RE: [suse-security] MS VPN over SuSefirewall2 (7.3)
I ran into this same problem using OpenBSD as a firewall also... Don't know why it is so difficult for everyone to behave nicely together. I love Linux/Unix because of the security, reliability, and the "geek" in me says it's cool. But I have to face reality - the majority of the computers out there on the desktop are using Windows. My corporate network uses a Microsoft VPN (not SSH, or anything else that they could have used), and I have DSL at home.

So I created a firewall using floppyfw (http://www.zelow.no/floppyfw/) - it works great, easy to set up my DSL connection, NAT, port forwarding was a piece of cake. There on that site they specifically tell you what you need for a MS VPN connection, so just add that to your firewall rules, reboot. Piece of cake! So now I can very easily connect from my internal protected network through the firewall to our corporate VPN. No problems at all.

If you have questions about floppyfw and my setup or firewall rules, e-mail me personally. My floppyfw runs on an old Pentium 133, 24M memory, no hard drive required (I don't care for logging currently - I have other things to do than to watch my logs) - but supposedly you can send syslog to another box inside your firewall also.

-----Original Message-----
From: Rainer Hofmeister [mailto:rh@webkom.net]
Sent: Thursday, February 06, 2003 7:19 AM
To: suse-security@suse.com
Subject: [suse-security] MS VPN over SuSefirewall2 (7.3)

Hi,

I'm trying to build a VPN tunnel from an internal Win2K machine to a server on the Internet (also MS). We are using a SuSEfirewall2 (SuSE 7.3) to protect our internal LAN. The internal LAN is masqueraded.

Is there a way to configure the firewall to allow VPN connections from the Win2K machine?

I opened the following ports in FW_MASQ_NETS:

10.0.0.0/24,0/0,tcp,1723
10.0.0.0/24,0/0,udp,1723
10.0.0.0/24,0/0,tcp,47
10.0.0.0/24,0/0,udp,47
10.0.0.0/24,0/0,udp,500

This didn't work. I read somewhere that the communication over port 47 is not TCP or UDP but GRE. Since I can't set that in SuSEfirewall2 I tried to open up the complete network by using:

10.0.0.0/8

This didn't help, either. Connecting the Win2K machine directly to the ISDN router works, so there seems to be no problem with its configuration.

Is it possible to configure VPN over SuSEfirewall2 at all? If yes, what am I doing wrong?

Best regards,
Rainer

--
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@suse.com
Security-related bug reports go to security@suse.de, not here
Update iptables to 1.2.7xx; the access port to be forwarded is 1743 TCP only, and the protocol is GRE, or 47.

[]'s
Fabio Sena
Brasil - PE

----- Original Message -----
From: "Devenport, Jimmy" <jimmy.devenport@hp.com>
To: "Rainer Hofmeister" <rh@webkom.net>; <suse-security@suse.com>
Sent: Saturday, February 08, 2003 1:37 PM
Subject: RE: [suse-security] MS VPN over SuSefirewall2 (7.3)
From: Rainer Hofmeister [mailto:rh@webkom.net]
Sent: Thursday, February 06, 2003 7:19 AM
To: suse-security@suse.com
Subject: [suse-security] MS VPN over SuSefirewall2 (7.3)
Hi,
I'm trying to build a VPN tunnel from an internal Win2K machine to a server on the Internet (also MS). We are using a SuSEfirewall2 (SuSE 7.3) to protect our internal LAN. The internal LAN is masqueraded.
Is there a way to configure the firewall to allow VPN connections from the Win2K machine?
I opened the following ports in FW_MASQ_NETS:
10.0.0.0/24,0/0,tcp,1723
10.0.0.0/24,0/0,udp,1723
10.0.0.0/24,0/0,tcp,47
10.0.0.0/24,0/0,udp,47
10.0.0.0/24,0/0,udp,500
This didn't work. I read somewhere that the communication over port 47 is not tcp or udp but gre. Since I can't set that in SuSEfirewall2 I tried to open up the complete network by using:
It's not _port_ 47, but _protocol_ 47 instead! This is an important difference! I don't know the SuSE Firewall scripts, but opening _protocol_ 47 instead of the port would help IMO.

Thomas
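The port-versus-protocol distinction Thomas points out is easy to see with a small model. The following is an added example and is not code from the thread, from SuSEfirewall2, or from floppyfw: it parses entries written in the "srcnet,dstnet,proto,port" shape of Rainer's FW_MASQ_NETS list with a deliberately simplified matching model (any matching entry permits the flow; no connection tracking), checks whether a PPTP session, which needs both the TCP/1723 control channel and IP protocol 47 (GRE), would get through, and emits plain iptables rules that allow it. The protocol-only "gre" entry in CORRECTED_RULES, the client/server addresses, the `eth0` external interface and all function names are assumptions for the example. Two caveats the model does not capture: masquerading GRE for more than one internal client needs the kernel's PPTP connection-tracking/NAT helper (ip_conntrack_pptp/ip_nat_pptp on 2.4-era kernels, nf_conntrack_pptp/nf_nat_pptp later), and the return GRE packets must be accepted as well as the outbound ones.

```python
# Added example, not from the thread: a toy matcher for rules written in the
# "srcnet,dstnet,proto,port" style of Rainer's FW_MASQ_NETS entries. It shows
# why "tcp,47" / "udp,47" never match PPTP's GRE data channel, and emits the
# iptables rules that do. The matching model and the bare "gre"/"47" protocol
# field are assumptions for this example, not SuSEfirewall2's real semantics.
import ipaddress

# IANA IP protocol numbers. GRE is *protocol* 47, not a TCP/UDP port.
PROTO_NUMBERS = {"icmp": 1, "tcp": 6, "udp": 17, "gre": 47, "esp": 50}
PPTP_CONTROL_PORT = 1723  # PPTP control channel runs over TCP


def parse_net(text):
    # "0/0" is the thread's shorthand for "any address"
    if text.strip() == "0/0":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(text.strip(), strict=False)


def parse_rule(entry):
    """Parse 'srcnet,dstnet[,proto[,port]]' into a dict of match fields."""
    parts = [p.strip() for p in entry.split(",")]
    if not 2 <= len(parts) <= 4:
        raise ValueError(f"bad rule: {entry!r}")
    rule = {"src": parse_net(parts[0]), "dst": parse_net(parts[1]),
            "proto": None, "port": None}
    if len(parts) >= 3:
        proto = parts[2].lower()
        rule["proto"] = PROTO_NUMBERS.get(proto) or int(proto)  # name or number
    if len(parts) == 4:
        if rule["proto"] not in (PROTO_NUMBERS["tcp"], PROTO_NUMBERS["udp"]):
            raise ValueError(f"only tcp/udp rules carry a port: {entry!r}")
        rule["port"] = int(parts[3])
    return rule


def flow_allowed(rules, src, dst, proto, dport=None):
    """True if any rule matches an outbound flow (src -> dst, IP proto, port)."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in map(parse_rule, rules):
        if src_ip not in rule["src"] or dst_ip not in rule["dst"]:
            continue
        if rule["proto"] is not None and rule["proto"] != proto:
            continue  # e.g. a tcp rule never matches a GRE packet
        if rule["port"] is not None and rule["port"] != dport:
            continue
        return True
    return False


def pptp_check(rules, client, server):
    """PPTP needs BOTH the TCP/1723 control channel and GRE (protocol 47)."""
    control = flow_allowed(rules, client, server, PROTO_NUMBERS["tcp"], PPTP_CONTROL_PORT)
    data = flow_allowed(rules, client, server, PROTO_NUMBERS["gre"])
    return {"control_tcp_1723": control, "data_gre": data,
            "pptp_works": control and data}


def iptables_rules(lan, ext_if="eth0"):
    """iptables commands to masquerade PPTP from `lan` out through `ext_if`."""
    lan = str(ipaddress.ip_network(lan, strict=False))
    return [
        f"iptables -A FORWARD -s {lan} -o {ext_if} -p tcp --dport {PPTP_CONTROL_PORT} -j ACCEPT",
        f"iptables -A FORWARD -s {lan} -o {ext_if} -p gre -j ACCEPT",  # outbound GRE (proto 47)
        f"iptables -A FORWARD -d {lan} -i {ext_if} -p gre -j ACCEPT",  # return GRE from the server
        f"iptables -A FORWARD -d {lan} -i {ext_if} -m state --state ESTABLISHED,RELATED -j ACCEPT",
        f"iptables -t nat -A POSTROUTING -s {lan} -o {ext_if} -j MASQUERADE",
    ]


# Rainer's actual entries from the thread: GRE is mis-specified as port 47.
ORIGINAL_RULES = [
    "10.0.0.0/24,0/0,tcp,1723", "10.0.0.0/24,0/0,udp,1723",
    "10.0.0.0/24,0/0,tcp,47", "10.0.0.0/24,0/0,udp,47",
    "10.0.0.0/24,0/0,udp,500",
]
# Corrected (assumed syntax): a protocol-only entry for GRE, no port field.
CORRECTED_RULES = ["10.0.0.0/24,0/0,tcp,1723", "10.0.0.0/24,0/0,gre"]

if __name__ == "__main__":
    client, server = "10.0.0.5", "203.0.113.10"  # constructed sample addresses
    print("original :", pptp_check(ORIGINAL_RULES, client, server))
    print("corrected:", pptp_check(CORRECTED_RULES, client, server))
    print("\n".join(iptables_rules("10.0.0.0/24")))
```

Run as a script it reports that the original list lets the TCP/1723 control connection through but blocks GRE, so the tunnel never comes up, while the protocol-only entry fixes it; the emitted iptables lines are the same idea expressed directly (`-p gre` is equivalent to `-p 47`) for an iptables-based firewall like the one Fabio mentions.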
participants (3)
- Devenport, Jimmy
- Fabio Sena
- Thomas Reitelbach