* Kostyal Daniel wrote on Wed, Jul 16, 2003 at 19:34 +0300:
Thank you very much. You were right. The problem was that the ipsec0 interface was in FW_DEV_EXT, not in FW_DEV_INT.
I do not know if this is right for you also. In my case, there is exactly one trusted VPN peer. I don't want to filter anything between all the LANs, so for me it is right :-)
I put it there because the SuSEfirewall2 manual says: "Also, you need to add ipsec0 to the FW_DEV_EXT variable". Will this be a security issue???????
Well, I must admit that I do not understand SuSEfirewall2. I just saw some EXT/DMZ/INT structure. I do not know if EXT/EXT/INT/INT or more complex topologies are supported; well, I doubt that for a desktop Linux system such things are necessary - an own script would be needed anyway.

Well, for 2.0.x and 2.2.x I had my own script. Besides controlling some general features such as rp_filter and friends, its configuration file consists of "rules", basically in the form:

  #DHCP
  input: any:68 any:67 udp ACCEPT -i eth0
  #NTP (don't try this @home :-))
  input: ntps2-0:123 any:123 udp ACCEPT
  input: ntps2-1:123 any:123 udp ACCEPT
  input: ntps2-2:123 any:123 udp ACCEPT
  #some other LAN
  forward: 192.168.9.0/24 192.168.101.0/24 all ACCEPT -b

and so on. I cannot imagine how this can be easily abstracted except with ACL-style things.

Well, and for the guys that have multiple cascaded firewalls, as companies do, they can buy a Firewall-on-CD licence for it (I don't know if you need a licence for every firewall; this can get expensive). I guess it is supported to configure end-to-end connections, then some tool calculates which firewalls need which rules, but I don't know. I never had the time to look at the Firewall on CD, and I have not read so many things about it here.

oki,
Steffen

--
This message was generated by machine and therefore bears neither signature nor seal.