Add FAQ 43; Update OpenVPN article; change encryption to Blowfish in IPSEC 2.6

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1862 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2004-12-27 15:39:58 +00:00
parent 8d03d8c347
commit b346ac1840
3 changed files with 68 additions and 25 deletions

@ -17,7 +17,7 @@
</author>
</authorgroup>
<pubdate>2004-12-22</pubdate>
<pubdate>2004-12-26</pubdate>
<copyright>
<year>2001-2004</year>
@ -1590,6 +1590,17 @@ alias ipt_pkttype off</programlisting>
kernel, I also recommend upgrading to Shorewall 2.0.6 or later and then
setting PKTTYPE=No in shorewall.conf.</para>
</section>
<section>
<title>(FAQ 43) I just installed the Shorewall RPM and Shorewall doesn't
start at boot time.</title>
<para><emphasis role="bold">Answer</emphasis>: When you install using
the "rpm -U" command, Shorewall doesn't run your distribution's tool for
configuring Shorewall startup. You will need to run that tool (insserv,
chkconfig, run-level editor, …) to configure Shorewall to start in the
run-levels that you run your firewall system at.</para>
</section>
</section>
<section>
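Review bot: The answer names the tools (insserv, chkconfig, run-level editor) but never shows an invocation, which is what a reader of this FAQ actually needs; consider adding one example such as `chkconfig shorewall on` (or the insserv equivalent) after the list of tools, and state that the RPM leaves run-level setup to the administrator so the reader does not expect `rpm -U` to do it on a later upgrade either.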
@ -2014,7 +2025,17 @@ Verifying Configuration...
<para><revhistory>
<revision>
<revnumber>1.39</revnumber>
<revnumber>1.41</revnumber>
<date>2004-12-26</date>
<authorinitials>TE</authorinitials>
<revremark>Added FAQ 43.</revremark>
</revision>
<revision>
<revnumber>1.40</revnumber>
<date>2004-12-22</date>
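Review bot: The entry that carried revnumber 1.39 becomes 1.40 in the same change that adds 1.41, while its date stays 2004-12-22. If this is a deliberate correction of a mis-numbered entry it deserves a word in the commit message; otherwise the previous revision should keep its number and only the new 1.41 entry be added, since renumbering old revhistory entries makes the history impossible to cross-reference.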

@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2004-12-18</pubdate>
<pubdate>2004-12-26</pubdate>
<copyright>
<year>2004</year>
@ -347,7 +347,7 @@ remote 134.28.54.2
verify_identifier on ;
lifetime time 24 hour ;
proposal {
encryption_algorithm 3des;
encryption_algorithm blowfish;
hash_algorithm sha1;
authentication_method rsasig ;
dh_group 2 ;
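Review bot: The new line `encryption_algorithm blowfish;` has no space before the semicolon, while the matching phase-1 replacements in the `remote anonymous` hunks below use `blowfish ;`; pick one form so readers who copy the examples get consistent output. The commit message gives no reason for dropping 3des in phase 1; a sentence in the article explaining the choice (throughput, or matching what the peer supports) would help readers who must interoperate with an existing gateway.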
@ -358,7 +358,7 @@ sainfo address 192.168.1.0/24 any address 10.0.0.0/8 any
{
pfs_group 2;
lifetime time 12 hour ;
encryption_algorithm 3des, blowfish, des, rijndael ;
encryption_algorithm blowfish ;
authentication_algorithm hmac_sha1, hmac_md5 ;
compression_algorithm deflate ;
}
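Review bot: Narrowing the phase-2 list from `3des, blowfish, des, rijndael` to `blowfish` drops single DES, which is a real improvement, but it also removes rijndael (AES), the strongest option in the original list, and leaves a peer with no fallback if it is not built with Blowfish. Consider `rijndael, blowfish ;` here and in the identical sainfo hunks below, listed in that order so negotiation prefers AES; Blowfish, like 3DES, has a 64-bit block, so the 12 hour lifetime on this SA is doing real work and should not be lengthened when copying the example.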
@ -367,7 +367,7 @@ sainfo address 206.162.148.9/32 any address 10.0.0.0/8 any
{
pfs_group 2;
lifetime time 12 hour ;
encryption_algorithm 3des, blowfish, des, rijndael ;
encryption_algorithm blowfish ;
authentication_algorithm hmac_sha1, hmac_md5 ;
compression_algorithm deflate ;
}
@ -376,7 +376,7 @@ sainfo address 206.162.148.9/32 any address 134.28.54.2/32 any
{
pfs_group 2;
lifetime time 12 hour ;
encryption_algorithm 3des, blowfish, des, rijndael ;
encryption_algorithm blowfish ;
authentication_algorithm hmac_sha1, hmac_md5 ;
compression_algorithm deflate ;
}
@ -385,7 +385,7 @@ sainfo address 192.168.1.0/24 any address 134.28.54.2/32 any
{
pfs_group 2;
lifetime time 12 hour ;
encryption_algorithm 3des, blowfish, des, rijndael ;
encryption_algorithm blowfish ;
authentication_algorithm hmac_sha1, hmac_md5 ;
compression_algorithm deflate ;
}</programlisting>
@ -502,7 +502,7 @@ remote <emphasis role="bold">anonymous</emphasis>
verify_identifier on ;
lifetime time 24 hour ;
proposal {
encryption_algorithm 3des;
encryption_algorithm blowfish ;
hash_algorithm sha1;
authentication_method rsasig ;
dh_group 2 ;
@ -513,7 +513,7 @@ sainfo <emphasis role="bold">anonymous</emphasis>
{
pfs_group 2;
lifetime time 12 hour ;
encryption_algorithm 3des, blowfish, des, rijndael ;
encryption_algorithm blowfish ;
authentication_algorithm hmac_sha1, hmac_md5 ;
compression_algorithm deflate ;
}</programlisting>
@ -609,7 +609,7 @@ remote anonymous
my_identifier address ;
lifetime time 24 hour ;
proposal {
encryption_algorithm 3des;
encryption_algorithm blowfish ;
hash_algorithm sha1;
authentication_method pre_shared_key ;
dh_group 2 ;
@ -620,7 +620,7 @@ sainfo anonymous
{
pfs_group 2;
lifetime time 12 hour ;
encryption_algorithm 3des, blowfish, des, rijndael ;
encryption_algorithm blowfish ;
authentication_algorithm hmac_sha1, hmac_md5 ;
compression_algorithm deflate ;
}

@ -21,7 +21,7 @@
</author>
</authorgroup>
<pubdate>2004-12-23</pubdate>
<pubdate>2004-12-26</pubdate>
<copyright>
<year>2003</year>
@ -54,10 +54,10 @@
<warning>
<para>The default port number for OpenVPN changed from 5000 to 1194 in
Shorewall version 2.2.0 RC2. This change reflected a change in OpenVPN
which also changed its default to 1194. In the text that follows, where
you see Port 5000 this can also refer to port 1194 depending on which
version of Shorewall and OpenVPN that you are using.</para>
Shorewall version 2.2.0 RC2. This change follows OpenVPN 2.0 which also
changed its default port to 1194. In the text that follows, where you see
Port 1194 this can also refer to port 5000 depending on which version of
Shorewall and OpenVPN that you are using.</para>
</warning>
<section>
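Review bot: Leading with 1194 is the right fix now that the tunnels examples below use 1194, but the rewritten sentence still carries "depending on which version of Shorewall and OpenVPN that you are using"; drop "that". Naming OpenVPN 2.0 as the version that moved the default is also a useful addition, since the old text only said "a change in OpenVPN".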
@ -117,20 +117,23 @@ openvpn net 134.28.54.2</programlisting>
</blockquote>
<note>
<para>Shorewall versions prior to 2.2.0 Beta 1 enforced use of the same
port number for both the source and destination port.</para>
<para>Some OpenVPN clients (notabley on <trademark>Windows</trademark>)
do not use the same source and destination ports which can cause
problems. If system B is a Windows system or if you find that Shorewall
is blocking the UDP port 5000 traffic from the remote gateway, then you
will want the following entry in
<filename>/etc/shorewall/tunnels</filename> instead of the one
above:</para>
is blocking the UDP port 1194 traffic from the remote gateway and you
are running a version of Shorewall prior to 2.2.0 Beta 1, then you will
want the following entry in <filename>/etc/shorewall/tunnels</filename>
instead of the one above:</para>
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
generic:udp:5000 net 134.28.54.2</programlisting>
generic:udp:1194 net 134.28.54.2</programlisting>
</note>
<para>This entry in <filename>/etc/shorewall/tunnels</filename> opens the
firewall so that OpenVPN traffic on the default port 5000/udp will be
firewall so that OpenVPN traffic on the default port 1194/udp will be
accepted to/from the remote gateway. If you change the port used by
OpenVPN to 7777, you can define /etc/shorewall/tunnels like this:</para>
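Review bot: The unchanged context line still reads "notabley" ("notably"); since this note is being rewritten anyway, fix it here. Tying the generic:udp entry to "a version of Shorewall prior to 2.2.0 Beta 1" correctly connects it to the same-port limitation stated just above, but the resulting sentence stacks three conditions; splitting the Windows-client case from the old-Shorewall case into two sentences would read better.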
@ -268,6 +271,8 @@ dh dh1024.pem
ca /etc/certs/cacert.pem
crl-verify /etc/certs/crl.pem
cert /etc/certs/SystemA.pem
key /etc/certs/SystemA_key.pem
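Review bot: Adding `crl-verify /etc/certs/crl.pem` to the server configuration is a good hardening step (without it a revoked client certificate keeps authenticating until it expires), but the article now references a file whose origin is not described anywhere in the hunk. Add a sentence on how crl.pem is produced (e.g. `openssl ca -gencrl -out crl.pem`) and that it must be regenerated and copied to the server after every revocation, since a stale CRL silently keeps revoked clients working.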
@ -337,7 +342,7 @@ tls-client
pull
ca /etc/certs/cacert.pem
cert /etc/certs/SystemB.pem
key /etc/certs/SystemB_key.pem
@ -356,5 +361,22 @@ persist-key
verb 3</programlisting>
</blockquote>
<para>If you want multiple remote clients to be able to communicate with
each other then you must:</para>
<orderedlist>
<listitem>
<para>Include the <emphasis role="bold">client-to-client</emphasis>
directive in the server's OpenVPN configuration; and</para>
</listitem>
<listitem>
<para>Specify the <emphasis role="bold">routeback</emphasis> option on
the <filename class="devicefile">tun0</filename> device in <ulink
url="Documentation.htm#Interfaces">/etc/shorewall/interfaces</ulink>.
</para>
</listitem>
</orderedlist>
</section>
</article>
</article>
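Review bot: The new text says both `client-to-client` and `routeback` are required, but they address the same problem in opposite ways: with `client-to-client` the OpenVPN server forwards traffic between clients internally, so it never traverses tun0 and Shorewall cannot filter it; `routeback` on tun0 is what allows that traffic to be routed back out the same interface when `client-to-client` is not set and the kernel (and Shorewall) is in the path. Present them as alternatives and state the consequence of each: `client-to-client` for unfiltered client-to-client traffic, `routeback` when the reader wants Shorewall rules to apply between clients.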