[Openswan Users] Questions from a beginner ;)

Toby Corkindale openswan at wintrmute.net
Fri Aug 20 16:29:45 CEST 2004


On Fri, Aug 20, 2004 at 10:10:57AM -0400, David Clymer wrote:
> Thus quoth Toby Corkindale:
> > Also, the way you categorise traffic at the firewall is different, too.
> > 
> 
> I'm not sure I understand what you mean here. For the purposes of
> clarification, I was talking about the following:
> 
> # allow IPsec receipt on eth0
> iptables --append INPUT --in-interface eth0 --protocol udp --source 44.33.22.11 --destination-port 500 --jump ACCEPT
> iptables --append INPUT --in-interface eth0 --protocol esp --source 44.33.22.11 --jump ACCEPT
> 
> # apply rules to unencrypted traffic coming over VPN
> iptables --append FORWARD --in-interface ipsec0 --protocol tcp --destination 192.168.10.5 --destination-port 25 --jump ACCEPT 
> 
> as opposed to
> 
> # all rules, applying to both encrypted and unencrypted data apply to the same interface
> iptables --append INPUT --in-interface eth0 --protocol udp --source 44.33.22.11 --destination-port 500 --jump ACCEPT
> iptables --append INPUT --in-interface eth0 --protocol esp --source 44.33.22.11 --jump ACCEPT
> iptables --append FORWARD --in-interface eth0 --protocol tcp --destination 192.168.10.5 --destination-port 25 --jump ACCEPT
> 
> I like the logical separation of the rules in scenario one, as opposed to 
> scenario two. It just makes more sense to me, when trying to think
> through the rules and the flow of traffic.

Hmm.
My firewall script is somewhat longer, and has user chains for internal
network, external (ie. internet), and vpn network.
(eg. the VPN chain allows access to NFS-related stuff, whereas the EXTERNAL
chain only allows access to port 22 and 80).

This makes the script a lot easier to read and understand, because you don't
need to replicate so many options on each line. Also, it logically separates
different things to different bits of the page, and you can also make
assumptions like "anyone who can access the VPN features should also be able
to access the stuff random internet addresses can hit too", and then do it
really simply by just jumping into the external chain, if you didn't match
anything in the vpn chain. (Although obviously you don't do the reverse! ;)

I can use such a script on both KLIPS and native-26-ipsec boxes, and only need
to change a couple of lines - the bit where it determines which chain to jump
to.

tjc.
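A sketch of the chain layout described above, written as an added example for this thread rather than Toby's actual script. It assumes eth0/eth1 as WAN/LAN, portmapper and nfsd as the "NFS-related stuff", and, for the native 2.6 stack, the iptables `policy` match (newer than the 2004 thread); the peer address comes from David's quoted rules. Only dispatch() differs between KLIPS and native IPsec.

```shell
#!/bin/sh
# Added example (not the thread author's script). Three user chains; the
# VPN chain falls through to EXTERNAL, never the reverse. Run as
# "IPT=echo sh firewall.sh apply" to print the rules instead of loading them.
IPT="${IPT:-iptables}"
STACK="${STACK:-klips}"     # klips (ipsec0 device) or native (2.6 in-kernel)
WAN_IF="${WAN_IF:-eth0}"    # assumed interface names
LAN_IF="${LAN_IF:-eth1}"
VPN_PEER="44.33.22.11"      # peer address from the quoted rules

setup_chains() {
    $IPT -N INTERNAL; $IPT -N EXTERNAL; $IPT -N VPN
    # EXTERNAL: what any internet host may reach (ssh and http only)
    $IPT -A EXTERNAL -p tcp --dport 22 -j ACCEPT
    $IPT -A EXTERNAL -p tcp --dport 80 -j ACCEPT
    $IPT -A EXTERNAL -j DROP
    # VPN: NFS-related ports (assumed: portmapper 111, nfsd 2049), then
    # fall through to EXTERNAL so peers also get what the internet gets
    for port in 111 2049; do
        $IPT -A VPN -p tcp --dport $port -j ACCEPT
        $IPT -A VPN -p udp --dport $port -j ACCEPT
    done
    $IPT -A VPN -j EXTERNAL
    $IPT -A INTERNAL -j ACCEPT   # trusted LAN; nothing ever jumps here from VPN
}

# Let IKE and ESP themselves in, before EXTERNAL's DROP could eat them.
allow_ipsec_transport() {
    $IPT -A INPUT -i "$WAN_IF" -p udp -s "$VPN_PEER" --dport 500 -j ACCEPT
    $IPT -A INPUT -i "$WAN_IF" -p esp -s "$VPN_PEER" -j ACCEPT
}

# The only stack-specific part: KLIPS hands decrypted traffic over on ipsec0,
# the native stack re-injects it on the real interface, so there it is told
# apart by its inbound IPsec policy (policy match, assumed available).
dispatch() {
    for chain in INPUT FORWARD; do
        $IPT -A $chain -i "$LAN_IF" -j INTERNAL
        case "$STACK" in
          klips)  $IPT -A $chain -i ipsec0 -j VPN ;;
          native) $IPT -A $chain -i "$WAN_IF" -m policy --dir in --pol ipsec -j VPN ;;
          *) echo "unknown STACK: $STACK" >&2; return 1 ;;
        esac
        $IPT -A $chain -i "$WAN_IF" -j EXTERNAL
    done
}

if [ "${1:-}" = apply ]; then
    setup_chains && allow_ipsec_transport && dispatch
fi
```

Set STACK=native on a 2.6 native-IPsec box; everything except the case arm stays identical.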
