[Firehol-support] IPSec + Firehol

Viktor Remennik vik at etogo.net
Mon Jul 9 12:07:41 BST 2018


Np,

According to the docs, the 'firehol.conf' file is executed by the 
firehol as a shell script, so, any shell command can be added there. The 
problem is, that this workaround is not a firehol functionality and it's 
not possible to configure such things using firehol itself. Furthermore, 
it looks like the firehol is not supported anymore. That's why, I 
suppose, the best solution is to get rid of it. Dunno, probably in this 
situation it's better to move to the raw iptables.


Kind regards,
Viktor

On 7/9/18 06:09, Carlos Ferreira wrote:
> Thanks. It worked well. It was exactly what I wanted.
>
> For some time, I wanted to be able to add rules to the iptables, using
> the firehol.conf. I searched the documentation to find a way and if
> something exists in the docs, I was unable to find it.
>
> Thank you!
>
> Carlos Ferreira
>
> On 6 July 2018 at 12:42, Viktor Remennik <vik at etogo.net> wrote:
>> Hi Carlos Miguel,
>>
>>
>> Had the same issue, found no solution yet. It is mentioned in the docs that
>> it is possible, but no clue how. The "ipsec+" interface wildcard is mentioned,
>> but I can't get it working. Maybe it's not suitable for tunnels because
>> there's no dedicated interface for the ipsec.
>>
>> Workaround is, as you noticed, just to add the raw iptables rule. I did it
>> adding this to the end of the firehol.conf:
>>
>>
>> iptables -I INPUT  --match policy --pol ipsec --dir in  --proto esp -s 172.16.0.0/16 -j ACCEPT
>> iptables -I OUTPUT --match policy --pol ipsec --dir out --proto esp -d 172.16.0.0/16 -j ACCEPT
>>
>>
>> Where 172.16.0.0/16 is the internal subnet.
>>
>> No masquerading required if you use tunnel; you just connect to the internal
>> network over the internet. Also, there's no new interface for the tunnel,
>> so, no firehol policies will be applied. According to this rule, any port is
>> accepted via tunnel.
>>
>>
>> Please let me know if you'll find a solution. I almost decided to drop
>> firehol due to lack of support though. There's a lot of other firewalls and
>> even raw iptables fw is better, as you see.
>>
>> https://github.com/firehol/firehol/issues/323
>>
>> https://serverfault.com/questions/900531/firehol-ipsec-configuration
>>
>>
>> Kind regards,
>> Viktor
>>
>>
>> On 7/6/18 14:00, firehol-support-request at lists.firehol.org wrote:
>>> Hello to all
>>>
>>> I'm trying to get an IPsec tunnel to work in my router for hosts on
>>> the internet and according to the strongswan documentation, I
>>> understand that I need to add a postrouting rule to iptables before
>>> the masquerade rule [1].
>>>
>>> My question is, how can I do this?
>>>
>>> I also understand that firehol provides ipsec service rules, but
>>> from what I understand, that's only used to open ports.
>>>
>>> Some help would be appreciated.
>>>
>>>
>>>
>>> [1]: https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling#Hosts-on-the-Internet
>>>
>>> My regards,
>>> Carlos Miguel Ferreira
>>
>> _______________________________________________
>> Firehol-support mailing list
>> Firehol-support at lists.firehol.org
>> http://lists.firehol.org/mailman/listinfo/firehol-support
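As an added example (not code from the thread or from the firehol project), the tail below can be appended to firehol.conf, which firehol sources as a shell script: it validates the subnet before emitting anything, adds the INPUT/OUTPUT policy-match rules from Viktor's workaround, and goes further with FORWARD rules for the router case and the nat POSTROUTING exemption that the strongSwan forwarding page Carlos linked describes. The function names, the IPTABLES dry-run variable and the nat rule's exact form are my own assumptions.

```shell
#!/bin/sh
# Added example: reload-safe firehol.conf tail for IPsec policy matching.
# IPTABLES defaults to the real binary; set IPTABLES=echo to print the rules
# instead of applying them (useful for checking a config before "firehol start").
IPTABLES="${IPTABLES:-iptables}"

# Accept only a dotted-quad IPv4 prefix such as 172.16.0.0/16, so a typo like
# "172.16.0.0./16" fails loudly instead of producing a rule that never matches.
valid_cidr() {
    printf '%s\n' "$1" |
        grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# Add rules for packets that were (or will be) protected by an ESP policy.
# The policy match sees the decapsulated inner packet, so no port restriction
# applies here: any port is accepted via the tunnel, as noted in the thread.
ipsec_policy_rules() {
    subnet="$1"
    valid_cidr "$subnet" || {
        echo "ipsec_policy_rules: bad subnet '$subnet'" >&2
        return 1
    }
    # Decapsulated traffic addressed to / sent from this host (Viktor's rules).
    $IPTABLES -I INPUT   -m policy --pol ipsec --dir in  --proto esp -s "$subnet" -j ACCEPT || return 1
    $IPTABLES -I OUTPUT  -m policy --pol ipsec --dir out --proto esp -d "$subnet" -j ACCEPT || return 1
    # Router case (assumption): tunnelled traffic relayed to / from the LAN
    # traverses FORWARD, not INPUT/OUTPUT.
    $IPTABLES -I FORWARD -m policy --pol ipsec --dir in  --proto esp -s "$subnet" -j ACCEPT || return 1
    $IPTABLES -I FORWARD -m policy --pol ipsec --dir out --proto esp -d "$subnet" -j ACCEPT || return 1
    # Inserted at the top of nat POSTROUTING so it precedes any MASQUERADE rule
    # and the inner source address of tunnelled packets is left intact.
    $IPTABLES -t nat -I POSTROUTING -m policy --pol ipsec --dir out -d "$subnet" -j ACCEPT
}

# Constructed sample: the internal subnet from the thread. Uncomment in a real
# firehol.conf; left commented here so sourcing the file has no side effects.
# ipsec_policy_rules 172.16.0.0/16
```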