{"id":4497,"date":"2022-12-20T18:08:49","date_gmt":"2022-12-20T21:08:49","guid":{"rendered":"http:\/\/lode.uno\/linux-man\/index.php\/2022\/12\/20\/shorewalltunnels-man5\/"},"modified":"2022-12-20T18:08:49","modified_gmt":"2022-12-20T21:08:49","slug":"shorewalltunnels-man5","status":"publish","type":"post","link":"https:\/\/lode.uno\/linux-man\/2022\/12\/20\/shorewalltunnels-man5\/","title":{"rendered":"SHOREWALL−TUNNELS (man5)"},"content":{"rendered":"

SHOREWALL\u2212TUNNELS<\/h1>\n

NAME<\/a>
SYNOPSIS<\/a>
DESCRIPTION<\/a>
EXAMPLE<\/a>
FILES<\/a>
SEE ALSO<\/a>
NOTES<\/a> <\/p>\n

\n

NAME <\/a> <\/h2>\n

tunnels \u2212 Shorewall VPN definition file<\/p>\n

SYNOPSIS <\/a> <\/h2>\n\n\n
<\/td>\n\n

\/etc\/shorewall[6]\/tunnels<\/b><\/p>\n<\/td>\n

 <\/td>\n<\/tr>\n<\/table>\n

DESCRIPTION <\/a> <\/h2>\n

The tunnels file is used to define rules for encapsulated (usually encrypted) traffic to pass between the Shorewall system and a remote gateway. Traffic flowing through the tunnel is handled using the normal zone\/policy\/rule mechanism. See https:\/\/shorewall.org\/VPNBasics.html<\/font><\/b> [1]<\/font><\/small> for details.<\/font><\/p>\n

The columns in the file are as follows.<\/font><\/p>\n

TYPE<\/b> \u2212 {ipsec<\/b>[:{noah<\/b>|ah}]|ipsecnat<\/b>|ipip<\/b>|gre<\/b>|l2tp|pptpclient<\/b>|pptpserver<\/b>|?COMMENT|{openvpn<\/b>|openvpnclient<\/b>|openvpnserver<\/b>}[:{tcp<\/b>|udp<\/b>}][<\/b>:port<\/i>]|generic:<\/b>protocol<\/i>[:<\/b>port<\/i>]}<\/font><\/p>\n

Types are as follows:<\/font><\/p>\n

6to4<\/b> or 6in4<\/b> \u2212 6to4 or 6in4 tunnel. The 6in4<\/b> synonym was added in 4.4.24.
ipsec<\/b> \u2212 IPv4 IPSEC
ipsecnat<\/b> \u2212 IPv4 IPSEC with NAT Traversal (UDP port 4500 encapsulation)
ipip<\/b> \u2212 IPv4 encapsulated in IPv4 (Protocol 4)
gre<\/b> \u2212 Generalized Routing Encapsulation (Protocol 47)
l2tp<\/b> \u2212 Layer 2 Tunneling Protocol (UDP port 1701)
pptpclient<\/b> \u2212 PPTP Client runs on the firewall
pptpserver<\/b> \u2212 PPTP Server runs on the firewall
openvpn<\/b> \u2212 OpenVPN in point\u2212to\u2212point mode
openvpnclient<\/b> \u2212 OpenVPN client runs on the firewall
openvpnserver<\/b> \u2212 OpenVPN server runs on the firewall
generic<\/b> \u2212 Other tunnel type
tinc<\/b> \u2212 TINC (added in Shorewall 4.6.6)<\/font><\/p>\n

If the type is ipsec<\/b>, it may be followed by :ah<\/b> to indicate that the Authentication Headers protocol (51) is used by the tunnel (the default is :noah<\/b> which means that protocol 51 is not used). NAT traversal is only supported with ESP (protocol 50) so ipsecnat<\/b> tunnels don’t allow the ah<\/b> option (ipsecnat:noah<\/b> may be specified but is redundant).<\/font><\/p>\n

If type is openvpn<\/b>, openvpnclient<\/b> or openvpnserver<\/b> it may optionally be followed by “:” and tcp<\/b> or udp<\/b> to specify the protocol to be used. If not specified, udp<\/b> is assumed.<\/font><\/p>\n

If type is openvpn<\/b>, openvpnclient<\/b> or openvpnserver<\/b> it may optionally be followed by “:” and the port number used by the tunnel. if no “:” and port number are included, then the default port of 1194 will be used. . Where both the protocol and port are specified, the protocol must be given first (e.g., openvpn:tcp:4444).<\/font><\/p>\n

If type is generic<\/b>, it must be followed by “:” and a protocol name (from \/etc\/protocols) or a protocol number. If the protocol is tcp<\/b> or udp<\/b> (6 or 17), then it may optionally be followed by “:” and a port number.<\/font><\/p>\n

