Re: [suse-security] MS Vpn Server pptp in SuSE 8.0
* Hannu Hirvonen wrote on Tue, Nov 12, 2002 at 12:20 +0200:
> On Tuesday 12 November 2002 12:12, you wrote:
> > What does that mean? I think it should be no problem to open protocol 47 with iptables.
> That is protocol 47, not port 47. You know, protocol 1 is ICMP, protocol 6 is TCP, protocol 17 is UDP etc., 47 is GRE (General Routing Encapsulation).

Yes, I know that we don't talk about TCP or UDP ports but about IP protocols. My man iptables reads as follows:

    -p, --protocol [!] protocol
        The protocol of the rule or of the packet to check. The specified
        protocol can be one of tcp, udp, icmp, or all, or it can be a
        numeric value,

So I would expect "--protocol 47" to match any IP protocol 47 (of course without any content inspection). With ipchains, I'm sure that this works for protocol 50 (IPSec ESP) as I use it in production :)

oki,

Steffen

--
This message was generated by machine and therefore bears neither signature nor seal.
On Tuesday, 12 November 2002 12:21, Steffen Dettmer wrote:
> * Hannu Hirvonen wrote on Tue, Nov 12, 2002 at 12:20 +0200:
> > On Tuesday 12 November 2002 12:12, you wrote:
> > > What does that mean? I think it should be no problem to open protocol 47 with iptables.
> > That is protocol 47, not port 47. You know, protocol 1 is ICMP, protocol 6 is TCP, protocol 17 is UDP etc., 47 is GRE (General Routing Encapsulation).
>
> Yes, I know that we don't talk about TCP or UDP ports but about IP protocols. My man iptables reads as follows:
>
>     -p, --protocol [!] protocol
>         The protocol of the rule or of the packet to check. The specified
>         protocol can be one of tcp, udp, icmp, or all, or it can be a
>         numeric value,
>
> So I would expect "--protocol 47" to match any IP protocol 47 (of course without any content inspection). With ipchains, I'm sure that this works for protocol 50 (IPSec ESP) as I use it in production :)

Steffen is right. I do it like this with SuSEFirewall:

    FW_FORWARD_MASQ=${FW_FORWARD_MASQ}" 0/0,192.168.xxx.yyy,47 "

192.168.xxx.yyy is my MS VPN-Server. But I have patched the SuSEfirewall2 script: I use the version from SuSE 8.0 and this is at about line 1320:

    test "$PROTO" = tcp -o "$PROTO" = udp -o "$PROTO" = 47 || {
        echo "Error: The protocol with FW_MASQ_NETS must be tcp or udp or 47 -> $NETS"
        NET2=""
    }
    test ! "$PROTO" = 47 -a -z "$PORT1" && {
        echo "Error: Port missing in FW_MASQ_NETS -> $NETS"
        NET2=""
    }

You see, I have just allowed 47 for PROTO and say it is now error if $PROTO=47 has no port. (Be careful with the line breaks, I use KMail!)

Greetings
Harald

--
Dr. Harald Wallus
netlike-gmbh
Am Listholze 78, D-30177 Hannover
Tel: +49(0)511 90 95 1-23
Fax: +49(0)511 90 95 1-90
Email: wallus@netlike-gmbh.de
Internet: http://netlike-gmbh.de
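As an added example (not code from this thread and not SuSEfirewall2's own script), the following POSIX sh re-implements the two checks that Harald's patch places at about line 1320, applied to FW_FORWARD_MASQ entries of the form "source,destination,protocol[,port]": the protocol must be tcp, udp or IP protocol 47 (GRE), and a port is required only for tcp and udp. It also prints the FORWARD rule such an entry corresponds to, which makes Steffen's point visible in the rule itself: "-p 47" matches the IP protocol field and has no port to go with it. The function names, the sample addresses (192.168.1.10) and the use of TCP 1723 for the PPTP control connection are assumptions of this example; the NAT rules SuSEfirewall2 additionally generates are not reproduced.

```shell
#!/bin/sh
# Added example, not code from the thread or from SuSEfirewall2: a POSIX sh
# re-implementation of the check that Harald's patch puts at about line 1320,
# applied to FW_FORWARD_MASQ entries "source,destination,protocol[,port]".
# Function names and the sample addresses below are assumptions for this example.

# Parse one entry into the globals src, dst, proto, port and validate it.
# Returns 0 if the entry is acceptable, 1 otherwise (reason printed on stderr).
check_forward_masq_entry() {
    entry=$1
    src= dst= proto= port=
    # Split on commas only; the here-document keeps the assignment in this shell.
    IFS=, read -r src dst proto port <<EOF
$entry
EOF
    if [ -z "$src" ] || [ -z "$dst" ] || [ -z "$proto" ]; then
        echo "Error: need source,destination,protocol -> $entry" >&2
        return 1
    fi
    # Same condition as the patched test: only tcp, udp or IP protocol 47 (GRE).
    if [ "$proto" != tcp ] && [ "$proto" != udp ] && [ "$proto" != 47 ]; then
        echo "Error: The protocol with FW_FORWARD_MASQ must be tcp or udp or 47 -> $entry" >&2
        return 1
    fi
    # GRE carries no port numbers, so the port is mandatory only for tcp and udp.
    if [ "$proto" != 47 ] && [ -z "$port" ]; then
        echo "Error: Port missing in FW_FORWARD_MASQ -> $entry" >&2
        return 1
    fi
    return 0
}

# Print the FORWARD rule such an entry corresponds to (printed, never executed here).
# The NAT side that SuSEfirewall2 also sets up is not reproduced.
forward_rule_for() {
    check_forward_masq_entry "$1" || return 1
    # "0/0" is the SuSEfirewall2 spelling of "any address".
    [ "$src" = 0/0 ] && src=0.0.0.0/0
    rule="iptables -A FORWARD -s $src -d $dst -p $proto"
    # -p 47 matches the IP protocol field; --dport only exists for tcp/udp.
    [ -n "$port" ] && rule="$rule --dport $port"
    echo "$rule -j ACCEPT"
}

# Constructed sample entries: GRE to a VPN server, the PPTP control channel
# (TCP 1723, an assumption of this example), a tcp entry without a port and an
# ESP (50) entry; the last two are rejected exactly as the patched script would.
for e in "0/0,192.168.1.10,47" "0/0,192.168.1.10,tcp,1723" \
         "0/0,192.168.1.10,tcp" "0/0,192.168.1.10,50"; do
    forward_rule_for "$e" || echo "rejected: $e"
done
```

Entries are split on commas only, so a stray space such as the one inside Harald's quoted string (which SuSEfirewall2 strips when it splits the variable on whitespace) has to be trimmed before calling the check.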
Hello Harald and Steffen,

some days ago I asked about IPSEC and SuSEFirewall2, so do I understand you correctly that all I should do is to MASQ the internal interface and then FORWARD_MASQ from outside to internal like in:

    FW_FORWARD_MASQ=${FW_FORWARD_MASQ}" 0/0,192.168.xxx.yyy,50"

after modifying the firewall scripts according to Harald's post?

Did you do something different on your production system, Steffen?

TIA,
Philipp Rusch

Harald Wallus wrote:
> On Tuesday, 12 November 2002 12:21, Steffen Dettmer wrote:
> > * Hannu Hirvonen wrote on Tue, Nov 12, 2002 at 12:20 +0200:
> > > On Tuesday 12 November 2002 12:12, you wrote:
> > > > What does that mean? I think it should be no problem to open protocol 47 with iptables.
> > > That is protocol 47, not port 47. You know, protocol 1 is ICMP, protocol 6 is TCP, protocol 17 is UDP etc., 47 is GRE (General Routing Encapsulation).
> >
> > Yes, I know that we don't talk about TCP or UDP ports but about IP protocols. My man iptables reads as follows:
> >
> >     -p, --protocol [!] protocol
> >         The protocol of the rule or of the packet to check. The specified
> >         protocol can be one of tcp, udp, icmp, or all, or it can be a
> >         numeric value,
> >
> > So I would expect "--protocol 47" to match any IP protocol 47 (of course without any content inspection). With ipchains, I'm sure that this works for protocol 50 (IPSec ESP) as I use it in production :)
>
> Steffen is right. I do it like this with SuSEFirewall:
>
>     FW_FORWARD_MASQ=${FW_FORWARD_MASQ}" 0/0,192.168.xxx.yyy,47 "
>
> 192.168.xxx.yyy is my MS VPN-Server. But I have patched the SuSEfirewall2 script: I use the version from SuSE 8.0 and this is at about line 1320:
>
>     test "$PROTO" = tcp -o "$PROTO" = udp -o "$PROTO" = 47 || {
>         echo "Error: The protocol with FW_MASQ_NETS must be tcp or udp or 47 -> $NETS"
>         NET2=""
>     }
>     test ! "$PROTO" = 47 -a -z "$PORT1" && {
>         echo "Error: Port missing in FW_MASQ_NETS -> $NETS"
>         NET2=""
>     }
>
> You see, I have just allowed 47 for PROTO and say it is now error if $PROTO=47 has no port. (Be careful with the line breaks, I use KMail!)
>
> Greetings
> Harald
>
> --
> Dr. Harald Wallus
> netlike-gmbh
> Am Listholze 78, D-30177 Hannover
> Tel: +49(0)511 90 95 1-23
> Fax: +49(0)511 90 95 1-90
> Email: wallus@netlike-gmbh.de
> Internet: http://netlike-gmbh.de
* Philipp Rusch wrote on Tue, Nov 12, 2002 at 17:46 +0100:
> Did you do something different on your production system, Steffen?

Yes :) The productive GWs use ipchains, since iptables was not trusted by us when we set it up. Then, I didn't try to masquerade IPSec; with ESP it could work in some rare cases (when you have a single connection, IIRC), with AH it cannot. I simply gave the VPN GWs real public IPs.

I don't want to have Masq in VPN, I want the clients to see it as a LAN/WAN (for the clients, it just looks like there were leased lines all around). Well, and in such a configuration, usually you should not allow workstations to go out to the internet with masquerading, since it's a little dangerous (not having masquerading for workstations is a nice and very strict egress filtering :)), think of trojans and spyware. Well, we have proxies...

I must say, masquerading always looks like a kind of hack to me, not the best choice for companies' corporate distributed networks. I prefer to have a DMZ to provide services such as e-mail. Well, most "networks" *want* masquerading, but even in this case you can do masq and VPN on the same physical router - the one between LAN and Internet. I think this is a natural, straightforward setup, and most masq routers do firewalling (packet filtering) anyway. And I think "KISS" (keep it simple, stupid) applies for networking as well as a software design principle; other admins may need to understand it when I am on vacation :)

Finally, I think that when designing firewalls it is a complex task to create the right rules. For instance, if you have active FTP for both directions without port restrictions, you can nearly turn off the firewall... When you have a simple, straightforward setup, it's much easier to design the rules correctly, and thus there is less risk (I think the risk no. 1 isn't a bug in the ipchains code, but in the rules, since they are designed by humans and difficult to test).

oki,

Steffen

--
This message was generated by machine and therefore bears neither signature nor seal.