610b3..1036f6a67 100755
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -3,6 +3,8 @@ Changes in 2.5.3
 
 1) Allow exclusion lists in /etc/shorewall/tcrules.
 
+2) Added 'openvpnserver' and 'openvpnclient' tunnel types.
+
 Changes in 2.5.2
 
 1) Allow port lists in /etc/sorewall/accounting.
diff --git a/Shorewall/firewall b/Shorewall/firewall
index 3c597d615..ea7e404ca 100755
--- a/Shorewall/firewall
+++ b/Shorewall/firewall
@@ -2225,6 +2225,50 @@ setup_tunnels() # $1 = name of tunnels file
 progress_message " OPENVPN tunnel to $1:$protocol:$p defined."
 }
 
+ setup_one_openvpn_server() # $1 = gateway, $2 = kind[:port]
+ {
+ local protocol=udp
+ local p=1194
+
+ case $2 in
+ *:*:*)
+ protocol=${2%:*}
+ protocol=${protocol#*:}
+ p=${2##*:}
+ ;;
+ *:*)
+ p=${2#*:}
+ ;;
+ esac
+
+ addrule2 $inchain -p $protocol $(source_ip_range $1) --dport $p -j ACCEPT
+ addrule2 $outchain -p $protocol $(dest_ip_range $1) --sport $p -j ACCEPT
+
+ progress_message " OPENVPN server tunnel to $1:$protocol:$p defined."
+ }
+
+ setup_one_openvpn_client() # $1 = gateway, $2 = kind[:port]
+ {
+ local protocol=udp
+ local p=1194
+
+ case $2 in
+ *:*:*)
+ protocol=${2%:*}
+ protocol=${protocol#*:}
+ p=${2##*:}
+ ;;
+ *:*)
+ p=${2#*:}
+ ;;
+ esac
+
+ addrule2 $inchain -p $protocol $(source_ip_range $1) --dsport $p -j ACCEPT
+ addrule2 $outchain -p $protocol $(dest_ip_range $1) --dport $p -j ACCEPT
+
+ progress_message " OPENVPN client tunnel to $1:$protocol:$p defined."
+ }
+
 setup_one_generic() # $1 = gateway, $2 = kind:protocol[:port], $3 = Gateway Zone
 {
 local protocol
@@ -2297,6 +2341,12 @@ setup_tunnels() # $1 = name of tunnels file
 openvpn|OPENVPN|openvpn:*|OPENVPN:*)
 setup_one_openvpn $gateway $kind
 ;;
+ openvpnclient|OPENVPNCLIENT|openvpnclient:*|OPENVPNCLIENT:*)
+ setup_one_openvpn_client $gateway $kind
+ ;;
+ openvpnserver|OPENVPNSERVER|openvpnserver:*|OPENVPNSERVER:*)
+ setup_one_openvpn_server $gateway $kind
+ ;;
 generic:*|GENERIC:*)
 setup_one_generic $gateway $kind $z1
 ;;
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index c53785730..8796e76f7 100755
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
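Review bot: The inbound rule in setup_one_openvpn_client uses `--dsport`, which is not an iptables option; the line should read `addrule2 $inchain -p $protocol $(source_ip_range $1) --sport $p -j ACCEPT`, i.e. the mirror of the server function with the port side reversed. As written, iptables rejects the option, so the ACCEPT for the server's return traffic is never installed; whether that aborts the whole start-up or only drops that one rule depends on addrule2's error handling, which is outside the hunk. The `$2 = kind[:port]` comment on both new functions also understates what the `*:*:*)` case accepts; `# $1 = gateway, $2 = kind[:protocol][:port]` would match the parsing. The protocol/port parsing block is now repeated in three functions (setup_one_openvpn's body sits above the hunk), and factoring it into one helper would keep a future default or protocol change in a single place.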
@@ -8,6 +8,10 @@ New Features in Shorewall 2.5.3
 SOURCE and DEST columns of entries in /etc/shorewall/tcrules and
 Shorewall will generate the rule that you expect.
 
+2) Tunnel types "openvpnserver" and "openvpnclient" have been added
+ to reflect the introduction of client and server OpenVPN
+ configurations in OpenVPN 2.0.
+
 Problems Corrected in 2.5.2:
 
 1) You may now include port lists in in the /etc/shorewall/accounting
diff --git a/Shorewall/tunnels b/Shorewall/tunnels
index ffd8eb8a4..5d88f25d5 100644
--- a/Shorewall/tunnels
+++ b/Shorewall/tunnels
@@ -13,16 +13,18 @@
 #
 # TYPE -- must start in column 1 and be "ipsec", "ipsecnat",
 # "ipip", "gre", "6to4", "pptpclient", "pptpserver",
-# "openvpn" or "generic"
+# "openvpn", "openvpnclient", "openvpnserver" or
+# "generic"
 #
 # If the type is "ipsec" or "ipsecnat", it may be
 # followed by ":noah" to indicate that the Authentication
 # Header protocol (51) is not used by the tunnel.
 #
-# If type is "openvpn", it may optionally be followed
+# If type is "openvpn", "openvpnclient" or
+# "openvpnserver" it may optionally be followed
 # by ":" and the port number used by the tunnel. if no
 # ":" and port number are included, then the default port
-# of 5000 will be used
+# of 1194 will be used
 #
 # If type is "generic", it must be followed by ":" and
 # a protocol name (from /etc/protocols) or a protocol
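Review bot: The rewritten default-port sentence in Shorewall/tunnels now claims 1194 for the plain "openvpn" type as well as the two new ones, but the only `p=1194` defaults this patch introduces are in setup_one_openvpn_server and setup_one_openvpn_client in Shorewall/firewall; setup_one_openvpn's default is outside the patch. If that function still uses the 5000 the removed line documented, the comment misdescribes the rule that gets installed and a user relying on it would find the tunnel's traffic blocked. Either confirm setup_one_openvpn already defaults to 1194 in the same release, or scope the sentence, e.g. `# of 1194 will be used ("openvpn" tunnels previously defaulted to 5000)`.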