[Openswan Users] Questions from a beginner ;)

David Clymer dclyme at hrcsb.org
Fri Aug 20 11:43:06 CEST 2004


Thus quoth Toby Corkindale:
> To: David Clymer <dclyme at hrcsb.org>
> Cc: users at lists.openswan.org
> From: Toby Corkindale <openswan at wintrmute.net>
> Subject: Re: [Openswan Users] Questions from a beginner ;)
> 
> On Fri, Aug 20, 2004 at 10:10:57AM -0400, David Clymer wrote:
> > Thus quoth Toby Corkindale:
> > > Also, the way you categorise traffic at the firewall is different, too.
> > > 
> > 
> > I'm not sure I understand what you mean here. For the purposes of
> > clarification, I was talking about the following:
> > 
> > # allow IPsec receipt on eth0
> > iptables --append INPUT --in-interface eth0 --protocol udp --source 44.33.22.11 --destination-port 500 --jump ACCEPT 
> > iptables --append INPUT --in-interface eth0 --protocol esp --source 44.33.22.11 --jump ACCEPT 
> > 
> > # apply rules to unencrypted traffic coming over VPN
> > iptables --append FORWARD --in-interface ipsec0 --protocol tcp --destination 192.168.10.5 --destination-port 25 --jump ACCEPT 
> > 
> > as opposed to
> > 
> > # all rules, applying to both encrypted and unencrypted data apply to the same interface
> > iptables --append INPUT --in-interface eth0 --protocol udp --source 44.33.22.11 --destination-port 500 --jump ACCEPT 
> > iptables --append INPUT --in-interface eth0 --protocol esp --source 44.33.22.11 --jump ACCEPT 
> > iptables --append FORWARD --in-interface eth0 --protocol tcp --destination 192.168.10.5 --destination-port 25 --jump ACCEPT 
> > 
> > I like the logical separation of the rules in scenario one, as opposed to 
> > scenario two. It just makes more sense to me, when trying to think
> > through the rules and the flow of traffic.
> 
> Hmm.
> My firewall script is somewhat longer, and has user chains for internal
> network, external (i.e. internet), and VPN network.
> (e.g. the VPN chain allows access to NFS-related stuff, whereas the EXTERNAL
> chain only allows access to port 22 and 80).
> 

Of course. Mine is and does as well. The rules shown were made up on the spot,
and were just to illustrate what I liked about separate interfaces.

-davidc
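An added example, not from either poster: a script that emits an iptables-restore ruleset combining the per-interface split from David's scenario one with the EXTERNAL/VPN user chains Toby describes. The peer and mail-host addresses are the constructed values from the thread; the rules are printed, not loaded.

```shell
#!/bin/sh
# Generate a ruleset in which encrypted traffic arriving on eth0 and the
# decrypted traffic emerging on ipsec0 are judged by separate chains.
VPN_PEER=${VPN_PEER:-44.33.22.11}    # remote IPsec gateway (constructed)
SMTP_HOST=${SMTP_HOST:-192.168.10.5} # internal mail server (constructed)

gen_rules() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:EXTERNAL - [0:0]
:VPN - [0:0]
# INPUT: let the tunnel itself be built, plus ssh/http to the gateway
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth0 -p udp -s $VPN_PEER --dport 500 -j ACCEPT
-A INPUT -i eth0 -p esp -s $VPN_PEER -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
# FORWARD: classify by ingress interface, then let each chain decide
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth0 -j EXTERNAL
-A FORWARD -i ipsec0 -j VPN
# EXTERNAL: cleartext from the internet is never forwarded inside
-A EXTERNAL -j DROP
# VPN: decrypted traffic may reach the mail server on SMTP only
-A VPN -p tcp -d $SMTP_HOST --dport 25 -j ACCEPT
-A VPN -j DROP
COMMIT
EOF
}

# Dry run: print the ruleset; pipe into 'iptables-restore' to apply it.
gen_rules
```

On an IPsec stack that has no ipsec0 device, the same split is expressed with the `policy` match (`-m policy --dir in --pol ipsec`) in place of `-i ipsec0`.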

