[Firehol-support] Bridged OpenVPN
Daniel L. Miller
dmiller at amfes.com
Tue May 16 05:19:38 BST 2006
I just figured out something that's been driving me NUTS - thought I'd
share it just in case somebody else has been struggling with this.
Intermittently, I found that my firewall permissions would quit working
- and about the only way I could get them back was to reboot my firewall
server. Obviously, this is totally unacceptable.
While I was checking everything else I could think of, I noticed
something. Because I'm using OpenVPN with a bridged interface, I have
two LAN routable interfaces on my firewall. For purposes of illustration:
foxy:/etc/iproute2# ip route
<snip>
192.168.0.0/24 dev br0 proto kernel scope link src 192.168.0.9
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.1
<snip>
I thought to myself, "Self, you might remember that the routing table is
processed in order. So if the bridged interface appears first . . .
routing Internet requests to internal hosts might get routed via the
bridged interface. Do you HAVE any bridge interface definitions in your
firehol.conf file?"
I answered myself, "No. I didn't know I needed that . . . ."
So, changing the related router definition to:
router x2lan inface "${EXT_X_IF}" outface "${LAN_IF} ${BR_IF}"
And pre-defining my variables of course - seems to have solved my
problem. I'm assuming that my problems have come from re-starting the
OpenVPN server, which would change the routing table. This should end
that particular problem.
Moral of the story: if you have more than one interface connected to
the same network - make sure they're all accounted for in your firewall
definitions.
--
Daniel
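The situation described in the post (one prefix reachable through two devices, only one of them named in the FireHOL router) can be spotted before it bites. The script below is an added example written for this page, not code from the original post or from the FireHOL project. It takes the text of `ip route`, lists every prefix that is reachable through more than one device, and checks whether a `router ... outface "..."` line names all of those devices. The route lines and the router line are constructed samples; the interface names eth1, tun0 and the router line with only eth0 are assumptions for illustration, and because firehol.conf is itself a shell script, a real router line would have to have its `${LAN_IF}`-style variables expanded before being handed to `missing_from_router`.

```shell
#!/bin/sh
# Added example (not part of the original post): find prefixes that are
# reachable through more than one interface and report which of those
# interfaces a FireHOL router definition leaves out.

# Constructed sample of `ip route` output. The two 192.168.0.0/24 lines mirror
# the post; the default route and tun0 line are assumed for illustration.
SAMPLE_ROUTES='default via 203.0.113.1 dev eth1
192.168.0.0/24 dev br0 proto kernel scope link src 192.168.0.9
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.1
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.1'

# duplicate_prefixes ROUTES: print one line per prefix that appears on more
# than one device, in the form "<prefix> <dev1> <dev2> ...".
duplicate_prefixes() {
    printf '%s\n' "$1" | awk '
        # only "<prefix>/<len> dev <name> ..." lines; skip "default via ..."
        $1 ~ /\// && $2 == "dev" { devs[$1] = devs[$1] " " $3; n[$1]++ }
        END {
            for (p in n)
                if (n[p] > 1) { sub(/^ /, "", devs[p]); print p, devs[p] }
        }'
}

# missing_from_router ROUTER_LINE DEV...: print each DEV that is not listed in
# the outface "..." part of a (variable-expanded) FireHOL router line.
missing_from_router() {
    line=$1; shift
    outfaces=$(printf '%s\n' "$line" | sed -n 's/.*outface "\([^"]*\)".*/\1/p')
    for dev in "$@"; do
        case " $outfaces " in
            *" $dev "*) ;;                 # listed: fine
            *) printf '%s\n' "$dev" ;;     # not listed: report it
        esac
    done
}

# Usage on the constructed sample: this router line (an assumption, modelled on
# the post's "before" state) names only eth0, so br0 is reported as missing.
ROUTER_LINE='router x2lan inface "eth1" outface "eth0"'
duplicate_prefixes "$SAMPLE_ROUTES" | while read -r prefix devs; do
    # $devs is deliberately unquoted so each device becomes its own argument
    missing=$(missing_from_router "$ROUTER_LINE" $devs)
    if [ -n "$missing" ]; then
        echo "$prefix reachable via [$devs]; not in router outface: $missing"
    else
        echo "$prefix: every interface is covered by the router"
    fi
done
```

On a live firewall, replace `SAMPLE_ROUTES` with `$(ip route)` and feed it the expanded router line from your own firehol.conf; any device it prints is traffic the router definition will not match once the kernel picks that route.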