Mailinglist Archive: opensuse-security (359 mails)

Re: [suse-security] SuSEfirewall2 & MS/VPN
  • From: Andy Bennett <andy@xxxxxxxxxxxxxxxxxxxxx>
  • Date: Mon, 28 Jul 2003 13:13:38 +0100
  • Message-id: <200307281313.39071.andy@xxxxxxxxxxxxxxxxxxxxx>
Hello,

When you say:-

> 'You can put the M$ box behind
> a suse firewall if you have an official IP for the box, too. Then just
> close all except the PPTP Port and the machine is as safe as in your
> current setup it would be (if it would work ;)'

Do you mean a fixed IP address for the SuSEfirewall2 box or the MS VPN box? In
fact, I have fixed IP addresses for both and they are both publicly
available. So, if my fixed IP address for my MS VPN machine is 123.456.78.9
then I should be able to forward packets like so,

FW_FORWARD="0/0,123.456.78.9,tcp,1723"

What I'm trying to achieve is this:

Internet
|
Exterior router
|
SuSEfirewall2 PC ---- MS VPN box
|
Internal network

as opposed to

Internet
|
Exterior router
| |
SuSEfirewall <--> MS/VPN
|
Internal network

At the moment the MS/VPN machine can be got to directly from the internet...

Rgds
Andy

On Saturday 26 July 2003 02:50, Sven 'Darkman' Michels wrote:
> Andy Bennett wrote:
> > Hi,
> >
> > Edit what package?
>
> TCP Datapacket, not a package like a rpm or so ;)
>
> > The Microsoft Windows 2000 server is already running
> > pptp/vpn and working fine. All I'm trying to establish is whether it is
> > possible to place it behind the firewall and forward the VPN connection
> > to it so that the rest of the available ports/connections on the MS
> > Windows 2000 server machine aren't visible, (i.e. vulnerable), to attack.
>
> I know what you're trying but AFAIK your setup isn't possible. Try to
> establish a PPTP connection from a client BEHIND a gateway to some
> VPN Server, without special modules it *WILL NOT* work. PPTP packets
> must be passed through, not handled like normal, masqueraded, packets.
> If you reverse the setup, you'll see that DNAT is like masquerading
> and so PPTP won't work in your setup. You can put the M$ box behind
> a suse firewall if you have an official IP for the box, too. Then just
> close all except the PPTP Port and the machine is as safe as in your
> current setup it would be (if it would work ;)
>
> > If, as has been stated, the forward rule simply does NAT on that
> > particular port, 1723, for that particular protocol, TCP, that's all I
> > need isn't it?
>
> it isn't. As I said, AFAIK you cannot simply NAT PPTP Packets.
>
> > To be clear - I am talking about connections to a permanently connected
> > setup from outside - i.e. road warriors.
>
> I know ;)
>
> So, HTH and good night (sorry for typos... it's nearly 4 am and I'm
> just back from a party %-)
>
> Sven
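A small check of the kind a firewall admin would want before putting a PPTP server behind SuSEfirewall2, added here as an example and not part of the original thread: it parses FW_FORWARD entries and reports hosts that get the tcp/1723 control channel forwarded but have no GRE entry. PPTP's data channel runs over GRE (IP protocol 47), which is exactly what a plain TCP port forward leaves out. The entry syntax src,dst[,proto[,port]], the use of "gre" or "47" in the protocol field, and the addresses in the sample line are assumptions and constructed placeholders.

```python
import re
from typing import Dict, List

# Constructed sample config line (placeholder addresses, not real hosts):
# one host gets only tcp/1723, the other gets tcp/1723 plus GRE.
SAMPLE_CONFIG = '''
FW_FORWARD="0/0,192.0.2.9,tcp,1723 0/0,192.0.2.10,tcp,1723 0/0,192.0.2.10,gre"
'''

PPTP_CONTROL_PORT = "1723"
GRE_PROTO_NAMES = {"gre", "47"}  # assumed spellings of the GRE protocol field


def parse_fw_forward(config_text: str) -> List[Dict[str, str]]:
    """Return FW_FORWARD entries as dicts with keys src, dst, proto, port.

    Assumed entry syntax: src_net,dst_net[,protocol[,port[,flags]]],
    whitespace-separated inside the double-quoted value.
    """
    m = re.search(r'^\s*FW_FORWARD="([^"]*)"', config_text, re.MULTILINE)
    if not m:
        return []
    entries = []
    for item in m.group(1).split():
        fields = item.split(",")
        if len(fields) < 2:
            continue  # malformed entry: skip rather than guess
        entries.append({
            "src": fields[0],
            "dst": fields[1],
            "proto": fields[2].lower() if len(fields) > 2 else "",
            "port": fields[3] if len(fields) > 3 else "",
        })
    return entries


def pptp_hosts_missing_gre(entries: List[Dict[str, str]]) -> List[str]:
    """Hosts forwarded tcp/1723 (PPTP control) without a matching GRE entry.

    Without GRE the control session comes up and the tunnel then stalls.
    """
    pptp_hosts = {e["dst"] for e in entries
                  if e["proto"] == "tcp" and e["port"] == PPTP_CONTROL_PORT}
    gre_hosts = {e["dst"] for e in entries if e["proto"] in GRE_PROTO_NAMES}
    return sorted(pptp_hosts - gre_hosts)


if __name__ == "__main__":
    for host in pptp_hosts_missing_gre(parse_fw_forward(SAMPLE_CONFIG)):
        print(f"{host}: tcp/1723 forwarded but no GRE entry")
```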

