Re: [suse-security] SuSEfirewall2 , pptp, and port forwarding
O.K., Sorry for this being so long but here is my problem. I am trying to get both pptpd and SuSEfirewall2 working on the same system. I have each working by themselves. I do have routing turned on between eth0 and eth1. Included are the configuration files for both SuSEfirewall2 and pptpd.

I am getting the error:

Cannot determine ethernet address for proxy ARP

when I connect with the pptp session. But I do have a session. Then when I ping I get the error message:

SuSE-FW-DROP-DEFAULT

From the firewall rules dump it does look like I am not routing to eth1. Any ideas on how to fix this? I did read about scripting the device interface but it seems to me that I am missing something.

Thanks for any help!
Robert

SuSEfirewall2 file:

FW_DEV_EXT="eth0 ppp0"
FW_DEV_INT="eth1"
FW_DEV_DMZ=""
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="eth0"
FW_MASQ_NETS="0/0"
FW_PROTECT_FROM_INTERNAL="no"
FW_AUTOPROTECT_SERVICES="yes"
FW_SERVICES_EXT_TCP="1723 53 http https ssh"
FW_SERVICES_EXT_UDP="53 500"
FW_SERVICES_EXT_IP="gre 50 51"
FW_SERVICES_DMZ_TCP=""
FW_SERVICES_DMZ_UDP=""
FW_SERVICES_DMZ_IP=""
FW_SERVICES_INT_TCP="1723"
FW_SERVICES_INT_UDP="53 500"
FW_SERVICES_INT_IP="gre 50 51"
FW_TRUSTED_NETS=""
FW_ALLOW_INCOMING_HIGHPORTS_TCP="no"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="DNS"
FW_SERVICE_AUTODETECT="yes"
FW_SERVICE_DNS="yes"
FW_SERVICE_DHCLIENT="no"
FW_SERVICE_DHCPD="yes"
FW_SERVICE_SQUID="no"
FW_SERVICE_SAMBA="no"
FW_FORWARD=""
FW_FORWARD_MASQ="0/0,192.168.20.115,tcp,5631 0/0,192.168.20.udp,5632"
FW_REDIRECT=""
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="no"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="no"
FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW"
FW_KERNEL_SECURITY="yes"
FW_STOP_KEEP_ROUTING_STATE="no"
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_PING_EXT="no"
FW_ALLOW_FW_TRACEROUTE="yes"
FW_ALLOW_FW_SOURCEQUENCH="yes"
FW_ALLOW_FW_BROADCAST="no"
FW_IGNORE_FW_BROADCAST="yes"
FW_ALLOW_CLASS_ROUTING="no"

pptpd.conf:

speed 115200
debug
localip 192.168.20.236-245
remoteip 192.168.10.226-235
listen 10.0.1.254
pidfile /var/run/pptpd.pid

options:

name mars
debug
noauth
+chap
+chapms
+chapms-v2
mppe-40
#mppe-128
mppe-stateless
#require-chap
proxyarp

On Monday, July 29, 2002, at 12:46 AM, Manfred Larcher wrote:
On Friday, 26 July 2002 08:37, Robert Fenney wrote:
Thanks! I got that working right away. Now if I could just get this pptp stuff working....
Robert
You should explain what you mean by pptp stuff... If you want to connect to an Alcatel ADSL modem you have to add the "GRE" protocol to your firewall rules, if you use SuSE Firewall2:

# For VPN/Routing which END at the firewall!!
FW_SERVICES_INT_IP="gre"
cu
Manfred
--
------------------------------------
Pirlo Ges.m.b.H. & Co
Manfred Larcher
Hugo Petter Str. 8-14
A-6333 Kufstein
Tel. +43 5372 64923 65 or 35
Fax +43 5372 64923 61
mailto:mlarcher@pirlo.com
http://www.pirlo.com
------------------------------------
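The firewall-side prerequisites discussed in this thread, as an added example that is not part of the original posts: a lint that checks a SuSEfirewall2-style config allows the PPTP control port (TCP 1723) and GRE externally, and flags FW_FORWARD_MASQ entries that do not match the layout assumed here. The function names, the messages and the assumed source,target,protocol,port entry layout are this example's own.

```shell
#!/bin/sh
# Added example: lint a SuSEfirewall2-style config for PPTP prerequisites.
# Function names and messages are this example's own (hypothetical).

sample_config() {   # the relevant lines as posted in the message above
    cat <<'EOF'
FW_SERVICES_EXT_TCP="1723 53 http https ssh"
FW_SERVICES_EXT_IP="gre 50 51"
FW_FORWARD_MASQ="0/0,192.168.20.115,tcp,5631 0/0,192.168.20.udp,5632"
EOF
}

has_word() {        # has_word WORD LIST...: succeeds if WORD is in LIST
    w=$1; shift
    for item in "$@"; do
        if [ "$item" = "$w" ]; then return 0; fi
    done
    return 1
}

lint_fw_config() {  # prints one finding per line; no output means clean
    (
        set -f      # no globbing while word-splitting config values
        # The config is shell assignments; sourcing executes it, so only
        # lint files you would load into the firewall anyway.
        . "$1" || exit 2
        # PPTP control channel: TCP port 1723.
        has_word 1723 $FW_SERVICES_EXT_TCP || echo "EXT_TCP: 1723 not allowed"
        # PPTP tunnel traffic: GRE, IP protocol 47.
        has_word gre $FW_SERVICES_EXT_IP || has_word 47 $FW_SERVICES_EXT_IP ||
            echo "EXT_IP: gre not allowed"
        # Assumed entry layout: source,target-ip,protocol,port[,...]
        for entry in $FW_FORWARD_MASQ; do
            IFS=,; set -- $entry; unset IFS
            if [ $# -lt 4 ]; then
                echo "FORWARD_MASQ $entry: need source,target,proto,port"
                continue
            fi
            case $2 in
                *[!0-9.]*|"") echo "FORWARD_MASQ $entry: bad target $2" ;;
                *.*.*.*) ;;
                *) echo "FORWARD_MASQ $entry: bad target $2" ;;
            esac
            case $3 in tcp|udp) ;; *) echo "FORWARD_MASQ $entry: bad protocol $3" ;; esac
        done
    )
}

if [ $# -gt 0 ]; then lint_fw_config "$1"; fi
```

Run it with the path of a config file as its only argument; sample_config prints the posted values for a trial run.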