diff --git a/Shorewall/compiler b/Shorewall/compiler
index 72d090ff6..8a44126e7 100755
--- a/Shorewall/compiler
+++ b/Shorewall/compiler
@@ -9220,7 +9220,7 @@ case "$COMMAND" in
compile_firewall $2
;;
- call)
+ call)
#
# Undocumented way to call functions in /usr/share/shorewall/compiler directly
#
diff --git a/docs/OPENVPN.xml b/docs/OPENVPN.xml
index f1d965abf..7ea4f173c 100644
--- a/docs/OPENVPN.xml
+++ b/docs/OPENVPN.xml
@@ -21,7 +21,7 @@
- 2006-03-19
+ 2006-03-21
2003
@@ -181,7 +181,7 @@ openvpn:tcp:7777 net 134.28.54.2
local 206.162.148.9
remote 134.28.54.2
ifconfig 192.168.99.1 192.168.99.2
-up ./route-a.up
+route 10.0.0.0 255.0.0.0 192.168.99.2
tls-server
dh dh1024.pem
ca ca.crt
@@ -217,7 +217,7 @@ openvpn net 206.191.148.9
local 134.28.54.2
remote 206.162.148.9
ifconfig 192.168.99.2 192.168.99.1
-up ./route-b.up
+route 192.168.1.0 255.255.255.0 192.168.99.1
tls-client
ca ca.crt
cert my-b.crt
diff --git a/docs/XenMyWay.xml b/docs/XenMyWay.xml
index 48c1bf0f4..0160e1e0d 100644
--- a/docs/XenMyWay.xml
+++ b/docs/XenMyWay.xml
@@ -15,7 +15,7 @@
- 2006-03-20
+ 2006-03-21
2006
@@ -110,7 +110,8 @@
eth0 -- conntected to
the switch in my office. That switch is cabled to a second switch in
my wife's office where there is my wife's desktop and her networked
- printer.
+ printer (sure which there had been wireless back when I strung that
+ CAT-5 cable halfway across the house).
@@ -279,7 +280,7 @@ done
- Dom0 Shorewall Configuration
+ Dom0 Configuration
The goals for the Shorewall configuration in Dom0 are as
follows:
@@ -349,7 +350,7 @@ SECTION NEW
- Firewall DomU Shorewall Configuration
+ Firewall DomU Configuration
In the firewall DomU, I run a conventional three-interface
firewall with Proxy ARP DMZ -- it is very similar to the firewall
@@ -493,7 +494,10 @@ vpn tun+ -
206.124.146.180 $EXT_IF 192.168.1.6 No No
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
- /etc/shorewall/masq:
+ /etc/shorewall/masq (Note the cute drick here and in
+ the proxyarp file that follows that allows me to
+ access the DSL "Modem" using it's default IP address
+ (192.168.1.1)):
#INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC
+$EXT_IF:192.168.1.1 0.0.0.0/0 192.168.1.254
@@ -697,18 +701,20 @@ DROP net:82.96.96.3 all
Wireless Gateway DomU Configuration
- The Shorewall configuration in the 'wireless' DomU is very
- simple-minded. It's sole purpose is to protect the local network from
- the Wireless net by restricting wireless access to clients that have
- established an OpenVPN Bridged
- connection. This configuration illustrates that you can use any Linux
- system on your internal LAN as a wireless gateway -- it doesn't have to
- be your main firewall (and it doesn't have to run in a Xen domain
- either). The wireless gateway runs a DHCP server that assigns wireless
- hosts an IP address in 192.168.3.0/24 -- The OpenVPN server running on
- the gateway assigns its clients an IP address in 192.168.1.0/24 so,
- thanks to bridging, these clients appear to be physically attached to
- the LAN).
+ The Shorewall configuration in the 'wireless' DomU is very simple.
+ It's sole purpose is to protect the local network from the Wireless net
+ by restricting wireless access to clients that have established an
+ OpenVPN Bridged connection. This
+ configuration illustrates that you can use any system on your internal
+ LAN as a wireless gateway -- it doesn't have to be your main firewall
+ (and it doesn't have to run in a Xen domain either and it doesn't even
+ have to run Linux). Our wireless gateway runs a DHCP server that assigns
+ wireless hosts an IP address in 192.168.3.0/24 -- The OpenVPN server
+ running on the gateway assigns its clients an IP address in
+ 192.168.1.0/24 so, thanks to bridging, these clients appear to be
+ physically attached to the LAN). That allows our two laptops to have the
+ same IP address in 192.168.1.0/24 regardless of whether they are
+ connected to the LAN directory or are connected wirelessly.
![]()
@@ -926,7 +932,8 @@ loc br0 192.168.1.255 dhcp,routeback
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
- /etc/shorewall/policy:
+ /etc/shorewall/policy (again, note the use
+ of an ACCEPT all->all policy):
#SOURCE DEST POLICY LOG LIMIT:BURST
# LEVEL
@@ -953,8 +960,24 @@ ACCEPT eth4 00:0f:66:ef:b6:f6 192.168.3.8
ACCEPT eth4 00:12:79:3d:fe:2e 192.168.3.6 #Work Laptop
ACCEPT eth4 - 192.168.3.254 #Broadcast/Multicast from us
DROP:info eth4 - 192.168.3.0/24
+DROP:info eth4 - 169.254.0.0/16 #Stop autoconfigured hosts.
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
+ The routing table on the wireless gateway is as follows:
+
+
+ 192.168.3.0/24 dev eth4 proto kernel scope link src 192.168.3.254
+192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.7
+169.254.0.0/16 dev eth4 scope link
+127.0.0.0/8 dev lo scope link
+default via 192.168.1.254 dev br0
+
+
+ The route to 169.254.0.0/16 is automatically generated by the
+ SuSE network scripts so I include that network in the
+ /etc/shorewall/maclist file for
+ completeness.
+
/etc/shorewall/rules:
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
@@ -962,6 +985,7 @@ DROP:info eth4 - 192.168.3.0/24
#SECTION ESTABLISHED
#SECTION RELATED
SECTION NEW
+ACCEPT Wifi loc:192.168.1.5 udp 123 #Allow NTP before OpenVPN is up.
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
@@ -970,10 +994,9 @@ SECTION NEW
/etc/openvpn/server-bridge (Note that I
prefer to push two /1 routes rather than to use the redirect-gateway directive on the client
- systems; I find that the latter occasionally leaves the remote system
- with no default gateway while my
- approach always works):
+ role="bold">redirect-gateway directive; I find that the
+ latter occasionally leaves the remote system with no default gateway):
dev tap0
@@ -1012,7 +1035,7 @@ verb 3
push "route 0.0.0.0 128.0.0.0 192.168.1.254"
push "route 128.0.0.0 128.0.0.0 192.168.1.254"
- /etc/openvpn/bridge-clients/tipper.shorewall.net
+ /etc/bridge-clients/tipper.shorewall.net
(used to assign a fixed IP address to clients -- there are other
similar files in this directory):