[Firehol-support] IPSec + Firehol

Viktor Remennik vik at etogo.net
Mon Jul 16 11:00:18 BST 2018


The problem is that if you need to handle these vpn/tunnel 
connections with iptables, you cannot do that with firehol. You'd 
need to write more raw iptables rules then.

So, as in my case, you'll have to write raw iptables rules for such 
connections, and then you'll find that it's quite easy to move these 
rules to other interfaces, eliminating the need for firehol )


Kind regards,
Viktor

On 7/9/18 14:54, Carlos Ferreira wrote:
>> Furthermore, it looks like the firehol is not supported anymore.
> Just now that I was starting to use it :/
>
> Well, thanks for the info. I guess I'll just have to find a different
> solution in the long-term...
>
>
> Regards,
>
> Carlos Ferreira
>
> On 9 July 2018 at 12:07, Viktor Remennik <vik at etogo.net> wrote:
>> Np,
>>
>> According to the docs, the 'firehol.conf' file is executed by firehol as
>> a shell script, so any shell command can be added there. The problem is
>> that this workaround is not firehol functionality and it's not possible to
>> configure such things using firehol itself. Furthermore, it looks like
>> firehol is not supported anymore. That's why, I suppose, the best solution
>> is to get rid of it. Dunno, probably in this situation it's better to move
>> to raw iptables.
>>
>>
>> Kind regards,
>> Viktor
>>
>>
>> On 7/9/18 06:09, Carlos Ferreira wrote:
>>> Thanks. It worked well. It was exactly what I wanted.
>>>
>>> For some time, I wanted to be able to add rules to iptables using
>>> the firehol.conf. I searched the documentation to find a way, and if
>>> something exists in the docs, I was unable to find it.
>>>
>>> Thank you!
>>>
>>> Carlos Ferreira
>>>
>>> On 6 July 2018 at 12:42, Viktor Remennik <vik at etogo.net> wrote:
>>>> Hi Carlos Miguel,
>>>>
>>>>
>>>> Had the same issue, found no solution yet. It is mentioned in the docs
>>>> that it is possible, but no clue how. The "ipsec+" interface wildcard is
>>>> mentioned, but I can't get it working. Maybe it's not suitable for tunnels
>>>> because there's no dedicated interface for the ipsec.
>>>>
>>>> The workaround is, as you noticed, just to add the raw iptables rules. I did
>>>> it by adding this to the end of the firehol.conf:
>>>>
>>>>
>>>> iptables -I INPUT  --match policy --pol ipsec --dir in  --proto esp -s 172.16.0.0/16 -j ACCEPT
>>>> iptables -I OUTPUT --match policy --pol ipsec --dir out --proto esp -d 172.16.0.0/16 -j ACCEPT
>>>>
>>>>
>>>> Where 172.16.0.0/16 is the internal subnet.
>>>>
>>>> No masquerading is required if you use a tunnel; you just connect to the
>>>> internal network over the internet. Also, there's no new interface for the
>>>> tunnel, so no firehol policies will be applied. According to this rule, any
>>>> port is accepted via the tunnel.
>>>>
>>>>
>>>> Please let me know if you find a solution. I have almost decided to drop
>>>> firehol due to lack of support, though. There are a lot of other firewalls,
>>>> and even a raw iptables fw is better, as you see.
>>>>
>>>> https://github.com/firehol/firehol/issues/323
>>>>
>>>> https://serverfault.com/questions/900531/firehol-ipsec-configuration
>>>>
>>>>
>>>> Kind regards,
>>>> Viktor
>>>>
>>>>
>>>> On 7/6/18 14:00, firehol-support-request at lists.firehol.org wrote:
>>>>> Hello to all
>>>>>
>>>>> I'm trying to get an IPsec tunnel to work on my router for hosts on
>>>>> the internet, and according to the strongSwan documentation, I
>>>>> understand that I need to add a POSTROUTING rule to iptables before
>>>>> the masquerade rule [1].
>>>>>
>>>>> My question is, how can I do this?
>>>>>
>>>>> I also understand that firehol provides ipsec service rules, but
>>>>> from what I understand, that's only used to open ports.
>>>>>
>>>>> Some help would be appreciated.
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> [1]: https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling#Hosts-on-the-Internet
>>>>>
>>>>> My regards,
>>>>> Carlos Miguel Ferreira
>>>>
>>>> _______________________________________________
>>>> Firehol-support mailing list
>>>> Firehol-support at lists.firehol.org
>>>> http://lists.firehol.org/mailman/listinfo/firehol-support
>>
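The raw rules quoted in the thread, plus the nat/POSTROUTING exemption the original question asks about, as an added example that is not from this thread or from the firehol project: a POSIX shell script that validates the subnet and prints the rule set as a dry run instead of applying it, so it can be reviewed (or piped to a privileged shell) from the end of firehol.conf or on its own. The single subnet argument, the `-d` form of the POSTROUTING exemption and the presence of an existing MASQUERADE rule that `-I` must land in front of are my assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: emit the raw iptables rules for an IPsec tunnel
# that has no dedicated interface (so no firehol interface policy ever matches it).
# Rules are printed rather than executed so they can be reviewed first, e.g.
#   sh ipsec-rules.sh 172.16.0.0/16 | sudo sh
# Assumptions: $1 is the tunnelled (remote) IPv4 subnet, and a MASQUERADE rule already
# sits in nat/POSTROUTING, so "-I" puts the policy exemption in front of it.

# Reject anything that is not a plausible IPv4 CIDR before it reaches iptables
# (the typo "172.16.0.0./16" seen in the thread is one thing this catches).
valid_cidr() {
    case "$1" in
        *[!0-9./]*|.*|*..*|*./*|*//*|/*|*/) return 1 ;;
    esac
    ip=${1%/*}; plen=${1#*/}
    [ "$ip" != "$1" ] || return 1                      # no "/" present at all
    [ "$plen" -ge 0 ] 2>/dev/null && [ "$plen" -le 32 ] || return 1
    n=0; old_ifs=$IFS; IFS=.
    for o in $ip; do
        n=$((n + 1))
        [ "$o" -le 255 ] || { IFS=$old_ifs; return 1; }
    done
    IFS=$old_ifs
    [ "$n" -eq 4 ]                                     # exactly four octets
}

# Rule set for one subnet. Matching on the IPsec policy (--pol ipsec, --proto esp)
# as well as the address means a clear-text packet that merely carries a tunnel
# address is not exempted; -s/-d on their own would be spoofable.
ipsec_rules() {
    valid_cidr "$1" || { echo "ipsec_rules: bad CIDR '$1'" >&2; return 1; }
    cat <<EOF
iptables -I INPUT  -m policy --pol ipsec --dir in  --proto esp -s $1 -j ACCEPT
iptables -I OUTPUT -m policy --pol ipsec --dir out --proto esp -d $1 -j ACCEPT
iptables -t nat -I POSTROUTING -m policy --pol ipsec --dir out -d $1 -j ACCEPT
EOF
}

# Dry run when invoked directly with a subnet argument.
if [ -n "${1:-}" ]; then
    ipsec_rules "$1"
fi
```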


