Virtual private networking to a dmz, Firewall configuration, Starting shorewall firewall menu – RuggedCom RuggedRouter RX1100 User Manual

14. Configuring The Firewall

Revision 1.14.3

126

RX1000/RX1100™

wider subnet mask such as 0.0.0.0/0. It is important that the vpn zone be declared before the net zone
since the more specific vpn zone subnet must be inspected first.

Host Zone

Interface

Subnet

IPsec Zone?

vpn

w1ppp

192.168.1.0/24

Yes

net

w1ppp

0.0.0.0/0

No

The IPsec protocol operates on UDP port 500 and using protocols ah (Authentication Header) and
Encapsulating Security Payload (ESP) protocols. The firewall must accept this traffic in order to allow
IPsec.

Action

Source-Zone

Destination-Zone

Protocol

Dest-Port

ACCEPT

net

fw

ah

ACCEPT

net

fw

esp

ACCEPT

net

fw

udp

500

IPSec traffic arriving at the firewall is directed to openswan, the IPSec daemon. Openswan then
decrypts the traffic and forwards it back to shorewall on the same interface that originally received it.
You will also need a rule to allow traffic to enter from this interface.

ACCEPT

vpn

loc

14.5.2. Virtual Private Networking To A DMZ

If the firewall is to pass the VPN traffic through to another device (e.g. a VPN device in a DMZ) then
establish a DMZ zone and install the following rules.

ACCEPT

net

dmz

ah

ACCEPT

net

dmz

esp

ACCEPT

net

dmz

udp

500

ACCEPT

dmz

net

ah

ACCEPT

dmz

net

esp

ACCEPT

dmz

net

udp

500

14.6. Firewall Configuration

Figure 14.1. Starting Shorewall Firewall Menu