Tom Eastep | 5 Feb 17:48 2006

Re: RE: Hamachi's VPN solution and Shorewall

On Sunday 05 February 2006 08:27, Tom Eastep wrote:
> On Sunday 05 February 2006 08:21, Tom Eastep wrote:
>
> Note that this last part *may* not be necessary -- until someone tries this
> thing with Shorewall, we won't know. If it works ok without this part then
> it would seem that you could run multiple instances of Hamachi behind your
> firewall.
>
> > b) You need to forward the UDP port to your local system. Assuming that
> > you've selected port 12975 as mentioned in the FAQ:
> >
> > 	DNAT	net	loc:<your local IP>	udp	12975
>

Note that I haven't talked about running Hamachi on the firewall itself. To do 
that, you would need additional stuff:

/etc/shorewall/zones:

ham      ipv4                  # Host(s) on the other end of the P2P link

/etc/shorewall/interfaces:

ham      <tap device>     -    # Hamachi documentation is almost non-existent
                               # on their web site but I get the impression
                               # that they may name their devices 'hamN' for
                               # N = 0,1,2,...

/etc/shorewall/policy:

ham      all       REJECT:info # I won't touch this thing with a 10-foot pole
all      ham       ACCEPT      # Fools rush in where wise men never go

/etc/shorewall/rules:

ACCEPT   $FW       net         tcp     12975    #Only if your $FW->net policy
                                                #isn't ACCEPT
ACCEPT   net       $FW         udp     12975    #You may not need this...

<rules allowing the traffic from ham that you are willing to permit>

Again, if someone wants to play with this thing I'll be glad to advise -- I 
just have no interest in using it myself or in spending any of my time trying 
to understand the thing.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep <at> shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
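To see what the policy and rules fragments in the post actually do to a given packet, here is an added example that is not from the post and not Shorewall's own code: a simplified Python evaluator that assumes Shorewall's rules-then-policy order (the first matching rules entry wins, otherwise the zone-pair policy entry applies). The zone names and port 12975 are taken from the post; the table text, the `evaluate` function and the simplifications (exact zone and port matching, no interface or address matching, no catch-all policy) are assumptions of this example.

```python
# Simplified model of Shorewall evaluation for the fragments in the post.
# NOT Shorewall code: real Shorewall also matches interfaces, addresses,
# port ranges, macros and more. Zone "$FW" stands for the firewall itself.

# Constructed from the policy and rules fragments in the post (comments kept
# to show they are stripped; the post has no catch-all "all all" policy).
POLICY = """\
ham      all       REJECT:info # I won't touch this thing with a 10-foot pole
all      ham       ACCEPT      # Fools rush in where wise men never go
"""

RULES = """\
ACCEPT   $FW       net         tcp     12975    #Only if your $FW->net policy isn't ACCEPT
ACCEPT   net       $FW         udp     12975    #You may not need this...
"""


def parse_table(text):
    """Split a whitespace-separated Shorewall table into rows, dropping comments."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rows.append(line.split())
    return rows


def zone_matches(pattern, zone):
    """'all' matches every zone, including the firewall zone."""
    return pattern == "all" or pattern == zone


def evaluate(src, dst, proto, port, rules=RULES, policy=POLICY):
    """Return the action for a packet from zone src to zone dst with the given
    protocol and destination port: first matching rule, else the zone-pair policy.
    Returns None when no policy covers the pair (real Shorewall needs a catch-all)."""
    for action, rsrc, rdst, rproto, rport in (row[:5] for row in parse_table(rules)):
        if rsrc == src and rdst == dst and rproto == proto and rport == str(port):
            return action
    for psrc, pdst, paction in (row[:3] for row in parse_table(policy)):
        if zone_matches(psrc, src) and zone_matches(pdst, dst):
            return paction.split(":", 1)[0]  # drop the ":info" log level
    return None
```

Running `evaluate("ham", "$FW", "udp", 12975)` yields `REJECT`, showing that the net->$FW rule does not open the Hamachi port to peers in the `ham` zone; anything from `ham` is governed by the REJECT:info policy until rules for that zone are added.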