Comments may be attached to Netfilter rules generated from entries in this file through the use of \/COMMENT lines. These lines begin with ?COMMENT; the remainder of the line is treated as a comment which is attached to subsequent rules until another ?COMMENT line is found or until the end of the file is reached. To stop adding comments to rules, use a line containing only ?COMMENT.<\/font><\/p>\n

Note<\/big><\/b>
Beginning with Shorewall 4.5.11, ?COMMENT is a synonym for COMMENT and is preferred.<\/font><\/p>\n

ZONE<\/big><\/b> \u2212 zone<\/i><\/big><\/font><\/p>\n

The zone<\/i> of the physical interface through which tunnel traffic passes. This is normally your internet zone.<\/big><\/font><\/p>\n

GATEWAY<\/b>(S) (gateway or gateways) \u2212 address\u2212or\u2212range<\/i> [ , … ]<\/b><\/big><\/font><\/p>\n

The IP address of the remote tunnel gateway. If the remote gateway has no fixed address (Road Warrior) then specify the gateway as 0.0.0.0\/0<\/b>. May be specified as a network address and if your kernel and iptables include iprange match support then IP address ranges are also allowed.<\/big><\/font><\/p>\n

Beginning with Shorewall 4.5.3, a list of addresses or ranges may be given. Exclusion (<\/big><\/font>shorewall\u2212exclusion<\/font><\/b><\/big> [2] (5) ) is not supported.<\/big><\/font><\/p>\n

GATEWAY ZONES<\/b> (gateway_zone or gateway_zones) \u2212 [zone<\/i>[,<\/b>zone<\/i>]…]<\/big><\/font><\/p>\n

Optional. If the gateway system specified in the third column is a standalone host then this column should contain a comma\u2212separated list of the names of the zones that the host might be in. This column only applies to IPSEC tunnels where it enables ISAKMP traffic to flow through the tunnel to the remote gateway(s).<\/big><\/font><\/p>\n

EXAMPLE <\/a> <\/h2>\n

IPv4 Example 1:<\/big><\/font><\/p>\n

IPSec tunnel.<\/big><\/font><\/p>\n

The remote gateway is 4.33.99.124 and the remote subnet is 192.168.9.0\/24. The tunnel does not use the AH protocol<\/big><\/font><\/p>\n

#TYPE ZONE GATEWAY
ipsec:noah net 4.33.99.124<\/big><\/font><\/p>\n

IPv4 Example 2:<\/big><\/font><\/p>\n

Road Warrior (LapTop that may connect from anywhere) where the “gw” zone is used to represent the remote LapTop<\/big><\/font><\/p>\n

#TYPE ZONE GATEWAY GATEWAY ZONES
ipsec net 0.0.0.0\/0 gw<\/big><\/font><\/p>\n

IPv4 Example 3:<\/big><\/font><\/p>\n

Host 4.33.99.124 is a standalone system connected via an ipsec tunnel to the firewall system. The host is in zone gw.<\/big><\/font><\/p>\n

#TYPE ZONE GATEWAY GATEWAY ZONES
ipsec net 4.33.99.124 gw<\/big><\/font><\/p>\n

IPv4 Example 4:<\/big><\/font><\/p>\n

Road Warriors that may belong to zones vpn1, vpn2 or vpn3. The FreeS\/Wan _updown script will add the host to the appropriate zone using the shorewall add<\/b> command on connect and will remove the host from the zone at disconnect time.<\/big><\/font><\/p>\n

#TYPE ZONE GATEWAY GATEWAY ZONES
ipsec net 0.0.0.0\/0 vpn1,vpn2,vpn3<\/big><\/font><\/p>\n

IPv4 Example 5:<\/big><\/font><\/p>\n

You run the Linux PPTP client on your firewall and connect to server 192.0.2.221.<\/big><\/font><\/p>\n

#TYPE ZONE GATEWAY GATEWAY ZONES
pptpclient net 192.0.2.221<\/big><\/font><\/p>\n

IPv4 Example 6:<\/big><\/font><\/p>\n

You run a PPTP server on your firewall.<\/big><\/font><\/p>\n

#TYPE ZONE GATEWAY GATEWAY ZONES
pptpserver net 0.0.0.0\/0<\/big><\/font><\/p>\n

Example 7:<\/big><\/font><\/p>\n

OPENVPN tunnel. The remote gateway is 4.33.99.124 and openvpn uses port 7777.<\/big><\/font><\/p>\n

#TYPE ZONE GATEWAY GATEWAY ZONES
openvpn:7777 net 4.33.99.124<\/big><\/font><\/p>\n

IPv4 Example 8:<\/big><\/font><\/p>\n

You have a tunnel that is not one of the supported types. Your tunnel uses UDP port 4444. The other end of the tunnel is 4.3.99.124.<\/big><\/font><\/p>\n

#TYPE ZONE GATEWAY GATEWAY ZONES
generic:udp:4444 net 4.3.99.124<\/big><\/font><\/p>\n

