[Bug 394708] New: SuSEfirewall2 on server blocks new routes/ comms by openvpn server
https://bugzilla.novell.com/show_bug.cgi?id=394708

Summary: SuSEfirewall2 on server blocks new routes/comms by openvpn server
Product: openSUSE 10.3
Version: Final
Platform: i586
OS/Version: openSUSE 10.3
Status: NEW
Severity: Critical
Priority: P5 - None
Component: Network
AssignedTo: bnc-team-screening@forge.provo.novell.com
ReportedBy: jrobiso2@ford.com
QAContact: qa@suse.de
Found By: Beta-Customer

Recently, we installed openVPN on our church server. We tore our hair out for weeks trying to figure out why nobody could browse the network shares via the VPN from outside. The openVPN server is also the Samba server, configured as master browser. We ensured that all ports needed were opened on the server and listed in the SuSEfirewall2 exceptions list in YaST. Yet logs continued to show a lot of our traffic DROP'd by the firewall. The firewall seemed to be dropping them because it didn't like the routing across subnets that was involved. Finally, when I turned off the firewall completely, everything works.

I will try to post all the relevant configs later today when I get home and have access to the church server (openvpn configs, samba configs, and the results of iptables-save when the firewall is running).

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=394708
User jrobiso2@ford.com added comment https://bugzilla.novell.com/show_bug.cgi?id=394708#c1

--- Comment #1 from Jonathon Robison <jrobiso2@ford.com> 2008-05-27 11:10:39 MDT ---
Created an attachment (id=218384) --> (https://bugzilla.novell.com/attachment.cgi?id=218384)
iptables listing
https://bugzilla.novell.com/show_bug.cgi?id=394708
User jrobiso2@ford.com added comment https://bugzilla.novell.com/show_bug.cgi?id=394708#c3

--- Comment #3 from Jonathon Robison <jrobiso2@ford.com> 2008-05-27 11:11:19 MDT ---
Created an attachment (id=218386) --> (https://bugzilla.novell.com/attachment.cgi?id=218386)
smb conf
https://bugzilla.novell.com/show_bug.cgi?id=394708
User jrobiso2@ford.com added comment https://bugzilla.novell.com/show_bug.cgi?id=394708#c4

--- Comment #4 from Jonathon Robison <jrobiso2@ford.com> 2008-05-27 11:11:54 MDT ---
Created an attachment (id=218387) --> (https://bugzilla.novell.com/attachment.cgi?id=218387)
openVPN server startup add-on script for iptables rules
https://bugzilla.novell.com/show_bug.cgi?id=394708
User jrobiso2@ford.com added comment https://bugzilla.novell.com/show_bug.cgi?id=394708#c5

--- Comment #5 from Jonathon Robison <jrobiso2@ford.com> 2008-05-27 11:13:14 MDT ---
In essence, shouldn't YaST2 SuSEfirewall2 config be as aware of openVPN as it is of services like DHCP, DNS, etc.?
https://bugzilla.novell.com/show_bug.cgi?id=394708
User jrobiso2@ford.com added comment https://bugzilla.novell.com/show_bug.cgi?id=394708#c2

--- Comment #2 from Jonathon Robison <jrobiso2@ford.com> 2008-05-27 11:11:00 MDT ---
Created an attachment (id=218385) --> (https://bugzilla.novell.com/attachment.cgi?id=218385)
Server openVPN config
https://bugzilla.novell.com/show_bug.cgi?id=394708
Robert Vojcik <rvojcik@novell.com> changed:

What       | Removed                                   | Added
-----------+-------------------------------------------+--------------------
CC         |                                           | rvojcik@novell.com
AssignedTo | bnc-team-screening@forge.provo.novell.com | locilka@novell.com
https://bugzilla.novell.com/show_bug.cgi?id=394708
Lukas Ocilka <locilka@novell.com> changed:

What       | Removed             | Added
-----------+---------------------+--------------------
CC         |                     | locilka@novell.com
AssignedTo | locilka@novell.com  | lnussel@novell.com
https://bugzilla.novell.com/show_bug.cgi?id=394708
User lnussel@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=394708#c6
Ludwig Nussel <lnussel@novell.com> changed:

What       | Removed | Added
-----------+---------+----------
Status     | NEW     | RESOLVED
Resolution |         | INVALID

--- Comment #6 from Ludwig Nussel <lnussel@novell.com> 2008-05-28 02:20:00 MDT ---
(In reply to comment #5 from Jonathon Robison)
> In essence, shouldn't YaST2 SuSEfirewall2 config be as aware of openVPN as it is of services like DHCP, DNS, etc.?

AFAIK we do not have a yast module for openVPN which would be responsible for telling the yast2 firewall module what to do. Supporting openVPN obviously means more than just opening some port, as you'd have to know the routing configuration too. I can't help you with your setup though. Bugzilla is meant for dealing with bug reports, while your request sounds like a call for help. Please refer to one of our community mailing lists for that purpose: http://en.opensuse.org/Communicate/Mailinglists
https://bugzilla.novell.com/show_bug.cgi?id=394708
User jrobiso2@ford.com added comment https://bugzilla.novell.com/show_bug.cgi?id=394708#c7

--- Comment #7 from Jonathon Robison <jrobiso2@ford.com> 2008-05-28 06:05:09 MDT ---
I listed this as a bug because all necessary ports were opened in the firewall, yet some comms were still blocked by the SuSEfirewall2 system, as set up by YaST.
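One way to triage the DROP lines the reporter describes, as an added example that is not from the bug report or its attachments: it parses constructed SuSEfirewall2-style kernel log lines and separates drops of packets addressed to the host itself (a service port that is not open) from drops of packets being forwarded between the tun interface and the LAN (routing the firewall was never told to allow, which opening ports does not fix). The log prefixes, interface names and addresses are assumed sample values.

```python
import re

# Constructed sample lines in the style of SuSEfirewall2 kernel log output
# (assumed values; not taken from the iptables listing attached to the bug).
SAMPLE_LOG = """\
May 27 10:01:02 server kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.2 LEN=60 PROTO=TCP SPT=51515 DPT=1194
May 27 10:01:05 server kernel: SFW2-FWDext-DROP-DEFLT IN=tun0 OUT=eth1 SRC=10.8.0.6 DST=192.168.1.20 LEN=52 PROTO=TCP SPT=49200 DPT=445
May 27 10:01:06 server kernel: SFW2-FWDext-DROP-DEFLT IN=tun0 OUT=eth1 SRC=10.8.0.6 DST=192.168.1.255 LEN=78 PROTO=UDP SPT=137 DPT=137
May 27 10:01:07 server kernel: SFW2-INext-ACC-TCP IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 PROTO=TCP SPT=51516 DPT=1194
"""

# Netfilter log fields are KEY=VALUE tokens; an empty value (e.g. "OUT=") is legal.
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_drop(line):
    """Return the KEY=VALUE fields of one SFW2 DROP line, or None for non-drops."""
    if "-DROP-" not in line or "IN=" not in line:
        return None
    return dict(FIELD_RE.findall(line))


def classify(fields):
    """Name the netfilter chain that dropped the packet, judged from IN=/OUT= alone."""
    if fields.get("IN") and fields.get("OUT"):
        # Both interfaces set: the packet was being routed, so this is a
        # FORWARD drop. Fix forwarding between the two zones, not a service port.
        return "forward"
    if fields.get("IN"):
        # Only IN set: the packet was for the host itself (INPUT chain).
        return "input"
    return "output"


def summarize(log_text):
    """Count drops keyed by (chain, in_iface, out_iface, proto, dport)."""
    counts = {}
    for line in log_text.splitlines():
        f = parse_drop(line)
        if f is None:
            continue
        key = (classify(f), f.get("IN", ""), f.get("OUT", ""),
               f.get("PROTO", ""), f.get("DPT", ""))
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_LOG).items()):
        print(n, *key)
```

A cluster of "forward" rows with IN=tun0 and a LAN interface in OUT is the signature of the symptom in this report: the SMB and NetBIOS ports are open on the host, but routed VPN-to-LAN traffic is still refused.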