[Firehol-devs] [Firehol-support] marks and speed

Tsaousis, Costa costa at tsaousis.gr
Sat Jan 24 16:51:34 CET 2015


Hi Whit,

These statements are not stateful. Unfortunately I don't use IPSEC
VPNs, so I can't help you there.
I can probably convert them to firehol statements if you send me a
link to some documentation about it.

If you want to use firehol marks and these statements in the same
firewall, you will need a small change to avoid interference with the
firehol marks.
Mark 1 will be used by firewall connmarks by default, so just replace
mark 1 with something outside the current bitmask. The value
0x80000000/0x80000000 will do:

example:

  # IPsec mangling
  # Mark IPsec, and allow decrypted IPsec

  ipsecmark="0x80000000/0x80000000"

  iptables -t mangle -A PREROUTING -p 17 --dport 500 -j MARK --set-mark ${ipsecmark} # udp/isakmp
  iptables -t mangle -A PREROUTING -p 50 -j MARK --set-mark ${ipsecmark} # esp
  iptables -t filter -A INPUT -m mark --mark ${ipsecmark} -j ACCEPT
  iptables -t filter -A FORWARD -m mark --mark ${ipsecmark} -j ACCEPT
  iptables -t filter -A OUTPUT -m mark --mark ${ipsecmark} -j ACCEPT

...

The above, though, does not guarantee that firehol will never use this
mark for something else.
To make firehol aware of this mark, open
/etc/firehol/firehol-defaults.conf, find the section where the markdef
statements are and add, below all the others, the line:

markdef ipsecmark 2

This says: define the ipsecmark with 2 possible values: 0 and 1.

Now replace the ipsecmark variable we defined in your script, with this:

ipsecmark="$(mark_value ipsecmark 1)"

This calculates the mark for ipsecmark with value 1, properly
bitmasked.
(If you have checked out the tools from github, please get them
again... I just added the mark_value() function).

If you do this, your ipsec mark and the firehol marks can co-exist perfectly.

Costa


On Sat, Jan 24, 2015 at 3:50 PM, Whit Blauvelt <whit at transpect.com> wrote:
> On Sat, Jan 24, 2015 at 03:12:30PM +0200, Tsaousis, Costa wrote:
>
>> The FireHOL suite (firehol, fireqos, link-balancer) now supports
>> internally 2 types of marks: usermarks and connmarks.
>
> Nice!
>
> The way I've been enabling Openswan IPsec to work from a server with the
> previous FireHOL is like this (in firehol.conf ahead of the standard stuff):
>
>   # IPsec mangling
>   # Mark IPsec, and allow decrypted IPsec
>
>   iptables -t mangle -A PREROUTING -p 17 --dport 500 -j MARK --set-mark 1 # udp/isakmp
>   iptables -t mangle -A PREROUTING -p 50 -j MARK --set-mark 1 # esp
>   iptables -t filter -A INPUT -m mark --mark 1 -j ACCEPT
>   iptables -t filter -A FORWARD -m mark --mark 1 -j ACCEPT
>   iptables -t filter -A OUTPUT -m mark --mark 1 -j ACCEPT
>
>   # don't SNAT IPsec
>
>   rightsubnets=( 172.30.0.0/24 10.242.0.0/22 172.16.11.0/24 )
>   for rightsubnet in "${rightsubnets[@]}"; do
>           iptables -t nat -I POSTROUTING -d $rightsubnet -j ACCEPT
>   done
>
> What would the translation of that to the new FireHOL syntax look like?
>
> Thanks,
>
> Whit
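The mark/mask arithmetic behind Costa's advice above (why a bare `--set-mark 1` collides with FireHOL's default mark 1 while `0x80000000/0x80000000` does not), as an added example that is not part of the thread or of the FireHOL project. It models the iptables MARK target and mark match in shell arithmetic on integer fwmarks; the hex values are the ones from the messages above, and the `1/0x7fffffff` match near the end is an illustrative mask, not FireHOL's own.

```shell
#!/bin/bash
# Added example, not code from the thread or from the FireHOL project.
# Models the arithmetic of the iptables MARK target and mark match in shell so
# the collision between "--set-mark 1" and FireHOL's default mark 1 can be
# inspected without touching a live firewall. A packet's fwmark is an integer.

# set_mark OLD VALUE[/MASK]  ->  prints the fwmark after "-j MARK --set-mark VALUE[/MASK]"
# iptables parses VALUE[/MASK] with the mask defaulting to 0xffffffff, stores
# mask = VALUE|MASK, and the kernel computes new = (old & ~mask) ^ VALUE.
# A bare "--set-mark 1" therefore overwrites all 32 bits.
set_mark() {
    old=$1
    case $2 in
        */*) value=${2%%/*}; mask=${2#*/} ;;
        *)   value=$2;       mask=0xffffffff ;;
    esac
    mask=$(( value | mask ))
    printf '%u\n' $(( (old & ~mask) ^ value ))
}

# match_mark MARK VALUE[/MASK]  ->  true if "-m mark --mark VALUE[/MASK]" matches MARK
# Kernel test: (mark & mask) == VALUE, with the mask defaulting to 0xffffffff.
match_mark() {
    mark=$1
    case $2 in
        */*) value=${2%%/*}; mask=${2#*/} ;;
        *)   value=$2;       mask=0xffffffff ;;
    esac
    [ $(( mark & mask )) -eq $(( value )) ]
}

# Mark 1 is FireHOL's default connmark value (stated in Costa's message).
firehol_mark=1

# Scenario 1: a packet that FireHOL has marked 1 and that is NOT IPsec traffic
# reaches "-m mark --mark $1 -j ACCEPT". Prints yes if it is accepted anyway.
ipsec_accept_rule_matches_firehol_packet() {
    if match_mark "$firehol_mark" "$1"; then echo yes; else echo no; fi
}

# Scenario 2: an IPsec packet FireHOL has already marked 1 then hits
# "-j MARK --set-mark $1". Prints the resulting fwmark.
mark_after_ipsec_rule() {
    set_mark "$firehol_mark" "$1"
}

old_style=1                         # Whit's original rule
new_style=0x80000000/0x80000000     # Costa's suggestion

printf 'non-IPsec packet accepted by IPsec rule: old=%s new=%s\n' \
    "$(ipsec_accept_rule_matches_firehol_packet "$old_style")" \
    "$(ipsec_accept_rule_matches_firehol_packet "$new_style")"
printf 'IPsec packet mark after set-mark:        old=0x%08x new=0x%08x\n' \
    "$(mark_after_ipsec_rule "$old_style")" "$(mark_after_ipsec_rule "$new_style")"
```

With the old style every FireHOL-marked packet satisfies `-m mark --mark 1` and is accepted by the IPsec rule; with the high-bit style the IPsec rule only sees its own bit and FireHOL's low bits survive underneath it. The flip side is that an exact-value check such as `--mark 1` stops matching once the high bit is set, which is why both sides have to agree on masks, the point of registering the mark with markdef as Costa suggests.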


