# # Shorewall 2.4 - /etc/shorewall/tunnels # # This file defines IPSEC, GRE, IPIP and OPENVPN tunnels. # # IPIP, GRE and OPENVPN tunnels must be configured on the # firewall/gateway itself. IPSEC endpoints may be defined # on the firewall/gateway or on an internal system. # # The columns are: # # TYPE -- must start in column 1 and be "ipsec", "ipsecnat","ipip" # "gre", "6to4", "pptpclient", "pptpserver", "openvpn" or # "generic" # # If the type is "ipsec" or "ipsecnat", it may be followed # by ":noah" to indicate that the Authentication Header # protocol (51) is not used by the tunnel. # # If type is "openvpn", it may optionally be followed # by ":" and the port number used by the tunnel. if no # ":" and port number are included, then the default port # of 5000 will be used # # If type is "generic", it must be followed by ":" and # a protocol name (from /etc/protocols) or a protocol # number. If the protocol is "tcp" or "udp" (6 or 17), # then it may optionally be followed by ":" and a # port number. # # ZONE -- The zone of the physical interface through which # tunnel traffic passes. This is normally your internet # zone. # # GATEWAY -- The IP address of the remote tunnel gateway. If the # remote getway has no fixed address (Road Warrior) # then specify the gateway as 0.0.0.0/0. May be # specified as a network address and if your kernel and # iptables include iprange match support then IP address # ranges are also allowed. # # GATEWAY # ZONES -- Optional. If the gateway system specified in the third # column is a standalone host then this column should # contain a comma-separated list of the names of the # zones that the host might be in. This column only # applies to IPSEC and generic tunnels. # # Example 1: # # IPSec tunnel. The remote gateway is 4.33.99.124 and # the remote subnet is 192.168.9.0/24. The tunnel does # not use the AH protocol # # ipsec:noah net 4.33.99.124 # # Example 2: # # Road Warrior (LapTop that may connect from anywhere) # where the "gw" zone is used to represent the remote # LapTop. # # ipsec net 0.0.0.0/0 gw # # Example 3: # # Host 4.33.99.124 is a standalone system connected # via an ipsec tunnel to the firewall system. The host # is in zone gw. # # ipsec net 4.33.99.124 gw # # Example 4: # # Road Warriors that may belong to zones vpn1, vpn2 or # vpn3. The FreeS/Wan _updown script will add the # host to the appropriate zone using the "shorewall add" # command on connect and will remove the host from the # zone at disconnect time. # # ipsec net 0.0.0.0/0 vpn1,vpn2,vpn3 # # Example 5: # # You run the Linux PPTP client on your firewall and # connect to server 192.0.2.221. # # pptpclient net 192.0.2.221 # # Example 6: # # You run a PPTP server on your firewall. # # pptpserver net # # Example 7: # # OPENVPN tunnel. The remote gateway is 4.33.99.124 and # openvpn uses port 7777. # # openvpn:7777 net 4.33.99.124 # # Example 8: # # You have a tunnel that is not one of the supported types. # Your tunnel uses UDP port 4444. The other end of the # tunnel is 4.3.99.124. # # generic:udp:4444 net 4.3.99.124 # # # See http://shorewall.net/Documentation.htm#Tunnels for additional information. # # TYPE ZONE GATEWAY GATEWAY # ZONE # #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE