Adrian Mak | 12 Jun 10:46 2005

kernel and netfilter patches already in Redhat AS 4 for IPSEC

I read the LinuxFest NW 2005 presentation PDF. On page 32 it mentions that
it requires patches on kernel 2.6.x and netfilter, and it only says that
SuSE 9.2 and 9.3 have the patches in their stock kernel. I'm using Redhat AS
4. Does anybody know whether the stock kernel and netfilter have these
patches applied? Or how can I tell whether the kernel and netfilter have
these patches applied?

thanks!
Cristian Rodriguez | 12 Jun 11:30 2005

Re: kernel and netfilter patches already in Redhat AS 4 for IPSEC

2005/6/12, Adrian Mak <makkaichung <at> gmail.com>:
> I read the LinuxFest NW 2005 presentation PDF. On page 32 it mentions that
> it requires patches on kernel 2.6.x and netfilter, and it only says that
> SuSE 9.2 and 9.3 have the patches in their stock kernel. I'm using Redhat AS
> 4. Does anybody know whether the stock kernel and netfilter have these
> patches applied?

Nope, I'm not currently using Redhat, I'm using SUSE.

Kernel patches are available here:

http://shorewall.net/pub/shorewall/contrib/IPSEC/2.6.11

As the docs say, you should use Shorewall 2.2.0 Beta 1 or later (but
please use the current version, 2.4.0).

Maybe some folks here can help you better.
Andre Juffer | 12 Jun 17:41 2005

proxy_arp: Permission denied

Dear All,

I have a problem starting Shorewall on a Debian 1.3 Linux box. Here is
some info:

Output of '/sbin/shorewall trace start 2> /tmp/trace' is in the attachment.

Shorewall version: 2.2.3

Output of 'ip addr show':
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: bond0: <BROADCAST,MULTICAST,MASTER> mtu 1500 qdisc noop
     link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
3: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop
     link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
     link/ether 00:50:fc:64:c2:52 brd ff:ff:ff:ff:ff:ff
     inet 81.17.202.85/26 brd 81.17.202.127 scope global secondary eth0:chlorine
5: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop qlen 1000
     link/ether 00:48:54:81:08:d3 brd ff:ff:ff:ff:ff:ff

Output of 'ip route show':
81.17.202.64/26 dev eth0  proto kernel  scope link  src 81.17.202.70
default via 81.17.202.65 dev eth0

The actual error messages are:

/usr/share/shorewall/firewall: line 2179: 
(Continue reading)

Tobias Weisserth | 12 Jun 21:37 2005

vpnc versus Shorewall problem

Hi everybody,

I have been using Shorewall for quite a while now, but I recently 
stumbled over a new setup that stopped me cold. I don't know how to 
proceed:

I have an ordinary GNU/Linux box (2.6.11) connected to a nonpublic 
network with one interface eth0 which gets an IP through DHCP like 
172.17.x.y. Traffic is not routed to the Internet in this subnet. In 
order to connect to the Internet I have to build a VPN connection to a 
Cisco Concentrator box inside this network (172.17.0.1).

I also get the addresses of two DNS servers assigned by this DHCP 
server (10.0.251.1, 10.0.251.2), which are of course outside my reach as 
long as I don't have a connection to the VPN gateway.

I can connect to the Cisco VPN Gateway using "vpnc", a free alternative 
to the Cisco client, which makes use of a "tun0" device. The "tun0" 
device also receives an IP address from a DHCP server, something like 
10.26.80.x

How do I set up Shorewall so that I can connect to the Cisco 
Concentrator while at the same time blocking all inbound traffic that I 
don't want?

I started out with the one-interface setup described in the quick 
guides, though I realise that I seem to have two devices (eth0, tun0). 
When I'm using this initial setup I can establish the VPN link but 
cannot use it. As soon as I shut down Shorewall, I can use the VPN 
tunnel, but everything is wide open.
(Continue reading)

Cristian Rodriguez | 12 Jun 22:03 2005

Re: vpnc versus Shorewall problem

> 
> How do I set up Shorewall so that I can connect to the Cisco
> Concentrator while at the same time blocking all inbound traffic that I
> don't want?
> 
> I started out with the one-interface setup described in the quick
> guides, though I realise that I seem to have two devices (eth0, tun0).
> When I'm using this initial setup I can establish the VPN link but
> cannot use it. As soon as I shut down Shorewall, I can use the VPN
> tunnel, but everything is wide open.
> 

http://www.shorewall.net/Documentation_Index.html

Find the word VPN.

Read the related docs carefully... still no luck?
Stephen Carville | 12 Jun 22:04 2005

Re: vpnc versus Shorewall problem

On Sun, 12 Jun 2005, Tobias Weisserth wrote:

> Hi everybody,
>
> I have been using Shorewall for quite a while now but I recently stumbled 
> over a new setup that stopped me cold. I don't know how to proceed:
>
> I have an ordinary GNU/Linux box (2.6.11) connected to a nonpublic network 
> with one interface eth0 which gets an IP through DHCP like 172.17.x.y. 
> Traffic is not routed to the Internet in this subnet. In order to connect to 
> the Internet I have to build a VPN connection to a Cisco Concentrator box 
> inside this network (172.17.0.1).
>
> I also get the addresses of two DNS servers assigned by this DHCP server 
> (10.0.251.1, 10.0.251.2) which are ofcourse outside my reach as long as I 
> don't have a connection to the VPN Gateway.
>
> I can connect to the Cisco VPN Gateway using "vpnc", a free alternative to 
> the Cisco client, which makes use of a "tun0" device. The "tun0" device also 
> receives an IP address from a DHCP server, something like 10.26.80.x
>
> How do I setup Shorewall, so that I can connect to the Cisco Concentrator 
> while at the same time blocking all inbound traffic that I don't want?

I use OpenVPN to connect remote sites via the tun device so...

I assume you are running shorewall on the same box you want to connect 
with.

You can treat tun<#> as a local device. In /etc/shorewall/interfaces:
(Continue reading)
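The two-interface layout Stephen outlines (his interfaces and policy lines are quoted in full in Tobias's replies) written out as a complete Shorewall 2.x file set, as an added example that is not from the thread or from the Shorewall project. The zone names, the `dhcp` interface option and the `info` log levels are assumptions of this example; the log levels are there so that whatever the tunnel still needs shows up in syslog instead of failing silently.

```sh
#!/bin/sh
# Added example (not from the thread or the Shorewall project): writes the
# Shorewall 2.x files for a box with eth0 on the DHCP-assigned 172.17.x.y
# network and tun0 brought up by vpnc. Zone names, the "dhcp" option and
# the "info" log levels are assumptions of this example, not Stephen's text.
# Usage: sh vpnc-shorewall.sh /etc/shorewall   (then: shorewall restart)

write_vpnc_shorewall_config() {
    dir="$1"
    mkdir -p "$dir"

    # Every zone named in interfaces/policy must be declared here (2.x format).
    cat >"$dir/zones" <<'EOF'
#ZONE   DISPLAY   COMMENTS
net     Net       eth0: DHCP network that reaches the Cisco concentrator
vpn0    VPN       tun0: tunnel brought up by vpnc
EOF

    # eth0 carries the encrypted session to 172.17.0.1; tun0 carries the
    # decrypted traffic. "dhcp" lets the DHCP client exchange through on eth0.
    cat >"$dir/interfaces" <<'EOF'
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      dhcp
vpn0    tun0        detect
EOF

    # Outbound from the firewall box is open; unsolicited inbound traffic on
    # either interface is refused and logged at "info" so it can be seen in
    # syslog (replies to fw-initiated traffic are accepted by conntrack).
    cat >"$dir/policy" <<'EOF'
#SOURCE   DEST   POLICY   LOG LEVEL
fw        all    ACCEPT
vpn0      all    REJECT   info
net       all    DROP     info
all       all    REJECT   info
EOF
}

if [ "$#" -eq 1 ]; then
    write_vpnc_shorewall_config "$1"
fi
```

After a restart, `shorewall show log` (or the syslog entries tagged with the zone names) tells you which inbound packet is being refused while the tunnel is up, which is the information missing from the thread.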

Tobias Weisserth | 12 Jun 22:14 2005

Re: vpnc versus Shorewall problem

Hi,

On Jun 12, 2005, at 10:03 PM, Cristian Rodriguez wrote:

> http://www.shorewall.net/Documentation_Index.html
>
> Find the word VPN.
>
> Read the related docs carefully... still no luck?

If you don't want to help, why bother writing at all?

I checked out this

http://www.shorewall.net/GenericTunnels.html

before asking my stupid question, but it doesn't seem to help me. And 
as I understand (or don't, that's the problem) the Cisco concentrator 
does things differently, thus the need for a specific client. The 
problem is I don't understand how this client works, so I don't know 
how to handle this correctly in Shorewall.

It's not like an ordinary OpenVPN connection as far as I understand. 
The people running this network had simply one line of advice for my 
problem: disable your firewall. I thought maybe someone else is having 
the same problem and could help me out a little.

regards,
Tobias

(Continue reading)

Tobias Weisserth | 12 Jun 22:16 2005

Re: vpnc versus Shorewall problem

Hi there,

On Jun 12, 2005, at 10:04 PM, Stephen Carville wrote:

> You can treat tun<#> as a local device. In /etc/shorewall/interfaces:
>
> vpn0    tun0            detect
>
> In /etc/shorewall/policy:
>
> fw      all     ACCEPT
> vpn0    all     REJECT
>
> This will allow all outgoing traffic from fw but block all incoming 
> traffic.
>
> In masq: (I've never actually done this part but it _should_ work)
>
> tun0    eth0

Luckily I won't need masq. I'll try this out, though I think I had 
something similar which didn't work.

thanks,
Tobias

*****************************************

"Email messages are supposed to be text, thank you. Text. Only text. If 
God had intended for email to be written in HTML, then the traditional 
(Continue reading)

Tobias Weisserth | 12 Jun 22:34 2005

Re: vpnc versus Shorewall problem

Hi again,

On Jun 12, 2005, at 10:04 PM, Stephen Carville wrote:

> You can treat tun<#> as a local device. In /etc/shorewall/interfaces:
>
> vpn0    tun0            detect
>
> In /etc/shorewall/policy:
>
> fw      all     ACCEPT
> vpn0    all     REJECT
>
> This will allow all outgoing traffic from fw but block all incoming 
> traffic.

This didn't work.

I have some more info:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
172.17.0.1      172.17.4.254    255.255.255.255 UGH   0      0        0 eth0
172.17.4.0      *               255.255.255.0   U     0      0        0 eth0
loopback        *               255.0.0.0       U     0      0        0 lo
default         *               0.0.0.0         U     0      0        0 
(Continue reading)

Jeff | 12 Jun 23:29 2005

Re: vpnc versus Shorewall problem

see below...
----- Original Message ----- 
From: "Tobias Weisserth" <tobias.weisserth <at> gmx.net>
To: "Mailing List for Shorewall Users" <shorewall-users <at> lists.shorewall.net>
Sent: Sunday, June 12, 2005 4:34 PM
Subject: Re: [Shorewall-users] vpnc versus Shorewall problem

> Hi again,
>
> On Jun 12, 2005, at 10:04 PM, Stephen Carville wrote:
>
> > You can treat tun<#> as a local device. In /etc/shorewall/interfaces:
> >
> > vpn0    tun0            detect
> >
> > In /etc/shorewall/policy:
> >
> > fw      all     ACCEPT
> > vpn0 all REJECT
> >
> > This will allow all outgoing traffic from fw but block all incoming
> > traffic.
>
> This didn't work.
>
> I have some more info:
>
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
(Continue reading)