shorewall-ipsec.patch - NethServer 6 - NethServer.org

/etc/shorewall.ori/interfaces 2013-08-09 09:57:12.506730576 +0000
25	25	loc eth0 tcpflags,nosmurfs
26	26
27	27	vpn tun0
	28	l2tp ppp+

     #				LEVEL	BURST		MASK
     loc            vpn           ACCEPT
     vpn            loc           ACCEPT
     ipsec          loc           ACCEPT
     loc            ipsec          ACCEPT
     loc             l2tp            ACCEPT # Allows local machines to connect to road warriors
     l2tp            loc             ACCEPT # Allows road warriors to connect to local machines
     l2tp            net             ACCEPT # Allows road warriors to connect to the Internet
     ipsec		net		ACCEPT
     # Policies for traffic originating from the local LAN (loc)
+    #
     # If you want to force clients to access the Internet via a proxy server
-...
     # $FW to net policy to ACCEPT and remove the 'info' LOG LEVEL.
     $FW		net		ACCEPT		info
     $FW		loc		ACCEPT
     $FW		ipsec		ACCEPT
+    #
     # Policies for traffic originating from the Internet zone (net)
+    #
     net		$FW		DROP		info
     net		loc		DROP		info
     net		all		DROP		info
     # THE FOLLOWING POLICY MUST BE LAST
     all		all		REJECT		info
     #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

/etc/shorewall.ori/rules 2013-08-09 09:57:12.511730591 +0000
34	34	# (assumes that the loc-> net policy is ACCEPT).
35	35	#
36	36	Ping/ACCEPT loc $FW
	37	Ping/ACCEPT ipsec $FW
	38	Ping/ACCEPT l2tp $FW
	39	Ping/ACCEPT $FW ipsec
	40	Ping/ACCEPT $FW l2tp
37	41
38	42	#
39	43	# Accept DNS connections from the firewall to the Internet