[Firehol-support] IPSec + Firehol

Carlos Ferreira carlosmf.pt at gmail.com
Mon Jul 9 12:54:17 BST 2018


> Furthermore, it looks like the firehol is not supported anymore.

Just now that I was starting to use it :/

Well, thanks for the info. I guess I'll just have to find a different
solution in the long-term...


Regards,

Carlos Ferreira

On 9 July 2018 at 12:07, Viktor Remennik <vik at etogo.net> wrote:
> Np,
>
> According to the docs, the 'firehol.conf' file is executed by the firehol as
> a shell script, so, any shell command can be added there. The problem is,
> that this workaround is not a firehol functionality and it's not possible to
> configure such things using firehol itself. Furthermore, it looks like the
> firehol is not supported anymore. That's why, I suppose, the best solution
> is to get rid of it. Dunno, probably in this situation it's better to move
> to the raw iptables.
>
>
> Kind regards,
> Viktor
>
>
> On 7/9/18 06:09, Carlos Ferreira wrote:
>>
>> Thanks. It worked well. It was exactly what I wanted.
>>
>> For some time, I wanted to be able to add rules to the iptables, using
>> the firehol.conf. I searched the documentation to find a way and if
>> something exists in the docs, I was unable to find it.
>>
>> Thank you!
>>
>> Carlos Ferreira
>>
>> On 6 July 2018 at 12:42, Viktor Remennik <vik at etogo.net> wrote:
>>>
>>> Hi Carlos Miguel,
>>>
>>>
>>> Had the same issue, found no solution yet. It is mentioned in the docs
>>> that it is possible, but no clue how. The "ipsec+" interface wildcard is
>>> mentioned, but I can't get it working. Maybe it's not suitable for tunnels
>>> because there's no dedicated interface for the ipsec.
>>>
>>> Workaround is, as you noticed, just to add the raw iptables rule. I did it
>>> adding this to the end of the firehol.conf:
>>>
>>>
>>> iptables -I INPUT  --match policy --pol ipsec --dir in  --proto esp -s 172.16.0.0/16 -j ACCEPT
>>> iptables -I OUTPUT --match policy --pol ipsec --dir out --proto esp -d 172.16.0.0/16 -j ACCEPT
>>>
>>>
>>> Where 172.16.0.0/16 is the internal subnet.
>>>
>>> No masquerading required if you use tunnel; you just connect to the
>>> internal network over the internet. Also, there's no new interface for the
>>> tunnel, so, no firehol policies will be applied. According to this rule,
>>> any port is accepted via tunnel.
>>>
>>>
>>> Please let me know if you'll find a solution. I almost decided to drop
>>> firehol due to lack of support though. There's a lot of other firewalls
>>> and even raw iptables fw is better, as you see.
>>>
>>> https://github.com/firehol/firehol/issues/323
>>>
>>> https://serverfault.com/questions/900531/firehol-ipsec-configuration
>>>
>>>
>>> Kind regards,
>>> Viktor
>>>
>>>
>>> On 7/6/18 14:00, firehol-support-request at lists.firehol.org wrote:
>>>>
>>>> Hello to all
>>>>
>>>> I'm trying to get an IPsec tunnel to work in my router for hosts on
>>>> the internet and according to the strongswan documentation, I
>>>> understand that I need to add a postrouting rule to iptables before
>>>> the masquerade rule [1].
>>>>
>>>> My question is, how can I do this?
>>>>
>>>> I also understand that firehol provides ipsec service rules, but
>>>> from what I understand, that's only used to open ports.
>>>>
>>>> Some help would be appreciated.
>>>>
>>>>
>>>>
>>>>
>>>> [1]: https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling#Hosts-on-the-Internet
>>>>
>>>> My regards,
>>>> Carlos Miguel Ferreira
>>>
>>>
>
>
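Since the raw iptables lines in Viktor's workaround sit outside FireHOL's own policy handling, a quick way to confirm they actually survived a reload is to audit the live ruleset. The script below is an added example (not from this thread or from the FireHOL project): the function names and the two `iptables -S` listings are constructed for offline use, and the check also flags the "any port is accepted via tunnel" property the thread points out.

```shell
#!/bin/sh
# Added example (not from the thread or FireHOL): audit an `iptables -S` listing
# for the IPsec policy-match ACCEPT rules the workaround above installs. On a
# real host: check_ipsec_rules 172.16.0.0/16 "$(iptables -S)". The listings
# below are constructed sample output for offline use.

SAMPLE_OK='-P INPUT DROP
-P OUTPUT DROP
-A INPUT -s 172.16.0.0/16 -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A OUTPUT -d 172.16.0.0/16 -m policy --dir out --pol ipsec --proto esp -j ACCEPT'

# Same ruleset after a reload that lost the OUTPUT rule (constructed).
SAMPLE_MISSING_OUT='-P INPUT DROP
-P OUTPUT DROP
-A INPUT -s 172.16.0.0/16 -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A INPUT -i lo -j ACCEPT'

# has_ipsec_rule CHAIN DIR ADDRFLAG SUBNET LISTING: 0 if LISTING holds an
# ACCEPT rule in CHAIN matching decrypted IPsec traffic (-m policy --pol ipsec
# --dir DIR) for "ADDRFLAG SUBNET". Options are matched one by one, so the
# order iptables prints them in does not matter.
has_ipsec_rule() {
    printf '%s\n' "$5" \
      | grep -- "^-A $1 " \
      | grep -- "-m policy " \
      | grep -- "--pol ipsec" \
      | grep -- "--dir $2 " \
      | grep -- "$3 $4 " \
      | grep -q -- "-j ACCEPT$"
}

# check_ipsec_rules SUBNET LISTING: 0 when both tunnel rules are present.
check_ipsec_rules() {
    status=0
    has_ipsec_rule INPUT in -s "$1" "$2" \
        || { echo "missing: INPUT ipsec ACCEPT from $1" >&2; status=1; }
    has_ipsec_rule OUTPUT out -d "$1" "$2" \
        || { echo "missing: OUTPUT ipsec ACCEPT to $1" >&2; status=1; }
    return $status
}

# accepts_any_port SUBNET LISTING: 0 when the inbound tunnel rule carries no
# --dport restriction, i.e. every local port is reachable over the tunnel.
accepts_any_port() {
    printf '%s\n' "$2" | grep -- "^-A INPUT .*-m policy .*--pol ipsec" \
      | grep -- "-s $1 " | grep -q -v -e "--dport" -e "--dports"
}
```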