[Firehol-support] IPSec + Firehol

Carlos Ferreira carlosmf.pt at gmail.com
Mon Jul 9 04:09:16 BST 2018


Thanks. It worked well. It was exactly what I wanted.

For some time, I wanted to be able to add rules to the iptables, using
the firehol.conf. I searched the documentation to find a way and if it
exists something in the docs, I was unable to find it.

Thank you!

Carlos Ferreira

On 6 July 2018 at 12:42, Viktor Remennik <vik at etogo.net> wrote:
> Hi Carlos Miguel,
>
>
> Had the same issue, found no solution yet. Ii is mentioned in the docs that
> it is possible, but no clue how. The "ipsec+" interface wildcard mentioned,
> but I can't get it working. Maybe it's not suitable for tunnels because
> there's no dedicated interface for the ipsec.
>
> Workaround is, as you noticed, just to add the raw iptables rule. I did it
> adding this to the end of the firehol.conf:
>
>
> iptables -I INPUT  --match policy --pol ipsec --dir in --proto esp  -s
> 172.16.0.0/16 -j ACCEPT
> iptables -I OUTPUT --match policy --pol ipsec --dir out --proto esp  -d
> 172.16.0.0/16 -j ACCEPT
>
>
> Where 172.16.0.0./16 is the internal subnet.
>
> No masquerading required if you use tunnel; you just connect to the internal
> network over the internet. Also, there's no new interface for the tunnel,
> so, no firehol policies will be applied. According to this rule, any port is
> accepted via tunnel.
>
>
> Please let me know if you'll find a solution. I almost decided to drop
> firehol due to lack of support though. There's a lot of other firewalls and
> even raw iptables fw is better, as you see.
>
> https://github.com/firehol/firehol/issues/323
>
> https://serverfault.com/questions/900531/firehol-ipsec-configuration
>
>
> Kind regards,
> Viktor
>
>
> On 7/6/18 14:00, firehol-support-request at lists.firehol.org wrote:
>>
>> Hello to all
>>
>> I'm trying to have an IPsec tunnel to work in my router for hosts on
>> the internet and according to the strongswan documentation, I
>> understand that I need to add a postrouting rule to iptables before
>> the masquerade rule [1].
>>
>> My question is, how can I do this?
>>
>> I also understand that firehol also provides ipsec service rules, but
>> for what I understand, that's only used to open ports.
>>
>> Some help would be appreciated.
>>
>>
>>
>> [1]:https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling#Hosts-on-the-Internet
>>
>> My regards,
>> Carlos Miguel Ferreira
>
>
> _______________________________________________
> Firehol-support mailing list
> Firehol-support at lists.firehol.org
> http://lists.firehol.org/mailman/listinfo/firehol-support


More information about the Firehol-support mailing list