Hi Ian,
I have been able to get the VPN server running. I'm concerned, though, that I had to open up too much in my firewall config to make this possible. I don't have access to the firewall config file right now, but what I did is that I added all the possible ppp adapters to FW_DEV_INT and then I added a forwarding rule for all ports with source and destination of 192.168.1.0/24 like this:

FW_FORWARD_TCP="192.168.1.0/24,192.168.1.0/24,1:65535" # Beware to use this!
FW_FORWARD_UDP="192.168.1.0/24,192.168.1.0/24,1:65535" # Beware to use this!
FW_FORWARD_IP="192.168.1.0/24,192.168.1.0/24,1" # Beware to use this!

What I don't understand, though, is how to limit the destination of these packages to be one of the ppp adapters and not my FW_DEV_WORLD adapter. Maybe packages from 192.168.1.0/24 will be denied from FW_DEV_WORLD, but I have no way of testing that. I'm also not sure if the FORWARD rule overrides the INPUT rule or not, that is, if packets entered FW_DEV_WORLD from a source of 192.168.1.0/24, will they be forwarded to the internal network even though they are not open in:

FW_SERVICES_EXTERNAL_TCP="" # Common: smtp domain
FW_SERVICES_EXTERNAL_UDP="" # Common: domain

I clearly need to spend some more time understanding these rules. If anyone on the list has some information on how to properly set up incoming VPN connections to a pptpd running on the firewall, that would be very helpful...
Thanks
Daniel Nilsson

Ian F. Silver wrote:
Dear Daniel,
I saw your post to the SuSE-Security mailing list where you were asking about setting up a VPN/PPTP connection from the outside world to your 192.168.1.0/24 masqueraded address machines on the internal side of the SuSEfirewall you've set up.
I've got an almost _identical_ setup to yours, and am exploring the exact same options as you, though I don't think I'm quite as far along as you are (I haven't set up PPTPD yet, I'm still in the exploration/information seeking phase).
I was seriously thinking of switching firewall packages over to Astaro's offering due to all the features it has, but since I've been happy with the SuSEfirewall package to date, I'd like to stick with it if possible.
Have you had any luck so far with your configuration of a VPN with SuSEfirewall? If so, would you be willing to share your configs (minus any sensitive info/passwords of course!) to give me a leg up in getting farther along this path? If I can come up with any insights, of course I'll be willing to share them in return. :-)
Sincerely,
Ian F. Silver