[opensuse-security] GRE protocol in the firewall
Hi folks,

I have a SuSE 10.2 firewall which has a cable modem on the outside and a 10.0.0.0/24 network on the inside. I have someone on the inside running a Windows server with pptp and I'm trying to nat that access. I've forwarded (MASQ) 1723 to that inside address, but there is no YAST setting possible to allow GRE protocol. I edited /etc/sysconfig/SuSEfirewall2 and added the ext_ip=gre manually, but it still does not work. Any suggestions on proper configurations for a GRE tunnel?

Thanks
Gary B
---------------------------------------------------------------------
To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-security+help@opensuse.org
The Wednesday 2007-11-21 at 21:10 -0500, Gary Baribault wrote:
I have someone on the inside running a Windows server with pptp and I'm trying to nat that access. I've forwarded (MASQ) 1723 to that inside address, but there is no YAST setting possible to allow GRE protocol. I edited /etc/sysconfig/SuSEfirewall2 and added the ext_ip=gre manually, but it still does not work.
There is no "gre" in /etc/services, so you can not use that keyword to open that port - if that's what you mean you did. :-?

--
Cheers,
Carlos E. R.
In addition to opening TCP port 1723, all packets of protocol GRE (#47) must be forwarded in both directions. There is an explanation here: http://pptpclient.sourceforge.net/howto-diagnosis.phtml#client_no_gre_tx

Johannes Weberhofer

Carlos E. R. wrote:
The Wednesday 2007-11-21 at 21:10 -0500, Gary Baribault wrote:
I have someone on the inside running a Windows server with pptp and I'm trying to nat that access. I've forwarded (MASQ) 1723 to that inside address, but there is no YAST setting possible to allow GRE protocol. I edited /etc/sysconfig/SuSEfirewall2 and added the ext_ip=gre manually, but it still does not work.
There is no "gre" in /etc/services, so you can not use that keyword to open that port - if that's what you mean you did. :-?
-- Cheers, Carlos E. R.
--
weberhofer GmbH | Johannes Weberhofer
information technologies
Austria, 1080 Wien, Blindengasse 52/3
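The requirement stated in the reply above (TCP 1723 plus GRE, IP protocol 47, forwarded in both directions), written out as plain iptables rules. This is an added example, not part of any message in the thread and not SuSEfirewall2 syntax; the interface name `eth0`, the server address `10.0.0.10` and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: print (do not apply) iptables rules for a PPTP server behind NAT.
# eth0 and 10.0.0.10 are constructed placeholders, not values from the thread.

GRE_PROTO=47      # IP protocol number of GRE, as listed in /etc/protocols
PPTP_PORT=1723    # PPTP control channel (TCP)

# Succeeds only for a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the rules that publish an inside PPTP server through a NAT firewall:
# the TCP control channel and GRE, each accepted in both directions.
pptp_forward_rules() {
    ext_if=$1; server=$2
    case "$ext_if" in
        ""|-*|*[!A-Za-z0-9._-]*) echo "bad interface name" >&2; return 2 ;;
    esac
    valid_ipv4 "$server" || { echo "bad server address" >&2; return 2; }
    cat <<EOF
iptables -t nat -A PREROUTING -i $ext_if -p tcp --dport $PPTP_PORT -j DNAT --to-destination $server
iptables -t nat -A PREROUTING -i $ext_if -p $GRE_PROTO -j DNAT --to-destination $server
iptables -A FORWARD -i $ext_if -d $server -p tcp --dport $PPTP_PORT -j ACCEPT
iptables -A FORWARD -o $ext_if -s $server -p tcp --sport $PPTP_PORT -j ACCEPT
iptables -A FORWARD -i $ext_if -d $server -p $GRE_PROTO -j ACCEPT
iptables -A FORWARD -o $ext_if -s $server -p $GRE_PROTO -j ACCEPT
iptables -t nat -A POSTROUTING -o $ext_if -s $server -j MASQUERADE
EOF
}

# Dry run with the constructed sample values.
pptp_forward_rules eth0 10.0.0.10
```

The rules are only printed, so they can be reviewed before use; on a host managed by SuSEfirewall2 they show what has to end up in the rule set rather than something to load alongside it.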
On Thu, Nov 22, 2007 at 02:06:29PM +0100, Carlos E. R. wrote:
There is no "gre" in /etc/services, so you can not use that keyword to open that port - if that's what you mean you did. :-?
Of course it's not. It's in /etc/protocols - where it belongs.

Ciao
Joerg
--
Joerg Mayer <jmayer@loplof.de>
We are stuck with technology when what we really want is just stuff that works. Some say that should read Microsoft instead of technology.
participants (4)
- Carlos E. R.
- Gary Baribault
- Joerg Mayer
- suse@weberhofer.at