Re: [suse-security] SuSEfirewall2 & MS/VPN
Hi,

No. Briefly, I have come into the middle of a situation where someone else has set up a system for a friend of mine in such a way that his MS VPN box is directly connected to the internet alongside his SuSEfirewall2, like this:

        Internet
           |
     Exterior router
       |        |
  SuSEfirewall  MS/VPN

My first thought was that the guy had gone mad, but then it occurred to me that maybe he knows something I don't. In any event I thought I'd ask here first.

I thought it should be possible to simply put something like

FW_FORWARD="0/0,192.168.1.2,tcp,1723"

as Jorn Ott suggested to forward connections directly to the MS VPN machine and let it handle everything, but, like I said, am I missing something?

Any help greatly appreciated.

Regards
Andy

On Friday 25 July 2003 17:07, you wrote:
Hi!
Just one question, do you have the linux firewall on both ends of the connection?
CU Lars.
Andy Bennett wrote:
Hi,
No. Briefly, I have come into the middle of a situation where someone else has set up a system for a friend of mine in such a way that his MS VPN box is directly connected to the internet alongside his SuSEfirewall2, like this:

        Internet
           |
     Exterior router
       |        |
  SuSEfirewall  MS/VPN

My first thought was that the guy had gone mad, but then it occurred to me that maybe he knows something I don't. In any event I thought I'd ask here first.

I thought it should be possible to simply put something like

FW_FORWARD="0/0,192.168.1.2,tcp,1723"

as Jorn Ott suggested to forward connections directly to the MS VPN machine and let it handle everything, but, like I said, am I missing something?
As with ipsec etc. you cannot simply edit the packages (like NAT will do). So you cannot forward the connection, I would guess. For your setup you will need to put the Win machine in front of the firewall or set up the firewall itself as a PPTP server (or, if you need, as client). For PPTP from inside -> outside some masq modules exist (at least for kernel 2.2.x, dunno if it's ported to 2.4 right now). Maybe such a masq module would help for your forwarding problem, but I don't think so ;)

HTH, Sven
Hi!
As with ipsec etc. you cannot simply edit the packages (like NAT will do). So you cannot forward the connection, I would guess.

Forwarding is what all the routers on the internet are doing... so if a VPN is possible over the internet, the entry in the forward chain should be the solution. However, if you have a dial-up link, it might become difficult as this usually implies NAT...

CU Lars.
Lars Grobe wrote:
Hi!
As with ipsec etc. you cannot simply edit the packages (like NAT will do). So you cannot forward the connection, I would guess.

Forwarding is what all the routers on the internet are doing... so if a VPN is possible over the internet, the entry in the forward chain should be the solution. However, if you have a dial-up link, it might become difficult as this usually implies NAT...

Forwarding in THIS case means DNAT (even if it's called forward in the SuSEFW ;)

Sven
Hi,

Edit what package? The Microsoft Windows 2000 server is already running pptp/vpn and working fine. All I'm trying to establish is whether it is possible to place it behind the firewall and forward the VPN connection to it so that the rest of the available ports/connections on the MS Windows 2000 server machine aren't visible (i.e. vulnerable) to attack.

If, as has been stated, the forward rule simply does NAT on that particular port, 1723, for that particular protocol, TCP, that's all I need, isn't it?

To be clear - I am talking about connections to a permanently connected setup from outside - i.e. road warriors.

TIA
Andy

On Friday 25 July 2003 18:14, Sven 'Darkman' Michels wrote:
Andy Bennett wrote:
Hi,
No. Briefly, I have come into the middle of a situation where someone else has set up a system for a friend of mine in such a way that his MS VPN box is directly connected to the internet alongside his SuSEfirewall2, like this:

        Internet
           |
     Exterior router
       |        |
  SuSEfirewall  MS/VPN

My first thought was that the guy had gone mad, but then it occurred to me that maybe he knows something I don't. In any event I thought I'd ask here first.

I thought it should be possible to simply put something like

FW_FORWARD="0/0,192.168.1.2,tcp,1723"

as Jorn Ott suggested to forward connections directly to the MS VPN machine and let it handle everything, but, like I said, am I missing something?
As with ipsec etc. you cannot simply edit the packages (like NAT will do). So you cannot forward the connection, I would guess. For your setup you will need to put the Win machine in front of the firewall or set up the firewall itself as a PPTP server (or, if you need, as client). For PPTP from inside -> outside some masq modules exist (at least for kernel 2.2.x, dunno if it's ported to 2.4 right now). Maybe such a masq module would help for your forwarding problem, but I don't think so ;)
HTH, Sven
Andy Bennett wrote:
Hi,
Edit what package?
TCP Datapacket, not a package like a rpm or so ;)
The Microsoft Windows 2000 server is already running pptp/vpn and working fine. All I'm trying to establish is whether it is possible to place it behind the firewall and forward the VPN connection to it so that the rest of the available ports/connections on the MS Windows 2000 server machine aren't visible (i.e. vulnerable) to attack.
I know what you're trying, but AFAIK your setup isn't possible. Try to establish a PPTP connection from a client BEHIND a gateway to some VPN server; without special modules it *WILL NOT* work. PPTP packets must be passed thru, not handled like normal, masqueraded packets. If you reverse the setup, you'll see that DNAT is like masquerading and so PPTP won't work in your setup. You can put the M$ box behind a suse firewall if you have an official IP for the box, too. Then just close all except the PPTP port and the machine is as safe as in your current setup it would be (if it would work ;)
If, as has been stated, the forward rule simply does NAT on that particular port, 1723, for that particular protocol, TCP, that's all I need, isn't it?
It isn't. As I said, AFAIK you cannot simply NAT PPTP packets.
To be clear - I am talking about connections to a permanently connected setup from outside - i.e. road warriors.
I know ;) so, HTH and good night (sorry for typos.. it's nearly 4 am and I'm just back from a party %-)

Sven
Hello list,

Today I've received this log entry in my /var/log/httpd/access_log file:

218.2.192.91 - - [27/Jul/2003:01:09:15 -1000] "GET http://www.baidu.com/ HTTP/1.1" 200 18960

I do not have a corresponding error message in my /var/log/httpd/error.log (Apache server response 200, which means that this request was "ok"). The originating IP address appears to be forged. I'm not sure what kind of site www.baidu.com is cause it's all in Chinese.

Question # 1: Is my Apache server being misused?
Question # 2: Should I be concerned?
Question # 3: How did they format this request?
Question # 4: What can I do to prevent this from occurring again?

Thanks in advance,
Dwight... dvictor@hawaii.rr.com
Hello list,

I believe I've found the answer (actually, from a previous post to this list... should have done my search first... oh well):

[ start ]
From: rich_b_nz@clear.net.nz [mailto:rich_b_nz@clear.net.nz]
Sent: Sunday, February 09, 2003 1:16 AM
To: suse-security@suse.com
Subject: Re: [suse-security] apache log "GET http://irc.stealth.net:5558"

Someone is seeing if your apache will proxy for them. If you are using virtual hosting, and have a default virtual host set, it likely returned that.

Hello, in my apache log I find

**.**.***.*** - - [08/Feb/2003:21:23:46 +0100] "GET http://irc.stealth.net:5558/ HTTP/1.1" 200 362

What is happening here? I don't host an irc server. How can apache return a page that does not exist but is a website or irc server (as judged by the 200 response)? Is this an error in my setup?

Thanks, Ruud
[ end ]

Thanks,
Dwight... dvictor@hawaii.rr.com

-----Original Message-----
From: Dwight Victor [mailto:dvictor@hawaii.rr.com]
Sent: Sunday, July 27, 2003 1:33 AM
To: suse-security@suse.com
Subject: [suse-security] Apache access_log Questions

Hello list,

Today I've received this log entry in my /var/log/httpd/access_log file:

218.2.192.91 - - [27/Jul/2003:01:09:15 -1000] "GET http://www.baidu.com/ HTTP/1.1" 200 18960

I do not have a corresponding error message in my /var/log/httpd/error.log (Apache server response 200, which means that this request was "ok"). The originating IP address appears to be forged. I'm not sure what kind of site www.baidu.com is cause it's all in Chinese.

Question # 1: Is my Apache server being misused?
Question # 2: Should I be concerned?
Question # 3: How did they format this request?
Question # 4: What can I do to prevent this from occurring again?

Thanks in advance,
Dwight... dvictor@hawaii.rr.com
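The answer quoted above is that such a log line is a client testing whether the web server will act as a forward proxy: the request-target is a full URL (an absolute-URI form) instead of a local path, and the 200 often comes from the default virtual host serving its own page. As an added example, not part of any post in this thread, the following Python script parses Apache common-log-format lines, picks out proxy-style requests (absolute-URI targets or CONNECT), and gives each a heuristic verdict. The log lines are constructed for the demonstration (the first has the shape of Dwight's entry; the second, a local request with the same byte count, is made up so that the size comparison has something to match), and the function names are this example's own.

```python
import re
from urllib.parse import urlsplit

# Apache "common" log format, the default layout of /var/log/httpd/access_log:
# client ident authuser [timestamp] "method target protocol" status bytes
CLF_RE = re.compile(
    r'^(?P<client>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)

# Constructed sample log. The first line has the shape of the entry quoted in the
# thread; the others are made up: one ordinary local request and two more probes.
SAMPLE_LOG = """\
218.2.192.91 - - [27/Jul/2003:01:09:15 -1000] "GET http://www.baidu.com/ HTTP/1.1" 200 18960
10.0.0.5 - - [27/Jul/2003:01:10:02 -1000] "GET /index.html HTTP/1.1" 200 18960
10.0.0.7 - - [27/Jul/2003:01:11:40 -1000] "GET http://irc.example.net:5558/ HTTP/1.1" 403 362
10.0.0.9 - - [27/Jul/2003:01:12:11 -1000] "CONNECT irc.example.net:6667 HTTP/1.1" 405 0
"""


def parse_line(line):
    """Parse one common-log-format line into a dict; None if it does not match."""
    m = CLF_RE.match(line)
    if m is None:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["size"] = 0 if entry["size"] == "-" else int(entry["size"])
    return entry


def is_proxy_probe(entry):
    """True when the request is addressed to a forward proxy rather than to us:
    a CONNECT request, or a request-target in absolute-URI form (http://host/...).
    An origin server normally only sees path-form targets such as /index.html."""
    if entry["method"].upper() == "CONNECT":
        return True
    return urlsplit(entry["target"]).scheme.lower() in ("http", "https", "ftp")


def own_page_sizes(log_text):
    """Response sizes of successful requests for local paths. A probe that was
    answered with one of these sizes most likely received the default virtual
    host's own page, which is what the reply quoted above describes."""
    sizes = set()
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is not None and e["status"] == 200 and not is_proxy_probe(e):
            sizes.add(e["size"])
    return sizes


def classify(entry, known_sizes):
    """Heuristic verdict for one probe: a non-200 answer means the request was
    refused; a 200 whose size matches a local page was most likely our own page;
    any other 200 deserves a look because the body may have come from the
    remote host, i.e. the server acted as an open proxy."""
    if entry["status"] != 200:
        return "refused"
    if entry["size"] in known_sizes:
        return "served own default page"
    return "possibly proxied - check ProxyRequests"


def find_proxy_probes(log_text):
    """Return one finding per proxy-style request in the log text."""
    known = own_page_sizes(log_text)
    findings = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None or not is_proxy_probe(e):
            continue
        findings.append({
            "client": e["client"],
            "target": e["target"],
            "status": e["status"],
            "verdict": classify(e, known),
        })
    return findings


if __name__ == "__main__":
    for f in find_proxy_probes(SAMPLE_LOG):
        print(f"{f['client']:>15}  {f['status']}  {f['verdict']:<38} {f['target']}")
```

The size comparison is only a heuristic: it tells a default-vhost page apart from a fetched remote page, but the definitive check is the configuration, where `ProxyRequests Off` (the Apache default) keeps mod_proxy from acting as a forward proxy at all. Running the script on a real access_log with "possibly proxied" verdicts is the point at which to look at that directive.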
Hello,

When you say:-
'You can put the M$ box behind a suse firewall if you have an official IP for the box, too. Then just close all except the PPTP port and the machine is as safe as in your current setup it would be (if it would work ;)'

Do you mean fixed IP address for the SuSEfirewall2 box or the MS VPN box? In fact, I have fixed IP addresses for both and they are both publicly available. So, if my fixed IP address for my MS VPN machine is 123.456.78.9 then I should be able to forward packets like so,

FW_FORWARD="0/0,123.456.78.9,tcp,1723"

What I'm trying to achieve is this

        Internet
           |
     Exterior router
           |
  SuSEfirewall2 PC ---- MS VPN box
           |
    Internal network

as opposed to

        Internet
           |
     Exterior router
       |        |
  SuSEfirewall <--> MS/VPN
       |
  Internal network

At the moment the MS/VPN machine can be got to directly from the internet...

Rgds
Andy

On Saturday 26 July 2003 02:50, Sven 'Darkman' Michels wrote:
Andy Bennett wrote:
Hi,
Edit what package?
TCP Datapacket, not a package like a rpm or so ;)
The Microsoft Windows 2000 server is already running pptp/vpn and working fine. All I'm trying to establish is whether it is possible to place it behind the firewall and forward the VPN connection to it so that the rest of the available ports/connections on the MS Windows 2000 server machine aren't visible (i.e. vulnerable) to attack.
I know what you're trying, but AFAIK your setup isn't possible. Try to establish a PPTP connection from a client BEHIND a gateway to some VPN server; without special modules it *WILL NOT* work. PPTP packets must be passed thru, not handled like normal, masqueraded packets. If you reverse the setup, you'll see that DNAT is like masquerading and so PPTP won't work in your setup. You can put the M$ box behind a suse firewall if you have an official IP for the box, too. Then just close all except the PPTP port and the machine is as safe as in your current setup it would be (if it would work ;)
If, as has been stated, the forward rule simply does NAT on that particular port, 1723, for that particular protocol, TCP, that's all I need, isn't it?
It isn't. As I said, AFAIK you cannot simply NAT PPTP packets.
To be clear - I am talking about connections to a permanently connected setup from outside - i.e. road warriors.
I know ;)
so, HTH and good night (sorry for typos.. it's nearly 4 am and I'm just back from a party %-)
Sven
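Whatever the outcome of the NAT discussion above, the forward entries quoted in this thread all name only TCP port 1723, and PPTP does not fit in one TCP port: the control connection is TCP 1723, but the tunnel data itself travels in GRE (IP protocol 47), so a forward that covers only 1723 lets the control channel connect while the tunnel never comes up. As an added example, not part of any post here and not SuSEfirewall2 code, the following Python script audits a list of forward entries for exactly the mistakes visible in the thread: a missing closing quote, an address that is not a valid IPv4 address (123.456.78.9 has an octet above 255), and a PPTP entry with no matching GRE entry. The `source,destination,protocol,port` field order is taken from the FW_FORWARD example in the thread and the optional trailing fields are this example's assumption, as are the `0/0` shorthand handling and the function names.

```python
import ipaddress

PPTP_CONTROL_PORT = 1723   # PPTP control connection, TCP
GRE_PROTOCOL = 47          # PPTP tunnel data travels in GRE (IP protocol 47), not in TCP


def parse_entry(raw):
    """Split one 'source,destination[,protocol[,port]]' entry. The field order is
    taken from the FW_FORWARD example in the thread; the optional trailing fields
    are an assumption of this check, not a SuSEfirewall2 specification."""
    text = raw.strip().strip('"')
    fields = [f.strip() for f in text.split(",")]
    if len(fields) < 2 or not all(fields[:2]):
        raise ValueError(f"entry needs at least source and destination: {raw!r}")
    proto = fields[2].lower() if len(fields) > 2 and fields[2] else None
    port = None
    if len(fields) > 3 and fields[3]:
        if not fields[3].isdigit() or not 0 < int(fields[3]) < 65536:
            raise ValueError(f"bad port {fields[3]!r} in {raw!r}")
        port = int(fields[3])
    return {"src": fields[0], "dst": fields[1], "proto": proto, "port": port}


def check_address(text):
    """Return a message if text is not a valid IPv4 address or network, else None.
    '0/0' is accepted as the any-host shorthand used in the thread."""
    candidate = "0.0.0.0/0" if text == "0/0" else text
    try:
        if "/" in candidate:
            ipaddress.IPv4Network(candidate, strict=False)
        else:
            ipaddress.IPv4Address(candidate)
    except ValueError:
        return f"{text!r} is not a valid IPv4 address or network"
    return None


def audit(entries):
    """Check a list of forward entries and return a list of findings (empty = OK)."""
    findings = []
    pptp_control = gre = False
    for raw in entries:
        if raw.count('"') % 2 == 1:
            findings.append(f"unbalanced quote in {raw!r}")
        try:
            e = parse_entry(raw)
        except ValueError as err:
            findings.append(str(err))
            continue
        for addr in (e["src"], e["dst"]):
            problem = check_address(addr)
            if problem:
                findings.append(problem)
        if e["proto"] == "tcp" and e["port"] == PPTP_CONTROL_PORT:
            pptp_control = True
        if e["proto"] in ("gre", str(GRE_PROTOCOL)):
            gre = True
    if pptp_control and not gre:
        findings.append(
            "TCP 1723 is forwarded but GRE (IP protocol 47) is not: the PPTP "
            "control channel will connect, the tunnel itself will not come up"
        )
    return findings


if __name__ == "__main__":
    # The entry as it appears in the thread (note the missing closing quote)
    for finding in audit(['"0/0,192.168.1.2,tcp,1723']):
        print("-", finding)
```

The GRE check is the one that matters operationally: a firewall that only passes or translates TCP 1723 produces exactly the symptom Sven describes (the client reaches the server, the VPN still fails), and the fix on the firewall side is to treat GRE between the same endpoints the same way as the control connection, whether that is a plain forward or a DNAT.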
participants (4)
- Andy Bennett
- Dwight Victor
- Lars Grobe
- Sven 'Darkman' Michels