diff --git a/Shorewall-docs/OPENVPN.html b/Shorewall-docs/OPENVPN.html index 08b40777a..4e2971c84 100755 --- a/Shorewall-docs/OPENVPN.html +++ b/Shorewall-docs/OPENVPN.html @@ -1,281 +1,283 @@
- + -+ |
OpenVPN Tunnels- |
-
OpenVPN is a robust and highly configurable VPN (Virtual Private Network)
-daemon which can be used to securely link two or more private networks using
-an encrypted tunnel over the internet. OpenVPN is an Open Source project and
-is licensed under the
-GPL. OpenVPN can be downloaded from
+
+ OpenVPN is a robust and highly configurable VPN (Virtual Private Network)
+ daemon which can be used to securely link two or more private networks using
+ an encrypted tunnel over the internet. OpenVPN is an Open Source project
+and is licensed under
+the GPL. OpenVPN can be downloaded from http://openvpn.sourceforge.net/.
-
OpenVPN support was added to Shorewall in version 1.3.14.
-
Suppose that we have the following situation:
- +
-
We want systems in the 192.168.1.0/24 subnetwork to be able -to communicate with the systems in the 10.0.0.0/8 network. This is accomplished -through use of the /etc/shorewall/tunnels file and the /etc/shorewall/policy -file and OpenVPN.
- -While it was possible to use the Shorewall start and stop -script to start and stop OpenVPN, I decided to use the init script of OpenVPN -to start and stop it.
- -On each firewall, you will need to declare a zone to represent -the remote subnet. We'll assume that this zone is called 'vpn' and declare -it in /etc/shorewall/zones on both systems as follows.
- -+ + +We want systems in the 192.168.1.0/24 subnetwork to be able + to communicate with the systems in the 10.0.0.0/8 network. This is accomplished + through use of the /etc/shorewall/tunnels file and the /etc/shorewall/policy + file and OpenVPN.
+ +While it was possible to use the Shorewall start and stop + script to start and stop OpenVPN, I decided to use the init script of OpenVPN + to start and stop it.
+ +On each firewall, you will need to declare a zone to represent + the remote subnet. We'll assume that this zone is called 'vpn' and declare + it in /etc/shorewall/zones on both systems as follows.
+ ++ +- -
+- -ZONE -DISPLAY -COMMENTS -- - - + +vpn -VPN -Remote Subnet -+ +ZONE +DISPLAY +COMMENTS ++ + + +vpn +VPN +Remote Subnet +On system A, the 10.0.0.0/8 will comprise the vpn +zone. In /etc/shorewall/interfaces:
+ ++- -+ +
+ +ZONE +INTERFACE +BROADCAST +OPTIONS ++ + +vpn +tun0 ++
++ On system A, the 10.0.0.0/8 will comprise the vpn zone. -In /etc/shorewall/interfaces:
- --- +- -
-- -ZONE -INTERFACE -BROADCAST -OPTIONS -- - - -vpn -tun0 --
-- In /etc/shorewall/tunnels on system A, we need the following:
- -+ ++ +- -- -
-- -TYPE -ZONE -GATEWAY -GATEWAY ZONE -- - - + +openvpn -net -134.28.54.2 -- + +TYPE +ZONE +GATEWAY +GATEWAY ZONE ++ + +openvpn +net +134.28.54.2 ++ This entry in /etc/shorewall/tunnels opens the firewall so that OpenVPN -traffic on the default port 5000/udp will be accepted to/from the remote gateway. -If you change the port used by OpenVPN to 7777, you can define /etc/shorewall/tunnels -like this:
+This entry in /etc/shorewall/tunnels opens the firewall so that OpenVPN + traffic on the default port 5000/udp will be accepted to/from the remote +gateway. If you change the port used by OpenVPN to 7777, you can define /etc/shorewall/tunnels + like this:
+ +
+++ ++ +
++ +TYPE +ZONE +GATEWAY +GATEWAY ZONE ++ + + +openvpn:7777 +net +134.28.54.2 ++ This is the OpenVPN config on system A:
+ ++ ++ +++ +dev tun
+
+ local 206.162.148.9
+ remote 134.28.54.2
+ ifconfig 192.168.99.1 192.168.99.2
+ up ./route-a.up
+ tls-server
+ dh dh1024.pem
+ ca ca.crt
+ cert my-a.crt
+ key my-a.key
+ comp-lzo
+ verb 5
+Similarly, On system B the 192.168.1.0/24 subnet will comprise the vpn + zone. In /etc/shorewall/interfaces:
+ +++ ++ +
++ +ZONE +INTERFACE +BROADCAST +OPTIONS ++ + + +vpn +tun0 +192.168.1.255 ++ In /etc/shorewall/tunnels on system B, we have:
+ +++ ++ +
++ +TYPE +ZONE +GATEWAY +GATEWAY ZONE ++ + + +openvpn +net +206.191.148.9 ++ And in the OpenVPN config on system B:
+ +++ +dev tun
+
+ local 134.28.54.2
+ remote 206.162.148.9
+ ifconfig 192.168.99.2 192.168.99.1
+ up ./route-b.up
+ tls-client
+ ca ca.crt
+ cert my-b.crt
+ key my-b.key
+ comp-lzo
+ verb 5
+You will need to allow traffic between the "vpn" zone and + the "loc" zone on both systems -- if you simply want to admit all +traffic in both directions, you can use the policy file:
+ +++ ++ +
++ +SOURCE +DEST +POLICY +LOG LEVEL ++ +loc +vpn +ACCEPT ++ + + + +vpn +loc +ACCEPT ++ On both systems, restart Shorewall and start OpenVPN. The systems in the + two masqueraded subnetworks can now talk to each other.
+ +Updated 2/4/2003 - Tom Eastep +and Simon Mater
-
-- -- -
-- -TYPE -ZONE -GATEWAY -GATEWAY ZONE -- - - -openvpn:7777 -net -134.28.54.2 -- This is the OpenVPN config on system A:
- -- -- --- -dev tun
-
- local 206.162.148.9
- remote 134.28.54.2
- ifconfig 192.168.99.1 192.168.99.2
- up ./route-a.up
- tls-server
- dh dh1024.pem
- ca ca.crt
- cert my-a.crt
- key my-a.key
- comp-lzo
- verb 5
-Similarly, On system B the 192.168.1.0/24 subnet will comprise the vpn -zone. In /etc/shorewall/interfaces:
- --- -- -
-- -ZONE -INTERFACE -BROADCAST -OPTIONS -- - - -vpn -tun0 -192.168.1.255 -- In /etc/shorewall/tunnels on system B, we have:
- --- -- -
-- -TYPE -ZONE -GATEWAY -GATEWAY ZONE -- - - -openvpn -net -206.191.148.9 -- And in the OpenVPN config on system B:
- --- -dev tun
-
- local 134.28.54.2
- remote 206.162.148.9
- ifconfig 192.168.99.2 192.168.99.1
- up ./route-b.up
- tls-client
- ca ca.crt
- cert my-b.crt
- key my-b.key
- comp-lzo
- verb 5
-You will need to allow traffic between the "vpn" zone and - the "loc" zone on both systems -- if you simply want to admit all traffic - in both directions, you can use the policy file:
- --- -- -
-- -SOURCE -DEST -POLICY -LOG LEVEL -- -loc -vpn -ACCEPT -- - - - -vpn -loc -ACCEPT -- On both systems, restart Shorewall and start OpenVPN. The systems in the -two masqueraded subnetworks can now talk to each other.
- -Updated 2/4/2003 - Tom Eastep -and Simon Mater
-- -
Copyright -© 2003 Thomas M. Eastep. and Simon Mater
-
-
+ +Copyright + © 2003 Thomas M. Eastep. and Simon Mater
+
+
+
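Review bot: the system B tunnels entry and the system B OpenVPN config in this hunk disagree on system A's public address. The tunnels table for B lists the gateway as 206.191.148.9, while B's OpenVPN config says `remote 206.162.148.9` and A's own config says `local 206.162.148.9`. Since the page states that the tunnels entry is what "opens the firewall so that OpenVPN traffic on the default port 5000/udp will be accepted to/from the remote gateway", Shorewall on B would open the port for 206.191.148.9 and the packets actually exchanged with 206.162.148.9 would not be matched by that entry; the mismatch exists in the removed lines too, so the reflow carried it over and one of the two addresses should be corrected. Minor: the footer reads "Thomas M. Eastep. and Simon Mater" with a stray period before "and", and "Updated 2/4/2003" was left as is, which is only right if this change is purely a whitespace reflow.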
diff --git a/Shorewall-docs/SeattleInTheSpring.html b/Shorewall-docs/SeattleInTheSpring.html new file mode 100755 index 000000000..6a50ef5f2 --- /dev/null +++ b/Shorewall-docs/SeattleInTheSpring.html @@ -0,0 +1,52 @@ + + + + + +Springtime in Seattle!!! + + + + + + + ++ +
+ + ++ + + ++ +Visit Seattle in the Springtime!!!!
++
+
+ March 6, 2003 - Nice day for a walk....
+
++
+
+
++ +
The view from my office window -- think I'll go out and enjoy the deck +(Yes -- that is snow on the deck...).
+ +
+Updated 3/7/2003 - Tom Eastep +
+ +Copyright © 2001, 2002 Thomas M. Eastep.
+
+
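Review bot: the copyright line in this new page reads "Copyright © 2001, 2002" while the page itself is dated "March 6, 2003" and marked "Updated 3/7/2003"; the other pages touched in this change (download.htm, shoreline.htm) carry "2001, 2002, 2003", so this one should match. It is also worth confirming that a personal photo page belongs under Shorewall-docs, since none of the other files in this diff link to it.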
+ + diff --git a/Shorewall-docs/download.htm b/Shorewall-docs/download.htm index 0f3bd5b30..cd2cee24c 100644 --- a/Shorewall-docs/download.htm +++ b/Shorewall-docs/download.htm @@ -1,391 +1,454 @@ - + - + - + - +Download - +- -
- -- ++ + - - + + + +- + -Shorewall Download
-I strongly urge you to read and print a copy of the Shorewall QuickStart Guide - for the configuration that most closely matches your own.
- -
-The entire set of Shorewall documentation is available in PDF format at:
- -ftp://slovakia.shorewall.net/mirror/shorewall/pdf/
-
- http://slovakia.shorewall.net/pub/shorewall/pdf/
- rsync://slovakia.shorewall.net/shorewall/pdf/ -Once you've printed the appropriate QuickStart Guide, download - one of the modules:
- +I strongly urge you to read and print a copy of the Shorewall QuickStart Guide + for the configuration that most closely matches your own.
+ +
+The entire set of Shorewall documentation is available in PDF format +at:
+ +ftp://slovakia.shorewall.net/mirror/shorewall/pdf/
+ +
+ http://slovakia.shorewall.net/pub/shorewall/pdf/
+ rsync://slovakia.shorewall.net/shorewall/pdf/ +The documentation in HTML format is included in the .rpm and in the +.tgz packages below.
+ +Once you've printed the appropriate QuickStart Guide, download + one of the modules:
+-
- -- If you run a RedHat, SuSE, Mandrake, - Linux PPC or TurboLinux distribution - with a 2.4 kernel, you can use the RPM version (note: the - RPM should also work with other distributions that - store init scripts in /etc/init.d and that include chkconfig +
- If you run a RedHat, SuSE, Mandrake, + Linux PPC or TurboLinux distribution + with a 2.4 kernel, you can use the RPM version (note: the + RPM should also work with other distributions that + store init scripts in /etc/init.d and that include chkconfig or insserv). If you find that it works in other cases, let me know so that - I can mention them here. See the Installation - Instructions if you have problems installing the RPM.
-- If you are running LRP, download the .lrp file (you - might also want to download the .tgz so you will have a copy of - the documentation).
-- If you run Debian - and would like a .deb package, Shorewall is included in both -the Debian - Testing Branch and the Debian -Unstable Branch.
-- Otherwise, download the shorewall - module (.tgz)
- + href="mailto:teastep@shorewall.net"> me know so that + I can mention them here. See the Installation + Instructions if you have problems installing the RPM. +- If you are running LRP, download the .lrp file (you + might also want to download the .tgz so you will have a copy +of the documentation).
+- If you run Debian + and would like a .deb package, Shorewall is included in both +the Debian + Testing Branch and the Debian + Unstable Branch.
+- Otherwise, download the shorewall + module (.tgz)
+The documentation in HTML format is included in the .tgz and .rpm files - and there is an documentation .deb that also contains the documentation. The -.rpm will install the documentation in your default document directory which -can be obtained using the following command:
-
-+ ++ +The documentation in HTML format is included in the .tgz and .rpm files + and there is an documentation .deb that also contains the documentation. The + .rpm will install the documentation in your default document directory which + can be obtained using the following command:
+ +
+-rpm --eval '%{defaultdocdir}'
-Please verify the version that you have downloaded -- during the - release of a new version of Shorewall, the links below may - point to a newer or an older version than is shown below.
- +Please verify the version that you have downloaded -- during the + release of a new version of Shorewall, the links below may + point to a newer or an older version than is shown below.
+-
- +- RPM - "rpm -qip LATEST.rpm"
-- TARBALL - "tar -ztf LATEST.tgz" (the directory - name will contain the version)
-- LRP - "mkdir Shorewall.lrp; cd Shorewall.lrp; tar - -zxf <downloaded .lrp>; cat var/lib/lrpkg/shorwall.version" -
- +- RPM - "rpm -qip LATEST.rpm"
+- TARBALL - "tar -ztf LATEST.tgz" (the directory + name will contain the version)
+- LRP - "mkdir Shorewall.lrp; cd Shorewall.lrp; tar + -zxf <downloaded .lrp>; cat var/lib/lrpkg/shorwall.version" +
+Once you have verified the version, check the errata to see - if there are updates that apply to the version that you have - downloaded.
- -WARNING - YOU CAN NOT SIMPLY INSTALL - THE RPM AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION - IS REQUIRED BEFORE THE FIREWALL WILL START as described in the QuickStart -Guides. Once you have completed configuration of your firewall, you -can enable startup by removing the file /etc/shorewall/startup_disabled.
- -Download Latest Version (1.4.0): Remember that updates - to the mirrors occur 1-12 hours after an update to the Washington + color="#ff0000"> errata to see + if there are updates that apply to the version that you have + downloaded.
+ +WARNING - YOU CAN NOT SIMPLY INSTALL + THE RPM AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION + IS REQUIRED BEFORE THE FIREWALL WILL START. Once you have completed + configuration of your firewall, you can enable startup by removing the + file /etc/shorewall/startup_disabled.
+ +Download Latest Version (1.4.0): Remember that updates + to the mirrors occur 1-12 hours after an update to the Washington State site.
- -+ ++- +Browse Download Sites:
- -+ ++- +- -
-- -SERVER LOCATION -DOMAIN -HTTP -FTP -- SourceForge (Incomplete) -
-sf.net -+ + +SERVER LOCATION +DOMAIN +HTTP +FTP ++ -SourceForge +
+sf.net +Browse -N/A -- -Slovak Republic -Shorewall.net -Browse -Browse -- -Texas, USA -Infohiiway.com -Browse -Browse -- -Hamburg, Germany -Shorewall.net -Browse -Browse -- -Martinez (Zona Norte - GBA), Argentina -Correofuego.com.ar -Browse -Browse -- +France -Shorewall.net -Browse -Browse -N/A +- +Washington State, USA -Shorewall.net -Browse -Browse +Slovak Republic +Shorewall.net +Browse +Browse + +Texas, USA +Infohiiway.com +Browse +Browse ++ +Hamburg, Germany +Shorewall.net +Browse +Browse ++ +Martinez (Zona Norte - GBA), Argentina +Correofuego.com.ar +Browse +Browse ++ +France +Shorewall.net +Browse +Browse ++ - - + +Washington State, USA +Shorewall.net +Browse +Browse +CVS:
- -+ ++ +- -The CVS repository - at cvs.shorewall.net contains the latest snapshots of the each - Shorewall component. There's no guarantee that what you find there + href="http://cvs.shorewall.net/Shorewall_CVS_Access.html">CVS repository + at cvs.shorewall.net contains the latest snapshots of the each + Shorewall component. There's no guarantee that what you find there will work at all.
-
-Last Updated 3/5/2003 - +
Last Updated 3/6/2003 - Tom Eastep
- +Copyright © 2001, 2002, 2003 Thomas M. Eastep.
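Review bot: the WARNING paragraph in this hunk drops the pointer "as described in the QuickStart Guides" after "SOME CONFIGURATION IS REQUIRED BEFORE THE FIREWALL WILL START", so the reader is now told that configuration is required but no longer told where it is described; keep the pointer, since the guides are linked at the top of the same page. The added sentence "The documentation in HTML format is included in the .rpm and in the .tgz packages below." duplicates the existing paragraph "The documentation in HTML format is included in the .tgz and .rpm files and there is an documentation .deb ..." a few lines lower; one of the two should go, and "an documentation .deb" should read "a documentation .deb". The "Please verify the version" list only checks the version string ("rpm -qip", "tar -ztf", "cat var/lib/lrpkg/..."); as the table sends readers to several third-party mirrors, publishing a checksum or signature for each release on the primary site and adding a verification step to that list would let readers confirm they got an unmodified package. Typo carried over in the CVS paragraph: "snapshots of the each Shorewall component".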
diff --git a/Shorewall-docs/images/P1000048.jpg b/Shorewall-docs/images/P1000048.jpg new file mode 100755 index 000000000..16c75640d Binary files /dev/null and b/Shorewall-docs/images/P1000048.jpg differ diff --git a/Shorewall-docs/images/P1000049.jpg b/Shorewall-docs/images/P1000049.jpg new file mode 100755 index 000000000..43d0a4ff9 Binary files /dev/null and b/Shorewall-docs/images/P1000049.jpg differ diff --git a/Shorewall-docs/images/P1000050.jpg b/Shorewall-docs/images/P1000050.jpg new file mode 100755 index 000000000..23d91cd78 Binary files /dev/null and b/Shorewall-docs/images/P1000050.jpg differ diff --git a/Shorewall-docs/shoreline.htm b/Shorewall-docs/shoreline.htm index 079f75bd1..ee7d09311 100644 --- a/Shorewall-docs/shoreline.htm +++ b/Shorewall-docs/shoreline.htm @@ -1,125 +1,128 @@ - +
About the Shorewall Author - + - + - + - +- -
- +- +- + + - - + + + ++ -Tom Eastep
-- + +
-
Tarry & Tom -- August 2002
- +
-
-
+ +-
- -- Born 1945 in Born 1945 in Washington State .
-- BA Mathematics from Washington +
- BA Mathematics from Washington State University 1967
-- MA Mathematics from MA Mathematics from University of Washington 1969
-- Burroughs Corporation (now Burroughs Corporation (now Unisys ) 1969 - 1980
-- Tandem Computers, Incorporated - (now part of the The New HP) 1980 -- present
-- Married 1969 - no children.
- +- Tandem Computers, Incorporated + (now part of the The New HP) 1980 - + present
+- Married 1969 - no children.
+I am currently a member of the design team for the next-generation - operating system from the NonStop Enterprise Division of HP.
- -I became interested in Internet Security when I established a home office - in 1999 and had DSL service installed in our home. I investigated - ipchains and developed the scripts which are now collectively known as - Seattle Firewall. Expanding - on what I learned from Seattle Firewall, I then designed and -wrote Shorewall.
- -I telework from our home in Shoreline, - Washington where I live with my wife Tarry.
- + +I am currently a member of the design team for the next-generation + operating system from the NonStop Enterprise Division of HP.
+ +I became interested in Internet Security when I established a home office + in 1999 and had DSL service installed in our home. I investigated + ipchains and developed the scripts which are now collectively known +as Seattle Firewall. +Expanding on what I learned from Seattle Firewall, I then designed +and wrote Shorewall.
+ +I telework from our home in Shoreline, Washington +where I live with my wife Tarry.
+Our current home network consists of:
- +-
- + +- 1.2Gz Athlon, Windows XP Pro, 320MB RAM, 40GB & -20GB IDE HDs and LNE100TX (Tulip) NIC - My personal Windows system. +
- 1.2Gz Athlon, Windows XP Pro, 320MB RAM, 40GB & +20GB IDE HDs and LNE100TX (Tulip) NIC - My personal Windows system. Serves as a PPTP server for Road Warrior access. Dual boots Mandrake 9.0.
-- Celeron 1.4Gz, RH8.0, 384MB RAM, 60GB HD, LNE100TX(Tulip) - NIC - My personal Linux System which runs Samba configured as a - WINS server. This system also has VMware installed and can run both - Debian Woody and Celeron 1.4Gz, RH8.0, 384MB RAM, 60GB HD, LNE100TX(Tulip) + NIC - My personal Linux System which runs Samba configured as +a WINS server. This system also has VMware installed and can run +both Debian Woody and SuSE 8.1 in virtual machines.
-- K6-2/350, RH8.0, 384MB RAM, 8GB IDE HD, EEPRO100 NIC - - Email (Postfix, Courier-IMAP and Mailman), HTTP (Apache), FTP (Pure_ftpd), +
- K6-2/350, RH8.0, 384MB RAM, 8GB IDE HD, EEPRO100 NIC + - Email (Postfix, Courier-IMAP and Mailman), HTTP (Apache), FTP (Pure_ftpd), DNS server (Bind 9).
-- PII/233, RH8.0, Kernel 2.4.20, 256MB MB RAM, 2GB SCSI - HD - 3 LNE100TX (Tulip) and 1 TLAN NICs - Firewall running Shorewall - 1.4.0 and a DHCP server.
-- Duron 750, Win ME, 192MB RAM, 20GB HD, RTL8139 NIC -- My wife's personal system.
-- PII/400 Laptop, WinXP SP1, 224MB RAM, 12GB HD, onboard - EEPRO100 and EEPRO100 in expansion base and LinkSys WAC11 - My -main work system.
- +- PII/233, RH8.0, 256MB MB RAM, 2GB SCSI HD - 3 +LNE100TX (Tulip) and 1 TLAN NICs - Firewall running Shorewall 1.3.14 +and a DHCP server.
+- Duron 750, Win ME, 192MB RAM, 20GB HD, RTL8139 NIC - +My wife's personal system.
+- PII/400 Laptop, WinXP SP1, 224MB RAM, 12GB HD, onboard + EEPRO100 and EEPRO100 in expansion base and LinkSys WAC11 - My main + work system.
+For more about our network see my Shorewall Configuration.
+All of our other systems are made by Compaq (part of the new HP).. All of our Tulip NICs are Netgear FA310TXs.
- + - - + +Last updated 3/7/2003 - Tom Eastep
- Copyright © 2001, 2002, 2003 Thomas + Copyright © 2001, 2002, 2003 Thomas M. Eastep.
-
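Review bot: the firewall entry in this hunk goes backwards: the removed line reads "PII/233, RH8.0, Kernel 2.4.20, ... Firewall running Shorewall 1.4.0" and the added line reads "Firewall running Shorewall 1.3.14" with the kernel version dropped, while download.htm in the same change advertises "Download Latest Version (1.4.0)". Please confirm this is intentional and not an older copy of the page overwriting a newer edit. Minor wording carried over from the old text: "256MB MB RAM", "part of the The New HP", and "(part of the new HP).." with a doubled period.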
diff --git a/Shorewall-docs/shorewall_mirrors.htm b/Shorewall-docs/shorewall_mirrors.htm index 9d1df357c..9926d876d 100644 --- a/Shorewall-docs/shorewall_mirrors.htm +++ b/Shorewall-docs/shorewall_mirrors.htm @@ -1,86 +1,87 @@ - + - + - + - +Shorewall Mirrors - +- -
- -- ++ + - - + + + +- Shorewall Mirrors
-Remember that updates to the mirrors are often delayed - for 6-12 hours after an update to the primary site.
- + +Remember that updates to the mirrors are often delayed + for 6-12 hours after an update to the primary rsync site. For HTML content, +the main web site (http://shorewall.sf.net) +is updated at the same time as the rsync site.
+The main Shorewall Web Site is http://shorewall.sf.net -and is located in California, USA. It is mirrored at:
- + href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net + and is located in California, USA. It is mirrored at: +-
- -- http://slovakia.shorewall.net - (Slovak Republic).
-- http://slovakia.shorewall.net + (Slovak Republic).
+- http://shorewall.infohiiway.com (Texas, USA).
-- http://germany.shorewall.net +
- http://germany.shorewall.net (Hamburg, Germany)
-- http://shorewall.correofuego.com.ar +
- http://shorewall.correofuego.com.ar (Martinez (Zona Norte - GBA), Argentina)
-- http://france.shorewall.net +
- http://france.shorewall.net (Paris, France)
-- http://www.shorewall.net +
- http://www.shorewall.net (Washington State, USA)
- + +
-The main Shorewall FTP Site is ftp://ftp.shorewall.net/pub/shorewall/ - and is located in Washington State, USA. It is mirrored at:
- + +The rsync site is mirrored via FTP at:
+-
-Search results and the mailing list archives are always fetched from the + Search results and the mailing list archives are always fetched from the site in Washington State.- ftp://slovakia.shorewall.net/mirror/shorewall - (Slovak Republic).
-- ftp://slovakia.shorewall.net/mirror/shorewall + (Slovak Republic).
+- ftp://ftp.infohiiway.com/pub/shorewall (Texas, USA).
-- ftp://germany.shorewall.net/pub/shorewall +
- ftp://germany.shorewall.net/pub/shorewall (Hamburg, Germany)
-- ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall +
- ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall (Martinez (Zona Norte - GBA), Argentina)
-- ftp://france.shorewall.net/pub/mirrors/shorewall +
- ftp://france.shorewall.net/pub/mirrors/shorewall (Paris, France)
- +
- -Last Updated 11/09/2002 - Last Updated 3/7/2003 - Tom Eastep
- +Copyright © 2001, 2002 Thomas M. Eastep.
-
+ size="2">Copyright © 2001, 2002, 2003 Thomas M. Eastep. +
+
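Review bot: the replacement sentence "The rsync site is mirrored via FTP at:" drops the primary FTP URL ftp://ftp.shorewall.net/pub/shorewall/ that the removed text gave, so this page no longer names the canonical FTP site at all, although download.htm in this change still lists the Washington State FTP server; keep the URL in the sentence. The delay figure also disagrees with download.htm: this page says mirrors lag the primary rsync site by 6-12 hours, download.htm says 1-12 hours; pick one. Finally, the page now describes two primaries, http://shorewall.sf.net "located in California, USA" for HTML and "the primary rsync site" for files, without saying where the rsync site is; the removed text said Washington State, and the "Search results and the mailing list archives are always fetched from the site in Washington State" sentence still refers to it, so that location should be stated again.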