Hello,

When you say:

'You can put the M$ box behind a suse firewall if you have an official IP for the box, too. Then just close all except the PPTP port and the machine is as safe as it would be in your current setup (if it would work ;)'

Do you mean fixed IP address for the SuSEfirewall2 box or the MS VPN box? In fact, I have fixed IP addresses for both and they are both publicly available. So, if my fixed IP address for my MS VPN machine is 123.456.78.9 then I should be able to forward packets like so:

FW_FORWARD="0/0,123.456.78.9,tcp,1723"

What I'm trying to achieve is this:

        Internet
           |
     Exterior router
           |
    SuSEfirewall2 PC ---- MS VPN box
           |
     Internal network

as opposed to:

        Internet
           |
     Exterior router
           |          |
    SuSEfirewall <--> MS/VPN
           |
     Internal network

At the moment the MS/VPN machine can be got to directly from the internet...

Rgds
Andy

On Saturday 26 July 2003 02:50, Sven 'Darkman' Michels wrote:
Andy Bennett wrote:
Hi,
Edit what package?
A TCP data packet, not a package like an RPM or so ;)
The Microsoft Windows 2000 server is already running pptp/vpn and working fine. All I'm trying to establish is whether it is possible to place it behind the firewall and forward the VPN connection to it so that the rest of the available ports/connections on the MS Windows 2000 server machine aren't visible, (i.e. vulnerable), to attack.
I know what you're trying but AFAIK your setup isn't possible. Try to establish a PPTP connection from a client BEHIND a gateway to some VPN server; without special modules it *WILL NOT* work. PPTP packets must be passed through, not handled like normal, masqueraded, packets. If you reverse the setup, you'll see that DNAT is like masquerading and so PPTP won't work in your setup. You can put the M$ box behind a suse firewall if you have an official IP for the box, too. Then just close all except the PPTP port and the machine is as safe as it would be in your current setup (if it would work ;)
If, as has been stated, the forward rule simply does NAT on that particular port, 1723, for that particular protocol, TCP, that's all I need isn't it?
It isn't. As I said, AFAIK you cannot simply NAT PPTP packets.
To be clear - I am talking about connections to a permanently connected setup from outside - i.e. road warriors.
I know ;)
so, HTH and good night (sorry for typos.. it's nearly 4 am and i'm just back from a party %-)
Sven
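The point Sven makes about PPTP not being a plain port-forward can be checked mechanically before a rule set goes live. The checker below is an added example, not code from the thread or from SuSEfirewall2: it parses FW_FORWARD-style "source,destination,protocol,port" entries (the quadruple format Andy quotes) and reports whether a given VPN host has both halves of PPTP forwarded to it, the TCP/1723 control connection and the GRE (IP protocol 47) data channel. The way a GRE entry is written here (a three-field entry with protocol "47" or "gre" and no port) is an assumption for this example, not verified SuSEfirewall2 syntax, and the sample addresses are constructed. Even when both halves are present, the thread's other caveat still holds: NATing PPTP needs a protocol-aware helper on the firewall, which a rule checker cannot see.

```python
"""
Check a set of forward rules for PPTP completeness (tcp/1723 + GRE).

Added example, not from the mailing-list thread or SuSEfirewall2.
Rule format "source,destination,protocol[,port]" follows the FW_FORWARD
quadruple quoted in the thread; the port-less GRE entry is an assumption.
"""
from dataclasses import dataclass
from typing import Optional

GRE_PROTO = 47            # IP protocol number for GRE, the PPTP data channel
PPTP_CONTROL_PORT = 1723  # TCP control connection
TCP_PROTO = 6

# Protocol names accepted in place of numbers (assumed for this example)
PROTO_NUMBERS = {"tcp": 6, "udp": 17, "icmp": 1, "gre": 47}


@dataclass(frozen=True)
class ForwardRule:
    source: str
    destination: str
    proto: int
    port: Optional[int]  # None for port-less protocols such as GRE


def parse_rule(entry: str) -> ForwardRule:
    """Parse one 'src,dst,proto[,port]' entry; protocol may be a name or a number."""
    fields = [f.strip() for f in entry.split(",")]
    if len(fields) not in (3, 4):
        raise ValueError(f"expected 3 or 4 comma-separated fields: {entry!r}")
    src, dst, proto_txt = fields[:3]
    proto_txt = proto_txt.lower()
    proto = PROTO_NUMBERS.get(proto_txt)
    if proto is None:
        if not proto_txt.isdigit():
            raise ValueError(f"unknown protocol {proto_txt!r} in {entry!r}")
        proto = int(proto_txt)
    port = int(fields[3]) if len(fields) == 4 else None
    return ForwardRule(src, dst, proto, port)


def parse_fw_forward(value: str) -> list:
    """FW_FORWARD holds whitespace-separated entries; return them as ForwardRule objects."""
    return [parse_rule(e) for e in value.split()]


def pptp_coverage(rules, vpn_host: str) -> dict:
    """Report which PPTP components are forwarded to vpn_host."""
    control = any(
        r.destination == vpn_host and r.proto == TCP_PROTO and r.port == PPTP_CONTROL_PORT
        for r in rules
    )
    gre = any(r.destination == vpn_host and r.proto == GRE_PROTO for r in rules)
    return {"tcp_1723": control, "gre": gre, "complete": control and gre}


if __name__ == "__main__":
    # Constructed sample: the rule from the thread (with a documentation address),
    # then the same rule plus a GRE entry.
    vpn = "192.0.2.9"
    only_control = parse_fw_forward(f"0/0,{vpn},tcp,1723")
    print("tcp/1723 only:", pptp_coverage(only_control, vpn))
    both = parse_fw_forward(f"0/0,{vpn},tcp,1723 0/0,{vpn},47")
    print("tcp/1723 + GRE:", pptp_coverage(both, vpn))
```

Run it on the rule Andy proposes and the report shows the GRE half missing; add a GRE entry and "complete" becomes true. A conntrack/NAT helper for PPTP is still required on the firewall for the tunnel to survive DNAT, as the thread explains, so treat a "complete" result as necessary, not sufficient.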