* Kostyal Daniel wrote on Wed, Jul 16, 2003 at 16:57 +0300:
1 Suse 8.0, 2 NICs, freeswan VPN. All I want is to use the VPN, have access from the remote network to the Samba service installed on the same computer, and to access ssh from anywhere. Nothing else. Thanx.
I have SuSE 8.2 as roadwarrior with freeswan + SuSEfirewall2. The SuSEfirewall2 seems to make a lot of assumptions. It seems you either live with it, or don't use it :-) For instance, FW_SERVICE_AUTODETECT="yes" seems to work only if the services are running locally (otherwise, I couldn't imagine how it should work). Please correct me if I'm wrong and give improved examples!

Setup: ipsec0 with 192.168.1.0/24 <-> 192.168.2.0/24. eth1 internal LAN.

1. If you allow something from ext, you have to allow it for everyone. Set:
   FW_SERVICES_EXT_UDP="500"
   FW_SERVICES_EXT_IP="50 51"
   to allow everyone (!) to access ISAKMP and ESP/AH.

2. Make ipsec0 an internal interface:
   FW_DEV_INT="eth1 ipsec0"

3. Try to make it work. I set
   FW_PROTECT_FROM_INTERNAL="no"
   FW_TRUSTED_NETS="192.168.1.0/24 192.168.2.0/24"
   (it seems to be assumed that trusted networks are on the internal interfaces only, because it seems an explicit DROP rule is created on the external interface)

4. FW_KERNEL_SECURITY="no" to disable the "rp_filter" feature. It seems to be assumed that you either want many or none of the kernel security features.

5. Because I just have one external interface and no DMZ, I set:
   FW_ALLOW_CLASS_ROUTING="yes"
   I didn't find a FW_ALLOW_INTERNAL_ROUTING or FW_ALLOW_TRUSTED_ROUTING.

Finally, the portscan from external looks good so I can live with it :-)

oki,
Steffen

--
This message was generated by machine, so it bears neither signature nor seal.
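The five steps above amount to a handful of variables in /etc/sysconfig/SuSEfirewall2, and each of them widens exposure in a way worth checking before the file goes live: UDP 500 and IP protocols 50/51 are opened to every external source, FW_PROTECT_FROM_INTERNAL="no" lets every host on the internal side (the VPN peers included) reach all local services, and FW_KERNEL_SECURITY="no" switches off rp_filter together with the rest of the kernel protections. The script below is an added example, not Steffen's or SuSE's own code: it reads two constructed sysconfig fragments built from the values in the post (the external NIC name eth0 is assumed, the post does not name it) and prints one line per finding, including the case where step 2 was forgotten and ipsec0 is missing from FW_DEV_INT. The function names get_var, audit_susefw2 and count_findings are mine.

```shell
#!/bin/sh
# Added example: audit a SuSEfirewall2 sysconfig fragment for the
# settings discussed in the thread. Both config files below are
# constructed from the values in the post; they are not real files.

SAMPLE_A="${TMPDIR:-/tmp}/susefw2_a.$$"
SAMPLE_B="${TMPDIR:-/tmp}/susefw2_b.$$"
trap 'rm -f "$SAMPLE_A" "$SAMPLE_B"' EXIT

# Sample A: the settings as described in steps 1-5 (eth0 assumed).
cat > "$SAMPLE_A" <<'EOF'
FW_DEV_EXT="eth0"
FW_DEV_INT="eth1 ipsec0"
FW_SERVICES_EXT_UDP="500"
FW_SERVICES_EXT_IP="50 51"
FW_PROTECT_FROM_INTERNAL="no"
FW_TRUSTED_NETS="192.168.1.0/24 192.168.2.0/24"
FW_KERNEL_SECURITY="no"
FW_ALLOW_CLASS_ROUTING="yes"
EOF

# Sample B: step 2 forgotten (ipsec0 not internal), kernel defaults kept.
cat > "$SAMPLE_B" <<'EOF'
FW_DEV_EXT="eth0"
FW_DEV_INT="eth1"
FW_SERVICES_EXT_UDP="500"
FW_SERVICES_EXT_IP="50 51"
FW_PROTECT_FROM_INTERNAL="yes"
FW_KERNEL_SECURITY="yes"
EOF

# get_var FILE NAME: print the value of NAME from a sysconfig-style
# file without sourcing it, so nothing in the file gets executed.
get_var() {
    sed -n "s/^$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}.*/\1/p" "$1" | tail -n 1
}

# audit_susefw2 FILE: print one line per finding, in a fixed order.
audit_susefw2() {
    cfg="$1"
    ext_udp=$(get_var "$cfg" FW_SERVICES_EXT_UDP)
    ext_ip=$(get_var "$cfg" FW_SERVICES_EXT_IP)
    dev_int=$(get_var "$cfg" FW_DEV_INT)
    protect=$(get_var "$cfg" FW_PROTECT_FROM_INTERNAL)
    ksec=$(get_var "$cfg" FW_KERNEL_SECURITY)

    # Step 1: FW_SERVICES_EXT_* has no per-source restriction.
    case " $ext_udp " in
        *" 500 "*) echo "NOTE: UDP 500 (ISAKMP) is accepted from any external source" ;;
    esac
    for proto in 50 51; do
        case " $ext_ip " in
            *" $proto "*) echo "NOTE: IP protocol $proto (ESP/AH) is accepted from any external source" ;;
        esac
    done

    # Step 2: the VPN interface must be classed as internal.
    case " $dev_int " in
        *" ipsec0 "*) ;;
        *) echo "ERROR: ipsec0 is not in FW_DEV_INT; traffic from the VPN is not classed as internal" ;;
    esac

    # Step 3: local services become reachable from every internal host.
    if [ "$protect" = "no" ]; then
        echo "WARN: FW_PROTECT_FROM_INTERNAL=no; all internal hosts (VPN peers included) reach every local service"
    fi

    # Step 4: rp_filter cannot be disabled on its own.
    if [ "$ksec" = "no" ]; then
        echo "WARN: FW_KERNEL_SECURITY=no disables rp_filter together with the other kernel protections"
    fi
}

# count_findings FILE: number of finding lines, for quick comparison.
count_findings() {
    audit_susefw2 "$1" | wc -l | tr -d ' '
}

for f in "$SAMPLE_A" "$SAMPLE_B"; do
    echo "== $f =="
    audit_susefw2 "$f"
done
```

The values are extracted with sed rather than by sourcing the file, so the audit can be run against a config copied from another host without executing anything it contains. Sample A yields five findings (the three open-to-everyone notes plus the two warnings); sample B yields four, with the ipsec0 error replacing the warnings.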