[Firehol-support] IPSec + Firehol
vik at etogo.net
Mon Jul 9 12:07:41 BST 2018
According to the docs, the 'firehol.conf' file is executed by
firehol as a shell script, so any shell command can be added there. The
problem is that this workaround is not firehol functionality and it's
not possible to configure such things using firehol itself. Furthermore,
it looks like firehol is not supported anymore. That's why, I
suppose, the best solution is to get rid of it. Dunno, probably in this
situation it's better to move to raw iptables.
On 7/9/18 06:09, Carlos Ferreira wrote:
> Thanks. It worked well. It was exactly what I wanted.
> For some time, I wanted to be able to add rules to iptables using
> the firehol.conf. I searched the documentation to find a way, and if
> something like that exists in the docs, I was unable to find it.
> Thank you!
> Carlos Ferreira
> On 6 July 2018 at 12:42, Viktor Remennik <vik at etogo.net> wrote:
>> Hi Carlos Miguel,
>> Had the same issue, found no solution yet. It is mentioned in the docs that
>> it is possible, but no clue how. The "ipsec+" interface wildcard is mentioned,
>> but I can't get it working. Maybe it's not suitable for tunnels because
>> there's no dedicated interface for IPsec.
>> Workaround is, as you noticed, just to add the raw iptables rule. I did it
>> by adding this to the end of the firehol.conf:
>> iptables -I INPUT --match policy --pol ipsec --dir in --proto esp -s 172.16.0.0/16 -j ACCEPT
>> iptables -I OUTPUT --match policy --pol ipsec --dir out --proto esp -d 172.16.0.0/16 -j ACCEPT
>> Where 172.16.0.0/16 is the internal subnet.
>> No masquerading required if you use a tunnel; you just connect to the internal
>> network over the internet. Also, there's no new interface for the tunnel,
>> so no firehol policies will be applied. According to this rule, any port is
>> accepted via the tunnel.
>> Please let me know if you find a solution. I almost decided to drop
>> firehol due to lack of support though. There are a lot of other firewalls, and
>> even a raw iptables fw is better, as you see.
>> Kind regards,
>> On 7/6/18 14:00, firehol-support-request at lists.firehol.org wrote:
>>> Hello to all
>>> I'm trying to get an IPsec tunnel to work in my router for hosts on
>>> the internet, and according to the strongswan documentation, I
>>> understand that I need to add a postrouting rule to iptables before
>>> the masquerade rule.
>>> My question is, how can I do this?
>>> I also understand that firehol provides ipsec service rules, but
>>> from what I understand, that's only used to open ports.
>>> Some help would be appreciated.
>>> My regards,
>>> Carlos Miguel Ferreira
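The thread's workaround (raw policy-match rules appended to firehol.conf) and the postrouting-before-masquerade rule from Carlos's question, written up as an added example that is not code from the thread or from firehol: a function emits the rules so they can be reviewed before being applied, and optionally narrows the "any port is accepted" INPUT rule to a list of TCP ports. Assumed: the xt_policy ("policy") match is available, the first argument is the tunnel's internal subnet, and the NAT exemption rule is the usual strongSwan-style POSTROUTING bypass.

```shell
#!/bin/sh
# Added example, not from the thread or firehol. Emit the iptables rules the
# firehol.conf workaround runs, as a reviewable function. Arguments: the
# tunnel's internal subnet (CIDR), then optional TCP ports to admit through
# the tunnel; with no ports the INPUT rule is the all-traffic one from the
# thread. The NAT exemption rule is an assumption based on strongSwan docs.
ipsec_rules() {
    subnet="$1"
    [ $# -gt 0 ] && shift
    # Refuse anything that is not a dotted-quad CIDR (e.g. the "172.16.0.0./16"
    # typo from the thread) rather than emitting a rule with a bad address.
    printf '%s' "$subnet" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$' \
        || { echo "bad subnet: $subnet" >&2; return 1; }

    # NAT exemption: traffic that will be IPsec-protected must skip
    # MASQUERADE, so it is inserted at the top of nat/POSTROUTING.
    echo "iptables -t nat -I POSTROUTING -m policy --pol ipsec --dir out -d $subnet -j ACCEPT"

    if [ $# -eq 0 ]; then
        # No port list: accept every service over the tunnel, as in the thread.
        echo "iptables -I INPUT -m policy --pol ipsec --dir in --proto esp -s $subnet -j ACCEPT"
    else
        # Port list: one INPUT rule per TCP service instead of "any port".
        for port in "$@"; do
            case "$port" in
                *[!0-9]*|"") echo "bad port: $port" >&2; return 1 ;;
            esac
            echo "iptables -I INPUT -m policy --pol ipsec --dir in --proto esp -s $subnet -p tcp --dport $port -j ACCEPT"
        done
    fi
    # Traffic from the gateway itself into the tunnel (OUTPUT, as in the thread).
    echo "iptables -I OUTPUT -m policy --pol ipsec --dir out --proto esp -d $subnet -j ACCEPT"
}

# Insert each rule only if it is not already present (iptables -C), so the
# block can be re-run without stacking duplicate rules. Needs root.
apply_ipsec_rules() {
    ipsec_rules "$@" | while IFS= read -r rule; do
        ${rule%% -I *} -C ${rule#* -I } 2>/dev/null || $rule
    done
}
```

Run `ipsec_rules 172.16.0.0/16 22 443` to print the rule set for review, and `apply_ipsec_rules` with the same arguments (as root) to install it.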