SHOREWALL6-TUNNELS(5) | Configuration Files | SHOREWALL6-TUNNELS(5)
NAME
tunnels - Shorewall6 VPN definition file
SYNOPSIS
/etc/shorewall6/tunnels
DESCRIPTION
The tunnels file is used to define rules for encapsulated (usually encrypted) traffic to pass between the Shorewall6 system and a remote gateway. Traffic flowing through the tunnel is handled using the normal zone/policy/rule mechanism. See http://www.shorewall.net/VPNBasics.html[1] for details.
The columns in the file are as follows (where the column name is followed by a different name in parentheses, the different name is used in the alternate specification syntax).
TYPE - {ipsec[:{noah|ah}]|ipsecnat|gre|l2tp|pptpclient|pptpserver|?COMMENT|{openvpn|openvpnclient|openvpnserver}[:{tcp|udp}][:port]|generic:protocol[:port]}
ipsec - IPv6 IPSEC
ipsecnat - IPv6 IPSEC with NAT Traversal (UDP port 4500 encapsulation)
gre - Generalized Routing Encapsulation (Protocol 47)
l2tp - Layer 2 Tunneling Protocol (UDP port 1701)
openvpn - OpenVPN in point-to-point mode
openvpnclient - OpenVPN client runs on the firewall
openvpnserver - OpenVPN server runs on the firewall
generic - Other tunnel type
tinc - TINC (added in Shorewall 4.6.6)
If the type is ipsec, it may be followed by :ah to indicate that the Authentication Headers protocol (51) is used by the tunnel (the default is :noah which means that protocol 51 is not used). NAT traversal is only supported with ESP (protocol 50) so ipsecnat tunnels don't allow the ah option (ipsecnat:noah may be specified but is redundant).
If type is openvpn, openvpnclient or openvpnserver it may optionally be followed by ":" and tcp or udp to specify the protocol to be used. If not specified, udp is assumed. Note: At this writing, OpenVPN does not support IPv6.
If type is openvpn, openvpnclient or openvpnserver it may optionally be followed by ":" and the port number used by the tunnel. If no ":" and port number are included, then the default port of 1194 will be used. Where both the protocol and port are specified, the protocol must be given first (e.g., openvpn:tcp:4444).
If type is generic, it must be followed by ":" and a protocol name (from /etc/protocols) or a protocol number. If the protocol is tcp or udp (6 or 17), then it may optionally be followed by ":" and a port number.
Comments may be attached to Netfilter rules generated from entries in this file through the use of ?COMMENT lines. These lines begin with the word ?COMMENT; the remainder of the line is treated as a comment which is attached to subsequent rules until another ?COMMENT line is found or until the end of the file is reached. To stop adding comments to rules, use a line with only the word ?COMMENT.
ZONE - zone
GATEWAY(S) (gateway or gateways) - address-or-range [ , ... ]
Beginning with Shorewall 4.5.3, a list of addresses or ranges may be given. Exclusion (shorewall6-exclusion(5)[2]) is not supported.
GATEWAY ZONE(S) (gateway_zone or gateway_zones) - [zone[,zone]...]
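As an added illustration of the column rules above (example code written for this page, not part of the man page or of Shorewall itself), the Python parser below decodes the TYPE column as described (ipsec/ipsecnat with :ah or :noah, the protocol-before-port order and udp/1194 defaults for the openvpn types, generic:protocol[:port], and the fixed-encapsulation types) and reads a tunnels file with ?COMMENT handling, gateway lists and gateway zones. The sample file, its 2001:db8:: addresses and the dictionary layout are constructed for the example; pptpclient and pptpserver are not decoded because the page does not state their encapsulation.

```python
FIXED = {"ipsec": ("esp", None), "ipsecnat": ("udp", 4500), "gre": ("47", None),
         "l2tp": ("udp", 1701), "tinc": (None, None)}  # as the man page states; tinc port not given

def parse_type(spec):
    """Decode the TYPE column: type, proto, port and whether AH (protocol 51) is used."""
    kind, *opts = spec.lower().split(":")
    out = {"type": kind, "proto": None, "port": None, "ah": False}
    if kind in ("ipsec", "ipsecnat"):
        out["ah"] = opts == ["ah"]                                # :noah is the default
        if opts not in ([], ["noah"]) and not (out["ah"] and kind == "ipsec"):
            raise ValueError(f"{spec!r}: only :ah or :noah, and no :ah with ipsecnat (ESP only)")
    elif kind in ("openvpn", "openvpnclient", "openvpnserver"):  # [:{tcp|udp}][:port]
        out["proto"] = opts.pop(0) if opts and opts[0] in ("tcp", "udp") else "udp"
        if len(opts) > 1 or (opts and not opts[0].isdigit()):
            raise ValueError(f"{spec!r}: protocol must precede the port")
        out["port"] = int(opts[0]) if opts else 1194              # page defaults: udp/1194
        return out
    elif kind == "generic" and opts:                              # :protocol[:port]
        out["proto"] = opts[0]
        if len(opts) == 2 and opts[0] in ("tcp", "udp", "6", "17"):
            out["port"] = int(opts[1])
        elif len(opts) > 1:
            raise ValueError(f"{spec!r}: a port is only valid with tcp/udp")
        return out
    elif kind not in FIXED or opts:
        raise ValueError(f"unknown or malformed tunnel type {spec!r}")
    out["proto"], out["port"] = FIXED[kind]
    return out

def parse_tunnels(text):
    """Parse entries; ?COMMENT text attaches to later entries until a bare ?COMMENT."""
    entries, comment = [], None
    for cols in (ln.split("#", 1)[0].split() for ln in text.splitlines()):  # '#' = comment
        if cols and cols[0] == "?COMMENT":
            comment = " ".join(cols[1:]) or None
        elif cols:
            if len(cols) < 3:
                raise ValueError(f"TYPE, ZONE and GATEWAY are required: {cols}")
            entry = parse_type(cols[0])
            entry.update(zone=cols[1], gateways=cols[2].split(","), comment=comment,
                         gateway_zones=cols[3].split(",") if len(cols) > 3 else [])
            entries.append(entry)
    return entries

SAMPLE = """?COMMENT IPsec to branch office (constructed sample, documentation addresses)
ipsec:noah       net   2001:db8:1::44
ipsec            net   ::/0                     gw
?COMMENT
openvpn:tcp:4444 net   2001:db8::1,2001:db8::2   # two gateways, no gateway zone"""
```

Running parse_tunnels(SAMPLE) attaches the ?COMMENT text to the first two entries only, since the bare ?COMMENT line stops it before the openvpn entry.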
EXAMPLE
Example 1: The remote gateway is 2001:cec792b4:1::44. The tunnel does not use the AH protocol.

    #TYPE          ZONE    GATEWAY
    ipsec:noah     net     2002:cec792b4:1::44

Example 2:

    #TYPE          ZONE    GATEWAY                 GATEWAY ZONES
    ipsec          net     ::/0                    gw

Example 3:

    #TYPE          ZONE    GATEWAY                 GATEWAY ZONES
    ipsec          net     2001:cec792b4:1::44     gw

Example 4:

    #TYPE          ZONE    GATEWAY                 GATEWAY ZONES
    openvpn:7777   net     2001:cec792b4:1::44

Example 8:

    #TYPE              ZONE    GATEWAY                 GATEWAY ZONES
    generic:udp:4444   net     2001:cec792b4:1::44

Example 9:

    #TYPE          ZONE    GATEWAY                 GATEWAY ZONES
    tinc           net     ::/0
FILES
/etc/shorewall6/tunnels
SEE ALSO
http://www.shorewall.net/configuration_file_basics.htm#Pairs[3]
shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5), shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5), shorewall6-netmap(5), shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5), shorewall6-rtrules(5), shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-mangle(5), shorewall6-tos(5), shorewall6-zones(5)
NOTES
2. shorewall6-exclusion
03/16/2017 | Configuration Files