IPv4 Example 9:<\/big><\/font><\/p>\n

TINC tunnel where the remote gateways are not specified. If you wish to specify a list of gateways, you can do so in the GATEWAY column.<\/big><\/font><\/p>\n

#TYPE ZONE GATEWAY GATEWAY ZONES
tinc net 0.0.0.0\/0<\/big><\/font><\/p>\n

IPv6 Example 1:<\/big><\/font><\/p>\n

IPSec tunnel.<\/big><\/font><\/p>\n

The remote gateway is 2001:cec792b4:1::44. The tunnel does not use the AH protocol<\/big><\/font><\/p>\n

#TYPE ZONE GATEWAY
ipsec:noah net 2002:cec792b4:1::44<\/big><\/font><\/p>\n

IPv6 Example 2:<\/big><\/font><\/p>\n

Road Warrior (LapTop that may connect from anywhere) where the “gw” zone is used to represent the remote LapTop<\/big><\/font><\/p>\n

#TYPE ZONE GATEWAY GATEWAY ZONES
ipsec net ::\/0 gw<\/big><\/font><\/p>\n

IPv6 Example 3:<\/big><\/font><\/p>\n

Host 2001:cec792b4:1::44 is a standalone system connected via an ipsec tunnel to the firewall system. The host is in zone gw.<\/big><\/font><\/p>\n

#TYPE ZONE GATEWAY GATEWAY ZONES
ipsec net 2001:cec792b4:1::44 gw<\/big><\/font><\/p>\n

IPv6 Example 4:<\/big><\/font><\/p>\n

OPENVPN tunnel. The remote gateway is 2001:cec792b4:1::44 and openvpn uses port 7777.<\/big><\/font><\/p>\n

#TYPE ZONE GATEWAY GATEWAY ZONES
openvpn:7777 net 2001:cec792b4:1::44<\/big><\/font><\/p>\n

IPv6 Example 8:<\/big><\/font><\/p>\n

You have a tunnel that is not one of the supported types. Your tunnel uses UDP port 4444. The other end of the tunnel is 2001:cec792b4:1::44.<\/big><\/font><\/p>\n

#TYPE ZONE GATEWAY GATEWAY ZONES
generic:udp:4444 net 2001:cec792b4:1::44<\/big><\/font><\/p>\n

IPv6 Example 9:<\/big><\/font><\/p>\n

TINC tunnel where the remote gateways are not specified. If you wish to specify a list of gateways, you can do so in the GATEWAY column.<\/big><\/font><\/p>\n

#TYPE ZONE GATEWAY GATEWAY ZONES
tinc net ::\/0<\/big><\/font><\/p>\n

FILES <\/a> <\/h2>\n

\/etc\/shorewall\/tunnels<\/big><\/font><\/p>\n

\/etc\/shorewall6\/tunnels<\/big><\/font><\/p>\n

SEE ALSO <\/a> <\/h2>\n

https:\/\/shorewall.org\/configuration_file_basics.htm#Pairs<\/font><\/b><\/big> [3]<\/font><\/p>\n

shorewall(8)<\/big><\/font><\/p>\n

NOTES <\/a> <\/h2>\n\n\n
<\/td>\n\n

1.<\/big><\/font><\/p>\n<\/td>\n

<\/td>\n\n

https:\/\/shorewall.org\/VPNBasics.html<\/big><\/font><\/p>\n<\/td>\n

 <\/td>\n<\/tr>\n<\/table>\n

https:\/\/shorewall.org\/VPNBasics.html<\/big><\/font><\/p>\n\n\n
<\/td>\n\n

2.<\/big><\/font><\/p>\n<\/td>\n

<\/td>\n\n

shorewall-exclusion<\/big><\/font><\/p>\n<\/td>\n

 <\/td>\n<\/tr>\n<\/table>\n

https:\/\/shorewall.org\/manpages\/shorewall-exclusion.html<\/big><\/font><\/p>\n\n\n
<\/td>\n\n

3.<\/big><\/font><\/p>\n<\/td>\n

<\/td>\n\n

https:\/\/shorewall.org\/configuration_file_basics.htm#Pairs<\/big><\/font><\/p>\n<\/td>\n<\/tr>\n<\/table>\n

https:\/\/shorewall.org\/configuration_file_basics.htm#Pairs<\/big><\/font><\/p>\n

\n","protected":false},"excerpt":{"rendered":"

tunnels \u2212 Shorewall VPN definition file <\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[959],"tags":[961,1291,1467],"class_list":["post-4497","post","type-post","status-publish","format-standard","hentry","category-5-formatos-de-ficheros","tag-961","tag-man5","tag-shorewall-tunnels"],"gutentor_comment":0,"_links":{"self":[{"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/posts\/4497","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/comments?post=4497"}],"version-history":[{"count":0,"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/posts\/4497\/revisions"}],"wp:attachment":[{"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/media?parent=4497"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/categories?post=4497"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/tags?post=4497"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}